Create firewall rules that allow administrators to connect to the different VMware solutions.
About this task
Also create rules to allow user access to the vRealize Automation portal and to provide external connectivity to the SDDC.
A firewall rule consists of a section, which groups related rules, and the rule itself, which defines which network traffic is allowed or blocked. The distributed firewall evaluates rules from the top down and applies the first rule that matches, so the order of the rules within a section matters.
Procedure
Log in to vCenter Server by using the vSphere Web Client.
Open a Web browser and go to https://nyc01vc01.rainpole.local/vsphere-client.
Log in using the following credentials.
Setting       Value
User name     administrator@vsphere.local
Password      vsphere_admin_password
Add a section for the rules for the management applications.
In the Navigator, click Networking & Security and click Firewall.
From the NSX Manager drop-down menu, select 172.18.11.65.
Click the Add Section icon.
In the Add New Section dialog box, enter VMware Management Services in the Section Name text box, select the Add above check box, and click Save.
Create a distributed firewall rule to allow SSH access to administrators for the different VMware appliances.
Click Add rule in the VMware Management Services section.
In the Name cell of the new rule, click the Edit icon to change the rule name to Allow SSH to admins.
Click the Edit icon in the Source column, change the Object Type to Security Groups, add Administrators to the Selected Objects list, and click OK.
Click the Edit icon in the Destination column, change the Object Type to Security Groups, add VMware Appliances and Update Manager Download Service to the Selected Objects list, and click OK.
Click the Edit icon in the Service column, enter SSH in the filter, add SSH to the Selected Objects list, and click OK.
Click Publish Changes.
Repeat the previous step to create the following distributed firewall rules.
Name                      Source           Destination             Service / Port
Allow ROBO SDDC to any    ROBO SDDC        * any                   * any
Allow RDP to admins       Administrators   Windows Servers         RDP
Allow VAMI to admins      Administrators   VMware Appliances       TCP:5480
Allow VDP to admins       Administrators   VMware Appliances       TCP:8543
Allow vRLI to admins      Administrators   vRealize Log Insight    HTTP, HTTPS
Create a distributed firewall rule to deny all other traffic to the management subnets.
Click Add rule in the VMware Management Services section.
In the Name cell of the new rule, click the Edit icon to change the rule name to Deny Management subnets.
Click the IP icon in the Destination column, enter 172.18.11.0/24,172.18.19.0/24 and click OK.
Click the Edit icon in the Action column, change the action to Block, and click Save. Leave the Source column at any. Before you publish, verify that the Deny Management subnets rule is the last rule in the section: rules are evaluated top down, so a deny placed above the allow rules would block administrator access to the management subnets. Then click Publish Changes.
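The same section, built as NSX-v API XML and checked for first-match ordering before it is published, for environments where the rules are kept in version control rather than clicked together in the vSphere Web Client. This is an added example, not code from the VMware Validated Design documentation or from VMware: the object IDs (securitygroup-10 and so on, application-1 and so on), the admin user name, and the use of the NSX-v 6.x REST API through the requests library are assumptions, and the real IDs must be read from your NSX Manager.

```python
"""Build the VMware Management Services DFW section as NSX-v API XML and check rule
order before publishing. Added example, not VMware code. Assumptions: NSX Manager
172.18.11.65 exposes the NSX-v 6.x REST API; the securitygroup-*/application-* IDs
are placeholders to be replaced with the IDs returned by
GET /api/2.0/services/securitygroup/scope/globalroot-0 and
GET /api/2.0/services/application/scope/globalroot-0 on your own NSX Manager."""
from collections import namedtuple
import xml.etree.ElementTree as ET

# Placeholder object IDs (assumption): look these up on your NSX Manager.
SECURITY_GROUPS = {
    "Administrators": "securitygroup-10",
    "VMware Appliances": "securitygroup-11",
    "Update Manager Download Service": "securitygroup-12",
    "ROBO SDDC": "securitygroup-13",
    "Windows Servers": "securitygroup-14",
    "vRealize Log Insight": "securitygroup-15",
}
APPLICATIONS = {"SSH": "application-1", "RDP": "application-2",
                "HTTP": "application-3", "HTTPS": "application-4"}

# src/dst: security-group names or IPv4 CIDRs, None = any. svc: application names or
# (ip-protocol, port) tuples, None = any. The UI action "Block" is "deny" in the API.
Rule = namedtuple("Rule", "name src dst svc action")
RULES = [  # evaluation order, top to bottom, as the procedure builds the section
    Rule("Allow SSH to admins", ["Administrators"],
         ["VMware Appliances", "Update Manager Download Service"], ["SSH"], "allow"),
    Rule("Allow ROBO SDDC to any", ["ROBO SDDC"], None, None, "allow"),
    Rule("Allow RDP to admins", ["Administrators"], ["Windows Servers"], ["RDP"], "allow"),
    Rule("Allow VAMI to admins", ["Administrators"], ["VMware Appliances"], [("6", "5480")], "allow"),
    Rule("Allow VDP to admins", ["Administrators"], ["VMware Appliances"], [("6", "8543")], "allow"),
    Rule("Allow vRLI to admins", ["Administrators"], ["vRealize Log Insight"], ["HTTP", "HTTPS"], "allow"),
    Rule("Deny Management subnets", None, ["172.18.11.0/24", "172.18.19.0/24"], None, "deny"),
]


def _endpoint(parent, tag, item):
    """Append one <source>/<destination>: a security group by object ID, else an IPv4 CIDR."""
    el = ET.SubElement(parent, tag)
    if item in SECURITY_GROUPS:
        ET.SubElement(el, "name").text = item
        ET.SubElement(el, "value").text = SECURITY_GROUPS[item]
        ET.SubElement(el, "type").text = "SecurityGroup"
    else:
        ET.SubElement(el, "value").text = item
        ET.SubElement(el, "type").text = "Ipv4Address"
    ET.SubElement(el, "isValid").text = "true"


def _service(parent, item):
    """Append one <service>: a predefined application object or a raw protocol/port pair."""
    svc = ET.SubElement(parent, "service")
    if isinstance(item, tuple):
        proto, port = item
        ET.SubElement(svc, "protocol").text = proto
        ET.SubElement(svc, "destinationPort").text = port
    else:
        ET.SubElement(svc, "name").text = item
        ET.SubElement(svc, "value").text = APPLICATIONS[item]
        ET.SubElement(svc, "type").text = "Application"
        ET.SubElement(svc, "isValid").text = "true"


def build_section(name, rules):
    """Return a <section> element in the layer-3 section format of the NSX-v DFW API."""
    section = ET.Element("section", name=name)
    for r in rules:
        # Design choice: log only the deny rule so blocked management access is visible.
        rule = ET.SubElement(section, "rule", disabled="false",
                             logged="true" if r.action == "deny" else "false")
        ET.SubElement(rule, "name").text = r.name
        ET.SubElement(rule, "action").text = r.action
        if r.src:  # an omitted sources/destinations/services element means "any"
            sources = ET.SubElement(rule, "sources", excluded="false")
            for s in r.src:
                _endpoint(sources, "source", s)
        if r.dst:
            dests = ET.SubElement(rule, "destinations", excluded="false")
            for d in r.dst:
                _endpoint(dests, "destination", d)
        if r.svc:
            services = ET.SubElement(rule, "services")
            for s in r.svc:
                _service(services, s)
        ET.SubElement(rule, "direction").text = "inout"
        ET.SubElement(rule, "packetType").text = "any"
    return section


def check_rule_order(rules):
    """Return problems to fix before publishing. The DFW applies the first matching rule
    from the top, so a deny above an allow overrides it, and a deny with no destination
    blocks everything the section applies to, not just the management subnets."""
    problems = []
    first_deny = next((i for i, r in enumerate(rules) if r.action == "deny"), None)
    if first_deny is not None:
        for r in rules[first_deny + 1:]:
            if r.action == "allow":
                problems.append(f"allow rule '{r.name}' sits below deny rule "
                                f"'{rules[first_deny].name}' and may never match")
    for r in rules:
        if r.action == "deny" and not r.dst:
            problems.append(f"deny rule '{r.name}' has no destination: it would block all traffic")
    return problems


def publish(rules, nsx_manager="172.18.11.65", user="admin", password=None):
    """POST the section as a new layer-3 DFW section (assumption: NSX-v 6.x API, 'requests'
    installed). Refuses to publish while check_rule_order reports a problem."""
    import requests
    problems = check_rule_order(rules)
    if problems:
        raise ValueError("fix rule order before publishing: " + "; ".join(problems))
    body = ET.tostring(build_section("VMware Management Services", rules))
    resp = requests.post(f"https://{nsx_manager}/api/4.0/firewall/globalroot-0/config/layer3sections",
                         data=body, auth=(user, password),
                         headers={"Content-Type": "application/xml"}, verify=True)
    resp.raise_for_status()
    return resp.headers.get("ETag")  # needed as If-Match on later PUTs to this section


if __name__ == "__main__":
    for p in check_rule_order(RULES):
        print("WARNING:", p)
    print(ET.tostring(build_section("VMware Management Services", RULES), encoding="unicode"))
```

Running the script prints the section XML and any ordering warnings without touching NSX Manager; publish() is the only network call. Note that a section posted through the API is active as soon as the POST returns, so the Publish Changes step of the vSphere Web Client does not apply, and the returned ETag must be sent as If-Match on any later PUT that updates the section.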