A distributed firewall configuration consists of sections, which group the firewall rules, and the rules themselves, each of which defines what network traffic is allowed or blocked. You create firewall rules to allow administrators to connect to the different VMware solutions, to allow user access to the vRealize Automation portal, and to provide external connectivity to the SDDC.

Procedure

  1. Log in to vCenter Server by using the vSphere Web Client.
    1. Open a Web browser and go to https://nyc01r01vc01.rainpole.local/vsphere-client.
    2. Log in using the following credentials.

      Setting   | Value
      --------- | ---------------------------
      User name | administrator@vsphere.local
      Password  | vsphere_admin_password

  2. Add a section of rules for the management applications.
    1. In the Navigator, click Networking & Security and click Firewall.
    2. From the NSX Manager drop-down menu, select 172.18.11.65.
    3. Click the Add Section icon.
    4. In the Add New Section dialog box, enter VMware Management Services in the Section Name text box, click the Universal Synchronization toggle to On, and click Save.
  3. Create a distributed firewall rule to allow SSH access to administrators for the different VMware appliances.
    1. Click Add rule in the VMware Management Services section.
    2. In the Name column of the new rule, enter the rule name as Allow SSH to admins.
    3. Click the Edit icon in the Source column, change the Object Type to Security Group, add Administrators to the Selected Objects list, and click Save.
    4. Click the Edit icon in the Destination column, change the Object Type to Security Group, add VMware Appliances and Update Manager Download Service to the Selected Objects list, and click Save.
    5. Click the Edit icon in the Service column, enter SSH in the Search filter of the Available Objects, add SSH to the Selected Objects list, and click Save.
    6. Click Publish.
  4. Repeat the previous step to create the following distributed firewall rules.

    Name                                | Source         | Destination                     | Service / Port
    ----------------------------------- | -------------- | ------------------------------- | --------------
    Allow ROBO SDDC to any              | ROBO SDDC      | any                             | any
    Allow RDP to admins                 | Administrators | Windows Servers                 | RDP
    Allow vRLI to admins                | Administrators | vRealize Log Insight            | HTTP, HTTPS
    Allow vRSLCM to admins              | Administrators | vRealize Suite Lifecycle Manager | HTTPS
    Allow VAMI to admins                | Administrators | VMware Appliances               | TCP:5480
    Allow VMware VADP Solution to admins | Administrators | VMware Appliances               | TCP:8543

  5. Create a distributed firewall rule to deny all other traffic to the management subnets.
    1. Click Add rule in the VMware Management Services section.
    2. In the Name cell of the new rule, click the Edit icon to change the rule name to Deny Management subnets.
    3. Click the IP icon in the Destination column, enter 172.18.11.0/24,172.18.19.0/24 and click OK.
    4. Click the Edit icon in the Action column, change the action to Block, and click Save.
    5. Click Publish.
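Because a distributed firewall evaluates a section top to bottom and stops at the first matching rule, the order in which steps 3 to 5 create the rules decides which traffic reaches the management subnets. The following added example (not VMware code and not the NSX API) models the VMware Management Services section as data and evaluates constructed sample flows against it with first-match semantics, so an operator can confirm before publishing that only the intended flows are admitted. The security-group membership, the IP addresses, the port numbers behind the named services, and the allow action of the section's fall-through default rule are all assumptions made for the example.

```python
"""First-match evaluation of the VMware Management Services firewall section.

Added example, not VMware's code: the rule table from the procedure is
reproduced as data and constructed flows are checked against it.
"""
import ipaddress
from dataclasses import dataclass
from typing import Tuple

# Assumed security-group membership (constructed; in the SDDC it is defined in NSX).
SECURITY_GROUPS = {
    "Administrators": {"10.0.0.10", "10.0.0.11"},
    "VMware Appliances": {"172.18.11.65", "172.18.11.70"},
    "Update Manager Download Service": {"172.18.11.80"},
    "Windows Servers": {"172.18.11.90"},
    "vRealize Log Insight": {"172.18.11.100"},
    "vRealize Suite Lifecycle Manager": {"172.18.11.110"},
    "ROBO SDDC": {"172.18.19.5"},
}

# Named services as (protocol, port); the well-known ports are assumed here.
SERVICES = {
    "SSH": {("tcp", 22)},
    "RDP": {("tcp", 3389)},
    "HTTP": {("tcp", 80)},
    "HTTPS": {("tcp", 443)},
    "TCP:5480": {("tcp", 5480)},
    "TCP:8543": {("tcp", 8543)},
}


@dataclass(frozen=True)
class Rule:
    name: str
    sources: Tuple[str, ...]       # security-group names, CIDRs, or ("any",)
    destinations: Tuple[str, ...]  # same vocabulary as sources
    services: Tuple[str, ...]      # keys of SERVICES, or ("any",)
    action: str                    # "allow" or "block"


def _endpoint_matches(specs, ip):
    """True if the address is covered by any group or CIDR in the spec list."""
    addr = ipaddress.ip_address(ip)
    for spec in specs:
        if spec == "any":
            return True
        if spec in SECURITY_GROUPS:
            if ip in SECURITY_GROUPS[spec]:
                return True
        elif addr in ipaddress.ip_network(spec):
            return True
    return False


def _service_matches(specs, proto, port):
    if "any" in specs:
        return True
    return any((proto, port) in SERVICES[s] for s in specs)


# Rules in the order the procedure creates them; the block rule comes last.
VMWARE_MANAGEMENT_SERVICES = (
    Rule("Allow SSH to admins", ("Administrators",),
         ("VMware Appliances", "Update Manager Download Service"), ("SSH",), "allow"),
    Rule("Allow ROBO SDDC to any", ("ROBO SDDC",), ("any",), ("any",), "allow"),
    Rule("Allow RDP to admins", ("Administrators",), ("Windows Servers",), ("RDP",), "allow"),
    Rule("Allow vRLI to admins", ("Administrators",), ("vRealize Log Insight",),
         ("HTTP", "HTTPS"), "allow"),
    Rule("Allow vRSLCM to admins", ("Administrators",),
         ("vRealize Suite Lifecycle Manager",), ("HTTPS",), "allow"),
    Rule("Allow VAMI to admins", ("Administrators",), ("VMware Appliances",), ("TCP:5480",), "allow"),
    Rule("Allow VMware VADP Solution to admins", ("Administrators",),
         ("VMware Appliances",), ("TCP:8543",), "allow"),
    Rule("Deny Management subnets", ("any",), ("172.18.11.0/24", "172.18.19.0/24"),
         ("any",), "block"),
)

# Fall-through rule for flows no section rule matches; allow is assumed here.
DEFAULT_RULE = Rule("Default Rule", ("any",), ("any",), ("any",), "allow")


def evaluate(src_ip, dst_ip, proto, port, rules=VMWARE_MANAGEMENT_SERVICES):
    """Return (rule name, action) of the first rule matching the flow."""
    for rule in rules:
        if (_endpoint_matches(rule.sources, src_ip)
                and _endpoint_matches(rule.destinations, dst_ip)
                and _service_matches(rule.services, proto, port)):
            return rule.name, rule.action
    return DEFAULT_RULE.name, DEFAULT_RULE.action


if __name__ == "__main__":
    # Constructed flows: admin SSH, a stray host reaching an appliance, ROBO traffic.
    for flow in (("10.0.0.10", "172.18.11.65", "tcp", 22),
                 ("192.0.2.7", "172.18.11.65", "tcp", 22),
                 ("172.18.19.5", "172.18.11.65", "tcp", 443)):
        print(flow, "->", evaluate(*flow))
```

Running the flows shows the property the procedure relies on: an administrator's SSH session matches the first rule, a host that belongs to no security group reaches the block rule at the end of the section, and a flow to an address outside 172.18.11.0/24 and 172.18.19.0/24 is never touched by this section at all.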

Results

Network security is improved because only the network traffic that the SDDC requires is allowed to pass.