Create distributed firewall rules that allow administrators to connect to the VMware management solutions, allow end users to reach the vRealize Automation portal, and allow the SDDC management components outbound connectivity. With the default rule then set to block, only the traffic the SDDC requires is permitted on the management network.
Procedure
- Log in to vCenter Server by using the vSphere Client.
- Open a Web browser and go to https://sfo01m01vc01.sfo01.rainpole.local/ui.
- Log in by using the following credentials.
Setting      Value
User name    administrator@vsphere.local
Password     vsphere_admin_password
- Add a section of rules for the management applications.
- From the Home menu, select Networking & Security and click Firewall.
- From the NSX Manager drop-down menu, select 172.16.11.65.
- Click Add Section.
The New Section dialog box appears.
- In the Section Name text box, enter VMware Management Services, turn on Universal Synchronization, and click Add.
- Create a distributed firewall rule that allows administrators SSH access to the VMware appliances.
- Click Add rule.
- In the Name column, enter Allow SSH to admins.
- In the Source column, click the Edit icon.
- From the Object Type drop-down menu, select Security Group, add Administrators to the Selected Objects list, and click Save.
- In the Destination column, click the Edit icon.
- From the Object Type drop-down menu, select Security Group, add VMware Appliances and Update Manager Download Service to the Selected Objects list, and click Save.
- In the Service column, click the Edit icon, add SSH to the Selected Objects list, and click Save.
- Click the Publish button.
- Repeat the previous step to create the remaining distributed firewall rules in the following table. The table also lists the Allow SSH to admins rule you already created. Keep the rules in the order shown: the distributed firewall evaluates rules top-down and applies the first match.
Name | Source | Destination | Service / Port
Allow vRA Portal to end users | * any | vRealize Automation Appliances, vRealize Automation Windows, vRealize Business Server | HTTP, HTTPS
Allow vRA Console Proxy to end users | * any | vRealize Automation Appliances | TCP: 8444
Allow SDDC to any | SDDC | * any | * any
Allow PSC to admins | Administrators | Platform Services Controller Instances | HTTPS
Allow SSH to admins | Administrators | VMware Appliances, Update Manager Download Service | SSH
Allow RDP to admins | Administrators | Windows Servers | RDP
Allow Orchestrator to admins | Administrators | vRealize Automation Appliances | TCP: 8281, 8283
Allow vRB Data Collector to admins | Administrators | vRealize Business Data Collector | HTTP, HTTPS
Allow vROPs to admins | Administrators | vRealize Operations Manager, vRealize Operations Manager Remote Collectors | HTTP, HTTPS
Allow vRLI to admins | Administrators | vRealize Log Insight | HTTP, HTTPS
Allow vRSLCM to admins | Administrators | vRealize Suite Lifecycle Manager | HTTPS
Allow VAMI to admins | Administrators | VMware Appliances | TCP: 5480
Allow VMware VADP Solution to admins | Administrators | VMware Appliances | TCP: 8543
- Change the action of the default rule from Allow to Block. Verify that all allow rules above are published first: once the default rule blocks, any management component that is not on the distributed firewall exclusion list and has no matching allow rule loses connectivity.
- From the NSX Manager drop-down menu, select 172.16.11.65.
- On the General tab, expand Default Section Layer3.
- Under Default Rule, in the Action column, change the action to Block.
- Click Save and click Publish.
Results
The distributed firewall now permits only the network traffic the SDDC requires; the default rule blocks everything else.
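The following Python model is an added example and not code from the VMware Validated Design page or the NSX product. It encodes the rule table above in publish order, appends the Default Rule of Default Section Layer3, and evaluates sample flows the way the distributed firewall does (top-down, first match wins), so you can see which flows the table permits and what changing the default action from allow to block does. The endpoint names, their security-group memberships and the sample flows are constructed for illustration; the rule, group and service names are the ones used on the page.

```python
# Added example (not code from the VMware Validated Design page): a model of the
# distributed firewall rule set this procedure publishes.  Rules are evaluated top-down,
# first match wins, with the Default Section Layer3 rule last, which is how the NSX
# distributed firewall applies them.  Group memberships and flows below are constructed.
from dataclasses import dataclass

ANY = "* any"


@dataclass(frozen=True)
class Rule:
    name: str
    sources: frozenset
    destinations: frozenset
    services: frozenset
    action: str  # "allow" or "block"


def rule(name, sources, destinations, services, action="allow"):
    return Rule(name, frozenset(sources), frozenset(destinations), frozenset(services), action)


# The VMware Management Services section, in the order the page lists the rules.
MANAGEMENT_SERVICES = [
    rule("Allow vRA Portal to end users", [ANY],
         ["vRealize Automation Appliances", "vRealize Automation Windows",
          "vRealize Business Server"], ["HTTP", "HTTPS"]),
    rule("Allow vRA Console Proxy to end users", [ANY],
         ["vRealize Automation Appliances"], ["TCP:8444"]),
    rule("Allow SDDC to any", ["SDDC"], [ANY], [ANY]),
    rule("Allow PSC to admins", ["Administrators"],
         ["Platform Services Controller Instances"], ["HTTPS"]),
    rule("Allow SSH to admins", ["Administrators"],
         ["VMware Appliances", "Update Manager Download Service"], ["SSH"]),
    rule("Allow RDP to admins", ["Administrators"], ["Windows Servers"], ["RDP"]),
    rule("Allow Orchestrator to admins", ["Administrators"],
         ["vRealize Automation Appliances"], ["TCP:8281", "TCP:8283"]),
    rule("Allow vRB Data Collector to admins", ["Administrators"],
         ["vRealize Business Data Collector"], ["HTTP", "HTTPS"]),
    rule("Allow vROPs to admins", ["Administrators"],
         ["vRealize Operations Manager", "vRealize Operations Manager Remote Collectors"],
         ["HTTP", "HTTPS"]),
    rule("Allow vRLI to admins", ["Administrators"], ["vRealize Log Insight"], ["HTTP", "HTTPS"]),
    rule("Allow vRSLCM to admins", ["Administrators"],
         ["vRealize Suite Lifecycle Manager"], ["HTTPS"]),
    rule("Allow VAMI to admins", ["Administrators"], ["VMware Appliances"], ["TCP:5480"]),
    rule("Allow VMware VADP Solution to admins", ["Administrators"],
         ["VMware Appliances"], ["TCP:8543"]),
]


def default_rule(action):
    """The Default Rule of Default Section Layer3: matches everything, evaluated last."""
    return rule("Default Rule", [ANY], [ANY], [ANY], action)


def _hits(members, flow_groups):
    return ANY in members or not members.isdisjoint(flow_groups)


def evaluate(rules, src_groups, dst_groups, service):
    """Return (rule name, action) of the first rule matching a flow, or None if no rule
    matches.  src_groups/dst_groups are the security groups each endpoint belongs to;
    service is a service name or "TCP:<port>" as written in the rule table."""
    for r in rules:
        if (_hits(r.sources, src_groups) and _hits(r.destinations, dst_groups)
                and _hits(r.services, {service})):
            return r.name, r.action
    return None


# Constructed endpoint-to-security-group membership used for the sample flows.
GROUPS = {
    "admin-jumphost": {"Administrators"},
    "vra-appliance": {"VMware Appliances", "vRealize Automation Appliances", "SDDC"},
    "user-laptop": set(),  # an end user outside every security group
}


def decide(default_action, src, dst, service):
    """Evaluate a flow against the section plus a default rule with the given action."""
    return evaluate(MANAGEMENT_SERVICES + [default_rule(default_action)],
                    GROUPS[src], GROUPS[dst], service)


def compare_defaults(src, dst, service):
    """Outcome of one flow before (default allow) and after (default block) the last step."""
    return {action: decide(action, src, dst, service)[1] for action in ("allow", "block")}


def shadowed(rules):
    """Names of rules that can never match because an earlier rule already matches a
    superset of their traffic; a misplaced any/any/any allow makes every later rule dead."""
    def covers(wide, narrow):
        return all(ANY in w or (ANY not in n and n <= w) for w, n in (
            (wide.sources, narrow.sources), (wide.destinations, narrow.destinations),
            (wide.services, narrow.services)))
    return [r.name for i, r in enumerate(rules) if any(covers(e, r) for e in rules[:i])]


if __name__ == "__main__":
    print(decide("block", "admin-jumphost", "vra-appliance", "SSH"))
    print(decide("block", "user-laptop", "vra-appliance", "HTTPS"))
    print(compare_defaults("user-laptop", "vra-appliance", "TCP:5480"))
    print(shadowed([rule("Permit all", [ANY], [ANY], [ANY])] + MANAGEMENT_SERVICES))
```

The `compare_defaults` call shows the point of the last step: an end user reaching the VAMI port of a vRealize Automation appliance is allowed while the default rule still allows, and blocked once it is changed to Block, because no rule in the section matches that flow. `shadowed` is the check to run before publishing a reordered section: any rule listed is dead code, and a rule with source, destination and service all set to * any placed above the section kills every rule after it.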