The management gateway on the VMware Cloud on AWS SDDC is configured with a firewall that blocks all inbound connections to the management network of the SDDC. This configuration protects the security and integrity of the management interfaces on VMware Cloud on AWS, such as vCenter Server and ESXi, by default. The firewall offers only limited configuration options for the existing management interfaces, but specific inbound connections can be allowed.

When you create an SDDC on VMware Cloud on AWS, the management gateway firewall has the following rules.
Table 1. Default Management Gateway Firewall Rules

| Rule Name           | Source  | Destination | Services | Action |
|---------------------|---------|-------------|----------|--------|
| vCenter Outbound Rule | vCenter | Any       | Any      | Allow  |
| ESXi Outbound Rule  | ESXi    | Any         | Any      | Allow  |
| Default Deny All    | Any     | Any         | Any      | Block  |

To allow the SDDC on VMware Cloud on AWS to connect to your on-premises management domain, you must change the default firewall policy. To simplify the firewall rule management, you can create groups of IP addresses and subnets.

Table 2. Design Decisions on Management Gateway Firewall Configurations

| Decision ID      | Design Decision | Design Justification | Design Implication |
|------------------|-----------------|----------------------|--------------------|
| SDDC-VMC-NET-005 | Configure the management gateway firewall to allow access from the on-premises management subnet to the vCenter Server, ESXi, and NSX Manager instances on the VMware Cloud on AWS SDDC. | The hybrid functionality requires changes on the firewall. | Changing the default firewall rules widens the boundary from which the management components of the SDDC on VMware Cloud on AWS can be accessed. |
| SDDC-VMC-NET-006 | Configure the local on-premises SDDC management subnets as groups. | Using groups simplifies the firewall rule management. | None. |

To simplify the firewall rule management, you add the following groups.
Table 3. Inventory Groups

| Name      | Member Type | Members |
|-----------|-------------|---------|
| SFO01Nets | IP Address  | 172.16.11.0/24, 172.16.12.0/24, 172.16.31.0/24, 172.16.32.0/24, 192.168.11.0/24, 192.168.31.0/24 |
| LAX01Nets | IP Address  | 172.17.11.0/24, 172.17.12.0/24, 172.17.31.0/24, 172.17.32.0/24, 192.168.11.0/24, 192.168.32.0/24 |

To allow the hybrid functionality, you must add the following management gateway firewall rules to the default outbound rules that are configured when the SDDC infrastructure is created on VMware Cloud on AWS.
Table 4. Additional Management Gateway Firewall Rules

| Name                  | Source    | Destination | Services | Action |
|-----------------------|-----------|-------------|----------|--------|
| SFO01M01 ESXi Rule    | SFO01Nets | ESXi        | Provisioning & Remote Console (TCP 902), vSphere vMotion (TCP 8000), ICMP (ALL ICMP), HTTPS (TCP 443) | Allow |
| SFO01M01 vCenter Rule | SFO01Nets | vCenter     | ICMP (ALL ICMP), SSO (TCP 7444), HTTPS (TCP 443) | Allow |
| SFO01 NSX Rule        | SFO01Nets | NSX         | HTTPS (TCP 443) | Allow |
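The following script is an added example, not VMware code or tooling, that encodes the inventory groups (Table 3), the default rules (Table 1) and the additional rules (Table 4) as a first-match policy and evaluates test flows against it. It lets you confirm what the resulting exposure of each management interface is before applying the change, for instance that only the listed ports are reachable from SFO01Nets, that everything else still hits Default Deny All, and that the LAX01Nets group (defined on the page but referenced by no rule) grants no access. The top-down, first-match evaluation order and the `allowed_inbound` audit helper are assumptions of this example.

```python
"""Added example: first-match evaluator for the management gateway firewall
policy described on this page. Not VMware's code; the rule-ordering and
matching semantics below are assumptions made for the example."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Inventory groups from Table 3 (CIDRs exactly as listed on the page).
GROUPS: Dict[str, List[str]] = {
    "SFO01Nets": ["172.16.11.0/24", "172.16.12.0/24", "172.16.31.0/24",
                  "172.16.32.0/24", "192.168.11.0/24", "192.168.31.0/24"],
    "LAX01Nets": ["172.17.11.0/24", "172.17.12.0/24", "172.17.31.0/24",
                  "172.17.32.0/24", "192.168.11.0/24", "192.168.32.0/24"],
}

# Service definitions from Table 4 as (protocol, port); ICMP has no port.
SERVICES: Dict[str, Tuple[str, Optional[int]]] = {
    "Provisioning & Remote Console": ("tcp", 902),
    "vSphere vMotion": ("tcp", 8000),
    "ICMP": ("icmp", None),
    "HTTPS": ("tcp", 443),
    "SSO": ("tcp", 7444),
}


@dataclass(frozen=True)
class Rule:
    name: str
    source: str                 # inventory group, management component, or "Any"
    destination: str            # "ESXi", "vCenter", "NSX", or "Any"
    services: Tuple[str, ...]   # names from SERVICES, or ("Any",)
    action: str                 # "Allow" or "Block"


# Assumption: the additional rules (Table 4) sit above the defaults (Table 1),
# rules are evaluated top-down and the first match wins, so Default Deny All
# catches every flow no earlier rule allows.
POLICY: List[Rule] = [
    Rule("SFO01M01 ESXi Rule", "SFO01Nets", "ESXi",
         ("Provisioning & Remote Console", "vSphere vMotion", "ICMP", "HTTPS"), "Allow"),
    Rule("SFO01M01 vCenter Rule", "SFO01Nets", "vCenter", ("ICMP", "SSO", "HTTPS"), "Allow"),
    Rule("SFO01 NSX Rule", "SFO01Nets", "NSX", ("HTTPS",), "Allow"),
    Rule("vCenter Outbound Rule", "vCenter", "Any", ("Any",), "Allow"),
    Rule("ESXi Outbound Rule", "ESXi", "Any", ("Any",), "Allow"),
    Rule("Default Deny All", "Any", "Any", ("Any",), "Block"),
]


def source_matches(rule_source: str, src: str) -> bool:
    """src is an IP address (for inbound flows) or a component name (for outbound)."""
    if rule_source == "Any":
        return True
    if rule_source in GROUPS:
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:
            return False  # a component name never matches an IP group
        return any(addr in ipaddress.ip_network(cidr) for cidr in GROUPS[rule_source])
    return rule_source == src


def service_matches(rule_services: Tuple[str, ...], proto: str, port: Optional[int]) -> bool:
    if rule_services == ("Any",):
        return True
    for name in rule_services:
        rule_proto, rule_port = SERVICES[name]
        if rule_proto == proto and (rule_port is None or rule_port == port):
            return True
    return False


def evaluate(src: str, dst: str, proto: str, port: Optional[int] = None) -> Tuple[str, str]:
    """Return (action, name of the first matching rule) for one flow."""
    for rule in POLICY:
        if (source_matches(rule.source, src)
                and rule.destination in ("Any", dst)
                and service_matches(rule.services, proto, port)):
            return rule.action, rule.name
    raise RuntimeError("policy has no terminal rule")  # unreachable with Default Deny All


def allowed_inbound(dst: str) -> List[str]:
    """Exposure summary: service names any inventory group may reach on dst."""
    exposed = set()
    for rule in POLICY:
        if rule.action == "Allow" and rule.destination == dst and rule.source in GROUPS:
            exposed.update(rule.services)
    return sorted(exposed)


if __name__ == "__main__":
    # Constructed sample flows, chosen to exercise both allow and deny paths.
    for flow in [("172.16.11.5", "ESXi", "tcp", 443), ("172.16.11.5", "ESXi", "tcp", 22),
                 ("172.17.11.5", "vCenter", "tcp", 443), ("192.168.11.10", "vCenter", "tcp", 7444)]:
        print(flow, "->", evaluate(*flow))
    for component in ("ESXi", "vCenter", "NSX"):
        print(component, "reachable from groups on:", allowed_inbound(component))
```

Note that 192.168.11.0/24 appears in both SFO01Nets and LAX01Nets; a host in that subnet is therefore allowed by the SFO01 rules even though no LAX01 rule exists, which is the kind of overlap this check is meant to surface before the policy goes live.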