The management gateway of a VMware Cloud on AWS SDDC is protected by a firewall that, by default, blocks all inbound connections to the management network of the SDDC. This protects the management interfaces of the SDDC, such as vCenter Server and ESXi, from being reached from outside. The firewall offers limited configuration options for the existing management interfaces, but specific inbound connections can be allowed.
| Rule Name | Source | Destination | Services | Action |
|---|---|---|---|---|
| vCenter Outbound Rule | vCenter | Any | Any | Allow |
| ESXi Outbound Rule | ESXi | Any | Any | Allow |
| Default Deny All | Any | Any | Any | Block |
To allow connectivity between the SDDC on VMware Cloud on AWS and your on-premises management domain, you must add rules to the default firewall policy. To simplify rule management, create groups that contain the on-premises IP addresses and subnets and reference the groups in the rules.
| Decision ID | Design Decision | Design Justification | Design Implication |
|---|---|---|---|
| SDDC-VMC-NET-005 | Configure the management gateway firewall to allow access from the on-premises management subnet to the vCenter Server, ESXi, and NSX Manager instances on the VMware Cloud on AWS SDDC. | The hybrid functionality requires changes on the firewall. | Changing the default firewall rules widens the boundary from which the management components of the SDDC on VMware Cloud on AWS can be accessed, so the allowed sources must be limited to the on-premises management subnets. |
| SDDC-VMC-NET-006 | Configure the on-premises SDDC management subnets as groups. | Using groups simplifies the firewall rule management. | None. |
| Name | Member Type | Members |
|---|---|---|
| SFO01Nets | IP Address | 172.16.11.0/24, 172.16.12.0/24, 172.16.31.0/24, 172.16.32.0/24, 192.168.11.0/24, 192.168.31.0/24 |
| LAX01Nets | IP Address | 172.17.11.0/24, 172.17.12.0/24, 172.17.31.0/24, 172.17.32.0/24, 192.168.11.0/24, 192.168.32.0/24 |
| Rule Name | Source | Destination | Services | Action |
|---|---|---|---|---|
| SFO01M01 ESXi Rule | SFO01Nets | ESXi | Provisioning & Remote Console (TCP 902), vSphere vMotion (TCP 8000), ICMP (ALL ICMP), HTTPS (TCP 443) | Allow |
| SFO01M01 vCenter Rule | SFO01Nets | vCenter | ICMP (ALL ICMP), SSO (TCP 7444), HTTPS (TCP 443) | Allow |
| SFO01 NSX Rule | SFO01Nets | NSX | HTTPS (TCP 443) | Allow |
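The gateway evaluates these rules top down, the first match decides, and the Default Deny All rule catches everything else. Once several groups and rules exist it is easy to lose track of what a given on-premises host can actually reach, and of whether a change has quietly widened the boundary described in SDDC-VMC-NET-005. The following Python script is an added example, not VMware code and not part of the original page: it models the groups and the rule table as data, evaluates a connection the way the gateway does (first match wins, fall back to Block), and audits the table for an Any source allowed inbound to a management component, a rule shadowed by an earlier catch-all, and prefixes that appear in more than one group. The sample groups and rules are constructed to mirror the tables above; the `Rule` class and the service notation (`TCP/443`, `ICMP`) are the example's own and are not NSX-T or VMware Cloud on AWS API identifiers.

```python
"""Offline model of the VMware Cloud on AWS management gateway firewall.

Added example, not VMware code. Rules are matched top down, first match
wins, and anything unmatched is blocked, which is the gateway's default.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

ANY = "Any"
# Management components that inbound rules may target.
MGMT_COMPONENTS = {"vCenter", "ESXi", "NSX"}


@dataclass(frozen=True)
class Rule:
    name: str
    source: str                 # group name, management component, or ANY
    destination: str            # group name, management component, or ANY
    services: Tuple[str, ...]   # e.g. ("TCP/443", "ICMP"); (ANY,) for any service
    action: str                 # "Allow" or "Block"


def _nets(*cidrs: str) -> List[ipaddress.IPv4Network]:
    return [ipaddress.ip_network(c) for c in cidrs]


# Constructed to mirror the group table above (example data).
GROUPS: Dict[str, List[ipaddress.IPv4Network]] = {
    "SFO01Nets": _nets("172.16.11.0/24", "172.16.12.0/24", "172.16.31.0/24",
                       "172.16.32.0/24", "192.168.11.0/24", "192.168.31.0/24"),
    "LAX01Nets": _nets("172.17.11.0/24", "172.17.12.0/24", "172.17.31.0/24",
                       "172.17.32.0/24", "192.168.11.0/24", "192.168.32.0/24"),
}

# Constructed rule table: the two default outbound rules, the SFO01 inbound
# rules from the table above, and the default deny at the bottom.
RULES: List[Rule] = [
    Rule("vCenter Outbound Rule", "vCenter", ANY, (ANY,), "Allow"),
    Rule("ESXi Outbound Rule", "ESXi", ANY, (ANY,), "Allow"),
    Rule("SFO01M01 ESXi Rule", "SFO01Nets", "ESXi",
         ("TCP/902", "TCP/8000", "ICMP", "TCP/443"), "Allow"),
    Rule("SFO01M01 vCenter Rule", "SFO01Nets", "vCenter",
         ("ICMP", "TCP/7444", "TCP/443"), "Allow"),
    Rule("SFO01 NSX Rule", "SFO01Nets", "NSX", ("TCP/443",), "Allow"),
    Rule("Default Deny All", ANY, ANY, (ANY,), "Block"),
]


def _endpoint_matches(selector: str, endpoint: str,
                      groups: Dict[str, List[ipaddress.IPv4Network]]) -> bool:
    """An endpoint is a management component name or an IPv4 address string."""
    if selector == ANY:
        return True
    if selector in groups:
        try:
            addr = ipaddress.ip_address(endpoint)
        except ValueError:
            return False            # component names are never group members
        return any(addr in net for net in groups[selector])
    return selector == endpoint


def evaluate(src: str, dst: str, service: str,
             rules: List[Rule] = RULES,
             groups: Dict[str, List[ipaddress.IPv4Network]] = GROUPS) -> Tuple[str, str]:
    """Return (action, rule name) of the first matching rule; no match means Block."""
    for r in rules:
        if (_endpoint_matches(r.source, src, groups)
                and _endpoint_matches(r.destination, dst, groups)
                and (ANY in r.services or service in r.services)):
            return r.action, r.name
    return "Block", "<implicit default deny>"


def audit(rules: List[Rule] = RULES,
          groups: Dict[str, List[ipaddress.IPv4Network]] = GROUPS) -> List[str]:
    """Flag the mistakes that matter most on a management gateway."""
    findings: List[str] = []
    seen_catch_all = False
    for r in rules:
        inbound_to_mgmt = r.destination in MGMT_COMPONENTS or r.destination == ANY
        if r.action == "Allow" and inbound_to_mgmt and r.source == ANY:
            findings.append(f"{r.name}: allows Any source to {r.destination}")
        if r.action == "Allow" and r.destination in MGMT_COMPONENTS and ANY in r.services:
            findings.append(f"{r.name}: allows any service to {r.destination}")
        if seen_catch_all:
            findings.append(f"{r.name}: shadowed by an earlier Any/Any/Any rule")
        if r.source == ANY and r.destination == ANY and ANY in r.services:
            seen_catch_all = True
    # A prefix in more than one group is either a copy-paste slip or a subnet
    # that really is shared; either way it needs a deliberate decision.
    names = sorted(groups)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            for na in groups[a]:
                for nb in groups[b]:
                    if na.overlaps(nb):
                        findings.append(f"{a}/{b}: {na} overlaps {nb}")
    return findings


if __name__ == "__main__":
    print(evaluate("172.16.11.10", "vCenter", "TCP/443"))   # allowed by SFO01M01 vCenter Rule
    print(evaluate("172.17.11.10", "vCenter", "TCP/443"))   # blocked: no rule references LAX01Nets
    for line in audit():
        print("finding:", line)
```

Run as is, the evaluator allows 172.16.11.10 to reach vCenter on TCP 443 and blocks 172.17.11.10, because the LAX01Nets group exists but no rule in the table references it; a group on its own grants nothing. The audit reports only that 192.168.11.0/24 is a member of both groups, which is worth confirming against the addressing plan before the rules go live. Prepending a rule that allows Any to vCenter, or appending an allow rule after Default Deny All, produces the corresponding finding.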