Add or Modify Management Gateway Firewall Rules

By default, the management gateway blocks traffic to all destinations from all sources. Add Management Gateway firewall rules to allow only the traffic you need.

Management Gateway firewall rules specify the action to take on network traffic from a specified source to a specified destination. Sources and destinations can be defined as Any or as members of a system-defined or user-defined inventory group, but either the source or the destination must be a system-defined group. See Add a Management Group for information about viewing or modifying inventory groups.
  1. Log in to the VMware Cloud on AWS GovCloud console at https://www.vmc-us-gov.vmware.com/.
  2. On the Networking & Security tab, click Gateway Firewall.
  3. On the Gateway Firewall card, click Management Gateway, then click ADD RULE and give the new rule a Name.
  4. Enter the parameters for the new rule.
     Parameters are initialized to their default values (for example, Any for Sources and Destinations). To edit a parameter, move the mouse cursor over the parameter value and click the pencil icon to open a parameter-specific editor.

     Sources
     Select Any to allow traffic from any source address or address range.
     If you need to access the Management Gateway over the public internet, you must configure a management gateway firewall rule that allows traffic only from IP addresses you own or trust. For example, an enterprise that accesses the internet from a public IP address in the CIDR block 93.184.216.34/30 should create a management gateway firewall rule that allows only traffic with a Sources CIDR of 93.184.216.34/30 to access the management systems, including vCenter, NSX Manager, and ESXi. Never configure a management gateway firewall rule to allow traffic originating from Any address. See VMware Knowledge Base article 84154 for more information about providing secure access to your SDDC management infrastructure.
     Select System Defined Groups and select one of the following source options:
     • ESXi to allow traffic from your SDDC's ESXi hosts.
     • NSX Manager to allow traffic from your SDDC's NSX-T Manager appliance.
     • vCenter to allow traffic from your SDDC's vCenter.
     • Site Recovery Manager to allow traffic from your SDDC's Site Recovery Manager.
     Select User Defined Groups to use a management group that you have defined. See Add a Management Group.

     Destinations
     Select Any to allow traffic to any destination address or address range.
     Select System Defined Groups and select one of the following destination options:
     • ESXi to allow traffic to your SDDC's ESXi management interfaces.
     • NSX Manager to allow traffic to your SDDC's NSX-T Manager appliance.
     • vCenter to allow traffic to your SDDC's vCenter.
     • Site Recovery Manager to allow traffic to your SDDC's Site Recovery Manager.

     Services
     Select the service types that the rule applies to. The list of service types depends on your choices for Sources and Destinations.

     Action
     The only action available for a new management gateway firewall rule is Allow.

     The new rule is activated by default. Slide the toggle to the left to deactivate it.
  5. Repeat the previous step to apply the following firewall rules for .

     | Name | Source | Destination | Service | Action |
     | Remote SRM to vCenter | User-Defined Group that includes the remote IP address. | vCenter | HTTPS (TCP 443) | Allow |
     | Remote VR to vCenter | User-Defined Group that includes the remote IP address. | vCenter | HTTPS (TCP 443) | Allow |
     | Remote network to SRM (SRM Server Management) | User-Defined Group that includes the remote and IP addresses. | | VMware Site Recovery SRM | Allow |
     | Remote network to VR (VM Replication) | User-Defined Group that includes the remote ESXi hosts IP addresses. | | VMware Site Recovery vSphere Replication | Allow |
     | Remote network to VR (VR Server Management) | or User-Defined Group that includes the remote and IP addresses. | | VMware Site Recovery vSphere Replication | Allow |
     | Remote network to VR (UI and API) | User-Defined Group that includes the remote browser IP address. | | VMware Site Recovery vSphere Replication | Allow |
     | SRM (HTTPS) to remote network | | Any or User-Defined Group that includes the remote Platform Services Controller and vCenter IP addresses. | HTTPS (TCP 443) | Allow |
     | VR (HTTPS) to remote network | | Any or User-Defined Group that includes the remote Platform Services Controller and vCenter IP addresses. | HTTPS (TCP 443) | Allow |
     | SRM (SRM Server Management) to remote network | | Any or User-Defined Group that includes the remote IP address. | VMware Site Recovery SRM | Allow |
     | VR (SRM Server Management) to remote network | | Any or User-Defined Group that includes the remote IP address. | VMware Site Recovery SRM | Allow |
     | ESXi (VM Replication) to remote network | ESXi | Any or User-Defined Group that includes the remote IP addresses (combined appliance and any add-on appliances). | VMware Site Recovery vSphere Replication | Allow |
     | SRM (VR Server Management) to remote network | | Any or User-Defined Group that includes the remote IP address. | VMware Site Recovery vSphere Replication | Allow |
     | VR (VR Server Management) to remote network | | Any or User-Defined Group that includes the remote IP address. | VMware Site Recovery vSphere Replication | Allow |
  6. Click PUBLISH to create the rule.
     The system gives the new rule an integer ID value, which is used in log entries generated by the rule.
     Firewall rules are applied in order from top to bottom. Because there is a default Drop rule at the bottom and the rules above it are always Allow rules, management gateway firewall rule order has no impact on traffic flow.
Create a Management Gateway Firewall Rule

To create a management gateway firewall rule that enables vMotion traffic from the on-premises ESXi hosts to the ESXi hosts in the SDDC:
  1. Create a management inventory group that contains the on-premises ESXi hosts that you want to enable for vMotion to the SDDC.
  2. Create a management gateway rule with source ESXi and destination the on-premises ESXi hosts group.
  3. Create another management gateway rule with source the on-premises ESXi hosts group and destination ESXi, with a vMotion service.
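The procedure above places four constraints on a management gateway rule: the only action is Allow, at least one endpoint must be a system-defined group, an inbound rule toward vCenter, NSX Manager, ESXi or Site Recovery Manager must never use a source of Any, and the addresses in a user-defined source group should be ones you own or trust. The following Python is an added example written for this page, not code from VMware or the VMC console: it models rules with the same vocabulary as the rule editor, checks them before you click PUBLISH, and builds the two rules of the vMotion example above. The group names, prefixes and rule names are constructed; 93.184.216.34/30 is the CIDR used as the example on this page; and it assumes both vMotion rules use the vMotion service, which the example states only for the second rule.

```python
import ipaddress
from dataclasses import dataclass

# Endpoint vocabulary of the Management Gateway rule editor.
ANY = "Any"
SYSTEM_DEFINED_GROUPS = {"ESXi", "NSX Manager", "vCenter", "Site Recovery Manager"}
ALLOWED_ACTIONS = {"Allow"}  # the only action the management gateway offers


@dataclass(frozen=True)
class MgwRule:
    name: str
    source: str       # "Any", a system-defined group, or a user-defined group name
    destination: str  # same vocabulary as source
    service: str      # e.g. "HTTPS (TCP 443)" or "vMotion"
    action: str = "Allow"


def is_system_defined(endpoint: str) -> bool:
    return endpoint in SYSTEM_DEFINED_GROUPS


def cidr_is_trusted(cidr: str, trusted: list) -> bool:
    """True if `cidr` lies entirely inside one of the trusted prefixes."""
    net = ipaddress.ip_network(cidr, strict=False)
    for prefix in trusted:
        tnet = ipaddress.ip_network(prefix, strict=False)
        if net.version == tnet.version and net.subnet_of(tnet):
            return True
    return False


def check_rule(rule: MgwRule, user_groups: dict, trusted: list) -> list:
    """Return the problems that should block publishing `rule`; an empty list means OK."""
    findings = []
    if rule.action not in ALLOWED_ACTIONS:
        findings.append(f"action {rule.action!r} is not available for management gateway rules")
    if not (is_system_defined(rule.source) or is_system_defined(rule.destination)):
        findings.append("either the source or the destination must be a system-defined group")
    for role, endpoint in (("source", rule.source), ("destination", rule.destination)):
        if endpoint != ANY and not is_system_defined(endpoint) and endpoint not in user_groups:
            findings.append(f"{role} {endpoint!r} is not a defined management group")
    # Inbound exposure: traffic reaching a management component must come from
    # addresses you own or trust, never from Any.
    if is_system_defined(rule.destination):
        if rule.source == ANY:
            findings.append(f"source Any would expose {rule.destination} to every address on the internet")
        elif rule.source in user_groups:
            for cidr in user_groups[rule.source]:
                if not cidr_is_trusted(cidr, trusted):
                    findings.append(f"{cidr} in group {rule.source!r} is outside the trusted ranges")
    return findings


def check_rules(rules: list, user_groups: dict, trusted: list) -> dict:
    return {rule.name: check_rule(rule, user_groups, trusted) for rule in rules}


def vmotion_rules(onprem_group: str) -> list:
    """The two rules of the vMotion example, one per direction.
    Assumption (the page states the service only for the second rule): both use vMotion."""
    return [
        MgwRule("SDDC ESXi to on-prem ESXi", "ESXi", onprem_group, "vMotion"),
        MgwRule("On-prem ESXi to SDDC ESXi", onprem_group, "ESXi", "vMotion"),
    ]


# Constructed inventory for the demonstration (group names and prefixes are made up;
# 93.184.216.34/30 is the CIDR used as the example on this page).
USER_GROUPS = {
    "Corp-Egress": ["93.184.216.34/30"],
    "OnPrem-ESXi": ["10.20.0.0/24"],
    "Contractor-VPN": ["203.0.113.0/24", "10.20.0.0/24"],
}
TRUSTED_PREFIXES = ["93.184.216.32/28", "10.20.0.0/16"]

SAMPLE_RULES = [
    MgwRule("Admin to vCenter", "Corp-Egress", "vCenter", "HTTPS (TCP 443)"),
    MgwRule("Anyone to vCenter", ANY, "vCenter", "HTTPS (TCP 443)"),
    MgwRule("Contractors to NSX Manager", "Contractor-VPN", "NSX Manager", "HTTPS (TCP 443)"),
    MgwRule("Office to on-prem ESXi", "Corp-Egress", "OnPrem-ESXi", "HTTPS (TCP 443)"),
] + vmotion_rules("OnPrem-ESXi")

if __name__ == "__main__":
    for name, problems in check_rules(SAMPLE_RULES, USER_GROUPS, TRUSTED_PREFIXES).items():
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
```

Running the block prints one line per constructed rule: the admin rule and both vMotion rules pass, the Any-source rule and the contractor group are flagged for exposing vCenter and NSX Manager to untrusted addresses, and the group-to-group rule is rejected because neither endpoint is system-defined. The trusted-prefix check uses `ipaddress.subnet_of`, so a group entry is accepted only when the whole prefix falls inside a range you own, not when it merely overlaps one.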
You can take any or all of these optional actions with an existing firewall rule.
  • Click the gear icon to view or modify the rule's logging settings. Log entries are sent to the VMware vRealize Log Insight Cloud service. See Using vRealize Log Insight Cloud in the VMware Cloud on AWS Operations Guide.
  • Click the graph icon to view the rule's hit counts and traffic statistics.
    Rule hit statistics
    Popularity Index: the number of times the rule was triggered in the past 24 hours.
    Hit Count: the number of times the rule was triggered since the rule was created.
    Traffic statistics
    Packet Count: the total number of packets that have passed through this rule.
    Byte Count: the total number of bytes that have passed through this rule.
    Statistics begin to accumulate as soon as the rule is enabled.