Example Management Gateway Firewall Rules

Some common firewall rule configurations include opening access to the vSphere Client from the internet, allowing access to vCenter through the management VPN tunnel, and allowing remote console access.

Commonly Used Firewall Rules

The following table shows the Service, Source, and Destination settings for commonly-used firewall rules.

Commonly-Used Firewall Rules

| Use Cases | Service | Source | Destination |
|---|---|---|---|
| Provide access to vCenter from the internet. Use for general vSphere Client access as well as for monitoring vCenter. | HTTPS | Public IP address | vCenter |
| Provide access to vCenter over VPN tunnel. Required for Management Gateway VPN, Hybrid Linked Mode, Content Library. | HTTPS | IP address or CIDR block from on-premises data center | vCenter |
| Provide access from cloud vCenter to on-premises services such as Active Directory, Platform Services Controller, and Content Library. | Any | vCenter | IP address or CIDR block from on-premises data center |
| Provisioning operations involving network file copy traffic, such as cold migration, cloning from on-premises VMs, snapshot migration, replication, and so on. | Provisioning | IP address or CIDR block, either public or from an on-premises data center connected by a VPN tunnel | ESXi Management |
| VMRC remote console access. Required for vRealize Automation. | Remote Console | IP address or CIDR block, either public or from an on-premises data center connected by a VPN tunnel | ESXi Management |
| vMotion traffic over VPN. | Any | ESXi Management | IP address or CIDR block from on-premises data center |
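As an added example (not VMware's code or documentation), the rows of the table can be written down as a rule set and checked against sample flows before they are applied to the gateway. The on-premises CIDR, the public admin address, first-match evaluation and the implicit deny for unmatched traffic are assumptions made for this example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed values: an assumed on-premises CIDR reached over the VPN tunnel and
# an assumed public administrator address (RFC 5737 documentation range).
ONPREM = "10.20.0.0/16"
PUBLIC_ADMIN = "203.0.113.10/32"

@dataclass(frozen=True)
class Rule:
    use_case: str
    service: str      # "HTTPS", "Provisioning", "Remote Console" or "Any"
    source: str       # CIDR, or a management group such as "vCenter" / "ESXi Management"
    destination: str  # management group or CIDR

# The six rows of the table, with the placeholder addresses filled in.
RULES = [
    Rule("vCenter from the internet", "HTTPS", PUBLIC_ADMIN, "vCenter"),
    Rule("vCenter over VPN tunnel", "HTTPS", ONPREM, "vCenter"),
    Rule("Cloud vCenter to on-premises services", "Any", "vCenter", ONPREM),
    Rule("Provisioning (network file copy)", "Provisioning", ONPREM, "ESXi Management"),
    Rule("VMRC remote console", "Remote Console", ONPREM, "ESXi Management"),
    Rule("vMotion over VPN", "Any", "ESXi Management", ONPREM),
]

def _matches(selector: str, endpoint: str) -> bool:
    """True if endpoint is the same group name as selector, or an IP inside its CIDR."""
    if selector == endpoint:
        return True
    try:
        return ipaddress.ip_address(endpoint) in ipaddress.ip_network(selector, strict=False)
    except ValueError:
        return False  # group name versus IP address, or a malformed value: no match

def evaluate(service: str, source: str, destination: str, rules=RULES):
    """Return the use case of the first matching rule; None means no rule allows the flow (assumed default deny)."""
    for rule in rules:
        if (rule.service in ("Any", service) and _matches(rule.source, source)
                and _matches(rule.destination, destination)):
            return rule.use_case
    return None

def internet_wide(rules) -> list:
    """Rules whose source admits every address (0.0.0.0/0 or ::/0); no row in the table is that broad."""
    flagged = []
    for rule in rules:
        try:
            if ipaddress.ip_network(rule.source, strict=False).prefixlen == 0:
                flagged.append(rule)
        except ValueError:
            continue  # source is a management group, not a CIDR
    return flagged
```

A flow such as Provisioning traffic from the public admin address to ESXi Management returns None here, because the rule set only admits that address for HTTPS to vCenter.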