A firewall rule consists of a section to segregate the firewall rules and the rule itself, which defines what network traffic is, or is not, blocked.

You create firewall rules that allow administrators to connect to the different VMware solutions, allow user access to the vRealize Automation portal, and provide external connectivity to the SDDC.

1. Log in to vCenter Server by using the vSphere Web Client.

   a. Open a Web browser and go to https://mgmt01vc01.sfo01.rainpole.local/vsphere-client.

   b. Log in using the following credentials.

      Setting      Value
      User name    administrator@vsphere.local
      Password     vsphere_admin_password

2. Add a section for the rules for the management applications.

   a. In the Navigator, click Networking & Security and click Firewall.

   b. From the NSX Manager drop-down menu, select 172.16.11.65.

   c. Click the Add Section icon.

   d. In the Add New Section dialog box, enter VMware Management Services in the Section Name text box, select the Mark this section for Universal Synchronization check box, and click Save.

3. Create a distributed firewall rule to allow SSH access to administrators for the different VMware appliances.

   a. Click Add rule in the VMware Management Services section.

   b. In the Name cell of the new rule, click the Edit icon to change the rule name to Allow SSH to admins.

   c. Click the Edit icon in the Source column, change the Object Type to Security Groups, add Administrators to the Selected Objects list, and click OK.

   d. Click the Edit icon in the Destination column, change the Object Type to Security Groups, add VMware Appliances and Update Manager Download Service to the Selected Objects list, and click OK.

   e. Click the Edit icon in the Service column, enter SSH in the filter, add SSH to the Selected Objects list, and click OK.

   f. Click Publish Changes.

4. Repeat the previous step to create the following distributed firewall rules.

      Name                                   Source           Destination                              Service / Port
      Allow vRA Portal to end users          any              vRealize Automation Appliances           HTTP, HTTPS
      Allow vRA Console Proxy to end users   any              vRealize Automation Appliances           TCP:8444
      Allow SDDC to any                      SDDC             any                                      any
      Allow PSC to admins                    Administrators   Platform Services Controller Instances   HTTPS
      Allow SSH to admins                    Administrators   VMware Appliances                        SSH
      Allow RDP to admins                    Administrators   Windows Servers                          RDP
      Allow Orchestrator to admins           Administrators   vRealize Orchestrator                    TCP:8281,8283
      Allow vROPs to admins                  Administrators   vRealize Operations Manager              HTTP, HTTPS
      Allow vRLI to admins                   Administrators   vRealize Log Insight                     HTTP, HTTPS
      Allow VAMI to admins                   Administrators   VMware Appliances                        TCP:5480
      Allow VDP to admins                    Administrators   VMware Appliances                        TCP:8543

5. Click Publish Changes.

6. Change the default rule action from allow to block for Region A.

   a. Under Default Section Layer3, in the Action column for the Default Rule, change the action to Block and click Save.

   b. Click Publish Changes.

7. Change the default rule action from allow to block for Region B.

   a. From the NSX Manager drop-down menu, select 172.17.11.65.

   b. Under Default Section Layer3, in the Action column for the Default Rule, change the action to Block and click Save.

   c. Click Publish Changes.

By allowing only the network traffic that is required by the SDDC to pass, network security is improved.
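As an added example (not VMware's code or part of the documented procedure), the following Python models the rule table from step 4 together with the default rule from steps 6 and 7 as a first-match rule set, so you can check which flows the published policy allows and see why the default action matters. The port numbers for the named services SSH, HTTP, HTTPS and RDP are assumed to be the standard ones, and the security-group membership of each endpoint is supplied by hand.

```python
from collections import namedtuple

# Standard port numbers assumed for the named NSX services used in the table.
NAMED_SERVICES = {"SSH": ("TCP", 22), "HTTP": ("TCP", 80),
                  "HTTPS": ("TCP", 443), "RDP": ("TCP", 3389)}

Rule = namedtuple("Rule", "name source destination services")  # source/destination: group or "any"
def parse_services(spec):
    """Expand 'HTTP, HTTPS', 'TCP:8281,8283' or 'any' into (proto, port) pairs."""
    if spec.strip() == "any":
        return frozenset({("any", 0)})
    out, proto = set(), None
    for item in (s.strip() for s in spec.split(",")):
        if item in NAMED_SERVICES:
            out.add(NAMED_SERVICES[item])
        elif ":" in item:                      # 'TCP:8281' sets the protocol
            proto, port = item.split(":", 1)
            out.add((proto.upper(), int(port)))
        elif item.isdigit() and proto:         # '8283' inherits it
            out.add((proto.upper(), int(item)))
        else:
            raise ValueError(f"unrecognised service {item!r}")
    return frozenset(out)

# The rule table from step 4, in the order it is published (first match wins).
RULES = [Rule(n, s, d, parse_services(p)) for n, s, d, p in [
    ("Allow vRA Portal to end users", "any", "vRealize Automation Appliances", "HTTP, HTTPS"),
    ("Allow vRA Console Proxy to end users", "any", "vRealize Automation Appliances", "TCP:8444"),
    ("Allow SDDC to any", "SDDC", "any", "any"),
    ("Allow PSC to admins", "Administrators", "Platform Services Controller Instances", "HTTPS"),
    ("Allow SSH to admins", "Administrators", "VMware Appliances", "SSH"),
    ("Allow RDP to admins", "Administrators", "Windows Servers", "RDP"),
    ("Allow Orchestrator to admins", "Administrators", "vRealize Orchestrator", "TCP:8281,8283"),
    ("Allow vROPs to admins", "Administrators", "vRealize Operations Manager", "HTTP, HTTPS"),
    ("Allow vRLI to admins", "Administrators", "vRealize Log Insight", "HTTP, HTTPS"),
    ("Allow VAMI to admins", "Administrators", "VMware Appliances", "TCP:5480"),
    ("Allow VDP to admins", "Administrators", "VMware Appliances", "TCP:8543"),
]]

def evaluate(src_groups, dst_groups, proto, port, default="block", rules=RULES):
    """src/dst_groups: security groups each endpoint belongs to; unmatched traffic
    falls through to the Default Rule, whose action steps 6 and 7 change to block."""
    for r in rules:
        if r.source != "any" and r.source not in src_groups:
            continue
        if r.destination != "any" and r.destination not in dst_groups:
            continue
        if ("any", 0) in r.services or (proto, port) in r.services:
            return "allow", r.name
    return default, "Default Rule"
```

Calling `evaluate(set(), {"VMware Appliances"}, "TCP", 22)` returns the Default Rule's action, so with the shipped default of allow a non-administrator would reach SSH on the appliances; only after steps 6 and 7 does that flow come back as block.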