VCF ON VXRAIL – DFW EXCLUSION LISTS

As per VVD guidance the following layer2 management VMs are excluded from any distributed firewall rules in a VCF On VxRail solution:

  • VxRail Manager
  • WLD VCSA Appliances
  • NSX Managers
  • SDDC Managers

The logic here is to allow traffic flow freely between these management service virtual machines, for example if a DFW rule blocks traffic between vCenter and NSX Manager then it becomes impossible to manage the firewall.

View from vSphere html client on how the DFW Exclusion Lists are configured:

Networking & Security > Security > Firewall Settings > Exclusion List

By default the following system VMs are also added to the DFW exclusion list:

  • NSX Manager
  • NSX Controllers
  • Edge services gateways
As per VCF On VxRail Release Notes:

VxRail Manager is not added to the exclusion list of NSX-V Firewall in the management domain.

Generally all the VMs in the management domain are made part of the exclusion list of the NSX-V firewall in the management domain. However, the VxRail Manager VM in the management domain is not added to the exclusion list.

Workaround: Manually add VxRail Manager to the exclusion list of the NSX-V firewall in the management domain.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s