As per VVD guidance, the following layer 2 management VMs are excluded from all distributed firewall (DFW) rules in a VCF On VxRail solution:

  • VxRail Manager
  • WLD VCSA Appliances
  • NSX Managers
  • SDDC Managers

The logic here is to let traffic flow freely between these management service virtual machines. For example, if a DFW rule blocked traffic between vCenter and NSX Manager, it would become impossible to manage the firewall itself.

In the vSphere HTML client, the DFW Exclusion List is configured under:

Networking & Security > Security > Firewall Settings > Exclusion List

By default the following system VMs are also added to the DFW exclusion list:

  • NSX Manager
  • NSX Controllers
  • Edge services gateways

As per VCF On VxRail Release Notes:

VxRail Manager is not added to the exclusion list of NSX-V Firewall in the management domain.

Generally all the VMs in the management domain are made part of the exclusion list of the NSX-V firewall in the management domain. However, the VxRail Manager VM in the management domain is not added to the exclusion list.

Workaround: Manually add VxRail Manager to the exclusion list of the NSX-V firewall in the management domain.
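Because the release note above means the exclusion list can silently lack VxRail Manager, it is worth auditing the list rather than trusting the defaults. The following Python script is an added example, not from the original post or from VMware: it parses the XML that NSX-V returns for the exclusion list (the `VshieldAppConfiguration` / `excludeMember` / `member` shape and the `/api/2.1/app/excludelist` path are assumed from the NSX-V 6.x API and should be checked against your NSX version), reports which of the four management roles named at the top of the post have no matching VM, and builds the PUT request used to add a missing VM by its MoRef. The VM name prefixes and the sample XML are constructed for the example; real inventories will need their own prefixes.

```python
import xml.etree.ElementTree as ET
from urllib.parse import quote

# Management VM roles the post says must be on the DFW exclusion list.
# Matching is by name prefix because real inventories carry suffixes; the
# prefixes are constructed assumptions for this example, not VCF-mandated names.
REQUIRED_PREFIXES = {
    "VxRail Manager": ("vxrail-mgr",),
    "WLD VCSA": ("vcenter-", "vcsa-"),
    "NSX Manager": ("nsx-mgr",),
    "SDDC Manager": ("sddc-manager",),
}

# Constructed sample of a GET /api/2.1/app/excludelist response (NSX-V 6.x
# VshieldAppConfiguration shape, assumed). VxRail Manager is absent, which
# mirrors the defect described in the release notes.
SAMPLE_EXCLUDELIST_XML = """<VshieldAppConfiguration>
  <excludeListConfiguration>
    <excludeMember>
      <member>
        <objectId>vm-101</objectId>
        <objectTypeName>VirtualMachine</objectTypeName>
        <name>nsx-mgr-01</name>
      </member>
    </excludeMember>
    <excludeMember>
      <member>
        <objectId>vm-102</objectId>
        <objectTypeName>VirtualMachine</objectTypeName>
        <name>vcenter-mgmt-01</name>
      </member>
    </excludeMember>
    <excludeMember>
      <member>
        <objectId>vm-103</objectId>
        <objectTypeName>VirtualMachine</objectTypeName>
        <name>sddc-manager-01</name>
      </member>
    </excludeMember>
  </excludeListConfiguration>
</VshieldAppConfiguration>
"""


def parse_excludelist(xml_text):
    """Return {vm_name: moref} for every VirtualMachine member of the list."""
    root = ET.fromstring(xml_text)
    members = {}
    for member in root.iterfind(".//excludeMember/member"):
        # Skip non-VM members (e.g. clusters or datacenters) if present.
        if member.findtext("objectTypeName") != "VirtualMachine":
            continue
        members[member.findtext("name")] = member.findtext("objectId")
    return members


def missing_roles(excluded_names, required=REQUIRED_PREFIXES):
    """Return the roles for which no excluded VM name matches a known prefix."""
    lowered = [name.lower() for name in excluded_names]
    missing = []
    for role, prefixes in required.items():
        if not any(name.startswith(p) for name in lowered for p in prefixes):
            missing.append(role)
    return missing


def add_member_request(nsx_manager, vm_moref):
    """Build (method, url) for the PUT that adds one VM to the exclusion list.

    Only the request is built; sending it requires credentials and a live NSX
    Manager, so the caller hands it to its own authenticated HTTP client.
    """
    url = f"https://{nsx_manager}/api/2.1/app/excludelist/{quote(vm_moref)}"
    return ("PUT", url)


def audit(xml_text):
    """Parse a saved or live exclusion list and return the missing roles."""
    return missing_roles(parse_excludelist(xml_text).keys())


if __name__ == "__main__":
    for role in audit(SAMPLE_EXCLUDELIST_XML):
        print(f"MISSING from DFW exclusion list: {role}")
    # Hypothetical NSX Manager host and VxRail Manager MoRef, for illustration.
    method, url = add_member_request("nsx-mgr-01.example.local", "vm-200")
    print(f"Remediation request: {method} {url}")
```

Run against the saved output of `GET /api/2.1/app/excludelist` after every VCF upgrade or domain deployment: the defect in the release notes is exactly the kind of drift a one-off manual workaround does not protect against.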
