As per VVD guidance, the following layer 2 management VMs are excluded from all distributed firewall (DFW) rules in a VCF On VxRail solution:
- VxRail Manager
- WLD VCSA Appliances
- NSX Managers
- SDDC Managers
The logic is to let traffic flow freely between these management service VMs: if a DFW rule blocked traffic between vCenter and NSX Manager, for example, it would become impossible to manage the firewall at all.
View from the vSphere HTML client showing how the DFW Exclusion List is configured:
By default the following system VMs are also added to the DFW exclusion list:
- NSX Manager
- NSX Controllers
- Edge services gateways
As per VCF On VxRail Release Notes:
VxRail Manager is not added to the exclusion list of NSX-V Firewall in the management domain.
Generally all the VMs in the management domain are made part of the exclusion list of the NSX-V firewall in the management domain. However, the VxRail Manager VM in the management domain is not added to the exclusion list.
Workaround: Manually add VxRail Manager to the exclusion list of the NSX-V firewall in the management domain.
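The exclusion-list behaviour above and the release-note workaround both come down to one check: is every management VM actually on the list? The script below is an added example, not part of the original post or any VMware tooling. It assumes the NSX-V Manager REST endpoint `GET /api/2.1/app/excludelist` and an XML body in which each excluded VM is a `<member>` element carrying `<objectId>` and `<name>`; the VM-name patterns and the embedded sample response are constructed for illustration.

```python
"""Audit the NSX-V DFW exclusion list for the VCF on VxRail management VMs."""
import base64
import re
import ssl
import urllib.request
import xml.etree.ElementTree as ET

# Name patterns for the roles the post says must be excluded (assumed
# naming; adjust to the VM names used in your management domain).
REQUIRED_PATTERNS = {
    "VxRail Manager": r"vxrail.*manager|vxrm",
    "vCenter (WLD VCSA)": r"vcsa|vcenter",
    "NSX Manager": r"nsx.*manager|nsxm",
    "SDDC Manager": r"sddc.*manager",
}

def fetch_exclusion_list(nsx_manager, user, password, ca_bundle=None):
    """GET the exclusion list XML from NSX Manager (assumed endpoint)."""
    url = f"https://{nsx_manager}/api/2.1/app/excludelist"
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    ctx = ssl.create_default_context(cafile=ca_bundle)  # verify the Manager cert
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.read().decode()

def parse_excluded_vms(xml_text):
    """Return {objectId: name} for every <member> in the excludelist response."""
    members = {}
    for m in ET.fromstring(xml_text).iter("member"):
        oid, name = m.findtext("objectId"), m.findtext("name")
        if oid and name:
            members[oid] = name
    return members

def audit_exclusion_list(xml_text, required=REQUIRED_PATTERNS):
    """Map each required role to the excluded VM names matching it.

    An empty list means that role is NOT excluded; for VxRail Manager that is
    exactly the gap the release-note workaround fixes.
    """
    names = list(parse_excluded_vms(xml_text).values())
    return {role: [n for n in names if re.search(pat, n, re.IGNORECASE)]
            for role, pat in required.items()}

# Constructed sample: NSX Manager, vCenter and SDDC Manager are excluded,
# but VxRail Manager is missing, as the release note describes.
SAMPLE_XML = """<VshieldAppConfiguration><excludeListConfiguration>
<excludeMember><member><objectId>vm-101</objectId><name>nsx-manager-01</name></member></excludeMember>
<excludeMember><member><objectId>vm-102</objectId><name>vcsa-wld01</name></member></excludeMember>
<excludeMember><member><objectId>vm-103</objectId><name>sddc-manager</name></member></excludeMember>
</excludeListConfiguration></VshieldAppConfiguration>"""

if __name__ == "__main__":
    for role, hits in audit_exclusion_list(SAMPLE_XML).items():
        print(f"{role:20s}", ", ".join(hits) if hits else "MISSING - add to exclusion list")
```

Run it against a live Manager by passing the output of `fetch_exclusion_list(...)` to `audit_exclusion_list`; any role reported as MISSING should be added to the exclusion list before DFW rules are applied.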