The entire list of firewall rules that need to be configured to support every permutation of Cloud Foundation on VxRail is extensive, and is out of scope for this guide. As part of  delivery engagement, Dell professional services will work with a customer’s network administrators to identify all firewall rules that need to be configured before starting a Cloud Foundation on VxRail deployment.

Depending on your company’s security policies, if a firewall or firewall rules are in place between Cloud Foundation on VxRail VLANs (for example, between the management network of the Management Domain and a VI Workload Domain), then an extensive list of ports must be opened. You can research the list at https://ports.vmware.com/home. For simplicity’s sake, an any-any trust rule between any of these pairs of subnets is the most practical option.

The following basic firewall rules must be in place:

• The deployment of Cloud Foundation on VxRail is typically performed from a jump host. Firewall rules need to be in place to allow users logged into the jump host to access the out-of-band management (iDRAC) network for the VxRail nodes and allow access to the management network targeted for the Cloud Foundation on VxRail management domain.
• IT administrators will need connectivity to the management network to enable access to the management components for SDDC, VxRail, and NSX-T.
• VxRail Manager will need to reach local IT services such as DNS and NTP.
• If Secure Connect Gateway is deployed in the data center, VxRail Manager will require access for ‘call home’ support.
• SDDC Manager will require access to the VMware and Dell support sites. This is required to download bundles for lifecycle management.

Figure 58.    External access for SDDC Manager and VxRail Manager