The complete set of firewall rules needed to support every permutation of Cloud Foundation on VxRail is extensive and out of scope for this guide. As part of the delivery engagement, Dell Professional Services works with the customer's network administrators to identify all the firewall rules that need to be configured before a Cloud Foundation on VxRail deployment starts.
Depending on your organization's security policies, if a firewall or firewall rules are in place between Cloud Foundation on VxRail VLANs (for example, between the management network of the Management Domain and that of a VI Workload Domain), there is an extensive list of ports that must be opened. You can research the list at https://ports.vmware.com/home. For simplicity's sake, an any-any trust rule between each such pair of subnets is the most practical option. Note that it removes segmentation between those two management networks, so scope it strictly to the two subnets in question rather than to any wider address range.
There are a few basic firewall rules that need to be in place:
- Cloud Foundation on VxRail is typically deployed from a jump host. Firewall rules must allow users logged in to the jump host to reach the out-of-band management (iDRAC) network of the VxRail nodes and the management network targeted for the Cloud Foundation on VxRail management domain.
- IT administrators need connectivity to the management network to reach the management components for SDDC, VxRail, and NSX.
- VxRail Manager must be able to reach local IT services such as DNS and NTP.
- If Secure Connect Gateway is deployed in the data center, VxRail Manager requires access to it for 'call home' support.
- SDDC Manager requires access to the VMware and Dell support sites to download bundles for lifecycle management.
Figure 57. External access for SDDC Manager and VxRail Manager
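As an added example (not Dell or VMware code, and not part of this guide's deliverables), the following Python script checks a candidate firewall ruleset against the basic flows listed above using first-match semantics, reports any required flow the ruleset does not allow, and lists the any-any trust rules so they can be reviewed deliberately. All subnets, the service network, and the per-flow ports (HTTPS 443, SSH 22, DNS udp/53, NTP udp/123) are assumptions chosen for illustration; the authoritative port list comes from https://ports.vmware.com/home and the delivery engagement.

```python
"""Coverage check of a candidate firewall ruleset against the basic
Cloud Foundation on VxRail flows listed above.

Added example, not Dell or VMware code. Subnets, network names and the
per-flow ports are assumptions chosen for illustration; the real list
comes from https://ports.vmware.com/home and the delivery engagement.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    src: str             # CIDR, or "any"
    dst: str             # CIDR, or "any"
    proto: str           # "tcp", "udp" or "any"
    port: Optional[int]  # None means every port
    action: str          # "allow" or "deny"


@dataclass(frozen=True)
class Flow:
    name: str
    src: str
    dst: str
    proto: str
    port: int


def _covers(rule_cidr: str, flow_cidr: str) -> bool:
    """True when the rule's address scope includes the whole flow scope."""
    if rule_cidr == "any":
        return True
    if flow_cidr == "any":
        return False  # a flow to anywhere is not satisfied by a narrower rule
    return ipaddress.ip_network(flow_cidr, strict=False).subnet_of(
        ipaddress.ip_network(rule_cidr, strict=False))


def first_match(rules: List[Rule], flow: Flow) -> Optional[Rule]:
    """First-match semantics, as on most firewalls: rule order matters."""
    for rule in rules:
        if (_covers(rule.src, flow.src) and _covers(rule.dst, flow.dst)
                and rule.proto in ("any", flow.proto)
                and rule.port in (None, flow.port)):
            return rule
    return None


def check_coverage(rules: List[Rule], flows: List[Flow]) -> Dict[str, str]:
    """Map each required flow to 'allow', 'deny' or 'no-rule'."""
    verdicts = {}
    for flow in flows:
        match = first_match(rules, flow)
        verdicts[flow.name] = match.action if match else "no-rule"
    return verdicts


def missing_flows(rules: List[Rule], flows: List[Flow]) -> List[str]:
    """Required flows the ruleset does not allow: fix these before deploying."""
    return [name for name, verdict in check_coverage(rules, flows).items()
            if verdict != "allow"]


def blanket_rules(rules: List[Rule]) -> List[Rule]:
    """Allow rules with no protocol or port restriction (the any-any trust
    shortcut). Worth reviewing: each one gives up segmentation between its pair."""
    return [r for r in rules
            if r.action == "allow" and r.proto == "any" and r.port is None]


# Constructed sample addressing (assumed for the example, not from the guide).
JUMP = "10.10.1.0/24"       # jump host network
IDRAC = "10.10.2.0/24"      # out-of-band (iDRAC) network of the VxRail nodes
MGMT = "10.10.10.0/24"      # Management Domain management network
WLD_MGMT = "10.10.20.0/24"  # VI Workload Domain management network
SVC = "10.10.5.0/24"        # local IT services (DNS, NTP)

REQUIRED_FLOWS = [
    Flow("jump-to-idrac-https", JUMP, IDRAC, "tcp", 443),
    Flow("jump-to-mgmt-https", JUMP, MGMT, "tcp", 443),    # SDDC, VxRail, NSX management UIs
    Flow("jump-to-mgmt-ssh", JUMP, MGMT, "tcp", 22),
    Flow("vxrail-dns", MGMT, SVC, "udp", 53),
    Flow("vxrail-ntp", MGMT, SVC, "udp", 123),
    Flow("sddc-support-https", MGMT, "any", "tcp", 443),   # VMware and Dell support sites
    Flow("mgmt-to-wld-https", MGMT, WLD_MGMT, "tcp", 443), # one of the many inter-domain ports
]

CANDIDATE_RULES = [
    Rule(JUMP, IDRAC, "tcp", 443, "allow"),
    Rule(JUMP, IDRAC, "tcp", 22, "allow"),
    Rule(JUMP, MGMT, "tcp", 443, "allow"),
    Rule(JUMP, MGMT, "tcp", 22, "allow"),
    Rule(MGMT, SVC, "udp", 53, "allow"),
    # NTP (udp/123) was forgotten: the check below reports it.
    Rule(MGMT, "any", "tcp", 443, "allow"),       # SDDC Manager to support sites
    Rule(MGMT, WLD_MGMT, "any", None, "allow"),   # the any-any shortcut between domains
    Rule(WLD_MGMT, MGMT, "any", None, "allow"),
    Rule("any", "any", "any", None, "deny"),      # explicit default deny
]

if __name__ == "__main__":
    for name, verdict in check_coverage(CANDIDATE_RULES, REQUIRED_FLOWS).items():
        print(f"{name:24} {verdict}")
    print("missing:", missing_flows(CANDIDATE_RULES, REQUIRED_FLOWS))
    for r in blanket_rules(CANDIDATE_RULES):
        print("review blanket rule:", r.src, "->", r.dst)
```

Run against the constructed ruleset, the check reports `vxrail-ntp` as denied (the rule was never written) and lists the two blanket rules between the Management Domain and VI Workload Domain management networks for review. Because matching is first-match, a broad rule placed early (such as the `MGMT -> any tcp/443` line) silently covers later, narrower flows; keep the ruleset in the same order as the firewall evaluates it when feeding it to this kind of check.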