This topic describes how to configure an NSX-T gateway firewall rule that allows traffic between a virtual private cloud (VPC) and a dedicated VMware environment.
Prerequisites
A workload network segment is created for a dedicated VMware environment. For more information, see Create a workload network segment.
Configure a firewall rule for a VPC and a dedicated VMware environment
By default, the VPC that is bound to a dedicated VMware environment can access only vCenter and NSX Manager. It cannot reach the NSX-T segments that you create. To allow traffic between the VPC and a segment, you must add a gateway firewall rule in the NSX-T console.
Procedure
Open the NSX-T console in a browser. Choose Security > Gateway Firewall > Compute Gateway.
Click ADD RULE, and then configure the new rule so that the VPC can access the dedicated VMware environment.
Click the Name column of the new rule to set a new name, such as VPC To CGW.
Click the Sources column of the new rule to set the access source of the firewall rule. The Set Source dialog box appears.
If no group meets your requirements, click ADD GROUP.
Enter a name for the group and click Set Members in the Compute Members column.
In the Select Members dialog box, click the IP Addresses tab, enter the CIDR block of the VPC, and then click APPLY.
In this example, 172.16.0.0/16 is the CIDR block of the VPC.
Click SAVE to save the group.
Select the group that you created. If other VPCs also need to access the dedicated VMware environment, select their groups as well. Click APPLY.
Click the Destinations column of the firewall rule.
Select the required group, such as CGW Network01, which contains the CIDR block 192.168.1.0/24 of the workload network segment. If the required group does not exist, create a group based on your business requirements. Click APPLY.
Click the Applied To column of the firewall rule, which is set to All Uplinks by default.
The Applied To parameter can be set to the following values:
All Uplinks: includes three uplink interfaces: Internet Interface, Intranet Interface, and Services Interface.
Internet Interface: uplink interface used to access the Internet.
Intranet Interface: uplink interface used to access VPCs and on-premises environments.
Services Interface: used to access the Internet-facing services of Alibaba Cloud.
Remove All Uplinks. Then, select Intranet Interface from the drop-down list, and set the action in the Action column to Allow. Traffic from the VPC arrives on the Intranet Interface, so the rule does not need to apply to the Internet Interface or the Services Interface; applying it only to the Intranet Interface keeps the rule from also permitting the same source CIDR block over the other uplinks.
After you configure the firewall rule, click PUBLISH. The rule does not take effect until it is published. After publishing, cloud services such as Elastic Compute Service (ECS) instances in the VPC can access the 192.168.1.0/24 network segment of the dedicated VMware environment.
The gateway firewall rule created in the preceding steps allows the VPC to access the specified network segment of the dedicated VMware environment. If workloads on that segment also need to access the Alibaba Cloud VPC, create a similar rule with the source and destination swapped: the group that contains the segment CIDR block as the source, and the group that contains the VPC CIDR block as the destination, again applied to the Intranet Interface.
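The following added example (not code from the original page, Alibaba Cloud, or VMware) expresses the procedure above as NSX-T Policy API payloads for both directions, VPC to segment and segment to VPC, and lints each rule before it would be published: it refuses a rule applied to All Uplinks or the Internet Interface, a 0.0.0.0/0 member, or source and destination CIDR blocks that overlap. The CGW policy path and the uplink label paths are assumed placeholders; read the real values from your NSX-T console or the Policy API. The 172.16.0.0/16 and 192.168.1.0/24 values are the ones used on this page.

```python
"""Build and lint Compute Gateway firewall rules before publishing them.

Added example, not code from the original page or from Alibaba Cloud / VMware.
The Policy API paths below (CGW policy, uplink labels) are assumed placeholders;
read the real ones from your NSX-T console or from GET /policy/api/v1/infra.
"""
import ipaddress
import json

DOMAIN_GROUPS = "/infra/domains/default/groups"
CGW_POLICY = "/infra/domains/default/gateway-policies/cgw"   # assumed path
UPLINK_SCOPE = {                                              # assumed labels
    "All Uplinks": "/infra/labels/cgw-all",
    "Internet Interface": "/infra/labels/cgw-public",
    "Intranet Interface": "/infra/labels/cgw-intranet",
    "Services Interface": "/infra/labels/cgw-services",
}


def ip_group(group_id, display_name, cidrs):
    """Group whose members are IP addresses (ADD GROUP > Set Members > IP Addresses)."""
    nets = [ipaddress.ip_network(c, strict=True) for c in cidrs]  # ValueError on host bits
    return {
        "path": f"{DOMAIN_GROUPS}/{group_id}",
        "body": {
            "display_name": display_name,
            "expression": [{
                "resource_type": "IPAddressExpression",
                "ip_addresses": [str(n) for n in nets],
            }],
        },
    }


def gateway_rule(rule_id, display_name, sources, destinations, applied_to, action="ALLOW"):
    """One Compute Gateway rule; services is ANY because the page restricts none."""
    return {
        "path": f"{CGW_POLICY}/rules/{rule_id}",
        "body": {
            "display_name": display_name,
            "source_groups": [g["path"] for g in sources],
            "destination_groups": [g["path"] for g in destinations],
            "services": ["ANY"],
            "scope": [UPLINK_SCOPE[name] for name in applied_to],
            "action": action,
        },
    }


def vpc_access_rules(vpc_cidr, segment_cidr):
    """Groups plus both rules: VPC -> segment (the page's rule) and segment -> VPC."""
    vpc = ip_group("vpc-cidr", "VPC CIDR", [vpc_cidr])
    seg = ip_group("cgw-network01", "CGW Network01", [segment_cidr])
    return {
        "groups": [vpc, seg],
        "rules": [
            gateway_rule("vpc-to-cgw", "VPC To CGW", [vpc], [seg], ["Intranet Interface"]),
            gateway_rule("cgw-to-vpc", "CGW To VPC", [seg], [vpc], ["Intranet Interface"]),
        ],
    }


def lint(rule, groups):
    """Problems a reviewer should block on before clicking PUBLISH (empty list = clean)."""
    by_path = {g["path"]: g for g in groups}
    body, problems = rule["body"], []

    # VPC traffic uses the Intranet Interface; All Uplinks or the Internet
    # Interface would also expose the destination on the public uplink.
    wide = {UPLINK_SCOPE["All Uplinks"], UPLINK_SCOPE["Internet Interface"]}
    if wide & set(body["scope"]):
        problems.append("scope includes the Internet uplink; apply the rule to the "
                        "Intranet Interface only")

    def members(paths):
        return [ipaddress.ip_network(a)
                for p in paths
                for expr in by_path[p]["body"]["expression"]
                for a in expr["ip_addresses"]]

    src, dst = members(body["source_groups"]), members(body["destination_groups"])
    if not src or not dst:
        problems.append("source or destination group has no IP members")
    for n in src + dst:
        if n.prefixlen == 0:
            problems.append(f"{n} matches every address; use the VPC or segment CIDR")
    for s in src:
        for d in dst:
            if s.overlaps(d):
                problems.append(f"source {s} overlaps destination {d}; check the CIDRs")
    return problems


if __name__ == "__main__":
    bundle = vpc_access_rules("172.16.0.0/16", "192.168.1.0/24")  # values from the page
    for item in bundle["groups"] + bundle["rules"]:
        print("PATCH /policy/api/v1" + item["path"])
        print(json.dumps(item["body"], indent=2))
    for rule in bundle["rules"]:
        print(rule["body"]["display_name"], "->", lint(rule, bundle["groups"]) or "clean")
```

Run it as-is to see the four PATCH bodies and the lint result for each rule. Groups must be created before the rules that reference them, which is the order the script prints them in; whatever creates the rules still has to publish the gateway policy, exactly as the console's PUBLISH step does.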