NSX-V Lab: Exclude VMs From the Distributed Firewall


Welcome to Part 6 of the NSX-V Lab Series. In the previous post, we covered how to deploy the NSX-V controllers.
In this post we’ll cover exclusions from the NSX Distributed Firewall.

Now I don’t technically need to do this, since the management cluster isn’t going to be prepared for NSX, but I’ll cover it in case you are preparing the cluster where your vCenter lives.
By default NSX automatically excludes the NSX Manager and any of its deployed components, but it won’t exclude other VMs, and that includes the vCenter. Why is this an issue, you ask? If you enable a default block rule on your distributed firewall but have either not set up any firewall rules, or have set them up but missed something, and the vCenter is running on a prepared host, then you can lock yourself out of the vCenter! We therefore exclude the vCenter from the distributed firewall so that we never get blocked.
If you do manage to block access to the vCenter, there is a way to restore it by resetting the distributed firewall. I’ll make a post on that later and update this post with a link when I do.

You can see the System Excluded VMs in the screenshot below.

To add VMs to the Distributed Firewall Exclusion list, open NSX and go to Firewall Settings, then select the Exclusion List and click + ADD.

Select any VMs you want to exclude.

And you are done. We don’t have to limit this to just the vCenter; any VMs that you wish to exclude from the firewall can be added the same way.
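The same exclusion list is exposed through the NSX Manager REST API, which makes it possible to check, before you flip the default rule to block, that the VMs you can’t afford to lose (the vCenter above all) are actually on it. The script below is an added example written for this post, not code from the original post or from VMware. It parses the XML that `GET /api/2.1/app/excludelist` returns and reports which required VMs are still missing; the API path, the `PUT /api/2.1/app/excludelist/{moid}` call used to add a member, and the element names (`member`, `objectId`, `name`) are taken from the NSX-V API guide as I understand it and should be treated as assumptions to compare against your own manager’s output. The sample response and all VM names and IDs in it are constructed so the script runs offline.

```python
"""Pre-flight check for the NSX-V Distributed Firewall exclusion list.

Added example, not from the original post. Confirms that the VMs we never
want firewalled (vCenter, for instance) are already on the exclusion list
before a default-block rule is enabled on the DFW. The API paths and XML
element names are assumptions based on the NSX-V API guide.
"""
import base64
import ssl
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample of a GET /api/2.1/app/excludelist response. Only the
# elements this script reads are included; the IDs and names are made up.
SAMPLE_EXCLUDE_LIST = """<?xml version="1.0" encoding="UTF-8"?>
<VshieldAppConfiguration>
  <excludeListConfiguration>
    <excludeMember>
      <member>
        <objectId>vm-101</objectId>
        <objectTypeName>VirtualMachine</objectTypeName>
        <name>nsx-manager</name>
      </member>
    </excludeMember>
    <excludeMember>
      <member>
        <objectId>vm-102</objectId>
        <objectTypeName>VirtualMachine</objectTypeName>
        <name>nsx-controller-1</name>
      </member>
    </excludeMember>
  </excludeListConfiguration>
</VshieldAppConfiguration>
"""


def parse_exclude_list(xml_text):
    """Return {objectId: name} for every member in the exclusion list."""
    root = ET.fromstring(xml_text)
    members = {}
    for member in root.iter("member"):
        moid = member.findtext("objectId")
        name = member.findtext("name")
        if moid and name:
            members[moid] = name
    return members


def missing_exclusions(xml_text, required_names):
    """Names from required_names that are NOT yet excluded from the DFW."""
    excluded = set(parse_exclude_list(xml_text).values())
    return sorted(n for n in required_names if n not in excluded)


def safe_to_enable_default_block(xml_text, required_names):
    """True only when every required VM is already on the exclusion list."""
    return not missing_exclusions(xml_text, required_names)


def exclude_request(manager, moid):
    """(method, url) pair that adds one VM (by vCenter MoRef ID) to the list.

    Assumed endpoint: PUT /api/2.1/app/excludelist/{moid} on NSX Manager.
    """
    return ("PUT", f"https://{manager}/api/2.1/app/excludelist/{moid}")


def fetch_exclude_list(manager, user, password, verify_tls=True):
    """Fetch the live exclusion list from NSX Manager (not run offline).

    NSX Manager uses HTTP basic auth; pass verify_tls=False only for a lab
    manager with a self-signed certificate.
    """
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"https://{manager}/api/2.1/app/excludelist",
        headers={"Authorization": f"Basic {token}", "Accept": "application/xml"},
    )
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    # Offline demonstration against the constructed sample. With a real
    # manager, replace SAMPLE_EXCLUDE_LIST with fetch_exclude_list(...).
    required = ["nsx-manager", "vcenter-01"]
    for name in missing_exclusions(SAMPLE_EXCLUDE_LIST, required):
        print(f"WARNING: {name} is not on the DFW exclusion list")
    print("safe to enable default block:",
          safe_to_enable_default_block(SAMPLE_EXCLUDE_LIST, required))
```

Run it as written and it warns that `vcenter-01` is missing, which is exactly the situation that locks you out once the default rule becomes block. Point `fetch_exclude_list` at your lab manager to check the real list, and use the `(method, url)` pair from `exclude_request` with the VM’s MoRef ID to add anything that is missing before touching the default rule.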

We are now finally ready to install NSX on the hosts.
