[VMC on AWS] Establishing Connectivity through Compute Gateway Firewall and Distributed Firewall
Article ID: 314124


Products

VMware Cloud on AWS

Issue/Introduction

The purpose of this KB article is to offer guidance and a solution to customers who might encounter connectivity problems when setting up communication between virtual machines in a Software-Defined Data Center (SDDC) and on-premises resources.


Symptoms:
  • Customers encounter connectivity issues when attempting to establish communication between a Virtual Machine (VM) within a Software-Defined Data Center (SDDC) and a VM or instance located on the on-premises or xVPC network. The problem arises from a mismatch between the rules configured in the Compute Gateway Firewall (CGW) and the Distributed Firewall (DFW).
  • Connectivity works as expected when a CGW rule is configured, specifying the source and destination for communication.
  • A DFW rule with the "Allow" action permits any-to-any communication without issues.
  • However, when the DFW rule is changed to the "Drop" action, the established connectivity between CGW source/destination is disrupted.


Cause

Both the Gateway Firewall (GW FW) and the Distributed Firewall (DFW) have to allow the connectivity. North-South (N/S) traffic becomes East-West (E/W) traffic as it arrives at, or at the moment it leaves, the workload VM, even though the Edges (T0 and T1) are excluded from the DFW.

Resolution

To establish seamless connectivity between the CGW rules and the DFW rules, additional steps are necessary.


1.) Matching DFW Rule:

Create a Distributed Firewall (DFW) rule that matches the source subnets involved in the Compute Gateway Firewall (CGW) communication. The rule should allow communication between these source subnets and the appropriate destination, using the required protocols and ports.


2.) Consistent Rule Action:

Ensure that the actions of both the CGW rule and the corresponding DFW rule are consistent. If the CGW rule allows traffic, the corresponding DFW rule should also allow traffic. Similarly, if the CGW rule drops traffic, the corresponding DFW rule should also drop traffic.


3.) Understanding Traffic Flow:

It's essential to recognize that North-South (N/S) traffic entering or leaving the workload VM can be treated as East-West (E/W) traffic. This transformation occurs either as the traffic arrives at the VM or at the moment it leaves the VM. Even if the Edges (T0 and T1) are excluded from the Distributed Firewall (DFW), communication must still be explicitly allowed within the DFW for the source and destination subnets involved in the CGW communication.


Establishing effective communication between Compute Gateway Firewall (CGW) rules and Distributed Firewall (DFW) rules requires consistent rule actions and the creation of DFW rules that match the source subnets. Despite the exclusion of Edges from DFW rules, it's necessary to allow communication within the DFW for the desired source and destination subnets. By following these steps, organizations can achieve seamless connectivity between their SDDC VMs and on-premises resources.
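The check below is an added example, not part of this KB and not VMware's own tooling: it walks a CGW rule list against a DFW rule list and reports, per CGW rule, whether the first covering DFW rule carries the same action. The rule format and all subnets, names and rule sets are constructed for illustration (not the NSX policy API schema); the three DFW variants correspond to the symptoms above (DFW allow any, DFW drop any) and to the resolution (a matching DFW rule placed before the drop).

```python
import ipaddress

# Constructed sample rules (simplified, not the NSX policy API format).
# source/destination are CIDR lists; "0.0.0.0/0" stands for "Any".
CGW_RULES = [
    {"name": "onprem-to-sddc-ssh", "source": ["10.10.0.0/16"],
     "destination": ["192.168.50.0/24"], "service": ["TCP/22"], "action": "ALLOW"},
]
DFW_ALLOW_ANY = [{"name": "dfw-any", "source": ["0.0.0.0/0"], "destination": ["0.0.0.0/0"],
                  "service": ["ANY"], "action": "ALLOW"}]  # symptom: works
DFW_DROP_ANY = [dict(DFW_ALLOW_ANY[0], action="DROP")]      # symptom: connectivity breaks
DFW_MATCHING = [{"name": "dfw-onprem-ssh", "source": ["10.10.0.0/16"],
                 "destination": ["192.168.50.0/24"], "service": ["TCP/22"], "action": "ALLOW"},
                DFW_DROP_ANY[0]]                             # resolution steps 1 and 2

def _covers(rule_nets, cidr):
    """True if any network in rule_nets contains the CGW rule's cidr."""
    target = ipaddress.ip_network(cidr)
    return any(ipaddress.ip_network(n).supernet_of(target) for n in rule_nets)

def _service_covers(rule_services, service):
    return "ANY" in rule_services or service in rule_services

def first_matching_dfw_rule(cgw_rule, dfw_rules):
    """DFW rules apply top-down: return the first rule covering the CGW rule's
    source, destination and service, or None if nothing matches."""
    for rule in dfw_rules:
        if (all(_covers(rule["source"], s) for s in cgw_rule["source"])
                and all(_covers(rule["destination"], d) for d in cgw_rule["destination"])
                and all(_service_covers(rule["service"], v) for v in cgw_rule["service"])):
            return rule
    return None

def check_consistency(cgw_rules, dfw_rules):
    """One finding per CGW rule: 'consistent', 'mismatch' (actions differ, e.g.
    CGW ALLOW but DFW DROP, so the flow is dropped) or 'no_dfw_match'."""
    findings = []
    for cgw in cgw_rules:
        dfw = first_matching_dfw_rule(cgw, dfw_rules)
        if dfw is None:
            status = "no_dfw_match"   # the DFW default rule decides this flow
        elif dfw["action"] == cgw["action"]:
            status = "consistent"
        else:
            status = "mismatch"
        findings.append({"cgw": cgw["name"], "dfw": dfw["name"] if dfw else None,
                         "status": status})
    return findings

if __name__ == "__main__":
    for label, dfw in [("allow-any", DFW_ALLOW_ANY), ("drop-any", DFW_DROP_ANY),
                       ("matching", DFW_MATCHING)]:
        print(label, check_consistency(CGW_RULES, dfw))
```

A "mismatch" finding is exactly the state described in the symptoms: the CGW permits the flow but the first DFW rule that matches it drops the packets at the VM.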


For any further assistance or inquiries, please contact our technical support team.



Workaround:

N/A


Additional Information

N/A


Impact/Risks:

Issues in connectivity between source and destination.