[VMC on AWS] NSX Manager GUI Access, Public URL, and Private Network Considerations
search cancel

[VMC on AWS] NSX Manager GUI Access, Public URL, and Private Network Considerations

book

Article ID: 314138

calendar_today

Updated On:

Products

VMware Cloud on AWS

Issue/Introduction

To understand the accessibility of NSX manager over a private network and Public URL.


Symptoms:

Encountering a situation involving NSX Manager accessibility, specifically regarding the transition from public network access to a private network setup ( after following the instructions outlined here: Open NSX Manager)

Despite the configuration changes and making the NSX Manager accessibility limited through private channels, the NSX Manager's public URL remains accessible from the Internet. 


Cause

This is by design and architecture.

Resolution

The user's concerns about NSX Manager GUI accessibility, the continued availability of the public URL, and relevant configuration settings are addressed with insights into the following aspects:

 

1.) Effect of Adjusting Console Settings:

Altering the default behavior of the NSX Manager button from "Via the Internet (Public)" to "Via internal network (Private)" through console settings impacts the button's behavior. However, it does not affect the public URL's accessibility. The public URL remains accessible via the reverse proxy setup, maintaining consistency across commercial VMware Cloud (VMC) environments.

 

2.) Security Enhancement through IP Authentication Policy:

To strengthen security, an IP authentication policy approach is employed. This strategy ensures that access to the organizational environment, including NSX Manager, is allowed only from designated public IP ranges. This policy serves to enhance security by controlling access to authorized sources.

 

3.) NSX Manager's Connectivity and Accessibility:

Given NSX Manager's critical role in defining connectivity, it requires accessibility beyond private access. This is necessary to configure private access in the first place. Consequently, NSX Manager maintains access via the Cloud Services Platform (CSP) path, secured using industry-standard methods. This access path remains fundamental to the system's functionality.

 

4.) Configuration's Influence on NSX Manager Access Control:

The configuration settings affecting NSX Manager access control dictate the default behavior when the "Open NSX Manager" button is utilized. This setting determines whether the public or private path is chosen. However, it's essential to recognize that this configuration does not impact NSX Manager's availability or connectivity through either path.

 

 

Conclusion:

This knowledge-based article synthesizes insights into NSX Manager GUI accessibility, public URL availability, and the underlying design considerations. While configuration changes influence default behaviors, the public URL's accessibility remains intact due to the platform's design principles. Security measures, IP authentication policies, and architectural considerations are pivotal in managing accessibility and mitigating potential risks.

 

The resolution of the NSX manager only decides the accessibility of the manager via "Open NSX Manager" button.

 

image.png

 

 

NSX manager would still be accessible over the internet from this URL even if the resolution is set to private in the VMC console.

 

image.png

 

 

 

 

 


Workaround:

N/A


Additional Information

Open NSX Manager


Impact/Risks:

User would be still able to access NSX manager over public URL even after setting up the resolution to private.