When attempting to add Management Gateway Firewall rules for HTTPS service in HCX, the operation fails with the following validation error:
Validation for entity with HCX Inbound failed for Constraints [mgw_group_communication_constraint_2:
if sourceGroups excludes [/infra/domains/mgw/groups/VCENTER],
destinationGroups includes [/infra/domains/mgw/groups/VCENTER]]
The error occurs whether the rule uses user-defined or custom groups for the HTTPS service, and it prevents adding the HTTPS management firewall rules that HCX requires.
To confirm that you are hitting this issue, check whether creating a Management Gateway Firewall rule with the HTTPS service selected consistently produces the validation error shown above.
The validation failure occurs due to stale HCX management entries present in the SDDC configuration database. These obsolete entries conflict with new rule creation attempts, causing the constraint validation to fail when defining HTTPS services in the Management Gateway Firewall.
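As an added illustration (not code from this article or from the HCX product), the following script evaluates the quoted constraint locally against a rule definition. A rule that passes this check but is still rejected by the SDDC points to the stale-entry cause rather than to the rule itself. The reading of the constraint as "VCENTER absent from sourceGroups implies VCENTER present in destinationGroups", the rule field names, and every group or service path other than the VCENTER path are assumptions.

```python
"""Local pre-check of mgw_group_communication_constraint_2 as quoted in the error.

Assumptions (not from the KB): the constraint means "if VCENTER is absent from
sourceGroups it must be present in destinationGroups"; rules are dicts with
source_groups / destination_groups lists of policy paths.
"""
from typing import Dict, List

# Group path taken verbatim from the validation error text.
VCENTER_GROUP = "/infra/domains/mgw/groups/VCENTER"


def mgw_group_communication_constraint_2(rule: Dict[str, List[str]]) -> List[str]:
    """Return violation messages for one rule (an empty list means it passes)."""
    sources = rule.get("source_groups", [])
    destinations = rule.get("destination_groups", [])
    violations = []
    # If VCENTER is not a source, the constraint requires it to be a destination.
    if VCENTER_GROUP not in sources and VCENTER_GROUP not in destinations:
        violations.append(
            "mgw_group_communication_constraint_2: if sourceGroups excludes "
            f"[{VCENTER_GROUP}], destinationGroups must include [{VCENTER_GROUP}]"
        )
    return violations


def check_rules(rules: List[Dict[str, List[str]]]) -> Dict[str, List[str]]:
    """Map each rule's display name to its violations, for a batch pre-check."""
    return {r["display_name"]: mgw_group_communication_constraint_2(r) for r in rules}


# Constructed sample rules (not from the KB). The first mirrors the HTTPS rule the
# article describes; the second is deliberately malformed for contrast. The
# HCX_Sources group path and the HTTPS service path are hypothetical.
SAMPLE_RULES = [
    {
        "display_name": "HCX Inbound",
        "source_groups": ["/infra/domains/mgw/groups/HCX_Sources"],
        "destination_groups": [VCENTER_GROUP],
        "services": ["/infra/services/HTTPS"],
    },
    {
        "display_name": "Malformed",
        "source_groups": ["/infra/domains/mgw/groups/HCX_Sources"],
        "destination_groups": ["/infra/domains/mgw/groups/HCX_Sources"],
        "services": ["/infra/services/HTTPS"],
    },
]

if __name__ == "__main__":
    for name, problems in check_rules(SAMPLE_RULES).items():
        print(name, "OK" if not problems else problems)
```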
Since the stale entries exist in the backend system configuration, they require specialized cleanup by the service team. Contact Broadcom Support with the following information:
The Broadcom Support team will coordinate with the HCX service team to remove the stale entries from the SDDC database.
See additional information for help with creating a case with Broadcom
For additional information on creating a support case see