[VMC on AWS] Customer is unable to create MGW/CGW Firewall Rules Post Terraform Execution

Article ID: 329470

Products

VMware Cloud on AWS

Issue/Introduction

To detail a known issue that can occur when Terraform is used to modify the SDDC.

Symptoms:
  • The customer attempts to create a Management (MGW) or Compute (CGW) Gateway Firewall rule, but clicking Add Rule does nothing.
  • The user attempting to modify the Firewall rules has the correct permissions applied to their account.
  • The same behavior has been verified across multiple web browsers and machines, including incognito mode.
  • The customer has used Terraform in the past to make modifications to the affected VMC SDDC.
  • The DFW rules are not impacted.
  • The following entries are seen in the NSX Manager logs:

2023-06-0106:21:44.016 +0100<99>1 2023-06-30T07:23:44.016Z NSX-Manager-1 NSX 89284 SYSTEM [nsx@6876 audit="true" comp="nsx-manager" level="INFO" subcomp="manager"] UserName:'[email protected]' ModuleName:'nsx-cloud-service' Operation:'GET@/api/v1/infra/vmc/realized-state/status' Operation status: 'failure' Error: Intent path /infra/linked-vpcs/vpc-xxxxxxxxxxxxx does not exist

2023-06-0112:12:48.559 +0100<99>1 2023-06-30T13:14:48.559Z NSX-Manager-1 NSX 89284 SYSTEM [nsx@6876 audit="true" comp="nsx-manager" level="INFO" subcomp="manager"] UserName:'[email protected]' ModuleName:'nsx-cloud-service' Operation:'GET@/api/v1/infra/sddc/mgw/gateway-policies/invalid-fw-rules' Operation status: 'failure' Error: Policy IPSEC VPN session retrieval failure: RuleListResultDto

  • The browser HAR capture reports an HTTP 500 status code with the following response body:

{
  "httpStatus" : "INTERNAL_SERVER_ERROR",
  "error_code" : 80391,
  "module_name" : "nsx-cloud-service",
  "error_message" : "Policy IPSEC VPN session retrieval failure: RuleListResultDto"
}
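As an added triage check, not taken from this article or from VMware's tooling: the following Python matches the audit-log and HAR signatures above against constructed sample data (the user, VPC id and NSX host in the samples are placeholders).

```python
import json
import re
# Field layout of the NSX Manager audit lines quoted above: Operation, status, optional Error.
_AUDIT_RE = re.compile(
    r"Operation:'(?P<op>[^']*)'\s+Operation status:\s*'(?P<status>[^']*)'"
    r"(?:\s+Error:\s*(?P<error>.*))?$"
)
# Signature this article ties to a deleted default MGW/CGW policy group.
_ERROR_TEXT = "Policy IPSEC VPN session retrieval failure: RuleListResultDto"
_ERROR_CODE = 80391
_GW_PATH_RE = re.compile(r"/infra/sddc/(mgw|cgw)/gateway-policies/invalid-fw-rules$")
# Constructed sample audit lines mirroring the article's; user and VPC id are placeholders.
SAMPLE_LOG = [
    "2023-06-30T07:23:44.016Z NSX-Manager-1 NSX 89284 SYSTEM [nsx@6876 audit=\"true\" comp=\"nsx-manager\" level=\"INFO\" subcomp=\"manager\"] UserName:'user@example.com' ModuleName:'nsx-cloud-service' Operation:'GET@/api/v1/infra/vmc/realized-state/status' Operation status: 'failure' Error: Intent path /infra/linked-vpcs/vpc-PLACEHOLDER does not exist",
    "2023-06-30T13:14:48.559Z NSX-Manager-1 NSX 89284 SYSTEM [nsx@6876 audit=\"true\" comp=\"nsx-manager\" level=\"INFO\" subcomp=\"manager\"] UserName:'user@example.com' ModuleName:'nsx-cloud-service' Operation:'GET@/api/v1/infra/sddc/mgw/gateway-policies/invalid-fw-rules' Operation status: 'failure' Error: " + _ERROR_TEXT,
]
# Constructed HAR fragment: one HTTP 500 response with the article's error body (placeholder host).
SAMPLE_HAR = {"log": {"entries": [{
    "request": {"url": "https://nsx.example/api/v1/infra/sddc/mgw/gateway-policies/invalid-fw-rules"},
    "response": {"status": 500, "content": {"text": json.dumps({
        "httpStatus": "INTERNAL_SERVER_ERROR", "error_code": _ERROR_CODE,
        "module_name": "nsx-cloud-service", "error_message": _ERROR_TEXT})}}}]}}

def parse_audit_line(line):
    """Return op/status/error from one audit line, or None if the fields are absent."""
    m = _AUDIT_RE.search(line)
    return m.groupdict() if m else None

def find_gateway_policy_failures(lines):
    """Gateways (MGW/CGW) whose invalid-fw-rules GET failed with the known error text."""
    hits = []
    for rec in filter(None, map(parse_audit_line, lines)):
        gw = _GW_PATH_RE.search(rec["op"])
        if rec["status"] == "failure" and gw and _ERROR_TEXT in (rec["error"] or ""):
            hits.append(gw.group(1).upper())
    return hits

def har_error_urls(har):
    """URLs of HAR entries whose HTTP 500 body carries error_code 80391 from nsx-cloud-service."""
    out = []
    for entry in har.get("log", {}).get("entries", []):
        resp = entry.get("response", {})
        try:
            body = json.loads(resp.get("content", {}).get("text", ""))
        except ValueError:
            continue
        if resp.get("status") == 500 and isinstance(body, dict) and body.get("error_code") == _ERROR_CODE and body.get("module_name") == "nsx-cloud-service":
            out.append(entry.get("request", {}).get("url", ""))
    return out
```

Run `find_gateway_policy_failures` over an exported NSX Manager log and `har_error_urls` over a browser HAR export to confirm the signature before engaging support.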


Cause

The Terraform script which was executed deleted the default policy group for the MGW or CGW.

Resolution

A future SDDC version will block the Cloudadmin account from accidentally deleting the default policy group for the MGW/CGW.

Workaround:
Engage VMware Support and request that the default policy group be recreated for the SDDC in question.

Additional Information

Always test Terraform scripts that make modifications to the environment in a lab SDDC prior to implementing on the Production SDDC.

Impact/Risks:
The customer will be unable to modify any MGW/CGW Firewall rules. The DFW rules can still be modified.