Allowing inbound Internet connectivity to a virtual machine within VMware vCloud Hybrid Service (2053482)

Symptoms

  • You are unable to reach a virtual machine that resides within VMware vCloud Hybrid Service from the Internet 

Purpose

This article provides steps to configure a virtual machine within VMware vCloud Hybrid Service to allow inbound Internet communication. Specifically, the steps in this article allow communication initiated by an Internet-facing machine to reach a virtual machine, but do not allow the virtual machine to initiate one-way or two-way communication to the Internet.

For the process of allowing a virtual machine running within VMware vCloud Hybrid Service to initiate communication with an Internet-facing machine, see Allowing outbound Internet connectivity to a virtual machine within vCloud Hybrid Service (2053464).

Resolution

Prerequisites

To allow inbound Internet connectivity to a virtual machine within VMware vCloud Hybrid Service, you require:

  • A virtual machine that has been created with at least one network interface card (NIC) attached to a routed Organization network.
  • Permissions to modify network configuration. Your user account must contain the Network Administrator role.

Configuring inbound Internet connectivity 

Caution: The steps in this section may directly affect the security of your network. VMware recommends that you discuss the associated security risks with your network administrator.
 
To configure inbound Internet connectivity for a virtual machine, you must:
  1. Configure Destination Network Address Translation (DNAT)
  2. Configure a firewall exception for inbound traffic

Configuring Destination Network Address Translation (DNAT)

To configure DNAT:
  1. Log in to the VMware vCloud Hybrid Service portal with a user that has the required permissions. See Prerequisites for more information.
  2. From the dashboard tab, click on your Organization Virtual Datacenter (OrgVDC).
  3. Click the Gateways tab from your OrgVDC.
  4. Make note of the Gateway IP, which you will use later. This is your Internet-facing IP address.
  5. Click on the details of the gateway to edit its properties.
  6. Under NAT Rules, click Add One and select Destination NAT from the drop-down.
  7. Enter the Internet-facing IP address recorded in step 4 into the Original (External) IP/range text box. 

    Note: You can also verify the IP address by clicking on the Show link below the text box.

  8. Set the desired Protocol(s):
    • If the Protocol is set to TCP, UDP, or TCP & UDP, set the Original Port to the desired port by typing it in the provided field. 

      Note: You can leave the setting at Any for all ports.
    • If the Protocol is set to ICMP, set the ICMP type to the desired type of ICMP message by selecting it from the dropdown. 

      Note: You can leave the setting at Any for all message types.

  9. Enter the IP address of the virtual machine requiring Internet connectivity into the Translated (Internal) IP/range text box. For example: 192.168.100.2/32 or 172.16.17.18.
  10. Enter the desired Translated Port into the provided field.

    Note: You can leave the setting at Any for all ports.

  11. Ensure that the Enable this rule checkbox is selected, then click Save to add the rule. You will receive a notification stating Gateway: Gateway updated successfully when the change has been completed.
  12. Repeat steps 5 through 12 for any additional ports or ICMP types.

Configuring a firewall exception for inbound traffic

To configure a firewall exception for inbound traffic:
  1. From the main screen's dashboard tab, click your OrgVDC.
  2. Click the Gateways tab from your OrgVDC.
  3. Click on the details of the gateway to edit its properties.
  4. Under Firewall Exceptions, click Add One.
  5. Provide a Name for the rule.
  6. Ensure that Enable this rule is selected.
  7. Set the desired Protocol(s).
  8. Set the Source to an IP or range of IPs from which the virtual machine should receive traffic.
    Note: You can also enter the word external to allow all external sources.
  9. Leave the Source Port set to Any.
  10. Set the Destination to the IP address or CIDR notation of the virtual machine requiring Internet connectivity. For example, 192.168.100.2 or 172.16.17.18/32.
  11. Leave the Destination Port set to Any.
  12. Click Save to add the exception.  You will receive a notification stating Gateway: Gateway updated successfully when the change has been completed.
  13. Repeat steps 3 through 12 for any additional exceptions needed.

When the reconfiguration task has completed, your virtual machine will be allowed inbound Internet connectivity on the configured IP address and port(s).
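
An added example, not part of the VMware article: a Python check that reviews a planned set of DNAT rules and firewall exceptions before they are entered in the portal, flagging the Any and external settings and any DNAT rule with no matching exception. The dict keys are hypothetical names for the form fields described above, not a vCloud Hybrid Service export format, and the sample rules and addresses are constructed.

```python
import ipaddress

ANY = "Any"

def protos(value):
    # "TCP & UDP" -> {"TCP", "UDP"}
    return {p.strip() for p in value.split("&")}

def net(value):
    # Accepts both forms the article shows: 192.168.100.2 and 172.16.17.18/32
    return ipaddress.ip_network(value, strict=False)

def covers(fw, dnat):
    """True if an enabled firewall exception admits the DNAT rule's translated traffic."""
    return (fw["enabled"]
            and protos(dnat["protocol"]) <= protos(fw["protocol"])
            and net(dnat["translated_ip"]).subnet_of(net(fw["destination"]))
            and fw["dest_port"] in (ANY, dnat["translated_port"]))

def audit(dnat_rules, fw_rules):
    """Return (rule label, finding) pairs for over-broad or unmatched rules."""
    findings = []
    for fw in (f for f in fw_rules if f["enabled"]):
        if fw["source"].lower() == "external":
            findings.append((fw["name"], "source 'external' admits every Internet host"))
        if fw["dest_port"] == ANY and fw["protocol"] != "ICMP":
            findings.append((fw["name"], "destination port Any is not limited to the published port"))
    for d in (r for r in dnat_rules if r["enabled"]):
        label = f"DNAT {d['original_ip']}:{d['original_port']}"
        if d["protocol"] != "ICMP" and ANY in (d["original_port"], d["translated_port"]):
            findings.append((label, "port Any forwards every port to the virtual machine"))
        if not any(covers(fw, d) for fw in fw_rules):
            findings.append((label, "no enabled firewall exception matches this rule"))
    return findings

# Constructed sample rules; 203.0.113.10 stands in for the Gateway IP from step 4.
DNAT_RULES = [
    {"enabled": True, "original_ip": "203.0.113.10", "protocol": "TCP",
     "original_port": "443", "translated_ip": "192.168.100.2/32", "translated_port": "443"},
    {"enabled": True, "original_ip": "203.0.113.10", "protocol": "TCP & UDP",
     "original_port": ANY, "translated_ip": "172.16.17.18", "translated_port": ANY},
]
FW_RULES = [
    {"name": "web-in", "enabled": True, "protocol": "TCP", "source": "external",
     "dest_port": ANY, "destination": "192.168.100.2"},
]

if __name__ == "__main__":
    for label, finding in audit(DNAT_RULES, FW_RULES):
        print(f"{label}: {finding}")
```
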

Impact/Risks

The steps in this article may directly affect the security of your network. VMware recommends that you discuss the associated security risks with your network administrator.
