Hey,
ANY > Cluster MGMT > Service > Deny. As you said should work.
Q1: Is your MGMT cluster prepared for NSX? You need to have the DFW module to work.
Q2: Check your exceptions tab, if your vcenter is in there, the firewall rule wont apply.
Is this like production cluster or is your lab and you want to hide it for peoplo looking at your infra? If is the second option you can use indentity firewall also to only allow your user to access it.
-------------------------------------------------------------------
Triple VCIX (CMA-NV-DCV) | vExpert | MCSE | CCNA