DFW Blocks dch-photon through VCH unless destination any:any specified

I'm trying to set up VMware Integrated Containers in NSX when I came across an interesting issue.

I set up the test network in the diagram included below. But basically I used an L2 non-routed VXLAN network for my bridge network and a routed L3 VXLAN

Following Build, Push, and Pull an Image · VMware vSphere Integrated Containers 1.4 Documentation

     docker -H <VCHost> run --name build-slave -d -p 12375:2375 <dev-vic-registry>/default-project/dch-photon:1.13-cert

Creates a "container" VM with a private IP which communicates with the VCH across the bridge network.

I created a special DFW rule for the container to communicate with the VCH (first on DNS, but then ANY).

There is an outbound rule that allows all VMs on the cluster to communicate outbound, but it appears that the dch-photon container is not allowed to communicate outbound to the docker.io container registry without a destination any:service any rule in place. Any thoughts or suggestions about a better rule to allow the VCH to NAT the traffic from the dch-photon engine?
