docker -H <VCHost> run --name build-slave -d -p 12375:2375 <dev-vic-registry>/default-project/dch-photon:1.13-cert
Creates a "container" VM with the private IP 172.16.0.2 which communicates with the VCH, 172.16.0.1, across the bridge network.
I created a special DFW rule for 172.16.0.0/16 to communicate with the VCH (first on DNS, but then ANY).
There is an outbound rule that allows for all VMs on the cluster to communicate outbound, but it appears that the dch-photon container is not allowed to communicate outbound to the docker.io container registry without a destination any:service any rule in place. Any thoughts or suggestions about a better rule to allow DCH to NAT the traffic from the dch-photon engine?