My customer is using the bare-metal Windows vCenter now. I once followed the link below, but that only lets you choose VMs to put in the Exclusion List. How can I get the same effect with a Windows vCenter?
The DFW Exclusion List is only for virtual objects, either service VMs or workload/management VMs. However, you could still configure rules based on IPs/IP sets at the DFW/Edge level for any incoming/outgoing traffic irrespective of the workload type (physical/virtual). So my advice would be to leverage a traditional F/W since the VC is bare-metal, or to create allow-only rules for the VC to communicate with the management VMs if there is a use case.
Thanks Sreec. The customer is not skilled in the DFW environment. They could possibly make an input mistake that makes the whole vCenter malfunction, such as (deny any any). Should I just follow your advice to do it?
By default, traffic is allowed for both L2/L3 rules, just keep that in mind. If you are worried about deny rules getting pushed, it is better to exclude the management components (e.g. AD/DNS/NTP if they are running in VM form factor) to start off with, and while the customer gains more knowledge/confidence with the product, you should educate them regarding the usage of the various rule creation options and the general considerations to be followed.
Normally vCenter needs two kinds of communication:
1. vCenter <--> ESXi management vmkernel.
In your case, vCenter will not be affected by any DFW rules in this situation, because neither of them is managed by NSX DFW; their communication simply does not go through DFW.
2. vCenter <--> other management VMs like vRops, vRealize Automation, DNS, AD etc.
In this situation, communication might be affected; the solution is to add all these management VMs into the NSX exclusion list.
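One way to put both pieces of advice into practice (excluding the management VMs, and representing the bare-metal vCenter as an IP set with explicit allow rules), as an added example that is not from any of the posters. It assumes PowerCLI and the community PowerNSX module with an existing Connect-NsxServer/Connect-VIServer session; the IP, VM names and rule/section names are constructed placeholders.

```powershell
# Added example (not from the thread). Assumes PowerCLI + PowerNSX are loaded and
# Connect-NsxServer has already been run. All names and IPs below are placeholders.
$vcIp        = '192.0.2.10'                          # bare-metal Windows vCenter (constructed)
$mgmtVmNames = 'dc01', 'dns01', 'vrops01', 'vra01'   # management VMs (constructed names)
$mgmtVms     = Get-VM -Name $mgmtVmNames

# 1. Exclusion list: these VMs are no longer enforced by DFW at all, so a
#    mistaken "deny any any" rule cannot cut them off from vCenter.
$mgmtVms | Add-NsxFirewallExclusionListMember

# 2. A physical vCenter cannot be excluded, so model it as an IP set and
#    write explicit allow rules in a dedicated section (evaluated before any
#    broad deny the customer might add later).
$vcIpSet = New-NsxIpSet -Name 'ipset-vcenter' -IPAddress $vcIp -Description 'Bare-metal vCenter'
$section = New-NsxFirewallSection -Name 'Management-Allow'

# vCenter -> management VMs (AD/DNS/vRealize traffic) and the reverse direction.
$section | New-NsxFirewallRule -Name 'vCenter to mgmt VMs' -Source $vcIpSet `
    -Destination $mgmtVms -Action allow -EnableLogging
$section | New-NsxFirewallRule -Name 'mgmt VMs to vCenter' -Source $mgmtVms `
    -Destination $vcIpSet -Action allow -EnableLogging

# Sanity check: review what is excluded and what the new section contains
# before handing the environment to the customer.
Get-NsxFirewallExclusionListMember | Select-Object Name
Get-NsxFirewallSection -Name 'Management-Allow' | Get-NsxFirewallRule | Select-Object name, action
```

The ESXi management vmkernel traffic mentioned above is not touched by these rules, since it never traverses the DFW.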