Table of Contents | ||
---|---|---|
|
...
Excerpt | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Manage firewallsThe platform provides a unified interface to firewalls in varied cloud environments. This section describes firewall policies, which are similar to security groups. The platform supports firewall policies in private cloud with network managers (NSX, Neutron) and in public cloud (AWS, Azure). In Oracle Cloud, the platform enables users to onboard classic firewalls and assign them to VMs. In vCloud Director, the platform supports classic firewalls, which are Edge firewalls at level of the public cloud region (orgVDC). The platform does not support security groups for VMs in vCloud Director. See Manage classic firewalls Firewall provider documentationSee the following provider documentation for more information about firewall functionality.
Synchronize firewallsThe synchronize process will onboard firewalls and it will update the platform's information about firewalls that already exist in the cloud provider. The platform synchronizes automatically when you onboard virtual resources from public cloud. Depending on the provider, the platform may support synchronization at the level of the location (public cloud region) or virtual datacenter. To synchronize firewalls do these steps:
To synchronize a firewall before you add new firewall rules:
Create a firewallDepending on provider support, the platform can create firewalls in virtual datacenters in the provider, or in the platform only, for later use in providers.
To create a new firewall, do these steps:
If you entered a virtual datacenter, the platform created your firewall in the provider. The platform will display a provider-ID and a virtual datacenter ID for the firewall. If you selected No virtual datacenter, the firewall will be created in the platform in the public cloud region for your enterprise. The synchronize process will not update this firewall. The platform will not create it in the provider until you select a virtual datacenter. Edit firewall rulesYou can define firewall rules for inbound and outbound traffic. To add a new firewall rule:
Delete firewall rulesTo delete firewall rules, do these steps.
Display firewallsTo manage firewalls go to Virtual datacenters → Network → Firewalls. You can display and manage firewalls in the platforms at the level of the virtual datacenter or the location (public cloud region or datacenter). To display firewalls that exist in a virtual datacenter in the provider, do these steps:
To display all firewalls in a location (public cloud region or datacenter), including those that only exist in the platform and not in the provider, do these steps:
Filter firewallsEnter text in the search box to search by the name, description, and provider ID in the firewall list. Assign a firewall to a VMSee Configure VMs (or VM firewalls) Move a firewall to another VDCTo move a firewall to another virtual datacenter:
Reuse a firewall after deleting a virtual datacenterIf you delete a virtual datacenter, the firewalls will be deleted in the cloud provider but they will still be present in the platform. The details of the firewalls may vary, for example, in AWS they will not have a Provider ID but in Neutron they will have a provider ID. You can edit these firewalls as required and assign them to another virtual datacenter. To assign a firewall with no virtual datacenter to a virtual datacenter, do these steps
Delete a firewallTo delete a firewall, do these steps
Troubleshooting firewallsQ: Does my firewall exist in the provider? Which VDC does it belong to? A: In the Abiquo API, the firewall object contains a link to the virtual datacenter it belongs to.
Q: How can I edit a firewall in AWS? A: Amazon allows you to edit firewall rules and you can do this through the platform. First synchronize the firewall to update the rules because AWS will not allow you to create a rule that already exists in the security group. Remember that it may take some time for firewall rules to propagate throughout AWS. Until the rules have propagated, Abiquo will not be able to detect them. See http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/query-api-troubleshooting.html#eventual-consistency To edit an AWS firewall in Abiquo, you can delete the firewall directly in the provider, then synchronize so the provider ID will be removed from the firewall in Abiquo. You can now edit the firewall and the firewall rules, and you can even assign the firewall to another virtual datacenter. The following screenshot shows the default firewall for several different VDCs. The "webDB" firewall currently exists in AWS. The other firewalls have been created in Abiquo but are not assigned to a virtual datacenter and do not currently exist in AWS.
Manage firewalls with the APIManage load balancersThe Abiquo load balancer feature is designed to streamline the creation of load balancers in both public and private cloud with the unified Abiquo interface.
Abiquo supports load balancers using public cloud providers, including AWS and Rackspace, and network managers, including OpenStack Neutron and VMware NSX. In some providers, Abiquo also offers the following functionality:
In public cloud, to synchronize load balancers, the platform will retrieve public cloud entities and create or update the corresponding Abiquo entities. In private cloud, the platform may retrieve Abiquo private cloud entities only and update the corresponding Abiquo entities. Warning: Do not modify Abiquo entities directly in the network manager. Load balancers in a provider usually belong to a virtual datacenter but in vCloud Director they belong to a public cloud region. This means that in vCloud Director, you can attach VMs from more than one virtual datacenter to the same load balancer, and these load balancers do not work with private networks, which belong to only one virtual datacenter. Support for load balancers by providerThe following tables summarize the load balancer functionality in each provider.
Please refer to cloud provider documentation or network manager documentation as the definitive guide to the load balancer feature. Create a load balancerBefore you begin:
To create a load balancer:
Load balancer general informationThe following screenshots are from AWS.
Load balancer routing rules
Load balancer SSL certificate
Load balancer health check
Load balancer firewallsIf your provider supports firewalls, to add a firewall to your load balancer, select your firewall from the list of firewalls that were created in your provider. Rackspace does not display a firewall selection list. If a firewall is not on the list, it may not have been properly synchronized. In this case, you will need to click Cancel, synchronize firewalls and start again to create a new load balancer. Assign load balancer nodesTo assign your load balancer to VMs, drag and drop the VMs them from the Available Nodes list into the Attached Nodes list.
The following screenshot is from OpenStack Neutron. Load balancer node statusAbiquo will display the status of the load balancer nodes on the Nodes tab, if the status is available from the provider. You can also check this status using the Abiquo API. Manage load balancers with the APIEdit load balancersThe cloud provider determines which elements of a load balancer that you can modify. It may be possible to make modifications in Abiquo that will later be rejected by the cloud provider, triggering an error. Check your cloud provider documentation for supported modifications. Edit VMs to assign or unassign load balancersWhen creating or editing a VM, if the user has the privilege to Assign load balancers, the platform will display the Load balancers tab.
Onboard and synchronize load balancers from public cloudWhen you onboard a VDC from a public cloud provider, the load balancers associated with the VDC and its VMs will be onboarded into the platform. Remember: to access vCloud load balancers, and provider-only load balancers, go to All virtual datacenters and select the region. To synchronize all load balancers in a VDC or region:
Load balancers that have been deleted directly in the provider are displayed in light gray text. You can edit these load balancers to recreate them in the provider, or delete them. Delete or release load balancersTo delete a load balancer, select the load balancer and click the delete button. If your enterprise does not have credentials in the provider, then the load balancer will be released (it will be deleted in the platform but it will remain in cloud provider). |
...