
Manage firewalls

The platform provides a unified interface to firewalls in varied cloud environments. This section describes firewall policies, which are similar to security groups.

In vCloud Director, the platform supports classic firewalls, which are Edge firewalls at the level of the public cloud region (orgVDC). The platform does not support security groups for VMs in vCloud Director.



Firewall provider documentation

See the following provider documentation for more information about firewall functionality.

Provider                          Documentation

AWS                               AWS security groups:
                                  http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_SecurityGroups.html
                                  Information about the SDK and security groups, included in this tutorial:
                                  http://docs.aws.amazon.com/AWSSdkDocsJava/latest/DeveloperGuide/prog-services-ec2.html

Azure ARM                         Azure ARM security groups:
                                  https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-nsg

OpenStack Neutron                 Complete OpenStack Neutron guide: http://docs.openstack.org/
(KVM, OpenStack)

VMware NSX                        VMware NSX Documentation Center

vCloud Director                   VMware vCloud Director Documentation Center

In vCloud Director, the platform supports classic firewalls, which are Edge firewalls at the orgVDC level. See Manage classic firewalls.




Synchronize firewalls

The synchronize process will onboard firewalls and it will update the platform's information about firewalls that already exist in the cloud provider. The platform synchronizes automatically when you onboard virtual resources from public cloud. Depending on the provider, the platform may support synchronization at the level of the location (public cloud region) or virtual datacenter.

To synchronize firewalls do these steps:

  1. Select All virtual datacenters and the location, or a single virtual datacenter
  2. Click the synchronize button

To synchronize a firewall before you add new firewall rules:

  1. Select the firewall and click the synchronize button.




Create a firewall

Depending on provider support, the platform can create firewalls in virtual datacenters in the provider, or in the platform only, for later use in providers.

Privilege: Manage firewall

To create a new firewall, do these steps:

  1. Go to Virtual datacenters → Network → Firewalls
  2. Click the add button
  3. Enter the firewall details
    1. Name
    2. Location (selected from the pulldown list)
    3. Virtual datacenter: to create the firewall in the provider, select the virtual datacenter; to create the firewall in the platform only, select No virtual datacenter
    4. Description
  4. Click Save to create the firewall
  5. Add firewall rules as described below

If you entered a virtual datacenter, the platform creates your firewall in the provider and displays a provider ID and a virtual datacenter ID for the firewall.

If you selected No virtual datacenter, the firewall will be created in the platform in the public cloud region for your enterprise. The synchronize process will not update this firewall. The platform will not create it in the provider until you select a virtual datacenter.




Edit firewall rules

You can define firewall rules for inbound and outbound traffic.

To add a new firewall rule:

  1. Select the virtual datacenter or location
  2. Select the firewall
  3. On the firewall rules panel, click the pencil Edit button
  4. Select the Inbound or Outbound tab for the traffic direction you wish to control
  5. Enter the details of a rule
    1. Protocol
      • Select from Common protocols, OR
      • Enter a custom protocol
    2. Port range, with the start and end ports that this rule will apply to. Enter the same value twice for a single port, or enter a range to apply the rule to a number of ports at the same time
    3. Source or Target IP address (network address/netmask)
  6. Click Add. The firewall rule will be added to the rule list.
  7. Enter more rules as required, then click Save

Screenshot: Edit firewall rules




Delete firewall rules

To delete firewall rules, do these steps.

  1. Edit the firewall
  2. Select the Inbound or Outbound tab
  3. On the left-hand side of each rule you wish to delete, click the trash/garbage Delete button
  4. Click Save




Display firewalls

To manage firewalls go to Virtual datacenters → Network → Firewalls.

You can display and manage firewalls in the platform at the level of the virtual datacenter or the location (public cloud region or datacenter).

To display firewalls that exist in a virtual datacenter in the provider, do these steps:

  1. Go to Virtual datacenters → Network → Firewalls
  2. In the Virtual datacenters list, select the virtual datacenter

Screenshot: Virtual datacenters view with Network tab on Firewalls page

To display all firewalls in a location (public cloud region or datacenter), including those that only exist in the platform and not in the provider, do these steps:

  1. In the Virtual datacenters list, select All
  2. On the Firewalls tab, select the location (public cloud region or datacenter)

Screenshot: Virtual datacenters view with Network tab displaying all firewalls in a region of the cloud provider

Filter firewalls

Enter text in the search box to search by the name, description, and provider ID in the firewall list.




Assign a firewall to a VM

See Configure VMs (or VM firewalls)




Move a firewall to another VDC

To move a firewall to another virtual datacenter:

  • In Neutron, edit the firewall in Abiquo and change the VDC
  • In Azure ARM, edit the firewall and change or remove the virtual datacenter
  • In AWS, delete the firewall directly in the provider, then synchronize so the provider ID will be removed from the firewall in Abiquo. Now you can edit the firewall and change the virtual datacenter. This is because you are not allowed to edit firewalls or move them from one VPC to another in AWS, but you can do this in Abiquo. The following screenshot shows a firewall after the AWS security group was deleted. The firewall rules are preserved for you to edit or apply to another virtual datacenter.




Reuse a firewall after deleting a virtual datacenter

If you delete a virtual datacenter, the firewalls will be deleted in the cloud provider but they will still be present in the platform. The details of the firewalls may vary, for example, in AWS they will not have a Provider ID but in Neutron they will have a provider ID. You can edit these firewalls as required and assign them to another virtual datacenter.

To assign a firewall with no virtual datacenter to a virtual datacenter, do these steps:

  1. Go to Virtual datacenters → Network → Firewalls
  2. In the Virtual datacenters list, select All, then on the Firewalls tab select the location

    Screenshot: Reuse a firewall after deleting a virtual datacenter

  3. Select and edit the firewall
  4. Select the virtual datacenter to assign it to
  5. Click Save

Screenshot: Edit a firewall to assign it to a new virtual datacenter

 



Delete a firewall

To delete a firewall, do these steps:

  1. Edit the VMs that are using the firewall and remove the firewall from these VMs
  2. Select the firewall
  3. Click the Delete button




Troubleshooting firewalls

Q: Does my firewall exist in the provider? Which VDC does it belong to?

A: In the Abiquo API, the firewall object contains a link to the virtual datacenter it belongs to.

  • In AWS or Azure ARM, if a firewall has a provider ID, then it exists in the cloud provider. The provider ID is the AWS security group ID or the Azure firewall name.
  • Neutron assigns a provider ID to the firewall and it remains the same. In Neutron, the provider ID does not indicate if the firewall is assigned to a VDC or not. This means that the firewall can have a provider ID even when it does not exist in the provider.


Q: How can I edit a firewall in AWS?

A: Amazon allows you to edit firewall rules and you can do this through the platform. First synchronize the firewall to update the rules because AWS will not allow you to create a rule that already exists in the security group. Remember that it may take some time for firewall rules to propagate throughout AWS. Until the rules have propagated, Abiquo will not be able to detect them. See http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/query-api-troubleshooting.html#eventual-consistency

To edit an AWS firewall in Abiquo, you can delete the firewall directly in the provider, then synchronize so the provider ID will be removed from the firewall in Abiquo. You can now edit the firewall and the firewall rules, and you can even assign the firewall to another virtual datacenter. The following screenshot shows the default firewall for several different VDCs. The "webDB" firewall currently exists in AWS. The other firewalls have been created in Abiquo but are not assigned to a virtual datacenter and do not currently exist in AWS.
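The two checks an operator makes by hand in the steps above, that a rule's fields (direction, protocol, port range, source or target network) are well formed before clicking Add, and that a rule is not already present in an AWS security group before it is re-added, as an added Python example that is not Abiquo code. The port range of 0-65535 and the handling of protocol names are assumptions, since the page does not list the common protocols.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class FirewallRule:
    """One row of the firewall rules panel (constructed model, not the Abiquo API)."""
    direction: str   # "inbound" or "outbound" tab
    protocol: str    # a common protocol or a custom protocol name
    port_start: int  # enter the same value twice to select a single port
    port_end: int
    network: str     # source (inbound) or target (outbound) as address/netmask


def normalize(rule: FirewallRule) -> FirewallRule:
    """Canonical form so that logically equal rules compare equal."""
    net = ipaddress.ip_network(rule.network, strict=False)
    return FirewallRule(rule.direction.strip().lower(), rule.protocol.strip().lower(),
                        rule.port_start, rule.port_end, str(net))


def validate(rule: FirewallRule) -> list:
    """Return a list of problems; an empty list means the rule is well formed."""
    errors = []
    if rule.direction.strip().lower() not in ("inbound", "outbound"):
        errors.append(f"direction must be inbound or outbound, got {rule.direction!r}")
    if not rule.protocol.strip():
        errors.append("protocol is required")
    # Assumption: TCP/UDP port numbers; the page does not give a range.
    for name, port in (("start", rule.port_start), ("end", rule.port_end)):
        if not 0 <= port <= 65535:
            errors.append(f"{name} port {port} is outside 0-65535")
    if rule.port_start > rule.port_end:
        errors.append("start port must not be greater than end port")
    try:
        # strict=True rejects host bits set in the address, e.g. 10.0.0.1/24
        ipaddress.ip_network(rule.network, strict=True)
    except ValueError:
        errors.append(f"network {rule.network!r} is not a valid address/netmask")
    return errors


def duplicates(existing, new):
    """Rules in `new` that are already in `existing`, compared after normalization.

    AWS rejects a rule that already exists in the security group, so run this
    against the synchronized rule list before adding rules."""
    seen = {normalize(r) for r in existing}
    return [r for r in new if normalize(r) in seen]
```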

Screenshot: Editing a firewall in AWS




Manage firewalls with the API




Manage load balancers

The Abiquo load balancer feature is designed to simplify the creation of load balancers in both public and private cloud with the unified Abiquo interface.

Privilege: Manage load balancers, Assign load balancers

Abiquo supports load balancers using public cloud providers, including AWS and Rackspace, and network managers, including OpenStack Neutron and VMware NSX. In some providers, Abiquo also offers the following functionality:

  • Create a load balancer in Abiquo that is not assigned to a provider, at the cloud location level
  • Remove a load balancer configuration from the provider and reuse it

In public cloud, to synchronize load balancers, the platform will retrieve public cloud entities and create or update the corresponding Abiquo entities. In private cloud, the platform may retrieve Abiquo private cloud entities only and update the corresponding Abiquo entities. Warning: Do not modify Abiquo entities directly in the network manager.

Load balancers in a provider usually belong to a virtual datacenter but in vCloud Director they belong to a public cloud region. This means that in vCloud Director, you can attach VMs from more than one virtual datacenter to the same load balancer, and these load balancers do not work with private networks, which belong to only one virtual datacenter.




Support for load balancers by provider

The following tables summarize the load balancer functionality in each provider.

Please refer to cloud provider documentation or network manager documentation as the definitive guide to the load balancer feature.




Create load balancers

Before you begin:

  • Synchronize your virtual datacenters (including VMs, networks, firewalls, firewall rules, and load balancers)
  • If required by your provider, create firewalls for your VMs to allow your load balancers to access the VMs

To create load balancers:

  1. Select a virtual datacenter → Network → Load balancers.
    For vCloud, select All virtual datacenters → Network → Load balancers → Region
  2. Click the + Add button and complete the following dialogs according to your cloud provider's documentation

    Screenshot: Creating a load balancer in AWS

    Screenshot: Creating a load balancer in vCloud Director


Load balancer general information

The following screenshots are from AWS.


Load balancer routing rules


Load balancer SSL certificate


Load balancer health check


Load balancer firewalls

If your provider supports firewalls, to add a firewall to your load balancer, select your firewall from the list of firewalls that were created in your provider. Rackspace does not display a firewall selection list.

If a firewall is not on the list, it may not have been properly synchronized. In this case, you will need to click Cancel, synchronize firewalls and start again to create a new load balancer.

Screenshot: Create a load balancer, selecting firewall policies to assign to the load balancer

Assign load balancer nodes

To assign your load balancer to VMs, drag and drop the VMs from the Available Nodes list into the Attached Nodes list.

Privilege: Manage load balancers, Assign load balancers


  • The VMs to be load balanced can be in the same or different virtual appliances in the same virtual datacenter
  • You can also attach VMs by selecting load balancers when configuring the VM.

The following screenshot is from OpenStack Neutron.

Screenshot: Create a load balancer, assigning nodes

Load balancer node status

Abiquo will display the status of the load balancer nodes on the Nodes tab, if the status is available from the provider.

You can also check this status using the Abiquo API.




Manage load balancers with the API




Edit load balancers

The cloud provider determines which elements of a load balancer you can modify. It may be possible to make modifications in Abiquo that the cloud provider later rejects, triggering an error. Check your cloud provider documentation for supported modifications.




Edit VMs to assign or unassign load balancers

When creating or editing a VM, if the user has the privilege to Assign load balancers, the platform will display the Load balancers tab.




