Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

In Abiquo 5.0, the platform implements vCloud firewall policies and classic firewalls at the Edge level, which  which is the distributed virtual firewall in vCenter and NSX. In previous versions we use VM IP literals but now we specify the VM object.

First, when the user assigns a firewall to a deployed VM, the platform creates a new rule with the source or destination that points to the VM object.

Secondly, when a user creates a classic firewall rule, the platform will implement it as in the following table.

Source or destination

New rule created using....

Any/Internal/External/All

A Network object. "Any" or "All" maps to ''VSE''

object:vcloudUrn
(e.g. the internal providerId of a vm)

Also ''IP Sets'' or ''Security Groups'', aggregations in NSX/vCloud, configured in orgVdc / Security

A VM (for example) object - (source or destination restricted to specific virtual machine)

IP or IPstart-IPend or network CIDR

A single IP, a IP range or an IP network specification

Comma separated list of the above values, e.g. 10.60.1.0,object:vmInternalProvidrId,10.60.2.0/24

An IP, a VM, and a network CIDR


When using a NAT IP in a VM, the platform also creates a firewall rule. And when using a public IP or NAT IP as a load balancer address, the platform also creates a firewall rule.

For vCloud versions without NSX support (versions below 9.5) or to restore the previous configuration with the firewall at the vApp network level, set the "abiquoabiquo.vcd.firewall.vappnetwork" property to true.

There is no specific upgrade path and the platform will platform will apply the new configuration when a user modifies the existing deployed firewalls, attaches firewalls to new VMs, or modifies an IP of a VM attached to a firewall.