Info

This section describes firewall policies in private cloud with network managers (NSX, NSX-T), in public cloud (AWS, Amazon, OCI), and firewall rules in Google Cloud Platform.
For details of classic firewalls (Edge firewalls in orgVDC in vCloud Director), see Manage classic firewalls.

Introduction to firewalls

The platform provides a unified interface to firewalls in varied cloud environments.

This section describes firewall policies, which are similar to security groups.

Abiquo firewall policies represent:

  • AWS security groups

  • Azure firewall policies

  • GCP firewall rules

  • OCI network security groups

For more details, please see the public cloud features table for each provider.

In vCloud Director, the platform also supports classic firewalls, which are Edge firewalls at the level of the public cloud region (orgVDC). See Manage classic firewalls.

Synchronize firewall policies with the cloud provider

The synchronization process will onboard firewalls and it will update the platform's information about firewalls that already exist in the cloud provider. The platform synchronizes automatically when you onboard virtual resources from public cloud. Depending on the provider, the platform may support synchronization at the level of the location (public cloud region) or virtual datacenter.

To synchronize firewalls, do these steps:

  1. In the myCloud view go to Virtual datacenters, or Locations, or for Google Cloud Platform select the Global view

  2. Go to Network → Firewalls

  3. Click the double-arrow synchronize button 

To synchronize a firewall in AWS before you add new firewall rules:

  1. Select the firewall and click the double-arrow synchronize button

Create a firewall policy

The platform can create firewall policies in virtual datacenters in the provider, or in the platform only, for later use in providers, depending on provider support.

Panel

Privileges: Manage firewall

To create a new firewall, do these steps:

  1. Go to Virtual datacenters → Network → Firewalls

    1. For GCP go to Global → Network → Firewalls

  2. Click the Add button

  3. Enter the firewall details

    1. In GCP, if you assign a firewall to a Virtual datacenter, you can then use it as a default firewall

    2. In VCD, if you do not select a Virtual datacenter, the platform will create the firewall in the platform only, not in the provider

       (Screenshot: Create a firewall in AWS)

  4. Click Save to create the firewall

  5. Add firewall rules as described in Create firewall rules.

Edit firewall rules

You can edit firewall rules after you create a firewall.

See Edit firewall policy rules.

Create a firewall policy in GCP

In GCP, the platform can create firewall rules in virtual datacenters or in global networks, to later attach to VMs.

Panel

Privileges: Manage firewall, Manage global networks

To create a new firewall, do these steps:

  1. Go to Virtual datacenters → Network → Firewalls OR
    go to myCloud → Global → select the GCP provider → Network → Firewalls

  2. Click the Add button

  3. Enter the firewall details and select the direction

    1. For the Name, see the Google cloud entity naming conventions. See Google Cloud Platform integration

    2. For the Direction, select INGRESS for incoming traffic or EGRESS for outgoing traffic

    3. For Sources or Targets, enter a list of comma-separated values in CIDR format

    4. For Priority, the default is 1000 and lower numbers have higher priority

  4. Go to Inbound or Outbound and add firewall rules

    1. Optionally, select from predefined Common protocols OR
      Enter Protocols and enter a list of Ports, separated by commas, and/or a port range, separated with a dash (e.g. 80,8000-8009)

  5. After you finish adding rules, click Save

The platform will create your firewall in the provider.
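As an added example (not Abiquo's own code), the following Python script validates the form fields described above and resolves rule precedence: it parses the comma/dash port syntax (e.g. 80,8000-8009), rejects malformed CIDR entries, and picks the matching rule with the lowest priority number. The rule names, the sample ruleset and the exact-match protocol comparison are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Ports as typed in the form: comma-separated ports and dash-separated ranges.
def parse_ports(spec: str) -> frozenset:
    ports = set()
    for item in spec.split(","):
        item = item.strip()
        lo, dash, hi = item.partition("-")
        if not lo.isdigit() or (dash and not hi.isdigit()):
            raise ValueError(f"bad port entry: {item!r}")
        lo_n, hi_n = int(lo), (int(hi) if dash else int(lo))
        if not 1 <= lo_n <= hi_n <= 65535:
            raise ValueError(f"port out of range or reversed: {item!r}")
        ports.update(range(lo_n, hi_n + 1))
    return frozenset(ports)

# Sources/targets as typed: comma-separated CIDRs. ip_network() is strict by
# default, so "10.0.0.1/24" (host bits set) is rejected, not silently widened.
def parse_cidrs(spec: str) -> list:
    return [ipaddress.ip_network(c.strip()) for c in spec.split(",") if c.strip()]

@dataclass(frozen=True)
class Rule:
    name: str
    direction: str        # INGRESS or EGRESS, as in the form
    cidrs: str            # Sources (INGRESS) or Targets (EGRESS)
    protocol: str         # e.g. "tcp" (assumed exact-match)
    ports: str            # e.g. "80,8000-8009"
    priority: int = 1000  # form default; a lower number wins

    def matches(self, direction: str, ip: str, protocol: str, port: int) -> bool:
        addr = ipaddress.ip_address(ip)
        return (self.direction == direction and self.protocol == protocol
                and port in parse_ports(self.ports)
                and any(addr in net for net in parse_cidrs(self.cidrs)))

# Name of the highest-priority (lowest number) rule that matches a flow, or None.
def winning_rule(rules, direction: str, ip: str, protocol: str, port: int):
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(direction, ip, protocol, port):
            return rule.name
    return None

# Constructed sample ruleset (not from the page); RFC 5737 documentation ranges.
SAMPLE_RULES = [
    Rule("web-from-office", "INGRESS", "203.0.113.0/24", "tcp", "80,8000-8009"),
    Rule("ssh-admin-host", "INGRESS", "203.0.113.10/32", "tcp", "22", priority=500),
    Rule("https-anywhere", "INGRESS", "0.0.0.0/0", "tcp", "443", priority=2000),
]
```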

Set a firewall policy as the default for a virtual datacenter

You can set a default firewall policy for each virtual datacenter. 

Panel

Privileges: Manage default firewall

To set or unset a default firewall for a virtual datacenter:

  1. Select the firewall

  2. Click the star default firewall button

When a user creates a VM, the platform will assign the default firewall. The firewall rules apply to VMs, not to individual NICs on the VMs. Changes to the firewall ruleset will apply to every VM in the virtual datacenter with the default firewall. If you do not set a default firewall but the provider requires one, for example, AWS, the platform will set the provider's default firewall. In AWS the default firewall is not marked.

Edit a firewall policy

If your provider allows it, you may edit a firewall policy in the platform. 

To edit a firewall policy:

  1. Go to Virtual datacenters → select a virtual datacenter OR select a region → Network → Firewalls

  2. Select the firewall policy and click the pencil edit button.

    1. In GCP only, optionally select a virtual datacenter. You can use this option to recommend firewalls for your users.
      If you do not select a virtual datacenter, the firewall will still exist in the provider and users can still attach this firewall to their VMs.

    2. If you select the Default option, the platform will assign this firewall to new VMs.

  3. Make your changes and click Save

Add tags to a firewall policy

When you edit a firewall, you can add tags to group resources. You can then go to Control view to manage tagged resources.

To manage tags for a firewall, edit the firewall, go to Tags, and add tags.

For more details, see Manage tags.

Move a firewall policy to another virtual datacenter

Before you begin:

  1. Check if your provider allows you to move firewalls. For example, Azure ARM allows you to move firewalls to other VDCs in the same resource group

To move a firewall to another virtual datacenter:

  1. Go to Virtual datacenters → Locations or Global

  2. Select the public cloud region, or Azure provider and resource group

  3. Edit the firewall policy and select the new Virtual datacenter

Display firewall policies

You can display and manage firewalls in the platform at the level of the virtual datacenter or the location (public cloud region or datacenter).

To display firewalls in a virtual datacenter in a provider:

  1. Go to Virtual datacenters → select a virtual datacenter → Network → Firewalls

     (Screenshot: Display firewall policies)

To display all firewalls in Google Cloud Platform:

  1. Go to myCloud → Global view

  2. Select the GCP provider → Networks → Firewalls

To display all firewalls in a location (public cloud region or datacenter):

  1. Go to Cloud virtual datacenters view → Locations

  2. Select a location

  3. Go to Network → Firewalls

    (Screenshot: Display firewalls in a cloud location)

    Firewalls that do not exist in the provider are grayed out, and you should delete these firewalls.

Tip

To filter firewalls, enter text in the Search box to search by Name, Description, and Provider ID in the Firewalls list.

To display firewalls in an Azure Resource Group:

  1. Go to Cloud virtual datacenters view

  2. Go to Global → Azure → Resource Groups

  3. Select a resource group

  4. To display the details of the firewall, edit the firewall

     (Screenshot: Edit a firewall in a resource group)

Assign a firewall policy to a VM

See VM firewalls.

Delete firewall policy rules

To delete firewall rules, do these steps:

  1. Go to Virtual datacenters → select a virtual datacenter OR select All → Network → Firewalls

  2. Edit the firewall

  3. Select the Inbound or Outbound tab

  4. On the left-hand side of each rule you wish to delete, click the trash bin Delete button

  5. Click Save

Delete a firewall policy

To delete a firewall policy:

  1. Edit each VM that is using the firewall policy to remove the firewall policy

  2. Select the firewall policy

  3. Click the Delete button

In private cloud with NSX-T, you can delete network resources by deleting the virtual datacenters. The platform will automatically remove VMs, virtual appliances, load balancers, public IPs, and firewalls from the virtual datacenter. The firewalls will remain in the enterprise and you can reuse them. When you delete a virtual datacenter, public IPs that are not used by VMs will remain in the provider and the synchronization process will delete them.

Manage firewalls with the API

Tip

API Documentation

For the Abiquo API documentation of this feature, see Abiquo API Resources and the page for this resource, FirewallPoliciesResource.