
In Abiquo 5.0, the vCloud firewall service is implemented at the Edge level, and new classic firewall capabilities are also available. The platform also creates a firewall rule when a VM uses a NAT IP, and when a public IP or NAT IP is used as a load balancer address.

First, when the user assigns a firewall to a deployed VM, the platform creates a new rule with source or destination (inbound or outbound rule) that points to the VM object.

Secondly, when a user creates a classic firewall rule, the platform implements it as shown in the following table.

| Source or destination | Rule created |
| --- | --- |
| Any/Internal/External/All | The platform creates a new rule with source or destination using a Network object. Note: Any or All maps to "VSE" |
| object:vcloudUrn (e.g. the internal providerId of a VM). Also "IP Sets" or "Security Groups", aggregations in NSX/vCloud, configured in orgVdc / Security | The platform creates a new rule with source or destination using a VM (for example) object (source or destination restricted to a specific virtual machine) |
| IP or IPstart-IPend or network CIDR | The platform creates a new rule with source or destination using a single IP, an IP range or an IP network specification |
| Comma-separated list of the above values, e.g. 10.60.1.0,object:vmInternalProviderId,10.60.2.0/24 | The platform creates a new rule with source or destination using an IP, a VM and a network CIDR |
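
To review what a classic firewall rule will match before saving it, the source or destination value can be classified against the rows of the table above. The following is an added example, not Abiquo code: the function names, the case-insensitive keyword matching and the pass-through of Internal/External by name are assumptions, and the sample value is constructed.

```python
import ipaddress

# Keywords from the table. The page states that Any and All map to "VSE";
# passing Internal/External through by name and matching keywords
# case-insensitively are assumptions of this sketch.
NETWORK_KEYWORDS = {"any": "VSE", "all": "VSE",
                    "internal": "Internal", "external": "External"}


def classify_entry(entry):
    """Return (kind, normalized_value) for one source/destination entry."""
    entry = entry.strip()
    if not entry:
        raise ValueError("empty entry in source/destination list")
    if entry.lower() in NETWORK_KEYWORDS:
        return ("network", NETWORK_KEYWORDS[entry.lower()])
    # Check the object: prefix before '-' or '/', since identifiers may contain both.
    if entry.startswith("object:"):
        ref = entry[len("object:"):]
        if not ref:
            raise ValueError("object: prefix without an identifier")
        return ("object", ref)
    if "-" in entry:  # IPstart-IPend
        first, last = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        if first.version != last.version or int(first) > int(last):
            raise ValueError(f"invalid IP range: {entry}")
        return ("ip_range", f"{first}-{last}")
    if "/" in entry:  # network CIDR; host bits set (e.g. 10.60.2.5/24) are rejected
        return ("cidr", str(ipaddress.ip_network(entry)))
    return ("ip", str(ipaddress.ip_address(entry)))


def parse_spec(spec):
    """Classify every entry of a comma-separated source or destination value."""
    return [classify_entry(e) for e in spec.split(",")]


def entries_mapped_to_vse(spec):
    """Entries that resolve to the "VSE" network object (Any/All), for rule review."""
    return [e.strip() for e in spec.split(",")
            if classify_entry(e) == ("network", "VSE")]


if __name__ == "__main__":
    # Constructed sample modelled on the table's comma-separated example.
    sample = "10.60.1.0,object:vmInternalProviderId,10.60.2.0/24,Any"
    for kind, value in parse_spec(sample):
        print(f"{kind:9} {value}")
    print("mapped to VSE:", entries_mapped_to_vse(sample))
```
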


To restore the previous configuration where the platform implemented the firewall at the vApp network level, the administrator can set the "abiquo.vcd.firewall.vappnetwork" property to true.

There is no specific upgrade path. The platform applies the new configuration when a user modifies the existing deployed firewalls, attaches firewalls to new VMs, or modifies an IP of a VM attached to a firewall.
