Firewall Rule
vCloud Director provides a fully featured layer 3 firewall that controls traffic crossing the boundary between inside and outside, and traffic between the various VDC networks you create.
When you specify networks or IP addresses, you can use:
- An individual IP address
- An IP range, with the first and last address separated by a dash (-)
- A CIDR, for example, 192.168.2.0/24
- A keyword, such as internal, external or any
Create firewall rules
- On the vCloud Director Virtual Data Center dashboard, select the VDC that contains the edge gateway where you will create the firewall rule.
- From the left navigation panel, select Edges.
- Select the edge that you want to configure and click Configure Services.
- Click the Firewall tab.
- Click the add button to add a new row to the firewall rules table.
- For the New Rule, specify a Name.
- Specify the Source and Destination addresses for the firewall rule.
  - To specify an IP address or range, click IP, enter the appropriate Value, and click Keep.
  - To specify a group of VMs or IPs, click + to select the desired objects, and click Keep.
  - To reuse the same group of source or destination IP addresses in multiple rules, click the Grouping Objects tab and click + to create an IP set. You can then select this IP set in the Select objects window.
- In the Service field, click + to add the Service. In the Add Service window, specify the Protocol, Source Port and Destination Port for the rule, and click Keep.
- Choose whether the rule should Accept or Deny matching traffic.
- If you have a syslog server configured, select Enable logging.
- Click Save changes.
Example:
A common use case for a firewall rule is to allow HTTPS from the internet. This example uses allocated public IP addresses.
The Name is 'HTTP inbound', the Source is any IP address within the VDC, and the Source port is 'Any'. The Destination is a private IP address and the Destination port is '443' for HTTPS.
For this rule to work, you also need a DNAT rule that translates the public IP address to the private one. To learn more, see NAT Rule.
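The following Python script is an added example and is not part of the vCloud Director documentation or product. It models the address forms listed above (single IP, dashed range, CIDR, keyword) and evaluates a small rule table in the order the rows appear, using the 'HTTP inbound' rule from the example with a constructed private destination address. The meaning given to the internal and external keywords (a constructed list of org VDC networks) and the default deny applied when no row matches are assumptions made for the example, not documented product behaviour.

```python
import ipaddress

# Constructed for this example: the org VDC network(s) that the 'internal'
# keyword is assumed to cover; 'external' is assumed to mean everything else.
INTERNAL_NETWORKS = [ipaddress.ip_network("192.168.2.0/24")]
KEYWORDS = ("any", "internal", "external")


class AddressSpec:
    """One Source/Destination entry: single IP, 'lo-hi' range, CIDR or keyword."""

    def __init__(self, text):
        self.text = text.strip()
        t = self.text.lower()
        if t in KEYWORDS:
            self.kind, self.value = "keyword", t
        elif "-" in t:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in t.split("-", 1))
            # Reject mixed families and reversed ranges before they reach a rule.
            if lo.version != hi.version or lo > hi:
                raise ValueError(f"bad range: {self.text}")
            self.kind, self.value = "range", (lo, hi)
        elif "/" in t:
            self.kind, self.value = "cidr", ipaddress.ip_network(t, strict=False)
        else:
            self.kind, self.value = "single", ipaddress.ip_address(t)

    def matches(self, addr):
        addr = ipaddress.ip_address(addr)
        if self.kind == "keyword":
            if self.value == "any":
                return True
            inside = any(addr in net for net in INTERNAL_NETWORKS)
            return inside if self.value == "internal" else not inside
        if self.kind == "range":
            lo, hi = self.value
            return lo.version == addr.version and lo <= addr <= hi
        if self.kind == "cidr":
            return addr in self.value
        return addr == self.value


class Rule:
    """One row of the edge gateway firewall table."""

    def __init__(self, name, source, destination, protocol, src_port, dst_port,
                 action, logging=False):
        self.name = name
        self.source = AddressSpec(source)
        self.destination = AddressSpec(destination)
        self.protocol = protocol.lower()      # 'tcp', 'udp', 'icmp' or 'any'
        self.src_port = src_port              # int or 'any'
        self.dst_port = dst_port
        self.action = action.lower()          # 'accept' or 'deny'
        self.logging = logging

    @staticmethod
    def _port_ok(spec, port):
        return str(spec).lower() == "any" or int(spec) == port

    def matches(self, src, dst, protocol, sport, dport):
        return (self.protocol in ("any", protocol.lower())
                and self.source.matches(src)
                and self.destination.matches(dst)
                and self._port_ok(self.src_port, sport)
                and self._port_ok(self.dst_port, dport))


def evaluate(rules, src, dst, protocol, sport, dport):
    """First matching row wins. Assumed: deny when no row matches."""
    for rule in rules:
        if rule.matches(src, dst, protocol, sport, dport):
            if rule.logging:  # stands in for the syslog line 'Enable logging' would emit
                print(f"LOG {rule.name}: {src}:{sport} -> {dst}:{dport}/{protocol}")
            return rule.action, rule.name
    return "deny", None


# The page's example rule with a constructed private destination, followed by a
# constructed deny row to show that row order decides the outcome.
RULES = [
    Rule("HTTP inbound", "any", "192.168.2.10", "tcp", "any", 443, "accept", logging=True),
    Rule("block legacy range", "10.0.0.1-10.0.0.50", "internal", "any", "any", "any", "deny"),
]

if __name__ == "__main__":
    # Constructed sample flows: (source, destination, protocol, source port, destination port)
    for flow in [("203.0.113.5", "192.168.2.10", "tcp", 51000, 443),
                 ("203.0.113.5", "192.168.2.10", "tcp", 51000, 22),
                 ("10.0.0.20", "192.168.2.10", "tcp", 51000, 22)]:
        print(flow, "->", evaluate(RULES, *flow))
```

Because the table is evaluated top down, the accept row for port 443 still matches a 10.0.0.x source even though the deny row below covers that range; only traffic the first row does not match falls through to it. Order rows from most specific to least specific, and keep logging on for accept rows that expose services so the syslog stream records every admitted connection.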