Org VDC Distributed Firewall Rules

In vCloud Director, the Org VDC distributed firewall provides micro-segmentation at the Org VDC level.

Note: Use of Advanced Firewall requires EBC Advanced NFV features. A surcharge is applied to VMs that use this feature.

See EBC Service Descriptions for details.

Before you create distributed firewall rules:

  • If you use an IP set as a source or destination in a rule, create an IP set in Firewall Rules and DHCP Relay Configuration.

  • If you use a MAC set as a source or destination in a rule, create a MAC set in Firewall Rules.

  • If you use a Security group as a source or destination in a rule, create a Security Group.

Create distributed firewall rules

  1. On the vCloud Director Virtual Data Center dashboard, select the VDC that contains the distributed firewall to be configured.

  2. Click Security in the left navigation panel.

  3. Select the Org VDC to be configured and click Configure Services.

  4. Click the Distributed Firewall tab and select the type of rule you want to create.

    • L3 rules are configured on the General tab.

    • L2 rules are configured on the Ethernet tab.

  5. Click the add button to add a new row to the firewall rules table.

  6. Specify a Name for the new rule.

  7. Specify the source and destination addresses for the firewall rule in the Source and Destination fields.

  8. To specify an IP address or range, click IP and enter the appropriate Value.

  9. Click Keep.

  10. To specify a group of VMs or IPs, click + and select the desired objects.

  11. Click Keep.

  12. To reuse a group of the same source or destination IP addresses in multiple rules, select the Grouping Objects tab and click + to create an IP set. You can then select this IP set in the Select objects window.

  13. In the Service field, click +.

  14. In the Add Service window, specify the Service for the rule, and click Keep.

  15. Select whether the rule is an Accept or Deny rule.

  16. Select the traffic Direction the rule applies to.

  17. Select Packet Type and Applied To.

    Note: If the rule contains VMs in the Source and Destination cells, add both the source and destination VMs to Applied To for the rule to operate correctly.

  18. If you have a syslog server configured, select Enable logging.

  19. Click Save changes.
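An added example, not part of the original page or of vCloud Director itself, that lints a rule table against the requirements above before it is saved. Rule, VM and IP set names are constructed; the Applied To check comes from the note in step 17, while the other checks (logging on Deny rules, Accept any/any/any, IP objects in Ethernet rules) are this editor's recommendations.

```python
from dataclasses import dataclass, field

@dataclass
class DfwRule:
    """One Org VDC distributed firewall rule as entered in the vCloud Director UI."""
    name: str
    layer: str          # "L3" (General tab) or "L2" (Ethernet tab)
    source: list        # entries: "vm:<name>", "ipset:<name>", "macset:<name>", "ip:<addr>" or "any"
    destination: list
    service: list       # e.g. ["tcp/3306"]; an empty list means any service
    action: str         # "Accept" or "Deny"
    direction: str = "in/out"
    applied_to: set = field(default_factory=set)  # objects the rule is enforced on, e.g. {"vm:db01"}
    logging: bool = False

def _vms(entries):
    return {e for e in entries if e.startswith("vm:")}

def lint_rule(rule):
    """Return findings for one rule; an empty list means it passed every check."""
    findings = []
    # Page note: VMs named in Source or Destination must also be listed in Applied To.
    missing = (_vms(rule.source) | _vms(rule.destination)) - rule.applied_to
    if missing:
        findings.append(f"{rule.name}: add {sorted(missing)} to Applied To")
    # Drops are only auditable if the Deny rule is logged to the syslog server.
    if rule.action == "Deny" and not rule.logging:
        findings.append(f"{rule.name}: Deny rule without Enable logging")
    # An Accept any/any/any rule makes every rule below it irrelevant.
    if rule.action == "Accept" and "any" in rule.source and "any" in rule.destination and not rule.service:
        findings.append(f"{rule.name}: Accept any/any/any negates micro-segmentation")
    # Ethernet (L2) rules match MAC sets, not IP addresses or IP sets.
    if rule.layer == "L2" and any(e.startswith(("ip:", "ipset:")) for e in rule.source + rule.destination):
        findings.append(f"{rule.name}: IP-based object in an L2 rule; use a MAC set")
    return findings

def lint_rules(rules):
    """Lint a whole table; rules are listed in the UI's top-to-bottom order."""
    return [finding for rule in rules for finding in lint_rule(rule)]

# Constructed sample table: VM and IP set names are made up for this example.
SAMPLE_RULES = [
    DfwRule("web-to-db", "L3", ["vm:web01"], ["vm:db01"], ["tcp/3306"], "Accept",
            applied_to={"vm:db01"}, logging=True),
    DfwRule("block-db-egress", "L3", ["vm:db01"], ["any"], [], "Deny",
            direction="out", applied_to={"vm:db01"}),
    DfwRule("l2-bad", "L2", ["ipset:WebTier"], ["any"], [], "Deny",
            applied_to={"vm:web01"}, logging=True),
]
```

Running `lint_rules(SAMPLE_RULES)` reports three findings, one per sample rule; the first is the Applied To omission that the note in step 17 warns about.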