VCP-IaaS Study Notes: Section 2.3

This is Section 2.3 in the VCP-IaaS blueprint Guide 1.2. The rest of the (completed) sections can be found here.

Identify where to set firewall rules within vCloud Director

  • Click the Manage & Monitor tab and click Organization Networks in the left pane.
  • Right-click the organization network name and select Configure Services.
  • Click the Firewall tab and select Enable firewall.
  • Select the default firewall action.
  • (Optional) Select the Log check box to log events related to the default firewall action.
  • Click OK.

Explain vShield firewall concepts as they relate to a vCloud environment

  • The vShield Edge firewall provides network perimeter security and services to a tenant. It isolates the tenant’s stub network from the shared (uplink) networks and provides common perimeter security services such as DHCP, VPN and NAT.
  • The vShield Edge virtual machine has two network interfaces. One of the interfaces is connected to the uplink port through the PG-C port group and provides access to the external world. The other interface of the vShield Edge virtual machine is connected to the internal port group PG-X, which is part of the company X network.
  • All virtual machines of the company X tenant connect to PG-X port group, and these virtual machines are allowed to communicate with each other without going through the vShield Edge firewall virtual machine. However, if the company X virtual machine attempts to access external devices, traffic must flow through the vShield Edge virtual machine. Depending on the security rules defined, the access will be allowed or denied.
  • Also, the vShield Edge firewall virtual machine is protected through the VMware DRS and VMware HA features of the vSphere platform. So when a host on which vShield Edge is running goes down, that virtual machine gets restarted immediately on another available host in that cluster.

Determine which firewall rules need to be applied or modified

  • Which port(s) does your application need to communicate through, and in which direction does that traffic flow?

Identify ordering for firewall rules

  • Firewall rules are enforced in the order in which they appear in the firewall list. You can change the order of the rules in the list. When you add a new firewall rule to an organization network, it appears at the bottom of the firewall rule list. If you want to enforce the new rule before an existing rule, make sure to reorder the rules.
  • Click Administration.
  • Select Cloud Resources > Networks.
  • Right-click the organization network name and select Configure Services.
  • Click the Firewall tab.
  • Drag and drop the firewall rules to establish the order in which the rules are applied.
  • Click OK.

Enable/Disable firewall

  • See the first bullet in this section.

Add/Modify/Delete firewall rules

  • Click the Manage & Monitor tab and click Organization Networks in the left pane.
  • Right-click the organization network name and select Configure Services.
  • Click the Firewall tab and click Add.
  • Type a name for the rule.
  • Select the traffic direction.
  • Type the source IP address and select the source port.
    • For incoming traffic, the source is the external network. For outgoing traffic, the source is the organization network.
  • Type the destination IP address and select the destination port.
    • For incoming traffic, the destination is the organization network. For outgoing traffic, the destination is the external network.
  • Select the protocol.
  • Select the action.
    • A firewall rule can allow or deny traffic that matches the rule.
  • Select the Enabled check box.
  • (Optional) Select the Log network traffic for firewall rule check box.
    • If you enable this option, vCloud Director sends log events to the syslog server for connections affected by this rule. Each syslog message includes logical network and organization UUIDs.
  • Click OK and click OK again.
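As an added example (not part of these notes or of vCloud Director itself), the following Python models the first-match rule evaluation described under "Identify ordering for firewall rules" together with the rule fields from the Add/Modify/Delete steps above; the Rule class, its field names and the sample addresses are assumptions. It shows why a new rule that lands at the bottom of the list is shadowed by an earlier catch-all deny until you drag it above that rule.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Rule fields follow the Add/Modify/Delete steps above; this class is an assumption.
@dataclass
class Rule:
    name: str
    direction: str              # "in" (external -> org network) or "out"
    source: str                 # CIDR or "any"
    source_port: Optional[int]  # None = any port
    dest: str
    dest_port: Optional[int]
    protocol: str               # "tcp", "udp", "icmp" or "any"
    action: str                 # "allow" or "deny"
    enabled: bool = True

def _net_match(cidr: str, ip: str) -> bool:
    return cidr == "any" or ip_address(ip) in ip_network(cidr, strict=False)

def _port_match(rule_port: Optional[int], port: int) -> bool:
    return rule_port is None or rule_port == port

def matches(rule: Rule, pkt: dict) -> bool:
    return (rule.enabled and rule.direction == pkt["direction"]
            and rule.protocol in ("any", pkt["protocol"])
            and _net_match(rule.source, pkt["src"]) and _port_match(rule.source_port, pkt["sport"])
            and _net_match(rule.dest, pkt["dst"]) and _port_match(rule.dest_port, pkt["dport"]))

def evaluate(rules, pkt, default_action="deny"):
    """Rules are checked top to bottom; the first enabled match decides, else the default action applies."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.name
    return default_action, "default"

# Constructed sample: an existing catch-all inbound deny, then an "allow web" rule
# added afterwards, which vCloud Director appends at the bottom of the list.
DENY_ALL_IN = Rule("deny-all-in", "in", "any", None, "any", None, "any", "deny")
ALLOW_WEB = Rule("allow-web", "in", "any", None, "10.10.0.0/24", 80, "tcp", "allow")
WEB_REQUEST = {"direction": "in", "protocol": "tcp", "src": "203.0.113.5",
               "sport": 51000, "dst": "10.10.0.20", "dport": 80}

def as_added():       # order as listed right after clicking Add
    return evaluate([DENY_ALL_IN, ALLOW_WEB], WEB_REQUEST)

def after_reorder():  # after dragging allow-web above deny-all-in
    return evaluate([ALLOW_WEB, DENY_ALL_IN], WEB_REQUEST)
```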

Determine which vShield devices impact a given service

  • Which port is the service trying to communicate through? Where is the service located in the vCloud Organization network: on an internal NATed network, or on an external NATed network?

Verify firewall rule operation

  • Allow the port and check for connectivity.

Troubleshoot common firewall service issues

  • vShield Edge appliances are protected by HA so they should restart on another ESXi host if the first one fails.
  • Open port 80 and test for an Internet connection; a successful test can rule out physical mis-configuration issues.
  • Etc…

PS. I recommend reading the VMware vShield Edge Design Guide – Great read for vShield firewall designs.
