Working with Networks 1.6

Managing Networking Data Center for VMware vSphere Edge Gateway Services

Cyfuture Cloud Console provides Advanced Networking Capabilities powered by the Networking Data Center for VMware vSphere network virtualization software that offer enhanced security controls, routing, and network scaling capabilities in a cloud environment.

Using these networking capabilities, you can achieve unprecedented security and isolation in your organization's virtual data center. These capabilities deliver the following benefits:

Dynamic routing. The Networking Data Center for VMware vSphere capabilities in your Cyfuture Cloud Console environment support routing protocols such as Border Gateway Protocol (BGP) and Open Shortest Path First (OSPF) to simplify network integration between systems and to provide redundancy and continuity in a cloud-hosted application deployment.

Fine-grained network security and isolation. The Networking Data Center for VMware vSphere capabilities in your Cyfuture Cloud Console environment support the use of object-based rule definitions to provide stateful network traffic isolation without requiring multiple virtual networks. This zero-trust security model prevents intruders from gaining full network access if an application or virtual machine is compromised. Network configuration is simplified by using the same network security policies to protect applications wherever they are physically located in the Cyfuture Cloud Console environment, extending your zero-trust security model so that security stays portable no matter where an application is deployed.

Additional capabilities provided by Networking Data Center for VMware vSphere are enhanced VPN support for point-to-site (IPsec VPN) and user (SSL VPN-Plus) connectivity, enhanced load balancing for HTTPS, and expanded network scalability.

You can configure two types of firewalls: the edge gateway firewall and the distributed firewall. For more information about the differences between these firewalls, see Firewall Configuration Using the Tenant Portal.

You access these Advanced Networking Capabilities using the Cyfuture Cloud Console Tenant Portal or the Cyfuture Cloud Console Service Provider Admin Portal. The edge gateway must first be converted to an advanced edge gateway. See Convert an Edge Gateway to an Advanced Edge Gateway.

Important- IPv6 edge gateways support limited services. IPv6 edge gateways support edge firewalls, distributed firewalls, and static routing.

Getting Started with Cyfuture Cloud Console Advanced Networking

You use the Cyfuture Cloud Console Advanced Networking to perform management tasks on an organization in a Cyfuture Cloud Console system. You can manage distributed firewalls and other Advanced Networking Capabilities that are provided by the Cyfuture Cloud Networking software components made available to an organization by a Cyfuture Cloud Console system administrator.

The typical users of Advanced Networking are:

Cyfuture Cloud Console system administrators, who might use the tenant portal to configure the distributed firewall and other Advanced Networking Capabilities for an organization.

Organization administrators, who use the tenant portal to manage the distributed firewall and other Advanced Networking Capabilities that the system administrator has made available to that organization.

Firewall Configuration Using the Tenant Portal

Using the tenant portal, you can configure the firewall capabilities provided by the Networking software in your Cyfuture Cloud Console organization virtual data center. You can create firewall rules for distributed firewalls to provide security between virtual machines in an organization virtual data center and firewall rules to apply to an edge gateway firewall to protect the virtual machines in an organization virtual data center from outside network traffic.

Note-The tenant portal provides the ability to configure both edge gateway firewalls and distributed firewalls.

The Networking logical firewall technology consists of two components to address different deployment use cases. The edge gateway firewall focuses on North-South traffic enforcement while the distributed firewall focuses on East-West access controls.

Key Differences Between Edge Gateway Firewalls and Distributed Firewalls

An edge gateway firewall monitors North-South traffic to provide perimeter security functionality including firewall, Network Address Translation (NAT) as well as site-to-site IPSec and SSL VPN functionality.

A distributed firewall provides the capability to isolate and secure each virtual machine and application down to the layer 2 (L2) level. Configuring distributed firewalls effectively quarantines any external or internal network security compromise, isolating East-West traffic between virtual machines on the same network segment. Security policies are centrally managed, inheritable, and nestable, so networking and security administrators can manage them at scale. Additionally, once deployed, defined security policies follow the virtual machines or applications when they move between different virtual data centers.

About Firewall Rules

As described in the Networking product documentation, firewall rules defined at the centralized level are referred to as pre rules. You can also add rules at an individual edge gateway level; those rules are referred to as local rules.

Each traffic session is checked against the top rule in the firewall table before moving down the subsequent rules in the table. The first rule in the table that matches the traffic parameters is enforced. Rules are displayed in the following order:

1     User-defined pre rules have the highest priority, and are enforced in top-to-bottom ordering with a per-virtual NIC level precedence.

2     Auto-plumbed rules (rules that enable control traffic to flow for edge gateway services).

3     Local rules defined at an edge gateway level.

4     Default distributed firewall rule.

For more information about how the Networking software enforces firewall rules, see Change the Order of a Firewall Rule in the Networking Administration documentation.

Edge Gateway Firewall

The firewall for the edge gateway helps you meet key perimeter security requirements, such as building DMZs based on IP/VLAN constructs, tenant-to-tenant isolation in multi-tenant virtual data centers, Network Address Translation (NAT), partner (extranet) VPNs, and user-based SSL VPNs.

The edge gateway firewall capability in the Cyfuture Cloud Console environment is provided by the Networking software. In Networking, this firewall capability is also referred to as the edge firewall. The edge gateway firewall monitors North-South traffic to provide perimeter security functionality including firewall, Network Address Translation (NAT) as well as site-to-site IPSec and SSL VPN functionality.

For more detailed information about the capabilities provided by the edge gateway firewall of the Networking software, see the Networking Administration documentation.

Managing a Networking Data Center for VMware vSphere Edge Gateway Firewall

To protect traffic to and from an edge gateway, you can create and manage firewall rules on that edge gateway.

For information about protecting traffic traveling between virtual machines in an organization virtual data center, see Managing Distributed Firewall Rules Using the Tenant Portal.

Rules created on the distributed firewall screen that have an advanced edge gateway specified in their Applied To column are not displayed in the Firewall screen for that advanced edge gateway.

The edge gateway firewall rules for an edge gateway are displayed in the Firewall screen and are enforced in the following order:

1     Internal rules, also known as auto-plumbed rules. These internal rules enable control traffic to flow for edge gateway services.

2     User-defined rules.

3     Default rule.

The default rule settings apply to traffic that does not match any of the user-defined firewall rules. The default rule is displayed at the bottom of the rules on the Firewall screen.

In the tenant portal, use the Enable toggle on the Firewall Rules screen of the edge gateway to disable or enable an edge gateway firewall.

Convert an Edge Gateway to an Advanced Edge Gateway

To work with an edge gateway in the tenant portal, you need to convert it to an advanced edge gateway. Once you convert it to an advanced edge gateway, you can use the tenant portal to configure the static and dynamic routing capabilities that are provided by the Networking software for those advanced edge gateways.

Prerequisites

You have an existing edge gateway.

Procedure

1  In the top navigation bar, click Networking and click the Edge Gateways tab.

2  Select the edge gateway to edit.

3  Click Convert to Advanced.

Results

Your edge gateway is converted to an advanced edge gateway.

What to do next

Once you have converted to an advanced edge gateway, you can configure settings by selecting the gateway and clicking Services.

Add a Networking Data Center for VMware vSphere Edge Gateway Firewall Rule

You use the edge gateway Firewall tab to add firewall rules for that edge gateway. You can add multiple Networking Edge interfaces and multiple IP address groups as the source and destination for these firewall rules.

Specifying internal for a source or a destination of a rule indicates traffic for all subnets on the port groups connected to the Networking edge gateway. If you select internal as the source, the rule is automatically updated when additional internal interfaces are configured on the Networking gateway.

Note- Edge gateway firewall rules on internal interfaces do not work when the edge gateway is configured for dynamic routing.

Procedure

1  Open Edge Gateway Services.

a  In the top navigation bar, click Networking and click Edge Gateways.

b  Select the edge gateway that you want to edit and click Services.

2  If the Firewall Rules screen is not already visible, click the Firewall tab.

3  To add a rule below an existing rule in the firewall rules table, click in the existing row and then click the Create button.

A row for the new rule is added below the selected rule, and is assigned any destination, any service, and the Allow action by default. When the system-defined default rule is the only rule in the firewall table, the new rule is added above the default rule.

4  Click in the Name cell and type in a name.

5  Click in the Source cell and use the now visible icons to select a source to add to the rule:

Option: Click the IP icon
Description: Type the source value you want to use. Valid values are an IP address, CIDR, an IP range, or the keyword any. The edge gateway firewall supports both IPv4 and IPv6 formats.

Option: Click the + icon
Description: Use the + icon to specify the source as an object other than a specific IP address:

■   Use the Select objects window to add objects that match your selections and click Keep to add them to the rule.

■   To exclude a source from the rule, add it to this rule using the Select objects window and then select the toggle exclusion icon to exclude that source from this rule.

When the toggle exclusion is selected on the source, the rule is applied to traffic coming from all sources except for the source you excluded. When the toggle exclusion is not selected, the rule applies to traffic coming from the source you specified in the Select objects window.

6  Click in the Destination cell and perform one of the following options:

Option: Click the IP icon
Description: Type the destination value you want to use. Valid values are an IP address, CIDR, an IP range, or the keyword any. The edge gateway firewall supports both IPv4 and IPv6 formats.

Option: Click the + icon
Description: Use the + icon to specify the destination as an object other than a specific IP address:

■   Use the Select objects window to add objects that match your selections and click Keep to add them to the rule.

■   To exclude a destination from the rule, add it to this rule using the Select objects window and then select the toggle exclusion icon to exclude that destination from this rule.

When the toggle exclusion is selected on the destination, the rule is applied to traffic going to all destinations except for the destination you excluded. When the toggle exclusion is not selected, the rule applies to traffic going to the destination you specified in the Select objects window.

7  Click in the Service cell of the new rule and click the + icon to specify the service as a port-protocol combination:

a     Select the service protocol.

b     Type the port numbers for the source and destination ports, or specify any.

c     Click Keep.

8  In the Action cell of the new rule, configure the action for the rule.

Option: Accept
Description: Allows traffic from or to the specified sources, destinations, and services.

Option: Deny
Description: Blocks traffic from or to the specified sources, destinations, and services.

9  Click Save changes.

The save operation can take a minute to complete.
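As an added example (not Cyfuture Cloud Console or VMware code), the following Python model evaluates an edge gateway firewall table with the top-down, first-match ordering described earlier on this page (internal rules, then user-defined rules, then the default rule), using the Source/Destination value formats, the exclusion toggle, and the Accept/Deny actions from the procedure above. The Rule and EdgeFirewall classes, rule names and addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

ANY = "any"


def match_value(value: str, ip: str) -> bool:
    """Match one Source/Destination cell value against a packet address.

    Accepts the value formats the Firewall tab takes: a single IP address,
    a CIDR block, a dash-separated IP range, or the keyword any. IPv4 and
    IPv6 values are both accepted; a value never matches an address of the
    other IP version.
    """
    if value.strip().lower() == ANY:
        return True
    addr = ipaddress.ip_address(ip)
    if "-" in value:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in value.split("-", 1))
        return addr.version == lo.version and lo <= addr <= hi
    if "/" in value:
        net = ipaddress.ip_network(value, strict=False)
        return addr.version == net.version and addr in net
    return addr == ipaddress.ip_address(value)


@dataclass
class Rule:
    """One user-defined row of the edge gateway firewall table (constructed model)."""
    name: str
    action: str                        # "Accept" or "Deny"
    source: str = ANY
    destination: str = ANY
    protocol: str = ANY                # "tcp", "udp", "icmp" or any
    dst_port: str = ANY                # destination port number or any
    exclude_source: bool = False       # the toggle exclusion icon on Source
    exclude_destination: bool = False  # the toggle exclusion icon on Destination
    enabled: bool = True               # the green check mark in the No. cell

    def matches(self, pkt: dict) -> bool:
        # With exclusion toggled, the rule applies to all sources (destinations)
        # except the one named, so the value match is simply inverted.
        src_ok = match_value(self.source, pkt["src"]) != self.exclude_source
        dst_ok = match_value(self.destination, pkt["dst"]) != self.exclude_destination
        proto_ok = self.protocol == ANY or self.protocol == pkt["proto"]
        port_ok = self.dst_port == ANY or int(self.dst_port) == pkt.get("dport")
        return self.enabled and src_ok and dst_ok and proto_ok and port_ok


@dataclass
class EdgeFirewall:
    """Rule table in the order the page gives: internal, user-defined, default."""
    internal_rules: list = field(default_factory=list)  # auto-plumbed, not editable
    user_rules: list = field(default_factory=list)
    default_action: str = "Deny"  # the only editable part of the default rule

    def evaluate(self, pkt: dict) -> tuple:
        """Return (action, rule name) from the first matching rule, top down."""
        for rule in self.internal_rules + self.user_rules:
            if rule.matches(pkt):
                return rule.action, rule.name
        return self.default_action, "default rule"


def build_sample_firewall() -> EdgeFirewall:
    """Constructed sample table using documentation address ranges."""
    return EdgeFirewall(default_action="Deny", user_rules=[
        # The management subnet may reach SSH on the bastion host...
        Rule("allow-mgmt-ssh", "Accept", source="10.10.0.0/24",
             destination="192.0.2.10", protocol="tcp", dst_port="22"),
        # ...and nobody else may; this rule must sit BELOW the one above.
        Rule("deny-ssh", "Deny", destination="192.0.2.10",
             protocol="tcp", dst_port="22"),
        # HTTPS is open to everyone except a blocked range (exclusion toggle on).
        Rule("allow-https-except-blocked", "Accept",
             source="198.51.100.0-198.51.100.255", exclude_source=True,
             destination="192.0.2.10", protocol="tcp", dst_port="443"),
    ])
```

Swapping the two SSH rules in the sample table shows why the up and down arrow buttons matter: a Deny placed above the management Accept shadows it completely.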

Modify Networking Data Center for VMware vSphere Edge Gateway Firewall Rules

You can edit and delete only the user-defined firewall rules that were added to an edge gateway. You cannot edit or delete an auto-generated rule or a default rule, except for changing the action setting of the default rule. You can change the priority order of user-defined rules.

For details about the available settings for the various cells of a rule, see Add a Networking Data Center for VMware vSphere Edge Gateway Firewall Rule.

Procedure

1  Open Edge Gateway Services.

a  In the top navigation bar, click Networking and click Edge Gateways. 

b Select the edge gateway that you want to edit and click Services.

2  Click the Firewall tab.

3  Manage the firewall rules.

■     Disable a rule by clicking the green check mark in its No. cell. The green check mark turns to a red disabled icon. If the rule is disabled and you want to enable the rule, click the red disabled icon.

■     Edit a rule name by double-clicking in its Name cell and typing the new name.

■     Modify the settings for a rule, such as the source or action settings, by selecting the appropriate cell and using the displayed controls.

■     Delete a rule by selecting it and clicking the Delete button located above the rules table.

■     Hide system-generated rules by using the Show only user-defined rules toggle.

■     Move a rule up or down in the rules table by selecting the rule and clicking the up and down arrow buttons located above the rules table.

4  Click Save changes.

Distributed Firewall

The distributed firewall allows you to segment organization virtual data center entities, such as virtual machines, based on virtual machine names and attributes.

Cyfuture Cloud Console supports distributed firewall services on organization virtual data centers that are backed by Networking Data Center for VMware vSphere. As described in the Networking Administration documentation, this distributed firewall is a hypervisor kernel-embedded firewall that provides visibility and control for virtualized workloads and networks. You can create access control policies based on objects like virtual machine names and on network constructs like IP addresses or IP set addresses. Firewall rules are enforced at the vNIC level of each virtual machine to provide consistent access control even when the virtual machine is moved to a new ESXi host by VMware vSphere vMotion. This distributed firewall supports a micro-segmentation security model where East-West traffic can be inspected at near line rate processing.

As described in the Networking Administration documentation, for layer 2 (L2) packets, the distributed firewall creates a cache for performance boost. Layer 3 (L3) packets are processed in the following sequence:

1     All packets are checked for an existing state.

2     When a state match is found, the packets are processed.

3     When a state match is not found, the packets are processed through the rules until a match is found.

  • For TCP packets, a state is set only for packets with a SYN flag. However, rules that do not specify a protocol (service ANY) can match TCP packets with any combination of flags.

  • For UDP packets, 5-tuple details are extracted from the packet. When a state does not exist in the state table, a new state is created using the extracted 5-tuple details. Subsequently received packets are matched against the state that was just created.

  • For ICMP packets, ICMP type, code, and packet direction are used to create a state.
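As an added example (not Cyfuture Cloud Console or VMware code), this Python model walks the three-step L3 sequence above: an existing state decides first, otherwise the rules are walked top down, with TCP state opened only by a SYN, UDP state keyed by the 5-tuple, and ICMP state keyed by type, code and direction. The Rule and DistributedFirewall classes, the rule names and addresses, and the assumption that only allowed flows are entered in the state table are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

ANY = "any"


@dataclass
class Rule:
    """One L3 rule on the General tab (source/destination omitted for brevity)."""
    name: str
    action: str                      # "Allow" or "Deny"
    service: str = ANY               # "tcp", "udp", "icmp" or any
    dst_port: Optional[int] = None   # None means any port

    def matches(self, pkt: dict) -> bool:
        if self.service != ANY and self.service != pkt["proto"]:
            return False
        # A TCP-specific rule only ever decides flow-opening SYN packets; a rule
        # with service ANY can match TCP packets with any combination of flags.
        if self.service == "tcp" and "SYN" not in pkt.get("flags", ()):
            return False
        return self.dst_port is None or self.dst_port == pkt.get("dport")


def flow_key(pkt: dict) -> tuple:
    """Key used to look a packet up in the state table."""
    if pkt["proto"] in ("tcp", "udp"):
        # 5-tuple: protocol, source IP and port, destination IP and port
        return (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    if pkt["proto"] == "icmp":
        return ("icmp", pkt["type"], pkt["code"], pkt["direction"])
    return (pkt["proto"], pkt["src"], pkt["dst"])


def opens_state(pkt: dict) -> bool:
    """TCP state is set only by a SYN; UDP and ICMP packets always create one."""
    if pkt["proto"] == "tcp":
        return "SYN" in pkt.get("flags", ())
    return pkt["proto"] in ("udp", "icmp")


@dataclass
class DistributedFirewall:
    rules: list
    default_action: str = "Allow"   # the Default Allow Rule at the bottom
    states: dict = field(default_factory=dict)

    def process(self, pkt: dict) -> tuple:
        """Return (action, decided_by) following the page's three-step sequence."""
        key = flow_key(pkt)
        # Steps 1 and 2: an existing state decides without consulting the rules.
        if key in self.states:
            return self.states[key], "state"
        # Step 3: no state, so walk the rules top down until one matches.
        for rule in self.rules:
            if rule.matches(pkt):
                action, via = rule.action, rule.name
                break
        else:
            action, via = self.default_action, "default rule"
        # Modelling assumption: only permitted flows are entered in the table.
        if action == "Allow" and opens_state(pkt):
            self.states[key] = action
        return action, via


def build_sample_firewall() -> DistributedFirewall:
    """Constructed sample: HTTPS to the web tier allowed, other TCP denied."""
    return DistributedFirewall(rules=[
        Rule("allow-web", "Allow", service="tcp", dst_port=443),
        Rule("deny-other-tcp", "Deny", service="tcp"),
    ])
```

With the Default Allow Rule at the bottom, a stray non-SYN TCP packet that has no state in the table is decided by the default rule rather than by either TCP rule, as the model shows.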

The distributed firewall can help in creating identity-based rules as well. Administrators can enforce access control based on the user's group membership as defined in the enterprise Active Directory (AD). Some use cases for when you might use identity-based firewall rules are:

  • Users accessing virtual applications using a laptop or mobile device where AD is used for user authentication

  • Users accessing virtual applications using VDI infrastructure where the virtual machines are Microsoft Windows-based

For more detailed information about the capabilities provided by the Networking software's distributed firewall, see the Networking Administration documentation.

Enable the Distributed Firewall on an Organization Virtual Data Center using the Tenant Portal

Before you can use the tenant portal to work with the distributed firewall capabilities on an organization virtual data center, the distributed firewall must be enabled for that organization virtual data center. A Cyfuture Cloud Console system administrator or a user granted the ORG_VDC_DISTRIBUTED_FIREWALL_ENABLE right can enable the distributed firewall on an organization virtual data center.

You use the Distributed Firewall screen in the tenant portal to enable the distributed firewall for an organization virtual data center.

Prerequisites

Cyfuture Cloud Console supports distributed firewall services on organization virtual data centers that are backed by Networking Data Center for VMware vSphere.

Verify that the organization to which the organization virtual data center belongs has the following rights assigned to it:

  •         Organization vDC Distributed Firewall: Enable/Disable

  •         Organization vDC Distributed Firewall: Configure Rules

  •         Organization vDC Distributed Firewall: View Rules

The Cyfuture Cloud Console system administrator assigns rights to an organization. The Organization vDC Distributed Firewall: Enable/Disable right is required for enabling the distributed firewall using the user interface in the tenant portal. The Organization vDC Distributed Firewall: View Rules right is required for viewing the firewall rules in the tenant portal and the Organization vDC Distributed Firewall: Configure Rules right is required for configuring the firewall rules using the tenant portal.

Verify that you have an assigned role that grants you the right named Organization vDC Distributed Firewall: Enable/Disable. Of the predefined roles in a Cyfuture Cloud Console system, only the System Administrator role has that right by default.

Procedure

1  On the Virtual Data Center dashboard screen, click the card of the virtual data center you want to explore and under Networking, select Security.

2  Select the organization virtual data center for which you want to configure distributed firewall rules.

3  Click Configure Services.

4  Enable distributed firewall on the Distributed Firewall tab.

What to do next

For a description of the default distributed firewall rule, see Managing Distributed Firewall Rules Using the Tenant Portal.

Managing Distributed Firewall Rules Using the Tenant Portal

As described in the Networking Administration Guide, default firewall settings apply to traffic that does not match any of the user-defined firewall rules. In the Cyfuture Cloud Console Tenant Portal, the default distributed firewall rule is labeled Default Allow Rule.

The distributed firewall capability must be enabled on an organization virtual data center before you can manage the distributed firewall settings using the Cyfuture Cloud Console Tenant Portal.

The default distributed firewall rule is configured to allow all layer 3 and layer 2 traffic to pass through the organization virtual data center. This setting is indicated by the Allow set in the Action column in the user interface. The default rule is always at the bottom of the rules table.

Important- You cannot delete or modify the default distributed firewall rules.

Add a Distributed Firewall Rule

You first add a distributed firewall rule to the scope of the organization virtual data center. Then you can narrow down the scope at which you want to apply the rule. The distributed firewall allows you to add multiple objects at the source and destination levels for each rule, which helps reduce the total number of firewall rules to be added.

For information about the predefined services and service groups that you can use in a rule, see View Services Available for Firewall Rules and View Service Groups Available for Firewall Rules.

Prerequisites

Enable the Distributed Firewall on an Organization Virtual Data Center using the Tenant Portal

If you want to use an IP set as a source or destination in a rule, Create an IP Set for Use in Firewall Rules and DHCP Relay Configuration.

If you want to use an MAC set as a source or destination in a rule, Create a MAC Set for Use in Firewall Rules.

If you want to use a Security group as a source or destination in a rule, Create a Security Group.

Procedure

1  On the Virtual Data Center dashboard screen, click the card of the virtual data center you want to explore and under Networking, select Security.

2  Select the security services VDC network for which you want to modify firewall rules, and click Configure Services.

The Security Services screen displays.

3  Select the type of rule you want to create. You have the option to create a general rule or an Ethernet rule.

Layer 3 (L3) rules are configured on the General tab. Layer 2 (L2) rules are configured on the Ethernet tab.

4  To add a rule below an existing rule in the firewall table, click in the existing row and then click the Create button.

A row for the new rule is added below the selected rule, and is assigned any destination, any service, and the Allow action by default. When the system-defined Default Allow rule is the only rule in the firewall table, the new rule is added above the default rule.

5  Click in the Name cell and type in a name.

6  Click in the Source cell and use the now visible icons to select a source to add to the rule:

Action: Click the IP icon
Description: Applicable for rules defined on the General tab. Type the source value you want to use. Valid values are an IP address, CIDR, an IP range, or the keyword any. The distributed firewall supports IPv4 format only.

Action: Click the + icon
Description: Use the + icon to specify the source as an object other than a specific IP address:

■   Use the Select objects window to add objects that match your selections and click Keep to add them to the rule.

■   To exclude a source from the rule, add it to this rule using the Select objects window and then select the toggle exclusion icon to exclude that source from this rule.

When the toggle exclusion is selected on the source, the rule is applied to traffic coming from all sources except for the source you excluded. When the toggle exclusion is not selected, the rule applies to traffic coming from the source you specified in the Select objects window.

7  Click in the Destination cell and perform one of the following actions:

Action: Click the IP icon
Description: Applicable for rules defined on the General tab. Type the destination value you want to use. Valid values are an IP address, CIDR, an IP range, or the keyword any. The distributed firewall supports IPv4 format only.

Action: Click the + icon
Description: Use the + icon to specify the destination as an object other than a specific IP address:

■   Use the Select objects window to add objects that match your selections and click Keep to add them to the rule.

■   To exclude a destination from the rule, add it to this rule using the Select objects window and then select the toggle exclusion icon to exclude that destination from this rule.

When the toggle exclusion is selected on the destination, the rule is applied to traffic going to all destinations except for the destination you excluded. When the toggle exclusion is not selected, the rule applies to traffic going to the destination you specified in the Select objects window.

8  Click in the Service cell of the new rule and perform one of the following actions:

Action: Click the IP icon
Description: To specify the service as a port-protocol combination:

a  Select the service protocol.

b  Type the port numbers for the source and destination ports, or specify any, and click Keep.

Action: Click the + icon
Description: To select a pre-defined service or service group, or define a new one:

a  Select one or more objects and add them to the filter.

b  Click Keep.

9  In the Action cell of the new rule, configure the action for the rule.

Option: Allow
Description: Allows traffic from or to the specified sources, destinations, and services.

Option: Deny
Description: Blocks traffic from or to the specified sources, destinations, and services.

10   In the Direction cell of the new rule, select whether the rule applies to incoming traffic, outgoing traffic, or both.

11   If this is a rule on the General tab, in the Packet Type cell of the new rule, select a packet type of Any, IPV4, or IPV6.

12   Select the Applied To cell, and use the + icon to define the object scope to which this rule is applicable.

When the rule contains virtual machines in the Source and Destination cells, you must add both the source and destination virtual machines to the rule's Applied To for the rule to work correctly.

Important- IP address groups (IP sets), MAC address groups (MAC sets), and security groups containing either IP sets or MAC sets are not valid input parameters.

13   Click Save Changes.

Edit a Distributed Firewall Rule

In a Cyfuture Cloud Console environment, to modify an existing distributed firewall rule of an organization virtual data center, use the Distributed Firewall screen.

For details about the available settings for the various cells of a rule, see Add a Distributed Firewall Rule. 

Procedure

1  On the Virtual Data Center dashboard screen, click the card of the virtual data center you want to explore and under Networking, select Security.

2  Select the security services VDC network for which you want to modify firewall rules, and click Configure Services.

The Security Services screen displays.

3  Perform any of the following actions to manage the distributed firewall rules:

■     Disable a rule by clicking the green check mark in its No. cell.

The green check mark turns to a red disabled icon. If the rule is disabled and you want to enable the rule, click the red disabled icon.

■     Edit a rule name by double-clicking in its Name cell and typing the new name.

■     Modify the settings for a rule, such as the source or action settings, by selecting the appropriate cell and using the displayed controls.

■     Delete a rule by selecting it and clicking the Delete button located above the rules table.

■     Move a rule up or down in the rules table by selecting the rule and clicking the up and down arrow buttons located above the rules table.

4  Click Save Changes.

 

