Manage Firewalls

This section describes firewall policies, which are similar to security groups. The platform supports firewall policies in private cloud with network managers (NSX, Neutron) and in public cloud (AWS, Azure). In Oracle Cloud, the platform enables users to onboard classic firewalls and assign them to VMs.

In vCloud Director, the platform supports classic firewalls, which are Edge firewalls at level of the public cloud region (orgVDC). The platform does not support security groups for VMs in vCloud Director. See Manage classic firewalls

To synchronize firewalls do these steps:

1. Select All virtual datacenters and the location, or a single virtual datacenter
2. Click the synchronize button  

To synchronize a firewall before you add new firewall rules:

1. Select the firewall and click the synchronize button  .

The platform can create firewall policies in virtual datacenters in the provider, or in the platform only, for later use in providers, depending on provider support.

To create a new firewall, do these steps:

1. Go to Virtual datacenters → Network → Firewalls
2. Click the add button
3. Enter the firewall details
   

   

   Field	Description
   Name	Name of the firewall policy.
   Location	Public cloud region
   Virtual datacenter	Virtual datacenter: The platform will create your firewall in the cloud provider. It will add a provider-ID that will display on the main Firewalls page. The platform will synchronize rules with the provider No virtual datacenter: The platform will create the firewall in the platform only, for your enterprise in the public cloud region. The platform will not synchronize rules with the provider. The platform will create the firewall in the provider when you select a virtual datacenter.
   Description	Description of the firewall policy

4. Click Save to create the firewall
5. Add firewall rules as described below

If you entered a virtual datacenter, the platform created your firewall in the provider. The platform will display a provider-ID and a virtual datacenter ID for the firewall. 

If you selected No virtual datacenter, the firewall will be created in the platform in the public cloud region for your enterprise. The synchronize process will not update this firewall. The platform will not create it in the provider until you select a virtual datacenter.

• Cloud Tenant Admin Guide
• Manage Firewalls 

To set or unset a default firewall for a virtual datacenter:

1. Select the firewall
2. Click the star button

When the user creates a VM, the platform will assign the default firewall. The firewall rules apply to VMs, not individual NICs on the VMs. Changes to the firewall ruleset will apply to every VM in the virtual datacenter with the default firewall. If you do not set a default firewall but the provider requires one, for example, AWS, the platform will set the provider's default firewall. In AWS the default firewall is not marked. 

To edit a firewall policy:

1. Go to Virtual datacenters → select virtual datacenter or select a region → Network → Firewalls
2. Select the firewall and click the pencil edit button.
3. Make your changes and click Save

If the provider does not allow you to edit the policy, you may be able to delete the firewall in the provider, then reuse the configuration.

Edit firewall rules in AWS

Amazon allows you to edit firewall rules and you can do this through the platform. First synchronize the firewall to update the rules because AWS will not allow you to create a rule that already exists in the security group. Remember that it may take some time for firewall rules to propagate throughout AWS. Until the rules have propagated, the platform will not be able to detect them. See http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/query-api-troubleshooting.html#eventual-consistency

Edit firewalls in AWS

To edit an AWS firewall in Abiquo, you can delete the firewall directly in the provider, then synchronize so the provider ID will be removed from the firewall in the platform. You can now edit the firewall and the firewall rules, and you can even assign the firewall to another virtual datacenter. The following screenshot shows the default firewall for several different VDCs. The "webDB" firewall currently exists in AWS. The other firewalls have been created in the platform but are not assigned to a virtual datacenter and do not currently exist in AWS.

To add a new firewall rule:

1. Select the virtual datacenter or location
2. Select the firewall
3. On the firewall rules panel, click the pencil Edit button
4. Select the Inbound or Outbound tab for the traffic direction you wish to control
5. Enter the details of a rule
   1. Protocol
   • • Select from Common protocols, OR
     • Enter a custom protocol
   1. Port range with the start and end ports that this rule will apply to. You can enter the same value twice, for one port, or you can optionally apply the rule to a number of ports at the same time
   2. Source or Target IP address (network address/netmask).
6. Click Add. The firewall rule will be added to the rule list. 
7. Enter more rules as required, then click Save

To display firewalls that exist in a virtual datacenter in the provider:

1. Go to Virtual datacenters → Network → Firewalls
2. In the Virtual datacenters list, select the virtual datacenter

To display all firewalls in a location (public cloud region or datacenter), including those that only exist in the platform and not in the provider:

1. In the Virtual datacenters list, select All
2. On the Firewalls tab, select the location (public cloud region or datacenter)
   

To filter firewalls, enter text in the search box to search by the name, description, and provider ID in the firewall list.

To assign a firewall with no virtual datacenter to a virtual datacenter, do these steps

1. Go to Virtual datacenters → Network → Firewalls

2. Go to V. Datacenters All → Firewalls location

    Click here to expand...

   

3. Select and edit the firewall
4. Select the virtual datacenter to assign it to
5. Click Save

A: In the Abiquo API, the firewall object contains a link to the virtual datacenter it belongs to.

• In AWS or Azure ARM, if a firewall has a provider ID, then it exists in the cloud provider. The provider ID is the AWS security group ID or the Azure firewall name.
• Neutron assigns a provider ID to the firewall and it remains the same. In Neutron, the provider ID does not indicate if the firewall is assigned to a VDC or not. This means that the firewall can have a provider ID even when it does not exist in the provider.