Abiquo Documentation


Abiquo 5.0

Skip to end of metadata
Go to start of metadata


Introduction to Firewalls

The platform provides a unified interface to firewalls in varied cloud environments. 

This section describes firewall policies, which are similar to security groups. The platform supports firewall policies in private cloud with network managers (NSX, Neutron) and in public cloud (AWS, Azure). In Oracle Cloud, the platform enables users to onboard classic firewalls and assign them to VMs.

In vCloud Director, the platform supports classic firewalls, which are Edge firewalls at level of the public cloud region (orgVDC). The platform does not support security groups for VMs in vCloud Director. See Manage Classic Firewalls



Synchronize firewall policies with the cloud provider

The synchronization process will onboard firewalls and it will update the platform's information about firewalls that already exist in the cloud provider. The platform synchronizes automatically when you onboard virtual resources from public cloud. Depending on the provider, the platform may support synchronization at the level of the location (public cloud region) or virtual datacenter.

To synchronize firewalls do these steps:

  1. Select All virtual datacenters and the location, or a single virtual datacenter
  2. Click the double-arrow synchronize button 

To synchronize a firewall before you add new firewall rules:

  1. Select the firewall and click the double-arrow synchronize button



Create a firewall policy

The platform can create firewall policies in virtual datacenters in the provider, or in the platform only, for later use in providers, depending on provider support.

Privilege: Manage firewall

To create a new firewall, do these steps:

  1. Go to Virtual datacentersNetworkFirewalls
  2. Click the Add button
  3. Enter the firewall details

    Field

    Description

    Name

    Name of the firewall policy.

    LocationPublic cloud region
    Virtual datacenter
    • Virtual datacenter: The platform will create your firewall in the cloud provider. It will add a provider-ID that will display on the main Firewalls page. The platform will synchronize rules with the provider
    • No virtual datacenter: If allowed by the provider. The platform will create the firewall in the platform only, for your enterprise in the public cloud region. The platform will not synchronize rules with the provider. The platform will create the firewall in the provider when you select a virtual datacenter.
    DefaultOptional. Select to make the firewall the default for the virtual datacenter

    Description

    Description of the firewall policy

  4. Click Save to create the firewall
  5. Add Firewall rules as described below

If you entered a virtual datacenter, the platform created your firewall in the provider. The platform will display a Provider-ID and a Virtual datacenter ID for the firewall. 

If you selected No virtual datacenter, the firewall will be created in the platform in the public cloud region for your enterprise. The synchronize process will not update this firewall. The platform will not create it in the provider until you select a virtual datacenter.



Set a firewall policy as the default for a virtual datacenter

You can set a default firewall policy for each virtual datacenter. 

Privilege: Manage default firewall

To set or unset a default firewall for a virtual datacenter:

  1. Select the firewall
  2. Click the star button

When the user creates a VM, the platform will assign the default firewall. The firewall rules apply to VMs, not individual NICs on the VMs. Changes to the firewall ruleset will apply to every VM in the virtual datacenter with the default firewall. If you do not set a default firewall but the provider requires one, for example, AWS, the platform will set the provider's default firewall. In AWS the default firewall is not marked. 



Edit a firewall policy

If your provider allows it, you may edit a firewall policy in the platform. 

To edit a firewall policy:

  1. Go to Virtual datacenters → select virtual datacenter or select a region → Network → Firewalls
  2. Select the firewall and click the pencil edit button.
  3. Make your changes and click Save

Field

Description

Name

Name of the firewall policy

Virtual datacenter
  • Virtual datacenter: If your firewall had no virtual datacenter and you select one, the platform will create your firewall in the cloud provider. It will add a provider-ID that will display on the main Firewalls page. The platform will synchronize rules with the provider
DefaultSelect this option to set the firewall as the default. Note: The platform will not assign the default firewall to existing VMs.

Description

Description of the firewall policy

If the provider does not allow you to edit the policy, you may be able to delete the firewall in the provider, then reuse the configuration.

Edit firewall rules in AWS

Amazon allows you to edit firewall rules and you can do this through the platform. First synchronize the firewall to update the rules because AWS will not allow you to create a rule that already exists in the security group. Remember that it may take some time for firewall rules to propagate throughout AWS. Until the rules have propagated, the platform will not be able to detect them. See http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/query-api-troubleshooting.html#eventual-consistency

Edit firewalls in AWS

To edit an AWS firewall in Abiquo, you can delete the firewall directly in the provider, then synchronize so the provider ID will be removed from the firewall in the platform. You can now edit the firewall and the firewall rules, and you can even assign the firewall to another virtual datacenter. The following screenshot shows the default firewall for several different VDCs. The "webDB" firewall currently exists in AWS. The other firewalls have been created in the platform but are not assigned to a virtual datacenter and do not currently exist in AWS.



Edit firewall policy rules

You can define firewall rules for inbound and outbound traffic in your firewall policy.

To add a new firewall rule:

  1. Select the virtual datacenter or location
  2. Select the firewall
  3. On the Firewall rules panel, click the pencil Edit button
  4. Select the Inbound or Outbound tab for the traffic direction you wish to control
  5. Enter the details of a rule
    1. Protocol
      • Select from Common protocols, OR
      • Select and enter a Custom protocol
    1. Port range with the Start port and End port that this rule will apply to. To enter one port, enter the same value twice, or optionally apply the rule to a number of ports at the same time
    2. Sources or Targets as a network address and netmask
  6. Click Add. The firewall rule will be added to the Firewall rules list
  7. Enter more rules as required, then click Save



Delete firewall policy rules

To delete firewall rules, do these steps.

  1. Go to Virtual datacenters → select a virtual datacenter or select All → Network → Firewalls
  2. Edit the firewall
  3. Select the Inbound or Outbound tab
  4. On the left-hand side of each rule you wish to delete, click the trash/garbage Delete button
  5. Click Save



Display firewall policies

You can display and manage firewalls in the platforms at the level of the virtual datacenter or the location (public cloud region or datacenter).

To display firewalls that exist in a virtual datacenter in the provider:

  1. Go to Virtual datacenters → select a virtual datacenter → NetworkFirewalls

To display all firewalls in a location (public cloud region or datacenter), including those that only exist in the platform and not in the provider:

  1. In the Virtual datacenters list, select All
  2. On the Firewalls tab, select the location (public cloud region or datacenter)

To filter firewalls, enter text in the Search box to search by the NameDescription, and Provider ID in the Firewalls list.


Assign a firewall policy to a VM

See Assign a firewall policy to a VM



Move a firewall policy to another VDC

To move a firewall to another virtual datacenter:

  • In Neutron, edit the firewall in Abiquo and change the VDC

  • In Azure ARM, edit the firewall and change or remove the virtual datacenter
  • In AWS, delete the firewall directly in the provider, then synchronize so the provider ID will be removed from the firewall in Abiquo. Now you can edit the firewall and change the virtual datacenter. This is because you are not allowed to edit firewalls or move them from one VPC to another in AWS but you can do this in Abiquo. The following screenshot shows a firewall after the AWS security group was deleted. The firewall rules are preserved for you to edit or apply to another virtual datacenter. 



Reuse a firewall after deleting a virtual datacenter

If you delete a virtual datacenter, the firewalls will be deleted in the cloud provider or network virtualization system but they will still be present in the platform. The details of the firewalls may vary, for example, in AWS they will not have a Provider ID but in Neutron they will have a provider ID. You can edit these firewalls as required and assign them to another virtual datacenter.

To assign a firewall with no virtual datacenter to a virtual datacenter, do these steps

  1. Go to Virtual datacentersAll → Network → Firewalls

  2. Select a cloud Location

     Click here to expand...

    Reuse a firewall after deleting a virtual datacenter

  3. Select and edit the firewall
  4. Select the virtual datacenter to assign it to
  5. Click Save
 Click here to show/hide the screenshot

Edit a firewall to assign it to a new virtual datacenter


Delete a firewall policy

To delete a firewall policy:

  1. Edit each VM that is using the firewall policy to remove the firewall policy
  2. Select the firewall policy
  3. Click the Delete button



Troubleshoot firewall policies

Q: Does my firewall exist in the provider? Which VDC does it belong to?

A: In the Abiquo API, the firewall object contains a link to the virtual datacenter it belongs to.

  • In AWS or Azure ARM, if a firewall has a provider ID, then it exists in the cloud provider. The provider ID is the AWS security group ID or the Azure firewall name.
  • Neutron assigns a provider ID to the firewall and it remains the same. In Neutron, the provider ID does not indicate if the firewall is assigned to a VDC or not. This means that the firewall can have a provider ID even when it does not exist in the provider.


Manage firewalls with the API

API Documentation

For the Abiquo API documentation of this feature, see Abiquo API Resources and the page for this resource FirewallPoliciesResource.

Copyright © 2006-2020, Abiquo Holdings SL.   All rights reserved.        Privacy Policy      Cookie Policy