Abiquo 5.2

Skip to end of metadata
Go to start of metadata


Introduction to Firewalls

The platform provides a unified interface to firewalls in varied cloud environments. 

This section describes firewall policies, which are similar to security groups. The platform supports firewall policies in private cloud with network managers (NSX) and in public cloud (AWS, Azure). In Oracle Cloud, the platform enables users to onboard classic firewalls and assign them to VMs.

In vCloud Director, the platform also supports classic firewalls, which are Edge firewalls at level of the public cloud region (orgVDC). See Manage classic firewalls




Synchronize firewall policies with the cloud provider

The synchronization process will onboard firewalls and it will update the platform's information about firewalls that already exist in the cloud provider. The platform synchronizes automatically when you onboard virtual resources from public cloud. Depending on the provider, the platform may support synchronization at the level of the location (public cloud region) or virtual datacenter.

To synchronize firewalls do these steps:

  1. Select All virtual datacenters and the location, or a single virtual datacenter
  2. Click the double-arrow synchronize button 

To synchronize a firewall before you add new firewall rules:

  1. Select the firewall and click the double-arrow synchronize button




Create a firewall policy

The platform can create firewall policies in virtual datacenters in the provider, or in the platform only, for later use in providers, depending on provider support.

Privilege: Manage firewall

To create a new firewall, do these steps:

  1. Go to Virtual datacentersNetworkFirewalls
  2. Click the Add button
  3. Enter the firewall details

    Field

    Description

    Name

    Name of the firewall policy.

    LocationPublic cloud region or datacenter
    Virtual datacenter
    • Virtual datacenter: The platform will create your firewall in the cloud provider. It will add a provider-ID that will display on the main Firewalls page. The platform will synchronize rules with the provider
    • No virtual datacenter: If allowed by the provider. The platform will create the firewall in the platform only, for your enterprise in the public cloud region. The platform will not synchronize rules with the provider. The platform will create the firewall in the provider when you select a virtual datacenter.
    DefaultOptional. Select to make the firewall the default for the virtual datacenter

    Description

    Description of the firewall policy

  4. Click Save to create the firewall
  5. Add Firewall rules as described below

If you entered a virtual datacenter, the platform created your firewall in the provider. The platform will display a Provider-ID and a Virtual datacenter ID for the firewall. 

If you selected No virtual datacenter, the firewall will be created in the platform in the public cloud region for your enterprise. The synchronize process will not update this firewall. The platform will not create it in the provider until you select a virtual datacenter.




Set a firewall policy as the default for a virtual datacenter

You can set a default firewall policy for each virtual datacenter. 

Privilege: Manage default firewall

To set or unset a default firewall for a virtual datacenter:

  1. Select the firewall
  2. Click the star button

When the user creates a VM, the platform will assign the default firewall. The firewall rules apply to VMs, not individual NICs on the VMs. Changes to the firewall ruleset will apply to every VM in the virtual datacenter with the default firewall. If you do not set a default firewall but the provider requires one, for example, AWS, the platform will set the provider's default firewall. In AWS the default firewall is not marked. 




Edit a firewall policy

If your provider allows it, you may edit a firewall policy in the platform. 

To edit a firewall policy:

  1. Go to Virtual datacenters → select virtual datacenter or select a region → Network → Firewalls
  2. Select the firewall policy and click the pencil edit button.
  3. Make your changes and click Save

Field

Description

Name

Name of the firewall policy. Some providers will not allow you to edit the name of the firewall policy

DefaultSelect this option to set the firewall as the default. The platform will assign the default firewall to new VMs.

Description

Description of the firewall policy

To add a tag, enter the Key and Value, then click Add

For providers that support tags:

  • If you have invalid tags, optionally select the checkbox to Create local tags if tags are invalid in the provider
  • To onboard or update tags with changes from the provider, click the round arrow Synchronize button.

To delete a tag, select the tag, then click the Delete button.

To save your changes, click Save.





Add tags to a firewall policy

Unable to render {include} The included page could not be found.



Move a firewall policy to another virtual datacenter

Before you begin:
  1. Check if your provider allows you to move firewalls. For example, Azure ARM allows you to move firewalls to other VDCs in the same resource group

To move a firewall to another virtual datacenter

  1. Go to Virtual datacenters → Locations or Global
  2. Select the public cloud region, or Azure provider and resource group
  3. Edit the firewall policy and select the new Virtual datacenter




Edit firewall rules

You can define firewall rules for inbound and outbound traffic in your firewall policy.

To add a new firewall rule:

  1. Select the virtual datacenter or location
  2. Select the firewall
  3. On the Firewall rules panel, click the pencil Edit button
  4. Select the Inbound or Outbound tab for the traffic direction you wish to control
  5. Enter the details of a rule
    1. Protocol
      • Select from Common protocols, OR
      • Select and enter a Custom protocol
    1. Port range with the Start port and End port that this rule will apply to. To enter one port, enter the same value twice, or optionally apply the rule to a number of ports at the same time
    2. Sources or Targets as a network address and netmask
  6. Click Add. The firewall rule will be added to the Firewall rules list
  7. Enter more rules as required, then click Save


Edit firewall rules in AWS

Before you edit firewall rules in AWS, synchronize the firewall to update the rules because AWS will not allow you to create a rule that already exists in the security group. Remember that it may take some time for firewall rules to propagate throughout AWS. Until the rules have propagated, the platform will not be able to detect them. See http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/query-api-troubleshooting.html#eventual-consistency




Delete firewall policy rules

To delete firewall rules, do these steps.

  1. Go to Virtual datacenters → select a virtual datacenter or select All → Network → Firewalls
  2. Edit the firewall
  3. Select the Inbound or Outbound tab
  4. On the left-hand side of each rule you wish to delete, click the trash/garbage Delete button
  5. Click Save




Display firewall policies

You can display and manage firewalls in the platforms at the level of the virtual datacenter or the location (public cloud region or datacenter).

To display firewalls that exist in a virtual datacenter in the provider:

  1. Go to Virtual datacenters → select a virtual datacenter → NetworkFirewalls


To display all firewalls in a location (public cloud region or datacenter):

  1. Go to Cloud virtual datacenters view → Locations
  2. Select a location
  3. Go to Network → Firewalls

    Firewalls that do not exist in the provider are grayed out, and you should delete these firewalls.


To filter firewalls, enter text in the Search box to search by the NameDescription, and Provider ID in the Firewalls list.


To display firewalls in an Azure Resource Group:

  1. Go to Cloud virtual datacenters view
  2. Go to Global → Azure → Resource Groups → select a resource group
  3. To display the details of the firewall, edit the firewall



Assign a firewall policy to a VM

See Assign a firewall policy to a VM




Delete a firewall policy

To delete a firewall policy:

  1. Edit each VM that is using the firewall policy to remove the firewall policy
  2. Select the firewall policy
  3. Click the Delete button



Manage firewalls with the API

API Documentation

For the Abiquo API documentation of this feature, see Abiquo API Resources and the page for this resource FirewallPoliciesResource.