Configure the Firewall on the Edge router
Firewall rules are configured on Edge routers.
An IP Set is a group of IP addresses to which Firewall rules apply. By combining IP addresses into an IP Set, you do not need to create a separate rule for each IP address.
1. Create IP Set
- From the Control Panel, open the Cloud Director panel: from the top menu, click Products → VMware-based Cloud → Cloud Director.
- Open the virtual data center page.
- Go to Networking → Edges.
- Open the page of the desired Edge.
- Click Services.
- Open the Grouping object → IP Sets tab.
- Press +.
- Enter the name of the group.
- Enter IP addresses or ranges of IP addresses.
- Press Keep.
2. Create a Firewall rule
If the Firewall is enabled, the default rule for ingress traffic will block all traffic until you configure other rules.
- From the Control Panel, open the Cloud Director panel: from the top menu, click Products → VMware-based Cloud → Cloud Director.
- Open the virtual data center page.
- Go to Networking → Edges.
- Open the page of the desired Edge.
- Click Services.
- Open the Firewall tab.
- Turn on the Enabled toggle switch.
- Press +.
- Enter the name of the rule.
- In the Source field, click + and enter the source address.
- In the Service field, select Any.
- In the Action field, select Accept.
- To specify the destination objects for which the rule will be applied, in the Destination field, click +, in the Browse objects of type field, select the type of destination objects, add the desired objects, and then click Keep. Available object types:
  - Gateway interfaces — all internal networks (Internal), all external networks (External), or all external and internal networks (Any);
  - Virtual machines — Virtual machines;
  - OrgVdcNetworks — organization-level networks;
  - IP Sets — groups of IP addresses;
  - Security Groups — Security Groups.
- Click Save changes.
Examples of rules
Example 1
To allow access to the Internet via any protocols to a server with a specified IP:
- From the Control Panel, open the Cloud Director panel: from the top menu, click Products → VMware-based Cloud → Cloud Director.
- Open the virtual data center page.
- Go to Networking → Edges.
- Open the page of the desired Edge.
- Click Services.
- Open the Firewall tab.
- Turn on the Enabled toggle switch.
- Press +.
- Enter the name of the rule.
- In the Source field, click IP and enter the IP address.
- In the Destination field, select Any.
- In the Service field, select Any.
- In the Action field, select Accept.
- Click Save changes.
Example 2
To allow access from the Internet via TCP protocol and port 80 through an external IP address:
- From the Control Panel, open the Cloud Director panel: from the top menu, click Products → VMware-based Cloud → Cloud Director.
- Open the virtual data center page.
- Go to Networking → Edges.
- Open the page of the desired Edge.
- Click Services.
- Open the Firewall tab.
- Turn on the Enabled toggle switch.
- Press +.
- Enter the name of the rule.
- In the Source field, select Any.
- In the Destination field, click IP and enter the IP address.
- In the Service field, enter tcp:80:Any.
- In the Action field, select Accept.
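The following is an added illustration, not Cloud Director or NSX Edge code: a small model of the rule semantics described on this page (IP Sets with addresses and ranges, first matching rule wins, default block when the Firewall is enabled), used to check what the two example rules above actually admit. The service string is assumed to mean protocol:destination port:source port, as in the `tcp:80:Any` entry in Example 2; all IP addresses are constructed from documentation ranges.

```python
import ipaddress
from dataclasses import dataclass

ANY = "Any"

def is_any(value):
    return isinstance(value, str) and value.lower() == "any"

def parse_service(spec):
    """'tcp:80:Any' -> ('tcp', 80, 'Any'); assumed order: protocol:dst port:src port."""
    if is_any(spec):
        return (ANY, ANY, ANY)
    proto, dst, src = spec.split(":")
    return (proto.lower(), ANY if is_any(dst) else int(dst), ANY if is_any(src) else int(src))

def in_ip_set(addr, members):
    """members: 'Any', single addresses, CIDR blocks, or ranges like '10.0.0.1-10.0.0.20'."""
    ip = ipaddress.ip_address(addr)
    for m in members:
        if is_any(m):
            return True
        if "-" in m:
            lo, hi = (ipaddress.ip_address(x.strip()) for x in m.split("-"))
            if lo <= ip <= hi:
                return True
        elif ip in ipaddress.ip_network(m, strict=False):
            return True
    return False

@dataclass
class Rule:
    name: str
    source: list        # IP Set members for the Source field
    destination: list   # IP Set members for the Destination field
    service: str        # 'Any' or 'protocol:port:source port'
    action: str         # 'Accept' or 'Deny'

def evaluate(rules, src_ip, dst_ip, proto, dst_port, src_port):
    """Walk the rules in order; unmatched traffic falls through to the default block rule."""
    for r in rules:
        p, dp, sp = parse_service(r.service)
        if (in_ip_set(src_ip, r.source) and in_ip_set(dst_ip, r.destination)
                and p in (ANY, proto) and dp in (ANY, dst_port) and sp in (ANY, src_port)):
            return r.action
    return "Deny"

# Constructed rules mirroring Example 1 and Example 2 (documentation addresses).
EXAMPLE_1 = Rule("Example 1", ["10.0.0.5"], [ANY], "Any", "Accept")
EXAMPLE_2 = Rule("Example 2", [ANY], ["203.0.113.10"], "tcp:80:Any", "Accept")
```

Running `evaluate([EXAMPLE_2], ...)` shows that only TCP to port 80 on the external address is accepted; any other port or protocol hits the default block.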