Once the VM is ready, we need to set up rules for inbound and outbound connections to this virtual machine. In this exercise we will see how to add firewall rules to allow that connectivity.
Note: Make sure IP Sets and Application Port Profiles are created before adding firewall rules.
Demonstrating Firewall Rules in Different Scenarios
Scenario #1 allows traffic from VM01 to reach the Edge Gateway over ICMP.
Scenario #2 allows traffic from VM01 to reach VM02 over port 80.
Navigate to Edges and select the T1 Edge Gateway -> Tenant1-AZ1-ENT-T1.
Note: The T1 Edge Gateway name uses your Tenant name. For "Tenant1," the Cloud T1 Edge Gateway is named "Tenant1-AZ1-ENT-T1".
Screenshot 1 Accessing Edge Gateway
Before adding the firewall rules, make sure "IP Sets" and "Application Port Profiles" are created.
IP Sets: To create firewall rules, you must first create IP sets, which are groups of objects that the rules apply to.
Application Port Profiles: To create firewall rules, you can use preconfigured or custom application port profiles, which combine a protocol and port (or group of ports) for firewall services on the edge gateway. Custom profiles can also be created in addition to the default NSX profiles.
Note: The default Gateway firewall setting is set to "DENY."
Screenshot 2 T1-EdgeFirewall Dashboard
IP Sets
To create IP Sets, go to Security -> IP Sets -> NEW.
Screenshot 3 IP Sets 1
Creating an IP Set for VM01 and VM02
Screenshot 4 IP Sets 2
Screenshot 5 IP Sets 3
Screenshot 6 IP Sets 4
Application Port Profiles
Create an application port profile for cases where your application's required port is not available in the preconfigured port profiles.
No custom port profiles exist yet. Let's create custom ports.
Navigate to Security -> Application Port Profiles -> Custom Applications -> NEW
Screenshot 7 Application Port 1
Adding Single Custom Port
Screenshot 8 Application Port 2
To configure multiple custom ports, select "ADD PORT PROFILE" to add another entry, for example for ports that require the UDP protocol.
Screenshot 8 Application Port 3
Adding Multiple Ports as Comma-Separated Values and Port Ranges
Screenshot 9 Application Port 4
The custom port profile has been created, and we can also use the pre-configured port profiles.
Now that we have created the "IP Sets" and "Custom Port Profiles," we can begin adding firewall rules.
Adding Firewall Rules
Navigate to Services -> Firewall -> Edit Rules.
Note: The default Gateway firewall setting is set to "DENY."
Screenshot 10 Add Firewall 1
A new dialog box will appear when you click "Edit Rules," where you can add firewall rules.
Select the "NEW ON TOP" option to start.
Screenshot 11 Add Firewall 2
Update the values in the row for the New Rule based on the following Scenarios:
1. Scenario 1: Allow ICMP Ping to Reach Gateway
Name: ICMP
Applications: Here, you can choose either the pre-configured ports or the custom ports we created earlier. For this demo, I am selecting the pre-configured ICMP port.
Source: Any
Destination: Any
Action: Allow
Save
2. Scenario 2: Allow Port 80 between VM01 and VM02
Name: VM01_to_VM02_Port_80
Applications: Here, you can choose either the pre-configured ports or the custom ports we created earlier. For this demo, I am selecting the pre-configured HTTP port.
Source: Select the Source VM01 “IP Set” that we created in Step 5.
Destination: Select VM02 “IP Set”.
Action: Allow
Save
Screenshot 12 Add Firewall 3
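As an added illustration (not part of this lab guide, and not VCD or NSX code), the following Python model shows how the gateway evaluates the rules built in Scenarios 1 and 2: IP Sets group addresses, Application Port Profiles pair a protocol with ports or ranges (including the comma-separated ranges from the custom profile step), rules are checked top-down with the first match winning, and anything unmatched falls to the default Deny. The VM addresses are constructed placeholders, not the lab's real values.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class IpSet:                 # Security -> IP Sets: a named group of addresses/CIDRs
    name: str
    cidrs: list
    def contains(self, ip: str) -> bool:
        return any(ipaddress.ip_address(ip) in ipaddress.ip_network(c) for c in self.cidrs)

@dataclass
class PortProfile:           # Security -> Application Port Profiles: protocol + ports
    name: str
    protocol: str            # "TCP", "UDP" or "ICMP"
    ports: str = ""          # comma-separated ports and ranges, e.g. "53, 5000-5010"
    def matches(self, protocol: str, dport: int) -> bool:
        if protocol != self.protocol:
            return False
        if self.protocol == "ICMP":      # ICMP carries no port, protocol match is enough
            return True
        for part in self.ports.split(","):
            low, _, high = part.strip().partition("-")
            if int(low) <= dport <= int(high or low):
                return True
        return False

@dataclass
class Rule:
    name: str
    application: PortProfile
    source: "IpSet | None"   # None means "Any"
    destination: "IpSet | None"
    action: str              # "Allow" or "Deny"

def evaluate(rules, src, dst, protocol, dport=0):
    # Top-down, first match wins; no match -> gateway default, which the lab sets to Deny.
    for rule in rules:
        if ((rule.source is None or rule.source.contains(src))
                and (rule.destination is None or rule.destination.contains(dst))
                and rule.application.matches(protocol, dport)):
            return rule.action, rule.name
    return "Deny", "default"

# Constructed lab objects; the addresses are placeholders, not the lab's real values.
VM01 = IpSet("VM01", ["10.10.10.11/32"])
VM02 = IpSet("VM02", ["10.10.10.12/32"])
ICMP = PortProfile("ICMP", "ICMP")               # pre-configured profile
HTTP = PortProfile("HTTP", "TCP", "80")          # pre-configured profile
RULES = [Rule("VM01_to_VM02_Port_80", HTTP, VM01, VM02, "Allow"),   # Scenario 2 (newest on top)
         Rule("ICMP", ICMP, None, None, "Allow")]                    # Scenario 1
```

Because the Scenario 2 rule names VM01 as source and VM02 as destination, a new connection in the reverse direction, or to any other port, is not matched and hits the default Deny.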
Validate VM network settings
Before we start using our VM, let's validate that it has the correct network settings and can ping the Edge gateway.
Navigate to the Virtual Machines section -> Details.
Screenshot 13 Validate VM 1
On the Details screen, under Hardware, scroll to the NICs section and note the IP address shown.
Screenshot 14 Validate VM 2
Navigate back to the Virtual Machines section and click "VM Console" to open the pop-out console.
Screenshot 15 Validate VM 3
Log in to the VM and validate that it has the correct IP from "Step 2" and is able to ping the default gateway (Edge IP).
Screenshot 16 Validate VM 4
In case of any urgent requirements that may arise, you can reach out to Moro Support Center on 2266, or [email protected].