Tier-1 Edge Firewall

Once the VM is ready, we need to set up rules for inbound and outbound connections to this virtual machine. In this exercise we will add firewall rules on the Tier-1 Edge Gateway to allow that connectivity.

Note: Make sure IP Sets and Application Port Profiles are created before adding firewall rules.

Demonstrating Firewall Rules in Different Scenarios

Scenario #1 allows ICMP traffic from VM01 to reach the Edge Gateway.

Scenario #2 allows traffic from VM01 to reach VM02 on TCP port 80.

  1. Navigate to Edges and select the T1 Edge Gateway, Tenant1-AZ1-ENT-T1

Note: The T1 Edge Gateway name uses your Tenant name. For "Tenant1," the Cloud T1 Edge Gateway is named "Tenant1-AZ1-ENT-T1"

Screenshot 1 Accessing Edge Gateway
  1. Before adding the firewall rules, make sure "IP Sets" and "Application Port Profiles" are created.

  • IP Sets: Firewall rules reference IP Sets, which are named groups of IP addresses, ranges or CIDR blocks used as the source or destination of a rule. Create them before the rules that need them.

  • Application Port Profiles: A firewall rule matches on an application port profile, which combines a protocol with a port or group of ports for the firewall services on the edge gateway. You can use the preconfigured NSX profiles or create custom profiles for ports the defaults do not cover.

Note: the default Gateway firewall setting is set to "DENY."

Screenshot 2 T1-EdgeFirewall Dashboard

IP Sets

  1. To create an IP Set, go to Security -> IP Sets -> NEW

Screenshot 3 IP Sets 1
  1. Create one IP Set for VM01 and one for VM02

Screenshot 4 IP Sets 2
Screenshot 5 IP Sets 3
Screenshot 6 IP Sets 4

Application Port Profiles

  1. Create an application port profile for cases where your application's required port is not available in the preconfigured port profiles.

  2. No custom port profiles exist yet, so we will create one.

  3. Navigate to Security -> Application Port Profiles -> Custom Applications -> NEW

Screenshot 7 Application Port 1
  1. Adding Single Custom Port

Screenshot 8 Application Port 2
  1. To cover more than one protocol in the same profile (for example ports that use UDP), select "ADD PORT PROFILE" and add another protocol and port entry.

Screenshot 8 Application Port 3
  1. Adding multiple ports as a comma-separated list and as port ranges

Screenshot 9 Application Port 4
  1. The custom port profile has been created, and we can also use the pre-configured port profiles.

Now that we have created the "IP Sets" and "Custom Port Profiles," we can begin adding firewall rules.

Adding Firewall Rules

  1. Navigate to Services -> Firewall -> Edit Rules.

Note: The default Gateway firewall setting is set to "DENY."

Screenshot 10 Add Firewall 1
  1. A new dialog box will appear when you click "Edit Rules," where you can add firewall rules.

  2. Select the "NEW ON TOP" option to start.

Screenshot 11 Add Firewall 2
  1. Update the values in the row for the New Rule based on the following Scenarios:


Scenario 1: Allow ICMP Ping to Reach Gateway

Name: ICMP

Applications: Here you can choose either a preconfigured port profile or one of the custom profiles created earlier. For this demo, select the preconfigured ICMP profile.

Source: Any

Destination: Any

Action: Allow

Save

Note: With Source and Destination both set to Any, this rule permits ICMP from every source to every destination the gateway forwards, which is wider than the scenario (VM01 to the Edge Gateway) requires. For a production rule, set Source to the VM01 IP Set and Destination to an IP Set that contains the Edge Gateway's internal IP address.


Scenario 2: Allow Port 80 between VM01 and VM02

Name: VM01_to_VM02_Port_80

Applications: Here you can choose either a preconfigured port profile or one of the custom profiles created earlier. For this demo, select the preconfigured HTTP profile (TCP port 80).

Source: Select the VM01 IP Set created in the IP Sets section above.

Destination: Select the VM02 IP Set.

Action: Allow

Save

Note: This rule only allows connections initiated by VM01; under the default DENY, a connection from VM02 to VM01 on port 80 is still dropped. The gateway firewall also only evaluates traffic that is routed through the Edge Gateway. If VM01 and VM02 are on the same network, their traffic is switched locally and never reaches the gateway, so this rule only takes effect when the two VMs sit on different networks behind the T1.

Screenshot 12 Add Firewall 3
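As an added example that is not part of the original page, the following Python script models how the Tier-1 edge firewall evaluates the two scenario rules: top to bottom, first match wins, and anything unmatched falls to the gateway default (DENY). The IP addresses, the IP Set members and the extra "Edge" IP Set are assumptions; the model ignores the firewall's stateful handling of reply traffic, NAT and the distributed firewall. It also shows the difference between the Any/Any ICMP rule entered in Scenario 1 and a rule scoped to what the scenario actually describes.

```python
# Added example (not from the original page): a minimal model of how the
# Tier-1 edge firewall evaluates the Scenario 1 and 2 rules: top to bottom,
# first match wins, otherwise the gateway default (DENY) applies.
# Addresses, IP Set members and the "Edge" IP Set are assumptions.
import ipaddress
from dataclasses import dataclass

# Constructed IP Sets standing in for the ones created under Security -> IP Sets.
IP_SETS = {
    "VM01": ["192.168.10.11/32"],
    "VM02": ["192.168.10.12/32"],
    "Edge": ["192.168.10.1/32"],   # assumed internal IP of the Edge Gateway
}

# Application port profiles as (protocol, allowed destination ports).
# None means the profile matches every port (ICMP has no ports).
APP_PROFILES = {
    "ICMP": ("icmp", None),
    "HTTP": ("tcp", {80}),
}


@dataclass
class Rule:
    name: str
    app: str          # key into APP_PROFILES
    source: str       # IP Set name or "Any"
    destination: str  # IP Set name or "Any"
    action: str       # "ALLOW" or "DROP"


def in_set(addr, set_name):
    """True if addr is covered by the named IP Set ("Any" matches everything)."""
    if set_name == "Any":
        return True
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(cidr) for cidr in IP_SETS[set_name])


def matches(rule, src, dst, proto, dport):
    """True if the packet's protocol, port, source and destination fit the rule."""
    app_proto, app_ports = APP_PROFILES[rule.app]
    if proto != app_proto:
        return False
    if app_ports is not None and dport not in app_ports:
        return False
    return in_set(src, rule.source) and in_set(dst, rule.destination)


def evaluate(rules, src, dst, proto, dport=None, default="DROP"):
    """Return (action, rule_name) for the first matching rule, or the default."""
    for rule in rules:
        if matches(rule, src, dst, proto, dport):
            return rule.action, rule.name
    return default, "default"


# The two rules exactly as entered in the scenarios above.
DEMO_RULES = [
    Rule("ICMP", "ICMP", "Any", "Any", "ALLOW"),
    Rule("VM01_to_VM02_Port_80", "HTTP", "VM01", "VM02", "ALLOW"),
]

# Scenario 1 narrowed to what its description actually asks for.
SCOPED_RULES = [
    Rule("VM01_ICMP_to_Edge", "ICMP", "VM01", "Edge", "ALLOW"),
    Rule("VM01_to_VM02_Port_80", "HTTP", "VM01", "VM02", "ALLOW"),
]

VM01, VM02, EDGE = "192.168.10.11", "192.168.10.12", "192.168.10.1"
OUTSIDE = "203.0.113.9"   # constructed address outside every IP Set

if __name__ == "__main__":
    for label, rules in (("demo", DEMO_RULES), ("scoped", SCOPED_RULES)):
        print(label)
        print("  VM01 -> Edge icmp    ", evaluate(rules, VM01, EDGE, "icmp"))
        print("  VM01 -> VM02 tcp/80  ", evaluate(rules, VM01, VM02, "tcp", 80))
        print("  VM02 -> VM01 tcp/80  ", evaluate(rules, VM02, VM01, "tcp", 80))
        print("  VM01 -> VM02 tcp/22  ", evaluate(rules, VM01, VM02, "tcp", 22))
        print("  outside -> VM02 icmp ", evaluate(rules, OUTSIDE, VM02, "icmp"))
```

Run it to see that the demo rule set lets an outside host ping VM02 through the ICMP rule, while the scoped set drops it; in both sets the reverse direction (VM02 to VM01 on port 80) and any port without a rule fall to the default DENY.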

Validate VM network settings

Before we start using the VM, let's validate that it has the correct network settings and can ping the Edge Gateway.

  1. Navigate to the Virtual Machines section and open Details

Screenshot 13 Validate VM 1
  • On the Details screen, scroll to the NICs section under Hardware and note the IP address shown

Screenshot 14 Validate VM 2
  • Navigate back to the Virtual Machines section and click "VM Console" to open the pop-out console.

Screenshot 15 Validate VM 3
  • Log in to the VM and confirm that it has the IP address noted in the NICs section and can ping its default gateway (the Edge IP). If the ping fails, check the ICMP rule from Scenario 1 before troubleshooting the guest.

Screenshot 16 Validate VM 4
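The checks above can be scripted from inside the guest. The following Python script is an added example, not part of the original page: run it on VM01 after logging in through the VM Console. It reports the address the guest actually uses to reach the gateway, pings the gateway, and probes VM02 on TCP/80 (allowed by Scenario 2) and on a port no rule allows, where a default-DENY gateway should produce a timeout rather than a connection refused. The addresses and the blocked port are assumptions; edit them to match the NICs section of your VM. The ping command uses Linux iputils syntax.

```python
# Added example (not from the original page): run inside VM01 after logging in
# through the VM Console. Checks the guest IP, pings the default gateway (Edge
# IP) and probes VM02 on an allowed and on a blocked port.
# Addresses and BLOCKED_PORT are assumptions; adjust them to your environment.
import socket
import subprocess

GATEWAY = "192.168.10.1"       # assumed Edge Gateway IP (default gateway of VM01)
EXPECTED_IP = "192.168.10.11"  # assumed VM01 address from the NICs section
VM02 = "192.168.10.12"         # assumed VM02 address
BLOCKED_PORT = 22              # no rule allows this, so the default DENY applies


def local_ip_for(target):
    """Source address the guest would use to reach target (no packet is sent)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.connect((target, 9))
        return s.getsockname()[0]


def ping(host, count=3, timeout=2):
    """True if ICMP echo replies come back (Linux iputils ping syntax)."""
    cmd = ["ping", "-c", str(count), "-W", str(timeout), host]
    return subprocess.run(cmd, stdout=subprocess.DEVNULL,
                          stderr=subprocess.DEVNULL).returncode == 0


def tcp_probe(host, port, timeout=3.0):
    """Classify a TCP connect: open, refused, filtered (no answer) or error."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "filtered"
    except OSError:
        return "error"


def judge(result, allowed):
    """Compare a probe result with what the rule set should produce.

    Under a default-DENY gateway a blocked port should time out ("filtered").
    A "refused" means the SYN reached VM02 and its OS answered, i.e. the
    traffic was not stopped at the gateway even though no rule allows it.
    """
    if allowed:
        return "PASS" if result == "open" else f"FAIL (got {result}, expected open)"
    if result == "filtered":
        return "PASS"
    return f"FAIL (got {result}; traffic reached the destination or the probe errored)"


if __name__ == "__main__":
    ip = local_ip_for(GATEWAY)
    ip_ok = "PASS" if ip == EXPECTED_IP else f"FAIL (expected {EXPECTED_IP})"
    print(f"guest IP {ip}: {ip_ok}")
    print(f"ping {GATEWAY}: {'PASS' if ping(GATEWAY) else 'FAIL'}")
    print(f"VM02 tcp/80: {judge(tcp_probe(VM02, 80), allowed=True)}")
    print(f"VM02 tcp/{BLOCKED_PORT}: {judge(tcp_probe(VM02, BLOCKED_PORT), allowed=False)}")
```

A "refused" on the blocked port is worth investigating: it means the packet reached VM02, so either the two VMs share a network that bypasses the gateway firewall or a rule is wider than intended.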

In case of any urgent requirements that may arise, you can reach out to Moro Support Center on 2266, Or [email protected].
