Tier-1 Edge Firewall


Last updated 5 months ago


Once the VM is ready, we need to set up rules for inbound and outbound connections to this virtual machine. In this exercise we will see how to add firewall rules to allow the connectivity.

Note: Make sure IP Sets and Application Port Profiles are created before adding firewall rules.

Demonstrating Firewall Rules in Different Scenarios

Scenario #1 allows traffic from VM01 to reach the destination Edge Gateway over ICMP.

Scenario #2 allows traffic from VM01 to reach the destination VM02 over port 80.

  1. Navigate to Edges and select the T1 Edge Gateway -> Tenant1-AZ1-ENT-T1

Note: The T1 Edge Gateway name uses your Tenant name. For "Tenant1," the Cloud T1 Edge Gateway is named "Tenant1-AZ1-ENT-T1."

  1. Before adding the firewall rules, make sure "IP Sets" and "Application Port Profiles" are created.

  • IP Sets: To create firewall rules, you must first create IP sets, which are groups of objects that the rules apply to.

  • Application Port Profiles: To create firewall rules, you can use preconfigured or custom application port profiles, which combine a protocol and port (or group of ports) for firewall services on the edge gateway. Custom profiles can also be created in addition to the default NSX profiles.

Note: The default Gateway firewall setting is set to "DENY."

IP Sets

  1. To create IP Sets, go to Security -> IP Sets -> NEW

  1. Create an IP Set for VM01 and VM02

Application Port Profiles

  1. Create an application port profile for cases where your application's required port is not available in the preconfigured port profiles.

  2. No custom ports are available. Let's create Custom Ports.

  3. Navigate to Security -> Application Port Profiles -> Custom Applications -> NEW

  1. Adding Single Custom Port

  1. To configure multiple custom ports, select "ADD PORT PROFILE" for ports requiring the UDP protocol.

  1. Adding Multiple Ports with Comma-Separated and Port Ranges

  1. The custom port profile has been created, and we can also use the pre-configured port profiles.

Now that we have created the "IP Sets" and "Custom Port Profiles," we can begin adding firewall rules.

Adding Firewall Rules

  1. Navigate to Services -> Firewall -> Edit Rules.

Note: The default Gateway firewall setting is set to "DENY."

  1. A new dialog box will appear when you click "Edit Rules," where you can add firewall rules.

  2. Select the "NEW ON TOP" option to start.

  1. Update the values in the row for the New Rule based on the following Scenarios:

Scenario 1: Allow ICMP Ping to Reach Gateway

Name: ICMP

Applications: Here, you can choose either the pre-configured ports or the custom ports we created earlier. For this demo, I am selecting the pre-configured ICMP port.

Source: Select Any

Destination: Any.

Action: Allow

Save

Scenario 2: Allow Port 80 between VM01 and VM02

Name: VM01_to_VM02_Port_80

Applications: Here, you can choose either the pre-configured ports or the custom ports we created earlier. For this demo, I am selecting the pre-configured HTTP port.

Source: Select the Source VM01 “IP Set” that we created in Step 5.

Destination: Select VM02 “IP Set”.

Action: Allow

Save
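
The rule table built in the two scenarios above can be checked offline before it is saved. The sketch below is an added example, not part of the Moro Cloud guide or of any NSX tooling: it assumes rules are matched top to bottom with the first match winning and the default "DENY" applied last, and the IP addresses are constructed because the page does not list them.

```python
import ipaddress
from dataclasses import dataclass

ANY = None  # stands for "Any" in the Source/Destination/Applications columns

def parse_ports(spec):
    """Expand a port-profile string such as "80,8000-8002" into a set of ints."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not (0 < lo <= hi <= 65535):
            raise ValueError(f"bad port entry: {part!r}")
        ports.update(range(lo, hi + 1))
    return ports

@dataclass
class Rule:
    name: str
    proto: str            # "ICMP", "TCP" or "UDP"
    ports: object         # set of ints, or ANY
    src: object           # list of IP/CIDR strings (an IP Set), or ANY
    dst: object
    action: str = "ALLOW"

def in_set(ip, ip_set):
    """True if ip belongs to the IP Set, or the column is Any."""
    return ip_set is ANY or any(
        ipaddress.ip_address(ip) in ipaddress.ip_network(m) for m in ip_set)

def evaluate(rules, proto, src, dst, port=None):
    """Assumption: first matching rule wins, top to bottom; otherwise default DENY."""
    for r in rules:
        if (r.proto == proto and in_set(src, r.src) and in_set(dst, r.dst)
                and (r.ports is ANY or port in r.ports)):
            return r.action, r.name
    return "DENY", "default"

# Constructed addresses (hypothetical); the page does not give the VMs' IPs.
VM01, VM02 = ["192.168.10.11"], ["192.168.10.12"]
RULES = [  # top of the rule table first
    Rule("VM01_to_VM02_Port_80", "TCP", parse_ports("80"), VM01, VM02),
    Rule("ICMP", "ICMP", ANY, ANY, ANY),
]
```

With Source and Destination both set to Any, the ICMP rule matches ICMP from any address, not only VM01 to the Edge Gateway; `evaluate(RULES, "ICMP", "203.0.113.9", "192.168.10.12")` returns an allow.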

Validate VM network settings

Before we start using our VM, let's validate that it has the correct network settings and can ping the Edge gateway.

  1. Navigate to the Virtual Machines section -> Details

  • On the Details screen, under Hardware, scroll to the NICs section and note the IP address shown.

  • Navigate back to the Virtual Machines section and click “VM Console” to open the pop-out console.

  • Log in to the VM and validate that it has the correct IP from “Step 2” and is able to ping the Default Gateway (Edge IP).

In case of any urgent requirements that may arise, you can reach out to Moro Support Center on 2266, or Support@Morohub.com.
Screenshot 1 Accessing Edge Gateway
Screenshot 2 T1-EdgeFirewall Dashboard
Screenshot 3 IP Sets 1
Screenshot 4 IP Sets 2
Screenshot 5 IP Sets 3
Screenshot 6 IP Sets 4
Screenshot 7 Application Port 1
Screenshot 8 Application Port 2
Screenshot 8 Application Port 3
Screenshot 9 Application Port 4
Screenshot 10 Add Firewall 1
Screenshot 11 Add Firewall 2
Screenshot 12 Add Firewall 3
Screenshot 13 Validate VM 1
Screenshot 14 Validate VM 2
Screenshot 15 Validate VM 3
Screenshot 16 Validate VM 4