Micro-Segmentation

The Distributed Firewall (DFW) enables micro-segmentation of the virtual networks you have in Moro Cloud.

The Edge firewall handles your north-south traffic, whereas the DFW is designed to handle east-west traffic (traffic between workloads inside the VDC).

To enable the DFW/micro-segmentation feature, please contact your account manager.

Screenshot 1 DFW 1
  • To access the DFW configuration, select Security in the left navigation pane, then Configure Services.

Screenshot 2 DFW 2
  • This opens the DFW configuration wizard. The DFW rules can be based on Layer 2 (L2) up to Layer 4 (L4).

  • L2 rules (Ethernet tab) are based on MAC addresses

  • L3 rules (General tab) are based on source and destination IP addresses

  • L4 rules (General tab) use a TCP or UDP service port

Screenshot 3 DFW 3
  • The default firewall rule allows L2 and L3 traffic to pass through your VDCs. Once you have implemented all the rules, you can change this to block.

Creating a DFW rule in Moro Cloud

The following example shows how to use DFW rules to control ICMP traffic between two virtual machines that reside on the same subnet: the default rule is changed to Deny, and a single rule is then added to allow ICMP between the two VMs.

Usually this traffic is not blocked by traditional firewalls or the Edge firewall, because both virtual machines are in the same subnet and the traffic never crosses a routing boundary. With micro-segmentation, we can control same-subnet communication as well.

  • Moro Cloud Network - VDC-Network1, 192.168.0.1/24

Screenshot 4 DFW 4

Virtual Machines

Screenshot 5 DFW 5
Screenshot 6 DFW 6
  • Default DFW rule allows all traffic

Screenshot 7 DFW 7
  • At this stage we can ping from VM01 (192.168.0.3) to VM02 (192.168.0.2), as all traffic in the same subnet is allowed.

Screenshot 8 DFW 8
  • Change the default DFW rule to “Deny” and click “Save Changes”.

Screenshot 9 DFW 9
  • Now the ping from VM01 (192.168.0.3) to VM02 (192.168.0.2) does not work, as the DFW rule is blocking all traffic in this Moro Cloud VDC, even though the virtual machines are on the same subnet.

Screenshot 10 DFW 10
  • To allow ping (ICMP) communication between these virtual machines, we will add a DFW rule. In the General tab, click the + button to add a new L3 rule.

Screenshot 11 DFW 11
  • Enter a name for the new rule and click the “IP” button under the Source section.

Screenshot 12 DFW 12
  • In the Source IP Address pop-up, add the IP of VM01 (192.168.0.3) and click Keep.

  • Click the “IP” button under the Destination section and enter the IP of VM02 (192.168.0.2).

Screenshot 14 DFW 14
  • Under the “Service” section, click the “IP” option.

Screenshot 15 DFW 15
  • In the “Add Service” pop-up, select “ICMP” under Protocol and click Keep.

Screenshot 16 DFW 16
  • For the rest of the sections, select the values listed below, then click Save Changes.

  • Actions: Allow

  • Direction: In/Out

  • Packet Type: Any

  • Applied to: Tenant1-VDC

Screenshot 17 DFW 17
  • At this stage we can ping from VM01 (192.168.0.3) to VM02 (192.168.0.2), as the rule we added allows it. All other traffic between the VMs is blocked; only ICMP is permitted.
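The walkthrough above relies on how a DFW rule table is evaluated: rules are checked top-down, the first match wins, and the default rule is consulted only when nothing else matches. The following script is an added example, not Moro Cloud's or VMware's own code; it models that evaluation for L3/L4 rules so the three stages of the walkthrough (default Allow, default Deny, default Deny plus the ICMP rule) can be checked offline. The VM01/VM02 addresses come from this page; VM03 (192.168.0.4) and the test flows are constructed, and the rule's Direction and Applied-to fields are not modelled.

```python
"""Offline model of distributed-firewall (DFW) rule evaluation.

Added example, not Moro Cloud's or VMware's own code. It reproduces the
first-match, top-down semantics of a DFW rule table (named L3/L4 rules
followed by a default rule) so the effect of "default Deny + one ICMP
allow rule" from the walkthrough can be verified without a lab.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

ANY = "any"


@dataclass(frozen=True)
class Packet:
    """One flow to evaluate (constructed test input)."""
    src: str
    dst: str
    protocol: str                   # "icmp", "tcp" or "udp"
    dst_port: Optional[int] = None  # L4 service port; None for ICMP


@dataclass(frozen=True)
class DfwRule:
    """One row of the DFW rule table (General tab, L3/L4)."""
    name: str
    action: str                     # "allow" or "deny"
    source: str = ANY               # host IP, CIDR, or "any"
    destination: str = ANY
    protocol: str = ANY             # "icmp", "tcp", "udp" or "any"
    dst_port: Optional[int] = None  # service port for L4 rules; None = any port

    def matches(self, pkt: Packet) -> bool:
        return (
            ip_matches(pkt.src, self.source)
            and ip_matches(pkt.dst, self.destination)
            and self.protocol in (ANY, pkt.protocol)
            and self.dst_port in (None, pkt.dst_port)
        )


def ip_matches(addr: str, selector: str) -> bool:
    """True if addr is covered by selector (a host IP, a CIDR, or "any")."""
    if selector == ANY:
        return True
    return ip_address(addr) in ip_network(selector, strict=False)


def evaluate(pkt: Packet, rules: List[DfwRule], default_action: str) -> str:
    """Top-down, first-match evaluation; the default rule is consulted last."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default_action


# Addresses from the walkthrough on this page.
VM01 = "192.168.0.3"
VM02 = "192.168.0.2"
VM03 = "192.168.0.4"  # hypothetical third VM on the same subnet (not on the page)

# The rule added in the walkthrough: Action Allow, Direction In/Out,
# Packet Type Any, Applied to Tenant1-VDC (direction/scope not modelled here).
ALLOW_ICMP_RULE = DfwRule(
    name="Allow-ICMP-VM01-VM02", action="allow",
    source=VM01, destination=VM02, protocol="icmp",
)

# Constructed flows used to check each stage of the walkthrough.
TEST_FLOWS: Dict[str, Packet] = {
    "icmp VM01->VM02": Packet(VM01, VM02, "icmp"),
    "tcp22 VM01->VM02": Packet(VM01, VM02, "tcp", 22),
    "icmp VM03->VM02": Packet(VM03, VM02, "icmp"),
}


def verdicts(rules: List[DfwRule], default_action: str) -> Dict[str, str]:
    """Evaluate every test flow against a rule table; returns flow name -> action."""
    return {name: evaluate(pkt, rules, default_action) for name, pkt in TEST_FLOWS.items()}


if __name__ == "__main__":
    stages = [
        ("default Allow, no rules (screenshots 6-7)", [], "allow"),
        ("default Deny, no rules (screenshots 8-9)", [], "deny"),
        ("default Deny + ICMP allow rule (screenshot 17)", [ALLOW_ICMP_RULE], "deny"),
        # Order matters: a broad deny placed above the allow rule shadows it.
        ("deny-all rule above the ICMP rule", [DfwRule("Deny-all", "deny"), ALLOW_ICMP_RULE], "deny"),
    ]
    for title, rules, default in stages:
        print(title)
        for flow, action in verdicts(rules, default).items():
            print(f"  {flow}: {action}")
```

The fourth stage is the check worth keeping in mind when the rule table grows: a broader deny rule placed above the ICMP rule shadows it and the ping fails again even though the allow rule is still present, so review rule order whenever a rule that "should" match does not.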

Screenshot 18 DFW 17
  • DFW rules can have one or more of the following entities as the source or destination: Org VDC networks, virtual machines, Org VDCs, MAC sets (L2 – Ethernet), IP sets (L3 – General) or security groups.

Note: As a best practice, always use IP addresses as the source and destination.

Conclusion:

  • VM01(192.168.0.3)

  • VM02(192.168.0.2)

  • Both are on the same subnet, 192.168.0.1/24

  • After applying the DFW micro-segmentation rule, all traffic between these VMs is blocked except ICMP.

In case of any urgent requirements, you can reach the Moro Support Center on 2266 or at [email protected].
