Micro-Segmentation
The Distributed Firewall (DFW) enables micro-segmentation of the virtual networks you have in Moro Cloud.
The Edge firewall handles your north-south traffic, whereas the DFW is designed to handle east-west traffic.
To enable DFW/Micro-segmentation feature, please contact your account manager.
To access the DFW configuration, select Security in the left navigation pane, then Configure Services.
This opens the DFW configuration wizard. DFW rules can be based on Layer 2 (L2) up to Layer 4 (L4):
L2 rules (Ethernet tab) are based on MAC addresses
L3 rules (General tab) are based on source and destination IP addresses
L4 rules (General tab) use a TCP or UDP service port
The default firewall rule allows L2 and L3 traffic to pass through your VDCs. Once you have implemented all the rules, you can change this to block.
The following example creates a DFW rule to block ICMP traffic between two Virtual Machines which reside on the same subnet.
Usually, this traffic is not blocked by traditional firewalls or the Edge firewall, as both Virtual Machines are in the same subnet; using micro-segmentation, we can control same-subnet communication as well.
Moro Cloud Network - VDC-Network1, 192.168.0.1/24
Virtual Machines
Default DFW rule allows all traffic
At this stage we can ping from VM01 (192.168.0.3) to VM02 (192.168.0.2), as all traffic in the same subnet is allowed.
Change the Default DFW rule to “Deny” and click “Save Changes”.
Now the ping from VM01 (192.168.0.3) to VM02 (192.168.0.2) does not work, as the DFW rule is blocking all traffic in this Moro Cloud VDC, even though the virtual machines are on the same subnet.
To allow ping (ICMP) communication between these Virtual Machines, we will add a DFW rule. In the General tab, click the + button to add a new L3 rule.
Enter a name for the new rule and click the “IP” button under the Source section.
In the Source IP Address popup, add the IP of VM01 (192.168.0.3) and click Keep.
Click the “IP” button under Destination and enter the IP of Virtual Machine VM02 (192.168.0.2).
Under the “Service” section, click the “IP” option.
In the “Add Service” popup, select “ICMP” under Protocol and click Keep.
For the rest of the sections, select the values listed below and save the changes:
Actions: Allow
Direction: In/Out
Packet Type: Any
Applied to: Tenant1-VDC
At this stage we can ping from VM01 (192.168.0.3) to VM02 (192.168.0.2), as the rule we added allows it. All other traffic is blocked except ICMP.
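The rule table the walkthrough builds (a deny default, one L3 allow rule for ICMP from VM01 to VM02) and the L2/L3/L4 rule types listed above can be replayed in a small model to see why each step behaves as described. The following is an added example written for this page; it is not Moro Cloud or vCloud Director code and does not use their API. It models the DFW as a first-match rule table with a default action and a simplified flow table (the DFW is stateful, so the reply half of an allowed flow passes); the VM names, addresses and rule name come from the walkthrough, the class and function names are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple

# Constructed model of a distributed-firewall rule table for illustration only;
# not the Moro Cloud / vCloud Director API.

VM01 = "192.168.0.3"   # addresses from the walkthrough
VM02 = "192.168.0.2"
NETWORK = "192.168.0.1/24"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    protocol: str                    # "icmp", "tcp" or "udp"
    dst_port: Optional[int] = None   # L4 port for tcp/udp, None for icmp


@dataclass
class Rule:
    """One DFW rule. A rule with only source/destination is an L3 rule;
    adding protocol and dst_port makes it an L4 (service port) rule."""
    name: str
    action: str                        # "allow" or "deny"
    source: Optional[str] = None       # IP or CIDR; None means Any
    destination: Optional[str] = None  # IP or CIDR; None means Any
    protocol: Optional[str] = None     # None means Any protocol
    dst_port: Optional[int] = None     # set only for an L4 rule

    def matches(self, pkt: Packet) -> bool:
        if self.source and ip_address(pkt.src_ip) not in ip_network(self.source, strict=False):
            return False
        if self.destination and ip_address(pkt.dst_ip) not in ip_network(self.destination, strict=False):
            return False
        if self.protocol and self.protocol != pkt.protocol:
            return False
        if self.dst_port is not None and self.dst_port != pkt.dst_port:
            return False
        return True


class DistributedFirewall:
    """First-match rule table with a default action. Allowed flows are
    recorded as (src, dst, protocol) so that the reverse direction of an
    already-allowed flow is permitted (a simplified stateful model)."""

    def __init__(self, rules: List[Rule], default_action: str = "allow"):
        self.rules = rules
        self.default_action = default_action
        self.flows: Set[Tuple[str, str, str]] = set()

    def process(self, pkt: Packet) -> Tuple[str, str]:
        """Return (verdict, reason) for a packet seen by the DFW."""
        if (pkt.dst_ip, pkt.src_ip, pkt.protocol) in self.flows:
            return "allow", "established"
        for rule in self.rules:              # top-down, first match wins
            if rule.matches(pkt):
                if rule.action == "allow":
                    self.flows.add((pkt.src_ip, pkt.dst_ip, pkt.protocol))
                return rule.action, rule.name
        return self.default_action, "Default"


def same_subnet(a: str, b: str, network: str) -> bool:
    net = ip_network(network, strict=False)
    return ip_address(a) in net and ip_address(b) in net


def walkthrough() -> Dict[str, Tuple[str, str]]:
    """Replay the steps of the page and collect the verdict at each stage."""
    results = {}
    # Stage 1: default rule allows everything, so the ping passes
    dfw = DistributedFirewall(rules=[], default_action="allow")
    results["default_allow_ping"] = dfw.process(Packet(VM01, VM02, "icmp"))
    # Stage 2: default changed to Deny; ping is blocked even on the same subnet
    dfw = DistributedFirewall(rules=[], default_action="deny")
    results["default_deny_ping"] = dfw.process(Packet(VM01, VM02, "icmp"))
    # Stage 3: L3 rule allowing ICMP from VM01 to VM02 sits above the deny default
    allow_icmp = Rule("Allow-ICMP-VM01-to-VM02", "allow",
                      source=VM01, destination=VM02, protocol="icmp")
    dfw = DistributedFirewall(rules=[allow_icmp], default_action="deny")
    results["rule_ping"] = dfw.process(Packet(VM01, VM02, "icmp"))
    results["rule_ping_reply"] = dfw.process(Packet(VM02, VM01, "icmp"))   # reply of the allowed flow
    results["rule_ssh"] = dfw.process(Packet(VM01, VM02, "tcp", 22))       # anything else hits Default
    # A ping initiated from VM02 has a source the rule does not match
    dfw = DistributedFirewall(rules=[allow_icmp], default_action="deny")
    results["ping_from_vm02"] = dfw.process(Packet(VM02, VM01, "icmp"))
    return results


if __name__ == "__main__":
    print("same subnet:", same_subnet(VM01, VM02, NETWORK))
    for stage, verdict in walkthrough().items():
        print(f"{stage:20s} -> {verdict}")
```

The last case is the caveat a practitioner will want to keep in mind: because the rule's source is the IP of VM01, only pings started from VM01 are allowed; a ping started from VM02 falls through to the Deny default. A second rule (or a security group as source) is needed if both directions must be able to initiate.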
DFW rules can have one or more of the following entities as the source or destination: Org VDC networks, virtual machines, Org VDCs, MAC sets (L2 – Ethernet), IP sets (L3 – General) or security groups.
Note: As a best practice, always use IP addresses as source and destination.
Conclusion:
VM01 (192.168.0.3)
VM02 (192.168.0.2)
Both are on the same subnet, 192.168.0.1/24.
After applying the DFW micro-segmentation rule, all traffic between these VMs is blocked except ICMP.
In case of any urgent requirements, you can reach out to the Moro Support Center on 2266, or .