Creating a Firewall Policy for the Grafana Instance

This topic describes how to create a firewall policy for the Grafana instance in your Healthwatch for VMware Tanzu installation.

Overview of Firewall Policies for the Grafana Instance

In the Healthwatch tile, allowing external access to individual VMs is disallowed by default. Creating a firewall policy for the Grafana instance allows users to access the Grafana UI more easily from outside your BOSH network, including from the links to the Grafana UI that Alertmanager provides in alert messages.

You create firewall policies in the console for your Ops Manager deployment’s IaaS. To create a firewall policy for the Grafana instance, see the section for your IaaS:

AWS: Create a Firewall Policy in AWS
Azure: Create a Firewall Policy in Azure
GCP: Create a Firewall Policy in GCP
vSphere: Create a Firewall Policy in vSphere NSX-V

Create a Firewall Policy in AWS

To create a firewall policy in AWS:

Log in to the Amazon EC2 dashboard.
Select Security Group.
Click Create Security Group.
For Security group name, enter the name you want to give the security group. For example, grafana-port-access.
For Description, enter a description for your security group.
For VPC, select from the dropdown the VPC where the Grafana instance is deployed.
Select the Inbound tab.
To create the first rule:
1. Click Add rule.
2. For Type, select HTTPS from the dropdown.
3. For Protocol, select TCP from the dropdown.
4. For Port Range, enter 443.
5. For Source, enter 0.0.0.0/0.
6. Click Save rules.
To create the second rule:
1. Click Add rule.
2. For Type, select HTTP from the dropdown.
3. For Protocol, select TCP from the dropdown.
4. For Port Range, enter 80.
5. For Source, enter 0.0.0.0/0.
6. Click Save rules.
Click Create.
Select Instances.
Click the Grafana instance.
Click Actions.
Under Security, click Change security groups.
Activate the checkbox next to the security group you created for the Grafana instance.
Click Add security group.
Click Save.

For more information about creating a firewall policy in AWS for a Linux instance, see the AWS documentation for Linux instances of Amazon EC2. For more information about creating a firewall policy in AWS for a Windows instance, see the AWS documentation for Windows instances of Amazon EC2.

Create a Firewall Policy in Azure

To create a firewall policy in Azure:

Log in to the Azure portal.
Select Resource groups.
Click Add.
Create a resource group for the Grafana instance. For more information, see the Azure documentation.
Select the Network rule collection tab.
Click Add network rule collection.
For Name, enter the name you want to give the rule collection. For example, grafana-port-access.
For Priority, enter 1000.
For Action, select Allow.
Click Rules.
Under IP addresses, configure the following fields for your first rule:
1. For Name, enter a name for the first rule.
2. For Protocol, select TCP from the dropdown.
3. For Source type, select IP address from the dropdown.
4. For Source, enter (*).
5. For Destination type, select IP address from the dropdown.
6. For Destination address, enter the public IP address of the Grafana instance or the load balancer for the Grafana instance.
7. For Destination Ports, enter 443.
Under IP addresses, configure the following fields for your second rule:
1. For Name, enter a name for the second rule.
2. For Protocol, select TCP from the dropdown.
3. For Source type, select IP address from the dropdown.
4. For Source, enter (*).
5. For Destination type, select IP address from the dropdown.
6. For Destination address, enter the public IP address of the Grafana instance or the load balancer for the Grafana instance.
7. For Destination Ports, enter 80.
Click Add.
Click Review + create.
Click Save.

For more information about creating a firewall policy in Azure, see the Azure documentation.

Create a Firewall Policy in GCP

To create a firewall policy in GCP:

Log in to the Google Cloud console.
Under VPC, select Firewall.
To create the first rule:
1. Click Create firewall rule.
2. For Name, enter a name for the first rule.
3. For Network, select from the dropdown the network where the Grafana instance is deployed.
4. For Priority, enter 1000.
5. For Target tags, enter grafana.
6. For Source IP ranges, enter 0.0.0.0/0.
7. Under Protocols and ports, select Specified protocols and ports.
8. Activate the tcp checkbox.
9. For tcp, enter 443.
10. Click Create.
To create the second rule:
1. Click Create firewall rule.
2. For Name, enter a name for the second rule.
3. For Network, select from the dropdown the network where the Grafana instance is deployed.
4. For Priority, enter 1000.
5. For Target tags, enter grafana.
6. For Source IP ranges, enter 0.0.0.0/0.
7. Under Protocols and ports, select Specified protocols and ports.
8. Activate the tcp checkbox.
9. For tcp, enter 80.
10. Click Create.

For more information about creating a firewall policy in GCP, see the GCP documentation.

Create a Firewall Policy in vSphere NSX-V

To create a firewall policy in vSphere NSX-V:

Log in to vSphere.
Click Networking & Security.
Select NSX Edges.
Double-click the Edge for your TAS for VMs deployment.
Select Manage.
Select Firewall.
To create the first rule:
1. Click the Add icon.
2. For Name, enter a name for the first rule.
3. For Source, select Any.
4. For Destination, enter the public IP address for the Grafana instance or the load balancer for the Grafana instance.
5. For Service, select Any.
To create the second rule:
1. Click the Add icon.
2. For Name, enter a name for the first rule.
3. For Source, select Any.
4. For Destination, enter the public IP address for the Grafana instance or the load balancer for the Grafana instance.
5. For Service, select Any.
Click Publish Changes.

For more information about adding an NSX Edge firewall rule, see the vSphere documentation.