The NSX Data Center for vSphere software in your VMware Cloud Director environment provides the capability for defining sets and groups of certain entities, which you can then use when specifying other network-related configurations, such as in firewall rules.

Create an IP Set for Use in Firewall Rules and DHCP Relay Configuration by Using Your VMware Cloud Director Tenant Portal

An IP set is a group of IP addresses that you can create at a VMware Cloud Director organization virtual data center level. You can use an IP set as the source or destination in a firewall rule or in a DHCP relay configuration.

You create an IP set by using the Grouping Objects page of the VMware Cloud Director tenant portal. The Grouping Objects page is available on both the Services and Edge Gateway screens.

Procedure

  1. Open the Grouping Objects page.
    Option: Open through Edge Gateway Services
      1. Navigate to Networking > Edges.
      2. Select the edge gateway that you want to edit, and click Configure Services.
      3. Click Grouping Objects.
    Option: Open through Security Services
      1. Navigate to Networking > Security.
      2. Select the security service that you want to edit, and click Configure Services.
      3. Click Grouping Objects.
  2. Click the IP Sets tab.
    The IP sets that are already defined are displayed on the screen.
  3. To add an IP set, click the Create button.
  4. Enter a name and, optionally, a description for the IP set, and then enter the IP addresses to include in the set.
  5. (Optional) If you are specifying the IP set using the Grouping Objects page on the Services screen, use the Inheritance toggle to enable inheritance and allow visibility at the underlying scopes.
    Inheritance is enabled by default.
  6. To save this IP set, click Keep.

Results

The new IP set is available for selection as the source or destination in firewall rules or in DHCP relay configurations.
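
Because an IP set becomes the source or destination of a firewall rule, it helps to check the member list before you enter it in step 4. The following is an added example, not VMware code: it flags malformed entries, overlapping entries, and entries that cover a very large address range. The accepted entry forms (single address, CIDR block, `first-last` range), the `max_addresses` threshold, and all names and sample values are assumptions made for this illustration.

```python
import ipaddress

# Constructed sample of candidate IP set members (not from a real environment).
SAMPLE = ["10.20.30.0/24", "10.20.30.40", "10.20.31.10-10.20.31.20",
          "10.20.32.5/24", "0.0.0.0/0", "10.20.33.300"]

def parse_entry(entry):
    """Return the (first, last) addresses covered by one candidate entry."""
    entry = entry.strip()
    if "-" in entry:  # assumed range syntax: first-last
        lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        if lo.version != hi.version or lo > hi:
            raise ValueError("range is reversed or mixes IPv4 and IPv6")
        return lo, hi
    # strict=True rejects a CIDR block with host bits set, a common typo
    net = ipaddress.ip_network(entry, strict=True)
    return net[0], net[-1]

def lint_ip_set(entries, max_addresses=65536):
    """Return a list of (entry, finding) tuples for entries that need review."""
    seen, findings = [], []
    for raw in entries:
        try:
            lo, hi = parse_entry(raw)
        except ValueError as exc:
            findings.append((raw, f"invalid: {exc}"))
            continue
        size = int(hi) - int(lo) + 1
        if size > max_addresses:
            # A very broad member makes the firewall rule match almost anything.
            findings.append((raw, f"broad: covers {size} addresses"))
        else:
            for other, o_lo, o_hi in seen:
                if lo.version == o_lo.version and lo <= o_hi and o_lo <= hi:
                    findings.append((raw, f"overlaps {other}"))
        seen.append((raw, lo, hi))
    return findings

if __name__ == "__main__":
    for entry, finding in lint_ip_set(SAMPLE):
        print(f"{entry:26} {finding}")
```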

Create a MAC Set for Use in Firewall Rules by Using Your VMware Cloud Director Tenant Portal

A MAC set is a group of MAC addresses that you can create at an organization virtual data center level in VMware Cloud Director. You can use a MAC set as the source or destination in a firewall rule.

You create a MAC set using the Grouping Objects page of the VMware Cloud Director tenant portal. The Grouping Objects page is available on both the Services and Edge Gateway screens.

Procedure

  1. Open the Grouping Objects page.
    Option: Open through Edge Gateway Services
      1. Navigate to Networking > Edges.
      2. Select the edge gateway that you want to edit, and click Configure Services.
      3. Click Grouping Objects.
    Option: Open through Security Services
      1. Navigate to Networking > Security.
      2. Select the security service that you want to edit, and click Configure Services.
      3. Click Grouping Objects.
  2. Click the MAC Sets tab.
    The MAC sets that are already defined are displayed on the screen.
  3. To add a MAC set, click the Create button.
  4. Enter a name and, optionally, a description for the MAC set, and then enter the MAC addresses to include in the set.
  5. (Optional) If you are specifying the MAC set using the Grouping Objects page on the Services screen, use the Inheritance toggle to enable inheritance and allow visibility at underlying scopes.
    Inheritance is enabled by default.
  6. To save the MAC set, click Keep.

Results

The new MAC set is available for selection as the source or destination in firewall rules.

View Services Available for Firewall Rules by Using Your VMware Cloud Director Tenant Portal

By using the VMware Cloud Director Tenant Portal, you can view the list of services that are available for use in firewall rules. In this context, a service is a protocol-port combination.

You can view the available services using the Grouping Objects page of the VMware Cloud Director tenant portal. The Grouping Objects page is available on both the Services and Edge Gateway screens.

You cannot add new services to the list using the tenant portal. The set of services available for your use is managed by your VMware Cloud Director system administrator.

Procedure

  1. Open the Grouping Objects page.
    Option: Open through Edge Gateway Services
      1. Navigate to Networking > Edges.
      2. Select the edge gateway that you want to edit, and click Configure Services.
      3. Click Grouping Objects.
    Option: Open through Security Services
      1. Navigate to Networking > Security.
      2. Select the security service that you want to edit, and click Configure Services.
      3. Click Grouping Objects.
  2. Click the Services tab.

Results

The available services are displayed on the screen.

View Service Groups Available for Firewall Rules by Using Your VMware Cloud Director Tenant Portal

By using the VMware Cloud Director Tenant Portal, you can view the list of service groups that are available for use in firewall rules. In this context, a service is a protocol-port combination, and a service group is a group of services or other service groups.

You can view the available service groups using the Grouping Objects page of the VMware Cloud Director tenant portal. The Grouping Objects page is available on both the Services and Edge Gateway screens.

You cannot create service groups using the tenant portal. The set of service groups available for your use is managed by your VMware Cloud Director system administrator.

Procedure

  1. Open the Grouping Objects page.
    Option: Open through Edge Gateway Services
      1. Navigate to Networking > Edges.
      2. Select the edge gateway that you want to edit, and click Configure Services.
      3. Click Grouping Objects.
    Option: Open through Security Services
      1. Navigate to Networking > Security.
      2. Select the security service that you want to edit, and click Configure Services.
      3. Click Grouping Objects.
  2. Click the Service Groups tab.

Results

The available service groups are displayed on the screen. The Description column displays the services that are grouped in each service group.
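
Because a service group can contain other service groups, a firewall rule that references one group allows every protocol-port combination reachable through its nested members. The following is an added example, not VMware code: it expands a group to its full set of protocol-port combinations so that you can review what a rule would permit. The inventory, all names, and the defensive check for circular membership are constructed for this illustration.

```python
# Constructed inventory: services are protocol-port combinations,
# groups list services or other groups by name.
SERVICES = {
    "HTTP": ("TCP", "80"),
    "HTTPS": ("TCP", "443"),
    "DNS-UDP": ("UDP", "53"),
    "SSH": ("TCP", "22"),
}
GROUPS = {
    "Web": ["HTTP", "HTTPS"],
    "Infra": ["DNS-UDP", "SSH"],
    "Baseline": ["Web", "Infra"],   # a group made of other groups
    "Loop-A": ["Loop-B", "HTTP"],   # deliberately circular, to exercise the check
    "Loop-B": ["Loop-A"],
}

def expand(name, services, groups, _path=()):
    """Return the set of (protocol, port) pairs reachable from a service or group."""
    if name in services:
        return {services[name]}
    if name not in groups:
        raise KeyError(f"unknown service or service group: {name}")
    if name in _path:
        raise ValueError("circular membership: " + " -> ".join(_path + (name,)))
    result = set()
    for member in groups[name]:
        result |= expand(member, services, groups, _path + (name,))
    return result

def groups_exposing(protocol, port, services, groups):
    """List the groups whose expansion includes the given protocol-port combination."""
    hits = []
    for group in sorted(groups):
        try:
            if (protocol, port) in expand(group, services, groups):
                hits.append(group)
        except ValueError:
            continue  # circular groups cannot be expanded; review them separately
    return hits

if __name__ == "__main__":
    print(sorted(expand("Baseline", SERVICES, GROUPS)))
    print(groups_exposing("TCP", "22", SERVICES, GROUPS))
```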