To control the incoming and outgoing network traffic to and from an NSX edge gateway, you create firewall rules.
Procedure
- From the primary left navigation panel, select Networking and from the page top navigation bar, select Edge Gateways.
- Click the edge gateway.
- If the Firewall screen is not already visible under the Services section, click the Firewall tab.
- Click New.
- Configure the firewall rule.
Option Description Name Enter a name for the rule. State To enable the rule upon creation, turn on the State toggle. Applications (Optional) Depending on your VMware Cloud Director version and your environment needs, the options vary. - You can select specific applications to which the rule applies. Click the pencil icon, select one or more applications from the list, and click Save.
- If you are using VMware Cloud Director 10.5.1 or later, you can select specific ports to which the rule applies. Select the Raw Port-Protocols tab, click Add, select a protocol type, and enter source and destination ports or port ranges separated by commas. You can add up to 15 port-protocol rows per rule.
Context (Optional) Select one or more NSX context profile for the firewall rule. For details on context profiles creation, see Context Profiles in the NSX Administration Guide.
Source - Choose one of the following options.
- To allow or deny traffic from any source address, toggle on Any Source.
- To allow or deny traffic from specific firewall groups, , click Firewall Groups and select the firewall groups from the list.
- To enter IP addresses, CIDR blocks, or IP ranges manually, click Firewall IP Addresses, then click Add and enter the individual IP addresses, CIDR blocks, or ranges.
- Click Keep.
Destination - Choose one of the following options.
- To allow or deny traffic to any destination address, toggle on Any Destination.
- To allow or deny traffic to specific firewall groups, click Firewall Groups and select the firewall groups from the list.
- To enter IP addresses, CIDR blocks, or IP ranges manually, click Firewall IP Addresses, then click Add and enter the individual IP addresses, CIDR blocks, or ranges.
- Click Keep.
Action From the Action drop-down menu, select an option. - To allow traffic from or to the specified sources, destinations, and services, select Accept.
- To block traffic from or to the specified sources, destinations, and services, without notifying the blocked client select Drop.
- To block traffic from or to the specified sources, destinations, and services, and to notify the blocked client that traffic was rejected, select Reject.
IP Protocol Select whether to apply the rule to IPv4 or IPv6 traffic. Applied To (Optional) From the drop-down menu, select a spectific network to which to apply the rule. You can select either an organization VDC network for which distributed routing is deactivated or an external network uplink. Logging To have the address translation performed by this rule logged, turn on the Logging toggle.
After you create the rule, in the Logging ID text box, you can see the unique NSX firewall rule ID that the system generates upon the rule creation.
Comment (Optional) Add a comment to the firewall rule. - Click Save.
- To change the position of the firewall rule, select the rule, click Move to, and, from the drop-down menu, select a new position.
- To configure additional rules, repeat these steps.
Results
After the firewall rules are created, they appear in the Edge Gateway Firewall Rules list. You can move up, move down, edit, or delete the rules as needed.