vCloud Director cells must be accessible by tenants and system administrators, who typically connect to them from outside the service provider's network perimeter. The recommended approach to making vCloud Director services available to the outside is to place a Web Application Firewall between the Internet (or other enterprise network) and each vCloud Director public endpoint.

Network firewalls segment physical and/or virtual networks so that only a limited, well-defined set of traffic on specific ports and protocols passes between them. This document does not define the rationale for firewall deployment in general or cover the details of firewall setup. Those topics are outside the scope of this guide. Rather, this guide identifies the locations where it is suggested that network firewalls be placed in relation to the different components of a vCloud Director deployment.

Note:

Management connections can be further limited via IP address restrictions in the network or per-tenant VPNs. This level of protection may be appropriate in certain deployments, but is outside the scope of this document.

As the vCloud Director cells are in the DMZ, their access to the services they need should also be mediated by a network firewall. Specifically, it is recommended that access to the vCloud Director DB, vCenter Server, ESXi hosts, AMQP and any backup or similar services be restricted to an internal network that is unreachable from the public side of the firewall. See Network Security Requirements for a list of ports that must be opened in that firewall.

Blocking Malicious Traffic

A number of firewall rules are recommended to protect the system against network threats:
  • Dropping packets that appear to originate from nonroutable addresses (IP spoofing)
  • Dropping malformed TCP packets
  • Limiting the rate of requests, especially SYN requests, to protect against a SYN flood attack (an attempted denial of service)
  • Optionally, denying outbound traffic from the firewall that does not originate from an incoming request

These and other rules are typically applied by Web Application Firewalls and may be applied by default by the network firewall you choose to deploy. See your firewall's documentation for specific configuration instructions and default capabilities.
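The four rules listed above, written out as an added example (not part of the original guide and not VMware's own configuration): a shell function that emits an `iptables-restore` ruleset for a Linux packet filter placed in front of one public endpoint. The interface name, the endpoint address, port 443 and the rate-limit values are assumptions to be replaced with site values, and the internal firewall between the DMZ and the back-end services is a separate ruleset.

```shell
#!/bin/sh
# Added example. Usage: vcd_edge_rules WAN_IF CELL_IP [PORT]
# WAN_IF, CELL_IP and the default port 443 are site-specific assumptions.
vcd_edge_rules() {
    [ "$#" -ge 2 ] || { echo "usage: vcd_edge_rules WAN_IF CELL_IP [PORT]" >&2; return 2; }
    wan=$1; cell=$2; port=${3:-443}
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Firewall host itself: loopback and replies only, so it sends nothing that
# was not requested. Add your management-access rule before loading remotely.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Spoofing: nonroutable sources must never arrive on the public interface.
# Trim this list if the outside is an enterprise network using private space.
EOF
    for net in 0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16 \
               172.16.0.0/12 192.168.0.0/16 224.0.0.0/3; do
        printf '%s\n' "-A FORWARD -i $wan -s $net -j DROP"
    done
    cat <<EOF
# Malformed TCP: impossible flag combinations and out-of-state segments.
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -p tcp --tcp-flags ALL NONE -j DROP
-A FORWARD -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
-A FORWARD -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A FORWARD -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
# Replies to connections admitted below; nothing else leaves the DMZ.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# SYN rate limit per source address (illustrative values), then admit
# new sessions to the public endpoint only.
-A FORWARD -i $wan -d $cell -p tcp --dport $port --syn -m hashlimit --hashlimit-name vcd_syn --hashlimit-mode srcip --hashlimit-above 20/second --hashlimit-burst 40 -j DROP
-A FORWARD -i $wan -d $cell -p tcp --dport $port --syn -j ACCEPT
COMMIT
EOF
}
```

Pipe the output through `iptables-restore --test` to have it parsed without being committed, for example `vcd_edge_rules eth0 203.0.113.10 | iptables-restore --test` (constructed interface name and documentation address).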