This section describes how to configure distributed firewall (DFW) rules on NSX-T Data Center to secure the NSX Advanced Load Balancer control plane and the load-balanced applications configured on it.

Note:

The Controller's NSX-T Cloud Connector creates NSX-T Data Center inventory resources (Groups and Services) named with the 'Object Name Prefix' configured in the cloud configuration on the Controller. The Controller creates only these objects; the DFW or Gateway Firewall rules that reference them are created by the administrator, as set out in the design decisions below.

During NSX-T Cloud Connector creation on the Controller, the Controller creates the following NSGroup(s)/NSService(s):

| Object  | Naming convention             | Description |
|---------|-------------------------------|-------------|
| Group   | <prefix>-ControllerCluster    | Contains all the NSX Advanced Load Balancer Controller management IPs |
| Group   | <prefix>-ServiceEngineMgmtIPs | Contains all the Service Engine management IPs |
| Group   | <prefix>-ServiceEngines       | Contains all the Service Engines as VMs |
| Service | <prefix>-ControllerCluster    | Contains the protocols/ports for the Controller: TCP 22, TCP 8443 and UDP 123 |

During load-balanced application creation on the Controller, the Controller creates the following NSGroup(s)/NSService(s):

| Object  | Naming convention                    | Description |
|---------|--------------------------------------|-------------|
| Group   | <prefix>-<VS-Name>                   | Contains the data vNIC IPs of all the Service Engines servicing traffic for this load-balanced application (VS) |
| Group   | <prefix>-<VS-Name>VsServiceEngines   | Contains all the Service Engine VMs servicing traffic for this load-balanced application (VS) |
| Service | <prefix>-<VS-Name>                   | Contains the protocols/ports for the load-balanced application (VS) |
| Service | <prefix>-<Pool-Name>                 | Contains the protocols/ports for the backend servers (Pool) |

Note that the Controller creates a Service for the pool but no Group for the backend servers; a Group for the pool members (and for the clients, if they are to be restricted) must be created by the administrator.

Table 1. Design Decisions for the NSX-T Data Center Distributed Firewall Rules

Decision ID: AVI-NSX-002

Design Decision: Create the necessary NSX DFW and/or Gateway Firewall rules for the NSX Advanced Load Balancer control plane, using the Groups and Services listed above, to ensure connectivity from:

  • Admin to the Controllers

  • Controllers to Controllers (cluster members)

  • Controllers to Service Engines

Design Justification: These firewall rules allow the communication the NSX Advanced Load Balancer control plane requires.

Note: If DFW is enabled and these rules are not configured, the NSX Advanced Load Balancer control plane might not function as expected.

Design Implication: None

Decision ID: AVI-NSX-003

Design Decision: Create the necessary NSX DFW and/or Gateway Firewall rules for the configured load-balanced applications, using the Groups and Services listed above, to ensure connectivity from:

  • Clients to VIPs

  • Service Engines to backend pool servers

Design Justification: These firewall rules allow the communication the configured load-balanced applications require.

Note: If DFW is enabled and these rules are not configured, the configured load-balanced applications might not function as expected.

Design Implication: None
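The following is an added example, not code from the NSX Advanced Load Balancer or NSX-T Data Center documentation. It builds the NSX-T Policy API SecurityPolicy body for the rules in AVI-NSX-002 and AVI-NSX-003 from the Groups and Services the Cloud Connector creates (both tables above), using the IP-member Groups as source/destination and the VM-member Groups as 'Applied To', and then checks that every path a rule references exists in the inventory before anything is pushed. It assumes (none of this is stated on the page): objects live in the NSX 'default' domain; a Controller-created object's Policy ID equals its display name; the control-plane Service (TCP 22, 8443, UDP 123) is the right service for all three control-plane flows; and the VIP Group, backend-server Group and admin Group (mgmt-admin-jumphosts, web-vs-vip, web-backends) are created by the operator. The prefix avi and the names web-vs and web-pool are illustrative.

```python
import json

DOMAIN = "/infra/domains/default"  # assumption: objects live in the NSX 'default' domain


def group_path(name):
    return f"{DOMAIN}/groups/{name}"   # assumption: Policy ID == display name


def service_path(name):
    return f"/infra/services/{name}"


def make_rule(seq, name, sources, destinations, services, scope):
    """One ALLOW rule in NSX-T Policy API form; 'scope' is the Applied To list."""
    return {"resource_type": "Rule", "id": name, "display_name": name,
            "sequence_number": seq, "source_groups": sources,
            "destination_groups": destinations, "services": services,
            "scope": scope, "direction": "IN_OUT", "action": "ALLOW",
            "logged": True}  # log hits so a missing rule shows up as logged drops


def control_plane_rules(prefix, admin_group):
    """AVI-NSX-002: Admin -> Controllers, Controller <-> Controller, Controllers -> SEs."""
    ctrl_ips = group_path(f"{prefix}-ControllerCluster")   # Controller management IPs
    se_ips = group_path(f"{prefix}-ServiceEngineMgmtIPs")  # SE management IPs
    se_vms = group_path(f"{prefix}-ServiceEngines")        # SE VMs, usable as Applied To
    svc = [service_path(f"{prefix}-ControllerCluster")]    # TCP 22, TCP 8443, UDP 123
    return [
        # Controllers need not be NSX-managed VMs, so these two are applied to ANY;
        # where the Controllers sit outside NSX they belong in the Gateway Firewall.
        make_rule(10, f"{prefix}-admin-to-controllers", [admin_group], [ctrl_ips], svc, ["ANY"]),
        make_rule(20, f"{prefix}-controller-to-controller", [ctrl_ips], [ctrl_ips], svc, ["ANY"]),
        make_rule(30, f"{prefix}-controller-to-se", [ctrl_ips], [se_ips], svc, [se_vms]),
    ]


def application_rules(prefix, vs_name, pool_name, vip_group, backend_group, seq):
    """AVI-NSX-003 for one VS: Clients -> VIP and SEs -> backend pool servers.

    vip_group and backend_group are operator-created (assumption of this
    example): the Controller creates a Service for the pool but no Group for
    its servers, and <prefix>-<VS-Name> holds SE data vNIC IPs, not the VIP.
    """
    se_data_ips = group_path(f"{prefix}-{vs_name}")              # SE data vNIC IPs
    se_vms = group_path(f"{prefix}-{vs_name}VsServiceEngines")   # SE VMs for this VS
    vs_svc = [service_path(f"{prefix}-{vs_name}")]               # VS ports
    pool_svc = [service_path(f"{prefix}-{pool_name}")]           # backend ports
    return [
        make_rule(seq, f"{prefix}-{vs_name}-client-to-vip",
                  ["ANY"], [vip_group], vs_svc, [se_vms]),
        # backend_group in scope enforces the rule at the server vNICs as well
        # (only meaningful if that Group has VM members).
        make_rule(seq + 10, f"{prefix}-{vs_name}-se-to-pool",
                  [se_data_ips], [backend_group], pool_svc, [se_vms, backend_group]),
    ]


def build_policy(prefix, admin_group, apps):
    """SecurityPolicy body for PATCH /policy/api/v1/infra/domains/default/security-policies/<id>."""
    rules = control_plane_rules(prefix, admin_group)
    for i, app in enumerate(apps):
        rules += application_rules(prefix, seq=100 + 100 * i, **app)
    return {"resource_type": "SecurityPolicy", "id": f"{prefix}-dfw",
            "display_name": f"{prefix}-dfw", "category": "Application", "rules": rules}


def controller_created_objects(prefix, vs_names, pool_names):
    """Names of the Groups and Services the Cloud Connector creates (the two tables above)."""
    groups = {f"{prefix}-ControllerCluster", f"{prefix}-ServiceEngineMgmtIPs",
              f"{prefix}-ServiceEngines"}
    services = {f"{prefix}-ControllerCluster"}
    for vs in vs_names:
        groups |= {f"{prefix}-{vs}", f"{prefix}-{vs}VsServiceEngines"}
        services.add(f"{prefix}-{vs}")
    services |= {f"{prefix}-{pool}" for pool in pool_names}
    return groups, services


def missing_references(policy, group_names, service_names):
    """Paths the rules reference that are not in the inventory; [] means safe to push."""
    have = {group_path(g) for g in group_names} | {service_path(s) for s in service_names}
    missing = set()
    for rule in policy["rules"]:
        for key in ("source_groups", "destination_groups", "services", "scope"):
            missing.update(p for p in rule[key] if p != "ANY" and p not in have)
    return sorted(missing)


if __name__ == "__main__":
    PREFIX = "avi"  # the configured Object Name Prefix (illustrative value)
    policy = build_policy(PREFIX, group_path("mgmt-admin-jumphosts"), [
        {"vs_name": "web-vs", "pool_name": "web-pool",
         "vip_group": group_path("web-vs-vip"), "backend_group": group_path("web-backends")},
    ])
    groups, services = controller_created_objects(PREFIX, ["web-vs"], ["web-pool"])
    print("missing before operator Groups exist:", missing_references(policy, groups, services))
    groups |= {"mgmt-admin-jumphosts", "web-vs-vip", "web-backends"}  # operator-created
    print("missing after:", missing_references(policy, groups, services))
    print(json.dumps(policy, indent=2))
```

Run the check with the Group and Service names read from the NSX-T inventory (for example from GET /policy/api/v1/infra/domains/default/groups) rather than with the constructed set: the first print shows what happens when the rules are pushed before the operator-created Groups exist, and the second shows a clean result. Rules within one policy are evaluated in sequence_number order, so leave gaps between numbers for later additions.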