By default, the Compute Gateway blocks traffic to all uplinks. Add Compute Gateway firewall rules to allow traffic as needed.
All traffic attempting to pass through the firewall is subjected to the rules in the order shown in the rules table, beginning at the top. A packet allowed by the first rule is passed on to the second rule, and so on through subsequent rules until the packet is dropped, rejected, or hits a default rule.
Compute Gateway firewall rules require named inventory groups for Source and Destination values. See Add or Modify a Compute Group.
- Log in to the VMware Cloud on AWS GovCloud at https://www.vmc-us-gov.vmware.com/.
- On the Networking & Security tab, click Gateway Firewall.
- On the GATEWAY FIREWALL page, click Compute Gateway.
- To add a rule, click ADD RULE and give the new rule a Name.
- Enter the parameters for the new rule.
Parameters are initialized to their default values (for example, All for Sources and Destinations). To edit a parameter, move the mouse cursor over the parameter value and click the pencil icon to open a parameter-specific editor.
| Option | Description |
|---|---|
| Sources | Click Any in the Sources column and select an inventory group for source network traffic, or click ADD GROUP to create a new user-defined inventory group to use for this rule. Click SAVE. |
| Destinations | Click Any in the Destinations column and select an inventory group for destination network traffic, or click CREATE NEW GROUP to create a new user-defined inventory group to use for this rule. Click SAVE. |
| Services | Click Any in the Services column and select a service from the list. Click SAVE. |
| Applied To | Define the type of traffic that the rule applies to, using one of the following interface options: |
- Select VPN Tunnel Interface if you want the rule to apply to traffic over the route-based VPN.
- Select VPC Interface if you want the rule to apply to traffic over the linked AWS VPC connection.
- Select Internet Interface if you want the rule to apply to traffic over the Internet, including over policy-based VPNs using Public IP.
- Select Direct Connect Interface if you want the rule to allow traffic over AWS Direct Connect (private VIF), including over policy-based VPNs using Private IP.
- Select All Uplinks if you want the rule to apply to the VPC Interface, the Internet Interface, and the Direct Connect Interface, but not to the VPN Tunnel Interface.
Note: The VPN Tunnel Interface is not classified as an uplink.
The new rule is enabled by default. Slide the toggle to the left to disable it.
- Select Allow to allow all L2 and L3 traffic to pass through the firewall.
- Select Drop to drop packets that match any specified Sources, Destinations, and Services. This is a silent action with no notification to the source or destination systems. Dropping the packet causes the connection to be retried until the retry threshold is reached.
- Select Reject to reject packets that match any specified Sources, Destinations, and Services. This action returns a "destination unreachable" message to the sender. For TCP packets, the response includes a TCP RST message. For UDP, ICMP and other protocols, the response includes an "administratively prohibited" code (9 or 10). The sender is notified immediately (without any retries) when a connection cannot be established.
- Click PUBLISH to create the rule.
The system gives the new rule an integer ID value, which is used in log entries generated by the rule.
What to do next
You can take any or all of these optional actions with an existing firewall rule.
- Click the gear icon to view or modify rule logging settings. Log entries are sent to the VMware vRealize Log Insight Cloud Service. See Using vRealize Log Insight Cloud in the VMware Cloud on AWS Operations Guide.
- Click the graph icon to view Rule Hits and Flow statistics for the rule.
Table 1. Rule Hits Statistics

| Statistic | Description |
|---|---|
| Popularity Index | Number of times the rule was triggered in the past 24 hours. |
| Hit Count | Number of times the rule was triggered since it was created. |

Table 2. Flow Statistics

| Statistic | Description |
|---|---|
| Packet Count | Total packet flow through this rule. |
| Byte Count | Total byte flow through this rule. |
- Reorder firewall rules.
A rule created from the ADD NEW RULE button is placed at the top of the list of rules. Firewall rules are applied in order from top to bottom. To change the position of a rule in the list, select it and drag it to a new position. Click PUBLISH to publish the change.
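The following is an added Python model of the behaviour described on this page (top-to-bottom rule evaluation, the Applied To interface scopes with All Uplinks excluding the VPN Tunnel Interface, silent Drop versus notifying Reject, the default block on uplink traffic, and the effect of rule order when reordering). It is example code, not VMware's or NSX's, and it makes two assumptions: evaluation is first-match (the first enabled rule whose Sources, Destinations, Services and Applied To all match decides the action), and the inventory group names, rule IDs and rule names in `sample_rules()` are constructed for illustration. The `shadowed_rules()` check is the one to run before you PUBLISH a reordered table: it lists rules that can never be hit because an earlier rule already matches everything they would.

```python
from dataclasses import dataclass
from typing import List, Optional, Set

# Applied To values named in the procedure above; the VPN tunnel is not an uplink.
VPN_TUNNEL, VPC, INTERNET, DIRECT_CONNECT, ALL_UPLINKS = (
    "VPN Tunnel Interface", "VPC Interface", "Internet Interface",
    "Direct Connect Interface", "All Uplinks")
UPLINKS = {VPC, INTERNET, DIRECT_CONNECT}
ANY = "Any"


@dataclass
class Rule:
    rule_id: int            # integer ID assigned on PUBLISH; appears in log entries
    name: str
    sources: Set[str]       # inventory group names, or {"Any"}
    destinations: Set[str]
    services: Set[str]
    applied_to: str
    action: str             # "Allow", "Drop" or "Reject"
    enabled: bool = True
    hit_count: int = 0      # mirrors the Hit Count statistic


@dataclass
class Packet:
    src_group: str          # inventory groups the endpoints belong to
    dst_group: str
    service: str
    interface: str          # which interface the packet crosses
    protocol: str           # "tcp", "udp" or "icmp"


@dataclass
class Decision:
    action: str
    rule_id: Optional[int]  # None when the default rule decided
    response: Optional[str] # what the sender receives, if anything


def _selected(selection: Set[str], value: str) -> bool:
    return ANY in selection or value in selection


def _in_scope(rule: Rule, interface: str) -> bool:
    if rule.applied_to == ALL_UPLINKS:
        return interface in UPLINKS
    return rule.applied_to == interface


def _matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.enabled and _in_scope(rule, pkt.interface)
            and _selected(rule.sources, pkt.src_group)
            and _selected(rule.destinations, pkt.dst_group)
            and _selected(rule.services, pkt.service))


def _response(action: str, protocol: str) -> Optional[str]:
    """Drop is silent; Reject notifies the sender immediately."""
    if action != "Reject":
        return None
    return "TCP RST" if protocol == "tcp" else "ICMP administratively prohibited"


def evaluate(rules: List[Rule], pkt: Packet, default_action: str = "Drop") -> Decision:
    """Walk the table top to bottom. Assumption: the first enabled rule whose
    Sources, Destinations, Services and Applied To all match decides the action;
    with no match the default rule applies (uplink traffic is blocked by default)."""
    for rule in rules:
        if _matches(rule, pkt):
            rule.hit_count += 1
            return Decision(rule.action, rule.rule_id, _response(rule.action, pkt.protocol))
    return Decision(default_action, None, _response(default_action, pkt.protocol))


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """IDs of rules that can never be hit because an earlier enabled rule already
    matches everything they would match; reorder these before you PUBLISH."""
    def covers(a: Set[str], b: Set[str]) -> bool:
        return ANY in a or b <= a

    def scope_covers(a: Rule, b: Rule) -> bool:
        return a.applied_to == b.applied_to or (
            a.applied_to == ALL_UPLINKS and b.applied_to in UPLINKS)

    shadowed = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (earlier.enabled and scope_covers(earlier, later)
                    and covers(earlier.sources, later.sources)
                    and covers(earlier.destinations, later.destinations)
                    and covers(earlier.services, later.services)):
                shadowed.append(later.rule_id)
                break
    return shadowed


def sample_rules() -> List[Rule]:
    """Constructed sample table; group names, rule names and IDs are assumptions."""
    return [
        Rule(1001, "web-in", {ANY}, {"web-servers"}, {"HTTPS"}, INTERNET, "Allow"),
        Rule(1002, "no-ssh", {ANY}, {"web-servers"}, {"SSH"}, ALL_UPLINKS, "Reject"),
        Rule(1003, "vpn-web", {"corp-vpn"}, {"web-servers"}, {"HTTPS"}, INTERNET, "Allow"),
    ]
```

With the sample table, `evaluate(sample_rules(), Packet("ops", "web-servers", "SSH", VPN_TUNNEL, "tcp"))` falls through to the default rule because rule 1002 is scoped to All Uplinks and the VPN tunnel is not an uplink, while the same packet on the VPC Interface is rejected with a TCP RST. `shadowed_rules(sample_rules())` reports rule 1003: its Any-source predecessor 1001 already allows every HTTPS packet to web-servers on the Internet Interface, so dragging 1003 above 1001 (or deleting it) is the fix.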