By default, the Compute Gateway blocks traffic to all uplinks. Add Compute Gateway firewall rules to allow traffic as needed. Each rule takes one of these actions on the traffic it matches:
- allow (allow matching traffic)
- drop (silently drop matching traffic)
- reject (drop matching traffic and notify the source)
All traffic attempting to pass through the firewall is evaluated against the rules in the order shown in the rules table. Evaluation stops at the first rule that matches, and the traffic is allowed, dropped, or rejected as that rule's action specifies. Traffic that does not match any customer-defined rule is handled by a default rule.
- Pre-defined firewall rules are created by VMware Cloud on AWS. There are two pre-defined Compute Gateway firewall rules:
Table 1. Pre-Defined Compute Gateway Firewall Rules

| Name | Sources | Destinations | Services | Applied To | Action |
| --- | --- | --- | --- | --- | --- |
| Default VTI Rule | Any | Any | Any | VPN Tunnel Interface | Drop * |
| Default Uplink Rule | Any | Any | Any | All Uplinks | Drop |
- Customer-defined firewall rules are processed in the order you specify and are always processed before the Default Uplink Rule.
Compute Gateway firewall rules require named inventory groups for Source and Destination values. See Working With Inventory Groups.
- Log in to VMware Cloud Services at https://vmc.vmware.com, then pick an SDDC card and click VIEW DETAILS.
- Click OPEN NSX MANAGER and log in with the NSX Manager Admin User Account shown on the SDDC Settings page.
You can also use the VMware Cloud Console Networking & Security tab for this workflow. See SDDC Network Administration with NSX Manager.
- On the GATEWAY FIREWALL page, click Compute Gateway.
- To add a rule, click ADD RULE and give the new rule a Name.
- Enter the parameters for the new rule.
Parameters are initialized to their default values (for example, All for Sources and Destinations). To edit a parameter, move the mouse cursor over the parameter value and click the pencil icon to open a parameter-specific editor.
- Sources: Click Any in the Sources column and select an inventory group for source network traffic, or click ADD GROUP to create a new user-defined inventory group to use for this rule. Click SAVE.
- Destinations: Click Any in the Destinations column and select an inventory group for destination network traffic, or click ADD GROUP to create a new user-defined inventory group to use for this rule. Click SAVE.
- Services: Click Any in the Services column and select a service from the list, or click ADD SERVICE to create a new user-defined service to use for this rule. Click SAVE.
- Applied To: Define the type of traffic that the rule applies to:
  - Select VPN Tunnel Interface if you want the rule to apply to traffic over the route-based VPN.
  - Select VPC Interface if you want the rule to apply to traffic over the linked AWS VPC connection.
  - Select Internet Interface if you want the rule to apply to traffic over the SDDC's Internet Gateway, including traffic over policy-based VPNs using the public IP endpoint.
  - Select Intranet Interface if you want the rule to apply to traffic over AWS Direct Connect, VMware Transit Connect, and policy-based VPNs using private IP.
  - Select All Uplinks if you want the rule to apply to the VPC Interface, the Internet Interface, and the Intranet Interface, but not to the VPN Tunnel Interface.
  Note: The VPN Tunnel Interface is not classified as an uplink.
The new rule is enabled by default. Slide the toggle to the left to disable it.
- Action: Select the action the rule takes on matching traffic:
  - Select Allow to allow all L3 traffic to pass through the firewall.
  - Select Drop to drop packets that match any specified Sources, Destinations, and Services. This is a silent action with no notification to the source or destination systems. Dropping the packet causes the connection to be retried until the retry threshold is reached.
  - Select Reject to reject packets that match any specified Sources, Destinations, and Services. This action returns a "destination unreachable" message to the sender. For TCP packets, the response includes a TCP RST message. For UDP, ICMP, and other protocols, the response includes an "administratively prohibited" code (9 or 10). The sender is notified immediately (without any retries) when the connection cannot be established.
- Click PUBLISH to create the rule.
The system gives the new rule an integer ID value, which is used in log entries generated by the rule.
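The evaluation order described above (customer rules first, in table order, then the pre-defined rules from Table 1) and the Applied To semantics (All Uplinks excludes the VPN Tunnel Interface) are easy to get wrong when reordering rules. The following is an added example, not part of this documentation and not a VMware tool: a small Python model of that evaluation that can be run against a proposed rule set to find rules that can never fire (for example, an allow placed below a broader drop). The interface names and default rules are from this page; the sample rules, inventory group names ("Web-Servers", "External") and service name ("HTTPS") are constructed.

```python
# Added example: model of Compute Gateway first-match rule evaluation.
# Not VMware code; sample rules, groups and services below are constructed.
from dataclasses import dataclass, field

UPLINKS = {"VPC Interface", "Internet Interface", "Intranet Interface"}


def expand_applied_to(applied_to):
    """'All Uplinks' covers the three uplinks but not the VPN Tunnel Interface."""
    return UPLINKS if applied_to == "All Uplinks" else {applied_to}


@dataclass
class Rule:
    name: str
    action: str                     # "allow", "drop" or "reject"
    applied_to: str                 # an interface name or "All Uplinks"
    sources: set = field(default_factory=lambda: {"Any"})
    destinations: set = field(default_factory=lambda: {"Any"})
    services: set = field(default_factory=lambda: {"Any"})

    def matches(self, src_group, dst_group, service, interface):
        """A rule matches only if every column matches ('Any' matches all)."""
        return (interface in expand_applied_to(self.applied_to)
                and ("Any" in self.sources or src_group in self.sources)
                and ("Any" in self.destinations or dst_group in self.destinations)
                and ("Any" in self.services or service in self.services))


# Pre-defined rules from Table 1; always evaluated after customer rules.
DEFAULT_RULES = [Rule("Default VTI Rule", "drop", "VPN Tunnel Interface"),
                 Rule("Default Uplink Rule", "drop", "All Uplinks")]


def evaluate(customer_rules, src_group, dst_group, service, interface):
    """First match wins: returns (action, name of the rule that matched)."""
    for rule in list(customer_rules) + DEFAULT_RULES:
        if rule.matches(src_group, dst_group, service, interface):
            return rule.action, rule.name
    raise ValueError("unknown interface: %s" % interface)


def shadowed_rules(customer_rules, sample_flows):
    """Customer rules that never fire for any (src, dst, service, iface) sample."""
    fired = {evaluate(customer_rules, *flow)[1] for flow in sample_flows}
    return [r.name for r in customer_rules if r.name not in fired]


if __name__ == "__main__":
    rules = [Rule("Block inbound web", "drop", "Internet Interface", services={"HTTPS"}),
             Rule("Allow web servers", "allow", "Internet Interface",
                  destinations={"Web-Servers"}, services={"HTTPS"})]
    flow = ("External", "Web-Servers", "HTTPS", "Internet Interface")
    print(evaluate(rules, *flow))            # the broad drop above shadows the allow
    print(shadowed_rules(rules, [flow]))     # reorder the two rules to fix this
```

Swapping the two sample rules (as the drag-and-drop reordering step below describes) makes the allow fire, while the same flow arriving on the VPN Tunnel Interface still hits the Default VTI Rule.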
What to do next
You can take any or all of these optional actions with an existing firewall rule.
- Click the gear icon to view or modify rule logging settings. Log entries are sent to the VMware vRealize Log Insight Cloud Service. See Using vRealize Log Insight Cloud in the VMware Cloud on AWS Operations Guide.
- Click the graph icon to view Rule Hits and Flow statistics for the rule.
Table 2. Rule Hits Statistics

| Statistic | Description |
| --- | --- |
| Popularity Index | Number of times the rule was triggered in the past 24 hours. |
| Hit Count | Number of times the rule was triggered since it was created. |

Table 3. Flow Statistics

| Statistic | Description |
| --- | --- |
| Packet Count | Total packet flow through this rule. |
| Byte Count | Total byte flow through this rule. |
- Reorder firewall rules.
A rule created from the ADD NEW RULE button is placed at the top of the list of rules. Firewall rules are applied in order from top to bottom. To change the position of a rule in the list, select it and drag it to a new position. Click PUBLISH to publish the change.