By default, the Compute Gateway blocks traffic into and out of the SDDC Compute Network. Add Compute Gateway firewall rules to allow traffic as needed.

Firewall rules for the default Compute Gateway and any additional Tier-1 gateways you create specify actions to take on network traffic from a specified source to a specified destination and service. Actions can be one of:
  • allow (allow matching traffic)
  • drop (silently drop matching traffic)
  • reject (drop matching traffic and notify the source)
Rules can be applied to a selection from a list of physical network interfaces or the generic specification All Uplinks, which applies to all traffic leaving the gateway and going to the VPC interface, Internet interface, or Intranet (Direct Connect) interface.
Note: A firewall rule applied to All Uplinks does not apply to the VPN Tunnel Interface (VTI), which is a virtual interface and not a physical uplink. The VPN Tunnel Interface must be specified explicitly in the Applied To parameter of any firewall rule that manages workload VM communications over a route-based VPN.

All traffic attempting to pass through the firewall is evaluated by the rules in the order shown in the rules table. Traffic matching the first rule follows its action (allow, drop, or reject) and evaluation stops. Traffic not matching the first rule is passed on to subsequent rules. When it hits a match, the traffic is allowed, dropped, or rejected as specified by the rule action, and further rule evaluation is stopped. Traffic that does not match any customer-defined rules is handled by a default rule.

There are two types of firewall rules:
  • Pre-defined firewall rules are created by VMware Cloud on AWS. There are two pre-defined Compute Gateway firewall rules:
    Table 1. Pre-Defined Compute Gateway Firewall Rules
    Name                | Sources | Destinations | Services | Applied To           | Action
    Default VTI Rule    | Any     | Any          | Any      | VPN Tunnel Interface | Drop *
    Default Uplink Rule | Any     | Any          | Any      | All Uplinks          | Drop
    * The Default VTI Rule drops all route-based VPN traffic (over the Virtual Tunnel Interface), so to enable workload VMs to communicate over a route-based VPN, modify this rule to Allow the traffic or move it to a lower rank in the rule hierarchy, after more permissive rules. You cannot modify or re-order the Default Uplink Rule.
  • Customer-defined firewall rules are processed in the order you specify and are always processed before the Default Uplink Rule.
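The first-match evaluation and the All Uplinks versus VPN Tunnel Interface distinction described above, as an added illustrative model (not VMware's code or API). The interface names follow the page; the customer rule, inventory group names and service name are constructed for the example.

```python
# Added example (not VMware's code): a first-match model of Compute Gateway
# rule evaluation. Group names and the "Web to DB" rule are constructed.
from dataclasses import dataclass, field

UPLINKS = {"VPC Interface", "Internet Interface", "Intranet Interface"}
VTI = "VPN Tunnel Interface"


def expand_applied_to(applied_to):
    """'All Uplinks' covers the three physical uplinks but never the VTI."""
    out = set()
    for item in applied_to:
        out |= UPLINKS if item == "All Uplinks" else {item}
    return out


@dataclass
class Rule:
    name: str
    action: str  # "allow", "drop" or "reject"
    sources: set = field(default_factory=lambda: {"Any"})
    destinations: set = field(default_factory=lambda: {"Any"})
    services: set = field(default_factory=lambda: {"Any"})
    applied_to: set = field(default_factory=lambda: {"All Uplinks"})

    def matches(self, src_group, dst_group, service, interface):
        return (interface in expand_applied_to(self.applied_to)
                and ("Any" in self.sources or src_group in self.sources)
                and ("Any" in self.destinations or dst_group in self.destinations)
                and ("Any" in self.services or service in self.services))


def evaluate(rules, src_group, dst_group, service, interface):
    """Walk the table top to bottom; the first matching rule decides."""
    for rule in rules:
        if rule.matches(src_group, dst_group, service, interface):
            return rule.name, rule.action
    return None, "drop"  # nothing matched: a default rule handles the traffic


# Constructed table: one customer rule on top, then the two pre-defined rules.
# The Default Uplink Rule always stays last (it cannot be re-ordered).
RULES = [
    Rule("Web to DB", "allow", {"web-servers"}, {"db-servers"}, {"MySQL"}),
    Rule("Default VTI Rule", "drop", applied_to={VTI}),
    Rule("Default Uplink Rule", "drop"),
]

if __name__ == "__main__":
    for iface in ("VPC Interface", VTI):
        print(iface, evaluate(RULES, "web-servers", "db-servers", "MySQL", iface))
```

Running it shows the customer rule, applied to All Uplinks, allows the flow on the VPC Interface while the same flow over the route-based VPN still hits the Default VTI Rule and is dropped.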

Prerequisites

Compute Gateway firewall rules require named inventory groups for Source and Destination values. See Working With Inventory Groups.

Procedure

  1. Log in to VMware Cloud Services at https://vmc.vmware.com.
  2. Click Inventory > SDDCs, then pick an SDDC card and click VIEW DETAILS.
  3. Click OPEN NSX MANAGER and log in with the NSX Manager Admin User Account shown on the SDDC Settings page. See SDDC Network Administration with NSX Manager.
    You can also use the VMware Cloud Console Networking & Security tab for this workflow.
  4. On the GATEWAY FIREWALL page, click Compute Gateway.
  5. To add a rule, click ADD RULE and give the new rule a Name.
  6. Enter the parameters for the new rule.
    Parameters are initialized to their default values (for example, All for Sources and Destinations). To edit a parameter, move the mouse cursor over the parameter value and click the pencil icon to open a parameter-specific editor.
    Option Description
    Sources Click Any in the Sources column and select an inventory group for source network traffic, or click ADD GROUP to create a new user-defined inventory group to use for this rule. Click SAVE.
    Destinations Click Any in the Destinations column and select an inventory group for destination network traffic, or click ADD GROUP to create a new user-defined inventory group to use for this rule. Click SAVE.
    Services Click Any in the Services column and select a service from the list, or click ADD SERVICE to create a new user-defined service to use for this rule. Click SAVE.
    Applied To Define the type of traffic that the rule applies to:
    • Select VPN Tunnel Interface if you want the rule to apply to traffic over the route-based VPN.
    • Select VPC Interface if you want the rule to apply to traffic over the linked AWS VPC connection.
    • Select Internet Interface if you want the rule to apply to traffic over the SDDC's Internet Gateway, including traffic over policy-based VPNs using the public IP endpoint.
    • Select Intranet Interface if you want the rule to apply to traffic over AWS Direct Connect, VMware Transit Connect, and policy-based VPNs using private IP.
    • Select All Uplinks if you want the rule to apply to the VPC Interface, the Internet Interface, and the Intranet Interface, but not to the VPN Tunnel Interface.
      Note: The VPN Tunnel Interface is not classified as an uplink.
    Action
    • Select Allow to allow all L3 traffic to pass through the firewall.
    • Select Drop to drop packets that match any specified Sources, Destinations, and Services. This is a silent action with no notification to the source or destination systems. Dropping the packet causes the connection to be retried until the retry threshold is reached.
    • Select Reject to reject packets that match any specified Sources, Destinations, and Services. This action returns a "destination unreachable" message to the sender. For TCP packets, the response includes a TCP RST message. For UDP, ICMP and other protocols, the response includes an "administratively prohibited" code (9 or 10). The sender is notified immediately (without any retries) when a connection cannot be established.
    The new rule is enabled by default. Slide the toggle to the left to disable it.
  7. Click PUBLISH to create the rule.

    The system gives the new rule an integer ID value, which is used in log entries generated by the rule.

What to do next

You can take any or all of these optional actions with an existing firewall rule.

  • Click the gear icon to view or modify rule logging settings. Log entries are sent to the VMware Aria Operations for Logs Service. See Using VMware Aria Operations for Logs in the VMware Cloud on AWS Operations Guide.

  • Click the graph icon to view Rule Hits and Flow statistics for the rule.
    Table 2. Rule Hits Statistics
    Popularity Index | Number of times the rule was triggered in the past 24 hours.
    Hit Count        | Number of times the rule was triggered since it was created.
    Table 3. Flow Statistics
    Packet Count | Total packet flow through this rule.
    Byte Count   | Total byte flow through this rule.
    Statistics start accumulating as soon as the rule is enabled.
  • Reorder firewall rules.

    A rule created from the ADD NEW RULE button is placed at the top of the list of rules. Firewall rules are applied in order from top to bottom. To change the position of a rule in the list, select it and drag it to a new position. Click PUBLISH to publish the change.