In this example, your goal is to create a Distributed Firewall policy in NSX-T Data Center to secure Pod-to-Pod traffic in the Enterprise Human Resource application, which is running in a single Antrea container cluster.
Let us assume that the Pod workloads in the Antrea container cluster are running Web, App, and Database microservices of the Enterprise Human Resource application. You have added Antrea groups in your NSX-T environment by using Pod-based membership criteria, as shown in the following table.
| Antrea Group Name | Membership Criteria |
|---|---|
| HR-Web | Pod Tag Equals Web, Scope Equals HR |
| HR-App | Pod Tag Equals App, Scope Equals HR |
| HR-DB | Pod Tag Equals DB, Scope Equals HR |
Your objective is to configure firewall rules that meet the following requirements:
- Allow all traffic from the HR-Web group to the HR-App group.
- Allow all traffic from the HR-App group to the HR-DB group.
- Reject all traffic from the HR-Web group to the HR-DB group.
Prerequisite: the Antrea container cluster is registered to NSX-T Data Center.
- From your browser, log in to an NSX Manager at https://nsx-manager-ip-address.
- Click the Security tab, and then under Policy Management, click Distributed Firewall.
The Category Specific Rules page is displayed.
- Make sure that you are in the Application category.
- Click Add Policy and enter a policy name.
For example, enter EnterpriseHRPolicy.
- In the Applied To field of the policy, select the Antrea container cluster where the Pod workloads of the Enterprise Human Resource application are running.
- Publish the policy.
- Select the policy name, and click Add Rule.
Configure three firewall rules, as shown in the following table.
| Rule Name | Rule ID | Sources | Destinations | Services | Applied To | Action |
|---|---|---|---|---|---|---|
| Web-to-App | 1022 | HR-Web | N/A | Any | HR-App | Allow |
| App-to-DB | 1023 | HR-App | N/A | Any | HR-DB | Allow |
| Web-to-DB | 1024 | HR-Web | N/A | Any | HR-DB | Reject |
The rule IDs in the table are only sample values for this example. The rule IDs can vary in your NSX-T environment.
- Publish the rules.

After the rules are published, the following results occur in the Antrea container cluster:
- A Cluster Network Policy is created.
- Rules 1022, 1023, and 1024 are enforced in the container cluster in that order.
- For each firewall rule, a corresponding Ingress rule is created in the Cluster Network Policy.
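The following added example (not code from the NSX-T documentation or from NSX itself) models the translation described above: each DFW rule becomes one ordered Ingress rule of a ClusterNetworkPolicy, with the rule's Applied To group selecting the destination Pods and its Sources group selecting the senders, and then checks the verdict for each Pod pair. The label keys `tag` and `scope`, the rule names, and the exact object layout are assumptions for illustration; the object NSX generates may differ.

```python
# Added example, not from the NSX-T documentation: models how the three DFW rules
# become the ordered Ingress rules of an Antrea ClusterNetworkPolicy (CNP) and
# checks the verdict per Pod pair. Label keys and object layout are assumptions.

# Antrea groups from the first table, modelled as Pod label selectors.
GROUPS = {
    "HR-Web": {"tag": "Web", "scope": "HR"},
    "HR-App": {"tag": "App", "scope": "HR"},
    "HR-DB": {"tag": "DB", "scope": "HR"},
}

# DFW rules from the second table: (name, rule ID, Sources, Applied To, Action).
DFW_RULES = [
    ("Web-to-App", 1022, "HR-Web", "HR-App", "Allow"),
    ("App-to-DB", 1023, "HR-App", "HR-DB", "Allow"),
    ("Web-to-DB", 1024, "HR-Web", "HR-DB", "Reject"),
]

def to_cluster_network_policy(rules, name="EnterpriseHRPolicy"):
    """One Ingress rule per DFW rule, in DFW order: 'appliedTo' is the rule's
    Applied To group (the destination Pods) and 'from' is its Sources group."""
    ingress = []
    for rule_name, rule_id, src, applied_to, action in rules:
        ingress.append({
            "name": f"{rule_name}-{rule_id}",
            "action": action,
            "from": [{"podSelector": {"matchLabels": GROUPS[src]}}],
            "appliedTo": [{"podSelector": {"matchLabels": GROUPS[applied_to]}}],
        })
    return {"kind": "ClusterNetworkPolicy", "metadata": {"name": name},
            "spec": {"ingress": ingress}}

def _matches(selector, labels):
    return all(labels.get(k) == v for k, v in selector["matchLabels"].items())

def verdict(policy, src_labels, dst_labels):
    """First matching Ingress rule wins, mirroring in-order enforcement.
    Returns the action, or None when no rule of this policy covers the flow."""
    for rule in policy["spec"]["ingress"]:
        applies = any(_matches(a["podSelector"], dst_labels) for a in rule["appliedTo"])
        from_ok = any(_matches(f["podSelector"], src_labels) for f in rule["from"])
        if applies and from_ok:
            return rule["action"]
    return None

if __name__ == "__main__":
    cnp = to_cluster_network_policy(DFW_RULES)
    for src, dst in [("HR-Web", "HR-App"), ("HR-App", "HR-DB"), ("HR-Web", "HR-DB")]:
        print(src, "->", dst, verdict(cnp, GROUPS[src], GROUPS[dst]))
```

A flow that no rule covers (for example DB-to-Web, or a Web Pod outside the HR scope) returns None here, meaning this policy neither allows nor rejects it.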