In this example, your goal is to create a Distributed Firewall policy in NSX-T Data Center to secure Pod-to-Pod traffic in the Enterprise Human Resource application, which is running in a single Antrea container cluster.
Let us assume that the Pod workloads in the Antrea container cluster are running Web, App, and Database microservices of the Enterprise Human Resource application. You have added Antrea groups in your NSX-T environment by using Pod-based membership criteria, as shown in the following table.
Antrea Group Name | Membership Criteria |
---|---|
HR-Web |
Pod Tag Equals Web Scope Equals HR |
HR-App |
Pod Tag Equals App Scope Equals HR |
HR-DB |
Pod Tag Equals DB Scope Equals HR |
Your objective is to create a security policy in the Application category with three firewall rules, as follows:
- Allow all traffic from HR-Web group to HR-App group.
- Allow all traffic from HR-App group to HR-DB group.
- Reject all traffic from HR-Web to HR-DB group.
Prerequisites
Antrea container cluster is registered to NSX-T Data Center.
Procedure
Results
When the policy is realized successfully, the following results occur in the
Antrea container cluster:
- A Cluster Network Policy is created.
- Rules 1022, 1023, and 1024 are enforced in the container cluster in that order.
- For each firewall rule, a corresponding Ingress rule is created in the Cluster Network Policy.