You can set the Applied To setting for all firewall rules created through Service Composer to either Distributed Firewall or Policy's Security Groups. By default, Applied To is set to Distributed Firewall.

About this task

When Service Composer firewall rules have an Applied To setting of Distributed Firewall, the rules are applied to all clusters on which Distributed Firewall is installed. If the firewall rules are set to apply to the policy's security groups, you have more granular control over where the rules are enforced, but you may need multiple security policies or firewall rules to get the desired result.

Procedure

  1. Log in to the vSphere Web Client.
  2. Click Networking & Security, click Service Composer, and click the Security Policies tab.
  3. Click Actions > Edit Firewall Policy Settings. Select a default setting for Applied To and click OK.

     Option                      Description
     Distributed Firewall        Firewall rules are applied to all clusters on which Distributed Firewall is installed.
     Policy's Security Groups    Firewall rules are applied to the security groups on which the security policy is applied.

     The default Applied To setting can also be viewed and changed via the API. See the NSX API Guide.

Applied To Behavior

In this example scenario, your default firewall rule action is set to block. You have two security groups: web-servers and app-servers, which contain VMs. You create a security policy, allow-ssh-from-web, which contains the following firewall rule, and apply it to the security group app-servers.

  • Name: allow-ssh-from-web

  • Source: web-servers

  • Destination: Policy's Security Group

  • Service: ssh

  • Action: allow

If the firewall rule applies to Distributed Firewall, you will be able to ssh from a VM in the security group web-servers to a VM in the security group app-servers.

If the firewall rule applies to Policy's Security Group, you will not be able to ssh, as the traffic will be blocked before it reaches the app servers: the allow rule is enforced only on the vNICs of the app-servers VMs, so the outbound SSH traffic leaving a web-servers VM matches no allow rule there and hits the default block rule. You will need to create an additional security policy to allow ssh to the app servers, and apply this policy to the security group web-servers.

  • Name: allow-ssh-to-app

  • Source: Policy's Security Group

  • Destination: app-servers

  • Service: ssh

  • Action: allow
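The following is an added example, not code from the NSX documentation or product: a small Python model of per-vNIC distributed firewall enforcement that replays the scenario above. The group and rule names come from the page; the VM names web-01 and app-01, the function names, and the simplification that a flow must be allowed at both the source and the destination vNIC are assumptions of this model. It shows why the single policy works with Applied To = Distributed Firewall, fails with Applied To = Policy's Security Groups, and works again once the second policy is applied to web-servers.

```python
"""Toy model of Applied To scoping for Service Composer firewall rules.

Added example (not VMware code). Security groups, policies and rule
fields follow the scenario in the text; VM names are constructed.
"""
from dataclasses import dataclass

# Applied To options from the Edit Firewall Policy Settings dialog.
APPLIED_TO_DFW = "Distributed Firewall"
APPLIED_TO_POLICY_SG = "Policy's Security Groups"
# Placeholder usable in a rule's Source/Destination field.
POLICY_SG = "Policy's Security Group"

# Constructed inventory: which VMs (vNICs) belong to which security group.
GROUPS = {
    "web-servers": {"web-01"},
    "app-servers": {"app-01"},
}


@dataclass(frozen=True)
class Rule:
    name: str
    source: str          # security group name after placeholder resolution
    destination: str     # security group name after placeholder resolution
    service: str
    action: str          # "allow" or "block"
    applied_to: frozenset  # vNICs (VM names) on which the rule is enforced


def compile_policy(name, source, destination, service, action,
                   applied_to_setting, policy_group, groups=GROUPS):
    """Turn a security policy applied to `policy_group` into one DFW rule.

    Applied To = Distributed Firewall publishes the rule to every vNIC;
    Applied To = Policy's Security Groups publishes it only to the vNICs
    of the group the policy is applied to.
    """
    def resolve(group):
        return policy_group if group == POLICY_SG else group

    if applied_to_setting == APPLIED_TO_DFW:
        vnics = frozenset(vm for vms in groups.values() for vm in vms)
    else:
        vnics = frozenset(groups[policy_group])
    return Rule(name, resolve(source), resolve(destination),
                service, action, vnics)


def evaluate_at_vnic(vnic, rules, flow, groups=GROUPS, default="block"):
    """First rule published to this vNIC that matches the flow wins;
    otherwise the default rule (block in the scenario) applies."""
    src_vm, dst_vm, service = flow
    for rule in rules:
        if vnic not in rule.applied_to:
            continue  # rule never reached this vNIC, so it cannot match
        if (src_vm in groups.get(rule.source, ())
                and dst_vm in groups.get(rule.destination, ())
                and service == rule.service):
            return rule.action
    return default


def flow_allowed(flow, rules, groups=GROUPS):
    """Model assumption: the flow is checked on egress at the source vNIC
    and on ingress at the destination vNIC; both must allow it."""
    src_vm, dst_vm, _ = flow
    return (evaluate_at_vnic(src_vm, rules, flow, groups) == "allow"
            and evaluate_at_vnic(dst_vm, rules, flow, groups) == "allow")


def ssh_web_to_app(applied_to_setting, add_second_policy=False):
    """Replay the scenario: can web-01 ssh to app-01 under this setting?"""
    rules = [compile_policy("allow-ssh-from-web", "web-servers", POLICY_SG,
                            "ssh", "allow", applied_to_setting, "app-servers")]
    if add_second_policy:
        rules.append(compile_policy("allow-ssh-to-app", POLICY_SG, "app-servers",
                                    "ssh", "allow", applied_to_setting, "web-servers"))
    return flow_allowed(("web-01", "app-01", "ssh"), rules)


if __name__ == "__main__":
    print("DFW:", ssh_web_to_app(APPLIED_TO_DFW))                       # True
    print("Policy SG:", ssh_web_to_app(APPLIED_TO_POLICY_SG))           # False
    print("Policy SG + 2nd policy:",
          ssh_web_to_app(APPLIED_TO_POLICY_SG, add_second_policy=True))  # True
```

The model is deliberately stateless and one-directional; the real DFW is stateful and has further rule fields, but the scoping effect of Applied To that the page describes is the same: a rule that is not published to the source VM's vNIC cannot allow that VM's outbound traffic, so the default rule decides.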