You can create Distributed Firewall policies (security policies) in NSX and apply them to registered Antrea container clusters to secure traffic between Pods within a container cluster.
An
NSX security policy can be applied to multiple
Antrea container clusters. However, the policy can secure traffic between Pods within a single
Antrea container cluster. The following traffic is not protected:
- Pod-to-Pod traffic between Antrea container clusters.
- Traffic between Pods in an Antrea container cluster and VMs on hosts in the NSX environment.
When an NSX security policy is applied to one or more Antrea container clusters, the Antrea network plug-in enforces this security policy at the Antrea Controller of each container cluster. In other words, the enforcement point of the security policy is the Antrea Controller of each Antrea container cluster.
Security Policy Features Supported for Antrea Container Clusters
- Only Layer 3 and 4 security policies can be applied to Antrea container clusters. Rules in the following firewall categories are supported: Emergency, Infrastructure, Environment, and Application.
- Sources, Destinations, and Applied To of a rule can contain only Antrea groups.
- Applied To is supported at both policy level and rule level. If both are specified, Applied To at the policy level takes precedence.
- Services, including raw port and protocol combination, are supported. However, the following constraints apply:
- Only TCP and UDP services are supported. All other services are not supported.
- In raw port and protocol combinations, TCP and UDP service types are supported.
- Only destination ports are supported.
- Policy statistics and rule statistics are supported. Rule statistics are not aggregated for all the Antrea container clusters to which the security policy is applied. In other words, rule statistics are displayed for each Antrea container cluster.
Security Policy Features Not Supported for Antrea Container Clusters
- Layer 2 (Ethernet) rules based on MAC addresses are not supported.
- Layer 7 rules based on Context Profiles are not supported. For example, rules based on application ID, FQDN, and so on.
- Antrea groups with IP addresses are not supported in the Applied To of the security policy and firewall rules.
- Time-based scheduling of rules is not supported.
- Antrea groups are not supported in a firewall exclusion list. ( ).
- Negating or excluding the Antrea groups that you have selected in the sources or destinations of a firewall rule is not supported.
- Identity Firewall is not supported.
- Global groups created for an NSX Federated environment cannot be used in security policies that are applied to Antrea container clusters.
- Advanced policy configuration does not support the following settings:
- TCP Strict
- Stateful