In this example, your goal is to create a distributed firewall policy in NSX to secure pod-to-pod traffic in the Enterprise Human Resource application, which is running in a single Antrea Kubernetes cluster.
Let us assume that the pod workloads in the Antrea Kubernetes cluster are running Web, App, and Database microservices of the Enterprise Human Resource application. You have added Antrea groups in your NSX environment by using pod-based membership criteria, as shown in the following table.
Antrea Group Name | Membership Criteria
---|---
HR-Web | Pod Tag Equals Web, Scope Equals HR
HR-App | Pod Tag Equals App, Scope Equals HR
HR-DB | Pod Tag Equals DB, Scope Equals HR
Your objective is to create a security policy in the Application category with three firewall rules, as follows:
- Allow all traffic from the HR-Web group to the HR-App group.
- Allow all traffic from the HR-App group to the HR-DB group.
- Reject all traffic from the HR-Web group to the HR-DB group.
Prerequisites
- Antrea Kubernetes cluster is registered to NSX.
- Apply an appropriate security license in your NSX deployment that entitles the system to configure distributed firewall security policies.
Procedure
Results
When the policy is realized successfully, the following results occur in the Antrea Kubernetes cluster:
- An Antrea cluster network policy (ACNP) is created.
- Rules 1022, 1023, and 1024 are enforced in the Kubernetes cluster in that order.
- For each firewall rule, a corresponding ingress rule is created in the cluster network policy, applied to the rule's destination group and matching the rule's source group.
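The following is an added illustration of what an Antrea ClusterNetworkPolicy realizing these three rules looks like, with one ingress rule per firewall rule. It is not output generated by NSX and not part of the original page. It assumes that NSX translates the membership criterion "Pod Tag Equals X, Scope Equals HR" into the pod label `HR=X`; the policy name, rule names and the priority value are placeholders.

```yaml
# Added illustration (not generated by NSX): an Antrea ClusterNetworkPolicy
# equivalent to the three HR firewall rules, one ingress rule per NSX rule.
# Assumptions: the NSX criterion "Pod Tag Equals X, Scope Equals HR" maps to
# the pod label HR=X; name, rule names and priority are placeholders.
apiVersion: crd.antrea.io/v1beta1
kind: ClusterNetworkPolicy
metadata:
  name: hr-pod-to-pod            # placeholder name
spec:
  priority: 5                    # placeholder; a lower number wins in Antrea
  tier: application              # Antrea's built-in Application tier
  # No spec-level appliedTo: each rule carries its own, because the three
  # rules apply to different destination groups (HR-App, HR-DB, HR-DB).
  ingress:
    # Rule 1022: allow HR-Web -> HR-App
    - name: allow-web-to-app
      action: Allow
      appliedTo:
        - podSelector:
            matchLabels:
              HR: App
      from:
        - podSelector:
            matchLabels:
              HR: Web
    # Rule 1023: allow HR-App -> HR-DB
    - name: allow-app-to-db
      action: Allow
      appliedTo:
        - podSelector:
            matchLabels:
              HR: DB
      from:
        - podSelector:
            matchLabels:
              HR: App
    # Rule 1024: reject HR-Web -> HR-DB. Reject answers with TCP RST or
    # ICMP unreachable; Drop would silently discard the packets instead.
    - name: reject-web-to-db
      action: Reject
      appliedTo:
        - podSelector:
            matchLabels:
              HR: DB
      from:
        - podSelector:
            matchLabels:
              HR: Web
```

Rules within an ACNP are evaluated in the order listed, which is why the page notes that 1022, 1023 and 1024 are enforced in that order. Two things a practitioner should check after realization: `kubectl get acnp` and `kubectl describe acnp <name>` show the policy and how many nodes have it in effect, and the policy above contains no final deny rule, so traffic that matches none of the three rules (for example from an unlabeled pod to HR-DB) falls through to lower-priority policies and, if nothing matches there, is allowed by Antrea's default. Only HR-Web to HR-DB is rejected; add an explicit catch-all rule if the application is meant to be isolated from everything else.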