After you have applied the security policies to the blueprint in your scenario, you can create the distributed firewalls and associate them with the security policies. Distributed firewall rules allow only network traffic that is required by the web application, thus making the environment more secure.

About this task

By default, all incoming and outgoing traffic is blocked. For installing software packages and for other special situations, you can open ports. The scenarios in this guide use yum and wget, so this task opens the ports for HTTP, HTTPS, and DNS-UDP (for looking up a proxy server) and the port for connecting to the proxy server. Your firewall rules depend entirely on your environment.

Procedure

  1. Log in to the Compute vCenter Server by using the vSphere Web Client.
    1. Open a Web browser and go to https://sfo01w01vc01.sfo01.rainpole.local/vsphere-client .
    2. Log in using the following credentials.

       Option       Description
       User name    administrator@vsphere.local
       Password     vsphere_admin_password

  2. From the vSphere Web Client home page, select Networking & Security.
  3. In the Navigator, select Service Composer.
  4. In the main panel, select the Security Policies tab.
  5. From the NSX Manager drop-down menu, select 172.16.11.66.
  6. Create firewall rules for the Default Web Application Policy.
    1. Right-click Default Web Application Policy and click Edit.
    2. Expand Advanced options and change Weight to 300.
    3. Click Firewall Rules in the left panel.
    4. Click the Add icon, add a firewall rule with the following values, and click OK.

       Setting                 Value
       Name                    Allow outgoing http and https
       Description/Comments    Allow outgoing http and https so we can install software with yum
       Action                  Allow
       Source                  Policy's Security Groups
       Destination             Any
       Service                 HTTP, HTTPS, DNS-UDP

    5. Click the Add icon, add a firewall rule with the following values, and click OK.

       Setting        Value
       Name           Block all incoming traffic
       Action         Block
       Source         Any
       Destination    Policy's Security Groups
       Service        Any

    6. Click the Add icon, add a firewall rule with the following values, click OK, and click Finish.

       Setting        Value
       Name           Block all outgoing traffic
       Action         Block
       Source         Policy's Security Groups
       Destination    Any
       Service        Any

  7. Create firewall rules for the Application Server Policy.
    1. Right-click Application Server Policy and click Edit.
    2. Click Firewall Rules in the left panel.
    3. Click the Add icon to add a firewall rule with the following values.

       Setting    Value
       Name       Allow outgoing MySQL
       Service    MySQL

    4. Click OK and click Finish.
  8. Create firewall rules for the Database Server Policy.
    1. Right-click Database Server Policy and click Edit.
    2. Click Firewall Rules in the left panel.
    3. Click the Add icon to add a firewall rule with the following values.

       Setting        Value
       Name           Allow intra-group MySQL
       Destination    Policy's Security Groups
       Service        MySQL

    4. Click OK and click Finish.
  9. Create firewall rules for the Web Server Policy.
    1. Right-click Web Server Policy and click Edit.
    2. Click Firewall Rules in the left panel.
    3. Click the Add icon to add a firewall rule with the following values and click OK.

       Setting        Value
       Name           Block Internal Web
       Action         Block
       Destination    Policy's Security Groups
       Service        HTTP, HTTPS

    4. Click the Add icon to add another firewall rule with the following values.

       Setting        Value
       Name           Allow incoming Web
       Source         Any
       Destination    Policy's Security Groups
       Service        HTTP, HTTPS

    5. Click OK and click Finish.
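As an added illustration that is not part of this guide or of VMware's software, the following Python model encodes the rule set built in this procedure and evaluates sample flows under first-match order, so you can check the intended effect (web tier reachable from outside, database reachable only from the application tier, package downloads still allowed) before applying the policies. It assumes the Service Composer defaults of Source = Policy's Security Groups and Destination = Any for values the tables omit, that a higher policy weight takes precedence, that the Default Web Application Policy is applied to all three tiers, and constructed weights above 300 for the three tier policies.

```python
# Constructed model of the Service Composer rules in this procedure (not VMware code).
from dataclasses import dataclass

ANY = "Any"
PSG = "Policy's Security Groups"

@dataclass
class Rule:
    name: str
    action: str = "Allow"       # assumed UI default when the table omits Action
    source: str = PSG           # assumed UI default when the table omits Source
    destination: str = ANY      # assumed UI default when the table omits Destination
    services: tuple = (ANY,)

# policy name -> (weight, security groups the policy is applied to, rules in UI order)
# Only the weight 300 comes from the procedure; the others are constructed and
# just need to be higher so that the tier policies are evaluated first.
POLICIES = {
    "Default Web Application Policy": (300, {"web", "app", "db"}, [
        Rule("Allow outgoing http and https", services=("HTTP", "HTTPS", "DNS-UDP")),
        Rule("Block all incoming traffic", "Block", ANY, PSG),
        Rule("Block all outgoing traffic", "Block", PSG, ANY),
    ]),
    "Application Server Policy": (4300, {"app"}, [
        Rule("Allow outgoing MySQL", services=("MySQL",)),
    ]),
    "Database Server Policy": (5300, {"db"}, [
        Rule("Allow intra-group MySQL", destination=PSG, services=("MySQL",)),
    ]),
    "Web Server Policy": (6300, {"web"}, [
        Rule("Block Internal Web", "Block", destination=PSG, services=("HTTP", "HTTPS")),
        Rule("Allow incoming Web", source=ANY, destination=PSG, services=("HTTP", "HTTPS")),
    ]),
}

def _matches(selector, endpoint, groups):
    # "Any" matches everything; "Policy's Security Groups" matches the policy's own groups
    return selector == ANY or endpoint in groups

def evaluate(src, dst, service):
    """Return (action, 'policy: rule') for the first matching rule, highest weight first."""
    for name, (weight, groups, rules) in sorted(POLICIES.items(), key=lambda p: -p[1][0]):
        for r in rules:
            if (_matches(r.source, src, groups) and _matches(r.destination, dst, groups)
                    and (ANY in r.services or service in r.services)):
                return r.action, f"{name}: {r.name}"
    return None  # no policy rule matched; the DFW default rule would decide

if __name__ == "__main__":
    for flow in [("external", "web", "HTTP"), ("app", "db", "MySQL"), ("web", "db", "MySQL")]:
        print(flow, "->", evaluate(*flow))
```

Note that because the default policy's outbound allow precedes its inbound block, tier-to-tier HTTP (for example web to app) is also permitted by these rules; the model makes that consequence visible.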