After you have applied the security policies to the blueprint in your scenario, you can create the distributed firewalls and associate them with the security policies. Distributed firewall rules allow only network traffic that is required by the web application, thus making the environment more secure.

By default, all incoming and outgoing traffic is blocked. For installing software packages and for other special situations, you can open ports. The scenarios in this guide use yum and wget. This task opens ports for HTTP, HTTPS, and DNS-UDP for looking up a proxy server and the port for connecting to the proxy server. Your firewall rule depends entirely on your environment.

1. Log in to the Compute vCenter Server by using the vSphere Web Client.
   1. Open a Web browser and go to https://sfo01w01vc01.sfo01.rainpole.local/vsphere-client .
   2. Log in using the following credentials.

      Setting	Value
      User name	administrator@vsphere.local
      Password	vsphere_admin_password

2. From the vSphere Web Client home page, select Networking & Security.
3. In the Navigator, select Service Composer.
4. In the main panel, select the Security Policies tab.
5. From the NSX Manager drop-down menu, select 172.16.11.66.
6. Create firewall rules for the Default Web Application Policy.
   1. Right-click Default Web Application Policy and click Edit.
   2. Expand Advanced options and change Weight to 300.
   3. Click Firewall Rules in the left panel.
   4. Click the Add icon, add a firewall rule with following values, and click OK.

      Setting	Value
      Name	Allow outgoing http and https
      Description/Comments	Allow outgoing http and https so we can install software with yum
      Action	Allow
      Source	Policy's Security Groups
      Destination	Any
      Service	HTTP, HTTPS, DNS-UDP

   5. Click the Add icon, add a firewall rule with the following values, and click OK.

      Setting	Value
      Name	Block all incoming traffic
      Action	Block
      Source	Any
      Destination	Policy's Security Groups
      Service	Any

   6. Click the Add icon, add a firewall rule with the following values, click OK, and click Finish.

      Setting	Value
      Name	Block all outgoing traffic
      Action	Block
      Source	Policy's Security Groups
      Destination	Any
      Service	Any

7. Create firewall rules for the Application Server Policy
   1. Right-click Application Server Policy and click Edit.
   2. Click Firewall Rules in the left panel
   3. Click the Add icon to add a firewall rule with the following values.

      Setting	Value
      Name	Allow outgoing MySQL
      Service	MySQL

   4. Click OK and click Finish.
8. Create firewall rules for the Database Server Policy.
   1. Right-click Database Server Policy and click Edit.
   2. Click Firewall Rules in the left panel.
   3. Click the Add icon to add a firewall rule with the following values.

      Setting	Value
      Name	Allow intra-group MySQL
      Destination	Policy's Security Groups
      Service	MySQL

   4. Click OK and click Finish.
9. Create firewall rules for the Web Server Policy
   1. Right-click Web Server Policy and click Edit.
   2. Click Firewall Rules in the left panel.
   3. Click the Add icon to add a firewall rule with the following values and click OK.

      Setting	Value
      Name	Block Internal Web
      Action	Block
      Destination	Policy's Security Groups
      Service	HTTP, HTTPS

   4. Click the Add icon to add another firewall rule with following information, click OK, and click Finish.

      Setting	Value
      Name	Allow incoming Web
      Source	Any
      Destination	Policy's Security Groups
      Service	HTTP, HTTPS

   5. Click OK and click Finish.