A firewall table lists rules to filter network traffic to and from private cloud resources. Firewall rules control network traffic between a source network or IP address and a destination network or IP address.
After you set up your firewall table and firewall rules, you can attach the table to a subnet to apply the corresponding rules. You can apply a firewall table to multiple subnets, but a subnet can only be associated with one firewall table.
Firewall tables can only be applied to management subnets. For subnets containing workload VMs, manage firewall settings in NSX-T Data Center instead. For details, see Firewall in Manager Mode.
Creating a firewall table
- Access the Google Cloud VMware Engine portal
- Go to Network > Firewall tables.
- Click Create new firewall table.
- Enter a name for the table.
- Optionally, add firewall rules. Each firewall table begins with a set of default firewall rules.
- Click Done to save the firewall table.
Attaching a firewall table to a subnet
After you define a firewall table, you can specify the subnets that are subject to the rules in the table.
- On the Network > Firewall tables page, select a firewall table.
- Open the Attached subnets tab.
- Click Attach to a subnet.
- Select the private cloud and subnet. If the user-created rules in your table only apply to public IP addresses or the internet, attach the table to the System management subnet.
- Click Submit.
Firewall rules determine how the firewall treats specific types of traffic. The Rules tab for a selected firewall table lists all of the associated rules.
To create a firewall rule, follow these steps:
- Go to Network > Firewall tables.
- Select the firewall table.
- Click Create new rule.
- Set the desired firewall rule properties.
- Click Done to save the rule and add it to the list of rules for the firewall table.
A stateless firewall rule looks only at individual packets, and filters them based on the rule. Use stateless rules for traffic between the following points:
- Subnets of private clouds
- On-premises subnet and a private cloud subnet
- Internet traffic from the private clouds
A stateful firewall rule tracks the connections that pass through it. A stateful rule creates a flow record for existing connections. Communication is allowed or denied based on the connection state of the flow record. Use this rule type for public IP addresses to filter traffic from the internet.
Default firewall rules
Every firewall table has the following default firewall rules:
|Priority||Name||State tracking||Direction||Traffic type||Protocol||Source||Source port||Destination||Destination port||Action|
|65000||allow-all-to-internet||Stateful||Outbound||Public IP or internet traffic||All||Any||Any||Any||Any||Allow|
|65001||deny-all-from-internet||Stateful||Inbound||Public IP or internet traffic||All||Any||Any||Any||Any||Deny|
|65002||allow-all-to-intranet||Stateless||Outbound||Private cloud internal or VPN traffic||All||Any||Any||Any||Any||Allow|
|65003||allow-all-from-intranet||Stateless||Inbound||Private cloud internal or VPN traffic||All||Any||Any||Any||Any||Allow|
Firewall rule properties
The following table describes the properties in a firewall rule:
|Name||A name that uniquely identifies the firewall rule and its purpose.|
|Priority||A number between 100 and 4096, with 100 being the highest priority. Rules are processed in priority order. When traffic encounters a rule match, rule processing stops. Rules with lower priorities that have the same attributes as rules with higher priorities aren't processed. Take care to avoid conflicting rules.|
|Traffic type||Tracking can be stateless (private cloud, internet, or VPN) or stateful (public IP).|
|Protocol||Whether the rule covers the TCP or UDP protocol.|
|Direction||Whether the rule applies to inbound or outbound traffic. You must define separate rules for inbound and outbound traffic.|
|Action||Allow or deny for the type of traffic defined in the rule.|
|Source||An IP address, classless inter-domain routing (CIDR) block (10.0.0.0/24, for example), or Any. Specifying a range, a service tag, or application security group lets you create fewer security rules.|
|Source port range||Port from which network traffic originates. You can specify an individual port or range of ports, such as 443 or 8000-8080. Specifying a range lets you create fewer security rules.|
|Destination||An IP address, CIDR block (10.0.0.0/24, for example), or Any. Specifying a range, a service tag, or application security group lets you create fewer security rules.|
|Destination port range||Port to which the network traffic flows. You can specify an individual port or range of ports, such as 443 or 8000-8080. Specifying a range lets you create fewer security rules.|