Firewall tables

A firewall table lists rules to filter network traffic to and from private cloud resources. Firewall rules control network traffic between a source network or IP address and a destination network or IP address.

After you set up your firewall table and firewall rules, you can attach the table to a subnet to apply the corresponding rules. You can apply a firewall table to multiple subnets, but a subnet can only be associated with one firewall table.

Firewall tables are used to control access to external IP addresses. For all other access controls, manage firewall settings in NSX-T Data Center. For details, see Firewall in Manager Mode.

Creating a firewall table

  1. Access the Google Cloud VMware Engine portal.
  2. Go to Network > Firewall tables.
  3. Click Create new firewall table.
  4. Enter a name for the table.
  5. Optionally, add firewall rules. Each firewall table begins with a set of default firewall rules.
  6. Click Done to save the firewall table.

Attaching a firewall table to a subnet

After you define a firewall table, you can specify the subnets that are subject to the rules in the table.

  1. On the Network > Firewall tables page, select a firewall table.
  2. Select the Attached subnets tab.
  3. Click Attach to a subnet.
  4. Select the private cloud you want to attach the firewall table to.
  5. Select the NsxtEdgeUplink1 subnet of that private cloud.
  6. Click Submit.
  7. Repeat the above steps for the NsxtEdgeUplink2 subnet of that private cloud.

Firewall rules

Firewall rules determine how the firewall treats specific types of traffic. The Rules tab for a selected firewall table lists all of the associated rules.

To create a firewall rule, follow these steps:

  1. Go to Network > Firewall tables.
  2. Select the firewall table.
  3. Click Create new rule.
  4. Set the desired firewall rule properties.
  5. Click Done to save the rule and add it to the list of rules for the firewall table.

Stateful rules

A stateful firewall rule tracks the connections that pass through it: it creates a flow record for each connection and allows or denies subsequent traffic based on the connection state held in that record. Use this rule type for public IP addresses to filter traffic from the internet.

Default firewall rules

Every firewall table has the following default firewall rules:

| Priority | Name | Direction | Traffic type | Protocol | Source | Source port | Destination | Destination port | Action |
|---|---|---|---|---|---|---|---|---|---|
| 65000 | allow-tcp-to-internet | Outbound | Public IP or internet traffic | TCP | Any | Any | Any | Any | Allow |
| 65001 | allow-udp-to-internet | Outbound | Public IP or internet traffic | UDP | Any | Any | Any | Any | Allow |
| 65002 | allow-icmp-to-internet | Outbound | Public IP or internet traffic | ICMP | Any | Any | Any | Any | Allow |
| 65100 | deny-all-from-internet | Inbound | Public IP or internet traffic | All protocols | Any | Any | Any | Any | Deny |
| 65101 | allow-all-to-intranet | Outbound | Private cloud internal or VPN traffic | All protocols | Any | Any | Any | Any | Allow |
| 65102 | allow-all-from-intranet | Inbound | Private cloud internal or VPN traffic | All protocols | Any | Any | Any | Any | Allow |

Firewall rule properties

The following table describes the properties in a firewall rule:

| Property | Description |
|---|---|
| Name | A name that uniquely identifies the firewall rule and its purpose. |
| Priority | A number between 100 and 4096, with 100 being the highest priority (a lower number means a higher priority). Rules are processed in priority order, and processing stops at the first rule that matches the traffic. A lower-priority rule that has the same attributes as a higher-priority rule is therefore never processed, so take care to avoid conflicting rules. |
| Protocol | Internet protocol covered by the rule. |
| Direction | Whether the rule applies to inbound or outbound traffic. You must define separate rules for inbound and outbound traffic. |
| Action | Allow or deny for the type of traffic defined in the rule. |
| Source | An IP address, classless inter-domain routing (CIDR) block (10.0.0.0/24, for example), or Any. |
| Source port range | Port from which network traffic originates. You can specify an individual port or a range of ports, such as 443 or 8000-8080. Specifying a range lets you create fewer security rules. |
| Destination | An IP address, CIDR block (10.0.0.0/24, for example), or Any. |
| Destination port range | Port to which the network traffic flows. You can specify an individual port or a range of ports, such as 443 or 8000-8080. Specifying a range lets you create fewer security rules. |
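As an added example (not code from the VMware Engine docs), the following Python models the evaluation described under Priority: lowest number first, stop at the first match, plus a check for rules that repeat a higher-priority rule's match attributes and therefore never fire; the default rules from the table above are the data, and because user rules take priorities 100 to 4096 they are always checked before the defaults at 65000 and up. The `Rule` layout, the flow dict, the "internet"/"intranet" traffic labels and the sample addresses are assumptions made for this model.

```python
import ipaddress
from collections import namedtuple

# One firewall-table row (assumed layout). direction: "Inbound"/"Outbound"; traffic: "internet" (public IP
# or internet) or "intranet" (private cloud/VPN); protocol: "TCP"/"UDP"/"ICMP"/"All"; ports: "Any", "443", "8000-8080".
Rule = namedtuple("Rule", "priority name direction traffic protocol "
                          "source src_port destination dst_port action")

def addr_ok(spec, ip):  # spec is "Any", a single IP or a CIDR block such as 10.0.0.0/24
    return spec == "Any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def port_ok(spec, port):
    if spec == "Any":
        return True
    lo, _, hi = spec.partition("-")       # "443" -> 443..443, "8000-8080" -> 8000..8080
    return int(lo) <= port <= int(hi or lo)

def matches(rule, flow):
    # flow: dict with direction, traffic, protocol, src, sport, dst, dport (assumed shape)
    return (rule.direction == flow["direction"] and rule.traffic == flow["traffic"]
            and rule.protocol in ("All", flow["protocol"])
            and addr_ok(rule.source, flow["src"]) and port_ok(rule.src_port, flow["sport"])
            and addr_ok(rule.destination, flow["dst"]) and port_ok(rule.dst_port, flow["dport"]))

def evaluate(rules, flow):
    # Lowest priority number wins; processing stops at the first match (None if nothing matches).
    for rule in sorted(rules, key=lambda r: r.priority):
        if matches(rule, flow):
            return rule.action, rule.name
    return None

def shadowed(rules):
    # Rules whose match attributes repeat a higher-priority rule's are never processed.
    seen, names = set(), []
    for rule in sorted(rules, key=lambda r: r.priority):
        key = rule[2:9]                   # everything except priority, name and action
        if key in seen:
            names.append(rule.name)
        seen.add(key)
    return names

# The six default rules from the table above, transcribed here as constructed data.
DEFAULT_RULES = [
    Rule(65000, "allow-tcp-to-internet", "Outbound", "internet", "TCP", "Any", "Any", "Any", "Any", "Allow"),
    Rule(65001, "allow-udp-to-internet", "Outbound", "internet", "UDP", "Any", "Any", "Any", "Any", "Allow"),
    Rule(65002, "allow-icmp-to-internet", "Outbound", "internet", "ICMP", "Any", "Any", "Any", "Any", "Allow"),
    Rule(65100, "deny-all-from-internet", "Inbound", "internet", "All", "Any", "Any", "Any", "Any", "Deny"),
    Rule(65101, "allow-all-to-intranet", "Outbound", "intranet", "All", "Any", "Any", "Any", "Any", "Allow"),
    Rule(65102, "allow-all-from-intranet", "Inbound", "intranet", "All", "Any", "Any", "Any", "Any", "Allow"),
]
```

With only the defaults, an inbound connection from the internet to a public IP hits deny-all-from-internet; adding a user rule at priority 1000 that allows TCP/443 to that address changes the verdict for port 443 only, and a second rule with identical match attributes is reported as shadowed.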