Firewall tables
A firewall table lists rules to filter network traffic to and from private cloud resources. Firewall rules control network traffic between a source network or IP address and a destination network or IP address.
After you set up your firewall table and firewall rules, you can attach the table to a subnet to apply the corresponding rules. You can apply a firewall table to multiple subnets, but a subnet can only be associated with one firewall table.
Firewall tables are used to control access to external IP addresses. For all other access controls, manage firewall settings in NSX-T Data Center. For details, see Firewall in Manager Mode.
Creating a firewall table
- Access the Google Cloud VMware Engine portal.
- Go to Network > Firewall tables.
- Click Create new firewall table.
- Enter a name for the table.
- Optionally, add firewall rules. Each firewall table begins with a set of default firewall rules.
- Click Done to save the firewall table.
Attaching a firewall table to a subnet
After you define a firewall table, you can specify the subnets that are subject to the rules in the table.
- On the Network > Firewall tables page, select a firewall table.
- Select the Attached subnets tab.
- Click Attach to a subnet.
- Select the private cloud you want to attach the firewall table to.
- Select the NsxtEdgeUplink1 subnet of that private cloud.
- Click Submit.
- Repeat the above steps for the NsxtEdgeUplink2 subnet of that private cloud.
Firewall rules
Firewall rules determine how the firewall treats specific types of traffic. The Rules tab for a selected firewall table lists all of the associated rules.
To create a firewall rule, follow these steps:
- Go to Network > Firewall tables.
- Select the firewall table.
- Click Create new rule.
- Set the desired firewall rule properties.
- Click Done to save the rule and add it to the list of rules for the firewall table.
Stateful rules
A stateful firewall rule tracks the connections that pass through it. A stateful rule creates a flow record for existing connections. Communication is allowed or denied based on the connection state of the flow record. Use this rule type for public IP addresses to filter traffic from the internet.
Default firewall rules
Every firewall table has the following default firewall rules:
Priority | Name | Direction | Traffic type | Protocol | Source | Source port | Destination | Destination port | Action |
---|---|---|---|---|---|---|---|---|---|
65000 | allow-tcp-to-internet | Outbound | Public IP or internet traffic | TCP | Any | Any | Any | Any | Allow |
65001 | allow-udp-to-internet | Outbound | Public IP or internet traffic | UDP | Any | Any | Any | Any | Allow |
65002 | allow-icmp-to-internet | Outbound | Public IP or internet traffic | ICMP | Any | Any | Any | Any | Allow |
65100 | deny-all-from-internet | Inbound | Public IP or internet traffic | All protocols | Any | Any | Any | Any | Deny |
65101 | allow-all-to-intranet | Outbound | Private cloud internal or VPN traffic | All protocols | Any | Any | Any | Any | Allow |
65102 | allow-all-from-intranet | Inbound | Private cloud internal or VPN traffic | All protocols | Any | Any | Any | Any | Allow |
Firewall rule properties
The following table describes the properties in a firewall rule:
Property | Description |
---|---|
Name | A name that uniquely identifies the firewall rule and its purpose. |
Priority | A number between 100 and 4096, with 100 being the highest priority. Rules are processed in priority order. When traffic encounters a rule match, rule processing stops. Rules with lower priorities that have the same attributes as rules with higher priorities aren't processed. Take care to avoid conflicting rules. |
Protocol | Internet protocol covered by the rule. |
Direction | Whether the rule applies to inbound or outbound traffic. You must define separate rules for inbound and outbound traffic. |
Action | Allow or deny for the type of traffic defined in the rule. |
Source | An IP address, classless inter-domain routing (CIDR) block (10.0.0.0/24, for example), or Any. |
Source port range | Port from which network traffic originates. You can specify an individual port or range of ports, such as 443 or 8000-8080. Specifying a range lets you create fewer security rules. |
Destination | An IP address, CIDR block (10.0.0.0/24, for example), or Any. |
Destination port range | Port to which the network traffic flows. You can specify an individual port or range of ports, such as 443 or 8000-8080. Specifying a range lets you create fewer security rules. |
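As an added worked example (not code from the VMware Engine documentation), the following Python models the priority-ordered, first-match evaluation described under Priority, loaded with the six default rules listed above. The Rule fields, the shortened traffic-type labels "internet" and "intranet", the sample public IP 203.0.113.10 and the user_rule and evaluate helpers are assumptions made for illustration; the real service's matching logic is not reproduced.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

ANY = "Any"
# Fields follow the firewall rule properties table; protocol "All" = "All protocols".
Rule = namedtuple("Rule", "priority name direction traffic_type protocol "
                          "source source_port destination destination_port action")

def _addr_ok(spec, addr):
    return spec == ANY or ip_address(addr) in ip_network(spec, strict=False)

def _port_ok(spec, port):
    if spec == ANY:
        return True
    lo, _, hi = spec.partition("-")  # spec is "443" or "8000-8080"
    return port is not None and int(lo) <= port <= int(hi or lo)

# Default rules every table starts with (priorities 65000-65102, from the page).
DEFAULT_RULES = [
    Rule(65000, "allow-tcp-to-internet", "Outbound", "internet", "TCP", ANY, ANY, ANY, ANY, "Allow"),
    Rule(65001, "allow-udp-to-internet", "Outbound", "internet", "UDP", ANY, ANY, ANY, ANY, "Allow"),
    Rule(65002, "allow-icmp-to-internet", "Outbound", "internet", "ICMP", ANY, ANY, ANY, ANY, "Allow"),
    Rule(65100, "deny-all-from-internet", "Inbound", "internet", "All", ANY, ANY, ANY, ANY, "Deny"),
    Rule(65101, "allow-all-to-intranet", "Outbound", "intranet", "All", ANY, ANY, ANY, ANY, "Allow"),
    Rule(65102, "allow-all-from-intranet", "Inbound", "intranet", "All", ANY, ANY, ANY, ANY, "Allow"),
]

def user_rule(*fields):
    # User-defined rules must use a priority between 100 and 4096 (assumed helper).
    rule = Rule(*fields)
    if not 100 <= rule.priority <= 4096:
        raise ValueError(f"priority {rule.priority} is outside 100-4096")
    return rule

def evaluate(rules, direction, traffic_type, protocol, src, sport, dst, dport):
    """Return (name, action) of the first match in priority order (lowest number
    first). Processing stops at the first match; None if no rule matches."""
    for r in sorted(rules, key=lambda r: r.priority):
        if (r.direction == direction and r.traffic_type == traffic_type
                and r.protocol in ("All", protocol)
                and _addr_ok(r.source, src) and _port_ok(r.source_port, sport)
                and _addr_ok(r.destination, dst) and _port_ok(r.destination_port, dport)):
            return r.name, r.action
    return None

# Constructed scenario: publish HTTPS on 203.0.113.10; the 2000 rule is shadowed by 1000.
TABLE = DEFAULT_RULES + [
    user_rule(1000, "allow-https-from-internet", "Inbound", "internet", "TCP", ANY, ANY, "203.0.113.10", "443", "Allow"),
    user_rule(2000, "allow-https-shadowed", "Inbound", "internet", "TCP", ANY, ANY, "203.0.113.10", "443", "Allow"),
]
```

Because user rules are confined to 100-4096 and the defaults sit at 65000 and above, an explicit inbound allow always wins over deny-all-from-internet, while any inbound public traffic that no user rule matches still falls through to that default deny.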