Advanced Networking Services Guide
Table Of Contents
- vCloud Air Advanced Networking Services Guide
- Contents
- Preface
- Introducing Advanced Networking Services for vCloud Air
- Advanced Routing for vCloud Air
- Certificate and Security Group Management
- Network Security and Isolation
- Load Balancing
- Secure Access Using Virtual Private Networks
- IP Service Management: NAT and DHCP
- Index
4 Network Security and Isolation
Advanced Networking Services provides functionality to create robust firewalls to protect your virtual
machines deployed in vCloud Air from outside network traffic as well as to create internal firewalls to
isolate virtual machines from each other.
This chapter includes the following topics:
- "Types of Firewalls in vCloud Air," on page 29
- "Manage Edge Gateway Firewall Rules," on page 30
- "Manage Trust Groups Firewall Rules," on page 35
Types of Firewalls in vCloud Air
You can create two kinds of firewall rules: rules that apply to Trust Groups, which isolate virtual
machines from each other, and rules that apply to an edge gateway, which protect your virtual machines
from outside network traffic.
Rules defined at the centralized level are referred to as pre rules. Tenants can then add rules at the level
of an individual edge gateway; these are referred to as local rules.
Each traffic session is checked against the top rule in the firewall table first and then against each
subsequent rule in turn. The first rule that matches the traffic parameters is enforced and no later rule is
consulted, so a rule lower in the table cannot override a broader rule above it. Rules are evaluated in the
following order:
1 User-defined pre rules have the highest priority and are enforced in top-to-bottom order with per-virtual
NIC precedence.
2 Auto-plumbed rules (rules that enable control traffic to flow for edge gateway services).
3 Local rules defined at the edge gateway level.
4 The default Trust Group firewall rule.
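The following Python model is added here as an illustration of the first-match ordering described above; it is not vCloud Air code and does not use the product's API. Rules from all four tiers are merged into one table, the highest-priority tier is checked first, and the first match decides. The rule fields (src, dst, proto, dport, action), the rule names and the addresses are constructed for the example, the auto-plumbed entry is an invented stand-in for a platform-generated control-traffic rule, and per-virtual-NIC precedence is not modelled. The shadowed() helper is the check a practitioner wants before publishing a table: it lists rules that an earlier rule already covers, which is how a tenant's local allow rule can silently have no effect when a pre rule above it denies the same traffic.

```python
"""Model of first-match firewall evaluation across rule tiers.

Added illustration only: this is not vCloud Air code or its API. The rule
fields and the sample table are constructed for the example, and
per-virtual-NIC precedence is not modelled.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Tiers in the order the guide gives them; a lower number is checked first.
PRE, AUTO_PLUMBED, LOCAL, DEFAULT = 1, 2, 3, 4


@dataclass(frozen=True)
class Rule:
    tier: int
    name: str
    src: str                # CIDR, single address, or "any"
    dst: str
    proto: str              # "tcp", "udp", "icmp" or "any"
    dport: Optional[int]    # None means any destination port
    action: str             # "allow" or "deny"

    def matches(self, src: str, dst: str, proto: str, dport: Optional[int]) -> bool:
        return (_addr_in(self.src, src) and _addr_in(self.dst, dst)
                and self.proto in ("any", proto)
                and self.dport in (None, dport))


def _addr_in(pattern: str, addr: str) -> bool:
    if pattern == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)


def _net_covers(wide: str, narrow: str) -> bool:
    """True if every address matched by `narrow` is also matched by `wide`."""
    if wide == "any":
        return True
    if narrow == "any":
        return False
    return ipaddress.ip_network(narrow, strict=False).subnet_of(
        ipaddress.ip_network(wide, strict=False))


def _covers(earlier: Rule, later: Rule) -> bool:
    """True if `earlier` matches every session that `later` would match."""
    return (_net_covers(earlier.src, later.src) and _net_covers(earlier.dst, later.dst)
            and earlier.proto in ("any", later.proto)
            and earlier.dport in (None, later.dport))


def ordered(rules: List[Rule]) -> List[Rule]:
    # sorted() is stable, so rules keep their top-to-bottom order within a tier.
    return sorted(rules, key=lambda r: r.tier)


def evaluate(rules: List[Rule], src: str, dst: str, proto: str,
             dport: Optional[int]) -> Tuple[str, str]:
    """Return (action, rule name) of the first matching rule, top to bottom."""
    for rule in ordered(rules):
        if rule.matches(src, dst, proto, dport):
            return rule.action, rule.name
    raise ValueError("no rule matched; the table should end with a default rule")


def shadowed(rules: List[Rule]) -> List[str]:
    """Names of rules that can never be hit because an earlier rule covers them."""
    table = ordered(rules)
    return [r.name for i, r in enumerate(table)
            if any(_covers(e, r) for e in table[:i])]


# Constructed sample table (deliberately listed out of tier order). The
# auto-plumbed entry stands in for a platform-generated control-traffic rule.
RULES = [
    Rule(LOCAL, "local-allow-rdp-from-office", "203.0.113.0/24", "10.0.1.0/24", "tcp", 3389, "allow"),
    Rule(LOCAL, "local-allow-https", "any", "10.0.1.10", "tcp", 443, "allow"),
    Rule(DEFAULT, "default-deny", "any", "any", "any", None, "deny"),
    Rule(PRE, "pre-deny-rdp", "any", "10.0.1.0/24", "tcp", 3389, "deny"),
    Rule(AUTO_PLUMBED, "auto-allow-ike", "any", "any", "udp", 500, "allow"),
]

if __name__ == "__main__":
    # The tenant's RDP allow is never reached: the pre rule above it wins.
    print(evaluate(RULES, "203.0.113.5", "10.0.1.10", "tcp", 3389))  # ('deny', 'pre-deny-rdp')
    print(evaluate(RULES, "198.51.100.7", "10.0.1.10", "tcp", 443))  # ('allow', 'local-allow-https')
    print(evaluate(RULES, "198.51.100.7", "10.0.1.10", "tcp", 22))   # ('deny', 'default-deny')
    print(shadowed(RULES))  # ['local-allow-rdp-from-office']
```

Running the module shows the tenant's RDP allow rule reported as shadowed: the centrally defined pre rule denies TCP/3389 to the same subnet and is checked first, so the local rule is never consulted. The default Trust Group rule sits last and catches everything the earlier tiers did not match, which is why the table must always end with one.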
Edge Gateway Firewall
The firewall for the edge gateway helps you meet key perimeter security requirements, such as building
DMZs based on IP/VLAN constructs, tenant-to-tenant isolation in multi-tenant virtual data centers,
Network Address Translation (NAT), partner (extranet) VPNs, and user-based SSL VPNs.
The Edge Gateway Firewall monitors North-South traffic to provide perimeter security functionality
including firewall, Network Address Translation (NAT) as well as site-to-site IPSec and SSL VPN
functionality. This solution is available in the virtual machine form factor and can be deployed in a High
Availability mode.
VMware, Inc.
29