Advanced Networking Services Guide

Firewall for Trust Groups
The Trust Group firewall allows you to segment virtual data center entities like virtual machines based on
virtual machine names and attributes.
The Trust Groups firewall is a hypervisor kernel-embedded firewall that provides visibility and control for
virtualized workloads and networks. You can create access control policies based on objects like data centers
and virtual machine names, and on network constructs like IP addresses or IP set addresses. Firewall rules are
enforced at the vNIC level of each virtual machine, so access control stays consistent even when the
virtual machine is vMotioned to another host. The hypervisor-embedded nature of the firewall delivers close to line-rate
throughput, which enables higher workload consolidation on physical servers. The distributed nature of the
firewall provides a scale-out architecture that automatically extends firewall capacity when additional hosts
are added to a data center.
For L2 packets, the Trust Groups firewall creates a cache to boost performance. L3 packets are processed in
the following sequence:
1 All packets are checked for an existing state. This is done for SYNs too, so that bogus or retransmitted
SYNs for existing sessions can be detected.
2 When a state match is found, the packets are processed according to that state.
3 When a state match is not found, the packets are processed through the rules, in order, until a match is found.
- For TCP packets, a state is set only for packets with the SYN flag. However, rules that do not specify a
protocol (service ANY) can match TCP packets with any combination of flags.
- For UDP packets, the 5-tuple (protocol, source and destination address, source and destination port) is extracted from the packet. When a state does not exist in the state
table, a new state is created using the extracted 5-tuple. Subsequently received packets are
matched against the state that was just created.
- For ICMP packets, the ICMP type, code, and packet direction are used to create a state.
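The following is an added example, not code from this guide or from the product: a small Python model of the L3 processing sequence above, so the order of operations (state lookup first, including for SYNs; rule walk only on a miss; TCP state created only by a SYN; UDP state from the 5-tuple; ICMP state from type, code and direction) can be traced on constructed traffic. The `Packet` and `Rule` fields, the state-table layout, the reverse-tuple lookup for replies, the implicit block when no rule matches, and the reading that a TCP-specific rule admits a session only on its SYN while a service ANY rule matches any flag combination are all assumptions made for illustration; the addresses and ports are made up.

```python
# Added example, not code from the vCloud Air guide. Rule fields, state keys,
# the implicit default block and the TCP/ANY rule semantics are assumptions.
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

ANY = "any"

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                             # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    flags: FrozenSet[str] = frozenset()    # TCP flags, e.g. frozenset({"SYN"})
    icmp_type: int = 0
    icmp_code: int = 0
    direction: str = "in"                  # "in" or "out", relative to the vNIC

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                            # "allow" or "block"
    service: str = ANY                     # "tcp", "udp", "icmp" or ANY
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.service != ANY and self.service != p.proto:
            return False
        # Assumed reading of the text: a TCP-specific rule admits a session only
        # on its SYN (state is set only for SYNs); a service-ANY rule matches a
        # TCP packet carrying any combination of flags.
        if self.service == "tcp" and "SYN" not in p.flags:
            return False
        return self.dport is None or self.dport == p.dport

def state_keys(p: Packet) -> Tuple[tuple, ...]:
    """Keys under which a packet is looked up in the state table."""
    if p.proto == "icmp":
        return ((p.proto, p.src, p.dst, p.icmp_type, p.icmp_code, p.direction),)
    fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
    rev = (p.proto, p.dst, p.dport, p.src, p.sport)   # replies hit the same state
    return (fwd, rev)

class TrustGroupFirewall:
    def __init__(self, rules):
        self.rules = list(rules)
        self.state = {}           # state key -> action decided when state was set
        self.syn_anomalies = []   # pure SYNs seen for sessions that already have state

    def process(self, p: Packet):
        """Return (action, reason) for one packet and update the state table."""
        keys = state_keys(p)
        # 1. Every packet, SYNs included, is checked against existing state.
        for k in keys:
            if k in self.state:
                if p.proto == "tcp" and "SYN" in p.flags and "ACK" not in p.flags:
                    self.syn_anomalies.append(k)   # retransmitted or bogus SYN
                # 2. State match: process according to the stored decision.
                return self.state[k], "state"
        # 3. No state: walk the rules in order until one matches.
        for rule in self.rules:
            if rule.matches(p):
                if rule.action == "allow" and self._creates_state(p):
                    for k in keys:
                        self.state[k] = rule.action
                return rule.action, rule.name
        return "block", "implicit-default"   # assumed when no rule matches

    @staticmethod
    def _creates_state(p: Packet) -> bool:
        if p.proto == "tcp":
            return "SYN" in p.flags     # TCP: state only on SYN
        return True                     # UDP: 5-tuple; ICMP: type/code/direction

def demo():
    """Constructed traffic run through a small policy; returns each verdict."""
    fw = TrustGroupFirewall([
        Rule("web", "allow", "tcp", 443),
        Rule("dns", "allow", "udp", 53),
        Rule("ping", "allow", "icmp"),
        Rule("default-block", "block"),       # service ANY: matches any TCP flags
    ])
    syn = Packet("10.0.0.5", "10.0.1.20", "tcp", 50000, 443, frozenset({"SYN"}))
    ack = Packet("10.0.0.5", "10.0.1.20", "tcp", 50000, 443, frozenset({"ACK"}))
    synack = Packet("10.0.1.20", "10.0.0.5", "tcp", 443, 50000, frozenset({"SYN", "ACK"}))
    stray = Packet("10.0.0.5", "10.0.1.20", "tcp", 50001, 443, frozenset({"ACK"}))
    query = Packet("10.0.0.5", "10.0.1.53", "udp", 40000, 53)
    answer = Packet("10.0.1.53", "10.0.0.5", "udp", 53, 40000)
    echo = Packet("10.0.0.5", "10.0.1.20", "icmp", icmp_type=8, direction="out")
    echo_reply = Packet("10.0.1.20", "10.0.0.5", "icmp", icmp_type=0, direction="in")
    return {
        "syn": fw.process(syn),                # ("allow", "web"): rule hit, state set
        "ack": fw.process(ack),                # ("allow", "state")
        "synack": fw.process(synack),          # ("allow", "state"): reverse 5-tuple
        "stray_ack": fw.process(stray),        # ("block", "default-block"): no SYN, no state
        "resent_syn": fw.process(syn),         # ("allow", "state"), recorded as an anomaly
        "query": fw.process(query),            # ("allow", "dns"): UDP state from 5-tuple
        "answer": fw.process(answer),          # ("allow", "state")
        "echo": fw.process(echo),              # ("allow", "ping")
        "echo_reply": fw.process(echo_reply),  # ("allow", "ping"): new type/direction, new state
        "syn_anomalies": len(fw.syn_anomalies),  # 1
    }
```

The point worth noticing is the stray ACK: with no SYN seen, no state exists and the TCP-specific allow rule never matches, so the packet falls through to the service ANY rule. That is why a permissive service ANY rule near the top of a policy (for example an "allow any" placed for troubleshooting) admits mid-stream or crafted TCP segments that a protocol-specific rule would not.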
The Trust Groups firewall also supports identity-based rules. Administrators can enforce access
control based on the user's group membership as defined in the enterprise Active Directory. The following
scenarios show ways to use identity-based firewall rules:
- A user accessing virtual applications from a laptop or mobile device, where Active Directory is used for user
authentication.
- A user accessing virtual applications through VDI infrastructure, where the virtual machines are Microsoft
Windows based.
If you have a third-party vendor firewall solution deployed in your environment, see Redirecting Traffic to
a Vendor Solution through Logical Firewall in the NSX Administration Guide.
Running open VMware Tools on guest or workload virtual machines has not been validated with the Trust
Groups firewall.
Manage Edge Gateway Firewall Rules
You can navigate to an edge gateway to see the rules that apply to it.
Firewall rules applied to an edge gateway only protect traffic that passes through the edge gateway (traffic to and from the router). They do not
protect traffic traveling between virtual machines within a virtual data center, which never reaches the edge. To protect intra-virtual data
center (East-West) traffic, create Trust Groups firewall rules.
Rules that were created in the firewall user interface and apply to an edge gateway are displayed on the edge gateway in read-only
mode.
Rules are displayed and enforced in the following order:
1 User-defined rules from the Firewall user interface (Read Only).
vCloud Air Advanced Networking Services Guide
30 VMware, Inc.