Edge Firewall Rules:
Tenant can use the edge gateway Firewall tab to add firewall rules for that edge gateway. You can add multiple NSX Edge interfaces and multiple IP address groups as the source and destination for these firewall rules.
The Firewall rules will already have a few entries pre-built in as part of preconfigured services, which you should not need to change in most cases:
When Provider/Tenant creates firewall rules from GUI, the user is allowed to create one firewall rule at a time and at times provider/tenant want to automate firewall rule creation specially if provider/tenant has many rules to create or want to add multiple ports in to firewall rule which reduces their manual efforts..
To overcome with this issue, Cloud Director offers NSX proxy API , which will help provider/tenant to automate rules. Here is process of creating firewall rule using API:
- Find NSX Edge ID using API
- Get Edge FW Configuration
- Post Firewall rules
Find NSX Edge ID:
To find the NSX Edge ID , you need to fire “Get” to this API “https://<vCD>/network/edges”, here is “Get” to my API’s headers information , body will be empty.
Here is API Content:
This call will return All the edges and their related information, note on which edge you want to apply firewall rule and its ID.
Get Edge FW Configuration:
Though this step is not required but if you still want to see what all firewall rules has been configured etc..run “get” against “Edge Id” -“https://<vCD>/network/edges/8417a9fc-c1df-4c03-befd-c79f60d5d0ab/firewall/config”
Post Firewall Rule:
To add firewall rule, we need to do “Post” against URL “https://<vCD>/network/edges/8417a9fc-c1df-4c03-befd-c79f60d5d0ab/firewall/config/rules” with following parameters:
- 417a9fc-c1df-4c03-befd-c79f60d5d0ab – this is Edge ID which we got from Step-1
- Content-Type – Application/xml
- Authorization – Bearer Token
Here is body content which is self explanatory. few important items are as below:
- Entire body must be within <firewallRules></firewallRules>
- Within<firewallRules></firewallRules> you can write various rule within <firewallRule></firewallRule> section.
- <service></service> – In this section you will define “protocol” & “port”.
<firewallRules> <firewallRule> <name>New Rule</name> <ruleType>user</ruleType> <enabled>true</enabled> <loggingEnabled>false</loggingEnabled> <action>accept</action> <destination> <exclude>false</exclude> <vnicGroupId>external</vnicGroupId> <vnicGroupId>internal</vnicGroupId> </destination> <application> <service> <protocol>tcp</protocol> <port>554</port> <sourcePort>any</sourcePort> </service> <service> <protocol>udp</protocol> <port>554</port> <sourcePort>any</sourcePort> </service> <service> <protocol>tcp</protocol> <port>556</port> <sourcePort>any</sourcePort> </service> <service> <protocol>udp</protocol> <port>556</port> <sourcePort>any</sourcePort> </service> </application> </firewallRule> </firewallRules>
if you need to write multiple rules in to single API call, then you can create multiple sections of <firewallRule></firewallRule> with single section of <firewallRules></firewallRules>
Once Header and body is ready, do a post and you should get a valid response of “201 Created”
vCD GUI reflects what you put in to the body of the API call.
I hope this will help Cloud providers/tenants to automate rules which needs to be automated or there are rules which providers need to create by default when onboarding a tenant.