You can use two different firewalls in vCloud.
The distributed firewall filters traffic between virtual machines within the same network (east-west traffic). It should be used when all virtual servers have their own public IP address. A correctly configured distributed firewall protects against both external and internal network security incidents.
The Edge gateway firewall, by contrast, controls north-south traffic. It is used, for example, when you want to hide virtual servers on the intranet. A mixed solution is of course possible, where some servers have public IP addresses while others sit behind NAT on the intranet.
Both firewalls are configured in a similar way. The Edge gateway firewall, however, is part of the Edge package, whose full functionality is described here: LINK
vCloud firewalls have several advantages over firewalls installed on individual virtual servers.
- You control the firewall rules for the entire infrastructure from one central point
- A mistake in the firewall settings cannot accidentally lock you out of a virtual server (for example, by closing the SSH port)
- They add a security layer. It is much harder for an attacker to plant a backdoor on the server, because they cannot open new ports and must replace an existing service instead, which is easier to spot.
- High load on a virtual server does not affect the vCloud firewalls, and adding new virtual servers automatically adds resources to them.
- Rules can be based on a wide variety of parameters (for example, virtual server name, IP address, MAC address, service groups, etc.)
By default, the firewall allows all network traffic.
As a first step, we change the default rule so that the firewall blocks all network traffic. Edit the "Default Allow" rule: in the "Action" column, replace "Allow" with "Deny". After clicking the "Save changes" button, all network traffic to and from virtual servers that have already been created will stop.
Then, as the next step, open all the ports the services need. For example, allowing ICMP lets you ping your server.
We also open ports 80 and 443 to allow HTTP and HTTPS traffic to and from the server.
Rule no. 3 allows SSH access on port 22. The source address can be, for example, the office IP address; the server is then reachable over SSH only from the office network.
The "Allow SSH" rule created in the previous step applies only to the virtual server "test".
In the "Applied To" column you can change which virtual servers the rule applies to.
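The rule set built in the steps above, modelled as an added example (this is not code from the article or from VMware) so you can check what the finished table lets through, how "Applied To" scopes the SSH rule to "test", and why the flipped default rule has to stay at the bottom. Assumptions: rules are evaluated top-down with the first match winning, 203.0.113.0/24 stands in for the office network, and "web2" is a second, made-up virtual server.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple

@dataclass
class Rule:
    name: str
    action: str                            # "Allow" or "Deny", as in the "Action" column
    protocol: Optional[str] = None         # None matches any protocol
    port: Optional[int] = None             # destination port; None matches any port
    source: Optional[str] = None           # source CIDR; None matches any source
    applied_to: Optional[Set[str]] = None  # VM names ("Applied To"); None means all VMs

    def matches(self, vm: str, proto: str, dport: Optional[int], src: str) -> bool:
        if self.applied_to is not None and vm not in self.applied_to:
            return False
        if self.protocol is not None and self.protocol != proto:
            return False
        if self.port is not None and self.port != dport:
            return False
        if self.source is not None and ip_address(src) not in ip_network(self.source):
            return False
        return True

# Rule table as built in the article: explicit allows above the flipped default rule.
# 203.0.113.0/24 is a constructed office network; "test" is the VM named in the article.
RULES: List[Rule] = [
    Rule("Allow ICMP", "Allow", protocol="icmp"),
    Rule("Allow HTTP", "Allow", protocol="tcp", port=80),
    Rule("Allow HTTPS", "Allow", protocol="tcp", port=443),
    Rule("Allow SSH", "Allow", protocol="tcp", port=22,
         source="203.0.113.0/24", applied_to={"test"}),
    Rule("Default Deny", "Deny"),  # the "Default Allow" rule with Action set to Deny
]

def evaluate(rules: List[Rule], vm: str, proto: str, dport: Optional[int], src: str) -> Tuple[str, str]:
    """First matching rule wins, top to bottom; returns (action, rule name)."""
    for rule in rules:
        if rule.matches(vm, proto, dport, src):
            return rule.action, rule.name
    return "Deny", "(no rule matched)"  # unreachable while a catch-all rule is last

def shadowed_rules(rules: List[Rule]) -> List[str]:
    """Names of rules that can never match because a catch-all rule sits above them."""
    def catch_all(r: Rule) -> bool:
        return (r.protocol, r.port, r.source, r.applied_to) == (None, None, None, None)
    for i, rule in enumerate(rules):
        if catch_all(rule):
            return [r.name for r in rules[i + 1:]]
    return []
```

Running shadowed_rules on a table with the deny rule moved to the top lists every allow rule, which is exactly the "all traffic stops" state described after saving the default rule.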
You can find detailed instructions on the VMware website.