Micro-segmentation with Distributed Firewall - Same Network

Updated by Anthony Hakim on Dec 17, 2018
Article Code: kb/1176

Description

In this KB article, we walk through how to use the Distributed Firewall (DFW) that comes with CenturyLink Private Cloud on VMware Cloud Foundation (CPC on vCF). In this particular use case, we have 3 VMs that reside on the same virtual network, and we want to ensure that traffic is not allowed between certain VMs on the same network. We will use micro-segmentation with DFW to do this.

Prerequisites

  • Your base URL and user credentials for CenturyLink Private Cloud on VMware Cloud Foundation
  • 2 VMs on the same network
  • DFW should be enabled for your environment. If it is not, please refer to Enabling the Distributed Firewall.

Environment/Use Case

For the purposes of this KB, we have the following environment:

  • Server: DB-Server - RHEL 7 (192.168.1.23)
  • Server: Web-Server - RHEL 7 (192.168.1.25)
  • Server: RHEL7-AH1 - RHEL 7 (192.168.1.65)
  • Network: Org VDC Network - (org001-orgvdc-network - 192.168.1.0/24)
  • VDC: Org VDC (org001-vdc)

By default, Web-Server and RHEL7-AH1 have access to DB-Server.


Steps

  • Log in to your CPC on vCF environment.

  • Click the Administration tab. In the left side pane, under Cloud Resources, select Virtual Datacenters, then right-click your Virtual Datacenter, and select Manage Firewall...


    A new window will open. If you get a message stating Distributed Firewall is not enabled for this Org VDC, please follow the steps outlined in the Enabling the Distributed Firewall KB article.

    Now, let's create a rule to allow traffic from Web-Server to DB-Server.

  • In the Distributed Firewall page, click the + button. Then configure the rule as follows:

    • Name: Allow Web - DB
    • Source: Click the + button in the Source column, change the Browse objects of type to Virtual Machines, then select Web-Server (you can type the name in the Filter... field - this is case-sensitive), click the right-arrow, then click KEEP
    • Destination: Click the + button in the Destination column, change the Browse objects of type to Virtual Machines, then select DB-Server (you can type the name in the Filter... field - this is case-sensitive), click the right-arrow, then click KEEP
    • Service: Any
    • Action: Allow
    • Direction: In/Out
    • Packet Type: Any
    • Applied To: Click the + button in the Applied To column, change the Browse objects of type to Org Vdc Networks, then select org001-orgvdc-network (you can type the name in the Filter... field - this is case-sensitive), click the right-arrow, then click KEEP
  • Click Save changes

    Now, we will add a rule to deny all other traffic to the DB-Server.

  • In the Distributed Firewall page, click the + button. Then configure the rule as follows:

    • Name: Deny all others to DB
    • Source: Click the + button in the Source column, change the Browse objects of type to Org Vdc Networks, then select org001-orgvdc-network (you can type the name in the Filter... field - this is case-sensitive), click the right-arrow, then click KEEP
    • Destination: Click the + button in the Destination column, change the Browse objects of type to Virtual Machines, then select DB-Server (you can type the name in the Filter... field - this is case-sensitive), click the right-arrow, then click KEEP
    • Service: Any
    • Action: Deny
    • Direction: In/Out
    • Packet Type: Any
    • Applied To: Click the + button in the Applied To column, change the Browse objects of type to Org Vdc Networks, then select org001-orgvdc-network (you can type the name in the Filter... field - this is case-sensitive), click the right-arrow, then click KEEP
  • Click Save changes

Let's test this.

Web-Server should have access to DB-Server, and RHEL7-AH1 should not have access to DB-Server.
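The following is an added model of what those two rules enforce; it is not part of the KB or of the CPC on vCF product. It assumes the DFW checks rules top-down and applies the first match, that a flow matching no rule falls through to a default rule modelled here as Allow, and that "Applied To" scopes a rule to vNICs attached to the named Org VDC network.

```python
# Added model of first-match DFW rule evaluation for the two rules in this KB
# (assumptions: top-down first match, default rule Allow; not from the page).
from dataclasses import dataclass

# Constructed inventory mirroring the KB environment (names and IPs from the page).
VMS = {
    "DB-Server": {"ip": "192.168.1.23", "network": "org001-orgvdc-network"},
    "Web-Server": {"ip": "192.168.1.25", "network": "org001-orgvdc-network"},
    "RHEL7-AH1": {"ip": "192.168.1.65", "network": "org001-orgvdc-network"},
}

@dataclass
class Rule:
    name: str
    action: str           # "Allow" or "Deny"
    source: set           # VM names and/or Org VDC network names; empty set = Any
    destination: set      # same object types as source
    applied_to: set       # Org VDC networks whose attached vNICs enforce the rule

def endpoint_matches(vm: str, selector: set) -> bool:
    """A selector matches a VM directly by name or via the network it is attached to."""
    return not selector or vm in selector or VMS[vm]["network"] in selector

def in_scope(rule: Rule, src: str, dst: str) -> bool:
    """Applied To: the rule is enforced on any vNIC attached to one of its networks."""
    return not rule.applied_to or any(
        VMS[vm]["network"] in rule.applied_to for vm in (src, dst))

def evaluate(rules: list, src: str, dst: str, default: str = "Allow") -> tuple:
    """Return (action, matching rule name) for traffic initiated by src toward dst."""
    for rule in rules:  # top-down, first match wins
        if (in_scope(rule, src, dst) and endpoint_matches(src, rule.source)
                and endpoint_matches(dst, rule.destination)):
            return rule.action, rule.name
    return default, "default rule"

# The two rules exactly as the KB configures them, in the order they are created.
KB_RULES = [
    Rule("Allow Web - DB", "Allow", {"Web-Server"}, {"DB-Server"}, {"org001-orgvdc-network"}),
    Rule("Deny all others to DB", "Deny", {"org001-orgvdc-network"}, {"DB-Server"},
         {"org001-orgvdc-network"}),
]

def policy_matrix(rules: list) -> dict:
    """Every ordered VM pair with the action the rule set yields for it."""
    return {(s, d): evaluate(rules, s, d)[0] for s in VMS for d in VMS if s != d}

if __name__ == "__main__":
    print(policy_matrix(KB_RULES))
```

Running `evaluate(list(reversed(KB_RULES)), "Web-Server", "DB-Server")` returns Deny, which is why the Allow rule must be listed above the Deny rule in the Distributed Firewall page.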
