
Configuring Gateway Firewall Rules

When integrating an on-premises environment with VMware Cloud, particularly VMware Cloud on AWS (VMC on AWS) for a hybrid cloud, you need a clear understanding of the security controls that should be in place and the considerations that apply before addressing the requirement. In the VMware Cloud on AWS SDDC, you configure firewall rules on the Tier-1 gateways: Management and Compute. Firewall rules are sets of instructions that determine whether network traffic should be blocked or allowed based on specific criteria.


Management Gateway Firewall


By default, the management gateway firewall blocks traffic to all management network destinations from all sources. The rule called Default Deny All drops all network traffic.

Compute Gateway Firewall


By default, the compute gateway blocks traffic to all uplinks. The rule called Default Uplink Rule drops all network traffic.

Add compute gateway firewall rules to allow traffic as needed. These rules specify actions to take on network traffic from a specified source to a specified destination.


For any network service, either use one of the default service definitions or create a custom service (Networking & Security -> ADD SERVICE -> Set Service Entries [Service Type / Source & Destination Ports]).


Configuring Distributed Firewall Rules

The distributed firewall is stateful and protects all east-west traffic.

Distributed firewall rules are grouped into policies, and policies are organized into categories. Each category can contain one or more policies. Each policy can contain one or more rules.

Categories are a convenient way to organize security policies. They are an organizational tool only. Firewall rules are enforced in the categories, from left to right (Ethernet > Emergency > Infrastructure > Environment > Application), and top to bottom in each category.
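To make the evaluation order concrete, here is an added example (not code from the original post or from VMware) that models the category ordering described above with a small rule evaluator. It assumes first-match semantics and a default DROP action when no rule matches; the rule names, groups and addresses are constructed sample data.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Category order as described in the text, evaluated left to right.
CATEGORY_ORDER = ["Ethernet", "Emergency", "Infrastructure", "Environment", "Application"]


@dataclass(frozen=True)
class Rule:
    name: str
    category: str
    sources: tuple        # CIDR strings, or "any"
    destinations: tuple   # CIDR strings, or "any"
    services: tuple       # service names such as "HTTPS", or "any"
    action: str           # "ALLOW" or "DROP"


def _addr_matches(cidrs, addr):
    return "any" in cidrs or any(ip_address(addr) in ip_network(c) for c in cidrs)


def evaluate(rules, src, dst, service, default_action="DROP"):
    """Return (action, rule_name) for a flow.

    Rules are walked category by category (left to right) and, within a
    category, in the order they were listed (top to bottom). The first
    matching rule decides (assumption: first-match semantics). If nothing
    matches, the assumed default action applies.
    """
    # sorted() is stable, so the listed order is preserved inside each category.
    ordered = sorted(rules, key=lambda r: CATEGORY_ORDER.index(r.category))
    for r in ordered:
        if (_addr_matches(r.sources, src) and _addr_matches(r.destinations, dst)
                and ("any" in r.services or service in r.services)):
            return r.action, r.name
    return default_action, "default"


# Constructed sample policy: the Application allow is listed first on purpose,
# but the Emergency quarantine rule still wins because its category comes earlier.
SAMPLE_RULES = [
    Rule("web-to-app-https", "Application", ("10.0.1.0/24",), ("10.0.2.0/24",), ("HTTPS",), "ALLOW"),
    Rule("quarantine-host", "Emergency", ("10.0.1.50/32",), ("any",), ("any",), "DROP"),
]

if __name__ == "__main__":
    print(evaluate(SAMPLE_RULES, "10.0.1.50", "10.0.2.10", "HTTPS"))  # quarantined host
    print(evaluate(SAMPLE_RULES, "10.0.1.20", "10.0.2.10", "HTTPS"))  # allowed by Application
    print(evaluate(SAMPLE_RULES, "10.0.1.20", "10.0.2.10", "SSH"))    # no match, default
```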



