A VPC firewall manages the south-north traffic of VPC networks and lets you manage access control policies by configuring rule sets and rules. Each rule set applies to either inbound or outbound traffic of a VPC vRouter, never both. That is, you can add at most one inbound rule set and one outbound rule set to a NIC of a VPC vRouter. A rule set contains multiple rules, which together secure the entire VPC communication and the VPC vRouter itself. This complements security groups, which are applied to VM NICs and mainly protect east-west communication.
Firewall rule set:
A firewall rule set is one of the following two types, according to the direction of the traffic it manages:
- Inbound rule set: Manages traffic that comes from a source through networks to the VPC vRouter.
- Outbound rule set: Manages traffic that is sent from the VPC vRouter to a destination through networks.
Firewall rule:
You can customize the firewall rule priority, which is an integer, as needed. Lower integers indicate higher priorities.
- System rule: A system rule is a predefined rule that supports system services. Priority range: 1-1000 or 4000-9999.
- Custom rule: A custom rule is a rule set by users. Priority range: 1001-2999.
Firewall rules let you allow or deny incoming and outgoing traffic.
- The source and destination IP addresses can be a static IP address, an IP range, or a CIDR. A combination of the above three formats is supported.
- If you enter multiple IP addresses that include one or more CIDRs, note that the CIDR format supports only the /24 mask. If only one CIDR is entered, the mask length is not restricted.
- You can add up to 10 firewall rules at a time. Separate each rule with a comma (,).
The VPC firewall topology is shown in Figure 1 (VPC Firewall).
- Assume that VM-1 attempts to access VM-3: The traffic from VM-1 is matched against the inbound rule set of the public NIC on the VPC vRouter. If malicious traffic is detected, the access is denied.
- Assume that VM-2 attempts to access VM-4: The traffic from VM-2 is first matched against the inbound rule set of the public NIC on the VPC vRouter, and then against the outbound rule set of the private NIC on the VPC vRouter. If the traffic is trusted at both stages, the access is allowed.
- Assume that Server-2 attempts to access Server-1: The traffic from Server-2 is first matched against the inbound rule set of the private NIC on the VPC vRouter, and then against the outbound rule set of the public NIC on the VPC vRouter. If the traffic is trusted at both stages, the access is allowed.
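The three traversal cases above describe the same mechanism: a packet is checked against one rule set per NIC direction it crosses, each rule set tries its rules in ascending priority (lower integer wins), the first matching rule decides, and the rule set's default action applies when nothing matches. The following Python model, added here as an illustration and not ZStack's own code, implements that evaluation order and the chaining of an inbound set followed by an outbound set. To keep it short, source and destination matching uses CIDRs only; the rule fields, priority ranges, actions and packet states are the ones the page lists, while the sample addresses and the policy itself are constructed.

```python
"""Model of VPC firewall rule-set evaluation (illustrative, not ZStack code):
rules are tried in ascending priority, first match decides, and the rule
set's default action applies when no rule matches."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

ACTIONS = ("accept", "drop", "reject")            # actions named on the page
STATES = ("new", "established", "invalid", "related")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str            # e.g. "tcp", "udp", "icmp"
    state: str               # one of STATES
    dst_port: Optional[int] = None


@dataclass
class Rule:
    priority: int
    action: str
    protocol: str                       # required, like the UI field
    src_cidr: Optional[str] = None      # None means "any"
    dst_cidr: Optional[str] = None
    state: Optional[str] = None
    dst_port: Optional[int] = None
    enabled: bool = True                # "Apply immediately" cleared => disabled

    def matches(self, pkt: Packet) -> bool:
        if not self.enabled or self.protocol != pkt.protocol:
            return False
        if self.state is not None and self.state != pkt.state:
            return False
        if self.dst_port is not None and self.dst_port != pkt.dst_port:
            return False
        for cidr, addr in ((self.src_cidr, pkt.src), (self.dst_cidr, pkt.dst)):
            if cidr is not None and ipaddress.ip_address(addr) not in ipaddress.ip_network(cidr):
                return False
        return True


@dataclass
class RuleSet:
    name: str
    default_action: str
    rules: list = field(default_factory=list)

    def add(self, rule: Rule) -> None:
        # Custom rules live in 1001-2999 and priorities are unique per set.
        if not 1001 <= rule.priority <= 2999:
            raise ValueError(f"custom rule priority {rule.priority} outside 1001-2999")
        if any(r.priority == rule.priority for r in self.rules):
            raise ValueError(f"priority {rule.priority} already used in {self.name}")
        if rule.action not in ACTIONS:
            raise ValueError(f"unknown action {rule.action}")
        self.rules.append(rule)

    def evaluate(self, pkt: Packet) -> tuple:
        """Return (action, priority of the deciding rule or None for default)."""
        for rule in sorted(self.rules, key=lambda r: r.priority):
            if rule.matches(pkt):
                return rule.action, rule.priority
        return self.default_action, None


def traverse(pkt: Packet, path: list) -> str:
    """Apply each rule set on the packet's path in order, e.g. the inbound set
    of the public NIC and then the outbound set of the private NIC. The first
    drop or reject ends the walk; accept on every hop means the access is allowed."""
    for rule_set in path:
        action, _ = rule_set.evaluate(pkt)
        if action != "accept":
            return action
    return "accept"


# Constructed sample policy for a vRouter with a public and a private NIC.
public_in = RuleSet("public-inbound", default_action="drop")
public_in.add(Rule(1001, "accept", "tcp", dst_port=443, state="new"))
public_in.add(Rule(1002, "accept", "tcp", state="established"))
public_in.add(Rule(1500, "reject", "tcp", src_cidr="203.0.113.0/24"))  # loses to 1001 when both match

private_out = RuleSet("private-outbound", default_action="accept")
private_out.add(Rule(1001, "drop", "tcp", dst_cidr="10.0.2.0/24", dst_port=22))


def decide(src: str, dst: str, protocol: str, state: str, dst_port: Optional[int] = None) -> str:
    """Path of the VM-2 -> VM-4 case: public NIC inbound, then private NIC outbound."""
    return traverse(Packet(src, dst, protocol, state, dst_port), [public_in, private_out])


if __name__ == "__main__":
    print(decide("198.51.100.7", "10.0.2.10", "tcp", "new", 443))   # accept
    print(decide("198.51.100.7", "10.0.2.10", "tcp", "new", 22))    # drop: public inbound default
    print(decide("203.0.113.9", "10.0.2.10", "tcp", "new", 80))     # reject: rule 1500
```

The point to notice is the third sample call: the source sits in the rejected CIDR of rule 1500, yet a request to port 443 is still accepted because rule 1001 has the lower integer and is evaluated first. When ordering rules, give the more specific deny the lower number if it must win.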
Difference between a VPC firewall and a security group: A VPC firewall manages the south-north traffic and can be applied to the entire VPC. In contrast, a security group mainly manages the east-west traffic and is applied to VM NICs. The two complement each other. The detailed differences are as follows.

| Comparison           | Security Group                                        | VPC Firewall                                                                                          |
|----------------------|-------------------------------------------------------|-------------------------------------------------------------------------------------------------------|
| Application scope    | VM NIC                                                | The entire VPC network                                                                                |
| Deployment mode      | Distributed                                           | Centralized                                                                                           |
| Deployment location  | VM instance                                           | VPC vRouter                                                                                           |
| Configuration policy | Supports only allow policies                          | Lets you customize the accept, drop, or reject policy as needed                                       |
| Priority             | Takes effect according to the configuration sequence  | Lets you customize priorities                                                                         |
| Matching rules       | Source IP address, source port, and source protocol   | Source IP address, source port, destination IP address, destination port, protocol, and packet state  |
To use a VPC firewall rule:
1. Create a VPC firewall.
2. Add an inbound/outbound rule set to the VPC firewall.
3. Add a corresponding rule to the rule set.
Create VPC Firewall
In the navigation pane of the ZStack Private Cloud UI, choose Network Service > VPC Firewall. On the VPC Firewall page, click Create VPC Firewall. On the displayed Create VPC Firewall page, set the following parameters:
- Name: Enter a name for the VPC firewall.
- Description: Optional. Enter a description for the VPC firewall.
- VPC vRouter: Select the VPC vRouter that needs to be protected.
Note: When you create a VPC firewall, make sure that the corresponding VPC vRouter is in the running state and is not attached to any firewall.
You can create a VPC firewall, as shown in Figure 2 (Create VPC Firewall).
Add Rule Set
On the VPC Firewall page, select the target VPC firewall, and choose Actions > Add Rule Set. On the displayed Add Rule Set page, set the following parameters:
- Name: Enter a name for the rule set.
- Default Action: Select the action that handles network requests matched by no rule in the set. Options: Accept | Drop | Reject.
  - Accept: Network requests sent to the VPC vRouter are allowed.
  - Drop: Network requests sent to the VPC vRouter are not allowed, and no feedback is sent to the requesting endpoint.
  - Reject: Network requests sent to the VPC vRouter are not allowed, and feedback is sent to the requesting endpoint.
- Network: Select the network to which the rule set is added.
Note:
- Only outbound rule sets can be created. Outbound rule sets apply to the outbound direction of the NIC.
- Inbound rule sets are created by the system by default. You can customize your rules in an inbound rule set.
- Inbound rule sets cannot be deleted.
You can create a rule set, as shown in Figure 3 (Add Rule Set).
Add Rule
On the Rule Set tab page, select a rule set of the target network, and choose Actions > Add Rule. On the displayed Add Rule page, set the following parameters:
- Rule Set: Select the target rule set to which the rule is added.
- Priority: Set the priority of the rule.
  Note:
  - The priority is an integer from 1001 to 2999, inclusive. Lower integers indicate higher priorities.
  - Rules in the priority ranges 1-1000 and 4000-9999 are preconfigured rules that support system services. System rules cannot be added, modified, or deleted.
  - Rule priorities cannot be identical within the same rule set.
- Action: Select an action to handle network requests. Options: Accept | Drop | Reject.
  - Accept: Allows network requests sent to the VPC vRouter.
  - Drop: Disallows network requests sent to the VPC vRouter, and does not relay feedback to the requesting endpoint.
  - Reject: Disallows network requests sent to the VPC vRouter, and relays feedback to the requesting endpoint.
- Packet State: Optional. Select the packet state to be matched by the VPC firewall. For example, if you select new, all packets in the new state are handled according to the current rule.
  - new: new connection
  - established: established connection
  - invalid: unknown connection
  - related: related connection. The current connection is a new request that belongs to an existing connection.
- Protocol: Required. Select the protocol that the VPC firewall uses to match the rule. For example, if you select TCP, all TCP requests are handled according to the current rule.
- Source IP/Destination IP: Optional. Set the source IP address and the destination IP address to be matched by the current rule.
  - You can enter a fixed IP address, an IP range, or a CIDR. If you enter an IP range, use a dash (-) to connect the first and last IP address of the range, for example, 192.168.0.1-192.168.0.100.
  - You can add up to 10 entries, in a single format or a combination of formats, and use a comma (,) to separate them.
  - If you enter multiple IP addresses that include one or more CIDRs, note that the CIDR format supports only the /24 mask. If only one CIDR is entered, the mask length is not restricted.
- Apply immediately: If selected, the rule takes effect immediately after you add it. If cleared, the rule is in the disabled state after you create it, and you need to enable it manually for it to take effect.
You can add a rule, as shown in Figure 4 (Add Rule).
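The Source IP/Destination IP field accepts a comma-separated list of up to 10 entries, each a single address, a dash-joined range or a CIDR, with the extra constraint that a CIDR in a multi-entry list must be /24. The validator below is an added example written for this page, not ZStack's input checker; it reads "supports only the /24 mask" as exactly /24 and, as a choice of this example, rejects a CIDR whose host bits are set. Catching these rule-shape errors before a rule is pushed matters because a malformed or over-broad address entry silently widens or narrows what the rule allows.

```python
"""Validator and matcher for the Source IP / Destination IP field
(illustrative, not ZStack code)."""
import ipaddress
from typing import List, Tuple, Union

MAX_ENTRIES = 10          # limit stated on the page
IPRange = Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]
IPEntry = Union[ipaddress.IPv4Address, ipaddress.IPv4Network, IPRange]


def parse_ip_spec(spec: str) -> List[IPEntry]:
    """Parse "a.b.c.d, a.b.c.d-a.b.c.e, a.b.c.0/24" into typed entries,
    raising ValueError for anything the page says the field rejects."""
    entries = [e.strip() for e in spec.split(",") if e.strip()]
    if not entries:
        raise ValueError("empty IP specification")
    if len(entries) > MAX_ENTRIES:
        raise ValueError(f"{len(entries)} entries given, at most {MAX_ENTRIES} allowed")
    parsed: List[IPEntry] = []
    for entry in entries:
        if "/" in entry:
            # strict=True rejects host bits set under the mask (this example's choice).
            net = ipaddress.IPv4Network(entry, strict=True)
            # With more than one entry, a CIDR must use the /24 mask.
            if len(entries) > 1 and net.prefixlen != 24:
                raise ValueError(f"{entry}: only /24 CIDRs are allowed in a multi-entry list")
            parsed.append(net)
        elif "-" in entry:
            lo_s, hi_s = entry.split("-", 1)
            lo, hi = ipaddress.IPv4Address(lo_s.strip()), ipaddress.IPv4Address(hi_s.strip())
            if lo > hi:
                raise ValueError(f"{entry}: range start is above range end")
            parsed.append((lo, hi))
        else:
            parsed.append(ipaddress.IPv4Address(entry))
    return parsed


def spec_contains(parsed: List[IPEntry], addr: str) -> bool:
    """True if addr falls inside any entry of a parsed specification."""
    ip = ipaddress.IPv4Address(addr)
    for entry in parsed:
        if isinstance(entry, tuple):
            if entry[0] <= ip <= entry[1]:
                return True
        elif isinstance(entry, ipaddress.IPv4Network):
            if ip in entry:
                return True
        elif ip == entry:
            return True
    return False


if __name__ == "__main__":
    # Constructed sample input mixing the three formats the page allows.
    spec = parse_ip_spec("192.168.0.1, 192.168.0.1-192.168.0.100, 10.0.0.0/24")
    for probe in ("192.168.0.50", "10.0.0.200", "192.168.0.101"):
        print(probe, spec_contains(spec, probe))
    for bad in ("10.0.0.0/8, 192.168.0.1", "192.168.0.100-192.168.0.1"):
        try:
            parse_ip_spec(bad)
        except ValueError as exc:
            print("rejected:", exc)
```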
VPC Firewall Operations
You can perform the following operations on a VPC firewall:
- Create VPC firewall: Create a VPC firewall.
- Update configuration: Modify the configurations of the VPC firewall.
  Note: When you add a new network service, such as OSPF, to a VPC vRouter, some firewall rules are created at the same time. However, these rules are not displayed in the UI. To display them, click the update configuration button; the rules are then synchronized from the VPC vRouter to the database of the Cloud.
- Add rule set: Add a rule set to the VPC firewall.
- Add rule: Select a rule set and add a rule to it.
- Delete: Delete the VPC firewall.
Rule Set Operations
You can perform the following operations on a rule set:
- Add rule set: Add the rule set to your current VPC firewall.
- Add rule: Add a rule to the rule set.
- Bind network: Bind a network to the rule set.
- Delete: Delete the rule set.
  Note: Inbound rule sets cannot be deleted.
Notice
When you use a VPC firewall, note the following:
- One VPC vRouter can be used to create only one VPC firewall.
- One NIC has an inbound direction and an outbound direction. You can configure only one rule set for each direction.
- The control mechanism of a VPC vRouter restricts external access to VM instances without an EIP. If you are using static routing or OSPF, note that static routing and OSPF stop working when the rule with priority 9999 is disabled. If you still want to use static routing and OSPF, add an inbound rule to the public network NIC.
When you use a rule set, note the following:
- One rule set can have up to 9999 rules attached.
- Only outbound rule sets can be created. Outbound rule sets apply to the outbound direction of the NIC.
- Exercise caution: the inbound and outbound directions of a rule set are defined relative to the VPC vRouter, not to the VM instances behind it.
- Inbound rule sets are created by the system by default. You can customize your rules in an inbound rule set, but you cannot delete inbound rule sets.
- A rule set of the outbound direction can be reused on multiple NICs.
When you use a rule, note the following:
- A rule is part of one rule set and cannot be reused in multiple rule sets.
- A system rule is a preconfigured rule that supports system services. System rules have two priority ranges: 1-1000 and 4000-9999. The priority range of a custom rule is 1001-2999. The priority range 3000-3999 is reserved by the system. Lower integers indicate higher priorities.
- System rules cannot be added, modified, or deleted.