mirror of
https://github.com/apache/cloudstack.git
synced 2025-11-02 11:52:28 +01:00
169 lines
8.0 KiB
XML
169 lines
8.0 KiB
XML
<?xml version='1.0' encoding='utf-8' ?>
|
|
<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
|
|
<!ENTITY % BOOK_ENTITIES SYSTEM "cloudstack.ent">
|
|
%BOOK_ENTITIES;
|
|
]>
|
|
<!-- Licensed to the Apache Software Foundation (ASF) under one
|
|
or more contributor license agreements. See the NOTICE file
|
|
distributed with this work for additional information
|
|
regarding copyright ownership. The ASF licenses this file
|
|
to you under the Apache License, Version 2.0 (the
|
|
"License"); you may not use this file except in compliance
|
|
with the License. You may obtain a copy of the License at
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
Unless required by applicable law or agreed to in writing,
|
|
software distributed under the License is distributed on an
|
|
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
|
KIND, either express or implied. See the License for the
|
|
specific language governing permissions and limitations
|
|
under the License.
|
|
-->
|
|
<section id="egress-firewall-rule">
|
|
<title>Egress Firewall Rules in an Advanced Zone</title>
|
|
<para>The egress traffic originates from a private network to a public network, such as the
|
|
Internet. By default, the egress traffic is blocked in default network offerings, so no outgoing
|
|
traffic is allowed from a guest network to the Internet. However, you can control the egress
|
|
traffic in an Advanced zone by creating egress firewall rules. When an egress firewall rule is
|
|
applied, the traffic specific to the rule is allowed and the remaining traffic is blocked. When
|
|
all the firewall rules are removed the default policy, Block, is applied.</para>
|
|
<section id="prereq-egress">
|
|
<title>Prerequisites and Guidelines</title>
|
|
<para>Consider the following scenarios to apply egress firewall rules:</para>
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>Egress firewall rules are supported on Juniper SRX and virtual router.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>The egress firewall rules are not supported on shared networks.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Allow the egress traffic from specified source CIDR. The Source CIDR is part of guest
|
|
network CIDR.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Allow the egress traffic with protocol TCP,UDP,ICMP, or ALL.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Allow the egress traffic with protocol and destination port range. The port range is
|
|
specified for TCP, UDP or for ICMP type and code.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>The default policy is Allow for the new network offerings, whereas on upgrade existing
|
|
network offerings with firewall service providers will have the default egress policy
|
|
Deny.</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</section>
|
|
<section>
|
|
<title>Configuring an Egress Firewall Rule</title>
|
|
<orderedlist>
|
|
<listitem>
|
|
<para>Log in to the &PRODUCT; UI as an administrator or end user. </para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>In the left navigation, choose Network.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>In Select view, choose Guest networks, then click the Guest network you want.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>To add an egress rule, click the Egress rules tab and fill out the following fields to
|
|
specify what type of traffic is allowed to be sent out of VM instances in this guest
|
|
network:</para>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata fileref="./images/egress-firewall-rule.png"/>
|
|
</imageobject>
|
|
<textobject>
|
|
<phrase>egress-firewall-rule.png: adding an egress firewall rule</phrase>
|
|
</textobject>
|
|
</mediaobject>
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para><emphasis role="bold">CIDR</emphasis>: (Add by CIDR only) To send traffic only to
|
|
the IP addresses within a particular address block, enter a CIDR or a comma-separated
|
|
list of CIDRs. The CIDR is the base IP address of the destination. For example,
|
|
192.168.0.0/22. To allow all CIDRs, set to 0.0.0.0/0.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para><emphasis role="bold">Protocol</emphasis>: The networking protocol that VMs uses
|
|
to send outgoing traffic. The TCP and UDP protocols are typically used for data
|
|
exchange and end-user communications. The ICMP protocol is typically used to send
|
|
error messages or network monitoring data.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para><emphasis role="bold">Start Port, End Port</emphasis>: (TCP, UDP only) A range of
|
|
listening ports that are the destination for the outgoing traffic. If you are opening
|
|
a single port, use the same number in both fields.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para><emphasis role="bold">ICMP Type, ICMP Code</emphasis>: (ICMP only) The type of
|
|
message and error code that are sent.</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Click Add.</para>
|
|
</listitem>
|
|
</orderedlist>
|
|
</section>
|
|
<section id="default-egress-policy">
|
|
<title>Changing the Default Egress Policy</title>
|
|
<para>You can configure the default policy of egress firewall rules in Isolated Advanced
|
|
networks. Use the create network offering option to determine whether the default policy
|
|
should be block or allow all the traffic to the public network from a guest network. If no
|
|
policy is specified, by default all the traffic is allowed from the guest network that you
|
|
create by using this network offering.</para>
|
|
<para>You have two options: Allow and Deny.</para>
|
|
<formalpara>
|
|
<title>Allow</title>
|
|
<para>If you select Allow for a network offering, by default egress traffic is allowed.
|
|
However, when an egress rule is configured for a guest network, rules are applied to block
|
|
the specified traffic and rest are allowed. If no egress rules are configured for the
|
|
network, egress traffic is accepted.</para>
|
|
</formalpara>
|
|
<formalpara>
|
|
<title>Deny</title>
|
|
<para>If you select Deny for a network offering, by default egress traffic for the guest
|
|
network is blocked. However, when an egress rules is configured for a guest network, rules
|
|
are applied to allow the specified traffic. While implementing a guest network, &PRODUCT;
|
|
adds the firewall egress rule specific to the default egress policy for the guest
|
|
network.</para>
|
|
</formalpara>
|
|
<para>This feature is supported only on virtual router and Juniper SRX.</para>
|
|
<orderedlist>
|
|
<listitem>
|
|
<para>Create a network offering with your desirable default egress policy:</para>
|
|
<orderedlist numeration="loweralpha">
|
|
<listitem>
|
|
<para>Log in with admin privileges to the &PRODUCT; UI.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>In the left navigation bar, click Service Offerings.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>In Select Offering, choose Network Offering.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Click Add Network Offering.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>In the dialog, make necessary choices, including firewall provider.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>In the Default egress policy field, specify the behaviour.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Click OK.</para>
|
|
</listitem>
|
|
</orderedlist>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Create an isolated network by using this network offering.</para>
|
|
<para>Based on your selection, the network will have the egress public traffic blocked or
|
|
allowed.</para>
|
|
</listitem>
|
|
</orderedlist>
|
|
</section>
|
|
</section>
|