Edge Firewalls

The Management Domain is protected by a Management Gateway [MGW], which is an NSX Edge Security gateway that provides north-south network connectivity for the vCenter Server and NSX Manager running in the SDDC.

The Internet-facing IP address is automatically assigned from the pool of AWS public IP addresses when the SDDC is created. The management logical network internal to your SDDC is assigned the CIDR block 10.0.0.0/16 by default. When you create your SDDC, you can assign a different address block to prevent address conflicts with other environments that you connect to your SDDC.

The Compute Domain is protected by a Compute Gateway [CGW]. The CGW provides north-south network connectivity for virtual machines running in the SDDC. VMware Cloud on AWS creates a default logical network to provide networking for these VMs. You can create additional logical networks in the VMC console and attach these VMs to these networks via vCenter.

The CGW and MGW provides firewall capabilities.

CGW and MGW

Edge Firewall Rules

By default, the firewall for the compute gateway is set to deny all uplink interfaces which include, internet, Amazon Direct Connect, and Amazon VPC interface and VPN tunnel interface traffic. Add additional firewall rules to allow workload traffic as needed.

Firewall rules control what traffic is allowed based upon the following criteria:

  • Source
  • Destination
  • Services (TCP/UDP ports)
  • Action (Allow, Drop or Reject)
  • Logging

For the Management Gateway, by default, the firewall is set to deny all inbound and outbound traffic. Add additional firewall rules to allow traffic as needed.

For the Compute Gateway, we can apply the firewalling on different interfaces:

  • Customer Native AWS VPC Interface
  • Direct Connect Interface
  • Internet Interface
  • VPN Tunnel Interface
Edge Firewall FW

You will see in the “Apply to” Firewall Rules the uplinks where you can apply the rules:

Firewall Rules Interfaces
Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s