Introduction to firewalls

Abiquo supports firewalls in the following providers and configurations:

  • Public cloud
    • AWS
  • Private cloud
    • Abiquo OpenStack Neutron integration
    • Abiquo VMware NSX integration
    • Customer integration

The implementation of firewalls may vary across different cloud providers. Abiquo checks each location for firewall capabilities.

In Abiquo 3.8.x, the OSN firewall will only filter traffic between an exterior network and a load balancer. OSN firewalls will not apply to virtual machines, even though users can assign them.

In Abiquo 3.8.x, the NSX firewall will only filter traffic to virtual machines. NSX firewalls will not apply to a load balancer, even though users can assign them.

Cloud provider firewall documentation

Reference information from the cloud provider documentation.

  • AWS
    • AWS security groups: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_SecurityGroups.html
    • Information about the SDK and security groups is included in this tutorial: http://docs.aws.amazon.com/AWSSdkDocsJava/latest/DeveloperGuide/prog-services-ec2.html
  • OpenStack Neutron
    • Complete OpenStack Neutron guide: http://docs.openstack.org/liberty/networking-guide/
  • VMware NSX
    • VMware NSX Documentation Center


Synchronize firewalls functionality

The synchronize functionality works slightly differently between public cloud and private cloud.

  • In public cloud in AWS, the synchronize function will import new firewalls created in the provider and update existing firewalls with any changes made in AWS
    • A firewall that exists in AWS will have a provider-ID
  • In private cloud, the synchronize function will work with firewalls that comply with the Abiquo specifications, i.e. that were created by Abiquo and not modified by the user outside of Abiquo

 

Synchronize firewalls for your enterprise in the AWS region

To import and synchronize rules for all existing security groups for a location, select All in the Virtual datacenters list, select a location, then click the synchronize button. If you have no firewalls, the synchronize feature will import the default security group for the location and each virtual datacenter. The default security group typically allows all outbound access.

When you click synchronize, Abiquo will only update the firewall rules of firewalls that currently exist in the public cloud provider, i.e. firewalls assigned to a virtual datacenter that have a provider ID.

The following screenshot shows the default firewall for several different VDCs. The "webDB" firewall currently exists in AWS. The other firewalls have been created in Abiquo but are not assigned to a virtual datacenter and do not currently exist in AWS.

 

Synchronize firewalls for an AWS virtual datacenter

When you synchronize an AWS virtual datacenter, or when you synchronize its firewalls, the platform will update your firewalls accordingly.


To synchronize firewalls for one virtual datacenter only, select the virtual datacenter name in the list and click the synchronize button. If you have no firewalls, the synchronize feature will import the existing firewalls, for example, the default security group for the VPC. The default AWS security group generally allows all outbound access.

For example, if you have firewalls in the provider, Abiquo will:

  • import any firewalls that only exist in the provider

  • import the rules for any firewalls that exist in Abiquo and the provider

  • for AWS: delete the provider ID for any firewalls that were deleted in the provider
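As an added illustration of the three synchronize rules listed above (example code written for this page, not Abiquo's own implementation), the following Python models an Abiquo firewall list and an AWS security group listing and applies the rules, leaving Abiquo-only firewalls untouched. The firewall names, the `sg-…` IDs and the VDC names are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class Rule:
    direction: str   # "inbound" or "outbound"
    protocol: str    # "tcp", "udp", "icmp" or "all"
    cidr: str        # source (inbound) or target (outbound) address range
    from_port: int
    to_port: int

@dataclass
class Firewall:
    name: str
    vdc: Optional[str]            # assigned virtual datacenter, None if unassigned
    provider_id: Optional[str]    # AWS security group ID, None if not present in AWS
    rules: set = field(default_factory=set)

def synchronize(abiquo, aws):
    """aws maps security group ID -> (name, vdc, set of Rule). Applies the three
    synchronize rules to the Abiquo firewall list in place; returns an action log."""
    log = []
    known = {fw.provider_id for fw in abiquo if fw.provider_id}
    for sg_id, (name, vdc, rules) in aws.items():
        if sg_id not in known:          # 1. exists only in the provider: import it
            abiquo.append(Firewall(name, vdc, sg_id, set(rules)))
            log.append(f"imported {name} ({sg_id})")
    for fw in [f for f in abiquo if f.provider_id]:   # Abiquo-only firewalls are skipped
        if fw.provider_id in aws:       # 2. exists in both: import missing rules
            missing = aws[fw.provider_id][2] - fw.rules
            fw.rules |= missing
            if missing:
                log.append(f"imported {len(missing)} rule(s) into {fw.name}")
        else:                           # 3. deleted in AWS: clear ID, keep rules
            fw.provider_id = None
            log.append(f"cleared provider ID of {fw.name}")
    return log

def sample_sync():
    """Constructed scenario: 'default' exists only in AWS, 'webDB' is in both with
    an extra rule in AWS, 'legacy' was deleted in AWS, 'staged' is Abiquo-only."""
    allow_out = Rule("outbound", "all", "0.0.0.0/0", 0, 65535)
    ssh_in = Rule("inbound", "tcp", "10.0.0.0/8", 22, 22)
    abiquo = [Firewall("webDB", "vdc-prod", "sg-webdb", {allow_out}),
              Firewall("legacy", "vdc-old", "sg-legacy", {ssh_in}),
              Firewall("staged", None, None, {ssh_in})]
    aws = {"sg-default": ("default", "vdc-prod", {allow_out}),
           "sg-webdb": ("webDB", "vdc-prod", {allow_out, ssh_in})}
    return abiquo, synchronize(abiquo, aws)
```

The cleared-ID branch is what makes the "move a firewall" procedure below possible: the rules survive in Abiquo for reassignment.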

Move a firewall to another VDC

To move a firewall to another virtual datacenter:

  • In Neutron
    • Edit the firewall in Abiquo and change the VDC
  • In AWS
    • Delete the firewall directly in AWS
    • Synchronize your Abiquo firewalls
      • The provider ID will be removed from the deleted firewall
    • Edit the firewall and change the virtual datacenter

You cannot directly edit firewalls in AWS, which means that you cannot move a firewall from one virtual datacenter to another. If you have a large number of firewall rules, in Abiquo you can reuse these firewall rules, instead of deleting them and recreating them as you would have to do in AWS. The following screenshot shows a firewall after the AWS security group was deleted. The firewall rules are preserved for you to edit or apply to another virtual datacenter.

 

Delete a virtual datacenter and reuse a firewall

If you delete a virtual datacenter, the firewalls will be deleted in the cloud provider but they will still be present in Abiquo (in AWS, with no provider ID; in Neutron, with the provider ID). Edit these firewalls as required and assign them to another virtual datacenter.

Assign a firewall to a virtual datacenter

Edit the firewall and select the virtual datacenter that you want the firewall to belong to. In AWS, when you save the changes, Abiquo will create the firewall in the AWS VPC and add a Provider ID to the Abiquo firewall.

To check the firewall, click the synchronize button.

If you delete a firewall in AWS and then create it again by assigning it to a virtual datacenter, AWS will give the new firewall a new provider-ID.

Filter firewalls

Enter text in the search box to search by name, description and provider ID in the firewall list.

Create a firewall

To create a new firewall, open a virtual datacenter and click on the Firewall tab.

  1. Click the add button

  2. Enter the name of the firewall

  3. Select a location from the pulldown list

  4. Select a virtual datacenter or no virtual datacenter. This determines whether the firewall rules can be synchronized with existing rules in the provider:

    • No virtual datacenter:
      • AWS
        • Your firewall will be created in Abiquo only, for your enterprise in the public cloud region. Its rules will NOT be synchronized with AWS in the next step. It will not be created in AWS until you select a virtual datacenter
      • Neutron
        • This option is not allowed, and when you try to save the firewall, an error message will display
    • Virtual datacenter:
      • Your firewall will be created in the cloud provider. A provider-ID will be added to its entry on the main Firewalls page. Its rules will be synchronized with the cloud provider in the next step
  5. Add new firewall rules

After the firewall is created and synchronized with the existing default firewall rules, it should at least have an outbound rule to allow all traffic.

Edit firewall rules

Before you add new firewall rules, you should synchronize the firewall to update any rules that exist in your cloud provider.

Synchronize firewall rules

Select All or select your virtual datacenter and click the synchronize button to load existing rules into your new firewall. The predefined rule is typically a default security group rule that allows all outbound traffic.

Add firewall rules

 

Cannot duplicate existing rules

AWS will not allow you to create a rule that already exists in the security group. Before you add rules, synchronize your virtual datacenter firewalls to import any rules that already exist.

Also remember that it may take some time for firewall rules to propagate throughout AWS. Until the rules have propagated, Abiquo will not be able to detect them. See http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/query-api-troubleshooting.html#eventual-consistency
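An added example (not Abiquo code) of the check a client should make before adding a rule, given the two points above: AWS rejects a rule that already exists, and a new rule propagates with a delay. The function synchronizes first, skips a rule the provider already has, then polls a bounded number of times for the new rule to appear. `FakeProvider` is a constructed stand-in for the provider API, and `rule_key` is a constructed normalization of the direction, protocol, address range and port range fields described in the procedure below.

```python
import time

def rule_key(direction, protocol, cidr, from_port, to_port):
    """Normalize a rule so that the same rule compares equal however it was typed."""
    return (direction.lower(), protocol.lower(), cidr.strip(), int(from_port), int(to_port))

class DuplicateRule(Exception):
    """The provider refused the rule because it already exists (as AWS does)."""

class FakeProvider:
    """Constructed stand-in for the cloud provider: rejects duplicates and only shows
    a newly added rule after `visible_after` reads (eventual consistency)."""
    def __init__(self, existing, visible_after=2):
        self.rules = set(existing)      # rules already visible in the provider
        self.visible_after = visible_after
        self._pending = {}              # rule -> reads left until it becomes visible

    def add_rule(self, rule):
        if rule in self.rules or rule in self._pending:
            raise DuplicateRule(rule)
        self._pending[rule] = self.visible_after

    def list_rules(self):
        for rule in list(self._pending):
            self._pending[rule] -= 1
            if self._pending[rule] <= 0:
                del self._pending[rule]
                self.rules.add(rule)
        return set(self.rules)

def add_rule_safely(provider, local_rules, rule, max_polls=5, delay=0.0):
    """Synchronize, skip rules the provider already has, then wait for propagation.
    Returns 'exists', 'added' or 'pending'; local_rules is updated in place."""
    local_rules |= provider.list_rules()          # synchronize before adding
    if rule in local_rules:
        return "exists"                           # AWS would reject it as a duplicate
    provider.add_rule(rule)
    for _ in range(max_polls):                    # rules take time to propagate
        if rule in provider.list_rules():
            local_rules.add(rule)
            return "added"
        time.sleep(delay)
    return "pending"                              # not visible yet; synchronize again later
```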

To add a new firewall rule:

  1. Click the Add button on the firewall rules panel

  2. Select the Inbound or Outbound tab for the traffic direction you wish to control

  3. Enter the protocol and the source or target IP address range (network address and netmask)

  4. Enter the From port and To port. These are the start and end of the port range that this rule will apply to, in case you wish to apply the rule to a number of ports at the same time

  5. Click Add, then click Save when you have finished editing the rules for the current tab

    • The firewall rules will be added to the rule list

 

Delete firewall rules

To delete firewall rules, click the X next to the rule in the Edit firewall rules popup, then click Save.

Delete a firewall

To delete a firewall, first remove the firewall from all virtual machines that it is associated with.

Assign a firewall to a virtual machine

See Configure Virtual Machines

Troubleshooting firewalls

If a firewall has a provider ID, then it exists in AWS. The provider ID is the AWS security group ID.

In the Abiquo API, the firewall object contains a link to the virtual datacenter it is associated with.

Users are not allowed to modify firewalls in AWS. If you try to modify the firewall, you will receive an error message. However, you can update firewall rules.

Remember that changes in AWS may not be immediately propagated throughout the AWS system. See http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/query-api-troubleshooting.html#eventual-consistency

Notes about use of the firewall provider-ID

 

  • In AWS, Abiquo will assign a provider-ID to the Abiquo AWS firewall when it:
    • Imports a firewall from AWS 
    • Creates a new firewall in AWS
  • The provider-ID shows that the firewall exists in AWS in a specific VPC
    • The provider-ID is the AWS security group ID for the VPC
    • If you remove a VPC in AWS and assign the firewall to a new VDC then a new provider-ID will be assigned
  • In private cloud, Neutron assigns the provider ID to the firewall and it remains the same. The provider-ID does not indicate if the firewall is assigned to a VDC or not.