ZeMiracle (Enthusiast)

Changing the Firewall rules of Tenant Edge router in a floating ip scenario

Hello,

We natively use a fully routed network to deploy instances.

We use an update server in our datacenter to force VM updates as part of the enterprise security policy.

After some time, we chose to implement floating IPs to ease IP management.

With floating IPs, you deploy instances on a private network and use a tenant router to access the external network.

For each floating IP, you have an SNAT/DNAT rule in the tenant router.

A default SNAT route is configured to allow VMs with no floating IP to communicate using the router's external IP.

[Screenshot: tenant router.PNG]

Unfortunately, the VMs with no floating IP no longer communicate with the update server.

Looking into the NSX configuration of the tenant router, we see that the firewall is enabled and there is no rule to permit access.

We want to create a permanent rule that allows the private network to communicate with our update server.

How can we modify the VIO configuration to push this modification into the tenant router?

Thanks a lot for the help :)

Cédric.

2 Replies
xgao3 (VMware Employee), accepted solution

Hi,

We don't support manual updates of the NSX edge device outside of the VIO CLI/API. If your access is limited due to a security group, you should create a new secgroup and apply it to the VM.

The default security group allows all egress traffic; I don't suspect this is the issue.

Without understanding more about your setup, it's hard to say what is causing the issue. Can you provide the source/destination IPs of your setup and additional info on the sec groups for both the source and destination VMs?

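The reply above points at the supported path (a security group applied to the VM, not a hand edit of the NSX edge), and the question describes the SNAT/DNAT model behind it. The script below is an added example, not code from the thread or from VIO: it creates a security group that explicitly permits traffic between a VM and the update server, attaches it to a server, and checks whether the tenant router's default SNAT is enabled (the path VMs without a floating IP depend on). The update server address 203.0.113.10, the group name allow-update-server, the server name vm-01, the router name tenant-router and the agent port 5985 are assumptions for illustration; set DRY_RUN=1 to print the openstack commands instead of running them.

```shell
#!/bin/sh
# Added example, not code from the thread or from VIO. Assumed (hypothetical)
# values: update server 203.0.113.10, group "allow-update-server", server
# "vm-01", router "tenant-router". Set DRY_RUN=1 to print the openstack
# commands instead of executing them.

# Run a command, or only print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Create a security group that explicitly permits traffic between the VM and
# the update server: egress to it on 80/443 (what a pull-based updater needs)
# and ingress from it on the agent port (what a push-based updater needs).
# Ingress only helps VMs that have a floating IP: a VM behind the default SNAT
# rule alone has no DNAT entry, so the update server cannot open a connection
# to it. Rules are scoped to the update server's /32 rather than 0.0.0.0/0.
create_update_secgroup() {
    group="$1"
    update_ip="$2"
    agent_port="$3"
    run openstack security group create "$group" \
        --description "update server access"
    for port in 80 443; do
        run openstack security group rule create --egress --protocol tcp \
            --dst-port "$port" --remote-ip "$update_ip/32" "$group"
    done
    run openstack security group rule create --ingress --protocol tcp \
        --dst-port "$agent_port" --remote-ip "$update_ip/32" "$group"
}

# Attach the group to a server. Existing groups stay attached; security group
# rules are additive, so this only ever widens what the VM may talk to.
apply_secgroup() {
    server="$1"
    group="$2"
    run openstack server add security group "$server" "$group"
}

# Return 0 when router JSON, as printed by
#   openstack router show ROUTER -c external_gateway_info -f json
# reports enable_snat=true, i.e. VMs without a floating IP can still leave
# through the router's external address. Whitespace is stripped first so the
# match does not depend on the CLI's JSON layout.
snat_enabled() {
    printf '%s' "$1" | tr -d ' \n' | grep -q '"enable_snat":true'
}

# Fetch the router's gateway info and report the SNAT state.
check_router_snat() {
    router="$1"
    info=$(openstack router show "$router" -c external_gateway_info -f json)
    if snat_enabled "$info"; then
        echo "SNAT enabled on $router"
    else
        echo "SNAT disabled on $router: VMs without a floating IP have no egress" >&2
        return 1
    fi
}

# Usage (with DRY_RUN=1 the first two only print the openstack commands):
#   create_update_secgroup allow-update-server 203.0.113.10 5985
#   apply_secgroup vm-01 allow-update-server
#   check_router_snat tenant-router
```

If the group ends up too permissive, `openstack server remove security group vm-01 allow-update-server` detaches it again; the router check is the first thing to run when a VM without a floating IP loses egress, since a disabled SNAT on the gateway looks, from inside the VM, exactly like a firewall drop.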
ZeMiracle (Enthusiast)

Hello,

You are right, we made a mistake during our test :(

All VMs connected to the Provider Network through a Tenant Router have default egress access, even if no floating IP is assigned.

The VM will use the default SNAT rule and use the Tenant Router IP.

Ced.
