VMware Cloud Community
Joekeane
Contributor

vCloud 1.5 Firewall rules

Am I confused, or does the firewall UI built into VCD 1.5 not allow for subnet ranges to be placed in the Source or Destination?

I have 2 vApps with multiple VMs each connected to a common Org Network. I would like to limit communication between the vApps to port 1433 (for example), but when I edit the firewall rules, I can only enter an IP address. If I try 10.0.0.0/24 or 10.0.0.0 - 10.0.0.1, it highlights the box in red and informs me I have to enter a valid IPv4 address. I have tried to enter just 10.0.0.0, but it doesn't work, and I see the packets getting dropped when viewing the syslog.

This is absolutely stunning, since I can open vShield Manager, edit the PortGroup and add the /24 to the rule, and communication on 1433 starts to work. I don't understand how the VCD GUI can't give me the same options as the vShield GUI. In fact, it isn't even that it's not available; it's that the validation rule isn't allowing me to continue.

I really hope I am missing something, and someone can show me an easy workaround.

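The point raised above, that a bare 10.0.0.0 is a single host and not a subnet, as an added illustration that is not code from the original post or from VMware: a small Python validator that accepts the three forms tried in the thread (single address, CIDR, hyphenated range) and checks whether a packet's address falls inside the result.

```python
import ipaddress
from typing import List

def parse_endpoint(text: str) -> List[ipaddress.IPv4Network]:
    """Parse a firewall source/destination field into IPv4 networks.

    Accepted forms, taken from the thread: a single address (10.0.0.1),
    CIDR (10.0.0.0/24) and a hyphenated range (10.0.0.0 - 10.0.0.1).
    Anything else raises ValueError, which is what a UI validator
    would surface as the red "enter a valid IPv4 address" box.
    """
    text = text.strip()
    if "-" in text:
        lo, hi = (p.strip() for p in text.split("-", 1))
        lo_ip, hi_ip = ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi)
        if hi_ip < lo_ip:
            raise ValueError(f"range end {hi} precedes start {lo}")
        # A range is represented as the minimal list of CIDR blocks.
        return list(ipaddress.summarize_address_range(lo_ip, hi_ip))
    # Default strict=True rejects host bits under the mask (10.0.0.1/24),
    # so ambiguous input is refused rather than silently widened.
    # A bare address parses as a /32: exactly one host, not a subnet.
    return [ipaddress.IPv4Network(text)]

def endpoint_matches(text: str, packet_ip: str) -> bool:
    """Would a rule whose endpoint field is `text` match `packet_ip`?"""
    ip = ipaddress.IPv4Address(packet_ip)
    return any(ip in net for net in parse_endpoint(text))

def is_valid_endpoint(text: str) -> bool:
    """Validation check in the spirit of the UI, but range-aware."""
    try:
        parse_endpoint(text)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    # Constructed sample: traffic from 10.0.0.5 on the Org Network.
    for field in ("10.0.0.0", "10.0.0.0/24", "10.0.0.0 - 10.0.0.1"):
        print(f"{field!r:24} matches 10.0.0.5: {endpoint_matches(field, '10.0.0.5')}")
```

The first line of output shows why the bare address did not help the poster: it matches only host 10.0.0.0, so every other address in the vApp is still dropped.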
2 Replies
twm1010
Contributor

I am having a similar issue, in that I can't seem to create a rule that will permit traffic from a remote site to egress out the "Internal" interface. I can do this manually from vShield Manager, but not from Configure Services under the org network.

b0rbb
Enthusiast

I'm with you on this. It's somewhat ridiculous that you're unable to enter even port ranges through the vCD front end to the vShield Edge firewall functionality, but you can if you work with the vShield Edge directly (through the vShield Manager web UI, or through the vShield Edge tab of the associated vCD-generated portgroup in the vSphere client).

Unfortunately, I'm pretty sure adding rules through one of the aforementioned methods is unsupported, and would lead to a mismatch between the firewall rules vCloud Director has for the vShield Edge VM and the ones vShield Manager has for it.

The ability to add ranges for either source/destination IP/port would be GREATLY appreciated, if it's possible for that to be included in a future update of vCD.
