IaaS Firewall and NAT

The recommended way to provide connectivity to your virtual server is to place it behind an edge gateway, which acts as a firewall and NAT router.

This layout looks like this:

layout.PNG

In this setup, no virtual servers are directly accessible from the internet, increasing security. In order to access the required services on the virtual servers, we will need to both configure the firewall and configure a NAT entry.

By default, each new cloud in a box deployment comes with an edge gateway, setup with firewall and NAT rules to allow virtual servers access to the internet (outgoing traffic).

To access your edge gateway's configuration, select Edge Gateways from the left and click the label of the target edge gateway

edgesel.png

You may wish to note the external (internet facing) IP address of your edge gateway for use in the following steps. This can be seen on the Edge Gateway overview, under the Interfaces list, and will be the one labelled 'X External', where X is your availability zone.

 

Firewall

Select the Firewall Service tab from the top of the edge gateway overview page. This will show you a list of existing firewall rules. By default, there is a rule labelled Egress, which is used for internal virtual servers to connect to the internet. Select Add Rule to configure a new firewall entry.

Provide the details of the port you wish to allow or deny through the firewall, as follows:

- Enabled: Whether or not this firewall rule will be in effect

- Description: Provide a description for your new firewall rule

- Command: Accept allows communication if this rule matches, Drop discards communication if this rule matches

- Source: Enter the source of the connection

- Source Port: If the device connecting uses a static port, set this here. For customers who are behind NAT routers, etc., this will likely need to be Any

- Destination: Enter the target for this connection rule, either by IP address or using a keyword

- Destination Port: Enter the target port for this rule to operate on.

- Protocol: Select the connection protocol or group of protocols this rule should match on.

 

The below example will allow an inbound connection for remote desktop, from the source IP 202.58.48.100 to 103.25.212.200 (the edge gateway's external IP), on TCP port 3389.

edge-fw-1.png

Firewall rules can be setup using keywords in addition to IP addresses. These are:

- internal : any server or IP residing within your org network

- external : any IP outside your org network

- any : either of the above

 

Once your rule is complete, click submit. It will take up to a couple of minutes for the edge gateway's configuration to be updated.

You can revise, disable or enable firewall rules once created by clicking the Cog and then selecting Edit for the desired rule.

 

NAT

Network address translation (NAT) is a method of translating one IP address into another, and is useful for many devices to share a single public IP address.When exposing a service on an Organisation Network to the wider internet, NAT is used to direct the connections to the correct server. 

Select NAT Service from the top of the edge gateway configuration page to access the NAT rules. By default, there is a SNAT (source nat) rule to translate internal Organisation Network addresses to the external IP of the edge gateway, which is used for internal virtual servers to connect to the internet.

Select Add New Rule to create a new NAT entry and provide the details as follows:

- Enabled: Whether or not this firewall rule will be in effect

- Rule Type: DNAT (destination NAT) translates an incoming connection on the public IP address to an internal IP address. SNAT (source NAT) translates an internal source to the public IP address.

- Network: Select the interface to apply the rule on. This will normally be the external interface of the edge gateway

- Original IP: Enter the original IP to be translated. For DNAT, this will be the public IP address, for SNAT, it will be the internal IP or range (in CIDR notation)

- Original Port (DNAT Only): Enter the port the connection will be received on. This is the port you have allowed through the firewall

- Translated IP: Enter the destination IP of the translation. For SNAT, this will be the public IP of the edge gateway. For DNAT, this will be the internal IP of the target server

- Translated Port (DNAT Only): Enter the port of the service on the target server. This does not have to match the original port.

- Protocol (DNAT Only): Select the connection protocol or group of protocols this rule will affect.

 

The example below is an inbound rule for Remote Desktop. The external clients connect to the IP 103.25.212.200 on port 13389, and this is forwarded to the internal server 10.10.10.123 on its remote desktop port 3389.

egde-nat-1.png

 

Default Rules

In case your default rules have been modified and need to be restored, the below table lists each default rule:

Firewall Service Tab

Enabled Description Command Source Destination Protocol
Yes Allow ICMP ACCEPT any any ICMP
Yes Egress ACCEPT internal any any

Nat Service Tab

Enabled Rule Type Network Original IP Translated IP
Yes SNAT Your AZ's External Network Your Org network's IP range (eg. 10.12.13.0/24) Your edge gateway's external IP
Have more questions? Submit a request

0 Comments

Please sign in to leave a comment.
Powered by Zendesk