Performance Cloud VMware – How to configure the Edge Gateway (Firewall & NAT rules) 


Notes

To ensure your Edge Gateway is using the latest version available, please follow this article: https://helpdesk.sherweb.com/en/support/solutions/articles/67000693568-performance-cloud-vmware-upgrade-the-edge-gateway
 

If more than one (1) WAN IP address is required in your virtual datacenter, please contact our Cloud Support team. Additional fees may apply.

Definitions

CIDR, or "classless inter-domain routing", is a compact way to write a network together with its subnet mask: the mask is expressed as the number of leading 1 bits in its binary value. Example: the network 192.168.1.0 with the subnet mask 255.255.255.0 is, in CIDR notation, 192.168.1.0/24.

What is an edge gateway?

An edge gateway connects a routed organization vDC network to external networks. It provides services such as load balancing, network address translation, and a firewall.

Locate the edge gateway external IP address

  1. Log in to the Performance Cloud VMware portal using your credentials.
      
  2. Select your virtual datacenter.


     
  3. Under the Networking section, click on Edges. Then, click on your edge gateway.


     
  4. Click on Gateway interfaces, then locate your Primary External IP address.
    74.115.204.14 is the primary WAN IP address in this example.

Configure a source NAT (SNAT) rule

To change the source IP address from a private to a public IP address, you create a source NAT (SNAT) rule.

The example below translates a single private network to the primary WAN IP address.

  1. Under the Networking section, click on Edges. Then, select your edge gateway and click on SERVICES.
     

     
  2. Click on NAT. Then, under NAT44 rules, click on +SNAT RULE.

     
  3. Configure the SNAT rule as follows:
    • Enter the original private Source IP/Range (10.0.1.0/24 in this example).
    • Click on Select to pick the desired WAN IP address for the translated Source IP/Range.
    • Optional – Enter a description.
    • Make sure the rule is enabled, then click on KEEP.

       

  4. The new SNAT rule should look like this:

     
  5. Click on Save changes.

Configure a firewall rule for SNAT

  1. Go to the Firewall tab, make sure it is enabled and click on the button.

  2. A new rule will appear.


     
  3. Edit the fields of the new firewall rule as follows:
    • Name: Name your firewall rule (Example: Allow-S_10.0.1.0-D_ANY)

    • Source: Mouseover the Source field and click on IP to enter an IP address, CIDR or IP range.
      You can also click on the sign to select an object like virtual machines, gateway interfaces, vDC networks.



      In this example, the entire private network (10.0.1.0/24) is configured.

    • Destination: Mouseover the Destination field and click on IP to enter an IP address, CIDR or IP range. You can also click on the sign to select an object like virtual machines, gateway interfaces, vDC networks.



      In this example, the Any value is kept, allowing traffic to any destination.

    • Service: Mouseover the Service field and click on the + button to choose a protocol, a source port and a destination port if needed.
      In this example, the Any value is kept, allowing any protocol and port.

    • Action: Select Accept or Deny to allow or deny traffic that matches the rule.
      In this example, we keep the Accept value.

  4. The new firewall rule should look like this:


     
  5. Click on Save changes.


     
  6. Test Internet access from your VM with a ping.

Create a destination NAT (DNAT) rule

To change the destination IP address from a public to a private IP address, you create a destination NAT (DNAT) rule.

In the example below, we open a custom port so that a single remote IP address can reach a virtual machine through Remote Desktop.
 

  1. Under the Networking section, click on Edges. Then, select your edge gateway and click on SERVICES.
      

     
  2. Click on NAT. Then, under NAT44 rules, click on +DNAT RULE.


     
  3. Configure the DNAT rule as follows:
    • Select the original IP address or range of IP addresses to apply this rule to (the WAN IP address of the Edge Gateway in this example).
    • Select the protocol to apply this rule to; to apply it to all protocols, select Any (TCP in this example).
    • Enter the original port to apply this rule to (port 7000 in this example).
    • Enter the IP address or range of IP addresses that the destination address of inbound packets will be translated to (the internal IP address of the VM in this example).
    • Enter the translated port, i.e. the port that inbound packets will be forwarded to on the internal IP address (3389 in this example).
    • Optional – Enter a description.
    • Make sure the rule is enabled, then click on KEEP.





  4. The new DNAT rule should look like this:


     
  5. Click on Save changes.

Configure the firewall rule for DNAT

  1. Go to the Firewall tab, make sure it is enabled and click on the button.
  2. A new rule will appear.


     
  3. Edit the fields of the new firewall rule as follows:
    • Name: Name your firewall rule (Example: Allow-S_199.244.76.86-D_TCP7000)

    • Source: Mouseover the Source field and click on IP to enter an IP address, CIDR or IP range.
      You can also click on the sign to select an object like virtual machines, gateway interfaces, vDC networks.


      In this example, the WAN IP address of a remote office (199.244.76.86) is configured so that the rule only allows traffic from this IP address.

      Note: Whenever possible, avoid using “Any” here, for security and performance reasons.

    • Destination: Mouseover the Destination field and click on IP to enter an IP address, CIDR or IP range.
      You can also click on the sign to select an object like virtual machines, gateway interfaces, vDC networks.


      In this example, the WAN IP address of the Edge Gateway is configured (74.115.204.14).

    • Service: Mouseover the Service field and click on the + button to choose a protocol, a source port and a destination port if needed.

      In this example, we are matching the original port and protocol previously defined in the DNAT rule.



    • Action: Select Accept or Deny to allow or deny traffic that matches the rule.

      In this example, we keep the Accept value.

  4. The new firewall rule should look like this:



  5. Click on Save changes.



  6. Test new rules.

    In this example, we can now initiate a remote desktop connection from the office having the authorized IP address.
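    One way to check that the NAT and firewall tables built in the SNAT and DNAT sections above are consistent, as an added example written for this article (it is not Sherweb's or VMware's code and does not use the portal's API): a small Python audit over rule tables copied out by hand. The field names are this example's own; the addresses and rule names come from the article, except the internal VM address 10.0.1.10, which is a constructed placeholder. The audit flags a DNAT rule with no accepting firewall rule (inbound connections are silently dropped), an SNAT network with no outbound firewall rule, and a DNAT firewall rule whose Source is Any, which the note above advises against.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class NatRule:
    kind: str                             # "SNAT" or "DNAT"
    original_ip: str                      # SNAT: private network; DNAT: WAN IP
    translated_ip: str                    # SNAT: WAN IP; DNAT: internal VM IP
    protocol: str = "any"                 # DNAT only
    original_port: Optional[int] = None   # DNAT only
    enabled: bool = True


@dataclass
class FwRule:
    name: str
    source: str                      # single IP, CIDR or "any"
    destination: str
    protocol: str = "any"
    dst_port: Optional[int] = None   # None = any port
    action: str = "accept"
    enabled: bool = True


def covers(field: str, target: str) -> bool:
    """True if a Source/Destination field (IP, CIDR or 'any') contains the target IP or network."""
    if field.lower() == "any":
        return True
    return ipaddress.ip_network(target, strict=False).subnet_of(
        ipaddress.ip_network(field, strict=False))


def external_source(rule: FwRule) -> bool:
    """Heuristic: a rule can admit Internet traffic if its source is 'any' or a public address."""
    return rule.source.lower() == "any" or not ipaddress.ip_network(rule.source, strict=False).is_private


def service_matches(rule: FwRule, protocol: str, port: Optional[int]) -> bool:
    if rule.protocol.lower() not in ("any", protocol.lower()):
        return False
    return rule.dst_port is None or rule.dst_port == port


def audit(nat_rules: List[NatRule], fw_rules: List[FwRule]) -> List[str]:
    """Return one finding per problem; an empty list means the two tables are consistent."""
    findings = []
    accepting = [f for f in fw_rules if f.enabled and f.action.lower() == "accept"]
    for nat in nat_rules:
        if not nat.enabled:
            continue
        if nat.kind == "DNAT":
            # The firewall rule for a DNAT matches the ORIGINAL (WAN) address and port,
            # as the article's Allow-S_199.244.76.86-D_TCP7000 rule does.
            covering = [f for f in accepting if external_source(f)
                        and covers(f.destination, nat.original_ip)
                        and service_matches(f, nat.protocol, nat.original_port)]
            if not covering:
                findings.append(f"DNAT {nat.original_ip}:{nat.original_port}/{nat.protocol} "
                                "has no accepting firewall rule: inbound connections will be dropped")
            for f in covering:
                if f.source.lower() == "any":
                    findings.append(f"rule '{f.name}' exposes DNAT {nat.original_ip}:{nat.original_port} "
                                    "to any source: restrict Source to the remote addresses that need access")
        elif nat.kind == "SNAT":
            if not any(covers(f.source, nat.original_ip) for f in accepting):
                findings.append(f"SNAT for {nat.original_ip} has no accepting firewall rule: "
                                "outbound traffic will be dropped")
    return findings


# Constructed sample tables: addresses and rule names are the article's; the internal
# VM address 10.0.1.10 is a placeholder.
ARTICLE_NAT = [
    NatRule("SNAT", "10.0.1.0/24", "74.115.204.14"),
    NatRule("DNAT", "74.115.204.14", "10.0.1.10", "TCP", 7000),
]
ARTICLE_FW = [
    FwRule("Allow-S_10.0.1.0-D_ANY", "10.0.1.0/24", "any"),
    FwRule("Allow-S_199.244.76.86-D_TCP7000", "199.244.76.86", "74.115.204.14", "TCP", 7000),
]
# The same DNAT firewall rule left open to the whole Internet (what the note above advises against).
OPEN_FW = [ARTICLE_FW[0], FwRule("Allow-S_ANY-D_TCP7000", "any", "74.115.204.14", "TCP", 7000)]

if __name__ == "__main__":
    print("article tables:", audit(ARTICLE_NAT, ARTICLE_FW) or "no findings")
    for line in audit(ARTICLE_NAT, OPEN_FW):
        print("open variant:", line)
```

    Running the script as-is reports no findings for the article's tables and one finding for the variant whose inbound rule uses Source = Any. The public/private heuristic in external_source is what stops the outbound rule (source 10.0.1.0/24, destination Any) from being counted as coverage for the DNAT, since a rule with a private source can never admit Internet traffic.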



Multi-Network Scenario

For a more robust environment, we suggest implementing network segmentation and segregation. The goal is to isolate and restrict access to sensitive information.

In the example below, the database server sits on a separate network. All ports from the Web server to the database server are closed except the SQL port. This configuration reduces the attack surface of the database server.

Here is the firewall configuration needed to achieve this scenario:


Egress filtering

For a more robust environment, we also suggest considering egress port filtering.

You could consider blocking outbound ports or services known to be used for malicious purposes.

Also, some ports or services do not typically need to be reachable across the Internet and are usually reserved for internal networks. Some of those services can be associated with vulnerabilities or malicious activity.

The decision to block these ports or services must be made with knowledge of your network's requirements.
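A way to reason about the multi-network scenario and the egress filtering advice together, as an added example (not Sherweb's or VMware's code): a Python simulation of the edge's firewall as an ordered first-match table with an implicit deny at the end, followed by DNAT or SNAT. The WAN IP, office IP, web network and rule names from the article are reused; the database network 10.0.2.0/24, the server addresses 10.0.1.10 and 10.0.2.10, the SQL port 1433 and the egress deny on TCP/445 are constructed assumptions. The simulation matches firewall rules against the packet's original addresses and port, which is what this article's DNAT firewall rule (destination = WAN IP, port 7000) implies; confirm the behaviour on your own edge before relying on it.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass
class Packet:
    src: str
    dst: str
    protocol: str = "TCP"
    dport: Optional[int] = None


@dataclass
class FwRule:
    name: str
    source: str                   # single IP, CIDR or "any"
    destination: str
    protocol: str = "any"
    dport: Optional[int] = None   # None = any destination port
    action: str = "accept"        # "accept" or "deny"


@dataclass
class Dnat:
    original_ip: str
    protocol: str
    original_port: int
    translated_ip: str
    translated_port: int


@dataclass
class Snat:
    original_net: str
    translated_ip: str


@dataclass
class Verdict:
    allowed: bool
    rule: str        # name of the matching rule, or "default deny"
    packet: Packet   # the packet as it leaves the edge (after NAT) when allowed


def covers(field: str, ip: str) -> bool:
    return field.lower() == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(field, strict=False)


def matches(r: FwRule, p: Packet) -> bool:
    return (covers(r.source, p.src) and covers(r.destination, p.dst)
            and r.protocol.lower() in ("any", p.protocol.lower())
            and (r.dport is None or r.dport == p.dport))


def evaluate(p: Packet, fw: List[FwRule], dnats: List[Dnat], snats: List[Snat],
             local_nets: List[str]) -> Verdict:
    # First matching rule wins; no match means the implicit deny. Matching uses the
    # original addresses/port (assumption drawn from the article's DNAT firewall rule).
    hit = next((r for r in fw if matches(r, p)), None)
    if hit is None or hit.action.lower() != "accept":
        return Verdict(False, hit.name if hit else "default deny", p)
    for d in dnats:   # inbound: rewrite destination to the internal VM and port
        if p.dst == d.original_ip and p.protocol.lower() == d.protocol.lower() and p.dport == d.original_port:
            return Verdict(True, hit.name, replace(p, dst=d.translated_ip, dport=d.translated_port))
    out = p
    if not any(covers(n, p.dst) for n in local_nets):   # outbound to the Internet: rewrite source
        for s in snats:
            if covers(s.original_net, p.src):
                out = replace(out, src=s.translated_ip)
                break
    return Verdict(True, hit.name, out)


# Constructed scenario: article values plus the assumptions named in the lead-in.
WAN_IP, OFFICE = "74.115.204.14", "199.244.76.86"
WEB_NET, DB_NET = "10.0.1.0/24", "10.0.2.0/24"
WEB_VM, DB_VM, SQL_PORT = "10.0.1.10", "10.0.2.10", 1433
LOCAL_NETS = [WEB_NET, DB_NET]
SNATS = [Snat(WEB_NET, WAN_IP)]
DNATS = [Dnat(WAN_IP, "TCP", 7000, WEB_VM, 3389)]
FIREWALL = [   # order matters: the specific allow and denies sit above the broad outbound allow
    FwRule("Allow-Web-to-DB-SQL", WEB_NET, DB_NET, "TCP", SQL_PORT),
    FwRule("Deny-Web-to-DB", WEB_NET, DB_NET, action="deny"),
    FwRule("Deny-Egress-SMB", "any", "any", "TCP", 445, action="deny"),   # egress filtering example
    FwRule("Allow-S_10.0.1.0-D_ANY", WEB_NET, "any"),
    FwRule("Allow-S_199.244.76.86-D_TCP7000", OFFICE, WAN_IP, "TCP", 7000),
]


def check(p: Packet) -> Verdict:
    return evaluate(p, FIREWALL, DNATS, SNATS, LOCAL_NETS)


if __name__ == "__main__":
    for p in [Packet(WEB_VM, "203.0.113.5", "TCP", 443), Packet(WEB_VM, DB_VM, "TCP", SQL_PORT),
              Packet(WEB_VM, DB_VM, "TCP", 3389), Packet(WEB_VM, "203.0.113.5", "TCP", 445),
              Packet(OFFICE, WAN_IP, "TCP", 7000), Packet("198.51.100.7", WAN_IP, "TCP", 7000)]:
        v = check(p)
        print(f"{p.src}->{p.dst}:{p.dport} {'ACCEPT' if v.allowed else 'DENY'} ({v.rule})"
              f" -> {v.packet.src}->{v.packet.dst}:{v.packet.dport}")
```

The table shows why rule order is part of the design: the SQL allow and the web-to-database deny must sit above Allow-S_10.0.1.0-D_ANY, otherwise the broad outbound rule would accept every web-to-database packet first. Likewise the egress deny on TCP/445 only takes effect because it precedes that rule, and the office can only reach the VM through the published port 7000, since a packet to the WAN IP on 3389 matches nothing and falls through to the implicit deny.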