Introduction:

This document describes the egress firewall rules feature for CloudStack-created isolated guest networks whose firewall is provided by the external device Juniper SRX.

Egress rules for guest networks served by the CloudStack virtual router (VR) are already part of CloudStack.

The egress rules for VR guest networks are discussed in the FS below; please go through it, as it contains a fuller explanation of egress rules for guest networks.

https://cwiki.apache.org/confluence/display/CLOUDSTACK/Egress+firewall+rules+for+guest+network

Requirement:

https://issues.apache.org/jira/browse/CLOUDSTACK-779

Feature specification:

This feature extends egress firewall rules to isolated guest networks whose firewall is an external Juniper SRX device.

Egress traffic originates in the guest network and is sent to the public network.

This feature controls the egress (outgoing) traffic from the guest network in an Advanced zone.

The configured egress firewall rules restrict the traffic leaving the SRX guest network.

APIs:

We use the APIs below [1] to configure the egress firewall rules on the SRX.

createEgressFirewallRule: To configure the egress firewall rule on the guest network.

deleteEgressFirewallRule: To delete an egress firewall rule on the guest network.

listEgressFirewallRules: To list the egress firewall rules configured for the guest network.
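As an added example (not CloudStack's own client code), the following Python builds a signed createEgressFirewallRule request using the CloudStack API signing scheme (parameters sorted and lower-cased, HMAC-SHA1 with the secret key, base64). The endpoint, API key, secret key and network id are constructed placeholders, and the helper names are assumptions.

```python
"""Build a signed CloudStack API request for createEgressFirewallRule.

Added example, not CloudStack's own client code. Endpoint, keys and the
network id are constructed placeholders; helper names are assumptions.
"""
import base64
import hashlib
import hmac
from urllib.parse import quote_plus


def _encode(value: str) -> str:
    # CloudStack signs with URL-encoded values in which spaces are %20, not '+'.
    return quote_plus(str(value)).replace("+", "%20")


def canonical_string(params: dict) -> str:
    """Sorted (case-insensitive) key=value pairs joined with '&', lower-cased."""
    pairs = [f"{key}={_encode(params[key])}" for key in sorted(params, key=str.lower)]
    return "&".join(pairs).lower()


def sign(params: dict, secret_key: str) -> str:
    """HMAC-SHA1 of the canonical string, base64-encoded, as CloudStack expects."""
    digest = hmac.new(secret_key.encode(), canonical_string(params).encode(),
                      hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def build_egress_rule_request(endpoint: str, api_key: str, secret_key: str,
                              network_id: str, protocol: str,
                              start_port: int, end_port: int, cidr_list: str) -> str:
    """Return the full GET URL for createEgressFirewallRule on one guest network."""
    if not 1 <= start_port <= end_port <= 65535:
        raise ValueError("invalid port range")
    params = {
        "command": "createEgressFirewallRule",
        "networkid": network_id,
        "protocol": protocol,
        "startport": str(start_port),
        "endport": str(end_port),
        "cidrlist": cidr_list,
        "apikey": api_key,
        "response": "json",
    }
    signature = sign(params, secret_key)
    # Send the parameters encoded the same way they were signed.
    query = "&".join(f"{k}={_encode(v)}" for k, v in params.items())
    return f"{endpoint}?{query}&signature={_encode(signature)}"


if __name__ == "__main__":
    # Constructed placeholder values; a real call needs a management server.
    url = build_egress_rule_request("https://cloudstack.example/client/api",
                                    "APIKEY", "SECRETKEY", "NET-ID",
                                    "tcp", 22, 22, "10.0.112.0/20")
    print(url)
```

The request allows TCP port 22 out of the 10.0.112.0/20 guest CIDR, matching the SRX example later in this document; the same signing helper serves deleteEgressFirewallRule and listEgressFirewallRules by changing the command and parameters.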

Default policy:

By default all guest network traffic is blocked; egress rules can be configured to allow only the specified traffic.

Supported Networks:

1. Advanced isolated networks

Back end changes for SRX: 

Currently the SRX allows all guest traffic to the public side by default. As part of this feature, traffic from the guest network to the public network is blocked by default.

We can configure the egress firewall rules to allow the specified traffic from guest network to public network.

In the SRX there are two zones, trust and untrust.

trust - guest network zone.

untrust - public network zone.

Make sure there is no existing security policy that accepts traffic from trust to untrust; otherwise the default block does not hold and the per-network egress policies below are not the only path out.

Example egress rule:

Guest network VLAN id: 1127

Source address: guest network CIDR 10.0.112.0/20

Policy name: egress-trust-untrust-1127, where 1127 is the guest network VLAN id.

Egress rule configuration on SRX:

Ex: egress rule to allow port 22 (SSH) traffic from guest CIDR 10.0.112.0/20.

set security policies from-zone trust to-zone untrust policy egress-trust-untrust-1127 match source-address 10-0-112-0-20
set security policies from-zone trust to-zone untrust policy egress-trust-untrust-1127 match destination-address any
set security policies from-zone trust to-zone untrust policy egress-trust-untrust-1127 match application tcp-22-22
set security policies from-zone trust to-zone untrust policy egress-trust-untrust-1127 then permit
set security policies from-zone trust to-zone untrust policy egress-trust-untrust-1127 then count

The policy references an address-book entry (10-0-112-0-20) in the trust zone and a custom application (tcp-22-22); both must exist before the policy can be committed. In Junos set syntax they would be defined as, for example (assumed definitions matching the names used above):

set security zones security-zone trust address-book address 10-0-112-0-20 10.0.112.0/20
set applications application tcp-22-22 protocol tcp destination-port 22-22

After configuring the above rule, only TCP port 22 traffic is allowed from 10.0.112.0/20; all other traffic from the guest network 10.0.112.0/20 remains blocked.
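To show the naming scheme behind the example above as a general procedure, here is an added Python generator (not CloudStack's JuniperSrxResource code) that produces the Junos set commands for an egress policy from the VLAN id, guest CIDR, protocol and port range, plus the matching delete commands. It reproduces the names used on this page (egress-trust-untrust-<vlan>, address name derived from the CIDR, application <proto>-<start>-<end>) and generalises them to any TCP/UDP port range; the function names and the prerequisite object definitions are assumptions.

```python
"""Generate Junos 'set'/'delete' commands for an SRX egress policy.

Added example, not CloudStack's own SRX resource code. It follows the naming
scheme shown on this page and generalises it to any TCP/UDP port range.
Function names and the prerequisite definitions are assumptions.
"""
import ipaddress

POLICY_PREFIX = "security policies from-zone trust to-zone untrust policy"


def address_name(cidr: str) -> str:
    """'10.0.112.0/20' -> '10-0-112-0-20', the address-book name on this page."""
    ipaddress.ip_network(cidr, strict=True)  # raises ValueError on bad input
    return cidr.replace(".", "-").replace("/", "-")


def application_name(protocol: str, start_port: int, end_port: int) -> str:
    """'tcp', 22, 22 -> 'tcp-22-22'."""
    if protocol not in ("tcp", "udp"):
        raise ValueError("only tcp and udp applications are generated here")
    if not 1 <= start_port <= end_port <= 65535:
        raise ValueError("invalid port range")
    return f"{protocol}-{start_port}-{end_port}"


def policy_name(vlan_id: int) -> str:
    return f"egress-trust-untrust-{int(vlan_id)}"


def prerequisite_commands(cidr, protocol, start_port, end_port):
    """Objects the policy references; they must exist before the commit."""
    app = application_name(protocol, start_port, end_port)
    return [
        f"set security zones security-zone trust address-book address "
        f"{address_name(cidr)} {cidr}",
        f"set applications application {app} protocol {protocol} "
        f"destination-port {start_port}-{end_port}",
    ]


def egress_policy_commands(vlan_id, cidr, protocol, start_port, end_port):
    """The permit policy for one guest network, exactly as on this page."""
    name = policy_name(vlan_id)
    app = application_name(protocol, start_port, end_port)
    return [
        f"set {POLICY_PREFIX} {name} match source-address {address_name(cidr)}",
        f"set {POLICY_PREFIX} {name} match destination-address any",
        f"set {POLICY_PREFIX} {name} match application {app}",
        f"set {POLICY_PREFIX} {name} then permit",
        f"set {POLICY_PREFIX} {name} then count",
    ]


def delete_policy_commands(vlan_id):
    """Removing the policy restores the default block for that guest network."""
    return [f"delete {POLICY_PREFIX} {policy_name(vlan_id)}"]


if __name__ == "__main__":
    for line in prerequisite_commands("10.0.112.0/20", "tcp", 22, 22):
        print(line)
    for line in egress_policy_commands(1127, "10.0.112.0/20", "tcp", 22, 22):
        print(line)
```

Because there is no trust-to-untrust accept policy, deleting the named policy is enough to return the network to its default-deny state; the generator validates the CIDR and port range so a malformed rule is rejected before anything is pushed to the device.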

UI Changes:

Currently the CloudStack Networks UI page can configure egress firewall rules for VR guest networks.

From the CloudStack Networks UI page we should also be able to configure egress firewall rules for SRX guest networks.

Upgrade Scenario:

After upgrade, the default egress behaviour of existing SRX guest networks should remain the same.

Supported Hypervisors:

Xen

KVM

VMware

Enhancements:

Support the egress rules feature for shared networks on SRX.

References:

[1] https://cwiki.apache.org/confluence/display/CLOUDSTACK/Egress+firewall+rules+for+guest+network
