Firewall Rules
Firewall rules, also called firewall policies, control whether communication is blocked or allowed based on rule criteria.
What are Firewall Rules
Firewall rules inspect packet information and enforce network security by allowing or blocking communication according to defined criteria.
Rule components include:
| Component | Description |
|---|---|
| Direction | Whether traffic is incoming to or outgoing from the resource. |
| Policy Type | The source and destination zones for the rule. |
| Sources | Where the traffic comes from. |
| Destinations | Where the traffic goes. |
| Services | Protocols and ports used by the communication. |
| Description | Optional reference text for the rule. |
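To make the matching semantics concrete, the following is an added illustrative model of how a rule with these components is evaluated against a packet. It is example code, not SITE Cloud's implementation, and the class and field names, the sample rules, and the default-deny outcome are assumptions chosen for the demonstration.

```python
"""Illustrative firewall rule matching (added example; not SITE Cloud code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Service:
    """A protocol plus an inclusive port range; ICMP carries no ports."""
    protocol: str                      # "TCP", "UDP" or "ICMP"
    ports: Tuple[int, int] = (0, 0)    # (low, high), ignored for ICMP

    def matches(self, protocol: str, port: Optional[int]) -> bool:
        if protocol.upper() != self.protocol.upper():
            return False
        if self.protocol.upper() == "ICMP":
            return True                # no port to compare
        if port is None:
            return False
        low, high = self.ports
        return low <= port <= high


@dataclass(frozen=True)
class Packet:
    direction: str                     # "Incoming" or "Outgoing" relative to the resource
    src: str
    dst: str
    protocol: str
    port: Optional[int] = None


@dataclass
class Rule:
    direction: str
    sources: List[str]                 # IPs or CIDR subnets
    destinations: List[str]
    services: List[Service]
    description: str = ""

    @staticmethod
    def _in_any(addr: str, nets: List[str]) -> bool:
        # strict=False lets a host address with a mask ("10.0.0.5/24") still parse
        return any(ip_address(addr) in ip_network(n, strict=False) for n in nets)

    def matches(self, pkt: Packet) -> bool:
        return (
            pkt.direction == self.direction
            and self._in_any(pkt.src, self.sources)
            and self._in_any(pkt.dst, self.destinations)
            and any(s.matches(pkt.protocol, pkt.port) for s in self.services)
        )


def evaluate(rules: List[Rule], pkt: Packet) -> bool:
    """Allow only when some rule matches every component; anything else is denied."""
    return any(r.matches(pkt) for r in rules)


# Constructed sample rules (assumed addresses, not real infrastructure).
SAMPLE_RULES = [
    Rule("Incoming", ["10.20.0.0/16"], ["10.30.1.10"],
         [Service("TCP", (443, 443))], "HTTPS from MAN subnet"),
    Rule("Incoming", ["0.0.0.0/0"], ["10.30.1.10"],
         [Service("ICMP")], "Ping from anywhere"),
]

if __name__ == "__main__":
    print(evaluate(SAMPLE_RULES, Packet("Incoming", "10.20.5.7", "10.30.1.10", "tcp", 443)))
    print(evaluate(SAMPLE_RULES, Packet("Incoming", "10.20.5.7", "10.30.1.10", "tcp", 80)))
```

Every component must match for a rule to apply, and a packet that matches no rule is denied, which is why a wrong Direction on an otherwise correct rule silently blocks traffic.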
Viewing Firewall Rules
For a VM
- Open Compute.
- Open Virtual Machines.
- Search by VM ID or VM IP.
- Open the VM.
- Open the Firewall Rules tab.
Across Environments
Open Networking > Firewall Rules to view and search firewall rules across environments.
Creating a Firewall Rule
Firewall rules can be added from the Firewall Rules tab on a VM page or load balancer page.
Direction
Direction specifies traffic direction on the VM or load balancer:
- Incoming to the VM or load balancer.
- Outgoing from the VM. Load balancers have no outgoing interface, so Outgoing rules apply to VMs only.
When the destination is a VM or load balancer in the same SITE Cloud environment, add the rule on the destination resource with direction Incoming.
When the destination is outside SITE Cloud or in a different environment (for example the internet, a MAN/on-premises network, or an environment in another region), add the rule on the source VM with direction Outgoing.
Policy Type
Policy type describes the source and destination zones.
| Zone | Meaning |
|---|---|
| INTERNET / NET | Public IP on the internet outside SITE Cloud. Internet access is conditional and applies only when the VM or load balancer is in SSA and has a public IP. |
| ON-PREM / MAN | Private IP in an on-premises MAN connection, or a VM/load balancer in a different environment. |
| HSA | High Security Assurance zone for restricted workloads. |
| SSA | Standard Security Assurance zone for workloads that can connect to and from the internet with appropriate controls. |
Sources and Destinations
The source must match the source type selected in the policy type. Enter one or more valid IPs, subnets, or virtual machines.
The destination must match where traffic is going. Enter one or more valid IPs or subnets.
Services
A service is a protocol together with the port or port range the communication uses; a rule can list several services. Supported protocols are TCP, UDP, and ICMP (ICMP has no ports, so only the protocol is specified).
Description
The description is free text attached to the rule.
Tip
Descriptions are optional, but a short statement of the rule's purpose makes future audits and troubleshooting much easier.
Editing a Firewall Rule
Click the edit icon on the far right of the firewall rule row.
Deleting a Firewall Rule
Click the delete icon on the far right of the firewall rule row.
Exporting Firewall Rules
- Sign in to Cloud Portal.
- Open Networking.
- Open Firewall Rules.
- Filter by business group, resource type, direction, or policy type as needed.
- Export the filtered firewall rule list.
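Once a filtered list is exported, it can be reviewed offline for rules that deserve a second look. The script below is an added example, not part of the Cloud Portal or its export tooling: the CSV column names, the `;` separator for multiple values, the `PROTO/low-high` service notation, the sample rows, and the port-count threshold are all assumptions, so map them to the actual export format before use.

```python
"""Audit an exported firewall rule list (added example; CSV layout is assumed)."""
import csv
import io
from typing import Dict, List, Tuple

# Constructed sample export. Column names and the ';' separator are assumptions.
SAMPLE_EXPORT = """resource,direction,policy_type,sources,destinations,services,description
vm-web-01,Incoming,INTERNET,0.0.0.0/0,203.0.113.10,TCP/443,Public HTTPS for web tier
vm-web-01,Incoming,INTERNET,0.0.0.0/0,203.0.113.10,TCP/1-65535,
vm-db-01,Incoming,SSA,10.10.0.0/24,10.10.1.5,TCP/5432,Postgres from app subnet
vm-app-01,Outgoing,ON-PREM,10.10.0.7,172.16.0.0/12,UDP/53;TCP/389,
lb-api-01,Incoming,INTERNET,0.0.0.0/0,203.0.113.20,ICMP,Allow ping from monitoring
vm-app-01,Incoming,SSA,0.0.0.0/0,10.10.0.7,TCP/22,SSH from anywhere
"""

BROAD_PORT_LIMIT = 1024  # assumed threshold: a TCP/UDP service wider than this is "broad"
ANY_SOURCE = "0.0.0.0/0"


def port_count(service: str) -> int:
    """Number of ports a service covers: 'TCP/443' -> 1, 'TCP/1-65535' -> 65535, 'ICMP' -> 0."""
    proto, _, ports = service.strip().upper().partition("/")
    if proto == "ICMP" or not ports:
        return 0
    low, _, high = ports.partition("-")
    return int(high or low) - int(low) + 1


def audit_rule(row: Dict[str, str]) -> List[str]:
    """Return human-readable findings for one exported rule (empty list if none)."""
    findings = []
    if not row["description"].strip():
        findings.append("missing description")
    services = [s for s in row["services"].split(";") if s.strip()]
    if any(port_count(s) > BROAD_PORT_LIMIT for s in services):
        findings.append("broad port range")
    sources = [s.strip() for s in row["sources"].split(";")]
    # An any-source Incoming rule is expected on an INTERNET policy type; elsewhere it is
    # usually a mistake, since the zone should already constrain where traffic comes from.
    if (row["direction"] == "Incoming" and ANY_SOURCE in sources
            and row["policy_type"].upper() != "INTERNET"):
        findings.append("any-source rule outside INTERNET policy type")
    return findings


def audit_export(csv_text: str) -> List[Tuple[str, str, List[str]]]:
    """Audit every row; return (resource, direction, findings) for rows with findings."""
    reader = csv.DictReader(io.StringIO(csv_text))
    flagged = []
    for row in reader:
        findings = audit_rule(row)
        if findings:
            flagged.append((row["resource"], row["direction"], findings))
    return flagged


if __name__ == "__main__":
    for resource, direction, findings in audit_export(SAMPLE_EXPORT):
        print(f"{resource} ({direction}): {', '.join(findings)}")
```

Run it against the exported file instead of `SAMPLE_EXPORT`; rules with no findings are not listed, so an empty result means every rule passed the checks, not that the file was empty.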