- 19 Sep 2023
Manage your NSX Edge Gateway in VDC
Managing your Edge Gateway in VDC
Edges represent an NSX Edge Gateway, which is the built-in router and firewall appliance included with your VDC.
We provide you with a single edge appliance, which can manage multiple separate networks.
Navigate to Networking > Edge Gateways.
Select your Edge Gateway. From here you have a variety of features you can select and modify.
These are covered below:
IP Sets
Before you start creating firewall rules, you'll need to define 'IP Sets', which are groups of IP addresses (one or many).
IP sets allow you to cover multiple IP addresses in a single rule.
Once you click the 'New' button, set the Name, Description, and IP addresses that the group will contain.
Once you have defined the IP set, you can use it later in the firewall section.
Application Port Profiles
Application port profiles are groupings of TCP or UDP ports which can be used in firewall rules to allow or deny traffic through the firewall.
There are many pre-defined profiles that you can use in your firewall rules; however, sometimes you may need to create your own.
To do this, navigate to "Application Port Profiles" and click "New" under "Custom Applications".
Once the dialog appears, give it a name and add the port/protocols required.
Then hit save. You can now use this application port profile in your firewall rules.
Firewall
The firewall section allows you to set and modify firewall rules for your VDC. From first provisioning, two “default” rules are created:
Allow Local Network Out permits VMs to access the Internet. This is because:
- Source is “Local Network”. Further information on these names is included in “IP Sets”.
- Destination is “Any”, meaning any destination.
Default Rule drops any incoming traffic. Think of this as the “catch-all” rule that should be the last rule applied, when no other rule matches.
To add, edit or delete rules select Edit Rules. An in-browser window will appear.
Select New On Top to create a new rule. You will be prompted for a number of options:
- Name: A user-friendly name for your reference of what this rule allows or denies.
- State: This can be either enabled or disabled.
- Applications: This allows you to define specific TCP or UDP ports that will match the rule. Many well-known applications are included in the available list.
- Source: An applicable “IP Set” which will be checked for the source of traffic. Further information on these names is included in “IP Sets”.
- Destination: An applicable “IP Set” which will be checked for the destination of traffic. Further information on these names is included in “IP Sets”.
- Action: An option of either Allow, Drop or Reject.
- Drop is “silent”: the packet is discarded and nothing is sent back to the sender.
- Reject is a “friendly rejection”: the sender commonly receives an “unreachable” message in return.
- IP Protocol: Define either IPv4, IPv6 or dual-stack (both).
- Logging: Whether to enable logging for this rule.
For example, suppose we want to publish a web server (listening on port 80 and port 443) that is allowed from Any source to our Primary Public IP. We would create a firewall rule for that traffic, then a NAT rule to translate it so that it reaches our VM.
NAT
The NAT section allows you to set and modify NAT rules for your VDC. From first provisioning, one “default” NAT rule is created:
The Local IPs out via Primary IP rule lets all VMs on the local network (192.168.0.0/24) communicate out to the Internet. This means from the initial setup, VMs can reach out to update/package servers as required.
To allow inbound communication you will need to configure additional NAT rules. Select New to begin. There are a number of options available:
- Name: A user-friendly name for the NAT rule. It is recommended to reference the VM or application this links to.
- Description: Further text to associate the purpose of this NAT rule.
- Interface Type: This defines either “Destination NAT (DNAT)” or “Source NAT (SNAT)”.
- DNAT should be used for “inbound” NAT rules when a Public IP must be translated to a Private IP.
- SNAT should be used for “outbound” NAT rules when a Private IP must be translated to a Public IP.
- External IP: Enter the public IP address you want to NAT to.
- External Port (DNAT only): Enter the external port to NAT.
- Internal IP: The IP of the virtual machine you want the NAT rule to apply to.
- Application: Defines the port or ports you want to NAT to.
- State: Enable or Disable the rule.
- Logging: Enable or Disable logging of the NAT rule. The logs are only available to Servers Australia, so we suggest leaving this OFF unless you have a support case open to debug specific rules.
- Priority: If an address has multiple NAT rules, the rule with the highest priority is applied. A lower value means higher precedence for this rule.
- Firewall Match: Determines which address the firewall matches on during NAT, if the firewall stage is not skipped. Below are the valid values:
- Match Internal Address: Indicates the firewall will be applied to the internal address of a NAT rule. For SNAT, the internal address is the original source address before NAT is done. For DNAT, the internal address is the translated destination address after NAT is done.
- Match External Address: Indicates the firewall will be applied to the external address of a NAT rule. For SNAT, the external address is the translated source address after NAT is done. For DNAT, the external address is the original destination address before NAT is done.
- Bypass: The firewall stage will be skipped.
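The IP Sets, Application Port Profiles, Firewall and NAT sections above together describe one processing order: rules are evaluated top-down with the Default Rule as the catch-all, and a NAT rule's Firewall Match setting decides whether the firewall sees the address before or after translation. The Python below is an added example that models that behaviour with constructed data; it is not Servers Australia or VMware code. The IP Set names, the placeholder public IP 203.0.113.10 standing in for the Primary Public IP, 192.168.0.10 as the web server, and the simplified first-match semantics are all assumptions. It walks the Firewall section's worked example (web server on 80/443, allowed from Any to the Primary Public IP) through a DNAT rule, and shows why the firewall rule's destination IP Set has to agree with the Firewall Match setting: with Match External Address the rule on the Primary Public IP matches, with Match Internal Address the same packet falls through to the Default Rule.

```python
# Added example: a model of the edge-gateway firewall and NAT pipeline with
# constructed data. Not vendor or provider code.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed IP Sets. 203.0.113.10 (documentation range) stands in for the
# tenant's Primary Public IP; Local Network is the page's 192.168.0.0/24.
IP_SETS = {
    "Any": ["0.0.0.0/0"],
    "Local Network": ["192.168.0.0/24"],
    "Primary Public IP": ["203.0.113.10/32"],
}
# Constructed Application Port Profiles as (protocol, port) pairs; None = any.
APP_PROFILES = {"HTTP": [("tcp", 80)], "HTTPS": [("tcp", 443)], "Any": None}


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass
class FwRule:
    name: str
    action: str                  # "Allow", "Drop" or "Reject"
    source: str = "Any"          # IP Set name
    destination: str = "Any"     # IP Set name
    applications: tuple = ("Any",)
    enabled: bool = True


@dataclass
class NatRule:
    name: str
    kind: str                    # "DNAT" (inbound) or "SNAT" (outbound)
    external_ip: str
    internal: str                # VM IP (DNAT) or local CIDR (SNAT)
    priority: int = 0            # lower value = higher precedence
    external_port: Optional[int] = None
    firewall_match: str = "Match Internal Address"  # or "Match External Address" / "Bypass"
    enabled: bool = True


def in_ip_set(addr: str, ip_set: str) -> bool:
    return any(ip_address(addr) in ip_network(cidr) for cidr in IP_SETS[ip_set])


def app_matches(apps, proto: str, port: int) -> bool:
    return any(APP_PROFILES[a] is None or (proto, port) in APP_PROFILES[a] for a in apps)


def firewall(rules, pkt: Packet):
    """Rules are evaluated top-down; the first enabled match decides."""
    for r in rules:
        if (r.enabled and in_ip_set(pkt.src, r.source) and in_ip_set(pkt.dst, r.destination)
                and app_matches(r.applications, pkt.proto, pkt.dport)):
            return r.name, r.action
    raise RuntimeError("no catch-all rule: keep the Default Rule at the bottom")


def sender_sees(action: str) -> Optional[str]:
    """Drop is silent; Reject answers the sender with an unreachable message."""
    return "unreachable" if action == "Reject" else None


def pick_nat(nat_rules, kind: str, pkt: Packet) -> Optional[NatRule]:
    """DNAT matches on external IP (and port, if set); SNAT on the internal source."""
    hits = [r for r in nat_rules if r.enabled and r.kind == kind and (
        (kind == "DNAT" and pkt.dst == r.external_ip and r.external_port in (None, pkt.dport))
        or (kind == "SNAT" and ip_address(pkt.src) in ip_network(r.internal)))]
    return min(hits, key=lambda r: r.priority) if hits else None


def edge(fw_rules, nat_rules, pkt: Packet, direction: str):
    """NAT selection, then the firewall applied to whichever address the NAT rule's
    Firewall Match setting exposes. Returns (rule name, action, delivered packet)."""
    kind = "DNAT" if direction == "inbound" else "SNAT"
    nat = pick_nat(nat_rules, kind, pkt)
    if nat is None:                      # untranslated traffic still hits the firewall
        name, action = firewall(fw_rules, pkt)
        return name, action, pkt if action == "Allow" else None
    if kind == "DNAT":
        translated = Packet(pkt.src, nat.internal, pkt.proto, pkt.dport)
    else:
        translated = Packet(nat.external_ip, pkt.dst, pkt.proto, pkt.dport)
    if nat.firewall_match == "Bypass":
        return nat.name, "Bypass", translated
    # Per the page: for DNAT the internal address is the post-NAT destination and the
    # external address is the original one; for SNAT it is the other way round.
    internal_view = translated if kind == "DNAT" else pkt
    external_view = pkt if kind == "DNAT" else translated
    seen = internal_view if nat.firewall_match == "Match Internal Address" else external_view
    name, action = firewall(fw_rules, seen)
    return name, action, translated if action == "Allow" else None


# Constructed ruleset: the two default firewall rules plus the page's worked example
# (web server on 80/443 published on the Primary Public IP, DNAT to 192.168.0.10).
FW_RULES = [
    FwRule("Allow Web In", "Allow", "Any", "Primary Public IP", ("HTTP", "HTTPS")),
    FwRule("Allow Local Network Out", "Allow", "Local Network", "Any"),
    FwRule("Default Rule", "Drop"),
]
NAT_RULES = [
    NatRule("Local IPs out via Primary IP", "SNAT", "203.0.113.10", "192.168.0.0/24"),
    NatRule("web01 DNAT", "DNAT", "203.0.113.10", "192.168.0.10",
            firewall_match="Match External Address"),
]

if __name__ == "__main__":
    print(edge(FW_RULES, NAT_RULES, Packet("198.51.100.7", "203.0.113.10", "tcp", 443), "inbound"))
    print(edge(FW_RULES, NAT_RULES, Packet("192.168.0.20", "8.8.8.8", "udp", 53), "outbound"))
```

Running it shows the HTTPS request landing on 192.168.0.10 via "Allow Web In", while the outbound DNS query leaves with the Primary Public IP as its source under "Allow Local Network Out". Swapping the DNAT rule to Match Internal Address (the model's default) makes the same HTTPS packet hit the Default Rule, because the firewall then sees 192.168.0.10 rather than the Primary Public IP. The practical lesson is to check which address the NAT rule exposes before writing the matching firewall rule, and to keep the Default Rule at the bottom so that anything unmatched is dropped rather than silently passed.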
IPSec VPN
Create or edit IPsec VPN connections that facilitate secure connections between sites. IPsec allows your private network to be accessible from your other sites, home, or office.
The below screenshot shows an example configuration.
Load Balancer - Available on Request
NSX-T Advanced Load Balancer (AVI) is available on request. Please submit a support case if you'd like this enabled on your VDC.
For more information on how to manage this service please see the following documentation.