
13.5. Hardware Firewall

All deployments should have a firewall protecting the management server; see Generic Firewall Provisions. Optionally, some deployments may also have a Juniper SRX firewall that will be the default gateway for the guest networks; see Section 13.5.2, “External Guest Firewall Integration for Juniper SRX (Optional)”.

13.5.1. Generic Firewall Provisions

The hardware firewall is required to serve two purposes:
  • Protect the Management Servers. NAT and port forwarding should be configured to direct traffic from the public Internet to the Management Servers.
  • Route management network traffic between multiple zones. Site-to-site VPN should be configured between multiple zones.
To achieve the above purposes you must set up fixed configurations for the firewall. Firewall rules and policies need not change as users are provisioned into the cloud. Any brand of hardware firewall that supports NAT and site-to-site VPN can be used.

13.5.2. External Guest Firewall Integration for Juniper SRX (Optional)

Note

Available only for guests using advanced networking.
CloudStack provides for direct management of the Juniper SRX series of firewalls. This enables CloudStack to establish static NAT mappings from public IPs to guest VMs, and to use the Juniper device in place of the virtual router for firewall services. You can have one or more Juniper SRX per zone. This feature is optional. If Juniper integration is not provisioned, CloudStack will use the virtual router for these services.
The Juniper SRX can optionally be used in conjunction with an external load balancer. External Network elements can be deployed in a side-by-side or inline configuration.
parallel-mode.png: adding a firewall and load balancer in parallel mode.
CloudStack requires the Juniper to be configured as follows:

Note

Supported SRX software version is 10.3 or higher.
  1. Install your SRX appliance according to the vendor's instructions.
  2. Connect one interface to the management network and one interface to the public network. Alternatively, you can connect the same interface to both networks and use a VLAN for the public network.
  3. Make sure "vlan-tagging" is enabled on the private interface.
  4. Record the public and private interface names. If you used a VLAN for the public interface, add a ".[VLAN TAG]" after the interface name. For example, if you are using ge-0/0/3 for your public interface and VLAN tag 301, your public interface name would be "ge-0/0/3.301". Your private interface name should always be untagged because the CloudStack software automatically creates tagged logical interfaces.
  5. Create a public security zone and a private security zone. By default, these will already exist and will be called "untrust" and "trust". Add the public interface to the public zone and the private interface to the private zone. Note down the security zone names.
  6. Make sure there is a security policy from the private zone to the public zone that allows all traffic.
  7. Note the username and password of the account you want the CloudStack software to log in to when it is programming rules.
  8. Make sure the "ssh" and "xnm-clear-text" system services are enabled. CloudStack programs the SRX over these services; xnm-clear-text is the unencrypted JUNOScript/XML management service, so the credentials from step 7 travel in the clear. Reach it only from the management network and do not expose it on the public interface.
  9. If traffic metering is desired:
    1. Create an incoming firewall filter and an outgoing firewall filter. These filters must have the same names as your public security zone and your private security zone respectively, and must be set to "interface-specific". For example, here is the configuration where the public zone is "untrust" and the private zone is "trust":
      root@cloud-srx# show firewall
      filter trust {
          interface-specific;
      }
      filter untrust {
          interface-specific;
      }
    2. Add the firewall filters to your public interface. For example, a sample configuration output (for public interface ge-0/0/3.0, public security zone untrust, and private security zone trust) is:
      ge-0/0/3 {
          unit 0 {
              family inet {
                  filter {
                      input untrust;
                      output trust;
                  }
                  address 172.25.0.252/16;
              }
          }
      }
  10. Make sure all guest VLANs are trunked to the private interface of the SRX.
  11. After the CloudStack Management Server is installed, log in to the CloudStack UI as administrator.
  12. In the left navigation bar, click Infrastructure.
  13. In Zones, click View More.
  14. Choose the zone you want to work with.
  15. Click the Network tab.
  16. In the Network Service Providers node of the diagram, click Configure. (You might have to scroll down to see this.)
  17. Click SRX.
  18. Click the Add New SRX button (+) and provide the following:
    • IP Address: The IP address of the SRX.
    • Username: The user name of the account on the SRX that CloudStack should use.
    • Password: The password of the account.
    • Public Interface: The name of the public interface on the SRX. For example, ge-0/0/2. A ".x" at the end of the interface name indicates the VLAN that is in use.
    • Private Interface: The name of the private interface on the SRX. For example, ge-0/0/1.
    • Usage Interface: (Optional) Typically, the public interface is used to meter traffic. If you want to use a different interface, specify its name here.
    • Number of Retries: The number of times to attempt a command on the SRX before failing. The default value is 2.
    • Timeout (seconds): The time to wait for a command on the SRX before considering it failed. Default is 300 seconds.
    • Public Network: The name of the public security zone on the SRX (from step 5). For example, untrust.
    • Private Network: The name of the private security zone on the SRX (from step 5). For example, trust.
    • Capacity: The number of networks the device can handle.
    • Dedicated: When marked as dedicated, this device is dedicated to a single account. When Dedicated is checked, the Capacity field is ignored and the capacity is implicitly 1.
  19. Click OK.
  20. Click Global Settings. Set the parameter external.network.stats.interval to indicate how often you want CloudStack to fetch network usage statistics from the Juniper SRX. If you are not using the SRX to gather network usage statistics, set to 0.
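The SRX preparation in steps 1 to 10 is easy to get subtly wrong (zones swapped, a filter applied to the wrong logical unit, a management service left off), and the mistake only surfaces when CloudStack first tries to program a rule. The following Python script is an added example, not CloudStack project code: it reads the output of `show configuration | display set` on the SRX and checks each requirement above before the device is added in the UI. The configuration it carries is a constructed fragment for ge-0/0/3.301 as the tagged public interface, ge-0/0/1 as the private interface and the default untrust/trust zones; it assumes, as the ".[VLAN TAG]" naming convention implies, that a tagged public interface's logical unit number equals its VLAN id.

```python
"""Pre-flight check of a Juniper SRX configuration against the CloudStack
requirements above.  Added example, not CloudStack code.

Input is `show configuration | display set` output (one `set ...` statement
per line).  SAMPLE_CONFIG is constructed: ge-0/0/3.301 public, ge-0/0/1
private, zones untrust/trust.  Assumption: a tagged public interface's unit
number equals its VLAN id (the ".[VLAN TAG]" convention).
"""
import sys

SAMPLE_CONFIG = """\
set system services ssh
set system services xnm-clear-text
set interfaces ge-0/0/1 vlan-tagging
set interfaces ge-0/0/3 vlan-tagging
set interfaces ge-0/0/3 unit 301 vlan-id 301
set interfaces ge-0/0/3 unit 301 family inet filter input untrust
set interfaces ge-0/0/3 unit 301 family inet filter output trust
set interfaces ge-0/0/3 unit 301 family inet address 172.25.0.252/16
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone untrust interfaces ge-0/0/3.301
set security policies from-zone trust to-zone untrust policy allow-all match source-address any
set security policies from-zone trust to-zone untrust policy allow-all match destination-address any
set security policies from-zone trust to-zone untrust policy allow-all match application any
set security policies from-zone trust to-zone untrust policy allow-all then permit
set firewall filter trust interface-specific
set firewall filter untrust interface-specific
"""


def parse_display_set(text):
    """Return each `set ...` statement as a token list, with the leading 'set' dropped."""
    return [line.split()[1:] for line in text.splitlines() if line.strip().startswith("set ")]


def _has(stmts, *prefix):
    """True if some statement starts with exactly these tokens."""
    return any(s[: len(prefix)] == list(prefix) for s in stmts)


def split_ifname(name):
    """'ge-0/0/3.301' -> ('ge-0/0/3', '301'); an untagged 'ge-0/0/1' -> ('ge-0/0/1', '0')."""
    phys, _, unit = name.partition(".")
    return phys, unit or "0"


def check_srx_config(text, public_if, private_if, public_zone, private_zone, metering=False):
    """Return a list of failed requirements; an empty list means the SRX is ready."""
    stmts = parse_display_set(text)
    problems = []
    pub_phys, pub_unit = split_ifname(public_if)
    priv_phys, priv_unit = split_ifname(private_if)
    pub_logical = f"{pub_phys}.{pub_unit}"

    # Step 3/4: the private interface is given untagged and carries vlan-tagging,
    # because CloudStack creates the tagged guest units on it itself.
    if priv_unit != "0":
        problems.append(f"{private_if}: private interface must be given untagged")
    if not _has(stmts, "interfaces", priv_phys, "vlan-tagging"):
        problems.append(f"{priv_phys}: vlan-tagging not enabled")
    # Step 4: a tagged public interface needs vlan-tagging and a unit whose vlan-id matches.
    if pub_unit != "0":
        if not _has(stmts, "interfaces", pub_phys, "vlan-tagging"):
            problems.append(f"{pub_phys}: vlan-tagging not enabled but {public_if} is tagged")
        if not _has(stmts, "interfaces", pub_phys, "unit", pub_unit, "vlan-id", pub_unit):
            problems.append(f"{public_if}: unit {pub_unit} has no vlan-id {pub_unit}")
    # Step 5: public unit in the public zone, some unit of the private interface in the private zone.
    if not _has(stmts, "security", "zones", "security-zone", public_zone, "interfaces", pub_logical):
        problems.append(f"{pub_logical} not in zone {public_zone}")
    priv_zone_prefix = ["security", "zones", "security-zone", private_zone, "interfaces"]
    if not any(s[:5] == priv_zone_prefix and s[5].startswith(priv_phys + ".")
               for s in stmts if len(s) > 5):
        problems.append(f"no unit of {priv_phys} in zone {private_zone}")
    # Step 6: a policy from the private zone to the public zone that permits everything.
    pol = ["security", "policies", "from-zone", private_zone, "to-zone", public_zone, "policy"]
    names = {s[7] for s in stmts if len(s) > 7 and s[:7] == pol}
    if not any(_has(stmts, *pol, n, "match", "source-address", "any")
               and _has(stmts, *pol, n, "match", "destination-address", "any")
               and _has(stmts, *pol, n, "match", "application", "any")
               and _has(stmts, *pol, n, "then", "permit") for n in names):
        problems.append(f"no permit-all policy from {private_zone} to {public_zone}")
    # Step 8: the services CloudStack drives the SRX through.
    for svc in ("ssh", "xnm-clear-text"):
        if not _has(stmts, "system", "services", svc):
            problems.append(f"system service {svc} not enabled")
    # Step 9 (optional): metering filters named after the zones, applied on the public unit.
    if metering:
        for zone in (public_zone, private_zone):
            if not _has(stmts, "firewall", "filter", zone, "interface-specific"):
                problems.append(f"firewall filter {zone} missing or not interface-specific")
        fam = ["interfaces", pub_phys, "unit", pub_unit, "family", "inet", "filter"]
        if not _has(stmts, *fam, "input", public_zone):
            problems.append(f"{pub_logical}: input filter {public_zone} not applied")
        if not _has(stmts, *fam, "output", private_zone):
            problems.append(f"{pub_logical}: output filter {private_zone} not applied")
    return problems


if __name__ == "__main__":
    # Pass a file containing real `display set` output, or run with the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    issues = check_srx_config(text, "ge-0/0/3.301", "ge-0/0/1", "untrust", "trust", metering=True)
    print("SRX ready for CloudStack" if not issues else "\n".join(issues))
```

Run it against a saved `display set` dump with the interface and zone names you intend to type into the Add New SRX dialog; a swapped Public Network / Private Network pair shows up immediately as "not in zone" and "no permit-all policy" findings rather than as a failed rule push later.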

13.5.3. External Guest Firewall Integration for Cisco VNMC (Optional)

Cisco Virtual Network Management Center (VNMC) provides centralized multi-device and policy management for Cisco Network Virtual Services. You can integrate Cisco VNMC with CloudStack to leverage the firewall and NAT service offered by ASA 1000v Cloud Firewall. Use it in a Cisco Nexus 1000v dvSwitch-enabled cluster in CloudStack. In such a deployment, you will be able to:
  • Configure Cisco ASA 1000v firewalls. You can configure one per guest network.
  • Use Cisco ASA 1000v firewalls to create and apply security profiles that contain ACL policy sets for both ingress and egress traffic.
  • Use Cisco ASA 1000v firewalls to create and apply Source NAT, Port Forwarding, and Static NAT policy sets.
CloudStack supports Cisco VNMC on Cisco Nexus 1000v dvSwitch-enabled VMware hypervisors.

13.5.3.1. Using Cisco ASA 1000v Firewall, Cisco Nexus 1000v dvSwitch, and Cisco VNMC in a Deployment

13.5.3.1.1. Guidelines
  • Cisco ASA 1000v firewall is supported only in Isolated Guest Networks.
  • Cisco ASA 1000v firewall is not supported on VPC.
  • Cisco ASA 1000v firewall is not supported for load balancing.
  • When a guest network is created with Cisco VNMC as the firewall provider, an additional public IP is acquired along with the Source NAT IP. The Source NAT IP is used for the rules, whereas the additional IP is used for the ASA outside interface. Ensure that this additional public IP is never released. You can identify it as soon as the network is in the Implemented state and before acquiring any further public IPs: it is the one IP that is not marked as Source NAT. You can also find the IP used for the ASA outside interface by looking at the Cisco VNMC used in your guest network.
  • Use the public IP address range from a single subnet. You cannot add IP addresses from different subnets.
  • Only one ASA instance per VLAN is allowed because multiple VLANs cannot be trunked to ASA ports. Therefore, you can use only one ASA instance in a guest network.
  • Only one Cisco VNMC per zone is allowed.
  • Supported only in Inline mode deployment with load balancer.
  • The ASA firewall rule is applicable to all the public IPs in the guest network. Unlike the firewall rules created on virtual router, a rule created on the ASA device is not tied to a specific public IP.
  • Use a version of Cisco Nexus 1000v dvSwitch that supports the vservice command, for example nexus-1000v.4.2.1.SV1.5.2b.bin.
    Cisco VNMC requires the vservice command to be available on the Nexus switch to create a guest network in CloudStack.
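The guideline about the additional public IP is the one most likely to be broken later, by an operator releasing what looks like an unused address. The following Python script is an added example, not CloudStack code, showing the check as an API call rather than a UI lookup: it builds a signed listPublicIpAddresses request using CloudStack's documented request-signing scheme, then selects the one allocated IP in the network that is not marked Source NAT, and refuses to guess once further IPs have been acquired. The embedded response is a constructed fragment; the network id, API keys, endpoint host and addresses are placeholders.

```python
"""Identify the ASA 1000v outside-interface IP of a VNMC-backed guest network.

Added example, not CloudStack project code.  SAMPLE_RESPONSE is a constructed
fragment of a listPublicIpAddresses reply (field names are CloudStack's; ids,
addresses and the network id are placeholders).  The signing helpers follow
CloudStack's documented API request signing: URL-encoded name=value pairs
sorted by name, lower-cased, HMAC-SHA1 with the secret key, base64.
"""
import base64
import hashlib
import hmac
from urllib.parse import quote

SAMPLE_RESPONSE = {  # constructed
    "listpublicipaddressesresponse": {
        "count": 2,
        "publicipaddress": [
            {"id": "aaaaaaaa-0000-4000-8000-000000000001", "ipaddress": "203.0.113.10",
             "issourcenat": True, "associatednetworkid": "net-placeholder", "state": "Allocated"},
            {"id": "aaaaaaaa-0000-4000-8000-000000000002", "ipaddress": "203.0.113.11",
             "issourcenat": False, "associatednetworkid": "net-placeholder", "state": "Allocated"},
        ],
    }
}


def canonical_query(params):
    """The string CloudStack signs: encoded pairs sorted by name, whole string lower-cased."""
    pairs = sorted(((k, quote(str(v), safe="")) for k, v in params.items()),
                   key=lambda kv: kv[0].lower())
    return "&".join(f"{k}={v}" for k, v in pairs).lower()


def sign_request(params, secret_key):
    """HMAC-SHA1 over canonical_query, base64, URL-encoded for use as signature=..."""
    mac = hmac.new(secret_key.encode(), canonical_query(params).encode(), hashlib.sha1).digest()
    return quote(base64.b64encode(mac).decode(), safe="")


def list_public_ips_url(endpoint, api_key, secret_key, network_id):
    """Full GET URL for listPublicIpAddresses restricted to one guest network."""
    params = {
        "command": "listPublicIpAddresses",
        "associatednetworkid": network_id,
        "apiKey": api_key,
        "response": "json",
    }
    query = "&".join(f"{k}={quote(str(v), safe='')}" for k, v in params.items())
    return f"{endpoint}?{query}&signature={sign_request(params, secret_key)}"


def asa_outside_ip(response, network_id):
    """Return the single allocated IP of the network that is not the Source NAT IP.

    Raises ValueError when the answer is ambiguous: before the network is
    implemented (no Source NAT IP yet) or after further public IPs were acquired.
    """
    body = response["listpublicipaddressesresponse"]
    ips = [ip for ip in body.get("publicipaddress", [])
           if ip.get("associatednetworkid") == network_id and ip.get("state") == "Allocated"]
    snat = [ip["ipaddress"] for ip in ips if ip.get("issourcenat")]
    extra = [ip["ipaddress"] for ip in ips if not ip.get("issourcenat")]
    if len(snat) != 1:
        raise ValueError(f"expected exactly one Source NAT IP, found {snat}; network not implemented?")
    if len(extra) != 1:
        raise ValueError(f"cannot tell the ASA outside IP apart among {extra}; "
                         "run this before acquiring further public IPs")
    return extra[0]


if __name__ == "__main__":
    # Placeholder endpoint and keys; fetch the URL with any HTTP client and feed the JSON in.
    print(list_public_ips_url("https://cloudstack.example/client/api", "APIKEY", "SECRETKEY",
                              "net-placeholder"))
    print("ASA outside IP (do not release):", asa_outside_ip(SAMPLE_RESPONSE, "net-placeholder"))
```

Record the returned address next to the network (a tag or a note in the change record) so that later IP clean-ups have something to check against; the ValueError path is deliberate, because guessing the wrong address here means the next release tears down the ASA outside interface.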
13.5.3.1.2. Prerequisites
  1. Configure Cisco Nexus 1000v dvSwitch in a vCenter environment.
    Create Port profiles for both internal and external network interfaces on Cisco Nexus 1000v dvSwitch. Note down the inside port profile, which needs to be provided while adding the ASA appliance to CloudStack.
  2. Deploy and configure Cisco VNMC.
  3. Register Cisco Nexus 1000v dvSwitch with Cisco VNMC.
  4. Create Inside and Outside port profiles in Cisco Nexus 1000v dvSwitch.
  5. Deploy and configure the Cisco ASA 1000v appliance.
    For more information, see Setting Up the ASA 1000V Using VNMC.
    Typically, you create a pool of ASA 1000v appliances and register them with CloudStack.
    Specify the following while setting up a Cisco ASA 1000v instance:
    • VNMC host IP.
    • Ensure that you add ASA appliance in VNMC mode.
    • Port profiles for the Management and HA network interfaces. These must be pre-created on Cisco Nexus 1000v dvSwitch.
    • Internal and external port profiles.
    • The Management IP for Cisco ASA 1000v appliance. Specify the gateway such that the VNMC IP is reachable.
    • Administrator credentials
    • VNMC credentials
  6. Register Cisco ASA 1000v with VNMC.
    After Cisco ASA 1000v instance is powered on, register VNMC from the ASA console.
13.5.3.1.3. Using Cisco ASA 1000v Services
  1. Ensure that all the prerequisites are met.
  2. Add a VNMC instance.
  3. Add an ASA 1000v instance.
  4. Create a Network Offering and use Cisco VNMC as the service provider for desired services.
  5. Create an Isolated Guest Network by using the network offering you just created.

13.5.3.2. Adding a VNMC Instance

  1. Log in to the CloudStack UI as administrator.
  2. In the left navigation bar, click Infrastructure.
  3. In Zones, click View More.
  4. Choose the zone you want to work with.
  5. Click the Physical Network tab.
  6. In the Network Service Providers node of the diagram, click Configure.
    You might have to scroll down to see this.
  7. Click Cisco VNMC.
  8. Click View VNMC Devices.
  9. Click Add VNMC Device and provide the following:
    • Host: The IP address of the VNMC instance.
    • Username: The user name of the account on the VNMC instance that CloudStack should use.
    • Password: The password of the account.
  10. Click OK.

13.5.3.3. Adding an ASA 1000v Instance

  1. Log in to the CloudStack UI as administrator.
  2. In the left navigation bar, click Infrastructure.
  3. In Zones, click View More.
  4. Choose the zone you want to work with.
  5. Click the Physical Network tab.
  6. In the Network Service Providers node of the diagram, click Configure.
    You might have to scroll down to see this.
  7. Click Cisco VNMC.
  8. Click View ASA 1000v.
  9. Click Add CiscoASA1000v Resource and provide the following:
    • Host: The management IP address of the ASA 1000v instance. The IP address is used to connect to ASA 1000V.
    • Inside Port Profile: The Inside Port Profile configured on Cisco Nexus1000v dvSwitch.
    • Cluster: The VMware cluster to which you are adding the ASA 1000v instance.
      Ensure that the cluster is Cisco Nexus 1000v dvSwitch enabled.
  10. Click OK.

13.5.3.4. Creating a Network Offering Using Cisco ASA 1000v

To have Cisco ASA 1000v support for a guest network, create a network offering as follows:
  1. Log in to the CloudStack UI as a user or admin.
  2. From the Select Offering drop-down, choose Network Offering.
  3. Click Add Network Offering.
  4. In the dialog, make the following choices:
    • Name: Any desired name for the network offering.
    • Description: A short description of the offering that can be displayed to users.
    • Network Rate: Allowed data transfer rate in MB per second.
    • Traffic Type: The type of network traffic that will be carried on the network.
    • Guest Type: Choose whether the guest network is isolated or shared.
    • Persistent: Indicate whether the guest network is persistent. A persistent network is one that can be provisioned without deploying a VM on it.
    • VPC: This option indicates whether the guest network is Virtual Private Cloud-enabled. A Virtual Private Cloud (VPC) is a private, isolated part of CloudStack. A VPC can have its own virtual network topology that resembles a traditional physical network. For more information on VPCs, see Section 15.27.1, “About Virtual Private Clouds”.
    • Specify VLAN: (Isolated guest networks only) Indicate whether a VLAN should be specified when this offering is used.
    • Supported Services: Use Cisco VNMC as the service provider for Firewall, Source NAT, Port Forwarding, and Static NAT to create an Isolated guest network offering.
    • System Offering: Choose the system service offering that you want virtual routers to use in this network.
    • Conserve mode: Indicate whether to use conserve mode. In this mode, network resources are allocated only when the first virtual machine starts in the network.
  5. Click OK
    The network offering is created.

13.5.3.5. Reusing ASA 1000v Appliance in new Guest Networks

You can reuse an ASA 1000v appliance in a new guest network after the necessary cleanup. Typically, ASA 1000v is cleaned up when the logical edge firewall is cleaned up in VNMC. If this cleanup does not happen, you need to reset the appliance to its factory settings for use in new guest networks. As part of this, enable SSH on the appliance and store the SSH credentials by registering on VNMC.
  1. Open a command line on the ASA appliance:
    1. Run the following:
      ASA1000V(config)# reload
      You are prompted with the following message:
      System config has been modified. Save? [Y]es/[N]o:
    2. Enter N.
      You will get the following confirmation message:
      Proceed with reload? [confirm]
    3. Confirm to restart the appliance.
  2. Register the ASA 1000v appliance with the VNMC:
    ASA1000V(config)# vnmc policy-agent
    ASA1000V(config-vnmc-policy-agent)# registration host vnmc_ip_address
    ASA1000V(config-vnmc-policy-agent)# shared-secret key
    where key is the shared secret for authentication of the ASA 1000V connection to the Cisco VNMC.

13.5.4. External Guest Load Balancer Integration (Optional)

CloudStack can optionally use a Citrix NetScaler or BigIP F5 load balancer to provide load balancing services to guests. If this is not enabled, CloudStack will use the software load balancer in the virtual router.
To install an external load balancer and bring it under CloudStack management:
  1. Set up the appliance according to the vendor's directions.
  2. Connect it to the networks carrying public traffic and management traffic (these could be the same network).
  3. Record the IP address, username, password, public interface name, and private interface name. The interface names will be something like "1.1" or "1.2".
  4. Make sure that the VLANs are trunked to the management network interface.
  5. After the CloudStack Management Server is installed, log in as administrator to the CloudStack UI.
  6. In the left navigation bar, click Infrastructure.
  7. In Zones, click View More.
  8. Choose the zone you want to work with.
  9. Click the Network tab.
  10. In the Network Service Providers node of the diagram, click Configure. (You might have to scroll down to see this.)
  11. Click NetScaler or F5.
  12. Click the Add button (+) and provide the following:
    For NetScaler:
    • IP Address: The IP address of the load balancer.
    • Username/Password: The authentication credentials to access the device. CloudStack uses these credentials to access the device.
    • Type: The type of device that is being added. It could be F5 Big Ip Load Balancer, NetScaler VPX, NetScaler MPX, or NetScaler SDX. For a comparison of the NetScaler types, see the CloudStack Administration Guide.
    • Public interface: Interface of device that is configured to be part of the public network.
    • Private interface: Interface of device that is configured to be part of the private network.
    • Number of retries: Number of times to attempt a command on the device before considering the operation failed. Default is 2.
    • Capacity: The number of networks the device can handle.
    • Dedicated: When marked as dedicated, this device is dedicated to a single account. When Dedicated is checked, the Capacity field is ignored and the capacity is implicitly 1.
  13. Click OK.
The installation and provisioning of the external load balancer is finished. You can proceed to add VMs and NAT or load balancing rules.