In this blog I will show you how to create aliases for grouping servers with the NSX Edge in vCloud director.
Using aliases makes firewall rules more meaningful because I can give them names like “Domain Controller” or “Webserver”. I think meaningful names are easier maintain than a list of IP’s representing the Domain controllers for instance.
It can also be handy if I need to update a set of servers to allow an extra incoming port or something. Where without aliases I have to update each firewall rule for each server one at a time but with aliases I can just update 1 rule for all servers.
The reason for this blog is that the other day I was in a meeting and got the question if it was possible to create aliases for the NSX Edge firewall. The client was used to working with a pFsense which support this feature.
My first reaction was that this was not possible with the NSX Edge. However fellow vblog.nl blogger Marc found out it is possible.
So with this information I decided to find out for myself how this works and share my findings in this blog.
First of all I do have to state that the alias feature is not identical to the one found in for instance the pFsense of OPNsense. However, with “IP Sets” I have the ability to create a similar feature making maintaining firewall rules much easier.
Creating a rule set
So let’s start shall we? As you can see in the screenshot below I already opened the Edge services view.
To start using aliases we need to group objects, this is done by going to the “Grouping Objects” tab as show above.
As you can see you can also create groups based on other Objects like for instance a “MAC adress”
Now I can start creating a IP Set (a group of servers) by clicking on the + sign.
The next step is to add some IP’s to the IP Set. In the example below I have added 3 IP’s. I also gave the IP set a name and a description that makes sense for me.
Using the IP Set
So now that I created the IP Set I can start using it for a firewall rule.
The first thing I need to do is create a new rule to which I will link the “IP Set”.
Now that I have created the new rule I have to link the “IP Set” to the new rule.
This is done by clicking on the + sign in the destination part of the firewall rule.
Now all I have to do is select the “IP Set” like so:
After this was done I also added a Service to allow acces via port 443 and gave the rule a name:
So in conclusion, I was able to create an alias in the NSX Edge. This will make my life a easier when setting up new Firewall rules.
If you enjoyed this blog please have a look at our other interesting topics on vCloud here
585 total views, 1 views today