Hello again old friend…

Distributed Cloud Firewall

Distributed Cloud Firewall enhances security by enforcing network policies between SmartGroups, which you define to manage applications within single or multiple cloud environments.

SmartGroups:

  • Logical groupings of applications that can span across various cloud accounts, regions, and VPCs/VNets.

Network Policy Enforcement:

  • Policies can be defined to filter and control traffic between applications residing in different SmartGroups.

How to enable it

Once you are logged in on Copilot, go to Security -> Distributed Cloud Firewall. Click on Enable Distributed Cloud Firewall:

Click Begin Using Distributed Cloud Firewall to start configuring it:

A Greenfield Rule is created that allows existing traffic to continue, preserving the current state while you build custom rules for your specific security needs.

Distributed Cloud Firewall will deny all previously permitted traffic due to its implicit Deny All rule.

SmartGroups

SmartGroups are created outside the Security folder. They accept the following resource types as input:

  • virtual machines
  • subnets
  • VPCs/VNets
  • IPs/CIDRs

By default two SmartGroups are created:

  • Anywhere (0.0.0.0/0)
  • Public Internet

Logical AND and OR operators are supported:

  • multiple conditions inside the same block work as an AND
  • multiple blocks with conditions work as an OR

Rules

Rules are created inside the Distributed Cloud Firewall. Each rule defines whether communication between two SmartGroups is permitted or denied, using the following attributes:

  • protocol
  • port
  • enforcement
  • logging
  • action (Permit, Deny)
  • TLS
  • IDS
  • priority

How to disable it

Distributed Cloud Firewall can be disabled from Settings -> Configuration -> Add-on Features:

Local Egress on VPC/VNETs

Local Egress does the following:

  • Changes the default route on the VPC/VNET to point to the Spoke Gateway
  • Enables SNAT

From Security -> Egress -> Egress VPC/VNets click on Local Egress on VPC/VNets:

Select the VPCs/VNETs:

Click Add:

Private route tables after the change:

Single IP Source NAT is enabled on the gateways:

What happens if there is a default route present?

The default route is replaced:

If the feature is disabled, the controller restores the previous route:

If you prefer to work from the controller or if you are using automation, the feature can be controlled using the single_ip_snat parameter.
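As an added worked example (not code from this post or from Aviatrix), here is the same setup expressed with the Terraform resources linked in the References section: enabling the feature, two SmartGroups that show the AND/OR block semantics described above, and a policy list carrying the rule attributes (protocol, port, enforcement, logging, action, priority). The account name, region, tags, CIDR, port and the Public Internet UUID placeholder are assumptions.

```hcl
# Added example, not from the post. Names, tags, account, region and ports are assumed.

# Enable the feature; anything no rule permits falls to the implicit Deny All.
resource "aviatrix_distributed_firewalling_config" "dcf" {
  enable_distributed_firewalling = true
}

# Conditions inside one match_expressions block are ANDed;
# separate match_expressions blocks are ORed.
resource "aviatrix_smart_group" "web_tier" {
  name = "web-tier"
  selector {
    match_expressions {                 # VMs tagged role=web AND in this account AND region
      type         = "vm"
      account_name = "aws-prod"         # assumed account name
      region       = "us-east-1"
      tags         = { role = "web" }
    }
    match_expressions {                 # OR any address in this range
      cidr = "10.20.0.0/16"             # assumed CIDR
    }
  }
}

resource "aviatrix_smart_group" "db_tier" {
  name = "db-tier"
  selector {
    match_expressions {
      type = "vm"
      tags = { role = "db" }
    }
  }
}

# Lower priority number is evaluated first. watch = false enforces the rule;
# watch = true only logs matches (the Enforcement toggle turned off in CoPilot).
resource "aviatrix_distributed_firewalling_policy_list" "rules" {
  policies {
    name             = "web-to-db-postgres"
    action           = "PERMIT"
    priority         = 10
    protocol         = "TCP"
    logging          = true
    watch            = false
    src_smart_groups = [aviatrix_smart_group.web_tier.uuid]
    dst_smart_groups = [aviatrix_smart_group.db_tier.uuid]
    port_ranges {
      lo = 5432
      hi = 5432
    }
  }
  policies {
    name             = "db-no-internet"            # explicit, logged deny of DB egress
    action           = "DENY"
    priority         = 20
    protocol         = "ANY"
    logging          = true
    watch            = false
    src_smart_groups = [aviatrix_smart_group.db_tier.uuid]
    dst_smart_groups = ["<public-internet-smartgroup-uuid>"]  # placeholder for the built-in group's UUID
  }
}
```

Applying the list commits the rules in one step, which replaces the draft-and-commit flow used in CoPilot.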

Testing

Internet Access:

Rule allowing internet access:

Rules are saved as draft and a commit is required:

Monitor

Use the Monitor tab to visualize traffic.

References

https://docs.aviatrix.com/documentation/latest/network-security/secure-networking-configuring.html?expand=true

https://registry.terraform.io/providers/AviatrixSystems/aviatrix/latest/docs/resources/aviatrix_smart_group

https://registry.terraform.io/providers/AviatrixSystems/aviatrix/latest/docs/resources/aviatrix_distributed_firewalling_policy_list
