The First Line of Defence: vCenter Server Appliance Firewall
Introduction
Limiting and monitoring access to the vCenter Server Appliance (VCSA) is vital to securing the overall vSphere environment. The VCSA firewall lets customers create firewall rules that allow or block access to the VCSA from specific servers, hosts, or virtual machines. Note that the VCSA firewall filters only by source network address; it cannot allow or block specific ports.
VCSA firewall under the hood
Creating VCSA firewall rules from the Virtual Appliance Management Interface (VAMI) creates corresponding iptables rules in the VCSA appliance. iptables is used to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel. More information on iptables can be found on this page.
As a best practice, access to the VCSA should be allowed only from trusted hosts or VMs and blocked for all other devices. It is important to note that when blocking access to the VCSA, other VMware products that need to reach it, such as vROps and SRM, must be taken into account.
The VCSA firewall can be accessed from the VAMI UI (https://vc_fqdn_or_ip:5480). The following GIF shows the creation of a firewall reject rule for the IP address 10.173.168.30/23.
VCSA firewall rules
The following firewall rules can be specified for incoming network traffic in the VCSA firewall:
| S. No. | Rule   | Description |
|--------|--------|-------------|
| 1      | Accept | Allow packets with the corresponding IP address. |
| 2      | Ignore | Drop packets with the corresponding IP address. |
| 3      | Reject | Drop packets with the corresponding IP address while sending a destination-not-reachable reply. |
| 4      | Return | Apply the default or port-specific rules to packets with the corresponding IP address. |
Monitoring VCSA firewall
VCSA firewall activity can be monitored from the shell of the VCSA appliance. By default, the VCSA does not log firewall (iptables-related) activity. To log firewall-related activity, execute the following commands at the VCSA shell.
# iptables -N LOGGER
# iptables -A LOGGER -j LOG --log-prefix 'iptable log: ' --log-level 7
# iptables -I OUTPUT -j LOGGER
# iptables -I INPUT -j LOGGER
After setting up the logger, firewall logs can be monitored by executing the following command:
# journalctl -k | grep "iptable"
Accessing and Creating VCSA firewall rules through APIs
The VCSA firewall supports the following REST methods:
GET https://vcsa_fqdn_or_ip/api/appliance/networking/firewall/inbound
Description
The GET method lists the existing firewall rules. Within the list of traffic rules, rules are processed in order of appearance, from top to bottom. When a connection matches a firewall rule, further processing for that connection stops and the appliance ignores any remaining firewall rules.
PUT https://vcsa_fqdn_or_ip/api/appliance/networking/firewall/inbound
Description
The PUT method creates the ordered list of firewall rules that allow or deny traffic from one or more incoming IP addresses. This overwrites the existing firewall rules and creates a new rule list. Within the list of traffic rules, rules are processed in order of appearance, from top to bottom.
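To make the ordering semantics concrete, here is an added Python example (not code from the post or from VMware) that builds an ordered rule list for the PUT body and simulates the top-to-bottom, first-match evaluation described above for a few source addresses. The JSON field names (address, prefix, policy, interface_name) and the sample addresses are assumptions constructed for the example.

```python
import ipaddress
import json

# Constructed, ordered rule list in the JSON shape assumed for the inbound
# firewall PUT body: {"rules": [{"address", "prefix", "policy", "interface_name"}]}.
# Order matters: a narrow ACCEPT for an admin host must precede the broad
# REJECT of the /23 it lives in, otherwise the admin host is rejected too.
RULES = [
    {"address": "10.173.168.5", "prefix": 32, "policy": "ACCEPT", "interface_name": "*"},
    {"address": "10.173.168.30", "prefix": 23, "policy": "REJECT", "interface_name": "*"},
]

POLICIES = ("ACCEPT", "IGNORE", "REJECT", "RETURN")


def put_payload(rules):
    """Serialise the ordered rule list as the PUT request body.

    PUT replaces the whole list, so every rule that should survive must be
    included here, not only the rule being added.
    """
    for r in rules:
        # Reject malformed address/prefix pairs and unknown policies locally,
        # before anything reaches the appliance.
        ipaddress.ip_network(f"{r['address']}/{r['prefix']}", strict=False)
        if r["policy"] not in POLICIES:
            raise ValueError(f"unknown policy {r['policy']!r}")
    return json.dumps({"rules": rules})


def first_match(rules, src_ip):
    """Return (outcome, rule_index) for the first rule whose network contains src_ip.

    Processing stops at the first match. RETURN hands the packet to the
    default or port-specific rules, which is also what happens when nothing
    matches, so both cases are reported as "DEFAULT".
    """
    ip = ipaddress.ip_address(src_ip)
    for i, r in enumerate(rules):
        net = ipaddress.ip_network(f"{r['address']}/{r['prefix']}", strict=False)
        if ip in net:
            return ("DEFAULT" if r["policy"] == "RETURN" else r["policy"], i)
    return ("DEFAULT", None)


if __name__ == "__main__":
    print(put_payload(RULES))
    for src in ("10.173.168.5", "10.173.169.7", "192.168.1.1"):
        print(src, first_match(RULES, src))
```

Reversing the two rules makes the admin host fall into the /23 REJECT first, which is the kind of ordering mistake worth checking with a simulation like this before issuing the PUT.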
For more information on VCSA firewall APIs and sample code, please refer to developer.vmware.com.
To Conclude
Securing the vCenter Server Appliance is a foundational step towards securing the overall vSphere environment. Blocking access from systems that do not need it reduces the attack surface and minimizes the potential for attacks on the VCSA. The VCSA firewall is an easy yet powerful way to enforce and monitor firewall policies.
For more information on VCSA security best practices, please refer to this document.