The First Line of Defence: vCenter Server Appliance Firewall

May 25, 2021

Introduction

Limiting and monitoring access to the vCenter Server Appliance (VCSA) is vital to securing the overall vSphere environment. The VCSA firewall lets customers create rules that allow or block access to the VCSA from specific servers, hosts, or virtual machines. Note that the VCSA firewall filters on source address only: it can allow or block network traffic from an address, not specific ports.

VCSA firewall under the hood

Creating VCSA firewall rules from the Virtual Appliance Management Interface (VAMI) creates corresponding iptables rules on the appliance. iptables is the Linux tool used to set up, maintain, and inspect the tables of IP packet filter rules in the kernel. More information on iptables can be found on this page.

As a best practice, access to the VCSA should be allowed only from trusted hosts or VMs and blocked for all other devices. When blocking access to the VCSA, remember to allow other VMware products that need to reach it, such as vROps and SRM.

The VCSA firewall can be accessed from the VAMI UI (https://vc_fqdn_or_ip:5480). The following GIF shows the creation of a firewall reject rule for the IP address 10.173.168.30/23.

(GIF: VCSA firewall)

VCSA firewall rules

The following rules can be specified for incoming network traffic in the VCSA firewall:

No.  Rule    Description
1    Accept  Allow packets from the corresponding IP address.
2    Ignore  Drop packets from the corresponding IP address silently.
3    Reject  Drop packets from the corresponding IP address and send a "destination not reachable" reply to the sender.
4    Return  Apply the default or port-specific rules to packets from the corresponding IP address.

Monitoring VCSA firewall

VCSA firewall activity can be monitored from the shell of the appliance. By default, the VCSA does not log firewall (iptables) activity. To log firewall-related activity, execute the following commands at the VCSA shell. The LOGGER chain holds a single LOG target (non-terminating, so the packet continues to the normal rules), and inserting the jump at the top of INPUT and OUTPUT with -I means every packet is logged before the VAMI-generated rules evaluate it; --log-level 7 is the kernel's debug priority.

# iptables -N LOGGER
# iptables -A LOGGER -j LOG --log-prefix 'iptable log: ' --log-level 7
# iptables -I INPUT -j LOGGER
# iptables -I OUTPUT -j LOGGER

After setting up the logger, firewall logs can be monitored by executing the following command:

# journalctl -k | grep "iptable"
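The grep above shows the raw kernel lines; to turn them into something reviewable, here is an added Python example (written for this page, not part of the post or VMware's tooling) that parses the key=value fields the iptables LOG target emits, separates inbound from outbound hits, counts inbound packets per source and destination port, and lists sources outside a trusted network list so they can be compared against the VAMI rule set. The sample journal lines are constructed; the "iptable log: " prefix matches the LOGGER rule above.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of `journalctl -k` output with the LOGGER chain active
# (layout follows the kernel's iptables LOG target format; values are made up).
SAMPLE_LOG = """\
May 25 10:01:02 vcsa kernel: iptable log: IN=eth0 OUT= MAC=00:50:56:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=10.173.168.30 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1234 DF PROTO=TCP SPT=51234 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
May 25 10:01:03 vcsa kernel: iptable log: IN=eth0 OUT= MAC=00:50:56:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=10.173.168.30 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1235 DF PROTO=TCP SPT=51235 DPT=5480 WINDOW=64240 RES=0x00 SYN URGP=0
May 25 10:01:04 vcsa kernel: iptable log: IN= OUT=eth0 SRC=10.0.0.5 DST=10.0.0.9 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=2000 DF PROTO=TCP SPT=443 DPT=50001 WINDOW=501 RES=0x00 ACK URGP=0
May 25 10:01:05 vcsa kernel: iptable log: IN=eth0 OUT= MAC=00:50:56:aa:bb:cc:00:50:56:11:22:33:08:00 SRC=10.0.0.9 DST=10.0.0.5 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=3000 DF PROTO=UDP SPT=123 DPT=123 LEN=56
May 25 10:01:06 vcsa kernel: e1000: eth0 NIC Link is Up 1000 Mbps Full Duplex
"""

PREFIX = "iptable log: "          # must match --log-prefix in the LOGGER rule
KV = re.compile(r"(\w+)=(\S*)")   # key=value tokens; flags like DF/SYN carry no '='


def parse_line(line):
    """Return the LOG fields of one kernel line, or None for unrelated lines."""
    if PREFIX not in line:
        return None
    fields = dict(KV.findall(line.split(PREFIX, 1)[1]))
    # IN= is empty for packets logged from the OUTPUT chain
    fields["direction"] = "in" if fields.get("IN") else "out"
    return fields


def parse_log(text):
    """Parse a whole journal excerpt, skipping non-firewall lines."""
    return [f for f in map(parse_line, text.splitlines()) if f]


def inbound_by_source(events):
    """Inbound packet count per (source, protocol, destination port)."""
    return Counter((e["SRC"], e.get("PROTO"), e.get("DPT"))
                   for e in events if e["direction"] == "in")


def unexpected_sources(events, trusted):
    """Inbound sources outside the trusted networks: review these against the
    VAMI rule list (candidates for a Reject rule or for an investigation)."""
    nets = [ipaddress.ip_network(n) for n in trusted]
    return sorted({e["SRC"] for e in events if e["direction"] == "in"
                   and not any(ipaddress.ip_address(e["SRC"]) in n for n in nets)})


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    for key, n in inbound_by_source(ev).most_common():
        print(f"{n:4d}  {key}")
    print("outside trusted list:", unexpected_sources(ev, ["10.0.0.0/24"]))
```

On a live appliance, pipe `journalctl -k` into `parse_log` instead of the constructed sample; because the LOGGER jump sits at the top of INPUT and OUTPUT, every packet is logged, so filter on `direction == "in"` and the ports you care about (443 for the vSphere Client, 5480 for the VAMI) before counting.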

Accessing and Creating VCSA firewall rules through APIs

VCSA firewall supports the following REST methods:

GET  https://vcsa_fqdn_or_ip/api/appliance/networking/firewall/inbound

Description

The GET method lists the existing firewall rules. Within the list of traffic rules, rules are processed in order of appearance, from top to bottom. When a connection matches a firewall rule, further processing for the connection stops, and the appliance ignores any additional firewall rules.

PUT  https://vcsa_fqdn_or_ip/api/appliance/networking/firewall/inbound

Description

The PUT method creates the ordered list of firewall rules that allow or deny traffic from one or more incoming IP addresses. This overwrites the existing firewall rules and creates a new rule list. Within the list of traffic rules, rules are processed in order of appearance, from top to bottom.
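To make the first-match ordering concrete and to tie the four VAMI policies from the table above to the API, here is an added Python example (written for this page; it is not VMware's sample code). It models an ordered rule list that follows the best practice from earlier in the post (accept trusted hosts, then block everyone else), evaluates a source address against the list, builds the body for the PUT call, and checks that the station pushing the list is not locking itself out, since PUT replaces the whole list. The field names address, prefix, policy and interface_name, the policy spellings, the POST /api/session login and the vmware-api-session-id header are assumptions taken from the vSphere Automation API reference rather than from this post, as is the default handling of unmatched traffic (accept); verify the schema on developer.vmware.com before use.

```python
import base64
import ipaddress
import json
import ssl
import urllib.request
from dataclasses import dataclass, asdict

# Policy names as the Automation API spells the four VAMI rules
# (assumption: taken from the vSphere API reference, not from the post).
POLICIES = ("ACCEPT", "IGNORE", "REJECT", "RETURN")


@dataclass
class Rule:
    address: str                # network or host address, e.g. "10.173.168.30"
    prefix: int                 # CIDR prefix length, e.g. 23
    policy: str                 # one of POLICIES
    interface_name: str = "*"   # "*" = all interfaces (assumed field name)

    def network(self):
        # strict=False lets a host address such as 10.173.168.30/23 stand
        # in for its /23, which is how the post's example rule is written.
        return ipaddress.ip_network(f"{self.address}/{self.prefix}", strict=False)


def validate(rules):
    """Catch policy typos and malformed addresses before anything is sent."""
    for r in rules:
        if r.policy not in POLICIES:
            raise ValueError(f"unknown policy {r.policy!r} in {r}")
        r.network()  # raises ValueError on a bad address/prefix
    return list(rules)


def evaluate(rules, src, default="ACCEPT"):
    """First rule whose network contains src decides; later rules are ignored.
    RETURN hands the packet back to the default handling, modelled here by the
    `default` argument (assumption: unmatched traffic is accepted)."""
    ip = ipaddress.ip_address(src)
    for r in rules:
        if ip in r.network():
            return default if r.policy == "RETURN" else r.policy
    return default


def put_body(rules):
    """JSON body for PUT .../firewall/inbound (replaces the whole list)."""
    return {"rules": [asdict(r) for r in validate(rules)]}


def lockout_check(rules, admin_src):
    """True if the station pushing the rules would still be allowed in."""
    return evaluate(rules, admin_src) == "ACCEPT"


def push_rules(host, user, password, rules, cafile):
    """Create an API session and PUT the list. Not exercised offline.
    Assumption: POST /api/session returns the token as a JSON string."""
    ctx = ssl.create_default_context(cafile=cafile)   # keep TLS verification on
    auth = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(f"https://{host}/api/session", method="POST",
                                 headers={"Authorization": f"Basic {auth}"})
    with urllib.request.urlopen(req, context=ctx) as resp:
        token = json.load(resp)
    req = urllib.request.Request(
        f"https://{host}/api/appliance/networking/firewall/inbound",
        data=json.dumps(put_body(rules)).encode(), method="PUT",
        headers={"vmware-api-session-id": token,
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.status


# Constructed rule list: the management subnet and a vROps host first, then
# the post's /23 rejected with a reply, then everyone else dropped silently.
EXAMPLE_RULES = [
    Rule("10.0.0.0", 24, "ACCEPT"),
    Rule("10.0.1.15", 32, "ACCEPT"),
    Rule("10.173.168.30", 23, "REJECT"),
    Rule("0.0.0.0", 0, "IGNORE"),
]

if __name__ == "__main__":
    if not lockout_check(EXAMPLE_RULES, "10.0.0.5"):
        raise SystemExit("admin station would be locked out; fix the list first")
    print(json.dumps(put_body(EXAMPLE_RULES), indent=2))
```

Reversing EXAMPLE_RULES puts the 0.0.0.0/0 Ignore rule first, and every source, trusted or not, is then dropped: that is the top-to-bottom, stop-at-first-match behaviour the GET and PUT descriptions above refer to, and the reason a catch-all rule always belongs last.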

For more information on VCSA firewall APIs and sample code, please refer to developer.vmware.com.

To Conclude

Securing the vCenter Server Appliance is a foundational step towards securing the overall vSphere environment. Blocking access from systems that do not need it reduces the attack surface and limits the potential attacks on the VCSA. The VCSA firewall is an easy yet powerful way to enforce and monitor firewall policies.

For more information on VCSA security best practices, please refer to this document.


Aditya Sahu


Aditya Sahu works as a Senior Technical Marketing Manager for VMware in the Cloud Platform Business Unit. In his role he covers core vSphere and vSphere with Tanzu. You can also reach him on Twitter at @adityasahu_29.