Firewall Service

While a security group sets packet filters on virtual servers, the firewall service sets packet filters on the virtual router.

You can set this service on the virtual router connected to an external network as shown in the following figure.

Figure: Using the Firewall Service

Firewall service settings consist of the following three elements, which are created in the order listed below. Filtering takes effect only once the firewall has been associated with a virtual router.

  1. Create firewall rules
  2. Register a collection of rules to create a firewall policy
  3. Specify a policy to create a firewall, and associate it with a virtual router

Creating/Changing a Firewall Rule

Specify the following items to create or change firewall rules.

Table 1. List of Firewall Rule Settings
Item | Description | Required
Rule Name | Specify a name for the rule. |
Description | Enter a description. |
Enable/Disable Rule | Specify whether to enable or disable the rule. |
Protocol | Specify one of the following protocols: tcp, udp, icmp |
IP Version | Specify IPv4. |
Source IP Address | Specify the IP address of the sender (can be specified in CIDR notation). |
Source Port Number | Specify the port number of the sender targeted for communication (a range can be specified in a:b format). |
Destination IP Address | Specify the IP address of the destination (can be specified in CIDR notation). |
Destination Port Number | Specify the port number of the destination targeted for communication (a range can be specified in a:b format). |
Actions | Specify "Allow" or "Deny". |
Availability Zone Name | Specify the availability zone where the rule will be created. If this setting is omitted, the default availability zone will be used. |
Tip:
  • The firewall service provides a stateful firewall.

    • Configure allow rules for request packets only.

      Response packets that belong to an allowed request are passed automatically; no allow rule is needed for them.

    • Make sure request packets and their response packets pass through the same virtual router.

      The connection state is held by the firewall on the router that admitted the request. If the response takes a different route (asymmetric routing), it is not recognized as a response, and communication will fail.

  • When combining the firewall with the NAT function of a virtual router, specify the private IP address that corresponds to the global IP address as the source or destination IP address of the rule, not the global IP address itself.

    The firewall is applied at the following points:

    • Communication from an internal network to the Internet: before SNAT is performed (the rule sees the private source address)
    • Communication from the Internet to an internal network: after DNAT is performed (the rule sees the private destination address)

Creating/Modifying a Firewall Policy

A firewall policy is an ordered list of firewall rules. Traffic is checked against the rules from the top of the list, and the first rule that matches decides whether the communication is allowed or denied. Because later rules are not evaluated, a broad rule placed above a more specific one shadows it, so order the rules from most specific to most general.

Tip:

A "DENY ALL" rule is automatically added to the end of every policy. Traffic that does not match any of the Allow rules is therefore blocked by default (an allow-list, or whitelist, model).

The automatically added "DENY ALL" rule is implicit and does not appear in the policy.

Specify the following items to create or modify a firewall policy.

Table 2. List of Firewall Policy Settings
Item | Description | Required
Policy Name | Specify a name for the policy. |
Description | Enter a description. |
List of Firewall Rules | Specify as a list the firewall rules that have been created. Traffic is inspected according to the list of rules specified here, in order from the top of the list. |
Availability Zone Name | Specify the availability zone where the policy will be created. If this setting is omitted, the default availability zone will be used. |
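The following Python model is added here as an illustration of the policy semantics described above (ordered evaluation with an implicit DENY ALL, stateful handling of responses, and the placement of the firewall relative to SNAT/DNAT). It is not code from the service or its API: the rule and packet structures, the DNAT table and all addresses are constructed for the example, first-match-wins evaluation is assumed (the page states only that rules are inspected in list order), and the state table is a simplification of what a real stateful firewall keeps.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    name: str
    action: str                      # "allow" or "deny"
    protocol: Optional[str] = None   # "tcp" / "udp" / "icmp"; None matches any
    src: Optional[str] = None        # address or CIDR; None matches any
    dst: Optional[str] = None
    src_port: Optional[str] = None   # "22" or "a:b"
    dst_port: Optional[str] = None
    enabled: bool = True

@dataclass(frozen=True)
class Packet:
    protocol: str
    src: str
    dst: str
    src_port: int
    dst_port: int

def _ip_matches(spec, addr):
    return spec is None or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def _port_matches(spec, port):
    if spec is None:
        return True
    lo, _, hi = spec.partition(":")          # "a:b" range, or a single port
    return int(lo) <= port <= int(hi or lo)

def rule_matches(rule, pkt):
    return (rule.enabled
            and (rule.protocol is None or rule.protocol == pkt.protocol)
            and _ip_matches(rule.src, pkt.src) and _ip_matches(rule.dst, pkt.dst)
            and _port_matches(rule.src_port, pkt.src_port)
            and _port_matches(rule.dst_port, pkt.dst_port))

class RouterFirewall:
    """A policy applied to one virtual router: ordered rules plus that router's flow state."""
    def __init__(self, rules):
        self.rules = list(rules)
        self.established = set()     # 5-tuples of requests an allow rule has admitted

    def evaluate(self, pkt):
        """Return (action, rule name). First match wins; the implicit DENY ALL comes last."""
        reverse = (pkt.protocol, pkt.dst, pkt.src, pkt.dst_port, pkt.src_port)
        if reverse in self.established:  # stateful: a reply needs no rule of its own
            return "allow", "<established>"
        for rule in self.rules:
            if rule_matches(rule, pkt):
                if rule.action == "allow":
                    self.established.add((pkt.protocol, pkt.src, pkt.dst, pkt.src_port, pkt.dst_port))
                return rule.action, rule.name
        return "deny", "<implicit DENY ALL>"

def inbound_from_internet(fw, pkt, dnat):
    """Internet -> internal: DNAT runs before the firewall, so rules see the private destination.
    dnat maps global address -> private address (a constructed table, not the service's API)."""
    private = dnat.get(pkt.dst)
    if private is None:
        return "deny", "<no DNAT mapping>"
    return fw.evaluate(Packet(pkt.protocol, pkt.src, private, pkt.src_port, pkt.dst_port))

def outbound_to_internet(fw, pkt):
    """Internal -> Internet: the firewall runs before SNAT, so rules see the private source."""
    return fw.evaluate(pkt)          # translation would happen after this verdict

def demo():
    """Constructed scenarios; returns a dict of (action, rule) verdicts."""
    out = {}
    allow_web = Rule("allow-web", "allow", "tcp", dst="192.168.10.0/24", dst_port="80:443")
    deny_admin = Rule("deny-admin-https", "deny", "tcp", dst="192.168.10.5", dst_port="443")
    to_admin = Packet("tcp", "198.51.100.7", "192.168.10.5", 51000, 443)
    # Order matters: the broad allow listed first shadows the specific deny below it.
    out["shadowed"] = RouterFirewall([allow_web, deny_admin]).evaluate(to_admin)
    out["reordered"] = RouterFirewall([deny_admin, allow_web]).evaluate(to_admin)

    # NAT: a rule written against the global IP never matches inbound traffic.
    dnat = {"203.0.113.10": "192.168.10.20"}
    from_internet = Packet("tcp", "198.51.100.7", "203.0.113.10", 51001, 80)
    global_rule = Rule("allow-web-global", "allow", "tcp", dst="203.0.113.10", dst_port="80")
    out["global-ip-rule"] = inbound_from_internet(RouterFirewall([global_rule]), from_internet, dnat)
    out["private-ip-rule"] = inbound_from_internet(RouterFirewall([allow_web]), from_internet, dnat)

    # Stateful: the reply to an allowed request passes on the same router, but a reply that
    # takes a different router (asymmetric route) finds no state and hits the implicit deny.
    fw = RouterFirewall([allow_web])
    request = Packet("tcp", "198.51.100.7", "192.168.10.20", 51002, 80)
    out["request"] = fw.evaluate(request)
    reply = Packet("tcp", "192.168.10.20", "198.51.100.7", 80, 51002)
    out["reply-same-router"] = fw.evaluate(reply)
    out["reply-other-router"] = RouterFirewall([allow_web]).evaluate(reply)

    # Outbound: the rule matches the private source because SNAT has not happened yet.
    egress = Rule("allow-egress-https", "allow", "tcp", src="192.168.10.0/24", dst_port="443")
    out["outbound"] = outbound_to_internet(RouterFirewall([egress]),
                                           Packet("tcp", "192.168.10.20", "198.51.100.7", 51003, 443))
    return out
```

Running `demo()` shows the three practical consequences of the semantics above: the HTTPS packet to 192.168.10.5 is allowed when the broad rule is listed first and denied only after the specific deny is moved above it; the inbound rule written against the global address 203.0.113.10 falls through to the implicit DENY ALL while the same rule written against the private subnet matches; and the reply to an allowed request is admitted without a rule of its own only on the router that holds the connection state.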

Creating/Modifying a Firewall

Create or modify a firewall on a virtual router by specifying a firewall policy in which rules have been registered.

Table 3. List of Firewall Settings
Item | Description | Required
Firewall Name | Specify a name for the firewall. |
Description | Enter a description. |
Firewall Policy ID | Specify the ID of a firewall policy that has been created. |
Virtual Router ID | Specify the ID of the virtual router to which the firewall policy will be applied. Important: if this setting is omitted, the specified policy is applied to all virtual routers in the availability zone, including routers that were never meant to be filtered. Specify the router ID explicitly unless applying the policy to every router is actually intended. |
Availability Zone Name | Specify the availability zone where the firewall will be created. If this setting is omitted, the default availability zone will be used. |
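The following Python helpers are added here to show the three-step procedure (rule, policy, firewall) as request bodies with the constraints from the tables enforced before anything is sent. They are not the service's own client or API: the JSON key names (`firewall_rule`, `firewall_policy`, `firewall`, `source_ip_address`, `destination_port`, `firewall_rules`, `firewall_policy_id`, `router_id`, `availability_zone`, and so on) are assumed to follow the OpenStack FWaaS v1 shape that this kind of service extends and should be checked against the API reference, the IDs and availability zone name are constructed placeholders, and the refusal to build a firewall body without a router ID is a guard added here for the "applied to all virtual routers" caveat, not behaviour of the service.

```python
import ipaddress

# Value constraints taken from the settings tables above.
PROTOCOLS = {"tcp", "udp", "icmp"}
ACTIONS = {"allow", "deny"}

def _check_cidr(value):
    """Accept a single address or a CIDR; raise on anything else."""
    if value is not None:
        ipaddress.ip_network(value, strict=False)

def _check_port(spec):
    """Accept a single port or an a:b range with a <= b, both within 0..65535."""
    if spec is None:
        return
    lo, _, hi = spec.partition(":")
    lo_i, hi_i = int(lo), int(hi or lo)
    if not (0 <= lo_i <= hi_i <= 65535):
        raise ValueError(f"invalid port specification {spec!r}")

def firewall_rule_body(name, protocol, action, *, source_ip=None, destination_ip=None,
                       source_port=None, destination_port=None, enabled=True,
                       description="", availability_zone=None):
    """Step 1: request body for creating a firewall rule (key names assumed, see lead-in)."""
    if protocol not in PROTOCOLS:
        raise ValueError(f"protocol must be one of {sorted(PROTOCOLS)}, got {protocol!r}")
    if action not in ACTIONS:
        raise ValueError(f"action must be one of {sorted(ACTIONS)}, got {action!r}")
    for cidr in (source_ip, destination_ip):
        _check_cidr(cidr)
    for port in (source_port, destination_port):
        _check_port(port)
    if protocol == "icmp" and (source_port or destination_port):
        raise ValueError("icmp rules carry no port numbers")
    rule = {
        "name": name, "description": description, "enabled": enabled,
        "protocol": protocol, "ip_version": 4,       # the service supports IPv4 only
        "source_ip_address": source_ip, "destination_ip_address": destination_ip,
        "source_port": source_port, "destination_port": destination_port,
        "action": action,
    }
    if availability_zone is not None:
        rule["availability_zone"] = availability_zone
    return {"firewall_rule": rule}

def firewall_policy_body(name, rule_ids, *, description="", availability_zone=None):
    """Step 2: request body for a policy; rule_ids are evaluated top to bottom."""
    policy = {"name": name, "description": description, "firewall_rules": list(rule_ids)}
    if availability_zone is not None:
        policy["availability_zone"] = availability_zone
    return {"firewall_policy": policy}

def firewall_body(name, policy_id, router_id=None, *, description="",
                  availability_zone=None, apply_to_all_routers=False):
    """Step 3: request body for the firewall. The router ID is optional in the API, but
    omitting it applies the policy to every virtual router in the availability zone, so
    this helper refuses to build such a body unless the caller opts in explicitly."""
    if router_id is None and not apply_to_all_routers:
        raise ValueError("router_id omitted: the policy would apply to all virtual routers "
                         "in the availability zone; pass apply_to_all_routers=True if intended")
    fw = {"name": name, "description": description, "firewall_policy_id": policy_id}
    if router_id is not None:
        fw["router_id"] = router_id
    if availability_zone is not None:
        fw["availability_zone"] = availability_zone
    return {"firewall": fw}

def build_web_firewall(router_id, availability_zone="example-az"):
    """Return the three request bodies, in creation order, for a router in front of a web
    subnet. Rule and policy IDs are constructed placeholders; in practice they come from
    the create responses of steps 1 and 2."""
    rules = [
        # Destination is the private subnet even if the servers are reached via DNAT,
        # because inbound traffic is translated before the firewall inspects it.
        firewall_rule_body("allow-web", "tcp", "allow",
                           destination_ip="192.168.10.0/24", destination_port="80:443",
                           availability_zone=availability_zone),
        firewall_rule_body("allow-ssh-from-bastion", "tcp", "allow",
                           source_ip="192.168.20.5", destination_ip="192.168.10.0/24",
                           destination_port="22", availability_zone=availability_zone),
    ]
    rule_ids = ["<id-of-allow-web>", "<id-of-allow-ssh-from-bastion>"]   # placeholders
    policy = firewall_policy_body("web-policy", rule_ids, availability_zone=availability_zone)
    firewall = firewall_body("web-fw", "<id-of-web-policy>", router_id,
                             availability_zone=availability_zone)
    return rules, policy, firewall
```

Only the two allow rules are listed; everything else on the router is caught by the implicit DENY ALL that the service appends to the policy, so no explicit deny rule is needed for the default posture.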