Defining Network Profile for Distributed Firewall Section Marking

Page last updated:

This topic describes how to define network profiles to create markers for NSX-T distributed firewall (DFW).

About DFW Section Markers

NSX-T applies distributed firewall (DFW) rules on ESXi transport nodes to control north-south traffic into and out of the virtual network environment. Edge firewall (EFW) rules run on Edge transport nodes and control east-west traffic.

When a Kubernetes developer creates a network policy, NCP translates that policy into a DFW rule. “Allow” rules are placed at the top. “Deny” or “Drop” rules placed at the bottom, after the allow rules. All “Allow” rules are created above all “Deny” rules. This means the “Allow” rules take higher precedence than “Deny” rules.

NCP does not place the network policy DFW rule in any particular order in the stack of allow and deny rules. If multiple “Allow” rules are created, they are executed in chronological order: the previously created “Allow” rule takes precedence over the recently created one. This may not be the ordering that network administrators want, or it may disrupt the presumed ordering. Similarly, if a network policy results in an NCP-defined deny rule, it is placed at the top of the deny/drop stack. Again, this may not be the desired location.

With the top section marker, the operational rules can be created in the top section, NCP will create any rules when Kubernetes network policies are created always below this top section marker. Thus, the operational rules created will not be over-ridden by developers. Drop/deny rules operate in the bottom section. You can define a bottom section marker so that drop/deny rules created by NCP do not displace allow rules defined.

Top Firewall Section Marker

Using the top_firewall_section_marker, the operational rules can be created in the top section, NCP will create any rules when Kubernetes network policies are created always below this top section marker. Thus, the operational rules created will not be over-ridden by developers.

{
 "name": "Example network profile",
 "description": "Network profile to enable DFW section marking",
 "parameters": {
   "cni_configurations":
   {
      "type":"nsxt",
      "parameters": {
        "top_firewall_section_marker":"section-id",
        "bottom_firewall_section_marker":"section-id"        
      }
    }
  }
}

Bottom Firewall Section Marker

Drop/deny rules operate in the bottom section. You can define a bottom_firewall_section_marker so that drop/deny rules created by NCP do not displace existing rules.

{
 "name": "Example network profile",
 "description": "Network profile to enable DFW section marking",
 "parameters": {
   "cni_configurations":
   {
      "type":"nsxt",
      "parameters": {
        "top_firewall_section_marker":"section-id",
        "bottom_firewall_section_marker":"section-id"        
      }
    }
  }
}

Please send any feedback you have to pks-feedback@pivotal.io.