NSX Distributed Firewall can enforce firewall functionality directly at a Virtual Machine's vNIC, and supports a micro‐segmentation security model where East‐West traffic can be inspected at near line rate processing.
■ API-URL is a URL of the form https://vcloud.example.com/network.
■ id is a vCloud Director unique identifier in the form of a UUID, as defined by RFC 4122.
Three rights control access to distributed firewall configuration: ORG_VDC_DISTRIBUTED_FIREWALL_VIEW, ORG_VDC_DISTRIBUTED_FIREWALL_CONFIGURE, and ORG_VDC_DISTRIBUTED_FIREWALL_ENABLE.
An organization administrator role has ORG_VDC_DISTRIBUTED_FIREWALL_VIEW and ORG_VDC_DISTRIBUTED_FIREWALL_CONFIGURE rights by default. Only the system administrator has ORG_VDC_DISTRIBUTED_FIREWALL_ENABLE right by default.
The vCloud Director API for NSX makes use of etag headers in responses. Requests that modify an object returned in a response must include the etag value from that response in an if-match header. For example, this request to retrieve a section of a firewall rule returns the requested section and includes an etag in the response header.
GET https://10.17.124.244/network/firewall/globalroot-0/config/layer3sections/c02d1603-af97-4310-80b9-4f3beaa456c4

Content-Type: application/xml
Date: ...
ETag: 1487090590214
Expires: ...

<?xml version="1.0" encoding="UTF-8"?>
<sections>
  <section id="1048" name="vdc-01(c02d1603-af97-4310-80b9-4f3beaa456c4)" generationNumber="1474037046864" timestamp="1474037046864">
    <rule id="1020" disabled="false" logged="false">
      <name>testrule3</name>
      <action>allow</action>
      <appliedToList>
        <appliedTo>
          <name>vdc-01(c02d1603-af97-4310-80b9-4f3beaa456c4) </name>
          <value>securitygroup-28</value>
          <type>SecurityGroup</type>
          <isValid>true</isValid>
        </appliedTo>
      </appliedToList>
      <sectionId>1048</sectionId>
      <direction>inout</direction>
      <packetType>any</packetType>
    </rule>
  </section>
</sections>
A subsequent request to modify the section by adding a rule must include the etag as the value of an if-match request header.
POST https://10.17.124.244/network/firewall/globalroot-0/config/layer3sections/c02d1603-af97-4310-80b9-4f3beaa456c4/rules
...
if-match: 1487090590214
...

<?xml version="1.0" encoding="UTF-8"?>
<rule disabled="false" logged="false">
  <name>testrule3</name>
  <action>allow</action>
  <appliedToList>
    <appliedTo>
      <name>testrule3</name>
      <value>securitygroup-28</value>
      <type>SecurityGroup</type>
      <isValid>true</isValid>
    </appliedTo>
  </appliedToList>
  <direction>inout</direction>
  <packetType>any</packetType>
</rule>
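The GET-then-POST exchange above, as an added example that is not part of this documentation or of the vCloud Director API itself: a constructed stand-in for the section endpoint enforces the If-Match requirement, and a client helper reads the ETag, posts the rule with it, and re-reads the section if the ETag has gone stale. The 412 status returned for a stale If-Match is an assumption (the page does not state the exact code), as is the constructed sample section.

```python
import xml.etree.ElementTree as ET

# Constructed stand-in for the section endpoint. It enforces the page's rule
# that a modifying request must carry the current ETag in If-Match. The 412
# status for a stale If-Match is an assumption; the page does not state it.
class SectionEndpoint:
    def __init__(self, section_xml, etag):
        self.root = ET.fromstring(section_xml)
        self.etag = etag

    def get(self):
        # GET .../layer3sections/<id> -> (status, headers, body)
        return 200, {"ETag": self.etag}, ET.tostring(self.root, encoding="unicode")

    def post_rule(self, headers, rule_xml):
        # POST .../layer3sections/<id>/rules
        if headers.get("if-match") != self.etag:
            return 412, {}, "Precondition Failed"
        self.root.find("section").append(ET.fromstring(rule_xml))
        self.etag = str(int(self.etag) + 1)  # modified object -> new ETag
        return 201, {"ETag": self.etag}, ""

def build_rule(name, security_group, action="allow"):
    """Build the <rule> body shown on the page, scoped to one SecurityGroup."""
    rule = ET.Element("rule", disabled="false", logged="false")
    ET.SubElement(rule, "name").text = name
    ET.SubElement(rule, "action").text = action
    applied = ET.SubElement(ET.SubElement(rule, "appliedToList"), "appliedTo")
    for tag, text in (("name", name), ("value", security_group),
                      ("type", "SecurityGroup"), ("isValid", "true")):
        ET.SubElement(applied, tag).text = text
    ET.SubElement(rule, "direction").text = "inout"
    ET.SubElement(rule, "packetType").text = "any"
    return ET.tostring(rule, encoding="unicode")

def add_rule(endpoint, rule_xml, max_attempts=3):
    """GET the section for its ETag, then POST with If-Match; re-read on 412."""
    status = None
    for _ in range(max_attempts):
        _status, headers, _body = endpoint.get()
        status, headers, _body = endpoint.post_rule({"if-match": headers["ETag"]}, rule_xml)
        if status != 412:
            return status, headers.get("ETag")
    return status, None

def rule_names(endpoint):
    return [r.findtext("name") for r in endpoint.root.iter("rule")]

SECTION = ('<sections><section id="1048" name="vdc-01"><rule id="1020"><name>testrule3</name>'
           '<action>allow</action></rule></section></sections>')  # constructed sample
```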