Firewall Appliance

In some cases, you may be required to use a dedicated firewall appliance from a specific vendor (e.g. to meet specific certification requirements).

  • Firewall appliances from known vendors can be found in the Compute catalog.
  • Alternatively, a specific vendor's firewall appliance can be downloaded from the vendor's website as a virtual machine image (OVA, QCOW2). Create a request to the Support Team to deploy this appliance in the account infrastructure.

A firewall (or router) appliance can be deployed into VPC networks by two networking schemes:

  • Firewall VM with interfaces
  • Firewall-on-a-stick

Firewall VM with interfaces

This deployment scheme adds a NIC from every network to the Firewall virtual machine and routes all traffic between networks through the Firewall VM.

Steps

  1. In the application VPC > Networks, create a special transit network (router_net) to connect the Firewall appliance to the VPC router.
  2. In the application VPC > Networks, add a network interface to the Firewall VM for each network.
  3. In the application VPC > Routes, add a route for each subnet via the Firewall's IP in the transit network (router_net).
  4. On the Firewall appliance, configure the default route to point at the internet gateway on the VPC router. This step is specific to the Firewall appliance vendor.
  5. In the application VPC > Routes, change the default route (0.0.0.0/0) to go via the Firewall's IP in the transit network (router_net).

Changes Requiring Support Team Assistance

The following changes require submitting a request to the Support Team:

  1. Configure DHCP in each subnet (network) to use the Firewall's interface IP as the default gateway.
  2. Disconnect each subnet from the VPC router.
  3. Reassign the primary IP address as a floating IP to the Firewall VM.

Limitations

The deployment scheme is limited to 16 NICs per Firewall virtual machine. As a result, a single firewall VM cannot manage more than 15 networks.

High Availability

For high availability, it is recommended to deploy at least 2 virtual machines with the Firewall appliance.
The first IP address in each subnet is reserved in DHCP for the router. Use a protocol such as HSRP or VRRP to configure that address as a virtual IP address shared by both Firewall appliances.
Then use the virtual IP address as the default gateway in DHCP.
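The following added example (not part of this documentation or any vendor's tooling) turns the steps above, the 16-NIC limitation and the HA rule into a planning check: it validates a proposed "Firewall VM with interfaces" layout and emits the VPC route entries and DHCP default gateways the Support Team would need. All CIDRs and addresses in it are constructed sample values.

```python
import ipaddress

MAX_NICS = 16  # per-VM NIC limit from the Limitations section; one NIC is used by router_net


def plan_firewall_deployment(router_net, fw_router_ip, subnets, ha=False):
    """Validate the layout and return VPC routes plus per-subnet DHCP gateways.

    router_net   : transit network CIDR (router_net), e.g. "10.255.255.0/28"
    fw_router_ip : Firewall interface IP inside router_net
    subnets      : {subnet_cidr: firewall_ip_in_that_subnet}
    ha           : when True, each subnet gateway must be the first host address,
                   i.e. the IP reserved in DHCP for the router and used as the
                   HSRP/VRRP virtual IP on both appliances
    """
    transit = ipaddress.ip_network(router_net)
    fw_transit = ipaddress.ip_address(fw_router_ip)
    if fw_transit not in transit:
        raise ValueError(f"{fw_router_ip} is not inside transit network {router_net}")
    # Step 2 adds one NIC per network; the transit NIC already consumes one of the 16.
    if len(subnets) + 1 > MAX_NICS:
        raise ValueError(f"{len(subnets)} networks need {len(subnets) + 1} NICs; max is {MAX_NICS}")

    routes, dhcp_gateways = [], {}
    for cidr, gw in subnets.items():
        net = ipaddress.ip_network(cidr)
        gw_ip = ipaddress.ip_address(gw)
        if gw_ip not in net:
            raise ValueError(f"gateway {gw} is not inside {cidr}")
        first_host = net.network_address + 1
        if ha and gw_ip != first_host:
            raise ValueError(f"HA virtual IP for {cidr} must be the reserved first address {first_host}")
        # Step 3: per-subnet route on the VPC router via the Firewall's transit IP
        routes.append((str(net), str(fw_transit)))
        # Support Team change 1: DHCP hands out the Firewall IP (or the VIP) as default gateway
        dhcp_gateways[str(net)] = str(gw_ip)
    # Step 5: the default route now also points at the Firewall's transit IP
    routes.append(("0.0.0.0/0", str(fw_transit)))
    return {"routes": routes, "dhcp_gateways": dhcp_gateways}


if __name__ == "__main__":
    # Constructed sample: two application networks behind an HA firewall pair
    plan = plan_firewall_deployment(
        "10.255.255.0/28", "10.255.255.2",
        {"10.0.1.0/24": "10.0.1.1", "10.0.2.0/24": "10.0.2.1"}, ha=True)
    for dest, via in plan["routes"]:
        print(f"route {dest} via {via}")
    for net, gw in plan["dhcp_gateways"].items():
        print(f"dhcp {net} default-gateway {gw}")
```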