An essential virtual network appliance

Whatever service you run on any cloud provider, the underlying infrastructure is virtually dedicated to you. Walking through a sample firewall appliance setup, let us elaborate the mysterious links in between physical and logical domains.

Virtual Network Appliance

In our scenario we will be using VMware as the virtualization environment and pfSense as the firewall. So, this will be quite an interesting and cost effective virtual network appliance for SME security departments operating on private networks. Nevertheless, ideas and concepts detailed here are equally applicaple with different naming conventions on public clouds as well.

Scope definition

Our target here is to highlight how software configuration items in virtual platforms are bound to hardware components on physical infrastructure. We will be using a layered architecture to clarify the topology and to figure out the domains for seperation of roles.

Details, such as how distributed or actual switches are configured, how pfSense is installed as a virtual appliance on VMware are out of the scope of this article. But of course, you can find a cool step-by-step guide in Netgate Docs.

Layered architecture

Networking is all about understanding the layered architecture. For those who are familiar with OSI or TCP/IP models, the following diagram might look like an oversimplification of the concepts. But for those who are trying to feel the nature of interconnectivity nowadays, it would probably work like a charm.

Virtual Firewall Setup

2-3 decades ago it was very important to keep track of cabling layout. Though it is still very crucial for Internet service providers, there are new objects for us to configure and take care of on any communication path created in cloud infrastructure by software defined networking principles.

Fortunately, core elements of networking protocols are the same. But the art of applying the right protocol at the right configuration item requires a visualization of the layered architecture in your own topology. In this way you can also improve your troubleshooting cycles. Just for your convenience and for the sake of completeness in this article, below are some of the aspects regarding above diagram:

  1. LACP is enabled for VM NICs 1&2 and 3&4 on server and client switches, respectively.
  2. Specific broadcast domains (VLANs) are created for different server and client zones on relevant switches.
  3. VLAN tagging is enabled on both inside and outside uplinks. It is also possible to group selected VLANs via tagging on dedicated port groups to be connected to virtual firewall and using sub-interfaces within the appliance.
  4. Interface assignments and Inter-VLAN routing is done on the firewall, i.e., virtual network appliance.
  5. And all traffic in between client and/or server zones are subject to defined firewall rules.

Key take aways

After going over such a foundational use case, let us switch back to our cloud mission. From a wider perspective you should always be aware of the following facts:

  • Understand the shared responsibility model.
  • Dig into the underlying physical components and learn about the logical limitations exposed on the services you use.
  • Create as many networks/subnets as required depending on your security posture and global reach.
  • Implement a non-overlapping and tedious IP addressing scheme.
  • If you do not have any specific reason, prefer stateful access control rules.