Managing RackConnect Network Policies
One of the main benefits of RackConnect is that you do not have to set software firewall rules (IPTables or Windows Firewall) on individual Cloud Servers—you can modify network connectivity between all servers (Cloud and Dedicated) and the Internet by adding Network Policies.
Network Policies are configurable under each individual Cloud Account in the RackConnect Management Interface (available in the MyRackspace Portal), and can be added to control access between your Cloud Servers, your Dedicated environment, and the Internet.
A Network Policy defines access that you wish to have applied for one of five RackConnect traffic scenarios. Here are the available Network Policies, along with their effect on Network Device Access Lists and/or software firewalls (IPTables or Windows Firewall):
- Cloud Server(s) to Dedicated – Updates Connected Network Device Access Lists
- Cloud Server(s) to Internet – Updates Connected Network Device Access Lists
- Cloud Server(s) to Cloud Server(s) – Updates Inbound software firewalls on Cloud Server(s)
- Dedicated to Cloud Server(s) – Updates Inbound software firewalls on Cloud Server(s)
- Internet to Cloud Server(s) – Updates Edge Network Device Access Lists and Inbound software firewalls on Cloud Server(s)
Note: Software firewalls are configured to allow unrestricted outbound access from your Cloud Servers.
Network Policies provide you the ability to match based on certain criteria (Hosts, Networks, Cloud Server Name Matches, Cloud Server ID Matches) and can limit access to specific protocols (TCP, UDP, ICMP) and ports or port ranges (port ranges limited to 100 ports).
To manage your Network Policies, select the Cloud Account to customize in the RackConnect Management Interface, click on the “Network Policies” tab, and follow the on-screen instructions to add and remove Network Policies.
When defining a Network Policy, enter a “Policy Name,” select an “Access Scenario” from the drop-down list (one of the five listed above), enter a “Source Type”, a “Destination Type”, and a “Destination Protocol”, along with a “Destination Port or Port Range”. These fields are context sensitive. That means that based on the Access Scenario you choose, the options for other tabs can change.
- Selecting “All” refers to all hosts within a network or account
- Selecting “Server Name Match” performs a match of your entered text. It is not case sensitive and you do not need to enter any wildcards. For instance, “Web” matches a Cloud Server named WEB001, as well as Mywebserver
- Selecting “Server ID Match” performs an exact match of the Server ID from the Cloud Servers API. When you begin typing the server name, a dropdown will appear where you can select the Server and it will populate the Server ID for you
- Selecting “Network” allows you to define a network and subnet that will include all IPs within the subnet. Enter it in the format: xxx.xxx.xxx.xxx/xx using CIDR notation (for example, 172.16.1.0/24 enters the entire 172.16.1.0 class C network, which corresponds to 172.16.1.0 with a subnet mask of 255.255.255.0)
- Selecting “Host” allows you to enter the IP address of the host to define.
Example Internet to Cloud Server(s) Network Policy
From the Network Policy screen, you also have the ability to apply a Network Policy Template. Network Policy Templates provide you a quick way to get started using RackConnect. Review the description of each template for details of the type of access it will grant in your environment.
Any time you alter a Network Policy, the automation status indicators will show you when the Network Policy is being deployed (or removed) and when the changes are complete. You can also track details of the status on the Tasks tab. You will have to refresh the page in the MyRackspace Portal to view the updated status indicators.
Here the circles are all green, which means the Network Policies were successfully “Deployed”
IMPORTANT NOTE: Network Policy “Destination Port Range” entries are limited to 100 ports, and they have valid integer values between 0 and 65535 with a range of the form xxxxxx-xxxxxx.
Frequently Asked Questions
I've written my own software firewall rules. What will happen to them?
All software firewall rules should be managed using Network Policies. RackConnect automation rebuilds the entire firewall ruleset when it updates a system. As a result, any custom software firewall rules not created by Network Policies will be overwritten. This behavior can be changed on Linux Cloud Servers to allow custom iptables rules (within certain limitations - see here for details), but due to technical limitations of Windows Firewall, all firewall rules on Windows Cloud Servers must be managed through Network Policies alone.
Why am I limited to port ranges of 100 ports or less?
Due to a technical limitation in Windows Firewall which prevents port-range rules from being executed in the correct order, a separate firewall rule must be created for every port in the range. For Network Policies such as Cloud Server Name-Match rules which allow multiple source systems, the number of rules created on each destination server can be as large as the number of ports allowed multiplied by the number of systems allowed. In an effort to prevent Windows servers from becoming so bogged down with firewall rules that they become unresponsive, we limit Network Policies to port ranges of 100 ports or less.
How should I setup Network Policies for use with Cloud Monitoring?
By default, the Cloud Monitoring systems have access to your RackConnected Cloud Servers. You should not need to create any custom Network Policies to allow the Cloud Monitoring systems to connect.
© 2011-2013 Rackspace US, Inc.
Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License
See license specifics and DISCLAIMER