[VMC on AWS] Managing Firewall Compute Gateway (CGW) Rules in Custom Policy Groups within VMware Cloud on AWS (VMC) and NSX-T

Article ID: 314089

Products

VMware Cloud on AWS

Issue/Introduction

The purpose of this Knowledge Base (KB) article is to provide comprehensive information and guidance to address the issue faced by customers when managing Firewall Compute Gateway (CGW) rules within custom policy groups in the context of VMware Cloud on AWS (VMC) and NSX-T.


Symptoms:

Customers encounter difficulty managing Firewall (FW) Compute Gateway (CGW) rules that were created in a custom policy group through the NSX UI. These rules are not listed in the NSX UI, which complicates FW rule management.


Cause

The customer's inability to manage FW CGW rules in custom policy groups via the NSX UI is due to the design of VMware Cloud on AWS and its integration with NSX-T. The NSX UI is intended to manage rules within the default policy group, and custom policy groups are not within its management scope. 

The default policy group is the only one that can be configured by customers in the context of VMC. While the NSX UI allows the management of rules within the default policy group, it does not provide visibility or management capabilities for rules created outside this group. 

Custom policy groups are not considered within the scope of the NSX UI's queries, adhering to the intended design that limits customer configurability to the default policy group.

Resolution

By design, FW rules created within custom policy groups cannot be managed through the NSX UI; users are advised to create FW rules in the default policy group.

If the user wishes to create rules in custom policy groups, it is advised that those rules be managed from scripting/automation tools.

VMware engineering is considering a second patch to prevent the creation of custom policy groups with CloudAdmin access levels. This suggests that there may be future developments that impact the management of custom policy groups.


Workaround:

The workaround below can be implemented using the NSX API and an automation platform such as Terraform.

1.) Terraform Configuration:
To work within the limitations of the NSX UI, it is recommended to configure Terraform to manage rules only within the following path:

/infra/domains/cgw/gateway-policies/default/

By limiting Terraform's management scope to this path, the customer can ensure that the rules they create are visible within the NSX UI.

2.) Consider Default Policy Group:
Because VMC's design limits customer configurability to the default policy group, incorporate FW rules into the default group whenever possible. This can be achieved through Terraform with the following configuration:


# CGW definition: adopt the default Compute Gateway policy so that rules
# land under /infra/domains/cgw/gateway-policies/default and remain
# visible in the NSX UI
resource "nsxt_policy_gateway_policy" "cgw_policy" {
  category     = "LocalGatewayRules"
  display_name = "default"
  domain       = "cgw"
  # never let a "terraform destroy" remove the default policy
  lifecycle { prevent_destroy = true }
}

This configuration ensures that the customer's rules are within the default policy group and thus manageable through the NSX UI.
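The path restriction in step 1 and the default-policy configuration in step 2 both rest on one fact: only rules whose path sits under /infra/domains/cgw/gateway-policies/default are visible in the NSX UI. The following script, added here as an example and not VMware's or the NSX Terraform provider's own code, audits a CGW gateway-policy listing and reports which rules a UI operator will not see. It assumes the JSON shape of the NSX Policy API GatewayPolicyListResult (a "results" list of GatewayPolicy objects, each with a "path" and a "rules" list) and embeds a constructed sample response so it runs offline; policy and rule names in that sample are made up.

```python
"""Audit Compute Gateway (CGW) firewall rules for NSX UI visibility.

Added example for this KB article, not VMware's own code. The response
shape (results -> policy -> rules, each with a "path") is an assumption
about the NSX Policy API; the sample response below is constructed.
"""
import json

# Only rules under this gateway policy are shown by the NSX UI in VMC on AWS
# (the path named in the KB article, without the trailing slash).
DEFAULT_CGW_POLICY_PATH = "/infra/domains/cgw/gateway-policies/default"

# Constructed sample of GET /policy/api/v1/infra/domains/cgw/gateway-policies
# with one default policy and one custom policy group (names are made up).
SAMPLE_RESPONSE = json.dumps({
    "results": [
        {
            "id": "default",
            "display_name": "default",
            "path": "/infra/domains/cgw/gateway-policies/default",
            "rules": [
                {"id": "allow_https", "display_name": "Allow HTTPS",
                 "path": "/infra/domains/cgw/gateway-policies/default/rules/allow_https",
                 "action": "ALLOW"},
            ],
        },
        {
            "id": "custom-policy-01",
            "display_name": "custom-policy-01",
            "path": "/infra/domains/cgw/gateway-policies/custom-policy-01",
            "rules": [
                {"id": "allow_rdp", "display_name": "Allow RDP",
                 "path": "/infra/domains/cgw/gateway-policies/custom-policy-01/rules/allow_rdp",
                 "action": "ALLOW"},
                {"id": "drop_all", "display_name": "Drop all",
                 "path": "/infra/domains/cgw/gateway-policies/custom-policy-01/rules/drop_all",
                 "action": "DROP"},
            ],
        },
    ]
})


def is_ui_manageable(rule_path: str) -> bool:
    """True when the rule lives inside the default CGW gateway policy.

    The trailing "/" keeps a sibling policy such as ".../default-2" from
    matching by prefix.
    """
    return rule_path.startswith(DEFAULT_CGW_POLICY_PATH + "/")


def audit_cgw_rules(response_json: str) -> dict:
    """Split CGW rules into UI-visible and UI-hidden (custom policy) lists.

    Returns {"visible": [rule paths], "hidden": [rule paths]}; the hidden
    list is what must be owned by scripting/automation tooling instead of
    the NSX UI.
    """
    policies = json.loads(response_json).get("results", [])
    visible, hidden = [], []
    for policy in policies:
        for rule in policy.get("rules", []):
            # Fall back to policy path + rule id if a rule carries no path.
            rule_path = rule.get("path") or f"{policy['path']}/rules/{rule['id']}"
            (visible if is_ui_manageable(rule_path) else hidden).append(rule_path)
    return {"visible": visible, "hidden": hidden}


if __name__ == "__main__":
    report = audit_cgw_rules(SAMPLE_RESPONSE)
    for path in report["hidden"]:
        print(f"NOT visible in NSX UI (custom policy group): {path}")
    for path in report["visible"]:
        print(f"visible in NSX UI (default policy group):    {path}")
```

Run against a real listing, the script gives the operator the exact rule paths that Terraform (or whichever automation tool created them) must continue to own, and an empty "hidden" list confirms that the Terraform scope restriction from step 1 is holding.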

Note:

The Terraform configuration is an example and is not meant to represent the sole workaround. For other tools, please engage the respective vendors.


Additional Information

Add or Modify Management Gateway Firewall Rules


Impact/Risks:

Users would be unable to manage Compute Gateway (CGW) Rules in Custom Policy Groups in VMC on AWS.