firewall

Description

A firewall restricts network communication based on a list of rules.

When a firewall is applied to a subnet, it is interpreted as a Layer 4 (stateless) packet filter. Because a stateless filter does not track connections, the return traffic of a connection initiated from inside the subnet, which arrives on an ephemeral port (typically in the range 1024-65535), is not admitted automatically; you may need to open that range explicitly.

When applied elsewhere, such as directly to an endpoint, it is interpreted as a Layer 7 (stateful) firewall.

We recommend that you apply firewalls to all endpoints rather than to subnets.

Required Properties

This object has no required properties, but it likely requires a combination of optional properties to be useful.

Optional Properties

rules (list of dict)

The traffic rules, which control how packets are handled before they are delivered to the consuming object. Rules are applied in the order they are listed. Every inbound rule list automatically ends with a deny-all rule, so if you want to allow all traffic you must add a rule that explicitly does so. Typical inbound rules filter on port number (thus identifying a service), and some further restrict that service to a set of source addresses. At this time we recommend using only allow rules: some venue implementations do not support deny rules, and we do not currently perform the complex translation needed to convert them.

description (string)

A description of the rule and why it exists.

from (oneof)

This rule applies to any packets coming from the specified source. Allowed values:

  • self: only the object this firewall is being applied to
  • members: the same meaning as self
  • any, anywhere or internet: packets coming from (or going to) anywhere
  • a networking.network or networking.subnet fully qualified reference
  • a range in CIDR notation
  • an IP address

This rule will NOT open a hole in any outer firewall, but it does override the network's default policy when applied to a subnet in that network. For example, if a subnet firewall limits a port to members, setting a VM firewall on that port to internet will still only allow traffic from members.

In any given firewall rule, either from or to must be one of self or members. This indicates the directionality of the rule. A rule from self indicates an outbound rule.

The default value if not specified is anywhere.

protocols

The protocol(s) to match, referenced by the name given under networking.protocol. At least one protocol or service is required.

The service(s) to match. At least one protocol or service is required. If a service rule overlaps with a protocol rule, the protocol rule wins.

to (oneof)

This rule applies to any packets going to the specified destination. Allowed values:

  • self: only the object this firewall is being applied to
  • members: the same meaning as self
  • any, anywhere or internet: packets coming from (or going to) anywhere
  • a networking.network or networking.subnet fully qualified reference
  • a range in CIDR notation
  • an IP address

In any given firewall rule, either from or to must be one of self or members. This indicates the directionality of the rule. A rule to self indicates an inbound rule.

The default value if not specified is self.
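To make the rule semantics above concrete (ordering, the implicit inbound deny-all, the from/to directionality check, and the defaults of from: anywhere and to: self), here is an added illustrative evaluator written for this page; it is not Tuono's own implementation or translation logic. The blueprint fragment, the evaluate_inbound helper and the protocols lookup against networking.protocol are constructed assumptions modelled on the page's example.

```python
import ipaddress

SELF = {"self", "members"}
ANYWHERE = {"any", "anywhere", "internet"}

# Constructed blueprint fragment (not from the page): the protocol map plus a
# rule list with one inbound rule limited to a CIDR and one outbound rule.
BLUEPRINT = {
    "protocol": {
        "ssh": {"ports": [{"port": 22, "proto": "tcp"}]},
        "https": {"ports": [{"port": 443, "proto": "tcp"}]},
    },
    "rules": [
        {"description": "Admin SSH", "from": "203.0.113.0/24", "protocols": "ssh"},
        {"description": "Egress HTTPS", "from": "self", "to": "internet", "protocols": "https"},
    ],
}

def direction(rule):
    """Either from or to must be self/members; that end fixes the direction."""
    src, dst = rule.get("from", "anywhere"), rule.get("to", "self")
    if dst in SELF:
        return "inbound"
    if src in SELF:
        return "outbound"
    raise ValueError(f"{rule.get('description')!r}: from or to must be self/members")

def peer_matches(spec, ip):
    """Match the remote address against anywhere, a CIDR range or a single IP."""
    if spec in ANYWHERE:
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def protocol_matches(blueprint, names, proto, port):
    """protocols may be one name or a list; resolve each via networking.protocol."""
    names = [names] if isinstance(names, str) else names
    return any(p["proto"] == proto and p["port"] == port
               for n in names for p in blueprint["protocol"][n]["ports"])

def evaluate_inbound(blueprint, src_ip, proto, port):
    """First matching allow rule wins; the implicit deny-all ends the list."""
    for rule in blueprint["rules"]:
        if direction(rule) != "inbound":
            continue
        if (peer_matches(rule.get("from", "anywhere"), src_ip)
                and protocol_matches(blueprint, rule["protocols"], proto, port)):
            return "allow"
    return "deny"
```

Only inbound evaluation is modelled, since the page defines the implicit deny-all for inbound lists only.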

Common Properties

count (integer)

Indicates how many of this firewall should exist. When count is specified the name of the given resource will have a hyphen and numeric suffix added automatically, unless the count variable is referenced in the blueprint object name.

depends_on (any)

This property can be used to declare a dependency from this firewall to any other object in the blueprint. This is not necessary for dependencies generated normally by the schema.

folder

The folder containing this firewall. If this is not specified and there is only one folder defined, that folder is used automatically.

name (string)

The name of this firewall. The name can be different than the blueprint object name. When the name property is not present we apply automatic naming strategies to make resources easier to identify in each venue's management console. When the name property is specified we will use it exactly as specified.

readonly (boolean)

Indicates whether or not this firewall is read-only. If so, we verify only the existence and correctness of this firewall to its specification rather than creating or modifying it.

The default value if not specified is false.

tags (dict)

The tags to place on this firewall. Tags are metadata stored in (key = value, ...) form. Consumers are not allowed to use tags that begin with _tuono as those are reserved.

Discovered Properties

These properties are populated and available in the inventory following a successful apply.

id (string)

The venue-specific identifier of this firewall.

Examples

Define a firewall that allows only inbound SSH, but all outbound:

location:
  folder:
    example-folder:
      region: example-region
  region:
    example-region:
      area: west
      country: USA
networking:
  firewall:
    example-firewall:
      rules:
        - description: Allow SSH
          from: anywhere
          protocols: ssh
          to: self
  network:
    example-network:
      range: 10.0.0.0/8
      scope: public
  protocol:
    ssh:
      ports:
        - port: 22   # SSH listens on TCP port 22
          proto: tcp
