You can create firewall rules to establish Trust Groups and firewall rules to apply to an edge gateway to protect your virtual machines from outside network traffic.
Advanced Networking Services includes two types of firewalls—the edge gateway firewall and the firewall to establish Trust Groups (referred to as a distributed firewall in the Advanced Networking Services Web UI). Configuring the edge gateway firewall is available for both Dedicated Cloud and Virtual Private Cloud subscription services. However, configuring the firewall to establish Trust Groups is possible only when you have the vCloud Air Dedicated Cloud subscription service.
An edge gateway firewall monitors North-South traffic to provide perimeter security functionality including firewall, Network Address Translation (NAT) as well as site-to-site IPSec and SSL VPN functionality.
Trust Groups, implemented through stateful distributed firewalls, isolate and secure each virtual machine and application down to the Layer 2 level. Configuring Trust Groups effectively quarantines any external or internal network security compromise, isolating East-West traffic between virtual machines on the same network segment. Security policies are centrally managed, inheritable, and nestable, so networking and security administrators can manage them at scale. Additionally, once deployed, defined security policies follow the virtual machines or applications when they move into vCloud Air.
Rules defined on the centralized level are referred to as pre rules. Tenants can then add rules at an individual edge gateway level, which are referred to as local rules.
Each traffic session is checked against the top rule in the Firewall table before moving down the subsequent rules in the table. The first rule in the table that matches the traffic parameters is enforced. Rules are displayed in the following order: