This is the multi-page printable view of this section. Click here to print.
Firewall
- 1: Overview
- 2: How-to guides
- 2.1: Firewall Logging
- 3: API Reference
- 4: CLI Reference
- 5: Release Note
1 - Overview
Service Overview
Firewall is a virtual logical firewall service that controls traffic occurring from VPC and Load Balancer of Samsung Cloud Platform.
The target resources that can be applied in the Firewall are Internet Gateway, Direct Connect, Load Balancer, and it is possible to manage a safe network by setting rules for communication between VPC and the internet, and VPC and customer network.
When the Firewall is first created, it blocks all Inbound/Outbound traffic according to the default rule (Any Deny).
Users can create Inbound/Outbound rules by specifying IP addresses, ports, and protocols, and only allowed traffic can communicate with the created rules.
Component
The components that make up the Firewall are as follows.
| Component | Detailed Description |
|---|---|
| Applied target | Firewall applied target resource
|
| Firewall size | Firewall is provided in 5 sizes according to the rule quota
|
| Firewall rules |
|
Constraints
The Samsung Cloud Platform’s Firewall has a quota (limit) for the maximum number of rules that can be created by size. When creating a Firewall, it is created with Extra Small by default, and the Firewall size can be changed on the Firewall details page in the Samsung Cloud Platform Console.
| Size | Rule Allocation | Detailed Description |
|---|---|---|
| Extra Small | 5 items | maximum number of rules that can be created 5 items |
| Small | 100 pieces | maximum number of rules that can be generated 100 pieces |
| Medium | 200 | maximum number of rules that can be generated 200 |
| Large | 500 pieces | maximum number of rules that can be generated 500 pieces |
| Extra Large | 1,000 items | maximum number of rules that can be created 1,000 items |
Preceding Service
This is a list of services that must be pre-configured before creating the Firewall service. Please refer to the user guide (reference link) below for more information and prepare in advance.
| Service Category | Service | Detailed Description |
|---|---|---|
| Networking | VPC | A service that provides an independent virtual network in a cloud environment |
| Networking | Direct Connect | A service that quickly and securely connects the customer’s network and the Samsung Cloud Platform’s network |
| Networking | Load Balancer | A service that distributes traffic to multiple servers to maintain a stable service |
2 - How-to guides
Users can create a Firewall service by entering required information and selecting detailed options through the Samsung Cloud Platform Console.
Creating a Firewall
You can create and use a Firewall service through the Samsung Cloud Platform Console.
The Firewall service must be set to Use in the prerequisite service of Networking to be created. Firewalls set to use can be checked on the Firewall list.
- Firewall cannot be created separately like other services on the Samsung Cloud Platform Console.
To set up Firewall use, follow these steps:
Click the All Services > Networking > Firewall menu. You will be redirected to the Firewall Service Home page.
On the Service Home page, click the prerequisite service to create. You will be redirected to the service creation page.
- Create VPC: Set up Firewall use for Internet Gateway and Transit Gateway of VPC service.
- When creating VPC’s Internet Gateway service, set the Use Firewall item to Use. For detailed instructions, refer to Creating Internet Gateway.
- Create VPC’s Transit Gateway service and apply for the Uplink Firewall associated service. For detailed instructions, refer to Creating Transit Gateway.
- Create Direct Connet: Set the Use Firewall item to Use when creating the Direct Connet service. For detailed instructions, refer to Creating Direct Connect.
- Create Load Balancer: Set the Use Firewall item to Use when creating the Load Balancer service. For detailed instructions, refer to Creating Load Balancer.
- Create VPC: Set up Firewall use for Internet Gateway and Transit Gateway of VPC service.
When the prerequisite service creation is complete, check whether the Firewall resource is displayed on the Firewall List.
Checking Firewall Detailed Information
For the Firewall service, you can view and modify the entire resource list and detailed information from the resource management menu.
To check Firewall detailed information, follow these steps:
- Click the All Services > Networking > Firewall menu. You will be redirected to the Firewall Service Home page.
- On the Service Home page, click Firewall List. You will be redirected to the Firewall List page.
- On the Firewall List page, you can check the following information.
Division Description Firewall Name Automatically created in Firewall prerequisite service type_Firewall format Firewall Division Firewall prerequisite service type (Internet Gateway, Direct Connect, Load Balancer) Size Firewall size selected by user VPC Name VPC name connected to Firewall Connection Name Automatically created in prerequisite service name using Firewall_Firewall format Number of Rules Number of rules in use in the Firewall Use Status Whether Firewall is used (activated) or not used (deactivated) - If not used, Any Allow rule is applied and no billing is charged for Firewall
Status Displays Firewall status - Click the More button to set Use/Not Use
Table. Firewall resource list items
- On the Firewall List page, you can check the following information.
- On the Firewall List page, click the resource for which you want to check detailed information. You will be redirected to the Firewall Details page.
- The Firewall Details page displays status information and additional feature information, and consists of tabs for Detailed Information, Rules, Tags, Operation History.
Division Description Service Status Displays Firewall status - Creating: Creating
- Active: Operating
- Editing: Changing
- Deploying: Deployment complete
- Deleting: Deleting
- Error: Error occurred
Table. Firewall status information
- The Firewall Details page displays status information and additional feature information, and consists of tabs for Detailed Information, Rules, Tags, Operation History.
Detailed Information
On the Firewall List page, you can check the detailed information of the selected resource and modify the information if necessary.
| Division | Description |
|---|---|
| Service | Service name |
| Resource Type | Resource type |
| SRN | Unique resource ID in Samsung Cloud Platform |
| Resource Name | Resource name |
| Resource ID | Unique resource ID in the service |
| Creator | User who created the service |
| Creation Date | Date and time when the service was created |
| Modifier | User who modified the service information |
| Modification Date | Date and time when the service information was modified |
| Firewall Name | Automatically created as resource name_Firewall_connection name |
| Firewall ID | Unique resource ID in the service |
| Firewall Division | Firewall prerequisite service type (Internet Gateway, Direct Connect, Load Balancer) |
| Size | Firewall size selected by user
|
| Firewall Rule Count/Quota | Rule quota and number of rules in use for the Firewall |
| VPC Name | VPC name connected to Firewall
|
| VPC ID | VPC ID connected to Firewall |
| Connection Name | Automatically created as {Firewall prerequisite service name_Firewall}
|
| Log Storage Status | Whether to store Firewall logs
|
Rules
On the Firewall List page, you can check the rule list of the selected resource and add, modify, or delete rules.
| Division | Description |
|---|---|
| Excel Download | Download the currently entered rule list as an Excel (*.xlsx) file |
| Detailed Search | Search for rules matching conditions set by the user
|
| Modify Rule | Modify and delete rules displayed in the rule list
|
| Add Rule | Add a new Firewall rule
|
| Order | Displays rule order, applied Top down according to rule order |
| Rule ID | Unique ID value for the rule
|
| Rule Index | Unique Index value for the rule, used for log analysis |
| Source Address | Source address added to the rule |
| Destination Address | Destination address added to the rule, displayed as IP address according to the entered rule |
| Service | Protocol and destination port |
| Action | Traffic Allow/Deny distinction due to rule
|
| Direction | Access direction of traffic based on Firewall
|
| Active Status | Displays whether the rule is active, rule does not operate if in inactive state |
| Status | Displays rule status |
Tags
On the Firewall List page, you can check the tag information of the selected resource, and add, change, or delete tags.
| Division | Description |
|---|---|
| Tag List | Tag list
|
Operation History
On the Firewall List page, you can check the operation history of the selected resource.
| Division | Description |
|---|---|
| Operation History List | Resource change history
|
Managing Firewall Rules
You can add, modify, or delete Firewall rules.
- Rules can be added or modified only when the Firewall status is Active.
- Rules cannot be added if there is no status view permission for the prerequisite service.
- The firewall periodically caches Domain rules registered by the user and retains IP information for a certain period.
- If the caching result of the registered Domain rule does not match the user’s IP, communication may be restricted.
Creating Rules
You can add Firewall rule information by directly entering it on the Rules tab.
To add a Firewall rule, follow these steps:
- Click the All Services > Networking > Firewall menu. You will be redirected to the Firewall Service Home page.
- On the Service Home page, click Firewall List. You will be redirected to the Firewall List page.
- On the Firewall List page, click the resource to which you want to add rules. You will be redirected to the Firewall Details page.
- On the Firewall Details page, click the Rules tab. You will be redirected to the Rules tab page.
- On the Rules tab, click the Add Rule button. You will be redirected to the Add Rule page.
- Enter the required information on the Direct Input tab page.
- Check the added rule and click the Complete button.
| Division | Required | Description |
|---|---|---|
| Rule Position | Required | Specify the position of the rule to create |
| Rule ID to Copy | Optional | Enter the Firewall rule ID to copy and click the Search button to select |
| Source Address | Required | Source address to add to the rule
|
| Destination Address | Required | Select the type of destination address to add to the rule
|
| Type | Required | Select the protocol type to apply the rule
|
| Type > Protocol | Required | Select the detailed protocol of the type
|
| Action | Required | Distinguish traffic allow/block due to rule
|
| Direction | Required | Access direction of traffic based on Firewall
|
| Description | Optional | Additional description written by the user |
| Added Rule | - | Check list of entered rules
|
Creating Rules in Batch
To add multiple Firewall rules at once, follow these steps:
- Click the All Services > Networking > Firewall menu. You will be redirected to the Firewall Service Home page.
- On the Service Home page, click Firewall List. You will be redirected to the Firewall List page.
- On the Firewall List page, click the resource to which you want to add rules. You will be redirected to the Firewall Details page.
- On the Firewall Details page, click the Rules tab. You will be redirected to the Rules tab page.
- On the Rules tab, click the Add Rule button. You will be redirected to the Add Rule page.
- On the Add Rule page, click the Batch Input Rules tab.
- Select Rule Position. If you do not select a position, it will be added to the last order of the rules.
- On Select File, click the Download Form button. The batch input rule Excel file will be downloaded.
- Enter rule information in the batch input rule Excel file and save it.
- On Select File, click Attach File to attach the created Excel file and click Add.
- If the attached Excel file format is different from the registration form or the file is encrypted, it cannot be uploaded.
- The maximum number of batch registration rules that can be uploaded at once is 100. If the maximum registration rule count is exceeded, it cannot be uploaded.
- If the maximum rule count set according to the firewall size is exceeded, the file cannot be uploaded.
- Check whether the entered rules are displayed on the Added Rules list and adjust the order.
- Check the added rules and click the Complete button.
Modifying Rules
You can select a Firewall rule to check and modify rule information.
To modify a Firewall rule, follow these steps:
Click the All Services > Networking > Firewall menu. You will be redirected to the Firewall Service Home page.
On the Service Home page, click Firewall List. You will be redirected to the Firewall List page.
On the Firewall List page, click the resource for which you want to modify rules. You will be redirected to the Firewall Details page.
On the Firewall Details page, click the Rules tab. You will be redirected to the Rules tab page.
On the Rules tab, click the Modify Rule button. You will be redirected to the Modify Rule page.
- On the rule modification page, you can set the following items:
- Activate: Activates the selected rule.
- Deactivate: Deactivates the selected rule. Deactivated rules are not applied to the prerequisite service.
- Delete: Deletes the selected rule. When you click delete, it is displayed as Delete Scheduled status in the changes.
- Cancel Delete: If in delete scheduled status, you can cancel the rule deletion.
- On the rule modification page, you can set the following items:
On the Modify Rule page, click the Edit button for the item to modify. The Modify Rule popup window will open.
In the Modify Rule popup window, enter the item to modify and click the Confirm button.
Division Required Description Order - Order of the rule, order can be changed by clicking Move Up/Move Down in the added rule list Rule ID - Unique ID value for the rule, cannot be changed Rule Index - Unique Index value for the rule, can be used for log analysis Source Address Required Source address registered in the rule - Can change by entering multiple addresses up to 128 at once using Comma (,), range (-) in CIDR (IP/Subnet Mask) format
Destination Address Required Destination address to add to the rule - Can change by entering multiple addresses up to 128 at once using Comma (,), range (-) in CIDR (IP/Subnet Mask) format
Type Required Set protocol type according to the selected destination address item Action Required Can change traffic Allow/Deny distinction due to rule - Allow: Allow traffic if matches rule
- Deny: Block traffic if matches rule
Direction Required Can change access direction of traffic based on Firewall registered in the rule - Inbound: External → Internal
- Outbound: Internal → External
Rule Position Required Can change rule position Active Status Required Whether the rule is active, rule does not operate if in inactive state Status - Status value for the rule Description Optional Additional description written by the user Table. Firewall rule modification detailed itemsCheck the modified rule and click the Complete button.
Deleting Rules
To delete a Firewall rule, follow these steps:
- Click the All Services > Networking > Firewall menu. You will be redirected to the Firewall Service Home page.
- On the Service Home page, click Firewall List. You will be redirected to the Firewall List page.
- On the Firewall List page, click the resource for which you want to modify rules. You will be redirected to the Firewall Details page.
- On the Firewall Details page, click the Rules tab. You will be redirected to the Rules tab page.
- On the Rules tab, click the Modify Rule button. You will be redirected to the Modify Rule page.
- On the Modify Rule page, select the rule to delete and click the Delete button.
- When the deletion request is completed, it is displayed as Delete Scheduled in the changes item.
- You can cancel rule deletion by clicking Cancel Delete.
- On the Modify Rule page, click the Complete button.
Managing Firewall Resources
You can modify the Firewall size and change the log use settings.
Modifying Firewall Size
To modify the Firewall size, follow these steps:
- Click the All Services > Networking > Firewall menu. You will be redirected to the Firewall Service Home page.
- On the Service Home page, click Firewall List. You will be redirected to the Firewall List page.
- On the Firewall List page, click the resource to modify. You will be redirected to the Firewall Details page.
- On the Firewall Details page, click the Edit icon for Size. You will be redirected to the Modify Size popup window.
- In the Modify Size popup window, select the size to modify and click the Confirm button.
Firewall size is provided as Extra Small (rule quota 5) by default, and you can add Firewall rules by changing the Firewall size to use them. In Nuri SCP, the project/region selection distinction has disappeared, so we comment out the following statement. (25.01.24)
- Firewall fees are charged based on Firewall service size and traffic throughput.
Using Log Storage
To store Firewall logs, you must first create a bucket in Object Storage to store logs, set the bucket as the log storage in Firewall Logging, and then set log storage in Firewall details to store Firewall logs in the Object Storage bucket.
- Log storage settings can be checked in Firewall Logging. For more information, refer to Firewall Logging.
- If log storage is set, Object Storage fees for log storage are charged.
To use Firewall log storage, follow these steps:
- Click the All Services > Networking > Firewall menu. You will be redirected to the Service Home page.
- On the Service Home page, click the Firewall menu. You will be redirected to the Firewall List page.
- On the Firewall List page, click the resource (Firewall) to use log storage. You will be redirected to the Firewall Details page.
- On the Firewall Details page, click the Edit icon for Log Storage Status. You will be redirected to the Modify Log Storage Status popup window.
- In the Modify Log Storage Status popup window, select Use for log storage and click the Confirm button.
Setting Log Storage to Not Use
To set Firewall log storage to not use, follow these steps:
- Click the All Services > Networking > Firewall menu. You will be redirected to the Service Home page.
- On the Service Home page, click the Firewall menu. You will be redirected to the Firewall List page.
- On the Firewall List page, click the resource (Firewall) to set log storage to not use. You will be redirected to the Firewall Details page.
- Click the Modify Log Storage Status button. You will be redirected to the Modify Log Storage Status popup window.
- In the Modify Log Storage Status popup window, deselect Use for log storage and click the Confirm button.
- Check the message in the Notification popup window and click the Confirm button.
Setting Firewall to Not Use
The Firewall service cannot be deleted separately. When you delete the prerequisite service, the connected Firewall is also deleted. If you want to maintain the prerequisite service and not use the Firewall, you can change the Firewall to not use status on the Firewall list page.
- If you change the Firewall to not use status, all previously registered rules will be deleted.
- If the connected Firewall has rules when deleting the prerequisite service, you cannot delete it. Delete the Firewall rules before deleting the prerequisite service.
To set Firewall to not use, follow these steps:
- Click the All Services > Networking > Firewall menu. You will be redirected to the Service Home page.
- On the Service Home page, click the Firewall menu. You will be redirected to the Firewall List page.
- On the Firewall List page, click More > Not Use for the resource to switch to not use.
- When the use status change is complete, check whether the resource’s use status has changed to not use on the Firewall List page.
2.1 - Firewall Logging
To store Firewall logs, you must first create a bucket in Object Storage to store the logs, set the bucket as the log storage in Firewall Logging, and then set log storage on the Firewall Details page to store Firewall logs in the Object Storage bucket.
To store Firewall logs, set up according to the following order:
- To store firewall logs, you can create a bucket in Object Storage or use an already created bucket. To create a bucket, refer to Creating Object Storage.
- To set the bucket as the log storage in Firewall Logging, refer to Using Firewall Logging Log Storage.
- To set log storage status to Use in Firewall details, refer to Using Firewall Log Storage.
Setting Up Firewall Logging Log Storage
To set the Firewall log storage status to Use, you must first set the log storage in Firewall Logging.
To set up Firewall Logging log storage, follow these steps:
- Click the All Services > Management > Network Logging > Firewall Logging menu. You will be redirected to the Firewall Logging List page.
- On the Firewall Logging List page, click the Log Storage Settings button at the top. You will be redirected to the Log Storage Settings popup window.
- In the Log Storage Settings popup window, select the Log Storage Bucket. When you select a bucket, the Log Storage Path is displayed.
- In the Log Storage Settings popup window, check the Log Storage Bucket and Log Storage Path, and then click the Confirm button.
- Check the message in the Notification popup window and click the Confirm button.
Viewing Firewall Logging List
When you set the Firewall Logging log storage bucket, you can view the Firewall Logging list.
To view the Firewall Logging list, follow these steps:
- Click the All Services > Management > Network Logging > Firewall Logging menu. You will be redirected to the Firewall Logging List page.
- On the Firewall Logging List page, check the resources in use and log storage targets.
Division Description Resource ID Firewall ID Storage Target Firewall name Storage Registration Date Firewall log storage registration date Table. Firewall Logging list items
Checking Firewall Logging Detailed Content
Refer to the following content to check the detailed content of stored logs.
Stored log example: 2024-10-11T11:23:43,deny,0,17,4.1.1.100,45499,192.168.10.10,53
| Division | Description |
|---|---|
| 2024-10-11T11:23:43 | Date and time when the log occurred (2024-10-11, 11:23:43) |
| deny | Action (deny / accept) |
| 0 | Firewall Rule ID (Policy ID) where the log occurred |
| 17 | IP Protocol ID
|
| 4.1.1.100 | Source IP |
| 45499 | Source Port |
| 192.168.10.10 | Destination IP |
| 53 | Destination Port |
Setting Firewall Logging Log Storage to Not Use
You can set the log storage in Firewall Logging to not use.
To set Firewall Logging log storage to not use, follow these steps:
- Click the All Services > Management > Network Logging > Firewall Logging menu. You will be redirected to the Firewall Logging List page.
- On the Firewall Logging List page, click the Log Storage Settings button at the top. You will be redirected to the Log Storage Settings popup window.
- In the Log Storage Settings popup window, select Not Use for the Log Storage Bucket and click the Confirm button.
- Log storage settings can be changed when there is no log storage target.
- To change the log storage bucket, first change the setting to not use. Then you can change it by setting it to use again.
3 - API Reference
4 - CLI Reference
5 - Release Note
Firewall
- For user convenience, pages for Firewall rule input and modification/deletion have been added. You can perform desired operations by moving to a separate page when managing Firewall rules.
- Firewall rule input method added
- In KR WEST and KR EAST regions, you can enter the destination address in FQDN (Fully Qualified Domain Name) format.
- Firewall rule input method added
- A function to enter the IP protocol has been added.
- Firewall feature added
- You can use Firewall in the Load Balancer service.
- Samsung Cloud Platform common feature changes
- Common CX changes for Account, IAM, Service Home, tags, etc. have been reflected.
- A function to store Firewall logs has been added.
- You can decide whether to store Firewall logs and store logs in Object Storage.
- You can control inbound and outbound traffic occurring in VPC through the Firewall service.
- The Firewall service has been released.