NSX Edge Gateway Service

Owned by Matteo Iacovitti
Feb 04, 2019

The Edge Gateway is a virtual router accessible by clients’ VMs. The Edge can utilize firewall and NAT rules, IPSec and SSL VPN, and load balancers.

Each Org vDC can have multiple Edge gateways, and each Edge Gateway can be connected to a routed org network.


The Edge Gateway screen has three sub-sections:

  • Edge Information – Name, size, status, and Gateway IP. For convenience, a hyperlink is provided for the Edge connected org vDC.
  • Edge Management – Modify the Edge name, enable/disable features, and view log details.
  • Edge Features – Add firewall and NAT rules, create VPN’s and set up load balancers.

FIREWALL RULES

Firewall Rules help control traffic over the network by allowing and denying packets. The client can create rules that allow or block certain ports going to and from IPs or VMs. The Firewall table displays each rule in use, along with the rule’s name, source, destination IP or VM, which ports are affected, and if traffic is being allowed or blocked.

To create a new rule, click the “Add” button to open the “Add a Firewall” modal.

There are four parts to creating a new firewall rule:

  1. Name – Choose a name for the rule
  2. Action – Will the rule block or accept packets.
  3. Source and destination – Set VMs or IP Addresses as the source and destination
  4. Ports – Select the ports that apply to the rule. If set to any, it will look at all ports.

Once completed, click “Submit”. The rule will be added to the Edge in order based on:

  • Default Accept All Rule
  • User Defined Rules
  • Default Deny all Rule

NAT RULES

Network Address Translation (NAT) is a method of remapping one IP address to another. You can create both a Source NAT (SNAT) rule or a Destination NAT (DNAT) rule.

To create a SNAT rule click on the “Add SNAT” button to open the “Add SNAT Rule” modal.

Select which external network the traffic will translate on, and the original and translated addresses.  Also, select if the rule is enabled or disabled, and if it is logging all Edge related events. Click “Submit” once completed.


To create a DNAT rule, click on the “Add a DNAT” button to open the “Add DNAT Rule” modal.

Select which external network the traffic will translate on, the protocol type (TCP, UDP, ICMP, or ANY), and the original and translated IP addresses and ports.  Also, select if the rule is enabled or disabled, and if you want the Edge to log all events. Click “Submit” once completed.

CERTIFICATES

Certificates are used to setup SSL authentication with IPSec and SSL VPN. Hyalto supports service certificates, private key, certificate authority, and certificate revoke lists.  Certificates must be in PEM format to upload. To add a certificate, click on one of the three buttons. You can either upload a .pem file or paste the PEM formatted certificate in the text window. Click “Submit” when you’re ready to upload.

IPSEC VPN

IPSec VPN allows two Gateways (Edge or others) to connect via a VPN tunnel using the IPSec protocol.

There are three sections to IPSec VPN:

  • Global and Logging Configuration – Global settings are stored here, as are any certificates uploaded.
  • IPSec VPN Sites – Displays all VPN tunnel sites created.
  • IPSec Statistics – VPN tunnel information as well as the current tunnel status.

To create a VPN Site, click on the “IPSec VPN Sites” Tab, followed by the “Add Site” Button. This will open the “Add Site” modal.

Name the site and fill in local and peer details.

  • Local: The ID and IP are the Edge Gateway IP. The Local Subnet is the network you want the Peer user to use in CIDR format (i.e. 192.168.0.0/24).
  • Peer: The ID and IP are the Peer’s Gateway IP. The Peer Subnet is the network you want the Local user to use in CIDR format (i.e. 192.168.1.0/24).

Note: The subnets MUST be different, or an IP overlapping error will occur.

The final step is to select an encryption algorithm and which DH Group to utilize. For authentication, you can choose a Pre-Shared Key (PSK) or a certificate. The PSK must be an alphanumeric string that both sites use. Click the Enable button, then click submit to create the site. Once the site is created, you must enable the IPsec VPN service status under the Global and Logging Configuration Tab. This will enable the VPN Services.

If you click on the IPSec Statistics, you may notice that even though you’ve created the VPN site, the status shows DOWN. This is because the site cannot find the peer site. In this case, you will have to create an IPSec VPN site on the peer system, whether it’s another Edge (reverse the Local/Peer ID’s, IP’s and Subnets and use the same PSK if you're using one) or another Gateway. Once the peer site is up, you will see the status display as UP in the statistics. The tunnel is now enabled.

SSL-VPN

SSL VPN lets you create a VPN tunnel using the SSL protocol. There are several sections to the SSL VPN, and each must have at least one entry for the SSL VPN to function.

Here are the sections in summary:

  • General Settings - General settings hold the basic settings of the SSL VPN including session timeout, idle timeout, and other options. There is also a client notification text box which can send the client a message if their session times out.
  • Client Configuration - The VPN client options allow you to set up a full or split tunnel, set a default Gateway IP, auto connect if the VPN goes down, etc.
  • Users - Users allow you to create the VPN clients.
  • IP Pools - IP Pool is the network the VPN client will acquire when connected to the SSL VPN.
  • Installation Package - Installation package allows you to create the VPN client app to install on a Desktop.
  • Private Networks - Private Networks are the networks VPN clients have at their disposal.
  • Authentication - Authentication allows you to set up password rules for VPN clients. Each value must be set before you enable the password policy.
  • Server Settings - Once properties are set, you can enable the SSL VPN in the server settings. Before the process can be complete you must select the Gateway IP, optional port and at least one encryption method.

LOAD BALANCERS

Load balancers enable network traffic to follow multiple paths to a specific destination.  They distribute incoming service requests evenly among multiple virtual servers.

There are several sections related to Load Balancers. They are:

  • Application Profiles - Application profiles define the type of traffic your application is expecting.  You can set up the profile using the TCP, HTTP, HTTPS, or UDP protocol, and select different persistence methods.
  • Services Monitoring - Service monitors watch load balancers and traffic between the load balancers and servers to make sure everything is UP. By default, the load balancer has a monitor for TCP, HTTP, and HTTPS traffic.
  • Pools - Pools contain the list of IP addresses for load balanced servers.
  • Application Rules - Application rules allow you to specify HTTP/HTTPS redirection.
  • Virtual Servers - The Virtual Server (VS) is the point of entry for load-balanced traffic.
  • Global Configuration - Click on “Enable”, then “Save Settings” to start the load balancer. Other options you can set include logging, log level, and enabling acceleration.