docs/en-US/egress-firewall-rule.xml - cloudstack - Git at Google

 <?xml version='1.0' encoding='utf-8' ?>
 <!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
 <!ENTITY % BOOK_ENTITIES SYSTEM "cloudstack.ent">
 %BOOK_ENTITIES;
 ]>
 <!-- Licensed to the Apache Software Foundation (ASF) under one
   or more contributor license agreements.  See the NOTICE file
   distributed with this work for additional information
   regarding copyright ownership.  The ASF licenses this file
   to you under the Apache License, Version 2.0 (the
   "License"); you may not use this file except in compliance
   with the License.  You may obtain a copy of the License at
   http://www.apache.org/licenses/LICENSE-2.0
   Unless required by applicable law or agreed to in writing,
   software distributed under the License is distributed on an
   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
   KIND, either express or implied.  See the License for the
   specific language governing permissions and limitations
   under the License.
 -->
 <section id="egress-firewall-rule">
   <title>Creating Egress Firewall Rules in an Advanced Zone</title>
   <note>
     <para>The egress firewall rules are supported only on virtual routers.</para>
   </note>
   <para/>
   <para>The egress traffic originates from a private network to a public network, such as the
     Internet. By default, the egress traffic is blocked, so no outgoing traffic is allowed from a
     guest network to the Internet. However, you can control the egress traffic in an Advanced zone
     by creating egress firewall rules. When an egress firewall rule is applied, the traffic specific
     to the rule is allowed and the remaining traffic is blocked. When all the firewall rules are
     removed the default policy, Block, is applied.</para>
   <para>Consider the following scenarios to apply egress firewall rules:</para>
   <itemizedlist>
     <listitem>
       <para>Allow the egress traffic from specified source CIDR. The Source CIDR is part of guest
         network CIDR.</para>
     </listitem>
     <listitem>
       <para>Allow the egress traffic with destination protocol TCP,UDP,ICMP, or ALL.</para>
     </listitem>
     <listitem>
       <para>Allow the egress traffic with destination protocol and port range. The port range is
         specified for TCP, UDP or for ICMP type and code.</para>
     </listitem>
   </itemizedlist>
   <para>To configure an egress firewall rule:</para>
   <orderedlist>
     <listitem>
       <para>Log in to the &PRODUCT; UI as an administrator or end user. </para>
     </listitem>
     <listitem>
       <para>In the left navigation, choose Network.</para>
     </listitem>
     <listitem>
       <para>In Select view, choose Guest networks, then click the Guest network you want.</para>
     </listitem>
     <listitem>
       <para>To add an egress rule, click the Egress rules tab and fill out the following fields to
         specify what type of traffic is allowed to be sent out of VM instances in this guest
         network:</para>
       <mediaobject>
         <imageobject>
           <imagedata fileref="./images/egress-firewall-rule.png"/>
         </imageobject>
         <textobject>
           <phrase>egress-firewall-rule.png: adding an egress firewall rule</phrase>
         </textobject>
       </mediaobject>
       <itemizedlist>
         <listitem>
           <para><emphasis role="bold">CIDR</emphasis>: (Add by CIDR only) To send traffic only to
             the IP addresses within a particular address block, enter a CIDR or a comma-separated
             list of CIDRs. The CIDR is the base IP address of the destination. For example,
             192.168.0.0/22. To allow all CIDRs, set to 0.0.0.0/0.</para>
         </listitem>
         <listitem>
           <para><emphasis role="bold">Protocol</emphasis>: The networking protocol that VMs uses to
             send outgoing traffic. The TCP and UDP protocols are typically used for data exchange
             and end-user communications. The ICMP protocol is typically used to send error messages
             or network monitoring data.</para>
         </listitem>
         <listitem>
           <para><emphasis role="bold">Start Port, End Port</emphasis>: (TCP, UDP only) A range of
             listening ports that are the destination for the outgoing traffic. If you are opening a
             single port, use the same number in both fields.</para>
         </listitem>
         <listitem>
           <para><emphasis role="bold">ICMP Type, ICMP Code</emphasis>: (ICMP only) The type of
             message and error code that are sent.</para>
         </listitem>
       </itemizedlist>
     </listitem>
     <listitem>
       <para>Click Add.</para>
     </listitem>
   </orderedlist>
 </section>
	<?xml version='1.0' encoding='utf-8' ?>
	<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
	<!ENTITY % BOOK_ENTITIES SYSTEM "cloudstack.ent">
	%BOOK_ENTITIES;
	]>
	<!-- Licensed to the Apache Software Foundation (ASF) under one
	or more contributor license agreements. See the NOTICE file
	distributed with this work for additional information
	regarding copyright ownership. The ASF licenses this file
	to you under the Apache License, Version 2.0 (the
	"License"); you may not use this file except in compliance
	with the License. You may obtain a copy of the License at
	http://www.apache.org/licenses/LICENSE-2.0
	Unless required by applicable law or agreed to in writing,
	software distributed under the License is distributed on an
	"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
	KIND, either express or implied. See the License for the
	specific language governing permissions and limitations
	under the License.
	-->
	<section id="egress-firewall-rule">
	<title>Creating Egress Firewall Rules in an Advanced Zone</title>
	<note>
	<para>The egress firewall rules are supported only on virtual routers.</para>
	</note>
	<para/>
	<para>The egress traffic originates from a private network to a public network, such as the
	Internet. By default, the egress traffic is blocked, so no outgoing traffic is allowed from a
	guest network to the Internet. However, you can control the egress traffic in an Advanced zone
	by creating egress firewall rules. When an egress firewall rule is applied, the traffic specific
	to the rule is allowed and the remaining traffic is blocked. When all the firewall rules are
	removed the default policy, Block, is applied.</para>
	<para>Consider the following scenarios to apply egress firewall rules:</para>
	<itemizedlist>
	<listitem>
	<para>Allow the egress traffic from specified source CIDR. The Source CIDR is part of guest
	network CIDR.</para>
	</listitem>
	<listitem>
	<para>Allow the egress traffic with destination protocol TCP,UDP,ICMP, or ALL.</para>
	</listitem>
	<listitem>
	<para>Allow the egress traffic with destination protocol and port range. The port range is
	specified for TCP, UDP or for ICMP type and code.</para>
	</listitem>
	</itemizedlist>
	<para>To configure an egress firewall rule:</para>
	<orderedlist>
	<listitem>
	<para>Log in to the &PRODUCT; UI as an administrator or end user. </para>
	</listitem>
	<listitem>
	<para>In the left navigation, choose Network.</para>
	</listitem>
	<listitem>
	<para>In Select view, choose Guest networks, then click the Guest network you want.</para>
	</listitem>
	<listitem>
	<para>To add an egress rule, click the Egress rules tab and fill out the following fields to
	specify what type of traffic is allowed to be sent out of VM instances in this guest
	network:</para>
	<mediaobject>
	<imageobject>
	<imagedata fileref="./images/egress-firewall-rule.png"/>
	</imageobject>
	<textobject>
	<phrase>egress-firewall-rule.png: adding an egress firewall rule</phrase>
	</textobject>
	</mediaobject>
	<itemizedlist>
	<listitem>
	<para><emphasis role="bold">CIDR</emphasis>: (Add by CIDR only) To send traffic only to
	the IP addresses within a particular address block, enter a CIDR or a comma-separated
	list of CIDRs. The CIDR is the base IP address of the destination. For example,
	192.168.0.0/22. To allow all CIDRs, set to 0.0.0.0/0.</para>
	</listitem>
	<listitem>
	<para><emphasis role="bold">Protocol</emphasis>: The networking protocol that VMs uses to
	send outgoing traffic. The TCP and UDP protocols are typically used for data exchange
	and end-user communications. The ICMP protocol is typically used to send error messages
	or network monitoring data.</para>
	</listitem>
	<listitem>
	<para><emphasis role="bold">Start Port, End Port</emphasis>: (TCP, UDP only) A range of
	listening ports that are the destination for the outgoing traffic. If you are opening a
	single port, use the same number in both fields.</para>
	</listitem>
	<listitem>
	<para><emphasis role="bold">ICMP Type, ICMP Code</emphasis>: (ICMP only) The type of
	message and error code that are sent.</para>
	</listitem>
	</itemizedlist>
	</listitem>
	<listitem>
	<para>Click Add.</para>
	</listitem>
	</orderedlist>
	</section>