Type, indicating the direction (inbound or outbound)
A priority (101–65,000 for user ranges)
Action (allow or deny)
For example, consider the following policy:
Name: InternetRDP
Source Address: Internet
Source Port: 3389
Destination Address: 10.1.2.0/24
Destination Port: 3389
Protocol: TCP
Type: Inbound
Priority: 105
Action: Allow
This policy allows RDP traffic inbound to subnet 10.1.2.0/24 from the Internet.
(Internet is a special tag I cover later in this section.) You would apply this policy to
the 10.1.2.0/24 virtual subnet. All other traffic inbound from the Internet would be
blocked because there are default inbound and outbound rules indicating the
following:
Allow all inbound and outbound traffic within the virtual network (which is the
known connected address space).
Allow inbound communication from the SLB.
Allow outbound communication to the Internet.
Block all other types of inbound and outbound traffic.
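The InternetRDP policy expressed as a Network Controller ACL and attached to its subnet, as an added example that is not from the book. It uses the cmdlets and object types of the NetworkController PowerShell module; the REST endpoint, the virtual network resource ID and the ACL resource ID are placeholders. One deliberate deviation from the listing above: the source port range is left open, because an RDP client connects from an ephemeral port and it is the destination port 3389 that identifies the traffic.

```powershell
# Added example: build the InternetRDP rule, wrap it in an ACL resource and attach
# the ACL to the 10.1.2.0/24 subnet through the Network Controller REST API.
Import-Module NetworkController

$uri = 'https://nc.contoso.local'   # placeholder: Network Controller REST endpoint

# Rule properties, matching the policy fields one for one.
$rdp = New-Object Microsoft.Windows.NetworkController.AclRuleProperties
$rdp.Protocol                 = 'TCP'
$rdp.SourcePortRange          = '0-65535'    # clients use ephemeral source ports
$rdp.DestinationPortRange     = '3389'
$rdp.SourceAddressPrefix      = 'Internet'   # special tag covered later in the section
$rdp.DestinationAddressPrefix = '10.1.2.0/24'
$rdp.Type                     = 'Inbound'
$rdp.Priority                 = '105'        # user range 101-65,000; overrides the 65,000+ defaults
$rdp.Action                   = 'Allow'
$rdp.Logging                  = 'Enabled'    # log hits so the rule's use can be reviewed

$rdpRule = New-Object Microsoft.Windows.NetworkController.AclRule
$rdpRule.ResourceId = 'InternetRDP'
$rdpRule.Properties = $rdp

# The ACL resource holds the rule set; the default rules stay in force beneath it.
$aclProps = New-Object Microsoft.Windows.NetworkController.AccessControlListProperties
$aclProps.AclRules = @($rdpRule)

$acl = New-NetworkControllerAccessControlList -ConnectionUri $uri `
           -ResourceId 'Subnet-10-1-2-ACL' -Properties $aclProps -Force

# Attach the ACL to the subnet rather than to individual vmNICs.
# 'VNet1' is a placeholder virtual network resource ID.
$vnet   = Get-NetworkControllerVirtualNetwork -ConnectionUri $uri -ResourceId 'VNet1'
$subnet = $vnet.Properties.Subnets |
          Where-Object { $_.Properties.AddressPrefix -eq '10.1.2.0/24' }
$subnet.Properties.AccessControlList = $acl

New-NetworkControllerVirtualNetwork -ConnectionUri $uri -ResourceId $vnet.ResourceId `
           -Properties $vnet.Properties -Force

# Check: read the ACL back and print each rule so the deployed policy can be verified.
$deployed = Get-NetworkControllerAccessControlList -ConnectionUri $uri -ResourceId 'Subnet-10-1-2-ACL'
$deployed.Properties.AclRules | ForEach-Object {
    '{0}: {1} {2} {3}:{4} -> {5}:{6} priority {7} {8}' -f $_.ResourceId,
        $_.Properties.Type, $_.Properties.Protocol,
        $_.Properties.SourceAddressPrefix, $_.Properties.SourcePortRange,
        $_.Properties.DestinationAddressPrefix, $_.Properties.DestinationPortRange,
        $_.Properties.Priority, $_.Properties.Action
}
```

Because only an allow rule for TCP/3389 is added, everything else inbound from the Internet to 10.1.2.0/24 still falls through to the default block rule, which is the behaviour the text describes; extra tiers would get their own ACL resources with deny rules in the user priority range attached to their own subnets.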
These default rules all have low priorities (65,000 and above), which means that you
can override them with your own policies, which would have a higher priority and take
precedence. Consider Figure 3.36, which shows a typical three-tier application. Here
only the frontend tier should be able to communicate with the Internet, while the
other tiers are blocked. The frontend tier can communicate only with the middle tier
and not directly with the backend tier. The backend tier can communicate only with the
middle tier. This can be enforced by creating a set of policies and applying them to the
subnets. It should be noted that although I talk about applying ACLs to a subnet, it is
also possible to assign a policy directly to a specific vmNIC. However, this gets
complicated to manage. It is therefore a best practice to assign policies to the subnet
and the Network Controller, which will then deploy the policies to the VMSwitch
connected to the various vmNICs where the policies are enforced. If you apply policies
to the subnet and the vmNIC, the subnet policies are applied first and then the vmNIC