Design: ESX firewall approach

[hickeng]

We currently have the following issues with configuration of the ESX firewall:

• changes made without a VIB are non-persistent
• updates must be made to every ESX host in the cluster manually
• hosts added to the cluster after vic-machine create may not have appropriate configuration for existing VCHs (same issue if a host with non-persistent config is restarted)
• having a host without an appropriate firewall configuration is not handled well

Additionally customers may have firewall appliances that require more precise detail:

• origin address
• destination port
• destination IP

There are a couple of options that we should investigate:

• [x] using an existing open port in ESX - needs to address 6.0 and 6.5
• [x] configure firewall using signed VIB (requires generation, signing and packaging of VIB)
• [ ] get a port assigned to us in subsequent ESX releases
• [ ] shift away from using connection from management network (vSocket/VMCI approach).

Notes:

• The VMCI approach is a significant amount of work but is the direction in which we are heading so should be mentioned. This should not be investigated in depth in this issue, but is something that the owner should be aware of. Extremely basic details are here

[andrewtchin]

For existing firewall configs there is a rule we can enable that would open all outbound ports - we should be able to do this through vic-machine (with user confirmation) using https://github.com/vmware/govmomi/blob/master/object/host_firewall_system.go For users who don't want all outbound ports open we can provide a VIB that they install that opens our specific port This will allow users to make the choice for their firewall config based on their policies and be much better UX than our current guidelines Future releases that have our VIC specific ruleset in the default config could also be done through vic-machine