Fast ACLs

Objective

This guide provides instructions on how to configure Volterra Fast Access Control Lists (ACLs). A Fast ACL protects Volterra sites from Denial of Service (DoS) attacks and can be applied to both Customer Edge (CE) sites and Regional Edge (RE) sites. For more information on Volterra sites, see Volterra Site.

Using Volterra Fast ACLs, you can block traffic from a specific source or rate-limit traffic from that source. You can also refine the protection by filtering traffic on source address, source port, destination address, destination port, and protocol.

A Volterra Fast ACL consists of the following three types of objects:

  • Fast ACL Rule - A rule specifies the source to which incoming traffic belongs and the action to take on those packets. The source can be an IP prefix or a prefix set. The action can be allow, reject, or a policer that specifies a rate limit. You can also restrict the rule to a protocol of the source packets by using a protocol policer.
  • Fast ACL - A Fast ACL combines one or more rules and specifies the destination for the packets. You can also specify a protocol for the destination using the policer.
  • Fast ACL Set - A set combines one or more Fast ACLs and is applied on a CE site through the fleet configuration, or on an RE site by giving the set the name fast-acl-set-regional-edge.

Unlike session-based ACLs, where the action is computed only on the first packet of a session, Fast ACL rules are evaluated for every ingress packet. In addition, a Fast ACL selects the matching rule by longest prefix match on the source, which is faster than the ordered evaluation of a traditional ACL: rule order does not matter, the most specific prefix wins.

Note: If none of the rules match, the default action is to forward the packet.


Prerequisites

The following prerequisites apply:

  • Volterra Account

  • A Volterra CE site, if you are applying the fast ACLs to a CE site.

    • Note: If you do not have a site, create one using the instructions in the Create a Site guide.
  • A fleet, if you are applying the fast ACLs to a CE site.

    • Note: See the Create a Fleet guide for instructions on creating a fleet.
  • An application deployed using Volterra vK8s or served using the HTTP load balancer.


Configuration

Applying Fast ACLs for a CE site requires you to associate the Fast ACLs to a fleet in which that CE site is a member. The following image illustrates the sequence of applying Fast ACLs to a CE site:

Figure: Fast ACL Configuration Sequence For CE Site

Applying Fast ACLs to an RE site requires you to create the Fast ACL set with the name fast-acl-set-regional-edge and a Fast ACL whose site type is regional edge. The following image illustrates the sequence of applying Fast ACLs to an RE site:

Figure: Fast ACL Configuration Sequence For RE Site

To create Fast ACLs and apply them to a CE site, you create a Fast ACL set with its ACLs and rules in VoltConsole and apply the set in the network firewall that is associated with a fleet. The fleet label is then applied to the CE site to which you want the Fast ACLs to apply.

Note: You can create and apply fast ACLs and the network firewall as part of fleet creation itself. Alternatively, you can create fast ACLs and apply them to an existing network firewall that is associated with an existing fleet.


Configure Fast ACLs

Configuring fast ACLs for a CE site requires you to create the fast ACLs, apply them to a network firewall, apply the firewall to a fleet, and add the fleet label to the CE site.

For an RE site, creating the Fast ACL rules, Fast ACLs, and Fast ACL set is sufficient. However, the Fast ACL set name must be fast-acl-set-regional-edge.

Note: This example assumes that you have an application provisioned using a Volterra HTTP load balancer and another application deployed using Volterra vK8s.

Step 1: Start Fast ACL set creation.

Log into the VoltConsole and select Security from the configuration menu. Select Advanced -> Fast ACL Sets in the options. Click Add fast ACL set. The Fast ACL set creation form loads.

Figure: Fast ACL Set Creation

Step 2: Add or create a Fast ACL.
  • Click Select ACL list object in the ACL list section. Click Add new Fast ACL in the ACL list configuration form.
  • Enter a name for the fast ACL object and click Configure in the Fast ACL Type section.

Figure: Fast ACL Configuration

Note: The site type is selected as customer edge by default.

  • Configure the Destination section as per the following guidelines:
  • For CE sites, select a destination type for the Select Network field.

Figure: Fast ACL Source Configuration

  • For RE sites, select an option for the Select VIP(s) field. By default, the fast ACL is applied to all public VIPs. You can instead apply it to the tenant VIP, or specify a list of VIPs using the List of Specific VIP(s) option and select them with the Select Public VIP(s) option. Use Add item to specify more than one VIP.

Figure: Fast ACL Destination Configuration

  • Click Configure in the Source section to create a rule.

Step 3: Add or create a Fast ACL rule.

Enter a name for the rule and perform the following steps:

Step 3.1: Configure an action.

Select an action for the Action field as per the following guidelines:

  • Select Simple Action and select Deny or Allow for the Simple Action field. This simply creates a rule that either rejects or allows the traffic from the configured source.
  • Select Policer Action and click Select ref to select and apply a policer. This applies rate limiting for the traffic originating from the configured source.
  • Select Protocol Policer Action and click Select ref to select and apply a protocol policer. This applies rate limiting for the traffic of the specified protocol originating from the configured source. The supported protocols are TCP, UDP, ICMP, and DNS.

Note: Before applying a policer or protocol policer, you must first create it using the Policer or Protocol Policer options in the Security configuration.

Step 3.2: Set a source prefix or prefix set.

Select Prefix or IP prefix set for the Source field. Enter an IP prefix or IP prefix set accordingly using the Prefix or Select ref options. This example adds a prefix using the Prefix option.

Figure: Fast ACL Rule Creation

Click Apply to add the source rules and return to the fast ACL configuration form.

Step 3.3: Set destination IP address for the Fast ACL.

For a CE site, configure the Select Destination IP field as per the following guidelines:

Note: This field is only enabled for CE sites.

  • Select All Interface IP(s) as VIP to set any IP assigned to the interface as the destination VIP.
  • Select Configured VIP(s) to set the configured VIP as the destination.
  • Select All VIP(s) to set all assigned IP addresses of interfaces and configured VIPs as destinations.
  • Select Custom Destination to specify a custom IP address. Click Add item under the IP Address field and enter an IPv4 or IPv6 address as destination for which the fast ACL applies. Optionally specify a port and protocol.

This example sets a destination IP address.

Figure: Fast ACL Destination Configuration

Click Apply to apply the source and destination settings to the fast ACL object. Click Apply again to create the fast ACL and return to the ACL list object selection form.

Step 4: Complete creating the Fast ACL set.
  • Click Select ACL list object in the ACL list screen.
  • Click Save and Exit in the fast ACL set configuration form. This creates the fast ACL set object.

Figure: Fast ACL Set Created

Note: On RE sites, rules can overlap for the following reasons:

  • The ves.io tenant and a non-ves.io tenant create rules for the same destination.
  • The ves.io tenant creates rules for a subnet that contains a destination IP configured by the non-ves.io tenant.

Conflicts caused by such overlaps are resolved as follows:

  • Any rule whose action is DENY has the highest priority, irrespective of tenant.
  • If the action is not DENY, rules from the ves.io tenant take priority over those of the non-ves.io tenant.
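The following Python model is an added illustration, not Volterra's code or API: it shows how the rule-selection semantics stated in this guide play out for individual packets, namely per-packet evaluation with longest-prefix match on the source (so rule order does not matter), forwarding by default when nothing matches, and the RE overlap resolution above (any DENY wins, otherwise the ves.io tenant's rule wins). The class names, the tenant label "ves.io", the tie-break on the most specific source prefix when rules still conflict, and all sample prefixes and policer names are constructed for the example.

```python
# Added illustration (not Volterra's implementation) of Fast ACL rule selection.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network, IPv4Network, IPv6Network
from typing import List, Optional, Tuple, Union

Network = Union[IPv4Network, IPv6Network]
VES_TENANT = "ves.io"   # assumption: label used to model ves.io tenant priority


@dataclass(frozen=True)
class Rule:
    source: Network   # Fast ACL Rule source prefix
    action: str       # "allow", "deny", or a policer label such as "policer:1000pps"


@dataclass
class FastAcl:
    name: str
    tenant: str
    destination: Network              # destination (VIP or subnet) the ACL protects
    rules: List[Rule] = field(default_factory=list)


def lookup_source(acl: FastAcl, src: str) -> Optional[Rule]:
    """Longest-prefix match on the packet source; rule order is irrelevant."""
    addr = ip_address(src)
    candidates = [r for r in acl.rules if addr in r.source]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r.source.prefixlen)


def evaluate(acls: List[FastAcl], src: str, dst: str) -> str:
    """Action applied to one packet; every packet is evaluated, no session cache."""
    dst_addr = ip_address(dst)
    matched: List[Tuple[str, Rule]] = []
    for acl in acls:
        if dst_addr not in acl.destination:
            continue
        rule = lookup_source(acl, src)
        if rule is not None:
            matched.append((acl.tenant, rule))
    if not matched:
        return "forward"   # no rule matched: default action is to forward
    # RE overlap resolution: DENY has the highest priority irrespective of tenant.
    if any(r.action == "deny" for _, r in matched):
        return "deny"
    # Otherwise rules from the ves.io tenant take priority over other tenants.
    ves_rules = [r for t, r in matched if t == VES_TENANT]
    pool = ves_rules or [r for _, r in matched]
    # Remaining tie-break by the most specific source prefix (assumption).
    return max(pool, key=lambda r: r.source.prefixlen).action


# Constructed sample: a non-ves.io tenant protects one VIP, while the ves.io
# tenant has rules for the subnet that contains that VIP.
SAMPLE_ACLS = [
    FastAcl("tenant-acl", "acme", ip_network("203.0.113.10/32"), [
        Rule(ip_network("198.51.100.0/24"), "deny"),
        Rule(ip_network("198.51.100.8/29"), "allow"),      # more specific: wins LPM
        Rule(ip_network("0.0.0.0/0"), "policer:1000pps"),  # catch-all rate limit
    ]),
    FastAcl("ves-acl", VES_TENANT, ip_network("203.0.113.0/24"), [
        Rule(ip_network("198.51.100.0/24"), "allow"),
        Rule(ip_network("192.0.2.0/24"), "deny"),
    ]),
]

if __name__ == "__main__":
    for src, dst in [("198.51.100.9", "203.0.113.10"),    # /29 allow beats /24 deny
                     ("198.51.100.200", "203.0.113.10"),  # tenant deny beats ves allow
                     ("192.0.2.5", "203.0.113.10"),       # ves deny beats policer
                     ("10.0.0.1", "203.0.113.10"),        # only the catch-all policer
                     ("10.0.0.1", "203.0.113.50")]:       # nothing matches: forward
        print(f"{src} -> {dst}: {evaluate(SAMPLE_ACLS, src, dst)}")
```

The first sample packet is the point of the longest-prefix-match note earlier in this guide: the /29 allow rule is listed after the /24 deny rule but still wins inside the tenant's own ACL, and only then does the cross-tenant DENY-wins check run.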

Apply Fast ACLs to a Site

Fast ACLs created for a CE site require you to add the fast ACL to the network firewall associated with the fleet that includes that CE site. See Create a Fleet for information on fleet creation and Network Firewall for information on firewall creation. This example shows how to apply a fast ACL to an existing firewall associated with a fleet of sites.

Note: Fast ACLs created for RE sites do not require any further action.

To enable fast ACLs for a CE site, perform the following actions:

  • Navigate to Security -> Firewall -> Network Firewall. Click ... -> Edit for your firewall that is part of the fleet to which your site belongs.
  • Go to the fast ACL section in the firewall configuration and select Active Fast ACL(s) or Fast ACL Set(Legacy) for the Select Fast ACL Configuration field. Select a fast ACL or fast ACL set accordingly from the displayed selection field. This example selects an existing fast ACL.

Figure: Apply Fast ACL to Network Firewall

  • Click Save and Exit.
