This guide provides instructions on how to configure Volterra Fast Access Control Lists (ACLs). A Fast ACL protects Volterra sites from Denial of Service (DoS) attacks and can be applied to both Customer Edge (CE) sites and Regional Edge (RE) sites. For more information on Volterra sites, see Volterra Site.
Using Volterra Fast ACLs, you can block traffic from a specific source or apply a rate limit to traffic from a specific source. You can also refine the protection by filtering traffic on source address, source port, destination address, destination port, and protocol.
The Volterra Fast ACL consists of the following three types of objects:
- Fast ACL Rule - A rule specifies the source to which incoming traffic belongs and the action for those packets. The source can be an IP prefix or a prefix set. The action can be allow, reject, or a policer specifying a rate limit. You can also specify the protocol of the source packets using the policer.
- Fast ACL - The Fast ACL object combines one or more rules and specifies the destination for the packets. You can also specify the protocol for the destination using the policer.
- Fast ACL Set - The set combines one or more Fast ACLs and is applied on a CE using the fleet configuration, or on an RE by using the name fast-acl-set-regional-edge for the set.
Unlike session-based ACLs, where the action is computed only on the first packet of a session, Fast ACL rules are evaluated for every ingress packet. The Fast ACL also selects the matching source by longest prefix match, which is faster than a traditional ACL, where rules are evaluated in order.
Note: If none of the rules match, the default action is to forward the packet.
The following prerequisites apply:
- A Volterra account.
  Note: If you do not have an account, see Create a Volterra Account.
- A Volterra CE site, if you are applying the fast ACLs on a CE site.
  Note: If you do not have a site, create a site using the instructions included in the Create a Site guide.
- A fleet, if you are applying the fast ACLs on a CE site.
  Note: See the Create Fleet guide for instructions on creating a fleet.
- An application deployed using Volterra vK8s or served using the HTTP load balancer.
Applying Fast ACLs to a CE site requires you to associate the Fast ACLs with a fleet in which that CE site is a member. The following image illustrates the sequence of applying Fast ACLs to a CE site:
Applying Fast ACLs to an RE site requires you to create the Fast ACL set with the name fast-acl-set-regional-edge and a Fast ACL with the site type set to regional edge. The following image illustrates the sequence of applying Fast ACLs to an RE site:
Creating Fast ACLs and applying them to a CE site requires you to create a Fast ACL set with the ACL and rules in VoltConsole and apply it in the network firewall that is associated with a fleet. The fleet label is then applied to the CE site to which you want to apply the Fast ACLs.
Note: You can create and apply fast ACLs and the network firewall as part of fleet creation itself. Alternatively, you can create fast ACLs and apply them to an existing network firewall that is associated with an existing fleet.
Configure Fast ACLs
Configuring fast ACLs for a CE site requires you to create the fast ACLs, apply them to a network firewall, apply the firewall to a fleet, and add the fleet label to the CE site.
In the case of an RE site, creating the Fast ACL rules, Fast ACLs, and Fast ACL set is sufficient. However, the Fast ACL set name must be configured as fast-acl-set-regional-edge.
Note: This example assumes that you have an application provisioned using a Volterra HTTP load balancer and another application deployed using Volterra vK8s.
Step 1: Start Fast ACL set creation.
Log into VoltConsole and select Security from the configuration menu. Select Fast ACL Sets in the options. Click Add fast ACL set. The Fast ACL set creation form loads.
Step 2: Add or create a Fast ACL.
Select ACL list object in the ACL list section. Click Add new Fast ACL in the ACL list configuration form.
- Enter a name for the fast ACL object and select the site type in the Fast ACL Type section.
  Note: The site type is selected as customer edge by default.
- Configure the Destination section as per the following guidelines:
  - Select a destination type for the Select Network field for CE sites.
  - Select an option for the Select VIP(s) field for RE sites. By default, the fast ACL is applied to all public VIPs. You can instead apply it to the tenant VIP, or specify a list of VIPs using the List of Specific VIP(s) option; select VIPs using the Select Public VIP(s) option and use Add item to specify more than one VIP.
- Create a rule in the Source section.
Step 3: Add or create a Fast ACL rule.
Enter a name for the rule and perform the following steps:
Step 3.1: Configure an action.
Select an action for the Action field as per the following guidelines:
- Select Simple Action and choose the allow or reject option in the Simple Action field. This creates a rule that either rejects or allows the traffic from the configured source.
- Select Policer Action and click Select ref to select and apply a policer. This applies rate limiting to the traffic originating from the configured source.
- Select Protocol Policer Action and click Select ref to select and apply a protocol policer. This applies rate limiting to the traffic of the specified protocol originating from the configured source. The supported protocols are TCP, UDP, ICMP, and DNS.
Note: Before applying a policer or protocol policer, you must first create it using the respective Policer or Protocol Policer options.
Step 3.2: Set a source prefix or prefix set.
Select IP prefix or IP prefix set for the Source field, and enter an IP prefix or select an IP prefix set accordingly using the Select ref options. This example adds an IP prefix. Click Apply to add the source rule and return to the fast ACL configuration form.
Step 3.3: Set the destination IP address for the Fast ACL.
Set the Select Destination IP field as per the following guidelines for a CE site:
Note: This field is only enabled for CE sites.
- All Interface IP(s) as VIP to set any IP assigned to the interface as the destination VIP.
- Configured VIP(s) to set the configured VIP as the destination.
- All VIP(s) to set all assigned IP addresses of interfaces and configured VIPs as destinations.
- Custom Destination to specify a custom IP address. Click Add item under the IP Address field and enter an IPv4 or IPv6 address as the destination for which the fast ACL applies. Optionally specify a port and protocol.
This example sets a destination IP address. Click Apply to apply the source and destination settings to the fast ACL object. Click Apply again to create the fast ACL and return to the ACL list object selection form.
Step 4: Complete creating the Fast ACL set.
Select ACL list object in the ACL list screen. Click Save and Exit in the fast ACL set configuration form. This creates the fast ACL set object.
Note: In the case of RE sites, rules can overlap for the following reasons:
- The ves.io tenant and a non-ves.io tenant create rules for the same destination.
- The ves.io tenant creates rules for a subnet that contains a destination IP configured by a non-ves.io tenant.
The conflict caused by such overlap is resolved as follows:
- Any rule whose action is DENY has the highest priority, irrespective of tenant.
- If the action is not DENY, rules from the ves.io tenant get priority over those of the non-ves.io tenant.
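The evaluation model described in the introduction (every ingress packet is evaluated, the source is chosen by longest prefix match, and unmatched packets are forwarded) and the RE overlap tie-break in the note above, shown as an added Python model. This is illustration code written for this guide, not Volterra's implementation: the Rule, FastACL and Policer classes, the action values "allow", "reject" and Policer (the guide's DENY is modelled as "reject"), the tenant field and the sample addresses are all assumptions constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Union

# Added illustration, not Volterra code: a toy model of Fast ACL evaluation.
# Object names and action values are assumptions chosen to mirror the guide.


@dataclass(frozen=True)
class Policer:
    """Rate-limit action; pps is a constructed packets-per-second budget."""
    pps: int


Action = Union[str, Policer]  # "allow", "reject" (the guide's DENY) or a Policer


@dataclass(frozen=True)
class Rule:
    """Fast ACL Rule: a source prefix and the action for packets from it."""
    name: str
    source: str            # IP prefix, e.g. "10.0.0.0/8"
    action: Action
    tenant: str = "demo"   # only used by the RE overlap tie-break below

    @property
    def network(self):
        return ipaddress.ip_network(self.source, strict=False)


@dataclass
class FastACL:
    """Fast ACL: rules plus the destination (IP/prefix, optional port, protocol)."""
    name: str
    destination: str
    rules: List[Rule] = field(default_factory=list)
    port: Optional[int] = None
    protocol: Optional[str] = None

    def covers(self, dst_ip: str, dst_port: Optional[int], protocol: Optional[str]) -> bool:
        dst_net = ipaddress.ip_network(self.destination, strict=False)
        if ipaddress.ip_address(dst_ip) not in dst_net:
            return False
        if self.port is not None and self.port != dst_port:
            return False
        return self.protocol is None or self.protocol == protocol


def longest_prefix_rule(rules: List[Rule], src_ip: str) -> Optional[Rule]:
    """Pick the rule whose source prefix is the most specific match for src_ip.
    Rule order is irrelevant, unlike an ordered traditional ACL."""
    src = ipaddress.ip_address(src_ip)
    best: Optional[Rule] = None
    for rule in rules:
        net = rule.network
        if src.version != net.version or src not in net:
            continue
        if best is None or net.prefixlen > best.network.prefixlen:
            best = rule
    return best


def evaluate(acls: List[FastACL], src_ip: str, dst_ip: str,
             dst_port: Optional[int] = None, protocol: Optional[str] = None) -> Action:
    """Per-packet lookup (no session state). Returns the matched rule's action;
    when no ACL or rule matches, the packet is forwarded ("allow")."""
    for acl in acls:
        if not acl.covers(dst_ip, dst_port, protocol):
            continue
        rule = longest_prefix_rule(acl.rules, src_ip)
        if rule is not None:
            return rule.action
    return "allow"  # default action: forward the packet


def resolve_overlap(candidates: List[Rule]) -> Action:
    """RE tie-break for overlapping rules from different tenants, as stated in
    the note above: any reject (DENY) wins regardless of tenant; otherwise a
    ves.io tenant rule takes priority over a non-ves.io tenant rule."""
    if any(r.action == "reject" for r in candidates):
        return "reject"
    for r in candidates:
        if r.tenant == "ves.io":
            return r.action
    return candidates[0].action


# Constructed sample: one ACL protecting a web VIP, with overlapping sources.
WEB_ACL = FastACL("web-vip", "203.0.113.10", rules=[
    Rule("corp", "10.0.0.0/8", "allow"),
    Rule("bad-subnet", "10.1.2.0/24", "reject"),          # more specific than /8
    Rule("scanners", "198.51.100.0/24", Policer(pps=100)),
])

if __name__ == "__main__":
    for src in ("10.1.2.7", "10.9.9.9", "198.51.100.5", "192.0.2.1"):
        print(src, "->", evaluate([WEB_ACL], src, "203.0.113.10"))
```

resolve_overlap is kept separate from evaluate because the guide does not state how the tenant tie-break combines with the prefix lookup; it applies only to the candidate rules you pass in. The sample shows the practical consequence of longest prefix match: the /24 reject wins over the /8 allow regardless of the order in which the rules were entered.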
Apply Fast ACLs to a Site
Fast ACLs created for a CE site require you to add the fast ACL to the network firewall associated with the fleet that includes that CE site. See Create a Fleet for information on fleet creation and Network Firewall for information on firewall creation. This example shows how to apply a fast ACL to an existing firewall associated with a fleet of sites.
Note: Fast ACLs created for RE sites do not require any further action.
To enable fast ACLs for a CE site, perform the following actions:
- Navigate to Network Firewall. Click Edit for your firewall that is part of the fleet to which your site belongs.
- Go to the fast ACL section in the firewall configuration and select Active Fast ACL(s) or Fast ACL Set (Legacy) for the Select Fast ACL Configuration field. Select a fast ACL or fast ACL set accordingly from the displayed selection field. This example selects an existing fast ACL.
- Click Save and Exit.