Introducing Packet Filtering on Megaport Cloud Router
By Ryan Tucker, Solutions Architect
Megaport Cloud Router's new feature is here to cut complexity and secure your network even faster.
If you’re already a Megaport customer, Megaport Cloud Router (MCR) likely needs no introduction. This popular and long-standing solution allows customers to spin up routing capabilities on-demand within Megaport’s global Network as a Service (NaaS) platform and can be utilized across a variety of use cases.
Megaport has recently released one of the most highly requested features for MCR: packet filters. This new feature gives customers the ability to perform Layer 3 and 4 firewalling directly on their MCR, reducing costs and complexity and allowing for many new use cases.
What are packet filters?
Packet filters, also called Access Control Lists (ACLs) or Firewall Rules, allow traffic to be permitted or denied based on specific criteria. MCR supports Layer 3 and 4 rules, so traffic can be matched based on its:
- source and destination IP
- IP protocol
- source and destination port.
This combination of fields is also known as a 5-tuple.
Packet Filters are stateless, so return traffic isn’t allowed automatically; a rule has to be created to allow the return traffic. Each MCR can have up to 20 packet filter lists, and each list can have up to 20 rules. The rules are evaluated from top to bottom as traffic enters or leaves the MCR on the associated interface, and if no rule is matched, the packet is dropped.
Why use packet filtering on MCR?
The ability to perform network traffic filtering directly on MCR can allow customers to achieve the required security controls without needing to deploy, license, and manage additional appliances.
MCR can now directly control which hosts can talk to which others, and on which ports. As well as increasing security for existing architectures, this also makes MCR suitable for additional use cases like connecting to the internet, connecting between untrusted networks, or isolating internal workloads.
Deploying packet filters on MCR
Packet filter lists are created at the MCR level, then applied to individual Virtual Cross Connects (VXCs) as required – either inbound or outbound, or both. All traffic is allowed on a VXC by default, however once a packet filter list is applied, all traffic not allowed by the list will be dropped (this is referred to as a “default deny” or “implicit deny”).
You can get full details on how to create and use packet filter lists on the Megaport Docs Portal, but we’ve shared a summary below.
You can also see the process for yourself in our on-demand recording of a recent Live Tech Drop-In session.
To deploy packet filters, you’ll need an MCR first – we have a step-by-step guide to creating one.
1. Creating a packet filter list
First, log into your Megaport Portal account.
The first step is to create a packet filter list on the MCR which specifies the rules to be evaluated, in order. You can duplicate an existing list to streamline the process and use the position column to reorder the rules. Lists have an implicit deny as the final rule.
2. Applying a packet filter list
Then, you need to apply your list to a VXC. You can apply a filter list as either inbound or outbound, or both.
And that’s it – your packet filters are active.
Want to learn more about how packet filtering can support your network? Book a chat with our Solutions team for a personalized demo.
