Security Policy Guide 25.3

Add and Bind a Virtual Service to a Workload

When you add a virtual service, enter a name, select the service, and apply labels to it. Then bind it to the workload where the service is running. This binding tells the PCE where to enforce the rules for this virtual service. When you configure two rules with the same service ports, one stateless and the other stateful, the stateless rule takes precedence.

Add a Virtual Service

Note

A virtual service must be provisioned before it can be bound to a workload.

  1. From the PCE web console menu, choose Policy Objects > Virtual Services.

  2. Click Add.

    The Add Virtual Service page appears.

  3. Enter a name for the service.

  4. Select the service from the Service drop-down list or enter a service name.

  5. Select a Role, Application, Environment, and Location label.

  6. Host-only network: The rules associated with the virtual service are applied over the host network and programmed into the INPUT/OUTPUT chains in Linux iptables.

  7. (Optional) In the IP addresses field, you can override the IP address of the workload bound to the virtual service and specify different IP addresses or CIDR blocks that will be used for programming the virtual service rules.

  8. Click Save.

    The virtual service is created and labeled. The next steps are to provision it and bind it to a workload.

Note

SecureConnect is not supported for virtual services.

Bind a Virtual Service to a Workload

Binding a virtual service to a workload enables the PCE to program rules to the VEN on the workload to which the virtual service is bound.

If the workload binding ever changes, the rules of your ruleset are dynamically recalculated for the new binding.

Note

The virtual service must be provisioned before it can be bound to a workload.

  1. From the PCE web console menu, choose Policy Objects > Virtual Services.

  2. Select the virtual service you want to bind to a workload.

    The Virtual Services details page appears.

  3. Click the Workloads tab.

  4. Click Bind.

  5. In the Workloads drop-down list, select the workload to which you want to bind this virtual service.

  6. Select the Override ports checkbox to allow this virtual service to use a port different from the one specified.

    Note

    When you select All Services as the service for the virtual service, you cannot enable port overrides on the workload bindings.

  7. In the Ports/Protocols section, enter the TCP and UDP ports for this virtual service.

  8. Click Save.