Fast ACLs-Old
Objective
This guide provides instructions on how to configure Volterra Fast Access Control Lists (ACLs). A Fast ACL protects Volterra sites from Denial of Service (DoS) attacks and can be applied to both Customer Edge (CE) sites and Regional Edge (RE) sites. For more information on Volterra sites, see Volterra Site.
Using Volterra Fast ACLs, you can block traffic from a specific source or apply a rate limit to the traffic from that source. You can also enhance protection by filtering traffic based on source address, source port, destination address, destination port, and protocol.
The Volterra Fast ACL consists of the following 3 types of objects:
- Fast ACL Rule - A rule specifies the source to which the incoming traffic belongs and the action for those packets. The source can be an IP prefix or prefix set. Action can be allow or reject or a policer specifying rate limit. You can also specify the protocol of the source packets using the policer.
- Fast ACL - The Fast ACL object combines one or more rules and specifies the destination for the packets. You can also specify protocol for the destination using the policer.
- Fast ACL Set - The set combines one or more Fast ACLs and is applied on a CE using the fleet configuration or on a RE using the fast-acl-set-regional-edge name for the set.
Unlike session-based ACLs, where the action is calculated only on the first packet in a session, the Fast ACL rules are evaluated for each ingress packet. Also, the Fast ACL picks the source based on the longest prefix match for faster processing. This differs from a traditional ACL, where rules are evaluated in order.
Note: If none of the rules match, then default action is to forward the packet.
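The difference between longest-prefix-match selection and ordered evaluation matters when source prefixes overlap. The following is an added example, not Volterra code: a small model of both evaluation styles over a constructed rule list. The prefixes, the action labels and the function names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample rules as (source prefix, action); not taken from the page.
RULES = [
    ("10.0.0.0/8", "allow"),
    ("10.1.0.0/16", "policer"),
    ("10.1.2.0/24", "deny"),
]
# The page states that a packet matching no rule is forwarded.
DEFAULT_ACTION = "forward"


def _matching(src, rules):
    """Return (network, action) for every rule whose prefix contains src."""
    addr = ipaddress.ip_address(src)
    nets = ((ipaddress.ip_network(prefix), action) for prefix, action in rules)
    return [(net, action) for net, action in nets if addr in net]


def fast_acl_action(src, rules=RULES):
    """Longest prefix match: the most specific source prefix wins,
    regardless of where the rule sits in the list."""
    hits = _matching(src, rules)
    if not hits:
        return DEFAULT_ACTION
    return max(hits, key=lambda hit: hit[0].prefixlen)[1]


def ordered_acl_action(src, rules=RULES):
    """Traditional ACL: the first matching rule in list order wins,
    so a broad early rule shadows narrower rules after it."""
    hits = _matching(src, rules)
    return hits[0][1] if hits else DEFAULT_ACTION


def differing_verdicts(sources, rules=RULES):
    """Sources whose verdict differs between the two models; useful when
    porting an ordered rule list to prefix-match semantics."""
    return [s for s in sources
            if fast_acl_action(s, rules) != ordered_acl_action(s, rules)]


if __name__ == "__main__":
    for src in ("10.1.2.7", "10.1.9.9", "10.9.9.9", "192.0.2.1"):
        print(src, fast_acl_action(src), ordered_acl_action(src))
```

With these rules, a packet from 10.1.2.7 is denied under longest prefix match but allowed under ordered evaluation, because the /8 allow rule is listed first.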
Prerequisites
The following prerequisites apply:
- Note: If you do not have an account, see Getting Started with Console.
- A Volterra CE site in case of applying the fast ACLs on CE site.
- Note: If you do not have a site, create a site using the instructions included in the Create a Site guide.
- A fleet in case of applying the fast ACLs on CE site.
- Note: See Create Fleet guide for instructions on creating fleet.
- An application deployed using Volterra vK8s or served using the HTTP load balancer.
- Note: See vK8s Deployment guide to deploy your applications on Volterra network cloud or edge cloud. See Create HTTP Load Balancer for instructions on configuring load balancer.
Configuration
Applying Fast ACLs for a CE site requires you to associate the Fast ACLs to a fleet in which that CE site is a member. The following image illustrates the sequence of applying Fast ACLs to a CE site:

Figure: Fast ACL Configuration Sequence For CE Site
Applying Fast ACLs for an RE site requires you to create the Fast ACL set with the fast-acl-set-regional-edge name. The following image illustrates the sequence of applying Fast ACLs to a RE site:

Figure: Fast ACL Configuration Sequence For RE Site
Configuration Sequence
Creating Fast ACLs and applying on CE site requires you to perform the following sequence of actions.
Phase | Description |
---|---|
Create Fast ACL Rule | Create a rule object specifying the IP prefix, action, and optional policer. |
Create Fast ACL | Create a Fast ACL object with the created rule, destination, and optional policer. |
Create Fast ACL Set | Create a Fast ACL set with the created Fast ACL. |
Create Network Firewall | Create a network firewall applying the Fast ACL set. |
Create Fleet | Create a fleet with the network firewall. |
Add Site to Fleet | Update your CE site by adding it to the created fleet. |
Note: You can also add Fast ACL to an existing network firewall that is associated with an existing fleet.
Creating Fast ACLs and applying on RE site requires you to perform the following sequence of actions.
Phase | Description |
---|---|
Create Fast ACL Rule | Create a rule object specifying the IP prefix, action, and optional policer. |
Create Fast ACL | Create a Fast ACL object with the created rule, destination, and optional policer. |
Create Fast ACL Set | Create a Fast ACL set with the created Fast ACL. |
Configure Fast ACLs
Configuring fast ACLs for the CE site requires you to create fast ACLs, apply them to a network firewall, apply the firewall to a fleet, and add the fleet label to the CE site.
In case of RE site, creating Fast ACL rules, Fast ACLs, and Fast ACL set is sufficient. However, the Fast ACL set name should be configured as fast-acl-set-regional-edge.
Note: This example assumes that you have one application provisioned using a Volterra virtual host and another application deployed using Volterra vK8s.
Create Fast ACL Rule
Step 1: Log into the VoltConsole and select Security from the configuration menu. Select Fast ACL Rules under the Network Security in the options. Click Add fast ACL rule. The Fast ACL rule creation form loads.
Step 2: Set a name and select Prefix or IP prefix set for the Source field. Enter an IP prefix or IP prefix set accordingly using the Add prefix or Select ref options. This example adds a prefix using the Add prefix option.

Figure: Fast ACL Rule Creation
Step 3: Select an action for the Action field as per the following guidelines:
- Select Simple Action and select Deny or Allow for the Simple Action field. This simply creates a rule that either rejects or allows the traffic from the configured source.
- Select Policer Action and click Select ref to select and apply a policer. This applies rate limiting for the traffic originating from the configured source.
- Select Protocol Policer Action and click Select ref to select and apply a protocol policer. This applies rate limiting for the traffic of the specified protocol originating from the configured source. The supported protocols are TCP, UDP, ICMP, and DNS.
Note: Before applying policer or protocol policer, it is required to create them using the Policer or Protocol Policer options in the Security configuration.
Step 4: Click Add fast ACL rule to complete creating the Fast ACL rule.

Figure: Fast ACL Rule Configuration
In case of RE sites, there could be rule overlapping due to the following:
- The ves.io tenant and non ves.io tenant create rules for same destination.
- ves.io tenant creates rules for subnet which contains destination IP configured by the non ves.io tenant.
The conflict due to the overlapping is addressed using the following mechanism:
- Any rule which has action DENY has highest priority irrespective of tenant.
- If action is not DENY, then rules from the ves.io tenant get priority over the non ves.io tenant.
Create Fast ACL
Step 1: Log into the VoltConsole and select Security from the configuration menu. Select Fast ACLs under the Network Security in the options. Click Add fast ACL. The Fast ACL creation form loads.
Step 2: Set a name and select a choice for the Virtual Network Type field. This example selects Site Local Network.
Note: In case of Fast ACL for RE site, only the Public Network is supported.
Step 3: Select a choice for the Ip Type field as per the following guidelines:
- Select VIP services to set the VIP configured for the service. In case of CE site, the ves.io tenant cannot set this. In case of RE site, if the ves.io tenant sets this, all VIPs assigned for all tenants are selected. If non ves.io tenant sets this, then only the VIP assigned for that tenant is selected.
Note: Selecting VIP services does not include the VIP from the interface of the service.
- Select All services to set the VIP configured for the service. In case of CE site, the ves.io tenant cannot set this and the non ves.io tenant selects all VIPs including the VIP of the service interface. In case of RE site, if the ves.io tenant sets this, all VIPs assigned for all tenants including the VIP of the service interface are selected. If non ves.io tenant sets this, then only the VIP assigned for that tenant is selected.
- Select Destination IP Address and specify the IP address using the Add address option. This option is supported only for the RE site and the ves.io tenant. When this option is selected, you can also specify a destination port using the Add port option.
- Select Interface Services to set the IP address of the interface configured for the service. The ves.io tenant cannot set this on the CE site. The non ves.io tenant cannot set this on the RE site.
This example sets a destination IP address.

Figure: Fast ACL IP Type and Destination
Step 4: Click Select source rule and select the rule you created in the Create Fast ACL Rule chapter. Click Select source rule again to apply the rule.

Figure: Fast ACL Source Rule Addition
Step 5: Optionally, apply a protocol policer using the Select default protocol policer field. The supported protocols are TCP, UDP, ICMP, and DNS.
Step 6: Click Add fast ACL to complete creating the Fast ACL.
Create Fast ACL Set
Step 1: Log into the VoltConsole and select Security from the configuration menu. Select Fast ACL Sets under the Network Security in the options. Click Add fast ACL set. The Fast ACL set creation form loads.
Step 2: Set a name and click Select ACL list. Select the ACL created in the Create Fast ACL chapter and click Select ACL list to apply the ACL.

Figure: Fast ACL Set Creation
Note: Set the name as fast-acl-set-regional-edge in case of configuring Fast ACLs for RE site.
Step 3: Click Add fast ACL set to complete creating the Fast ACL set.
Note: In case of configuring Fast ACLs for the RE site, sets from all tenants are applied. However, if there is an overlap between ves.io and non ves.io tenant, action of ves.io tenant is applied.
Create Network Firewall and Fleet
Creating a network firewall with the Fast ACL set and associating it with a fleet is required only if you are configuring the Fast ACLs for a CE site.
Step 1: Log into the VoltConsole and select Security from the configuration menu. Select Network Firewall under the Network Security in the options. Click Add network firewall to open the network firewall creation form.
Step 2: Set a name and apply network policy or forward proxy service policy as per your choice.
Step 3: Click Select fast ACL set and select the Fast ACL set created in the Create Fast ACL Set chapter. Click Create Fast ACL Set to add the Fast ACL set to the network firewall configuration.

Figure: Addition of Fast ACL Set to Network Firewall
Note: You can also update an existing firewall using the ... -> Edit option.
Step 4: Click Add network firewall to complete creating the network firewall.
Step 5: Create a fleet as per the instructions in the Create a Fleet guide. Apply the network firewall created in Step 4 to the fleet.
Note: You can also update an existing fleet.
Add Site to the Fleet
Adding site to the fleet to apply Fast ACLs is required only if you are configuring Fast ACLs for a CE site.
Step 1: Log into the VoltConsole and select Sites from the configuration pane. Select Site List from the options.
Step 2: Select your site from the list of displayed sites and click ... -> Edit to open the site edit form.
Step 3: Select the ves.io/fleet label in the Labels field and select your fleet label.
Step 4: Click Save changes to add your site to the fleet.

Figure: Site Addition to Fleet