Security

Overview

The security features available on Cloud Avenue are integrated at several levels:

platform “output” level, via the embedded services into the internet and BVPN connectivity
vCD “Organization / Tenant” level, through vmware NSX-T and AVI products.

Internet

Internet access is provided by Orange Business, and includes the following protection services:

redundant access
blackhole DDOS protection, on demand (removal of traffic to a public IP address)

In option, the Customer can subscribe to an additional offer which includes the Cleanpipe service that will redirect the trafic to a cleaning center.

https://www.orange-business.com/en/products/ddos-protection

BVPN

The Orange Business MPLS network is EAL2+ certified.

Portals protection

All portals exposed on the internet are protected by a WAF.

To reinforce security a little more, a Customer can request the deactivation of the internet exposure of the access url to its VCD portal. He will then have to access the VCD portal (and the APIs) via his BVPN access.

NSX-T

Perimeter firewall

The T1 gateway embeds a perimeter firewall, allowing North-South flows to be filtered, exactly as a physical firewall does. It manages the address translation rules (NAT) and thus makes it possible to protect the VMs of the organization networks carried by the T1.

Distributed firewall

NSX-T also makes it possible to deploy a distributed firewall, which can manage security in the scope of :

one vDC
several vDC, if they are grouped into a Datacenter Group.

This implementation, carried out at the ESXi level, makes it possible to manage east-west flows between the VMs. The rules can be based on tags placed on the VMs, in order to facilitate the propagation of the rules. For example, VMs tagged DEV will not have access to the internet, while VMs tagged PROD will have access.

VPN

NSX-T allows to create tunnels on the internet of 2 types:

L2VPN
L3VPN (IPSEC),

For the 2 types of tunnel, transmission security is entrusted to an AES GCM 128 encryption algorithm, and Diffie-Hellman group 14 for the key exchange algorithm.

Orange templates

The VM templates available in the vCD catalogs (Orange and Linux) have “hardened” OS (ports and services disabled), and include a Sophos antivirus agent (Windows template only). The Sophos agent is regularly updated via a centralized console, not visible to the Customer.

Billing

The security services integrated into Cloud Avenue are not subject to any specific billing.

For more information, see the Cloud Avenue White Paper.

Overview

Practical sheets

API

Backup

Cloud Customer Space

Contractual documents

Help and technical assistance

Online help

Roles and users

Technical Dashboards

The Support

Virtual Data Center ressources

Kubernetes

Additional components

KaaS

Tooling & Troubleshooting

Network

Networks and External Interconnections (links)

VDC Networks

Security

Services Area

Log in to the service area

Services

Storage

Objet Storage (S3)

Advanced features implementation guide

Getting Started

Service user manual

Shared storage (Network storage)

VDC & Virtual Machines

vCOD

Virtual Machines

Advanced Operations

Known Issues

Main Operations

VMware Cloud Director (VCD)

Catalogs

VMWare Cloud Director Availability (vCDA)

Q & A

Services

Virtual datacenter

Security

Overview

Internet

BVPN

Portals protection

NSX-T

Perimeter firewall

Distributed firewall

VPN

Orange templates

Billing