Confused regarding guest isolation on cluster

Alright. So let me see if I remember what I've done so far, and whether this seems fine:

- Set datacenter input policy to ACCEPT and use no rules, as I use an external firewall.
- Enable datacenter firewall.
- Enable nftables on each node.
- For each VNet that needs internal isolation, create a subnet including the gateway address, enable the VNet firewall and add a rule dropping traffic with src and dst -no-gateway.
- Leave port isolation disabled, as that's handled by the VNet firewall.
- Any guest-specific firewall exceptions are to be added in the VNet firewall.