VMware NSX 6.7 Micro-Segmentation Configuration Steps

Securing the data center with a perimeter firewall and a data center firewall is not enough. Last year attacks such as WannaCry affected many data centers and brought down services. Those data centers had all the usual security devices in place, yet the malware still spread widely because there was no micro-segmentation inside the same VLAN or L2 broadcast domain: a perimeter firewall never sees traffic between two hosts on the same segment. With NSX micro-segmentation, which is true per-workload segmentation, every machine can be isolated, and in an easy way. Most web servers on one subnet have no need to talk to each other, but if one is compromised all of them are exposed. With NSX, blocking that east-west traffic is a couple of clicks away.

As the saying goes, a 100% secured system is one nobody can use. NSX micro-segmentation avoids that trade-off: the policy is enforced on each VM's vNIC, users notice no impact on legitimate traffic, and the security team can build such granular policies with a few clicks and manage them centrally from one place.

The distributed firewall is applied to every individual VM at the hypervisor kernel level, on the vNIC, so traffic is filtered before it ever reaches the virtual switch. There is no chance of bypassing it by moving to another VLAN or to another VM in the same VLAN. One caveat: VMs on the NSX exclusion list are not filtered at all. NSX Manager, the controllers and Edge appliances are excluded automatically and vCenter is normally added manually, so review that list before trusting the policy.

This post covers the micro-segmentation configuration for NSX. See the NSX Manager 6.7 Installation & Configuration post if you want to set up NSX Manager from scratch.

Create Distributed vSwitch & Add Hosts

Distributed firewalling is only supported on a distributed switch (it may appear to work on a standard switch, but that is not a supported configuration). So our first step is to create a distributed switch and port groups, add the hosts to the vDS and move the VMs to the distributed port groups.

Creating Distributed vSwitch

Step : Login to vCenter server – Menu – Networking


Step : Right Click on the Data Center – Distributed switch – New Distributed switch


Step : Provide Name and next


Step : Select the ESXi version compatibility


Step : Provide the number of uplinks you want to use for this vDS, in my case 2


Step : Review and Finish


Add ESXi Hosts to Distributed Switch

Step : Right click the Distributed switch just created – Add and Manage Hosts


Step : Add hosts


Step : New Hosts


Step : Select Hosts


Step : Review hosts and Next


Step : Select the physical adapter – Assign uplink


Step : Select uplink 1


Step : Repeat for uplink 2, and for every host


Step : Next


Step : Next


Step : Finish

Now move all the VMs to the distributed port groups. Any VM left on a standard port group is outside the supported scope of the distributed firewall, so check that none remain before continuing.

Micro-Segmentation Configuration

Host Preparation for NSX

NSX installs VIBs on the ESXi hosts to prepare them so that micro-segmentation (distributed firewalling) works. Host preparation is done per cluster, and every host in the cluster must already be on the vDS.

Step : Menu – Network and Security


Step : Select Installation and Upgrade – Host preparation – select cluster – Install NSX.


Step : Yes


Step : The VIBs are installed and the view shows the installed version and the firewall status as below. If the installation fails on a host for some reason, it can easily be rerun from the same screen.

Security Group Creation with dynamic inclusion

Now we need to create security groups for the virtual machines. Membership can be static, or dynamic, where every web, app and DB VM is grouped automatically as soon as its name matches the group criterion. Dynamic inclusion by name is convenient but loose: any VM whose name happens to contain the string joins the group and inherits its policy, so name the VMs consistently, or use security tags when stricter membership is needed.

Step : Home – network and security


Step : Select Service Composer – security groups – Add


Step : Provide a name (web-VMs)


Step : Define the dynamic criterion: VM Name – Contains – web


Step : Next


Step : Next


Step : Finish


Step : Similarly create a group for the app VMs (app-VMs).

Distributed Firewall Configuration

In this section we create rules to implement micro-segmentation and allow only the required traffic:

  • Users to web servers – HTTPS (443) only
  • Web servers to app servers – the SAP app port only
  • Web servers to web servers – deny all ports

Step : Click on Firewall – expand the Default Section – set the Default Rule action to Block – Publish. Be aware that once this is published every flow without an explicit allow rule is dropped, including your own management access (SSH, RDP) to the VMs, so either create the allow rules first or publish the default block last.


Step : Click on Firewall – Add Section


Step : Provide Section Name – Add


Step : Expand the section created and click on add rule


Step : Provide a name for the rule, then edit Source and Destination


Step : Select the security groups created before and set the Service to the required port only.


Step : Select the rule – right-click – Add Rule Below – create the web-to-web rule (source web-VMs, destination web-VMs, service any, action Block) – click Publish. Rules are evaluated top to bottom and the first match wins, so a block rule placed below a broader allow (for example an allow from any source to web-VMs on 443) is never reached for that traffic; keep the intra-tier block above such allows.
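The two points above (loose "name contains" membership, and first-match rule ordering) are easy to get wrong in the UI and hard to see until a flow is unexpectedly allowed. The following is an added example, not part of the original post and not NSX code: a small model of the security groups and the rule table built in this post, evaluated the way the distributed firewall evaluates them (top to bottom, first match, default rule last). The VM names, the SAP port number 3200, the user-to-web rule having source "any", and the rule order are assumptions made here for illustration.

```python
"""Model of the NSX-V DFW policy built in this post (added example, not NSX code)."""
from __future__ import annotations

from dataclasses import dataclass

ANY = "any"


@dataclass(frozen=True)
class SecurityGroup:
    """Service Composer group with one dynamic criterion: VM Name contains <needle>."""
    name: str
    name_contains: str

    def matches(self, vm_name: str) -> bool:
        # NSX string criteria are case-insensitive substring matches
        return self.name_contains.lower() in vm_name.lower()


@dataclass(frozen=True)
class Rule:
    name: str
    source: str                   # security-group name, or ANY
    destination: str              # security-group name, or ANY
    ports: frozenset[int] | str   # destination TCP ports, or ANY
    action: str                   # "allow" or "block"


@dataclass
class Policy:
    groups: dict[str, SecurityGroup]
    rules: list[Rule]                # evaluated top to bottom; first match wins
    default_action: str = "block"    # the Default Section rule set to Block

    def in_group(self, group: str, vm: str) -> bool:
        return group == ANY or self.groups[group].matches(vm)

    def evaluate(self, src_vm: str, dst_vm: str, port: int) -> tuple[str, str]:
        """Return (action, matching rule name) for the flow src_vm -> dst_vm:port."""
        for r in self.rules:
            if (self.in_group(r.source, src_vm)
                    and self.in_group(r.destination, dst_vm)
                    and (r.ports == ANY or port in r.ports)):
                return r.action, r.name
        return self.default_action, "Default Rule"


SAP_APP_PORT = 3200   # assumption: the post only says "SAP app port"

# the three rules from the post; source "any" for the user rule is an assumption
USER_TO_WEB = Rule("user-to-web-https", ANY, "web-VMs", frozenset({443}), "allow")
WEB_TO_APP = Rule("web-to-app-sap", "web-VMs", "app-VMs", frozenset({SAP_APP_PORT}), "allow")
WEB_TO_WEB = Rule("web-to-web-block", "web-VMs", "web-VMs", ANY, "block")

GROUPS = {
    "web-VMs": SecurityGroup("web-VMs", "web"),
    "app-VMs": SecurityGroup("app-VMs", "app"),
}


def policy_as_published() -> Policy:
    """Rule order as the post builds it: the web-to-web block is added below the allow."""
    return Policy(GROUPS, [USER_TO_WEB, WEB_TO_APP, WEB_TO_WEB])


def policy_block_first() -> Policy:
    """Same rules with the intra-tier block moved above the broad allow."""
    return Policy(GROUPS, [WEB_TO_WEB, USER_TO_WEB, WEB_TO_APP])


if __name__ == "__main__":
    # constructed flows; VM names are assumptions
    flows = [("user-pc01", "web01", 443), ("web01", "app01", SAP_APP_PORT),
             ("web01", "web02", 443), ("web01", "web02", 22),
             ("app01", "db01", 1433)]
    for label, p in (("as published", policy_as_published()),
                     ("block first", policy_block_first())):
        for src, dst, port in flows:
            print(f"[{label}] {src} -> {dst}:{port} -> {p.evaluate(src, dst, port)}")
    # loose dynamic criterion: any name containing "web" joins web-VMs
    print("ldap-webproxy-test in web-VMs:", GROUPS["web-VMs"].matches("ldap-webproxy-test"))
```

Run as published, web01 -> web02:443 is allowed by the user-to-web rule before the block rule is ever consulted, because a web server is also a member of "any"; with the block rule on top the same flow is dropped. In NSX the fix is to move the block above the allow, or to give the user rule a narrower source (an IP set for the user subnet) rather than any. The last line shows the membership side effect of a "name contains web" criterion.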

Conclusion for Micro-Segmentation

Step : Further rules can be added or deleted in the same way.

Step : All the necessary rules can be created this way with the built-in capabilities of NSX.

With this, no web server can communicate with any other web server, web to app is allowed only on the required port, and user to web server access can be opened on specific ports only.

Hope this post is useful, leave your comments and feedback.

Siva Sankar

Siva Sankar works as a Solution Architect in Abu Dhabi with a primary focus on SDDC, mobility, virtualization, VDI, HCI and network virtualization products from VMware, Citrix and Microsoft.
