Part 2: VMWare NSX 6.4.x Micro-Segmentation Configuration steps
Securing the data center with a data center and perimeter firewall is not enough. Last year attacks like WannaCry and others affected many data centers and brought down services. All those data centers had all the security devices in place; still, the malware could spread widely because there was no micro-segmentation within the same VLAN or L2 broadcast domain. With NSX micro-segmentation, which is true segmentation, every machine can be isolated, and in an easy way. Most of the web servers residing on one subnet don't talk to each other, but if one gets hit, all are gone. With NSX it's a couple of clicks away.
As the saying goes, a 100% secured product cannot be used, but that is not the case with NSX micro-segmentation. It is 100% secured, yet the user will never notice any impact, and it is easy for the security team to configure such granular policies with a few clicks and manage them centrally from one place.
Distributed firewalling is applied to every individual VM at the kernel level, so there is no chance of it being bypassed by infecting other VLANs or the same VLAN.
This post covers the micro-segmentation configuration for NSX. Please click here for the NSX Manager 6.7 Installation & Configuration post if you want to set up NSX Manager from scratch.
To make it easy, this series is split into 5 parts.
Part 1: VMWare NSX Manager 6.4.x Installation and Initial Configuration
Part 2: VMWare NSX 6.4.x Micro-Segmentation Configuration steps
Part 3: VMWare NSX Cluster preparation and Controllers Installation
Part 4: VMWare NSX Logical Switching and DLR Configuration
Part 5: VMWare NSX EDGE and OSPF Routing Configuration
Contents of the Post
Introduction
The diagram below illustrates the micro-segmentation and distributed switch design.
Create Distributed vSwitch & Add Hosts
Distributed firewalling is supported on a distributed switch only, even though in practice it also works with a standard switch. So our first step is to create a distributed switch and port groups, add the hosts to the vDS, and move the VMs to a distributed port group.
Creating Distributed vSwitch
Step: Log in to vCenter Server – Menu – Networking
Step: Right-click on the data center – Distributed Switch – New Distributed Switch
Step: Provide the number of uplinks that you want to use for this vDS; in my case 2.

Add ESXi Hosts to Distributed Switch
Step: Right-click the distributed switch just created – Add and Manage Hosts
Step: Click on the link – Assign link
Step: Do the same for all hosts for uplinks 1 and 2.
Now move all the VMs to the distributed port groups.
Micro-Segmentation Configuration
Host Preparation for NSX
NSX installs VIBs on the ESXi hosts to prepare them so that micro-segmentation (distributed firewalling) will work.
Step: Menu – Network and Security
Step: Select Installation and Upgrade – Host Preparation – select the cluster – Install NSX.
Step: The VIBs will install and show the version and firewalling status as below. If for some reason it fails, it can be reinstalled easily.
Security Group Creation with Dynamic Inclusion
Now we need to create security groups for the virtual machines. This can be done with dynamic inclusion, where all web, app and DB VMs are grouped automatically once their name matches the group criteria, or statically.
Step: Home – Network and Security
Step: Select Service Composer – Security Groups – Add
Step: Provide a name (web-VMs)
Step: Similarly, create one for the App VMs as well.
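As an added example (not code from the post or from VMware), the following Python models how a dynamic-inclusion criterion such as "VM name contains web" selects members, and audits the result before firewall rules are built on top of the groups. The inventory, VM names and security tags are constructed; the matching operators are modelled as plain case-sensitive string comparisons, which is an assumption to confirm against your NSX version.

```python
"""Model of Service Composer dynamic security-group membership.

Added example, not code from the post or from VMware. It evaluates
name- and tag-based inclusion criteria over a constructed VM inventory
and audits the groups for VMs that land in several groups or in none.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class VM:
    name: str
    tags: Tuple[str, ...] = ()   # security tags applied to the VM


@dataclass(frozen=True)
class Criterion:
    key: str     # "name" (VM name) or "tag" (security tag)
    op: str      # "contains", "starts_with", "ends_with", "equals"
    value: str

    def matches(self, vm: VM) -> bool:
        candidates = [vm.name] if self.key == "name" else list(vm.tags)
        return any(self._compare(text) for text in candidates)

    def _compare(self, text: str) -> bool:
        # Assumption: plain case-sensitive comparison, as in the post's "contains" example.
        if self.op == "contains":
            return self.value in text
        if self.op == "starts_with":
            return text.startswith(self.value)
        if self.op == "ends_with":
            return text.endswith(self.value)
        if self.op == "equals":
            return text == self.value
        raise ValueError(f"unknown operator {self.op!r}")


@dataclass(frozen=True)
class SecurityGroup:
    name: str
    criteria: Tuple[Criterion, ...]
    any_criterion: bool = True   # True: OR between criteria, False: AND

    def contains(self, vm: VM) -> bool:
        results = [c.matches(vm) for c in self.criteria]
        return any(results) if self.any_criterion else all(results)


def members(group: SecurityGroup, inventory: List[VM]) -> List[str]:
    """Sorted names of the VMs the dynamic criteria pull into the group."""
    return sorted(vm.name for vm in inventory if group.contains(vm))


def audit(groups: List[SecurityGroup], inventory: List[VM]) -> Dict[str, object]:
    """Flag VMs in more than one group (they inherit both rule sets) and VMs
    in no group (they are covered only by the default rule)."""
    overlap: Dict[str, List[str]] = {}
    ungrouped: List[str] = []
    for vm in inventory:
        hits = sorted(g.name for g in groups if g.contains(vm))
        if len(hits) > 1:
            overlap[vm.name] = hits
        elif not hits:
            ungrouped.append(vm.name)
    return {"overlap": overlap, "ungrouped": sorted(ungrouped)}


# Constructed inventory (names and tags are made up for the example).
INVENTORY = [
    VM("prod-web-01", ("web-tier",)),
    VM("prod-web-02", ("web-tier",)),
    VM("prod-app-01", ("app-tier",)),
    VM("prod-db-01", ("db-tier",)),
    VM("app-webhook-01", ("app-tier",)),   # name contains both "web" and "app"
    VM("jumpbox-01"),
]

# Groups built the way the post does it: dynamic inclusion on the VM name.
WEB_BY_NAME = SecurityGroup("web-VMs", (Criterion("name", "contains", "web"),))
APP_BY_NAME = SecurityGroup("app-VMs", (Criterion("name", "contains", "app"),))

# The same groups keyed on a security tag instead of the name.
WEB_BY_TAG = SecurityGroup("web-VMs", (Criterion("tag", "equals", "web-tier"),))
APP_BY_TAG = SecurityGroup("app-VMs", (Criterion("tag", "equals", "app-tier"),))

if __name__ == "__main__":
    for grp in (WEB_BY_NAME, APP_BY_NAME):
        print(grp.name, "by name:", members(grp, INVENTORY))
    print("audit by name:", audit([WEB_BY_NAME, APP_BY_NAME], INVENTORY))
    print("audit by tag: ", audit([WEB_BY_TAG, APP_BY_TAG], INVENTORY))
```

The audit is the check worth running right after the groups are created: a VM whose name happens to contain both strings lands in web-VMs and app-VMs at once, so both rule sets apply to it, and a VM in no group is covered only by the default rule. Keying the same groups on a security tag instead of the name removes the overlap in this inventory.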
Distributed Firewall Configuration
In this section we will create some rules to implement micro-segmentation and allow only the required traffic.
- Users to web servers – HTTPS
- Web servers to app servers – SAP app port
- Web servers to web servers – deny all ports
Step: Click on Firewall – expand the Default Section – Default Rule – Block – Publish
Step: Click on Firewall – Add Section
Step: Provide a section name – Add
Step: Expand the section created and click on Add Rule
Step: Provide a name for the rule, select Source, Destination – Edit
Step: Select the security group created before.
Step: Select the rule – right-click – Add Rule Below – create the web-to-web rule that blocks all traffic – click Publish
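As an added example that is not part of the post or of NSX, here is a Python model of the section above evaluated the way the distributed firewall processes it: top to bottom, first match wins, and the Default Rule (set to Block) catches everything else. The group addresses, the user LAN and the SAP port (3200 here) are constructed stand-ins for the Service Composer groups; the model is stateless, so it does not account for the return traffic of established connections that the real, stateful DFW permits.

```python
"""First-match model of a distributed-firewall section with a default Block.

Added example, not code from the post or from VMware. Group membership is
given as constructed IP sets instead of being resolved from Service Composer.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

ANY = "any"

# Constructed addresses standing in for the security groups and the user LAN.
GROUPS: Dict[str, List[str]] = {
    "users":   ["10.10.0.0/24"],
    "web-VMs": ["10.20.0.11/32", "10.20.0.12/32"],
    "app-VMs": ["10.20.0.21/32"],
}
SAP_APP_PORT = 3200   # example value only; use your SAP instance's port


@dataclass(frozen=True)
class Rule:
    name: str
    src: str              # group name or ANY
    dst: str              # group name or ANY
    proto: str            # "tcp", "udp" or ANY
    port: Optional[int]   # None = any destination port
    action: str           # "allow" or "block"


def in_group(ip: str, group: str) -> bool:
    if group == ANY:
        return True
    return any(ip_address(ip) in ip_network(net) for net in GROUPS[group])


def rule_matches(rule: Rule, src: str, dst: str, proto: str, port: int) -> bool:
    return (in_group(src, rule.src) and in_group(dst, rule.dst)
            and rule.proto in (ANY, proto)
            and rule.port in (None, port))


def evaluate(section: List[Rule], src: str, dst: str, proto: str, port: int,
             default: str = "block") -> Tuple[str, str]:
    """First matching rule wins; the default rule applies when none match."""
    for rule in section:
        if rule_matches(rule, src, dst, proto, port):
            return rule.action, rule.name
    return default, "Default Rule"


# The section as the post builds it: three explicit rules above the default Block.
SECTION = [
    Rule("user-to-web HTTPS", "users", "web-VMs", "tcp", 443, "allow"),
    Rule("web-to-app SAP", "web-VMs", "app-VMs", "tcp", SAP_APP_PORT, "allow"),
    Rule("web-to-web block all", "web-VMs", "web-VMs", ANY, None, "block"),
]

# Ordering mistake for comparison: the HTTPS rule with source "any" sits above
# the web-to-web block rule.
LOOSE_SECTION = [Rule("any-to-web HTTPS", ANY, "web-VMs", "tcp", 443, "allow")] + SECTION[1:]


def check_policy(section: List[Rule]) -> Dict[str, str]:
    """Flows worth testing before Publish; returns the resulting action per flow."""
    flows = {
        "user->web:443": ("10.10.0.5", "10.20.0.11", "tcp", 443),
        "user->web:22":  ("10.10.0.5", "10.20.0.11", "tcp", 22),
        "web->app:sap":  ("10.20.0.11", "10.20.0.21", "tcp", SAP_APP_PORT),
        "web->web:443":  ("10.20.0.11", "10.20.0.12", "tcp", 443),
        "web->web:445":  ("10.20.0.11", "10.20.0.12", "tcp", 445),
        "app->web:443":  ("10.20.0.21", "10.20.0.11", "tcp", 443),
    }
    return {label: evaluate(section, *flow)[0] for label, flow in flows.items()}


if __name__ == "__main__":
    for label, section in (("intended", SECTION), ("loose", LOOSE_SECTION)):
        print(label, check_policy(section))
```

check_policy lists the flows a reviewer should try before clicking Publish. LOOSE_SECTION shows why the source of the HTTPS rule must stay scoped to the user group: with source "any" above the web-to-web block rule, one web server reaches another on 443 because the block rule below is never consulted for that flow. Scope the source, or place the block rule first.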
Conclusion for Micro-Segmentation
Step: Rules can be added or deleted as shown below.
Step: All the necessary rules can be created this way, using the built-in capabilities of NSX.
With this, no web server will be able to communicate with another web server, web-to-app traffic is allowed only on the required port, and specific ports from users to the web servers can also be opened.
Below is the complete list of posts in this series.
Part 1: VMWare NSX Manager 6.4.x Installation and Initial Configuration
Part 2: VMWare NSX 6.4.x Micro-Segmentation Configuration steps
Part 3: VMWare NSX Cluster preparation and Controllers Installation
Part 4: VMWare NSX Logical Switching and DLR Configuration
Part 5: VMWare NSX EDGE and OSPF Routing Configuration
Hope this post and series are useful. Leave your comments below.
Awesome series.
Please keep up the good work. It has been put up in such an easy to understand way.
Thank you.