Service Composer – Resultant Set of Policy


Many people have asked how does someone view what firewall rules are applied to a Virtual Machine. When leveraging Service Composer that provides a policy driven abstraction you can efficiently apply Security Policy to Security Groups. These Security Groups have dynamic and static members defined by rules. These Security Groups can also be nested. With weighting and nesting it can become quite tricky to determine what rules apply to a Virtual machine – A resultant set of policy you might say.


In a previous blog I demonstrated the power of the host-based commands under the vsipioctl. Vsipioctl is only run on a per host basis under 6.1.x  and lower. Many people do not have access to their vSphere host. Due to role functions and separation they may break their posture to allow another team root access to the hypervisor.

Under the desired Virtual Machine select Monitor -> Service Composer and select Firewall Rules.

Screen Shot 2015-04-24 at 6.54.59 pm

This will show the resultant firewall filters applied to the distributed firewall rule. It will also show and hotlink to where this rule was inherited from. This allows an administrator to quickly visualised if a rule is applied to a Virtual machine. When using the Service Composer Security Group abstraction you can use this view to validated dynamic membership. This also includes Guest Introspection Services like Data Security or Network Introspection Service such as Advanced Firewall Services.


It is important to quickly validate, resolve, and troubleshoot issues. Whether it be the CLI and validation at a host level or via the vCenter GUI it is important. Knowing where to validate this and at what object level is paramount to success in running a virtualised network function.

Leave a Reply

Your email address will not be published. Required fields are marked *