Distributed Firewall – Using vCenter objects to provide policy enforcement for VM to VM traffic
This use case demonstrates the use of NSX's distributed firewall in conjunction with vCenter objects. In addition to matching on source and destination IP address and port, rules can reference vCenter objects such as a logical switch, VM (security) tag, VM name, datacenter or vApp, which gives very granular, per-vNIC control that follows the VM regardless of its IP address or the host it runs on.
Preconditions
- vCenter and NSX Manager configured and registered with each other.
- NSX host and cluster preparation complete (the DFW kernel module is installed on every host in scope).
- IP connectivity between hosts.
- (Optional) Applications available on the VMs so that enforcement of the firewall policy can be observed.
Success End Condition
- The configured firewall policy is distributed throughout the environment to every end point that requires enforcement.
Failure End Condition
- Distributed Firewall fails to update because of a control-plane error (NSX Manager cannot deliver the rules to the hosts).
- Incorrect ruleset applied to an end point, resulting in no enforcement.
- Distributed Firewall matches only part of the intended traffic because of operator error (for example a mis-scoped object, wrong service or wrong "applied to" field).
- A virtual machine initiates communication with the desired end point. As a packet leaves the VM's vNIC, the distributed firewall function, residing between the vNIC and the vSwitch, enforces the defined security policy; the same filter inspects packets arriving at the vNIC.
Use Case Expected Flow
- Log into the Networking and Security plugin of vCenter.
- Configure the Firewall section of NSX.
- Populate the desired rulesets by translating the business requirements into sections and rules that reference the vCenter objects.
- Commit and publish the firewall change.
Use Case Variations
- The NSX Distributed Firewall function can be approximated with an NSX Edge appliance, but enforcement then happens in a virtual appliance rather than in the hypervisor kernel: traffic must be steered through the Edge, which adds hops and appliance overhead and does not scale with the number of hosts the way the distributed filter does.
- Active Directory will be an integration point if contextual rules are based on security groups whose membership is derived from Active Directory groups, e.g. permit 'Domain Administrators' to 'Management Logical Switch'.
Suggested Test Metrics
- Test application availability after permitting or denying the service port.
- Confirm expected behaviour when tiering or nesting policy (rule order and section order decide the first match).
- Confirm rulesets have been distributed to the hosts by inspecting the VSIP kernel module's rules and address sets from the ESXi command line.
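The host-side check above, as an added example that is not part of the original use case: on an NSX-prepared ESXi host the per-vNIC DFW filters are listed with `summarize-dvfilter`, and the rules and address sets attached to a filter are dumped with `vsipioctl getrules -f <filter>` and `vsipioctl getaddrsets -f <filter>`. The script below parses that output to confirm a rule id arrived with the expected action and that the vCenter object it references (a security group or logical switch) resolved to at least one IP on this host. The sample outputs, the rule ids, the object names and the IP addresses are constructed for illustration and only approximate the real formats; on a real host the same functions are fed the live command output.

```shell
#!/bin/sh
# Added example: verify that a published DFW rule reached a host's VSIP module.
# Not NSX's own code. Sample outputs below are constructed and abbreviated.

# Constructed sample of `summarize-dvfilter` for one VM (web-01).
SAMPLE_DVFILTER='world 100231 vmm0:web-01
 port 50331661 web-01.eth0
  vNic slot 2
   name: nic-100231-eth0-vmware-sfw.2
   agentName: vmware-sfw
   state: IOChain Attached
   vmState: Attached
   failurePolicy: failClosed'

# Constructed sample of `vsipioctl getrules -f nic-100231-eth0-vmware-sfw.2`.
# ip-securitygroup-10 stands for an AD-backed security group, ip-virtualwire-2
# for a logical switch; both are assumed ids.
SAMPLE_RULES='ruleset domain-c7 {
  # Filter rules
  rule 1012 at 1 inout protocol tcp from addrset ip-securitygroup-10 to addrset ip-virtualwire-2 port 22 accept with log;
  rule 1011 at 2 inout protocol tcp from any to addrset ip-virtualwire-2 port 443 accept;
  rule 1001 at 3 inout protocol any from any to any drop;
}'

# Constructed sample of `vsipioctl getaddrsets -f nic-100231-eth0-vmware-sfw.2`.
SAMPLE_ADDRSETS='addrset ip-securitygroup-10 {
ip 10.10.1.21,
ip 10.10.1.22,
}
addrset ip-virtualwire-2 {
ip 10.20.0.0/24,
}'

# Print the vmware-sfw filter names (the per-vNIC DFW slots) from
# summarize-dvfilter output on stdin, one per line.
sfw_filters() {
  awk '$1 == "name:" && $2 ~ /vmware-sfw/ { print $2 }'
}

# Print the verdict (accept/drop/reject) of rule $1 from getrules output on
# stdin; prints nothing if the rule id is absent on this host.
rule_action() {
  awk -v id="$1" '$1 == "rule" && $2 == id {
    for (i = 3; i <= NF; i++) {
      w = $i; sub(/;$/, "", w)
      if (w == "accept" || w == "drop" || w == "reject") { print w; exit }
    }
  }'
}

# Print the members of address set $1 from getaddrsets output on stdin.
# An empty result for a set that a rule references means the vCenter object
# resolved to no IPs on this host (the "no enforcement" failure condition).
addrset_members() {
  awk -v set="$1" '
    $1 == "addrset" && $2 == set { inside = 1; next }
    inside && $1 == "}"          { exit }
    inside && $1 == "ip"         { sub(/,$/, "", $2); print $2 }'
}

# check_rule RULES ADDRSETS RULE_ID EXPECTED_ACTION SOURCE_SET
# Returns 0 if the rule is present with the expected action and its source
# address set is non-empty, 1 otherwise.
check_rule() {
  rules="$1"; addrsets="$2"; id="$3"; want="$4"; srcset="$5"
  got=$(printf '%s\n' "$rules" | rule_action "$id")
  [ "$got" = "$want" ] || { echo "rule $id: expected $want, got '${got:-missing}'"; return 1; }
  n=$(printf '%s\n' "$addrsets" | addrset_members "$srcset" | wc -l | tr -d ' ')
  [ "$n" -gt 0 ] || { echo "rule $id: address set $srcset is empty on this host"; return 1; }
  echo "rule $id: $want, $srcset has $n member(s)"
}

# On an ESXi host use the live output; elsewhere fall back to the samples.
if command -v vsipioctl >/dev/null 2>&1; then
  for f in $(summarize-dvfilter | sfw_filters); do
    check_rule "$(vsipioctl getrules -f "$f")" "$(vsipioctl getaddrsets -f "$f")" \
      1012 accept ip-securitygroup-10
  done
else
  check_rule "$SAMPLE_RULES" "$SAMPLE_ADDRSETS" 1012 accept ip-securitygroup-10
fi
```

Run it for every vmware-sfw filter on the host rather than one, since a rule scoped with "applied to" can legitimately be absent from some vNICs; a rule present with the wrong action, or present but referencing an empty address set, is the partial-match or no-enforcement failure condition listed above.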