VMware NSX for vSphere, release 6.0.x.
This document guides you through the step-by-step configuration and validation of NSX-v for microsegmentation services. Microsegmentation makes the data center network more secure by isolating each related group of virtual machines onto a distinct logical network segment, allowing the administrator to firewall traffic traveling from one segment of the data center to another (east-west traffic). This limits attackers’ ability to move laterally in the data center.
VMware NSX uniquely makes microsegmentation scalable, operationally feasible, and cost-effective. The security service provided to applications is agnostic to the virtual network topology. The security configurations explained in this document can be used to secure traffic among VMs on different L2 broadcast domains or to secure traffic within a single L2 broadcast domain.
Microsegmentation is powered by the Distributed Firewall (DFW) component of NSX. DFW operates at the ESXi hypervisor kernel layer and processes packets at near line-rate speed. Each VM has its own firewall rules and context. Workload mobility (vMotion) is fully supported with DFW, and active connections remain intact during the move.
This paper will guide you through two microsegmentation use cases and highlight the steps to implement them in your own environment.
Use Case and Solution Scenarios
This document presents two solution scenarios that use east-west firewalling to handle the use case of securing network traffic inside the data center. The solution scenarios are:
- Scenario 1: Microsegmentation for a three-tier application using three different layer-2 logical segments (here implemented using NSX logical switches connected over VXLAN tunnels):
In Scenario 1, there are two VMs per tier, and each tier hosts a dedicated function (WEB / APP / DB services). Traffic protection is provided within each tier and between tiers. Logical switches are used to group VMs of the same function together.
- Scenario 2: Microsegmentation for a three-tier application using a single layer-2 logical segment:
In Scenario 2, all VMs are located on the same layer-2 segment. Traffic protection is provided within that segment and per function (WEB / APP / DB services). Security Groups (SG) are used to logically group VMs of the same function together.
For both Scenario 1 and Scenario 2, the following security policies are enforced:
For Scenario 1, a logical switch object is used in the source and destination fields. For Scenario 2, a Service Composer / Security Group object is used in the source and destination fields. Because rules reference these vCenter-defined container objects rather than individual VMs, the number of firewall rules needed stays constant irrespective of the number of VMs per tier (or per function).
NOTE: TCP port 1433 simulates the SQL service.
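To make the point about object-based rules concrete, here is an added Python model (not NSX code and not from the original document) in which every rule references a container object, a logical switch for Scenario 1 or a Security Group for Scenario 2, and VMs are resolved to their container at evaluation time. The sample policy, host names and VM inventory are constructed for illustration; the page itself does not list its rules.

```python
from dataclasses import dataclass, replace
from typing import Callable, Dict, List

@dataclass(frozen=True)
class VM:
    name: str
    host: str      # ESXi host the VM runs on; never consulted by the rules
    segment: str   # logical switch the vNIC is attached to (Scenario 1 grouping)
    function: str  # Security Group by function: SG-WEB / SG-APP / SG-DB (Scenario 2 grouping)

@dataclass(frozen=True)
class Rule:
    src: str       # container object referenced by the rule, or "any"
    dst: str
    service: str   # e.g. "tcp/1433" for the simulated SQL service, or "any"
    action: str    # "allow" or "block"

def by_logical_switch(vm: VM) -> str: return vm.segment    # Scenario 1 resolver
def by_security_group(vm: VM) -> str: return vm.function   # Scenario 2 resolver

def policy(prefix: str) -> List[Rule]:
    """Constructed sample policy: web to app on tcp/80, app to db on tcp/1433,
    everything else (including traffic within a tier) blocked. Three rules, any VM count."""
    return [Rule(f"{prefix}-WEB", f"{prefix}-APP", "tcp/80", "allow"),
            Rule(f"{prefix}-APP", f"{prefix}-DB", "tcp/1433", "allow"),
            Rule("any", "any", "any", "block")]

def evaluate(rules: List[Rule], resolve: Callable[[VM], str], src: VM, dst: VM, service: str) -> str:
    """First-match evaluation against the container each VM resolves to; default deny."""
    for r in rules:
        if r.src in ("any", resolve(src)) and r.dst in ("any", resolve(dst)) \
                and r.service in ("any", service):
            return r.action
    return "block"

def build_scenario(n: int):
    """Constructed inventory: two VMs per function, one on each of two ESXi hosts.
    Scenario 1 gives each function its own logical switch; Scenario 2 shares one switch."""
    vms: Dict[str, VM] = {}
    for fn in ("WEB", "APP", "DB"):
        for i, host in enumerate(("esxi-01", "esxi-02"), start=1):
            segment = f"LS-{fn}" if n == 1 else "LS-SHARED"
            name = f"{fn.lower()}-{i:02d}"
            vms[name] = VM(name, host, segment, f"SG-{fn}")
    return vms, policy("LS" if n == 1 else "SG"), (by_logical_switch if n == 1 else by_security_group)

def vmotion(vm: VM, new_host: str) -> VM:
    """Moving a VM changes only its host; container membership, and so the verdict, is unchanged."""
    return replace(vm, host=new_host)
```

Adding a third web VM to either scenario changes the inventory but not the rule list, which is the property the text describes.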
Two ESXi hosts in the same cluster are used. Each host has the following connectivity to the physical
- one VLAN for management, vMotion, and storage. Communication between the ESXi host and the NSX Controllers also travels over this VLAN.
- one VLAN for data traffic: VXLAN-tunneled, VM-to-VM data traffic uses this VLAN.
- web-01, app-01 and db-01 VMs are hosted on the first ESXi host.
- web-02, app-02 and db-02 VMs are hosted on the second ESXi host.
The purpose of this implementation is to demonstrate complete decoupling of the physical infrastructure from the logical functions such as logical network segments, logical distributed routing and DFW.
In other words, microsegmentation is a logical service offered to an application infrastructure irrespective of physical components. There is no dependency on where each VM is physically located.
VMware NSX Hardening Guide
Authors: Pravin Goyal, Greg Christopher, Michael Haines, Roberto Mari, Kausum Kumar, Wade Holmes
This is Version 1.6 of the VMware® NSX for vSphere Hardening Guide.
This guide provides prescriptive guidance for customers on how to deploy and operate VMware® NSX in a secure manner.
Acknowledgements to the following contributors for reviewing and providing feedback to various sections of the document: Kausum Kumar, Roberto Mari, Scott Lowe, Ben Lin, Bob Motanagh, Dmitri Kalintsev, Greg Frascadore, Hadar Freehling, Kiran Kumar Thota, Pierre Ernst, Rob Randell, Roie Ben Haim, Yves Fauser
The guide is provided in an easy-to-consume spreadsheet format with rich metadata (similar to the existing VMware vSphere Hardening Guides) to allow for guideline classification and risk assessment.
Feedback and comments to the authors and the NSX Solution Team can be posted as comments to this community post (note: users must log in to VMware Communities before posting a comment).
Download the full NSX-v Security Hardening Guide
The intended audience for this document includes virtualization and network architects seeking to deploy VMware® NSX™ for vSphere® in combination with F5® BIG-IP® Local Traffic Manager™ devices.
Note: A solid understanding based on hands-on experience with both NSX-v and F5 BIG-IP LTM is a prerequisite to successfully understanding this design guide.
NSX deployments can today be coupled with F5 BIG-IP appliances or the BIG-IP Virtual Edition.
Such a deployment gives NSX customers a flexible, powerful, and agile infrastructure with the richness of F5 ADC services.
Note: F5 deployment and configuration are done from the F5 side.
The Software Defined Data Center is defined by server virtualization, storage virtualization and network virtualization. Server virtualization has already proved the value of SDDC architectures in reducing the cost and complexity of compute infrastructure. VMware NSX network virtualization provides the third critical pillar of the SDDC and extends the same benefits to the data center network, accelerating network service provisioning, simplifying network operations and improving network economics.
VMware NSX-v is the leading network virtualization solution in the market today and is being deployed across all vertical markets and market segments. NSX reproduces L2-L7 networking and security services, including L2 switching, L3 routing, firewalling, load balancing, and IPSEC/VPN secure access, completely in software and allows programmatic provisioning and management of these services. More information about these functions is available in the NSX Design Guide.
F5 BIG-IP is the leading application delivery controller in the market today. The BIG-IP product family provides Software-Defined Application Services™ (SDAS) designed to improve the performance, reliability and security of mission-critical applications. BIG-IP is available in a variety of form factors, ranging from ASIC-based physical appliances to vSphere-based virtual appliances. NSX deployments can be coupled with F5 BIG-IP appliances or Virtual Edition form factors.
Furthermore, F5 offers a centralized management and orchestration platform called BIG-IQ.
By deploying BIG-IP and NSX together, organizations are able to achieve service provisioning automation and agility enabled by the SDDC combined with the richness of the F5 application delivery services they have come to expect.
This design guide provides recommended practices and topologies to optimize interoperability between the NSX platform and F5 BIG-IP physical and virtual appliances. It is intended for customers who would like to adopt the SDDC while ensuring compatibility and minimal disruption to their existing BIG-IP environment. The recommended practice guide provides step-by-step guidance for implementing the topologies outlined in this document.
NSX/F5 Topology Options
“BIG-IP Form Factor” / “NSX overlay or not” / “BIG-IP placement” Relationships
There are about 20 possible topologies that can be used when connecting BIG-IP to an NSX environment, but this design guide focuses on the three that best represent the combinations of form factor, connection method, and logical topology. In addition, the design guide highlights the pros and cons of each of the three topologies.
The following figure describes the relationship of:
- BIG-IP form factor:
o BIG-IP Virtual Edition (“VE”)
o BIG-IP physical appliance
- With NSX overlay/Without NSX overlay:
o non-VXLAN (VLAN tagged or untagged)
- BIG-IP placement:
o BIG-IP parallel to NSX Edge
o BIG-IP parallel to DLR
o BIG-IP One-Arm connected to server network(s)
o BIG-IP on top of NSX Edge
o BIG-IP on top of NSX DLR
Download a full NSX F5 Design Guide v1.6
VMware NSX is the network virtualization platform that delivers the operational model of a VM for the network to transform data center operations and economics.
VMware vRealize Automation (vRA) is the automation engine within VMware’s vRealize Cloud Management Platform (CMP). vRA is designed to automate not just application and service delivery, but also the infrastructure ecosystem around them, resulting in an app-centric authoring, provisioning and lifecycle management solution. A critical component of that infrastructure is a networking and security strategy that can meet the demands of new and existing applications while protecting enterprises against modern threats.
While previous vRA releases already integrated NSX networking and security, the latest release, vRA 7.x, makes building, consuming, and lifecycle-managing application-centric network services a core function of service delivery.
This presentation is a technical overview of the integration, services and capabilities delivered with vRA 7 + NSX.
NOTE: This video is roughly 50 minutes in length so it would be worth blocking out some time to watch it!
This guide shows how to perform day-to-day management of an NSX for vSphere (“NSX-v”) deployment. This information can be used to help plan and carry out operational monitoring and management of your NSX-v implementation.
To monitor physical network operations, administrators have traditionally collected various types of data from the devices that provide network connectivity and services. Broadly the data can be categorized as:
- Statistics and events
- Flow level data
- Packet level data
Monitoring and troubleshooting tools use these types of data to help administrators manage and operate networks. Collectively, this information is referred to as “network and performance monitoring and diagnostics” (NPMD) data. The diagram below summarizes the types of NPMD data and the tools that consume it.
The tools used for monitoring physical networks can be used to monitor virtual networks as well. Using standard protocols, the NSX platform provides network monitoring data similar to that provided by physical devices, giving administrators a clear view of virtual network conditions.
In this document, we’ll describe how an administrator can monitor and retrieve network statistics, network flow information, packet information, and NSX system events.
This document is intended for those involved in the configuration, maintenance, and administration of VMware NSX-v. The intended audience includes the following business roles:
- Architects and planners responsible for driving architecture-level decisions.
- Security decision makers responsible for business continuity planning.
- Consultants, partners, and IT personnel who need the knowledge for deploying the solution.
This guide is written with the assumption that the administrator using these procedures is familiar with VMware vSphere and NSX-v and has a strong networking background. For detailed explanations of NSX-v concepts and terminology, please refer to the NSX for vSphere documentation website.
This guide covers NSX-v and its integration with core VMware technologies such as vSphere and the vSphere Distributed Switch (vDS). It does not attempt to cover architectural design decisions or installation. Also, while third-party integrations and extensive APIs are available to programmatically configure and manage NSX, this document does not focus on APIs or third-party integration, including other VMware products. Specific APIs are mentioned only when they offer a recommended or efficient method for configuring NSX, or when there is no direct UI function available to perform the desired action.
Download the full NSX-v Operations Guide, rev 1.5
VMworld 2014 MGT1969 vCloud Automation Center and NSX Integration Technical Deep Dive.
NOTE: This video is roughly 60 minutes in length so it would be worth blocking out some time to watch it!
Tech Data hosted a live stream event with special guests from VMware for a training and demo on NSX.
NOTE: This video is roughly 18 minutes in length so it would be worth blocking out some time to watch it!
Raj is back to tell the team all about one of VMware NSX’s top security benefits: microsegmentation!
This session will focus on introducing NSX. It will detail the product and its components, the key use cases, partner integrations and pricing and packaging.
NOTE: This video is roughly 50 minutes in length so it would be worth blocking out some time to watch it!