The VMware NSX network virtualization platform is a critical pillar of VMware’s Software Defined Data Center (SDDC) architecture. NSX network virtualization delivers for networking what VMware has already delivered for compute and storage. In much the same way that server virtualization allows operators to programmatically create, snapshot, delete and restore software-based virtual machines (VMs) on demand, NSX enables virtual networks to be created, saved, deleted and restored on demand without requiring any reconfiguration of the physical network.
The result fundamentally transforms the data center network operational model, reduces network provisioning time from days or weeks to minutes and dramatically simplifies network operations.
Due to the critical role NSX plays within an organization, hardening of the product along with secure topology will reduce the risk an organization may face. This document is intended to provide configuration information and topology recommendations to ensure a more secure deployment.
This paper is a draft document which covers some fundamentals of how one can securely deploy network virtualization with NSX.
NSX Traffic [Control, Management, and Data]
The main components of NSX are the NSX Manager, NSX Edge/Gateway, NSX Controllers and the NSX vSwitch. Great care must be taken with the placement and connectivity of these components within an organization’s network. NSX functions can be grouped into three categories: management plane, control plane and data plane.
NSX can be consumed directly through the NSX Manager UI, which in a vSphere environment is available through the vSphere web interface. Typically end-users tie network virtualization into their cloud management platform (CMP) for deploying applications; NSX integrates with virtually any CMP through its REST API, and out-of-the-box integration is available through VMware vCloud Automation Center.
The NSX management plane is provided by the NSX Manager. The NSX Manager is the single point of configuration and the REST API entry point for NSX in a vSphere environment, and it is also the integration point with vCenter. Anyone who can reach and authenticate to it can reconfigure the entire virtual network, which is why its placement matters.
Network traffic to and from the NSX Manager should be restricted and it’s recommended that it be placed on a management network where access is limited.
The NSX Manager web interface redirects plain HTTP requests so that access is only possible over HTTPS. Note that the redirect itself is answered in cleartext, so clients and automation should be pointed at the https:// URL directly and should validate the server certificate rather than relying on the redirect.
Traffic from the NSX Manager to other components such as vCenter and the ESXi hosts is encrypted. These safeguards reduce some of the risk to the NSX Manager, but it is recommended that it be separated from other traffic via physical or VLAN separation, at a minimum. The VMware vSphere Hardening Guides (http://www.vmware.com/security/hardening-guides.html) can be used to further explore protection of the management network.
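The two properties just described (HTTPS-only access to the manager and a certificate the client can verify) are easy to assert and easy to regress after an upgrade or a certificate change. The following script is an added example and not code from the white paper or from VMware: it connects to the cleartext port of a manager host without following redirects, checks that the answer is a redirect to https:// on the same host, and then opens a certificate-verified TLS connection. The hostname and CA bundle path are placeholders to replace with your own.

```python
"""Check that a management appliance (e.g. NSX Manager) only serves HTTPS.

Added example, not part of the white paper.  Hostname and CA path below are
placeholders; nothing here is NSX-specific beyond the expectation that the
cleartext port answers with a redirect to https://.
"""
import http.client
import ssl
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}


def evaluate_redirect(status, location, expected_host):
    """Return (ok, reason) for the response received on the cleartext port.

    A redirect is accepted only if it sends the client to https:// on the
    same host; anything else means plaintext access is still possible.
    """
    if status not in REDIRECT_CODES:
        return False, "cleartext port answered HTTP %d instead of a redirect" % status
    if not location:
        return False, "redirect without a Location header"
    target = urlsplit(location)
    if target.scheme.lower() != "https":
        return False, "redirect target is not https: %s" % location
    if target.hostname and target.hostname != expected_host.lower():
        return False, "redirect leaves the host: %s" % location
    if status not in (301, 308):
        # Works, but a temporary redirect lets caches and clients keep trying http.
        return True, "https redirect is temporary (%d); prefer a permanent 301/308" % status
    return True, "https redirect OK"


def probe_cleartext(host, timeout=5):
    """Fetch '/' over plain HTTP and return (status, Location) without following it."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", "/", headers={"Host": host})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def probe_tls(host, ca_bundle, timeout=5):
    """Open a verified TLS connection to port 443; raises ssl.SSLError if the
    certificate does not chain to ca_bundle or does not match the hostname."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    conn = http.client.HTTPSConnection(host, 443, timeout=timeout, context=ctx)
    try:
        conn.request("HEAD", "/")
        return conn.getresponse().status
    finally:
        conn.close()


if __name__ == "__main__":
    HOST = "nsxmgr.example.internal"        # placeholder
    CA_BUNDLE = "/etc/pki/tls/certs/corp-ca.pem"  # placeholder
    status, location = probe_cleartext(HOST)
    print(evaluate_redirect(status, location, HOST))
    print("https status:", probe_tls(HOST, CA_BUNDLE))
```

Run it from the management network (it needs to reach ports 80 and 443 on the manager); a failure in `probe_tls` means the manager certificate is not one your clients should trust, which is the same condition that would let a middlebox intercept the management session.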
The NSX Controller is the heart of the control plane. In a vSphere-optimized environment where VMware’s vSphere Distributed Switches (VDS) are deployed, the controllers enable multicast-free network virtualization and program the elements that provide logical distributed routing and logical network traffic within and across hypervisors.
In all cases, the controller is purely part of the control plane; no data plane traffic passes through it. Controller nodes are deployed as a cluster with an odd number of members to provide high availability and scale, and failure of a controller node does not impact existing data plane traffic.
This communication does not carry any sensitive application data, but NSX depends on it to work properly. As of NSX version 6.0.4, controller-to-controller and hypervisor-to-controller communication is unencrypted, so the network segment itself is the only protection against eavesdropping or tampering. Hence, it is recommended that this traffic be separated from other traffic via physical or VLAN separation, at a minimum, and no user machines should be on this network.
The NSX Data plane consists of the NSX vSwitch. The vSwitch in NSX for vSphere is based on the vSphere Distributed Switch (VDS) with additional components to enable rich services. The add-on NSX components include kernel modules (VIBs) which run within the hypervisor kernel providing services such as distributed routing, distributed firewall and enable VXLAN bridging capabilities.
The NSX vSwitch (VDS) abstracts the physical network and provides access-level switching in the hypervisor. It is central to network virtualization because it enables logical networks that are independent of physical constructs such as VLAN. Some of the benefits of the VDS are:
- Support for overlay networking leveraging VXLAN and centralized network configuration. Overlay networking enables the following capabilities:
o Creation of a flexible logical layer 2 (L2) overlay over existing IP networks on existing physical infrastructure without the need to re-architect any of the data center networks
o Provisioning of communications (east-west and north-south) while maintaining isolation between tenants
o Application workloads and virtual machines that are agnostic of the overlay network and operate as if they were connected to a physical L2 network
- The NSX vSwitch scales to very large numbers of hypervisors.
- Multiple features—such as Port Mirroring, NetFlow/IPFIX, Configuration Backup and Restore, Network Health Check, QoS, and LACP—provide a comprehensive toolkit for traffic management, monitoring and troubleshooting within a virtual network.
Additionally, the data plane also consists of gateway devices that provide either L2 bridging from the logical networking space (VXLAN) to the physical network (VLAN) or L3 routing between the two.
The gateway device is typically an NSX Edge virtual appliance. NSX Edge offers L2, L3, perimeter firewall, load balancing and other services such as SSL VPN and DHCP.
Topology and the NSX Manager Virtual Machine
Because the NSX Manager virtual machine (VM) is part of the management plane, certain considerations must be taken into account when deciding where to install and connect the VM.
1. Placement: Best practices dictate that the NSX Manager should be placed in a segmented and secured network. Since the NSX manager and vCenter are in continuous communication, it is recommended they be placed on the same network. Typically, the NSX manager and vCenter are placed on a management network where access is limited to specific users and/or systems. The management network should not contain any user or general network traffic.
2. Physical and network security: The following table lists the ports used for communication with the NSX Manager. If you are firewalling the NSX Manager from other network services, make sure the appropriate ports are open and that nothing beyond them is reachable.
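The placement rules in this section (no user machines on the networks that carry management or control-plane traffic, NSX Manager and vCenter on the same management network, controllers deployed as an odd-numbered cluster) can be checked mechanically against an inventory of where each component sits. The following check is an added example and not from the white paper or from VMware: the inventory is constructed, the role names are this example’s own, and segmentation is keyed on VLAN ID only, so physically separate networks must be given distinct IDs in the inventory for the check to be meaningful.

```python
"""Check an NSX component placement inventory against the segmentation rules
described in this document.  Added example; the inventory is constructed and
the role vocabulary (nsx-manager, vcenter, nsx-controller, esxi-mgmt,
workload, jump-host) is this example's own, not an NSX API concept."""
from collections import defaultdict

MANAGEMENT_ROLES = {"nsx-manager", "vcenter"}
# Controller<->controller and host<->controller traffic is unencrypted (NSX 6.0.4),
# so a host's management vmknic counts as a control-plane endpoint here.
CONTROL_ROLES = {"nsx-controller", "esxi-mgmt"}
PROTECTED_ROLES = MANAGEMENT_ROLES | CONTROL_ROLES


def check_topology(inventory):
    """Return a list of (severity, message) findings.

    inventory: iterable of dicts with keys name, role and vlan.  Admin systems
    that legitimately live on the management network use role "jump-host";
    any user or application VM uses role "workload".
    """
    findings = []
    by_vlan = defaultdict(list)
    for item in inventory:
        by_vlan[item["vlan"]].append(item)

    # Rule 1: a VLAN carrying management- or control-plane traffic has no user machines.
    for vlan in sorted(by_vlan):
        items = by_vlan[vlan]
        protected = [i["name"] for i in items if i["role"] in PROTECTED_ROLES]
        users = [i["name"] for i in items if i["role"] == "workload"]
        if protected and users:
            findings.append(("HIGH", "VLAN %d mixes %s with user workloads %s"
                             % (vlan, ", ".join(protected), ", ".join(users))))

    # Rule 2: NSX Manager and vCenter talk continuously; keep them on one management VLAN.
    mgr_vlans = {i["vlan"] for i in inventory if i["role"] == "nsx-manager"}
    vc_vlans = {i["vlan"] for i in inventory if i["role"] == "vcenter"}
    if mgr_vlans and vc_vlans and mgr_vlans != vc_vlans:
        findings.append(("MEDIUM", "NSX Manager (VLAN %s) and vCenter (VLAN %s) are on different networks"
                         % (sorted(mgr_vlans), sorted(vc_vlans))))

    # Rule 3: controllers form a quorum-based cluster, so deploy an odd number (three or more).
    controllers = sum(1 for i in inventory if i["role"] == "nsx-controller")
    if controllers and (controllers < 3 or controllers % 2 == 0):
        findings.append(("MEDIUM", "%d controller nodes; deploy an odd number, three or more"
                         % controllers))
    return findings


# Constructed inventory with two deliberate problems: a user VM on the control
# network and an even-sized controller cluster.
SAMPLE_INVENTORY = [
    {"name": "nsxmgr-01", "role": "nsx-manager", "vlan": 10},
    {"name": "vcenter-01", "role": "vcenter", "vlan": 10},
    {"name": "admin-jump-01", "role": "jump-host", "vlan": 10},
    {"name": "nsxctl-01", "role": "nsx-controller", "vlan": 20},
    {"name": "nsxctl-02", "role": "nsx-controller", "vlan": 20},
    {"name": "esx-01-vmk0", "role": "esxi-mgmt", "vlan": 20},
    {"name": "web-01", "role": "workload", "vlan": 20},
    {"name": "app-01", "role": "workload", "vlan": 100},
]

if __name__ == "__main__":
    for severity, message in check_topology(SAMPLE_INVENTORY):
        print(severity, message)
```

In practice the inventory would be built from vCenter (port group and VLAN of each VM and vmknic) rather than typed by hand; the check is deliberately independent of how that data is collected so it can run as a gate in a change pipeline.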
Download a full Securing VMware® NSX Technical White paper