This is a joint blog series with Daniel Paluszek .

We will be discussing how to achieve security compliance inside vCloud Director’s future workloads by pre-configuring native NSX DFW rules.

The use-case came from a new cloud provider that wants to deploy a specific vApp when they onboard a new tenant (or organization). This specific vApp will need to have NSX Distributed Firewall rules in place – the vApp will be the same for every tenant and will need to be secured accordingly and hence achieve compliance.

Daniel discussed a great method of creating an NSX security group with Dynamic Membership and that uses VM name as the dynamic construct.The caveat in that is the Provider/Tenant MUST create the vApps with names that match the dynamic membership created natively in NSX.

My method would be based on using the Resource Pool ORG-ID instead of the VM name as the construct used in my dynamic membership criteria with the Caveat that the Provider will have to add each ORG that needs such compliance to this security group.

Tenants can pick any name for their workloads vApps/VMs and still comply with the Firewall rules that are pre-enforced.

Overall Steps:

Creation of a Security Group with Dynamic Membership
Creation of a Security Policy
Activating Security Policy against Security Group
Creating vApp that meets dynamic membership criteria

Creation of a Security Group with Dynamic Membership

Navigate to Menu -> Networking and Security -> Service Composer
The first thing we are going to do is create a Security Group that will associate the dynamic membership based on entity criteria.

3. We want to apply this group to any VM inside the Org vDC. For that, we will be using Resource Pool Org-ID entity in the dynamic membership criteria.

ORG-IDs are generated for each Org vDC inside vCD. We can be import them as a VC object inside Dynamic Security Group Membership by using the “Resource Pool” as an entity . Hence, the Org vDC should pre-exist in order to pre-configure the native Firewall rules to achieve the compliance needed or we can simply add the newly created ones to the same security group on day 2.

Note that you will have to include every Org vDC you create/created that will need this kind of security compliance.

resource pool RP2

4. Click Finish, and we are off to the next step.

Creation of a Security Policy

Let’s click on the Security Policies tab inside of Service Composer and create a new Security Policy –

2. give it a name – We are using Standard vApp DFW Rules.

3. From here, we can click on Firewall Rules and create our rules. In our example, We are going to let HTTPS traffic in and block everything else. Typically, for micro-seg rules, we would create granular rules to secure all types of traffic. We are using these just as an example.

4. Creating DFW policies is fairly straightforward in the Service Composer –

Activating Security Policy against Security Group

Now, we are ready to apply our newly created policy to our group. Click the Apply button while your newly created policy is selected –
From the pop-up window, we will select our Standard vApp Rule group as a Selected Object –
Success – now we can see it has been applied –
From the DFW view, we can see a new section created with associated DFW rules –

No need to go through specifics of creating the vAPP that meets criteria as all vAPPs/VMs that are part of the pre-provisioned Org ID will automatically have the security compliance. However, take note that you will need to add each ORG-VDC’s resource pool into that policy to achieve compliance.

While this is not the only path of securing Provider-managed VM’s for a tenant. Check out Daniel’s bog post for his approach!

The Virtual Any Cloud Network Vision

The network of the future is software-defined. A Virtual Cloud Network, built on VMware NSX technology, is a software layer from on-prem data center to any cloud, any branch and any infrastructure.

VMware NSX is the foundation of the Virtual Cloud Network which consists of : NSX Data Center, NSX Cloud, App Defense , NSX SD-WAN by VeloCloud and NSX Hybrid Connect.

In this blog, I will be focusing on NSX Cloud piece of it to demonstrate its key features and benefits.

NSX Cloud

NSX Cloud is a secure, consistent foundation that makes managing the networking and security of your workloads living literally on any cloud which includes your on-prem private cloud and/or the hyper-scale public clouds (AWS, Azure and GCP).

It solves challenges Cloud Architects face when dealing with public clouds which include Lack of real-time visibility in cloud traffic flows, security policy consistency across hybrid clouds, compliance to enterprise security policies and leveraging existing operational tools.

It also adds a new line of revenue for Cloud Service Providers where NSX Cloud can be utilized to offer managed security services for their tenants’ workloads living on any cloud.

So What Are The Benefits of NSX Cloud in The Virtual Cloud Network?

1. Consistent Security For Apps Running On Any Cloud:

The main benefit in my opinion when utilizing NSX Cloud is the ability to enforce your Firewall security rules from your on-prem NSX Manager to workloads living on-premise and/or Azure and/or AWS and/or Google Cloud Platform using the same firewall rule applied across all clouds.

NSX Cloud brings networking and security capabilities to endpoints across multiple clouds. By integrating with NSX Data Center (deployed on-premises), it enables networking and security management across clouds and data center sites using the same NSX manager deployed on-prem.

Security policy is automatically applied and enforced based on instance attributes and user-defined tags. Policies automatically follow instances when they are moved within and across clouds.Dynamic Policies can based on

VM attributes in cloud – eg VNET ID, Region, Name, Resource Group, etc
Customer defined Cloud resource tags

NSX_Cloud_usecase1

Example:

A 3-tier application (Web VMs / App VMs/ DB VMs) consists of :

Multiple Web servers spread across multiple hyperscale clouds: AWS/Azure/GCP. All of these servers will be tagged its respective native cloud tags: “Web”
App server is a kubernetes container living On-Premises and will be tagged with “App”
DB Server which consists of multiple VMs living On-Premises and will be tagged with “DB”

All of the above 3 tier app workloads will be tagged with a unique tag that will differentiate the application (in this case FE/APP/DB of website X). We will be using this tag to apply-to field in the DFW rules.

Webservers will need to to communicate with App servers living on AWS on port TCP 8443.

App containers would need to communicate with the DB servers on port MySQL TCP 3306.

Any should be able to communicate with the Web Servers on HTTPS TCP 443.
3 Firewall rules will be needed from the NSX Manager living on-prem that will enforce the above security posture using security tags constructs across ALL of the leveraged clouds.

2. Manageability and Visibility Across All Public Clouds

From the NSX Cloud Service Manager “CSM”, you will have the option to add all your Public Cloud accounts (AWS/Azure/GCP).

Once you add all your public cloud accounts, you will be able to view all of the Accounts, Regions, VPCs/VNETs you own along with their respective workloads from the same User Interface. Think of its a single pane of glass across all accounts across Public Clouds.

This will simplify the manageability of your workloads and save a lot of time in troubleshooting and capacity planning.

3. Real Time Operation Monitoring With DFW Syslog and L3SPAN in Public Clouds

From an operational perspective, you want to make sure all these security groups that you have are active and on. Since the Firewall and Security policies are now managed via the NSX manager, we will have the option to use syslog which look very similar to the logs created by hypervisor.

You can collect the data and send it to your Syslog collector, say Splunk and you will be able to run Data Analysis off of it.

This will provide statistics on who are the VMs talking to , what ports are permitted/denied etc.

usecase3

Real Time Operations visibility can also be complimented by using the L3SPAN in public clouds per the below flow:

Enable NSX L3 SPAN/Mirror on a per Logical port or Logical switch basis using Port-mirroring Switching Profile
NSX Agent running inside the VM captures the traffic.
Mirrored traffic forwarded to IP destination (collector) within VPC using GRE

usecase3_2

4. Full Security Compliance with the Quarantine Option

You will have the option for full compliance for policy enforcement where the VMs that are created in the public cloud which are not managed by NSX will be quarantined.

This is done via the Multi-layered security which provides two independent security perimeters, primary security through NSX firewall, second layer of security through the native public cloud security groups which will be utilized by the NSX.

Note– This is optional. You can still have a dev environment that has both NSX managed and non managed workloads without enforcing the quarantine.

usecase4

Note: As of the publishing date of this blog, the NSX-T 2.2 GA version fully supports workloads on-prem and Azure.

The upcoming NSX-T Cloud versions will be supporting AWS and other public Clouds.

In Summary

The virtual any cloud network is the next generation of cloud Networking. Cloud Admins could now utilize NSX Cloud to have full visibility for cloud traffic flows while the Security admins will enforce consistent security policies across all clouds.

Cloud Service Providers can utilize NSX Cloud to offer managed services for their tenant workloads anywhere, creating a new line of revenue.

In my next post, I will discuss the CSM in further details along with deep diving on the architecture of NSX Cloud.