Category Archives: Security

NSX Inventory Groups and Memberships to Manage Edge Firewall Rules in VMware Cloud on AWS

I have been using this feature of NSX heavily as of late so I wanted to highlight the power and flexibility of inventory groups that allow you to configure firewall rules that best fit your organization. The grouping of VMs and network services within VMware Cloud on AWS allows you put VMs that have common characteristics such as databases, web servers, operating systems, IP addresses and tags together to more easily publish firewall rules. By default, VMware Cloud on AWS creates two primary management groups and a service inventory when the SDDC is created. The two “parent groups” as I will call them are the Management Group and Workload Group respectively. The Management groups are system defined groups of infrastructure components such as ESX hosts, vCenter, NSX Manager or any other management appliances such as HCX. Workload groups are user defined groups of Virtual Machines or IP addresses.

Network and Security Inventory Groups

As you can see above, I added sub groups to the Workload Group based on function (Web, SQL, etc.). Recently, I have been testing the Membership Criteria option as this feature leverages tags and can also group based on Virtual Machine names that contain or start with a defined string. To add a new group, select Add Group, name your group, and then choose one of three membership types, Virtual Machine, IP Address or Membership Criteria. For this example, I used Membership Criteria. Once Membership Criteria is selected, pick the member VMs based on one of the two criteria (VM Name or Tag). For VM name you can choose contains or equals to categorize your VM grouping. The tag criteria can only be leveraged by having the tag name be equal to the VM(s) that is defined. In order to leverage the tag membership criteria, the the VM must be already tagged.

**Public Service Announcement** vCenter Tags and Attributes are NOT manifest in Networking & Security in the SDDC. These tags can only be added via Virtual Machines under Networking & Security > Inventory > Groups > Virtual Machines. Right click on the VM, select Edit and add your tag.

For the sake of this blog, I have created several VMs with different names but the same tag to show how tagging is leveraged.

VMs with their respective tags

Once VMs are tagged correctly, verify tagging is working by going to the Workload Groups by selecting the group > View Members.

Web Server members based on tags.

Now that VMs are properly grouped and tagged, Compute Gateway rules can now be configured and published. Go to Networking & Security > Compute Gateway > Add New Rule > Name the rule and select your source and destination. You should see your newly created group in the selection.

To verify that the rule is applied correctly, go to Networking & Security > Inventory > Groups > Workload Groups > Select the group that was added to the edge firewall rule > Select View Reference.

Below is a demo showing how VMs (tagged “Web”) on different Network segments can all access the internet with one rule.

Refer to the Networking & Security Guide what was updated on January 27,2020. Lastly, if you want to see how to leverage the Distributed Firewall (DFW) to protect 3 Tier Applications be sure to check out Michael Armstrong’s latest blog!!!

AWS re:Invent 2018 – Day 1

This is where things really get moving. I’m happy to say I didn’t regret gorging myself with wings the night before and was ready to hit the ground running to see re:Invent in full swing. Day 1 step count…15,308 (7.57 mi). I started off the morning by attending everyone’s favorite topic….SECURITY!!! This session was spent debunking 13 Cloud Security Myths. A few things that I already knew were reinforced. One, public clouds are more secure that on-prem data centers. Two, security should be the first thing you think about when deploying everything from applications to infrastructure. Three, if you continue to follow older security models that have been around for years, you are missing the entire point of the cloud!

 

IMG_5143IMG_5144

Next up was a two-hour workshop getting some hands-on experience with the AWS Virtual Private Cloud (VPC). VPCs are the backbone to everything AWS including VMware Cloud on AWS. Although I have taken some online classes via AWS and A Cloud Guru, it was great to spend more time setting up VPCs as it is core to understanding how AWS works. We worked in groups of six where we set up VPC peering with each other. My main takeaway….have a concrete plan for the CIDR blocks you choose for your VPCs. If you don’t plan correctly, you will have to start over. A tool given out by the architects running the session was http://subnet-calculator.org/cidr.php . Bookmark it! An added benefit to the workshop was $25 in AWS credits!

Next stop was the Expo Hall and welcome reception. Of course, the hall was massive with hundreds of booths and all the SWAG you can handle. I decided to take a look around beforehand so I knew where to get “the good stuff.” Since I’m a VMware guy, it was awesome to see us well represented we even have our newest members of the family in Heptio (met Joe Beda at the booth) and Cloud Health with booths of their own.

The last session of the day was a VMware Cloud on AWS Deep Dive with Andy Reedy and Jin Zhang. If you ever get a chance to spend time with Andy, I would recommend it. I met him two years ago at some customer meetings and he is a fantastic architect. He got into the weeds with VMWonAWS regarding the host hardware and the interconnectivity between the vSphere hosts and AWS native services. We even went into the i3 and r5 models for EBS backed VSAN. It was a great session. As I have said before, AWS and VMware have a deep partnership to make this service available. The pace of innovation is blinding! Day 2 is next!!

This slideshow requires JavaScript.