Distributed Firewall Management in NSX

The distributed firewall feature in NSX allows filtering with all elements in your VMware cluster that are on Overlay or VLAN segments. It should be used normally on east-west connections (ovh-T1-gw), but it also works with elements of the VMware cluster that are connected on the north-south gateway (ovh-T0-gw). Filtering applies from the source (VM, segment, network, etc.).

To simplify the administration of NSX, it is possible to place tags on your elements (segments, virtual machines, roles, etc..) and create groups that contain the objects associated with the tags or IP address ranges (this solution should not be preferred).

Learn how to manage the distributed firewall by creating a rule that blocks traffic between a virtual machine and all virtual machines in another segment.

Requirements

• Being an administrative contact of your Hosted Private Cloud infrastructure to receive login credentials.
• A user account with access to the OVHcloud Control Panel.
• Having NSX deployed with two segments configured in your NSX configuration, you can use our guide on Segment Management in NSX for more information.

Instructions

We will isolate communication between a virtual machine and all virtual machines in a segment bi-directionally by performing these operations :

• Create two tags, one on a virtual machine and one on a segment.
• Create two associated groups, one containing the first tag and the other the second.
• Create a policy in the distributed firewall that will contain two rules:
  • A rule that will forbid traffic from the first group to the second.
  • Another rule that will forbid traffic from the second group to the first.

Creating tags

In the NSX interface...

• Go to the Networking tab.
• Click Segments to the left in Connectivity.
• Click on the three vertical dots to the left of the segment you want to tag.
• Choose Edit from the menu.

 

To the right of Tags, enter ovsegment instead of tag and click Add Item(s) ovsegment below the input box.

 

Enter ov1 instead of Scope and click Add Item(s) ov1 below the input box.

 

Click the + button to the left of your tag.

 

The created tag is displayed in the bottom right of Tags, you can create more tags depending on your needs.

• Click SAVE.
• Click CLOSE EDITING to complete the markup for your segment.

 

Go to the Inventory tab and click Virtual Machines on the left in the inventory to view the list of virtual machines.

Then click on the three vertical dots to the left of the virtual machine that you want to tag and choose Edit from the menu.

 

Enter vm instead of Tag and click Add Item(s) vm below the input box.

 

Enter ov2 instead of Scope and click Add Item(s) ov2 below the input box.

 

Click the + button to the left of your tag.

 

The tag is created, click SAVE to save your changes.

 

Stay in the inventory and click Tags on the left to see the list of tags.

Add groups that contain tags

In the inventory, go to Groups on the left and click ADD GROUP to create a group.

 

Type g-segment01 below the Name column and click Set under the Compute Members column.

 

Leave Generic selected and click + ADD CRITERION.

Choose these settings :

• Type : NSX Segment.
• Tags : Equals ovsegment.
• Scope: Equals ov1.

Click APPLY.

 

Click SAVE.

 

The group is created. Click View Members in the row of your group to display the members list.

 

Click IP Addresses to view the IP addresses that are used on your segment and which have been automatically added to your group.

 

Click NSX Segments to display the member segment of this group which has been automatically added from the criteria. You can click on CLOSE to close this window.

 

Click ADD GROUP to create a second group.

 

Type g-vm below the Name column and click Set under the Compute Members column.

 

Leave Generic selected and click + ADD CRITERION.

Choose these settings :

• Type : Virtual Machine.
• Tags : Equals vm.
• Scope: Equals ov2.

Click on APPLY.

 

Click SAVE.

 

Click View Members in the row of your group to view the members.

 

In the Virtual Machines section, you can see the tagged virtual machine that has been automatically added.

Click CLOSE to close this window.

Setting up a distributed firewall rule

We will now create a two-way blocking rule, on the distributed firewall, between the two created groups.

Go to the Security tab, select Distributed Firewall and click + ADD POLICY.

 

Name your strategy Isolate vm and segment.

 

Click the three vertical dots to the left of your policy and choose Add Rule from the menu.

 

Click the Pen icon to the right of Any in the Sources column.

 

Stay on the groups tab, check the g-segment01 group and click APPLY.

 

Click the Pen icon to the right of Any in the Destinations column.

 

Select the g-vm group and click APPLY.

 

Choose Drop to remove packages on this rule and click the three vertical dots to the left of your policy.

 

Click Add Rule in the menu.

 

Click the Pen icon to the right of Any in the Sources column.

 

Select the g-vm group and click APPLY.

 

Click the Pen icon to the right of Any in the Destinations column.

 

Select the g-segment01 group and click APPLY.

 

Choose Drop to remove packages from this rule and click publish to validate the creation of the policy and its two associated rules.

Your rule is active, the traffic between the virtual machine member of the g-vm group and the segment member of the g-segment group is no longer possible.

 

Conclusion

Having read this guide, you should have been able to manage a distributed firewall to isolate communication between a virtual machine and all virtual machines in a segment bi-directionally, including the creation of tags, associated groups, and a policy.