VMware Cloud Director and NSX-T Distributed Firewall

Welcome to NSX-T Distributed Firewall (DFW) Bonus lab.

Through this short lab, you will learn how to integrate the VMware NSX-T DFW with the latest version of VMware Cloud Director (VCD) 10.2 and test the functionality of the DFW through VCD.

Topics that will be covered are:

  • VCD Pre-Requisites
  • Enabling DFW for tenant
  • Pre-Microsegmentation Baselining
  • Configuring DFW Rules
  • Testing the DFW Rules

VMware Cloud Director Pre-Requisite

In this section, you will configure the Compute Provider Scope that is required to enable the NSX-T DFW functionality. This is a special call-out because this particular setting is not usually configured when setting up the VCD and vCenter integration.

Access the vCenter Server Instances Configuration

Assuming you've already logged in to the VCD Provider Portal:

  1. Go to Resources
  2. Click on the Infrastructure Resources tab at the top
  3. Click on vCenter Server Instances
  4. Select the General tab
  5. Click Edit on the right

Edit vCenter Server Settings

  1. Key in the name for Compute Provider Scope: vcsa-01a-CPScope
  2. Click Save

Enabling DFW for the Tenant

In this section we'll be enabling the Distributed Firewall capabilities for the tenant.

Creating Data Center Groups

Assuming you've already logged in to the VCD e-corp Tenant Portal:

  1. Click on the Networking tab at the top
  2. Click on the Data Center Groups tab
  3. Click on New

Select Starting VDC

To create a VDC group, we will need a starting VDC:

  1. Select e-corp-nextgen-paygo VDC
  2. Click Next

Data Center Group General Settings

At the General Settings:

  1. Name: e-corp DC Group
  2. Click Next

Select Participating VDCs

To select the participating VDCs in this Data Center group:

  1. Select e-corp-nextgen-paygo VDC
  2. Click Next

Review Data Center Group Settings

  1. Review the configurations, and if all is accurate, click on Finish

Enabling Distributed Firewall

  1. After successfully creating the Data Center group, click on the e-corp DC Group to access the configuration

Activate Distributed Firewall

  1. To enable the firewall, click on Activate

Confirm Distributed Firewall Activation

  1. To confirm the DFW activation, click on Activate

Add Edge Gateway into Data Center Group

To be able to implement distributed firewall rules for VMs or vApps, we must add the Edge Gateways of those VMs or vApps into the Data Center Group.

  1. Click on Edge Gateway
  2. Click on Add Edge

Add Edge Gateway

  1. Select the existing Edge Gateway ecorp-gw
  2. Click on Save

Pre-Microsegmentation Baselining

In this section we will baseline the environment to understand its connectivity before applying the distributed firewall policies.

IP address and Ping verification

Verify the IP address of the VM web-singap and that it can ping the other two VMs at 172.16.30.22 and 172.16.30.23.

Verify Network Port open

Verify whether the network port is open by:

  1. Initiate telnet 172.16.30.22 80
  2. Key in any character ("a" in this example) and hit Enter
  3. If the network port is open, you'll get an HTTP response
  4. Initiate telnet 172.16.30.22 81
  5. If the network port is closed, you'll get a Connection refused message

Perform the same checks for 172.16.30.23.

Configuring the Distributed Firewall

In this section we will configure the microsegmentation rules on the NSX-T Distributed Firewall.

Create IP Sets

Access the IP Sets configuration page:

  1. Click on Networking
  2. Go to Data Center Groups > e-corp DC Group
  3. Click on IP Sets on the left pane
  4. Click on New

New IP Set

To create a new IP set:

  1. Name: web-net
  2. IP Addresses: 172.16.30.0/24
  3. Click Add
  4. Click Save

Create Distributed Firewall Rule

Access the Distributed Firewall configuration page:

  1. Click on Networking
  2. Go to Data Center Groups > e-corp DC Group
  3. Click on Distributed Firewall on the left pane
  4. Click on Edit Rules

Edit Rules

Create a new rule:

  1. Click on New On Top
  2. Rule Name: web-to-web HTTP deny
  3. Click on the pencil (edit) button under Applications

Select Applications

To select the specific application:

  1. Click on the Choose a specific application toggle
  2. Click on the filter button under Name
  3. Type in http
  4. Select HTTP service
  5. Click Save

Edit Rules (cont.)

  1. Under Source, click on the pencil (edit) button

TIPS: We will not configure Context in this lab; it is used for the L7 firewall capabilities.

Select Source Firewall Groups

  1. Click on the web-net IP Set
  2. Click on Keep

Edit Rules (cont.)

  1. Click on the pencil (edit) button under Destination and use the same IP set: web-net
  2. Change the Action from Permit to Deny
  3. Click on Save

TIPS: This effectively blocks HTTP traffic between hosts within the 172.16.30.0/24 network, but allows all other traffic coming in.
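To make the scope of the rule explicit, here is an added example (not part of the lab material) that models the lab's IP Set, HTTP service, Deny rule and permissive default as a small first-match evaluator and prints the expected verdict for each flow tested in the next section. The source address used for web-singap (172.16.30.21) and the outside client (10.0.0.5) are constructed values; the lab does not state them.

```python
from typing import Optional
from ipaddress import ip_address, ip_network

# Objects as the lab configures them: IP Set web-net, the HTTP service,
# one Deny rule, and the implicit default that still permits everything else.
IP_SETS = {"web-net": [ip_network("172.16.30.0/24")]}
SERVICES = {"HTTP": ("tcp", 80)}
RULES = [  # evaluated top-down, first match wins
    {"name": "web-to-web HTTP deny", "src": "web-net", "dst": "web-net",
     "service": "HTTP", "action": "Deny"},
]
DEFAULT_ACTION = "Permit"   # per the lab's TIPS: all other traffic is allowed

def in_set(ip: str, set_name: str) -> bool:
    """True if ip falls inside any prefix of the named IP Set."""
    addr = ip_address(ip)
    return any(addr in net for net in IP_SETS[set_name])

def verdict(src_ip: str, dst_ip: str, proto: str, dport: Optional[int] = None) -> str:
    """Expected DFW decision for one flow (source, destination, protocol, dest port)."""
    for rule in RULES:
        svc_proto, svc_port = SERVICES[rule["service"]]
        if (in_set(src_ip, rule["src"]) and in_set(dst_ip, rule["dst"])
                and proto == svc_proto and dport == svc_port):
            return rule["action"]
    return DEFAULT_ACTION

def lab_matrix(web_host: str = "172.16.30.21", outside_host: str = "10.0.0.5") -> dict:
    """Expected outcome of the lab's tests, plus two flows the rule does not touch.
    web_host stands in for web-singap and outside_host for a client outside
    web-net; both addresses are constructed for this example."""
    return {
        "web-net -> .22 tcp/80 (HTTP)": verdict(web_host, "172.16.30.22", "tcp", 80),
        "web-net -> .23 tcp/80 (HTTP)": verdict(web_host, "172.16.30.23", "tcp", 80),
        # tcp/81 is permitted by the DFW; the 'Connection refused' seen in the
        # baseline comes from the VM itself having nothing listening there.
        "web-net -> .22 tcp/81":        verdict(web_host, "172.16.30.22", "tcp", 81),
        "web-net -> .22 icmp (ping)":   verdict(web_host, "172.16.30.22", "icmp"),
        # North-south HTTP into web-net is outside the rule's source match.
        "outside -> .22 tcp/80 (HTTP)": verdict(outside_host, "172.16.30.22", "tcp", 80),
    }

if __name__ == "__main__":
    for flow, action in lab_matrix().items():
        print(f"{flow:32} {action}")
```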

Testing the Distributed Firewall Rules

After configuring the firewall rules, we will test the rules we created.

Connectivity Test

  1. Initiate ping 172.16.30.22
  2. The result should show 0% packet loss. Press Ctrl-C to stop
  3. Initiate ping 172.16.30.23
  4. The result should show 0% packet loss. Press Ctrl-C to stop

Network Port Test

  1. Initiate telnet 172.16.30.22 80
  2. Enter any character ("a" in this example) and hit Enter
  3. You should get no HTTP response

Do the same for 172.16.30.23.

TIPS: This is the expected result because we configured the firewall rule to block HTTP traffic.
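The telnet checks in the baselining section and in this testing section are the same probe run before and after the rule. As an added example (not part of the lab), the script below reproduces that probe for the lab's hosts and ports, labels each outcome, and reports which targets changed between two snapshots; the target list is constructed from the addresses in the lab text.

```python
import socket

# Constructed target list from the lab text: the two web VMs, the open
# HTTP port (80) and the closed control port (81).
TARGETS = [("172.16.30.22", 80), ("172.16.30.22", 81),
           ("172.16.30.23", 80), ("172.16.30.23", 81)]

def classify_reply(data: bytes) -> str:
    """Label what the service sent back after our junk 'a' line."""
    if not data:
        return "open-silent"        # TCP connected, but nothing answered
    if data.startswith(b"HTTP/"):
        return "http-response"      # the lab's 'HTTP return' (typically a 400)
    return "open-other"             # a non-HTTP listener answered

def probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Reproduce the lab's telnet check for one host:port.
    Outcomes: http-response, open-silent, open-other, refused, filtered, unreachable."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"a\r\n")      # the 'a' + Enter typed into telnet
            try:
                return classify_reply(s.recv(4096))
            except socket.timeout:
                return "open-silent"
    except ConnectionRefusedError:
        return "refused"            # RST: host reachable, port closed (lab: port 81)
    except socket.timeout:
        return "filtered"           # no SYN/ACK and no RST: a drop rule in the path
    except OSError:
        return "unreachable"        # routing or ARP failure, not a firewall verdict

def snapshot(targets=TARGETS) -> dict:
    """One probe per target keyed 'host:port', e.g. the pre-DFW baseline."""
    return {f"{h}:{p}": probe(h, p) for h, p in targets}

def changed(before: dict, after: dict) -> dict:
    """Targets whose outcome differs between two snapshots: the rule's effect."""
    return {k: (before[k], after.get(k)) for k in before if before[k] != after.get(k)}

if __name__ == "__main__":
    for target, state in snapshot().items():
        print(f"{target:20} {state}")
```

Run it once before activating the rule and once after; with the lab's rule in place only the port 80 entries should appear in `changed()`, moving from http-response to filtered.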