In this lab we start by looking at the basics of creating east-west firewall rules using the NSX Distributed Firewall functionality within the SDDC.
Note: This lab requires that you have completed the steps in the Working with your SDDC lab concerning Content Library creation, network creation and firewall rule creation.
Distributed Firewall Rules
The distributed firewall rules are implemented to secure workload groups in the SDDC environment. A firewall is a network security system that monitors and controls the incoming and outgoing network traffic based on predetermined firewall rules.
The source of the rule is a single or multiple workload groups. The source matches to the default any if not defined. The destination of the rule is a single or multiple workloads. The destination matches to the default any if not defined.
When you log into your environment’s VMC console you will see a section called Networking & Security. Navigate to Distributed Firewall under the Security tab.
As you can see, the distributed firewall has 5 different sections:
- Emergency Rules: Applies to temporary rules needed in emergency situations, for example blocking traffic to a web server due to malicious content. Firewall rules defined in this section are evaluated before any rules defined in other sections.
- Infrastructure Rules: Applies to infrastructure rules only, such as ESXi, vCenter Server or connectivity to the on-premises data center.
- Environment Rules: Applies to broad groups, such as setting rules so that the production environment cannot reach the test environment. Another common use of Environment rules is to easily create DMZ networks.
- Application Rules: Applies to specific application rules. This section is where we can provide microsegmentation-like protection to our workloads, for example blocking east-west traffic between two web servers on the same L2 segment.
- Default Rules: The default rule is set to allow all traffic. This is important to understand, since our perimeter firewalls are located at the T1 (Tier-1) gateways, which we discussed in “Working with your SDDC lab”. Our Tier-1 gateways provide perimeter protection, while our distributed firewall rules allow us to define policies inside the SDDC.
Note: In this lab we will be focusing on Application Rules. We will deploy two web servers within our SDDC in the same L2 network and block traffic between the two VMs.
Deploy two web servers
As a first step in our distributed firewall lab, we will deploy two VMs acting as our web tier. These two web servers will reside in the same subnet.
- If not already opened, open your VMware Cloud on AWS vCenter and click on the Menu drop down
- Select Content Libraries
- Click on your previously created Content Library named Student# (where # is your student number)
- Make sure you click on the Template tab
- Right-click on the EFS template
- Select New VM from This Template
- Name the virtual machine student#Web01 (where # is your student#)
- Expand the location and select Workloads
- Click Next
- Expand the destination to select Compute-ResourcePool as the compute resource
- In the “Review details” step click Next
- In the Select storage step, highlight the “WorkloadDatastore”
- Click Next
- Select the network that belongs to your student number.
- Click Next
- Click Finish
- Repeat steps 1-17 and deploy another web VM and name this instance student#Web02
- Check for completion of the deployment of your VM
- Click Menu
- Select VMs and Templates
- Check to make sure your VMs are powered on. If not, power on your VMs.
Confirm L2 adjacency
Now that we have deployed two virtual machines in the same subnet let’s log into the VM’s and check the network settings and test network connectivity between both web servers.
- Open a console to both student#Web01 and student#Web02. You can do this by right-clicking on the VM and selecting Open Remote Console. Note: ensure that your browser is not blocking popups in case you don’t see a remote console window.
- Log into both web servers with username: root and password VMware1!
- Once you are logged into the servers enter command ifconfig. You should see the server IP address in the proper subnet that you created in lab Working With Your SDDC. Make note of both VM’s IP addresses.
- Now that we have the IP addresses for each server, let’s do a ping test to verify connectivity. From student#Web01, ping the student#Web02 IP address. (Enter Ctrl+C to stop the pings.)
Add a Security Group
A security group categorizes VMs based on VM names, IP addresses, or matching criteria of VM name and security tag. Based on the matching criteria, you can apply a configuration to all the VMs in the security group instead of applying the configuration to each VM in the SDDC environment individually. You can use security groups when you configure Edge or distributed firewalls.
For this lab we will create a security group based on VM name matching criteria.
- Log in to the VMC console at (https://vmc.vmware.com/)
- Select Networking & Security > Groups > Workload Groups
- Click Add Group
- Enter the security group name securitygroup#. Under Member Type, select Membership Criteria
- Click Set Membership Criteria
- Click Add Criteria
- For Property select VM Name
- For Condition select contains
- For Value enter student# (where # is the student number assigned to you) and click Save
- Click Save. Your security group should look similar to the image below:
Check Security Group Members
Now that we have created our security group you can see which members fall under the security group criteria.
From the workload groups, click on the 3 dots next to your security group and select View Members
You should be able to see all of the VMs you have deployed throughout the lab.
Set Distributed Firewall Rules
Note: For any traffic attempting to pass through the firewall, the packet information is subjected to the rules in the order shown in the rules table, beginning at the top and proceeding to the rules at the bottom. In some cases, the order of precedence of two or more rules might be important in determining the disposition of a packet.
The default firewall rules apply to traffic that does not match any of the user-defined firewall rules. The default firewall rules allow all L3 and L2 traffic to pass through all prepared clusters in your infrastructure. The default Layer 3 firewall rule applies to all traffic, including DHCP. If you change the Action to Drop or Reject, DHCP traffic is blocked. You must create a rule to allow DHCP traffic.
Now that we have defined our security group, we will use it as both the source and the destination of our firewall rule.
Create New Section
- Log in to the VMC console at (https://vmc.vmware.com/)
- Select Networking & Security > Distributed Firewall
- Select Application Rules from the right-hand column and click Add New Section
- For name enter student# (where # is the student number assigned to you)
- Click Publish on the top right corner. Your section should look like the screenshot below
Add New Rule
- Click the arrow next to your section
- Click Add New Rule
- For Name enter student# (where # is the student number assigned to you)
- For Source select your security group and click Save
- For Destination select your security group and click Save
- For Services select any and click Save
- For Action select Reject
- Click Publish on the top right corner. Your new rule should look like the screenshot below
Now that our east-west distributed firewall rule is in place, let’s re-run our ping test to see if connectivity between the two web servers is being blocked.
- Return to the console of your first web server and re-run the same ping command you did previously. You should see that the traffic is now prohibited.
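As an added illustration (not part of this lab or of VMC's own code), the following Python models what the Add a Security Group and Set Distributed Firewall Rules steps configured: the “VM Name contains student#” membership criteria, the five DFW sections evaluated top to bottom with the first match deciding, the Reject rule in the Application section, and the DHCP caveat from the note above. The VM names, group name, rule names and service labels are constructed for the example.

```python
from dataclasses import dataclass
# NSX Distributed Firewall sections, in the order rules are evaluated (top to bottom).
CATEGORIES = ["Emergency", "Infrastructure", "Environment", "Application", "Default"]

@dataclass
class Rule:
    name: str
    category: str
    action: str                  # "Allow", "Drop" or "Reject"
    source: str = "any"          # workload group name, or "any"
    destination: str = "any"
    services: frozenset = frozenset({"any"})

def group_members(vm_names, needle):
    """Membership criteria 'VM Name contains <needle>', as used for securitygroup#."""
    return {name for name in vm_names if needle in name}

def evaluate(rules, groups, src_vm, dst_vm, service):
    """First-match evaluation: rules ordered by section, keeping their order inside a section."""
    ordered = sorted(rules, key=lambda r: CATEGORIES.index(r.category))  # sorted() is stable
    for r in ordered:
        src_ok = r.source == "any" or src_vm in groups[r.source]
        dst_ok = r.destination == "any" or dst_vm in groups[r.destination]
        svc_ok = "any" in r.services or service in r.services
        if src_ok and dst_ok and svc_ok:
            return r.name, r.action
    return ("no-match", "Allow")  # not reached while a Default section rule exists

# Constructed inventory: student 1's two web servers plus another student's VM.
VMS = ["student1Web01", "student1Web02", "student12Web01"]
GROUPS = {"securitygroup1": group_members(VMS, "student1")}  # assumed group name

DEFAULT_ALLOW = Rule("Default Rule", "Default", "Allow")
STUDENT_RULE = Rule("student1", "Application", "Reject",
                    source="securitygroup1", destination="securitygroup1")

def ping_between_web_servers():
    """The lab's end state: ICMP between Web01 and Web02 hits the Reject rule."""
    return evaluate([DEFAULT_ALLOW, STUDENT_RULE], GROUPS, "student1Web01", "student1Web02", "ICMP")

def dhcp_with_default_drop(allow_dhcp_rule=False):
    """Flipping the default to Drop blocks DHCP unless an explicit allow rule precedes it."""
    rules = [Rule("Default Rule", "Default", "Drop"), STUDENT_RULE]
    if allow_dhcp_rule:
        rules.append(Rule("Allow DHCP", "Infrastructure", "Allow", services=frozenset({"DHCP"})))
    return evaluate(rules, GROUPS, "student1Web01", "dhcp-server", "DHCP")

if __name__ == "__main__":
    print(ping_between_web_servers(), sorted(GROUPS["securitygroup1"]))
    print(dhcp_with_default_drop(), dhcp_with_default_drop(True))
```

Note that a “contains student1” criterion also captures student12Web01, which is why the Check Security Group Members step belongs before publishing a rule built on that group.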