VMware Networking Community
rajeevsrikant
Expert

DFW Exception

I have 4 clusters, each cluster has 2 hosts. All are part of VXLAN.

DFW is configured & all the clusters' VMs are part of the DFW.

Now I am creating a distributed port group & it will be associated with a VLAN (not VXLAN).

I don't want the VMs in this port group to be part of DFW; no DFW firewall rules are to be applied to the VMs.

What is the best & the recommended way to achieve this?


Accepted Solutions
bayupw
Leadership

Your method can be slightly changed into something like below:

- Create Security Group for all VLAN-backed VMs e.g. SG-VLAN-VMs

- Create Security Group for all VXLAN-backed VMs e.g. SG-VXLAN-VMs

- For the VLAN-backed VMs, create a firewall rule to Allow Any to Any and Applied To SG-VLAN-VMs

- For any other rules, edit the default Applied To from Distributed Firewall to SG-VXLAN-VMs. You can even create smaller application groups to use in Applied To if you want.

Using Apply To will also help to reduce the DFW rules per VMware-sfw.

If you are using PowerCLI/PowerNSX, it would be quite easy to add VMs to the exclusion list:

Distributed Firewall operations

```powershell
Get-VM <VM name> | Add-NsxFirewallExclusionListMember
```

If all the VXLAN-backed VMs are inside the same folder, you can grab them with a one-line command and add them to the exclusion list, something like below:

```powershell
Get-Folder "First Folder" | Get-Folder "Second Folder" | Get-VM | Add-NsxFirewallExclusionListMember
```

Bayu Wibowo | VCIX6-DCV/NV
Author of VMware NSX Cookbook http://bit.ly/NSXCookbook
https://github.com/bayupw/PowerNSX-Scripts
https://nz.linkedin.com/in/bayupw | twitter @bayupw
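
The concern raised in the thread is that keeping the exclusion list current by hand is a continuous operation. The following is an added example, not part of the original posts or of PowerNSX itself: it reconciles the exclusion list against one port group and reports any excluded VM that is not on that port group instead of removing it. The port group name `PG-VLAN-100` and the VM names are constructed, and VM names are assumed to be unique.

```powershell
# Added example, not from the thread. 'PG-VLAN-100' and the VM names are constructed.

function Get-ExclusionDrift {
    param([string[]]$Desired = @(), [string[]]$Current = @())
    # Pure set comparison, so the logic can be checked without a lab.
    foreach ($n in $Desired) {
        if ($n -notin $Current) { [pscustomobject]@{ VM = $n; Action = 'Add' } }
    }
    # Extra entries are only reported: other VMs (vCenter, for example) may be
    # excluded on purpose, so removal is left to a reviewer.
    foreach ($n in $Current) {
        if ($n -notin $Desired) { [pscustomobject]@{ VM = $n; Action = 'Review' } }
    }
}

function Sync-DfwExclusionList {
    # Requires PowerCLI and PowerNSX with an active Connect-NsxServer session.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$PortGroupName)

    # The exclusion list is per VM: a VM with any vNIC on the port group is
    # excluded on all of its vNICs, so multi-homed VMs deserve a second look.
    $desired = Get-VM | Where-Object {
        ($_ | Get-NetworkAdapter).NetworkName -contains $PortGroupName
    }
    $current = Get-NsxFirewallExclusionListMember

    foreach ($row in Get-ExclusionDrift -Desired $desired.Name -Current $current.Name) {
        if ($row.Action -eq 'Add' -and
            $PSCmdlet.ShouldProcess($row.VM, 'Add to DFW exclusion list')) {
            Get-VM -Name $row.VM | Add-NsxFirewallExclusionListMember
        }
        $row   # emit every drift row for the change record
    }
}

# Constructed sample data exercising the comparison only.
$desired = 'vlan-app01', 'vlan-app02', 'vlan-db01'
$current = 'vlan-app01', 'old-test-vm'
Get-ExclusionDrift -Desired $desired -Current $current | Format-Table
```

Running `Sync-DfwExclusionList -PortGroupName 'PG-VLAN-100' -WhatIf` on a schedule shows pending additions without changing anything; rows marked `Review` are VMs that bypass the DFW but are not on the VLAN port group.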

7 Replies
bayupw
Leadership

You can use Negate Source/Destination to exclude a VM from specific rules (see Add a Firewall Rule), or use Applied To to apply rules only to specific VMs/Security Groups.

But the VM will still hit the last default rule.

If you want to exclude the VM from any DFW rules, I think the only way is by adding the VMs to the DFW Exclusion List.

Exclude Virtual Machines from Firewall Protection


Bayu Wibowo | VCIX6-DCV/NV
Author of VMware NSX Cookbook http://bit.ly/NSXCookbook
https://github.com/bayupw/PowerNSX-Scripts
https://nz.linkedin.com/in/bayupw | twitter @bayupw
rajeevsrikant
Expert

I did consider this option.

Since the number of VMs will be large, it will be difficult to add the VMs manually to the exception list, & it will be a continuous option.

The other option I am thinking of is that, for that particular distributed port group, I will create a policy to allow all & place the rule at the top.

But the VMs will be receiving all the firewall rules along with the permit all rules at the top.

For the existing firewall configuration, for most of the rules I have chosen the `Applied To` field as Distributed Firewall & it will be difficult to change.

So can I conclude that there is no way I can provide an exception so that the particular distributed port group will not receive any firewall rules?

rajeevsrikant
Expert

Since the number of VMs will be large, it will be difficult to add the VMs manually to the exception list, & it will be a continuous operation.

hansroeder
Enthusiast

I think this will be the only solution which will really give you what you need. You just need to make sure that there is no overlap in IP addresses between the VMs on this Port Group and VMs in VXLAN, so you should use the "Applied To" field if this is the case. If you configure the firewall rule correctly (which shouldn't be that hard), the VMs will allow all incoming and outgoing traffic. So the traffic will still go through the DFW (there simply is no other option, if the Exclusion List isn't a viable option), but everything will simply be allowed.

rajeevsrikant
Expert

The VLAN & VXLAN network segments will be different & there will be no chance of overlapping IP addresses.

If VMware comes up with this required functionality in future, it will be useful.

Anyhow, thanks for the clarification.

rajeevsrikant
Expert

Thanks.
