VMware Networking Community
snochico1
Enthusiast

DFW rule where the applications communicate to a MS SQL Availability group.

Hi All,

I am working on implementing a DFW rule where the applications communicate to a MS SQL Availability group. 

Both VMs have a VM IP, an MS Failover Cluster IP and a SQL Availability Group Listener IP.

At the OS level each VM presents its own IP. Only the VM acting as the MS Failover Cluster master publishes the cluster IP to its OS. The same applies to the Availability Group: it too only pushes its IP to the OS of the VM hosting the active copy.

OS check (IPs the OS can see): PS> Get-NetIPAddress | select IP*
VMware Tools check (IPs reported to vCenter): PowerCLI> $DBlist = Get-VM "DB"; $DBlist.Guest.IPAddress

We leverage Multi-Site and Multi-Subnet aware SQL applications, so the IP addresses of both nodes are published to DNS. The application, being smart enough, periodically checks both IPs to see which one holds the active DB copy. This keeps failovers from depending on DNS TTLs.

The issue I find is that these applications, being aware of both IPs published to DNS, reach out to both nodes to see which one is the master. When they reach out to the passive node, the App --> DB DFW rule is not hit and the traffic hits the catch-all, currently an Allow but in the near future a Block. The cause is that since the OS is not aware of the Availability Group Listener IP, that IP is not added to the inventory for the VM object and consequently is not part of the App --> DB firewall rule.

I would hate to start creating static objects and defining IPs as members to ensure the DFW rules work for MS Clusters and Availability Groups. Has anyone gotten around this using some dynamic means?

2 Replies
jburen
Expert

Hi, it's been a while since you asked this, but this blog has some great suggestions for building a more dynamic DFW rule base: https://www.vviking.nl/vmware/nsx/designing-a-nsx-security-framework/

Basically, don't use IP addresses but other types of objects like application or VM objects.


Consider giving Kudos if you think my response helped you in any way.
snochico1
Enthusiast

Call to the VMware Distributed Firewall guys out there.

Has anyone come up with a solution for this? The only options I have are as follows. I was hoping there was something dynamic that could be done.


  • Don't do anything: when the Availability Group flips, so do the IPs, and NSX-T recognizes that quickly.
    • We would see dropped packets for those applications that are Multi-Site / Multi-Subnet aware, as they reach out to both nodes to verify which IP is the active SQL node.
  • Create an object and populate it with all Availability Group IP addresses. I could even add the VMs to this object to better keep track when decommissioning comes into play.
    • This option will not have any dropped packets, but it comes with management overhead, as this is a static object and not a VM.
  • IP discovery does not add the IPs for the Availability Group member(s) that are passive, as the IP is not known to the OS until that node becomes the active node.
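The following is an added example, not code from the thread or from VMware. It serves two points raised above: the discovery gap from the original question (the listener IP is bound only on the active node, so neither Get-NetIPAddress nor the VMware Tools guest IP list shows it on the passive node, and NSX-T IP discovery never adds it to that VM object), and the "dynamic" version of option 2 in the follow-up post (an NSX-T group whose IP members are fed from the Failover Cluster's own IP Address resources instead of being typed in by hand). The cluster name DBCLUSTER, node/VM names DB01 and DB02, the NSX-T Manager host, the group id sqlag-db-group and the VM-name prefix are assumptions for illustration; the NSX-T Policy API group path and expression types used are the documented ones, but verify them against your NSX-T version.

```powershell
# Added example (not from the original thread). Assumptions: cluster DBCLUSTER with
# nodes DB01/DB02 whose VM names match their host names, PowerCLI and
# FailoverClusters modules installed, WinRM access to the nodes, and an NSX-T
# Manager reachable over the Policy API. All names below are illustrative.

Import-Module VMware.VimAutomation.Core
Import-Module FailoverClusters

function Get-AgClusterIps {
    param([string]$Cluster)
    # Every 'IP Address' resource in the cluster: the cluster core IP and one per
    # AG listener. This list does not depend on which node currently owns them.
    Get-ClusterResource -Cluster $Cluster |
        Where-Object ResourceType -eq 'IP Address' |
        ForEach-Object {
            [pscustomobject]@{
                Resource = $_.Name
                Owner    = $_.OwnerNode.Name
                Address  = ($_ | Get-ClusterParameter -Name Address).Value
            }
        }
}

function Test-AgIpDiscovery {
    param([string]$Cluster, [string[]]$Nodes)
    # For each node and each cluster-owned IP: does the guest OS have it bound, and
    # does VMware Tools report it? On the passive node both answers are False for
    # the listener IP, which is exactly why the DFW object never contains it.
    $clusterIps = Get-AgClusterIps -Cluster $Cluster
    foreach ($node in $Nodes) {
        # The post's OS check, run remotely
        $osIps = Invoke-Command -ComputerName $node -ScriptBlock {
            (Get-NetIPAddress -AddressFamily IPv4).IPAddress
        }
        # The post's PowerCLI check; this is what IP discovery sees for the VM
        $toolsIps = (Get-VM -Name $node).Guest.IPAddress
        foreach ($ip in $clusterIps) {
            [pscustomobject]@{
                Node      = $node
                Resource  = $ip.Resource
                Address   = $ip.Address
                OwnedHere = ($ip.Owner -eq $node)
                InGuestOS = ($osIps -contains $ip.Address)
                InVMTools = ($toolsIps -contains $ip.Address)
            }
        }
    }
}

function Sync-NsxAgGroup {
    param(
        [string]$Cluster,
        [string]$NsxManager,
        [pscredential]$NsxCredential,
        [string]$GroupId,
        [string]$VmNamePrefix
    )
    $ips = @((Get-AgClusterIps -Cluster $Cluster).Address | Sort-Object -Unique)
    # Group membership = (all cluster/listener IPs) OR (VMs named with the prefix),
    # so the App --> DB rule matches the listener IP on whichever node owns it,
    # while the VM objects themselves still belong to the group for lifecycle.
    $body = @{
        display_name = $GroupId
        expression   = @(
            @{ resource_type = 'IPAddressExpression'; ip_addresses = $ips },
            @{ resource_type = 'ConjunctionOperator'; conjunction_operator = 'OR' },
            @{ resource_type = 'Condition'; member_type = 'VirtualMachine';
               key = 'Name'; operator = 'STARTSWITH'; value = $VmNamePrefix }
        )
    } | ConvertTo-Json -Depth 5

    # Basic auth against the NSX-T Policy API (assumed endpoint layout)
    $pair  = '{0}:{1}' -f $NsxCredential.UserName, $NsxCredential.GetNetworkCredential().Password
    $token = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes($pair))
    $null = Invoke-RestMethod -Method Patch `
        -Uri "https://$NsxManager/policy/api/v1/infra/domains/default/groups/$GroupId" `
        -Headers @{ Authorization = "Basic $token" } `
        -ContentType 'application/json' -Body $body
    return $ips
}

# Usage (illustrative names)
Connect-VIServer -Server 'vcenter.example.local' | Out-Null
Test-AgIpDiscovery -Cluster 'DBCLUSTER' -Nodes 'DB01', 'DB02' | Format-Table -AutoSize
Sync-NsxAgGroup -Cluster 'DBCLUSTER' -NsxManager 'nsx.example.local' `
    -NsxCredential (Get-Credential -Message 'NSX-T admin') `
    -GroupId 'sqlag-db-group' -VmNamePrefix 'DB0'
```

Because the IP list is read from the cluster rather than from the guest OS, it already contains the listener IP that the passive node does not have bound, so the probe from a Multi-Subnet aware application to the passive node matches the App --> DB rule instead of the catch-all. A failover does not change the listener IP, so the group needs re-syncing only when listeners are added or removed; running Sync-NsxAgGroup on a schedule or from the cluster change process keeps the "static" object from drifting, which is the overhead the second option worried about.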