I am working on implementing a DFW rule where the applications communicate with an MS SQL Availability Group.
Both VMs have a VM IP, an MS Failover Cluster IP and a SQL Availability Listener IP.
At the OS level each VM presents its IP. Only the VM acting as the MS Failover Cluster master will publish its IP to the OS. The same applies for the Availability Group: it too will only push its IP to the OS of the VM housing the active copy.
OS check (to see the IPs the OS can see): PS> Get-NetIPAddress | select IP*
VMtools check: PowerCLI> $DBlist = Get-VM "DB"; $DBlist.Guest.IPAddress
We leverage Multi-Site and Multi-Subnet aware SQL applications, so the IP address of both nodes is published to DNS. The application, being smart enough, will periodically check both IPs to see which is holding the active DB copy. This mitigates failovers being reliant on DNS TTL times.
The issue I find is that these applications, being aware of both IPs published to DNS, reach out to both nodes to see which is the master. When they reach out to the passive node the DFW rule App --> DB is not hit and the traffic hits the Catch All, currently an Allow but in the near future a Block. The issue is that since the OS is not aware of the Availability Group Listener IP, the IP is not added to the Inventory for that object and subsequently is not part of the APP --> DB firewall rule.
I would hate to start creating static objects and defining IPs as members to ensure the DFW rules work for MS Clusters and Availability Groups. Has anyone gotten around this using some dynamic means?
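An added PowerCLI check (not from the original post) that audits the situation described above: it reads the VMtools-reported guest IPs of both AG nodes and reports on which node, if any, each floating IP is currently visible. The VM names and the cluster/listener IPs are placeholder assumptions, and a connected PowerCLI session (Connect-VIServer) is assumed.

```powershell
# Added example, not from the original post. Assumes PowerCLI is loaded and
# already connected to vCenter. VM names and IPs below are placeholders.
$DbVmNames = @('DB01', 'DB02')          # assumption: the two AG node VMs
$SharedIps = @{                          # assumption: the floating IPs and their roles
    '10.0.10.50' = 'WSFC cluster IP'
    '10.0.10.51' = 'AG listener IP'
}

function Get-SharedIpPlacement {
    param([string[]]$VmNames, [hashtable]$ExpectedIps)
    $seen = @{}
    foreach ($name in $VmNames) {
        # VMtools-reported addresses: this is what the NSX inventory learns for the VM object,
        # so an IP missing here is also missing from any DFW rule built on that object.
        $guestIps = (Get-VM -Name $name).Guest.IPAddress
        foreach ($ip in $ExpectedIps.Keys) {
            if ($guestIps -contains $ip) { $seen[$ip] = $name }
        }
    }
    foreach ($ip in $ExpectedIps.Keys) {
        $where = if ($seen.ContainsKey($ip)) { $seen[$ip] } else { '<not reported by VMtools>' }
        [pscustomobject]@{
            IP        = $ip
            Role      = $ExpectedIps[$ip]
            VisibleOn = $where   # only the active node reports it; the passive node never will
        }
    }
}

Get-SharedIpPlacement -VmNames $DbVmNames -ExpectedIps $SharedIps | Format-Table -AutoSize
```

Running this before and after a failover shows the listener IP moving between VM objects, which is why a DFW rule keyed on VM inventory covers only the node currently holding the IP.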
Hi, it's been a while since you asked this, but this blog has some great suggestions for building a more dynamic DFW rule base: https://www.vviking.nl/vmware/nsx/designing-a-nsx-security-framework/
Basically, don't use IP addresses but other types of objects, like application or VM objects.