VMware Networking Community
durgaprasadnarn
Enthusiast

Deny Rule Suggestion

Design:

Cross VC:

(1) Management vCenter - all management components are hosted here

(2) VDI vCenter - dedicated to workloads for end users (projects)

One NSX Manager for the Management vCenter - Primary - residing on the Management vCenter

Another NSX Manager for the VDI vCenter - Secondary - also residing on the Management vCenter

The NSX firewall on the Management vCenter is "any to any" permitted. The requirement is to implement a deny rule on the VDI vCenter so that workload access can be controlled by Service Composer rules.

CVMs (controller virtual machines) sitting on each ESXi host talk to the Nutanix cluster. Could someone help me: do I have to add any permit-any connections before adding an explicit deny on the VDI vCenter?

Thank you in advance

5 Replies
Sreec
VMware Employee

I assume both VCs are in the same SSO domain? It is not good practice to mix VCs for VDI and management servers like that.

The NSX firewall on the Management vCenter is "any to any" permitted. The requirement is to implement a deny rule on the VDI vCenter so that workload access can be controlled by Service Composer rules.

I don't understand the above design logic because this is Cross VC. To make it simple and clean: just exclude the VCs from firewall protection on both sites and protect your workloads using supported firewall rules (Local/Global).

Cheers,
Sree | VCIX-5X| VCAP-5X| VExpert 7x|Cisco Certified Specialist
Please KUDO helpful posts and mark the thread as solved if answered
durgaprasadnarn
Enthusiast

Hi,

Thanks for your reply.

Do we have to exclude CVM connections as well? Can you confirm?

Thanks

Sreec
VMware Employee

For sure you can exclude the CVM as well. The recommended configuration is to connect the CVMs to VLAN networks and ensure that the CVMs can reach each other as well as the ESXi hosts over the L2/L3 network. So you can create a rule for that rather than simply excluding the CVM.

Guarantee Your VMs Access to Essential Compute, Storage, and Network Resources with VMware NSX on - ...

Sreec
VMware Employee

Did that help you, or is there anything additional you are looking for from a network security perspective?

durgaprasadnarn
Enthusiast

Thanks Sreec.

I understood it now. Because the CVM is from a different vendor and is not managed by NSX Manager, we are supposed to "permit" this before we apply the deny rule.

Thank you so much again 🙂

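The check the thread converges on (Sree's advice to write a rule for CVM traffic rather than excluding the CVMs, and the conclusion that the CVM permits must sit above the explicit deny) can be rehearsed before touching the real policy. The following is an added example, not code from this thread, VMware or Nutanix: a small first-match model of an NSX-v style distributed firewall (DFW) that evaluates constructed flows against two rule orders, with and without the CVM permits in front of the deny, and also models the exclusion-list alternative where an excluded VM bypasses the DFW entirely. The VM names, security-group names and port numbers are constructed placeholders; the ports a CVM actually needs come from the vendor's port documentation.

```python
"""Constructed first-match model of a DFW rule table (added example).

Not VMware's or Nutanix's code. Group names, VM names and ports are
placeholders; look up the real CVM port requirements before building rules.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

ANY = "any"
Service = Tuple[str, int]          # (protocol, destination port)


@dataclass(frozen=True)
class Flow:
    src_vm: str
    dst_vm: str
    proto: str
    port: int


@dataclass(frozen=True)
class Rule:
    name: str
    src: FrozenSet[str]            # security-group names, or {ANY}
    dst: FrozenSet[str]
    services: FrozenSet[Service]   # {(ANY, 0)} means any service
    action: str                    # "allow" or "deny"


# Constructed inventory: security-group membership per VM.
MEMBERSHIP: Dict[str, Set[str]] = {
    "cvm-host1": {"sg-cvm"},
    "cvm-host2": {"sg-cvm"},
    "esxi-host1": {"sg-esxi"},
    "vdi-desktop-42": {"sg-vdi-project-a"},
    "app-server-1": {"sg-project-a-apps"},
}


def _matches_side(vm: str, selector: FrozenSet[str]) -> bool:
    return ANY in selector or bool(MEMBERSHIP.get(vm, set()) & selector)


def _matches_service(flow: Flow, services: FrozenSet[Service]) -> bool:
    return (ANY, 0) in services or (flow.proto, flow.port) in services


def evaluate(rules: List[Rule], flow: Flow,
             exclusion: Set[str] = frozenset()) -> Tuple[str, str]:
    """Return (action, reason). An excluded VM bypasses the DFW entirely;
    otherwise the first matching rule wins, and a flow matching no rule
    falls through to an implicit allow (the 'any to any' default)."""
    if flow.src_vm in exclusion or flow.dst_vm in exclusion:
        return "allow", "exclusion-list"
    for rule in rules:
        if (_matches_side(flow.src_vm, rule.src)
                and _matches_side(flow.dst_vm, rule.dst)
                and _matches_service(flow, rule.services)):
            return rule.action, rule.name
    return "allow", "default"


def blocked_required_flows(rules: List[Rule], required: List[Flow],
                           exclusion: Set[str] = frozenset()) -> List[Tuple[Flow, str]]:
    """Pre-flight check: which must-work flows would this rule order deny?"""
    blocked = []
    for flow in required:
        action, reason = evaluate(rules, flow, exclusion)
        if action == "deny":
            blocked.append((flow, reason))
    return blocked


# Constructed infrastructure flows that must survive the explicit deny.
REQUIRED_FLOWS = [
    Flow("cvm-host1", "cvm-host2", "tcp", 9000),   # CVM <-> CVM (placeholder port)
    Flow("cvm-host1", "esxi-host1", "tcp", 443),   # CVM -> ESXi host (placeholder port)
]

ANY_SVC = frozenset({(ANY, 0)})
DENY_ALL = Rule("explicit-deny", frozenset({ANY}), frozenset({ANY}), ANY_SVC, "deny")
CVM_PERMIT = [
    Rule("cvm-to-cvm", frozenset({"sg-cvm"}), frozenset({"sg-cvm"}),
         frozenset({("tcp", 9000)}), "allow"),
    Rule("cvm-to-esxi", frozenset({"sg-cvm"}), frozenset({"sg-esxi"}),
         frozenset({("tcp", 443)}), "allow"),
]
PROJECT_RULES = [
    Rule("vdi-to-app", frozenset({"sg-vdi-project-a"}), frozenset({"sg-project-a-apps"}),
         frozenset({("tcp", 443)}), "allow"),
]

POLICY_DENY_ONLY = PROJECT_RULES + [DENY_ALL]            # deny added without CVM permits
POLICY_CVM_FIRST = CVM_PERMIT + PROJECT_RULES + [DENY_ALL]  # CVM permits above the deny

if __name__ == "__main__":
    print("deny-only blocks:", blocked_required_flows(POLICY_DENY_ONLY, REQUIRED_FLOWS))
    print("cvm-first blocks:", blocked_required_flows(POLICY_CVM_FIRST, REQUIRED_FLOWS))
```

Running it shows the deny-only order breaking both CVM flows while the CVM-first order passes them and still denies a VDI desktop reaching a CVM, which is the point of writing scoped permits instead of putting the CVMs on the exclusion list: the exclusion list removes them from enforcement altogether, whereas the permit rules keep everything except the named services blocked.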