Design:
Cross-VC:
(1) Management vCenter - all management components are hosted here
(2) VDI vCenter - dedicated to workloads for end users (projects)
One NSX Manager for the Management vCenter - Primary - residing on the Management vCenter
Another NSX Manager for the VDI vCenter - Secondary - also residing on the Management vCenter only
The NSX firewall on the Management vCenter is "any to any" permitted. The requirement is to implement a deny rule on the VDI vCenter so that workload access can be controlled by Service Composer rules.
The CVMs (controller virtual machines) sitting on each ESXi host are talking to the Nutanix cluster. Could someone help me with whether I have to add any permit-any connections before adding an explicit deny on the VDI vCenter?
Thank you in advance
I assume both the VCs are in the same SSO domain? It is not good practice to mix VCs for VDI and management servers like that.
The NSX firewall on the Management vCenter is "any to any" permitted. The requirement is to implement a deny rule on the VDI vCenter so that workload access can be controlled by Service Composer rules.
I don't understand the above design logic because this is Cross-VC. To make it simple and clean: just exclude the VCs from firewall protection on both sites and protect your workloads using supported firewall rules (Local/Global).
Hi,
Thanks for your reply.
Do we have to exclude CVM connections as well? Can you confirm?
Thanks
For sure you can exclude the CVMs as well. The recommended configuration is: connect the CVMs to VLAN networks and ensure that the CVMs can reach each other as well as the ESXi hosts over the L2/L3 network. So you can create a rule for that rather than simply excluding the CVMs.
Did that help you, or is there anything additional you are looking for from a network security perspective?
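The ordering point above (a permit for CVM-to-CVM and CVM-to-ESXi traffic must sit above the explicit deny, while the vCenter appliances stay on the exclusion list) can be checked against a first-match model of the DFW rule table. This is an added example, not code from the thread or from VMware; the subnets, addresses and rule names are constructed for illustration.

```python
"""First-match model of an NSX distributed firewall (DFW) rule table.

Constructed example: the IP ranges and rule names are assumptions that mirror
the design discussed in the thread, not values taken from it.
"""
from ipaddress import ip_address, ip_network

# Constructed sample addressing (assumption, not from the thread).
CVM_VLAN = ip_network("10.10.20.0/24")      # Nutanix CVMs on their own VLAN
ESXI_MGMT = ip_network("10.10.10.0/24")     # ESXi host management vmk interfaces
VDI_WORKLOADS = ip_network("10.20.0.0/16")  # end-user desktops
ANY = ip_network("0.0.0.0/0")
# Both vCenter appliances on the DFW exclusion list (assumed addresses).
EXCLUSION_LIST = {ip_address("10.10.10.5"), ip_address("10.10.10.6")}

# Rule table in evaluation order; first match wins, as in the DFW.
RULES = [
    ("CVM to CVM", CVM_VLAN, CVM_VLAN, "allow"),
    ("CVM to ESXi", CVM_VLAN, ESXI_MGMT, "allow"),
    ("ESXi to CVM", ESXI_MGMT, CVM_VLAN, "allow"),
    ("Explicit deny", ANY, ANY, "deny"),
]


def evaluate(src, dst, rules=RULES):
    """Return (rule_name, action) for a flow; exclusion-list members bypass the DFW."""
    src, dst = ip_address(src), ip_address(dst)
    if src in EXCLUSION_LIST or dst in EXCLUSION_LIST:
        return ("exclusion list", "allow")
    for name, s_net, d_net, action in rules:
        if src in s_net and dst in d_net:
            return (name, action)
    # Only reached if no any/any rule exists; the DFW default rule is allow
    # unless an administrator has changed it.
    return ("default rule", "allow")


def shadowed_allows(rules=RULES):
    """Names of allow rules that can never match because a broader deny precedes them."""
    shadowed, denies_seen = [], []
    for name, s_net, d_net, action in rules:
        if action == "deny":
            denies_seen.append((s_net, d_net))
        elif any(s_net.subnet_of(ds) and d_net.subnet_of(dd) for ds, dd in denies_seen):
            shadowed.append(name)
    return shadowed
```

Run `shadowed_allows()` against the intended table before publishing it: an empty list confirms the CVM permits are evaluated ahead of the explicit deny.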
Thanks Sreec.
I understood it now. Because the CVM is from a different vendor and is not managed by NSX Manager, we are supposed to "permit" this before we apply the deny rule.
Thank you so much again 🙂