Say I prepared two clusters for both Firewall and VXLAN, one compute and one management. The Management cluster contains my vcenter, ESG, DLR, NSX Controllers and NSX Manager.
When I configure DFW rules, I think the default setting is to apply the rule on all clusters on which the distributed firewall is installed. So does this mean I need to add my controllers, ESG, DLR and NSX Manager VMs into the exclusion list to prevent firewall rules being applied? I do not think the NSX-related VMs will have the rules applied but want to confirm here...
Also, even if I try to add them into the exclusion list, those VMs are not really showing up on the list to be selected...
OR, I should only prepare the compute cluster actually for firewall and VXLAN...
NSX Manager and service virtual machines are automatically excluded from firewall protection. But you should exclude the vCenter server, PSC, partner service virtual machines, etc. in the exclusion list.
Cool. Assuming I have enough NSX licenses, is there any use case to prepare the management cluster in reality? I guess securing vSphere management?
End-to-end security for all clusters is one way we approach the solution; however, based on the functionality/feature (for example, only micro-segmentation but not context-aware), we can opt for the NSX Data Center Standard license.
If you are going to deploy NSX Edge Services Gateway on the management cluster, you would need to prepare the cluster for NSX.
See this link: Add an Edge Services Gateway
Verify that the host clusters on which the NSX Edge appliance will be installed are prepared for NSX. See "Prepare Host Clusters for NSX" in the NSX Installation Guide.
As mentioned in other replies, some NSX components are excluded from DFW by default.
See this link, it also covers what VMs should be excluded from DFW: Exclude Virtual Machines from Firewall Protection
NSX Manager, NSX Controllers, and NSX Edge virtual machines are automatically excluded from NSX distributed firewall protection. In addition, VMware recommends that you place the following service virtual machines in the Exclusion List to allow traffic to flow freely.
vCenter Server. It can be moved into a cluster that is protected by Firewall, but it must already exist in the exclusion list to avoid connectivity issues.
It is important to add the vCenter Server to the exclusion list before changing the "any any" default rule from allow to block. Failure to do so will result in access to the vCenter Server being blocked after creating a Deny All rule (or modifying default rule to block action). If this occurs, roll back the DFW to the default firewall rule set by running the following API command: https://NSX_Manager_IP/api/4.0/firewall/globalroot-0/config. The request must return a status of 204. This restores the default policy (with a default rule of allow) for DFW and re-enables access to vCenter Server and the vSphere Web Client.
Partner service virtual machines.
Virtual machines that require promiscuous mode. If these virtual machines are protected by NSX distributed firewall, their performance may be adversely affected.
The SQL server that your Windows-based vCenter uses.
vCenter Web server, if you are running it separately.
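The answer above stresses that vCenter must be in the exclusion list before the default DFW rule is flipped from allow to block, otherwise you lock yourself out and have to fall back on the rollback API call. The following Python preflight check is an added example written for this thread, not VMware's or the original poster's code: it reads the NSX-v exclusion list and refuses to proceed while any required VM (vCenter, PSC, the vCenter SQL server, and so on) is missing. It assumes the NSX Manager REST endpoint GET /api/2.1/app/excludelist and a response that wraps each excluded VM in <member><name>...</name></member>; the XML sample, the host names and the credentials are constructed for the example.

```python
import base64
import ssl
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample of an NSX-v exclusion list response (element names assumed).
# Note that PSC is absent: the preflight must catch that before the default
# rule is changed to block.
SAMPLE_EXCLUDELIST_XML = """<?xml version="1.0" encoding="UTF-8"?>
<VshieldAppConfiguration>
  <excludeListConfiguration>
    <excludeMember>
      <member>
        <objectId>vm-101</objectId>
        <name>vcenter01</name>
        <objectTypeName>VirtualMachine</objectTypeName>
      </member>
    </excludeMember>
    <excludeMember>
      <member>
        <objectId>vm-102</objectId>
        <name>vcenter-sql01</name>
        <objectTypeName>VirtualMachine</objectTypeName>
      </member>
    </excludeMember>
  </excludeListConfiguration>
</VshieldAppConfiguration>
"""

# VMs that this thread says must be excluded before "any any" becomes block.
# Names are constructed placeholders; use the VM names from your inventory.
REQUIRED_EXCLUSIONS = ["vcenter01", "psc01", "vcenter-sql01"]


def parse_exclusion_list(xml_text):
    """Return the set of VM names found in an exclusion list XML document."""
    root = ET.fromstring(xml_text)
    names = set()
    for member in root.iter("member"):
        name = member.findtext("name")
        if name:
            names.add(name.strip())
    return names


def missing_from_exclusion_list(required, excluded_names):
    """Return the required VM names that are not yet on the exclusion list."""
    excluded = {n.lower() for n in excluded_names}
    return sorted(vm for vm in required if vm.lower() not in excluded)


def preflight_default_rule_change(required, xml_text):
    """Decide whether it is safe to change the default DFW rule to block.

    Returns (ok, missing): ok is True only when every required VM is excluded.
    """
    missing = missing_from_exclusion_list(required, parse_exclusion_list(xml_text))
    return (len(missing) == 0, missing)


def fetch_exclusion_list(nsx_manager, username, password, verify_tls=True):
    """GET the live exclusion list from NSX Manager (endpoint assumed: /api/2.1/app/excludelist)."""
    url = "https://%s/api/2.1/app/excludelist" % nsx_manager
    token = base64.b64encode(("%s:%s" % (username, password)).encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": "Basic " + token,
                                               "Accept": "application/xml"})
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for lab managers with self-signed certificates
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # Offline run against the constructed sample; swap in fetch_exclusion_list()
    # for a live check before touching the default rule.
    ok, missing = preflight_default_rule_change(REQUIRED_EXCLUSIONS, SAMPLE_EXCLUDELIST_XML)
    if ok:
        print("All required VMs are excluded; safe to change the default rule.")
    else:
        print("STOP: add these VMs to the exclusion list first: %s" % ", ".join(missing))
```

Run it as-is to see the offline result, then replace the sample with fetch_exclusion_list("NSX_Manager_IP", user, password) in a change window; the point is that the script returns a non-empty missing list and stops rather than letting a block rule go in while vCenter or PSC is still unprotected by the exclusion.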
Thanks, good information.