kwg66
Hot Shot

Hostname URL resolution in NSX DFW


Hostname resolution doesn't work in NSX-V DFW... does it work in NSX-T? We have been integrating with cloud services and connecting from on premises to hostname URLs (an example would be www.s3.amazon.com).

Using an IP range in the firewall to get to the S3 bucket is not the way to go in the opinion of many within my organization, and it's understandable. If the range changes, your configuration will fail along with the services that are relying on the rules. As a result, many of our workloads that need cloud access have been migrated from NSX to our Cisco FW that supports this.

I found a script on GitHub that claims to bridge this gap; details about it are here: https://networkinferno.net/fqdn-based-ip-sets-in-dfw-rules#comment-37755

Before I attempt to set this up and test it, I really want to know if NSX-T provides the ability to use hostname URLs in the rules. If this is the case, I would probably look to migrate from NSX-V to NSX-T.

Please advise

Accepted Solutions
mauricioamorim
VMware Employee

NSX-T supports FQDN in firewall rules, although it is not customizable yet. As of now only preset FQDNs can be used. More information here: Filtering Specific Domains (FQDN/URLs)

5 Replies
kwg66
Hot Shot

Thanks for the reply. I did get this answer from my account rep and his associate, who is the NSX expert for the Government / EDU sector in my area.

However, unfortunately it requires an upgrade to Enterprise Plus licensing, and you are correct that customization is not possible yet. It currently doesn't include amazon.com in the list of pre-defined URLs. Is it just me, or has amazon.com been left out intentionally so that people are nudged toward VMC on AWS??

A13xxx
Enthusiast

As mentioned previously, NSX-T does not support URLs and VMware advises using IPs for now. We are using IPs so firewall rules continue to work when migrating VMs from on-prem to cloud and back, etc. The URL on-prem is too slow and often delayed.

One way would be to use a scheduled script that updates the IP rule based on the FQDN automatically, using PowerShell or the API directly. You also will not have to worry about DNS issues; if NSX is unable to resolve, the firewall rule is invalid.
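The scheduled "resolve the FQDN, push the addresses into the IP set" approach described above, as an added example that is not part of this thread or of the networkinferno script. It resolves each FQDN on every run, computes the new membership, and only reports a change when the set actually differs; when a lookup fails, that name keeps its last known-good addresses instead of being dropped, so a transient DNS problem never leaves the rule matching nothing. The hostnames and addresses are constructed sample data (a canned resolver stands in for DNS so the script runs offline), `render_nsxv_ipset` is an assumed rendering of the NSX-V IP set PUT body and should be checked against the NSX-V API guide, and the HTTP call itself is left to the caller.

```python
import ipaddress
import socket
from typing import Callable, Dict, List, Set, Tuple
from xml.sax.saxutils import escape

Resolver = Callable[[str], Set[str]]


def resolve_fqdn(fqdn: str) -> Set[str]:
    """Resolve every A/AAAA address the local resolver returns for an FQDN.
    Run this from a host that uses the same resolvers as the workloads,
    otherwise geo/split-horizon DNS can hand the script different answers."""
    addrs: Set[str] = set()
    for _family, _type, _proto, _canon, sockaddr in socket.getaddrinfo(fqdn, None):
        addrs.add(sockaddr[0])
    return addrs


def _flatten(state: Dict[str, Set[str]]) -> List[str]:
    """Merge per-FQDN address sets into one stable, sorted member list."""
    return sorted(
        set().union(*state.values()),
        key=lambda a: (ipaddress.ip_address(a).version, ipaddress.ip_address(a)),
    )


def plan_ipset_update(
    fqdns: List[str],
    last_known: Dict[str, Set[str]],
    resolver: Resolver = resolve_fqdn,
) -> Tuple[Dict[str, Set[str]], List[str], bool, List[str]]:
    """Resolve each FQDN and build the IP set's new membership.

    Returns (new_state, members, changed, failures). A lookup failure does
    NOT empty the set: that FQDN keeps its last known-good addresses, so the
    rule never silently turns into an empty (useless) match after one bad run.
    """
    new_state: Dict[str, Set[str]] = {}
    failures: List[str] = []
    for fqdn in fqdns:
        try:
            # Normalise through ip_address so "::1" and "0::1" compare equal.
            addrs = {str(ipaddress.ip_address(a)) for a in resolver(fqdn)}
        except (OSError, ValueError):  # gaierror/timeouts are OSError subclasses
            addrs = set()
        if addrs:
            new_state[fqdn] = addrs
        else:
            failures.append(fqdn)
            new_state[fqdn] = set(last_known.get(fqdn, set()))
    members = _flatten(new_state)
    changed = members != _flatten(last_known)
    return new_state, members, changed, failures


def render_nsxv_ipset(object_id: str, name: str, members: List[str], revision: int) -> str:
    """Body for PUT /api/2.0/services/ipset/<objectId>.
    ASSUMED NSX-V schema (comma-separated <value>); verify against the API guide."""
    return (
        "<ipset>"
        f"<objectId>{escape(object_id)}</objectId>"
        f"<name>{escape(name)}</name>"
        f"<value>{escape(','.join(members))}</value>"
        f"<revision>{revision}</revision>"
        "</ipset>"
    )


# Constructed sample data: a canned resolver standing in for DNS.
CANNED: Dict[str, Set[str]] = {
    "s3.example.test": {"192.0.2.10", "192.0.2.11"},
    "api.example.test": {"198.51.100.5", "2001:db8::5"},
}


def canned_resolver(fqdn: str) -> Set[str]:
    if fqdn not in CANNED:
        raise socket.gaierror(f"constructed NXDOMAIN for {fqdn}")
    return set(CANNED[fqdn])


if __name__ == "__main__":
    fqdns = list(CANNED)
    state, members, changed, failed = plan_ipset_update(fqdns, {}, canned_resolver)
    print("run 1:", members, "changed" if changed else "unchanged", failed)

    # Next scheduled run: simulate a transient DNS failure for one name.
    def flaky(fqdn: str) -> Set[str]:
        if fqdn == "api.example.test":
            raise socket.gaierror("constructed timeout")
        return canned_resolver(fqdn)

    state, members, changed, failed = plan_ipset_update(fqdns, state, flaky)
    print("run 2:", members, "changed" if changed else "unchanged", failed)
    if changed:  # only push to NSX when membership really moved
        print(render_nsxv_ipset("ipset-PLACEHOLDER", "s3-endpoints", members, revision=1))
```

Two caveats that the scheduled approach does not remove: a name such as an S3 endpoint typically answers with a rotating subset of a much larger address pool, so each run only samples it, and addresses that drop out of DNS stay in the set until a later successful run observes the change. Keep the `failures` list in the job's log so that a resolver outage is visible rather than silently preserved.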

kwg66
Hot Shot

Hello A13xxx, you must be referring to this:

https://networkinferno.net/fqdn-based-ip-sets-in-dfw-rules#comment-37755


I like the idea of shifting to NSX-T, but a scripting server will still need to be used if someone wants amazon.com as a URL in the rules, because in the long list of pre-defined URLs VMware has made available for configuration in the NSX-T product, they also deliberately excluded this domain name.

A13xxx
Enthusiast

We use NSX-V a lot on-prem and the DFW of NSX-T is still very basic; it's pretty much a battle, and it baffles me why you cannot migrate between them and why there is no universal tag system. I raised many cases and each time I have been told to use IPs.

It's still a mission getting the logs out for troubleshooting compared to on-prem NSX.
