VMware Networking Community
MrVmware9423 (Expert)

compromise security during v2t migration

Dear Team,

In NSX-T 3.2 we have a new step in the process called "Prepare Infrastructure"; we won't see this step in NSX-T 3.1 and earlier. This step creates temporary IP Sets in NSX-V to maintain security during the migration. When you migrate a VM from one vCenter (NSX-V) to another vCenter (NSX-T), the VM will no longer be included in the Security Groups in NSX-V, since the object is no longer present there. Before NSX-T 3.2 we had to create these IP Sets manually in NSX-V. Please find the NSX-T 3.2 docs below for your reference.

Migrate the Distributed Firewall Configuration (vmware.com)

In the above link: "You can skip the Prepare Infrastructure step. However, doing so may compromise security until the finalize infrastructure phase is complete." Just wanted to know: once we migrate a VM from the old to the new environment, DFW will not take effect until we migrate all VMs (which will take us several weeks) and finalize the infrastructure to finish the migration.

POST https://{nsxt-mgr-ip}/api/v1/migration?action=finalize_infra

Only after finalizing will DFW for all VMs start working? Please let me know if my understanding is correct.

Thank you in advance

3 Replies
CyberNils (Hot Shot)

Hi,

I would recommend upgrading to 3.2 or later before migrating just for this reason.

If you are unable to upgrade, check out these scripts that may help creating the IPsets:

https://github.com/lcamarda/v2tlivefire/blob/main/nsxv-secgroups-to-ipsets.ps1

https://github.com/lcamarda/blog/blob/master/nsxv-secgroups-to-ipsets.ps1

They are the same thing; the only difference is that with the first one you specify the SG to which you want to add the IPset, while the second does the same for all the SGs in the NSX-V configuration.

DFW will be in effect on both NSX-V and NSX-T during migration, but your VMs will not be protected once they are migrated out of the source vCenter, since the VM object is no longer there, so you need to use IPsets.



Nils Kristiansen
https://cybernils.net/
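The mechanism described in the reply above (IP sets standing in for VM objects that have left the NSX-V vCenter) has two parts worth checking offline before anything is run against a live NSX-V Manager: how the translated addresses of a Security Group are turned into /32 and /128 IP-set members, and whether an IP set built at the start of a migration that runs for weeks still matches what the Security Group translates to today. The PowerShell below is an added example written for this thread; it is not code from the thread, from VMware, or from the lcamarda scripts. It assumes the translation API response has the `<ipNodes><ipNode><ipAddresses><string>` shape the linked scripts expect, and every address, set name and function name in it is constructed for illustration.

```powershell
# Added example, not part of the thread or the linked scripts.
# Pure functions: no vCenter/NSX connection is needed to run this.

function ConvertTo-IpSetMember {
    # Turn the translated addresses of one Security Group into the /32 and /128
    # members an "ipsv4-<SG>" / "ipsv6-<SG>" IP set would hold. Duplicates are
    # collapsed and tokens that are not IP addresses are skipped with a warning
    # instead of aborting the whole run.
    param([Parameter(Mandatory)][xml]$TranslationXml)

    $v4 = [System.Collections.Generic.HashSet[string]]::new()
    $v6 = [System.Collections.Generic.HashSet[string]]::new()

    # Assumed response shape: <ipNodes><ipNode><ipAddresses><string>...</string>
    foreach ($node in $TranslationXml.ipNodes.ipNode.ipAddresses) {
        foreach ($token in ($node.string -split '\s+')) {
            if ([string]::IsNullOrWhiteSpace($token)) { continue }
            $ip = $null
            if (-not [System.Net.IPAddress]::TryParse($token, [ref]$ip)) {
                Write-Warning "Skipping token that is not an IP address: '$token'"
                continue
            }
            if ($ip.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetwork) {
                [void]$v4.Add("$ip/32")
            } elseif ($ip.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetworkV6) {
                [void]$v6.Add("$ip/128")
            }
        }
    }
    [pscustomobject]@{ IPv4 = @($v4 | Sort-Object); IPv6 = @($v6 | Sort-Object) }
}

function Compare-IpSetDrift {
    # Compare what an IP set should contain now (fresh translation) with what it
    # currently holds. A VM that got an address after the set was built shows up
    # as Missing and is unprotected on the NSX-V side once migrated; an address
    # that no longer translates from the SG shows up as Stale.
    param(
        [Parameter(Mandatory)][AllowEmptyCollection()][string[]]$Expected,
        [Parameter(Mandatory)][AllowEmptyCollection()][string[]]$Current
    )
    $exp = [System.Collections.Generic.HashSet[string]]::new([string[]]$Expected)
    $cur = [System.Collections.Generic.HashSet[string]]::new([string[]]$Current)
    [pscustomobject]@{
        Missing = @($exp | Where-Object { -not $cur.Contains($_) } | Sort-Object)
        Stale   = @($cur | Where-Object { -not $exp.Contains($_) } | Sort-Object)
        InSync  = $exp.SetEquals($cur)
    }
}

# Constructed sample: a plausible translation response for one Security Group,
# with a repeated address and a mixed v4/v6 entry to exercise the edge cases.
[xml]$sampleTranslation = @"
<ipNodes>
  <ipNode>
    <ipAddresses>
      <string>10.10.20.11</string>
      <string>10.10.20.12 fd00:10:20::12</string>
      <string>10.10.20.11</string>
    </ipAddresses>
  </ipNode>
</ipNodes>
"@

$members = ConvertTo-IpSetMember -TranslationXml $sampleTranslation
"IPv4 members: $($members.IPv4 -join ', ')"
"IPv6 members: $($members.IPv6 -join ', ')"

# Constructed: what the ipsv4 set held when it was built, before the SG gained
# one VM (10.10.20.12) and lost another (10.10.20.99).
$currentV4 = @('10.10.20.11/32', '10.10.20.99/32')
Compare-IpSetDrift -Expected $members.IPv4 -Current $currentV4 | Format-List
```

To use the drift check against a real environment, feed `ConvertTo-IpSetMember` the XML returned by the `/translation/ipaddresses` call for each Security Group, and pass as `-Current` the existing set's members (the NSX-V IP set object carries them as a comma-separated `value` string). Anything listed under Missing should be added to the set before the VM it belongs to is moved, because after the move the Security Group can no longer match it by VM object.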
MrVmware9423 (Expert)

Thank you Chris,

If we create the IPSET in the NSX-V environment, then during migration and after migration we won't compromise security. Please correct me if I'm wrong.

Also need to know: in the second script, do we just need to modify the highlighted components and run the script? Please confirm.

# Load PowerCLI through the legacy initialisation script if the module is not already
# loaded (only needed for old PowerCLI installs; current PowerCLI is a normal module).
# Connect-NsxServer and the Nsx* cmdlets below come from PowerNSX.
if ( !(Get-Module -Name VMware.VimAutomation.Core -ErrorAction SilentlyContinue) ) {
    . 'C:\Program Files (x86)\VMware\Infrastructure\PowerCLI\Scripts\Initialize-PowerCLIEnvironment.ps1'
}

# Environment-specific values: vCenter, NSX-V Manager address and credentials
Connect-VIServer vcsa-01a.corp.local -User administrator@vsphere.local -Password VMware1!

Connect-NsxServer 192.168.110.16 -Username admin -Password VMware1!

$NSXUsername = "admin"
$NSXPassword = "VMware1!"
$uri = "https://192.168.110.16"
# Create authentication header with base64 encoding
$EncodedAuthorization = [System.Text.Encoding]::UTF8.GetBytes($NSXUsername + ':' + $NSXPassword)
$EncodedPassword = [System.Convert]::ToBase64String($EncodedAuthorization)
# Construct headers with authentication data
$head = @{"Authorization" = "Basic $EncodedPassword"}

$secGroups = Get-NsxSecurityGroup

foreach ($secGroup in $secGroups) {
    $secGroupId = $secGroup.objectId

    # Ask NSX-V for the effective (translated) IP addresses of this Security Group
    $Url = $uri + "/api/2.0/services/securitygroup/" + $secGroupId + "/translation/ipaddresses"
    [xml]$r = Invoke-WebRequest -Uri $Url -Method Get -Headers $head -ContentType "application/xml"

    # One IP set per address family, named after the Security Group
    $ipv4name = "ipsv4-" + $secGroup.name
    $ipv6name = "ipsv6-" + $secGroup.name

    $ipSetv4 = New-NsxIpSet -name $ipv4name
    $ipSetv6 = New-NsxIpSet -name $ipv6name

    foreach ($item in $r.ipNodes.ipNode.ipAddresses) {
        $ipAddresses = $item.string
        # A single <string> element may carry several space-separated addresses
        $ipAddressElements = $ipAddresses -split '\s+'
        foreach ($i in $ipAddressElements) {
            # Skip empty tokens and anything that does not parse as an IP address
            if ([string]::IsNullOrWhiteSpace($i)) { continue }
            $checkifip = $null
            if (-not [System.Net.IPAddress]::TryParse($i.ToString(), [ref]$checkifip)) { continue }
            if ($checkifip.AddressFamily.ToString() -eq "InterNetwork") {
                Get-NsxIpSet -objectId $ipSetv4.objectId | Add-NsxIpSetMember -IPAddress ($i.ToString() + "/32")
            }
            if ($checkifip.AddressFamily.ToString() -eq "InterNetworkV6") {
                Get-NsxIpSet -objectId $ipSetv6.objectId | Add-NsxIpSetMember -IPAddress ($i.ToString() + "/128")
            }
        }
    }

    # Add both IP sets as static members of the Security Group, so its rules keep
    # matching these addresses after the VM objects leave the NSX-V vCenter
    Get-NsxSecurityGroup -objectId $secGroupId | Add-NsxSecurityGroupMember -Member $ipSetv4
    Get-NsxSecurityGroup -objectId $secGroupId | Add-NsxSecurityGroupMember -Member $ipSetv6
}

CyberNils (Hot Shot)

Hi,

I have never used these scripts myself, so please make sure you understand how they work and use at your own risk.



Nils Kristiansen
https://cybernils.net/