VMware Cloud Community
sandroalvesbras
Enthusiast

Created a traffic rule releasing access from (Ingress) and created a Drop everyth

Hello friends,

I have been talking to the VMware support team and we concluded that we were unable to use traffic rules to apply the blocking logic that we are used to configuring in traditional firewalls.

In other words, I cannot create a deny-all rule with the above priority, releasing what I need, because there are ingress conflicts.

The support team's guidance is that the traffic rule was developed to deny the access that we want. This was tested in the laboratory.

So I wondered what type of configuration I could use with this type of logic. Does anyone use or have used this resource who can help me with ideas?

I need to ensure that only a few ports are released between networks (port groups) and the rest are blocked.

Example:

- Access entry for a specific port to be released for example TCP / UDP (3389, 445, 139 and etc.) - Windows services;
- SQL services access entry (TCP 1433);
- Access entry for ICMP is released;
- Any other incoming traffic that is not on the priority list above for this port group must be blocked, which is what we call Drop All;

Thanks.

9 Replies
scott28tt
VMware Employee

@sandroalvesbras 

Is this for regular vSphere or with a product such as NSX?

 


-------------------------------------------------------------------------------------------------------------------------------------------------------------

Although I am a VMware employee I contribute to VMware Communities voluntarily (i.e. not in any official capacity)
VMware Training & Certification blog
sandroalvesbras
Enthusiast

Hi @scott28tt ,

It is a vSphere cluster with three servers using a vSAN solution.

Thanks.

scott28tt
VMware Employee

@sandroalvesbras 

Pretty sure you would need NSX to do that at a software level (with only VMware products) - the firewall in both ESXi and the vCenter Server Appliance are about controlling communications to their own services, not whatever you're running in your VMs.
sandroalvesbras
Enthusiast

Hi @scott28tt ,

What bad information. We were excited to enforce restrictions to ensure better security.

When I saw the examples of blocking ICMP, for example, and even some services hosted on VMs, I believed it could be useful for restricting access the way we are used to in a traditional firewall.

I have already read that NSX has more features, but that is not our case.

Thanks.

scott28tt
VMware Employee

@sandroalvesbras 

Where have you seen the configuration you describe, or what documents or articles have you read that told you what you believe?
sandroalvesbras
Enthusiast

Hi @scott28tt ,

I don't know if I understood your question.

Did you yourself say that on NSX I could have these options or did I get it wrong?

Regarding ICMP blocks and other ports like SQL TCP (1433) between VMs, I have tested it myself numerous times. That is exactly how vSphere intends it to be done: you must specify individually what you want to block.

Thanks.

scott28tt
VMware Employee

@sandroalvesbras 

You seem to have an expectation that there are capabilities built into native vSphere (without NSX) that can control traffic related to applications and services running in your VMs. I'm trying to understand why you think that.
sandroalvesbras
Enthusiast

Hi @scott28tt ,

I read about it and tested it: when working with a distributed switch we have the traffic rules feature.

This feature allows you to create entry and exit rules at network layer 2. Initially, if we research it, even VMware itself in its simulation shows that we can block ICMP by source and destination.

So I did a test using the same logic, blocking port 1433 (SQL) to prevent other servers from being able to access SQL Server.

Believing that, I tried to use the concept of releasing what I need and blocking everything else, but it doesn't work like that.

The vSphere traffic rule with vDS basically works for you to always specify only the blocks, either between hosts or even between VMs.

A colleague said that with NSX it could be different, or he meant that on NSX it would be possible, as you mentioned earlier.

My goal is to find out why the traffic rule has the option to block and release but doesn't work well. I understood that there is a feature in vSphere, but it is limited, which created an expectation above what it managed to show me in practice.

Thanks.
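The two filtering models the thread contrasts, the original post's "release a few ports, Drop All the rest" list and the deny-only behaviour the last post describes for vDS traffic rules, evaluated side by side in an added Python example. This is not code from the thread or from VMware: the evaluator is a generic model of the two semantics rather than an implementation of the vDS filter, and the port groups, addresses, rule tables and flows are constructed for illustration.

```python
"""Compare two traffic-filter models on the same flows (constructed example):
  1. an ordered allow list with an implicit drop at the end (traditional firewall)
  2. a deny-only list where anything not explicitly dropped passes
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Sequence


@dataclass(frozen=True)
class Flow:
    proto: str                   # "tcp", "udp" or "icmp"
    src: str                     # source address
    dst: str                     # destination address
    dport: Optional[int] = None  # destination port, None for ICMP


@dataclass(frozen=True)
class Rule:
    action: str                          # "allow" or "drop"
    proto: str                           # "tcp", "udp", "icmp" or "any"
    src_net: str                         # source CIDR
    dst_net: str                         # destination CIDR
    ports: FrozenSet[int] = frozenset()  # empty set = any destination port

    def matches(self, flow: Flow) -> bool:
        if self.proto != "any" and self.proto != flow.proto:
            return False
        if ip_address(flow.src) not in ip_network(self.src_net):
            return False
        if ip_address(flow.dst) not in ip_network(self.dst_net):
            return False
        return not self.ports or flow.dport in self.ports


def first_match_default_deny(rules: Sequence[Rule], flow: Flow) -> str:
    """Ordered evaluation: the first matching rule decides, and a flow that
    matches nothing is dropped (the 'Drop All' at the bottom of the list)."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action
    return "drop"


def deny_list_only(drop_rules: Sequence[Rule], flow: Flow) -> str:
    """Deny-only evaluation: a flow is dropped only if some drop rule matches it;
    everything else passes, so nothing that is not enumerated is ever blocked."""
    for rule in drop_rules:
        if rule.action == "drop" and rule.matches(flow):
            return "drop"
    return "allow"


def deny_only_gap(allow_rules: Sequence[Rule], drop_rules: Sequence[Rule],
                  flows: Sequence[Flow]) -> List[Flow]:
    """Flows the allow list would drop but the deny-only list lets through:
    the exposure left when only deny rules can be expressed."""
    return [f for f in flows
            if first_match_default_deny(allow_rules, f) == "drop"
            and deny_list_only(drop_rules, f) == "allow"]


# Constructed port groups (hypothetical addressing, not from the thread).
WORKSTATIONS = "10.0.1.0/24"
SERVERS = "10.0.2.0/24"
WIN_PORTS = frozenset({3389, 445, 139})

# The original post's wish list as an ordered allow list with an implicit drop.
ALLOW_LIST = [
    Rule("allow", "tcp", WORKSTATIONS, SERVERS, WIN_PORTS),           # Windows services
    Rule("allow", "udp", WORKSTATIONS, SERVERS, WIN_PORTS),
    Rule("allow", "tcp", WORKSTATIONS, SERVERS, frozenset({1433})),  # SQL Server
    Rule("allow", "icmp", WORKSTATIONS, SERVERS),                    # ping
]

# What the thread concludes vDS traffic rules can express: explicit drops only.
DENY_LIST = [
    Rule("drop", "tcp", WORKSTATIONS, SERVERS, frozenset({1433})),
    Rule("drop", "icmp", WORKSTATIONS, SERVERS),
]

# Constructed sample flows from a workstation to a server.
SAMPLE_FLOWS = [
    Flow("tcp", "10.0.1.10", "10.0.2.20", 3389),  # RDP
    Flow("tcp", "10.0.1.10", "10.0.2.20", 1433),  # SQL Server
    Flow("icmp", "10.0.1.10", "10.0.2.20"),       # ping
    Flow("tcp", "10.0.1.10", "10.0.2.20", 22),    # SSH, on neither list
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f, "allow-list:", first_match_default_deny(ALLOW_LIST, f),
              "deny-only:", deny_list_only(DENY_LIST, f))
    print("left open by deny-only:", deny_only_gap(ALLOW_LIST, DENY_LIST, SAMPLE_FLOWS))
```

Running it shows the mirror image the thread describes: under the allow list the SSH flow is dropped because nothing releases it, while under the deny-only list it passes because nothing names it. `deny_only_gap` is the check to keep when only deny rules are available, since it lists every flow that the intended least-privilege policy would have blocked but the deny-only filter leaves open.
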
scott28tt
VMware Employee

@sandroalvesbras 

Thanks for the clarification.