VMware Cloud Community
prakash9339
Enthusiast

How to Restrict Access

Can we restrict the communication between two VMs on the same host?

i.e. I have 3 VMs on one host, and I don't want the VMs to communicate with each other. How can we do this?

I am using ESXi 5.0.0.

Accepted Solutions
admin
Immortal

In VMware, you can manage these user and group rights with roles and privileges. There are 11 predefined roles that determine what actions a user or group is allowed to take in vCenter Server or ESX/ESXi. Some roles have one or more privileges, while others have no privileges at all. You can’t assign privileges to a user without first assigning a role to that user.

Three of the pre-established roles are permanent, meaning that the privileges associated with that role cannot be modified. These permanent roles are available to a stand-alone ESX or ESXi server, or to vCenter Server. The remaining eight are sample roles which can be modified as needed. These eight roles are exclusive to vCenter Server.

Below are the pre-established roles:

  • No Access: A permanent role that is assigned to new users and groups. Prevents a user or group from viewing or making changes to an object
  • Read-Only: A permanent role that allows users to check the state of an object or view its details, but not make changes to it
  • Administrator: A permanent role that enables a user complete access to all of the objects on the server. The root user is assigned this role by default, as are all of the users who are part of the local Windows Administrators group associated with vCenter Server. At least one user must have administrative permissions in VMware.
  • Virtual Machine Administrator: A sample role that allows a user complete and total control of a virtual machine or a host, up to and including removing that VM or host
  • Virtual Machine Power User: A sample role that grants a user access rights only to virtual machines; can alter the virtual hardware or create snapshots of the VM
  • Virtual Machine User: Grants user access rights exclusively to VMs. The user can power on, power off, and reset the virtual machine, as well as run media from the virtual discs.
  • Resource Pool Administrator: Allows the user to create resource pools (RAM and CPU reserved for use) and assign these pools to virtual machines
  • Datacenter Administrator: Permits a user to add new datacenter objects
  • VMware Consolidated Backup User: Required to allow VMware Consolidated Backup to run
  • Datastore Consumer: Allows the user to consume space on a datastore
  • Network Consumer: Allows the user to assign a network to a virtual machine or a host

The privileges assigned to a pre-defined role are more comprehensive than described above, so if you want to know exactly what permissions a role allows a user, you can view the selected privileges when assigning the role to a user or group.

VMware automatically allows users access to child objects. For example, if a user has been given read-only rights for a folder, that user will have read-only rights for all of the sub-folders as well. You can disable this setting, if necessary, when allocating roles.

You can change the privileges associated with the sample roles listed above. Before editing a role, however, it’s recommended that you clone the role first.

Cloning and Editing a Role

1. Log in to vSphere with administrative rights. Click “Home,” then “Roles.”


2. Select the role from the left pane and then click “Clone Role” to create an exact copy of the role.

3. Choose the clone from the left pane. Click “Administration,” “Role,” and then “Edit Role.”

4. Select or deselect the appropriate privileges from the options. Expand a privilege to see the child privileges. If you aren’t sure what a privilege does, select it and then read the description on the bottom of the window.


5. Give the role a descriptive name and then click “OK” to modify the role.

You can also create custom roles if the pre-established roles don’t meet your needs.

Creating a Role

1. In vSphere, click “Home” and then click “Roles.”

2. Click “Add Role.” Select the preferred options from the list, and then create a name for the new role.


3. Click “OK.”

Once you’ve created or modified the roles as needed, you can assign the roles to the users and groups associated with your ESX/ESXi host or vCenter Server.

There are a few things to keep in mind when configuring access controls in VMware, however. First of all, if a group is assigned a role, all of the users in that group are given those same privileges unless the users have roles of their own assigned. Second of all, if a user is assigned privileges in VMware, those privileges take precedence over the privileges of the group.

For example, User A and User B are assigned to Group 1. Group 1 has been assigned the Read-Only role. User A doesn’t have a role assigned to it, so it automatically gets all of the permissions given to Group 1. User B, however, has been assigned the No Access role, so User B has no permissions at all.

VMware also validates the users and groups in Windows Active Directory against the users and groups in vCenter Server. So, if a user or group exists in vCenter Server, but doesn’t exist in the domain, VMware will delete all of the permissions associated with the user or group during validation.

You can also assign privileges to multiple inventory objects in VMware by creating a folder and moving all of the appropriate objects to that folder.

Assigning a Role

1. Go to Home, Inventory, and then Hosts and Clusters. Click the inventory object and then click “Permissions.”

2. Right-click an empty area in the right pane, then click “Add Permissions” to open the Assign Permissions window.


3. Click “Add” and insert the appropriate user(s) or group(s). Select the desired role for the user(s) from the drop-down menu.


4. Review the list of permissions in the right pane. To prevent access to child objects, uncheck “Propagate to Child Objects.”

5. Click “OK” to assign the permissions to the selected user(s) or group(s).

To change permissions for a user or group, select the appropriate user or group from the right pane. Click “Inventory,” “Permissions,” and then “Properties.” To remove permissions, click “Inventory,” “Permissions,” and then “Delete.”

VMware provides administrators with several other options for managing users and groups — administrators can limit access to the vSphere client, for example, and instead provide access only to the Web-based client — but the above instructions describe the fundamental basics for managing access control in vSphere.

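The precedence and propagation rules the accepted solution describes (a group's role applies to its members unless a user has a role of their own; a user's own permission takes precedence over the group's; permissions propagate to child objects unless "Propagate to Child Objects" is unchecked) can be modelled as a small resolver. The following is an added example written for this thread, not VMware's code and not part of any post; the role table and privilege IDs are constructed for illustration, the inventory is a made-up datacenter/folder/VM tree, and the rule that a user matching several group permissions on the same object receives the union of their privileges is vCenter's documented behaviour rather than something the post states. It reproduces the User A / User B / Group 1 scenario from the post and adds a non-propagating permission to show the difference the checkbox makes.

```python
"""Simplified model of how vCenter resolves a user's effective privileges on an
inventory object. Added example for this thread; not VMware code. The role
table below is constructed and far smaller than the real privilege lists."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterator, List, Optional, Set

ROLES: Dict[str, FrozenSet[str]] = {
    "No Access": frozenset(),
    "Read-Only": frozenset({"System.View", "System.Read"}),
    "Virtual Machine User": frozenset({
        "System.View", "System.Read",
        "VirtualMachine.Interact.PowerOn",
        "VirtualMachine.Interact.PowerOff",
        "VirtualMachine.Interact.Reset",
    }),
}


@dataclass(frozen=True)
class Permission:
    """One row of the Permissions tab: a principal and a role on an object."""
    principal: str
    is_group: bool
    role: str
    propagate: bool = True   # the "Propagate to Child Objects" checkbox


class Inventory:
    """A tree of inventory objects (datacenter, folders, VMs) carrying permissions."""

    def __init__(self) -> None:
        self._parent: Dict[str, Optional[str]] = {}
        self._perms: Dict[str, List[Permission]] = {}

    def add(self, name: str, parent: Optional[str] = None) -> None:
        if parent is not None and parent not in self._parent:
            raise KeyError(f"unknown parent object {parent!r}")
        self._parent[name] = parent
        self._perms[name] = []

    def grant(self, obj: str, perm: Permission) -> None:
        if perm.role not in ROLES:
            raise KeyError(f"unknown role {perm.role!r}")
        self._perms[obj].append(perm)

    def permissions_on(self, obj: str) -> List[Permission]:
        return list(self._perms[obj])

    def path_to_root(self, obj: str) -> Iterator[str]:
        node: Optional[str] = obj
        while node is not None:
            yield node
            node = self._parent[node]


def effective_privileges(inv: Inventory, user: str, groups: Set[str], obj: str) -> FrozenSet[str]:
    """Resolve the privileges `user` (a member of `groups`) holds on `obj`.

    Walk from the object towards the root. The nearest object carrying an
    applicable permission decides; a permission on an ancestor only applies if
    it propagates. At that object a permission granted to the user directly
    overrides any granted through a group; if only group permissions match,
    their privileges are unioned.
    """
    for depth, node in enumerate(inv.path_to_root(obj)):
        applicable = [p for p in inv.permissions_on(node) if depth == 0 or p.propagate]
        direct = [p for p in applicable if not p.is_group and p.principal == user]
        if direct:
            return frozenset().union(*(ROLES[p.role] for p in direct))
        via_group = [p for p in applicable if p.is_group and p.principal in groups]
        if via_group:
            return frozenset().union(*(ROLES[p.role] for p in via_group))
    return frozenset()   # nothing up the tree applies: same effect as No Access


def has_privilege(inv: Inventory, user: str, groups: Set[str], obj: str, privilege: str) -> bool:
    return privilege in effective_privileges(inv, user, groups, obj)


def build_example() -> Inventory:
    """The post's scenario: Group 1 is Read-Only on a folder, User B is No Access."""
    inv = Inventory()
    inv.add("Datacenter")
    inv.add("Folder", parent="Datacenter")
    inv.add("VM1", parent="Folder")
    inv.add("VM2", parent="Datacenter")
    inv.grant("Folder", Permission("Group 1", is_group=True, role="Read-Only"))
    inv.grant("Folder", Permission("User B", is_group=False, role="No Access"))
    # Non-propagating grant: it applies to the Datacenter object itself, not to VM2 below it.
    inv.grant("Datacenter", Permission("User A", is_group=False, role="Virtual Machine User", propagate=False))
    return inv


if __name__ == "__main__":
    inv = build_example()
    for who in ("User A", "User B"):
        print(who, "on VM1:", sorted(effective_privileges(inv, who, {"Group 1"}, "VM1")))
```

Run as a script it prints Read-Only's privileges for User A and an empty set for User B, matching the post; `effective_privileges(inv, "User A", {"Group 1"}, "VM2")` is empty because the datacenter-level grant does not propagate, which is the case to check whenever a user reports access on a parent object but not on the VMs beneath it.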

4 Replies
schepp
Leadership

Hi,

You could, for example, configure the firewall of the guest OS to block the communication, or put the VMs in different VLANs.

Regards

akkayyakapisett
Enthusiast

You have a couple of options:

Create different port groups and place the VMs in separate groups

VLANs

Use the vCloud Networking suite, which will do isolation

Firewall on the OS.

Venkat

http://www.peeradmin.com

tomtom901
Commander

@Fillips: Besides quoting a full article, the question is how to block VM guest networking.

@akkayyakapisetti: Communication (with the exception of VLANs) per port group is allowed, so this won't help.

@Prakash: You can use (Private) VLANs to block this communication, configure the guest firewall, or use vShield.

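The point tomtom901 makes about port groups, and the VLAN and private VLAN options raised in the replies, come down to which vNICs share a Layer 2 segment on the virtual switch. Below is an added example, written for this thread and not taken from any post or from VMware, that models that decision: separate port groups on the same VLAN ID are one broadcast domain, separate VLANs are separate domains, and in a private VLAN a promiscuous port reaches every port, an isolated port reaches only promiscuous ports, and a community port reaches promiscuous ports and its own community. The community case goes beyond what the replies mention; VM names, port group names and VLAN IDs are constructed, and the model assumes all ports sit on one virtual switch.

```python
"""Which vNICs on one virtual switch share a Layer 2 segment, for the layouts
discussed in the thread. Added example, not VMware code; all values constructed."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class VNic:
    vm: str
    port_group: str
    vlan: int                         # VLAN ID, or the primary VLAN for a PVLAN port
    pvlan_type: Optional[str] = None  # None, "promiscuous", "isolated" or "community"
    secondary_vlan: Optional[int] = None


def l2_reachable(a: VNic, b: VNic) -> bool:
    """True if frames from a reach b without passing through a router.

    Port groups are configuration containers, not segments: two port groups
    with the same VLAN ID are one broadcast domain. Private VLAN rules:
    promiscuous ports talk to every port in the primary VLAN, isolated ports
    talk only to promiscuous ports, community ports talk to promiscuous ports
    and to ports in the same community.
    """
    if a.vlan != b.vlan:
        return False
    if a.pvlan_type is None and b.pvlan_type is None:
        return True
    if a.pvlan_type is None or b.pvlan_type is None:
        # Assumption of this model: plain-VLAN and PVLAN ports on one primary are not mixed.
        raise ValueError("mixing plain-VLAN and private-VLAN ports on one primary is not modelled")
    types = {a.pvlan_type, b.pvlan_type}
    if "promiscuous" in types:
        return True
    if "isolated" in types:
        return False
    return a.secondary_vlan == b.secondary_vlan   # both community


def reachable_pairs(nics: List[VNic]) -> Set[Tuple[str, str]]:
    """Every unordered pair of VMs that can exchange frames at Layer 2."""
    return {(x.vm, y.vm) for i, x in enumerate(nics) for y in nics[i + 1:] if l2_reachable(x, y)}


def scenario_separate_port_groups() -> List[VNic]:
    # Three VMs in three port groups on one VLAN: still one broadcast domain.
    return [VNic("vm1", "PG-A", 10), VNic("vm2", "PG-B", 10), VNic("vm3", "PG-C", 10)]


def scenario_separate_vlans() -> List[VNic]:
    # One VLAN per VM: nothing reaches anything without a router in between.
    return [VNic("vm1", "PG-A", 10), VNic("vm2", "PG-B", 20), VNic("vm3", "PG-C", 30)]


def scenario_isolated_pvlan() -> List[VNic]:
    # Gateway on a promiscuous port, three VMs in an isolated secondary VLAN:
    # each VM reaches the gateway, none reaches another VM.
    gateway = VNic("gateway", "PG-Promiscuous", 10, "promiscuous", 10)
    vms = [VNic(f"vm{i}", "PG-Isolated", 10, "isolated", 11) for i in (1, 2, 3)]
    return [gateway] + vms


if __name__ == "__main__":
    for name, scenario in (("separate port groups", scenario_separate_port_groups),
                           ("separate VLANs", scenario_separate_vlans),
                           ("isolated PVLAN", scenario_isolated_pvlan)):
        print(f"{name}: {sorted(reachable_pairs(scenario()))}")
```

The isolated PVLAN layout is the one that matches the original question (VMs that must reach the outside world but not each other) without needing one VLAN and one router interface per VM. Private VLANs are a vSphere Distributed Switch feature, so on a standard vSwitch the remaining options are separate VLANs with routing and filtering upstream, or the guest firewall schepp suggested; in practice the guest firewall is worth keeping as a second layer even when the network is segmented.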