5 Replies Latest reply on Sep 25, 2019 6:26 AM by A13xxx

    Hostname URL resolution in NSX DFW

    kwg66 Enthusiast

Hostname resolution doesn't work in NSX-V DFW... does it work in NSX-T? We have been integrating with cloud services and connecting from on premises to hostname URLs (an example would be www.s3.amazon.com).

Using an IP range in the firewall to get to the S3 bucket is not the way to go in the opinion of many within my organization, and it's understandable. If the range changes, your configuration will fail along with the services that are relying on the rules. As a result, many of our workloads that need cloud access have been migrated from NSX to our Cisco FW that supports this.

I found a script on GitHub that claims to bridge this gap; details about it are here: https://networkinferno.net/fqdn-based-ip-sets-in-dfw-rules#comment-37755

Before I attempt to set this up and test it, I really want to know if NSX-T provides the ability to use hostname URLs in the rules. If this is the case, I would probably look to migrate from NSX-V to NSX-T.

Please advise.

        • 1. Re: Hostname URL resolution in NSX DFW
          mauricioamorim Hot Shot
          VMware Employees

          NSX-T supports FQDN in firewall rules, although not customizable yet. As of now only preset FQDNs can be used. More information here: Filtering Specific Domains (FQDN/URLs)

          • 2. Re: Hostname URL resolution in NSX DFW
            kwg66 Enthusiast

Thanks for the reply. I did get this answer from my account rep and his associate, who is the NSX expert for the Government/EDU sector in my area.

However, unfortunately it requires an upgrade to Enterprise Plus licensing, and you are correct that customization is not possible yet. It currently doesn't include amazon.com in the list of pre-defined URLs. Is it just me, or has amazon.com been left out intentionally so that people are nudged toward VMC on AWS?

            • 3. Re: Hostname URL resolution in NSX DFW
              A13xxx Enthusiast

As mentioned previously, NSX-T does not support URLs and VMware advises using IPs for now. We are using IPs so firewall rules continue to work when migrating VMs from on-prem to cloud and back, etc. The URL on-prem is too slow and often delayed.

One way would be to use a scheduled script that updates the IP rule based on the FQDN automatically, using PowerShell or the API directly. You also will not have to worry about DNS issues; if NSX is unable to resolve, the firewall rule is invalid.

              1 person found this helpful
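As an added example (not the script linked in the thread, nor VMware's or networkinferno's code), here is the reconciliation logic such a scheduled job needs, written in Python rather than PowerShell: it resolves each FQDN, keeps the last known addresses for a name that fails to resolve instead of emptying the set, and reports what changed so the run can be logged and alerted on. The NSX-V IP set XML body with a comma-separated `value` is an assumption, as is the injected resolver with constructed sample DNS answers that lets it run offline.

```python
"""Reconcile an NSX IP set with the current A records of a list of FQDNs."""
import ipaddress
import socket
from xml.sax.saxutils import escape


def default_resolver(fqdn):
    """Look up the IPv4 addresses of fqdn; raises socket.gaierror on failure."""
    infos = socket.getaddrinfo(fqdn, None, socket.AF_INET)
    return sorted({info[4][0] for info in infos})


def reconcile_ipset(fqdns, previous, resolver=default_resolver):
    """Return (membership, stale) for the next run of the scheduled job.

    previous maps fqdn -> set of IPs from the last run. A name that fails to
    resolve (or returns no answer) keeps its last known addresses instead of
    emptying the set, so a transient DNS outage does not silently break the
    rule; such names are listed in 'stale' so the job can alert on them.
    """
    membership, stale = {}, []
    for fqdn in fqdns:
        try:
            ips = {str(ipaddress.IPv4Address(ip)) for ip in resolver(fqdn)}
            if not ips:
                raise ValueError("empty DNS answer")
        except (OSError, ValueError):  # socket.gaierror is an OSError
            ips = set(previous.get(fqdn, set()))
            stale.append(fqdn)
        membership[fqdn] = ips
    return membership, stale


def diff_membership(previous, membership):
    """Return (added, removed) addresses so every change gets logged."""
    old = set().union(*previous.values())
    new = set().union(*membership.values())
    key = ipaddress.IPv4Address
    return sorted(new - old, key=key), sorted(old - new, key=key)


def ipset_xml(object_id, name, membership):
    """Render the NSX-V IP set body; the comma-separated 'value' is assumed."""
    ips = sorted(set().union(*membership.values()), key=ipaddress.IPv4Address)
    return (f"<ipset><objectId>{escape(object_id)}</objectId>"
            f"<name>{escape(name)}</name><value>{','.join(ips)}</value></ipset>")


# Constructed sample DNS answers standing in for real lookups (offline demo).
SAMPLE_DNS = {"s3.example.test": ["52.0.0.2", "52.0.0.1"]}


def sample_resolver(fqdn):
    if fqdn not in SAMPLE_DNS:
        raise socket.gaierror(f"constructed NXDOMAIN for {fqdn}")
    return SAMPLE_DNS[fqdn]
```

The rendered XML is what would be PUT to the IP set object on the NSX Manager API; a non-empty `stale` list is the signal that the set is running on cached addresses and should be investigated rather than trusted.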
              • 4. Re: Hostname URL resolution in NSX DFW
                kwg66 Enthusiast

Hello A13xxx - you must be referring to this:

                https://networkinferno.net/fqdn-based-ip-sets-in-dfw-rules#comment-37755

I like the idea of shifting to NSX-T, but a scripting server will still need to be used if someone wants amazon.com as a URL in the rules, because in the long list of pre-defined URLs VMware has made available for configuration in the NSX-T product, they also deliberately excluded this domain name.

                • 5. Re: Hostname URL resolution in NSX DFW
                  A13xxx Enthusiast

We use NSX-V a lot on-prem, and the DFW of NSX-T is still very basic; it's pretty much a battle, and it baffles me why you cannot migrate between them and why there is no universal tag system. I raised many cases, and each time I have been told to use IPs.

It's still a mission getting the logs out for troubleshooting compared to on-prem NSX.