We want to configure some blocks, but we are unsure what the best setting would be.
Network LAN Datacenter: 192.168.1.1 (Public NAT Routing)
Network A: 10.10.1.0 - VMware Host Servers
Network B: 10.10.2.0 - Infra-Basic Servers (AD, DNS, etc.)
Network C: 10.10.3.0 - Web Applications Servers A
Network E: 10.10.4.0 - Web Applications Servers B
Network F: 10.10.5.0 - Database Servers
Port Group A: 10.10.1.0 - VMware Host Servers
Port Group B: 10.10.2.0 - Infra-Basic Servers (AD, DNS, etc.)
Port Group C: 10.10.3.0 - Web Applications Servers A
Port Group E: 10.10.4.0 - Web Applications Servers B
Port Group F: 10.10.5.0 - Database Servers
We want to apply the following blocks:
- No Port Group will have outbound restrictions; they will only have inbound restrictions for some ports and from other Port Groups.
- All Port Groups need to accept connections from Port Group B for DNS, Active Directory, NTP, and so on.
a) Port Group F may only allow access to port 1433 for Port Groups C and E;
b) Port Groups C and E can only allow access to ports 80 and 443 for the Datacenter LAN Network (NAT Public Routing).
- Database servers can only accept connections from application servers on port 1433;
- Web application servers can only accept connections on ports 80 and 443 from the datacenter network, which will have public access to the internet;
- DNS, AD, and NTP servers must have connectivity to all existing servers.
- Should we create the allow rules first and then a block-all rule, or does VMware automatically block the other connections as soon as we create the allow rules?
Moderator: Moved to vSphere vNetwork
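The inbound policy described in the post, modelled as an added example (not code from the thread or from any VMware tooling) as a first-match rule table with an explicit block-all rule at the end. It assumes /24 masks for the listed subnets, 192.168.1.0/24 for the datacenter LAN, and a `default` parameter standing in for the firewall's built-in default rule: the last evaluation shows that without the explicit block-all rule, traffic matching no rule is decided by that default alone.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of the port groups in the post. Masks are assumed to be /24;
# the datacenter LAN is assumed to be 192.168.1.0/24 (contains the 192.168.1.1 NAT router).
GROUPS = {
    "DC_LAN": ipaddress.ip_network("192.168.1.0/24"),
    "A": ipaddress.ip_network("10.10.1.0/24"),  # VMware hosts
    "B": ipaddress.ip_network("10.10.2.0/24"),  # AD, DNS, NTP
    "C": ipaddress.ip_network("10.10.3.0/24"),  # web apps A
    "E": ipaddress.ip_network("10.10.4.0/24"),  # web apps B
    "F": ipaddress.ip_network("10.10.5.0/24"),  # databases
}

@dataclass
class Rule:
    name: str
    src: set      # group names, or {"any"}
    dst: set      # group names, or {"any"}
    ports: set    # destination ports, or {"any"}
    action: str   # "allow" or "deny"

# Inbound policy as stated: specific allow rules first, explicit block-all last.
POLICY = [
    Rule("infra-to-all", {"B"}, {"any"}, {"any"}, "allow"),       # DNS/AD/NTP from B
    Rule("web-to-db", {"C", "E"}, {"F"}, {1433}, "allow"),
    Rule("lan-to-web", {"DC_LAN"}, {"C", "E"}, {80, 443}, "allow"),
    Rule("block-all", {"any"}, {"any"}, {"any"}, "deny"),
]

def group_of(ip):
    """Return the name of the group whose subnet contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in GROUPS.items() if addr in net), None)

def evaluate(policy, src_ip, dst_ip, port, default="allow"):
    """First-match evaluation. `default` models the firewall's built-in default
    rule (allow or deny) that applies when nothing in `policy` matches."""
    s, d = group_of(src_ip), group_of(dst_ip)
    for r in policy:
        if (("any" in r.src or s in r.src) and ("any" in r.dst or d in r.dst)
                and ("any" in r.ports or port in r.ports)):
            return r.action, r.name
    return default, "<default>"

# Without the final block-all rule the outcome depends entirely on the default.
if __name__ == "__main__":
    print(evaluate(POLICY, "10.10.3.10", "10.10.5.10", 22))        # ('deny', 'block-all')
    print(evaluate(POLICY[:-1], "10.10.3.10", "10.10.5.10", 22))   # ('allow', '<default>')
```

Keeping the explicit block-all rule at the bottom makes the policy independent of whatever the product's default rule happens to be, which is the safer assumption to check before relying on implicit blocking.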