VMware Networking Community
AYousri
Contributor

NSX machine isolation through API calls

Dear all,

My client wants to isolate a machine using the REST API https://code.vmware.com/apis/329/nsx-for-vsphere . This script will run from another solution based on external criteria.

I found that a possible solution may be distributed firewall calls (adding rules to block any packet containing the machine's IP as its source or destination).

Is this the right solution, or is there a better solution through VXLAN or something else?

I am totally new to NSX for vSphere. Any help appreciated.

Accepted Solutions
mauricioamorim
VMware Employee

If starting to use NSX, go for NSX-T, as NSX-V has an announced EOS.

If all you want is to isolate VMs, the easiest way is to use the distributed firewall. It has no dependencies on overlay routing. DFW uses groups for rules which can have specific criteria, so you can essentially isolate VMs without even having to call an API. If you want to check something outside of the NSX environment and act upon this, I think the easiest way to isolate a VM would be to have a DFW rule that matches on VMs with a specific tag, set up with the desired isolation. When you effectively want to isolate the VM, just send an API call to tag the VM and the DFW rule will start acting. Remove the tag and you remove the isolation.

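The tag-flip approach described in the accepted answer, as an added example that is not code from the thread or from VMware: the DFW rule and a group whose membership criterion is "VM tag equals quarantine" (scope "security") are assumed to already exist, the NSX-T Manager endpoint `POST /api/v1/fabric/virtual-machines?action=update_tags` is assumed to replace the VM's whole tag set (so existing tags are read first and merged), and `session` is assumed to be a `requests.Session` with credentials and CA verification already configured.

```python
"""Toggle an NSX-T isolation tag on a VM so a pre-built DFW rule takes effect."""

# Assumed tag that the pre-built DFW group matches on (not from the thread).
ISOLATION_TAG = {"scope": "security", "tag": "quarantine"}


def merge_tags(existing, isolate):
    """Return the tag list to write back: existing tags with the isolation
    tag added (isolate=True) or removed (isolate=False).

    Assumption: update_tags replaces the VM's full tag set, so tags such as
    owner or environment must be carried over or they would be lost.
    """
    kept = [t for t in existing
            if not (t.get("scope") == ISOLATION_TAG["scope"]
                    and t.get("tag") == ISOLATION_TAG["tag"])]
    return kept + [dict(ISOLATION_TAG)] if isolate else kept


def build_tag_update(external_id, existing_tags, isolate):
    """Build the request body for the update_tags action."""
    return {"external_id": external_id,
            "tags": merge_tags(existing_tags, isolate)}


def set_isolation(session, manager, external_id, isolate):
    """Read the VM's current tags, then write back the merged set.

    session: requests.Session with auth and verify already set (assumed).
    manager: NSX-T Manager host name.  Returns the HTTP status of the update.
    """
    base = f"https://{manager}/api/v1/fabric/virtual-machines"
    # Look up the VM by external_id (assumed list filter) to get current tags.
    resp = session.get(base, params={"external_id": external_id})
    resp.raise_for_status()
    results = resp.json().get("results", [])
    if len(results) != 1:
        raise LookupError(f"expected exactly one VM for {external_id}, "
                          f"got {len(results)}")
    body = build_tag_update(external_id, results[0].get("tags", []), isolate)
    resp = session.post(base, params={"action": "update_tags"}, json=body)
    resp.raise_for_status()
    return resp.status_code
```

Call `set_isolation(session, "nsx-manager.example", "<vm external id>", True)` from the external tool to quarantine and `False` to release; re-running with the same flag is idempotent because `merge_tags` never duplicates the tag.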

2 Replies

AYousri
Contributor

Thanks for your assistance.
