VMware NSX Firewalling using AD Groups

This use case is to implement network security that allows or blocks access to certain applications/servers in the datacenter, depending on which user is logged on in a Horizon View environment.

We will achieve this with the Identity Firewall feature of VMware NSX (identity-based firewalling), which lets a distributed firewall rule match on Active Directory group membership instead of on IP addresses alone.

Let's first connect NSX to Active Directory. This step is completed on the NSX Manager under Manage -> Domains. Add the domain you want to use to NSX:


Once the AD sync has completed, we need to reference an AD group inside an NSX Grouping Object (a Security Group):

  1. Go to Grouping Objects.
  2. Click the + sign; a new window opens. Provide a proper name.
  3. Click the + sign.
  4. Choose "Entity" from the drop-down.
  5. Click the next box; it opens a list of AD groups.
  6. Choose your AD group.


Go to IP Sets and create an IP set; this will contain the list of IPs that these users must not be able to reach.

  1. Click the + sign.
  2. Enter a descriptive name.
  3. Enter the IP address(es) to block.
  4. Click OK.


Now let's go to Firewall and create a rule.

  • Click Firewall.
  • Click the + sign.
  • Give the rule a descriptive name.
  • As Source, choose the group we created under Grouping Objects, in our case "Demo".
  • As Destination, choose the IP set we created under IP Sets, in our case "no_access_server".
  • Choose "Block" as the action, since we need to block the traffic.

Two things to check before testing: the Identity Firewall can only map a user to a VM if Guest Introspection is running in the desktop VM or AD event log scraping is configured for the domain, and the distributed firewall evaluates rules top-down, so this block rule has to sit above any broader allow rule that would otherwise match the same traffic first.

I hope this is useful and helpful. Please review and comment.

Add a Static Route to DLR

In my last post I created a DLR using the API; now, as per requirement, we have to add a default route on the DLR. Note that this endpoint takes a PUT, which replaces the whole static routing configuration of the edge, so retrieve the current configuration with a GET on the same URL first and carry any existing routes over into the body. The <vnic> value is the index of the interface the route points out of (here the uplink towards the transit network), and the next hop must be reachable on that interface's subnet.

Request Type: PUT

https://<NSX-MGR-IP>/api/4.0/edges/edge-35/routing/config/static

Request Body:

<staticRouting>
  <staticRoutes>
    <route>
      <description>route2</description>
      <vnic>2</vnic>
      <network>0.0.0.0/0</network>
      <nextHop>192.168.10.2</nextHop>
      <mtu>1500</mtu>
      <type>user</type>
    </route>
  </staticRoutes>
</staticRouting>
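Because the PUT replaces everything under <staticRouting>, the safe way to add a route is to fetch the current configuration, merge the new route into it, and send the merged document back. The following is an added example (not code from the original post) that does the merge step offline: SAMPLE_EXISTING is a constructed stand-in for the GET response of an edge that already has one user route, and the NSX Manager hostname, edge ID and credentials in build_put_request are placeholders. It validates the prefix and next hop, refuses to add a second route for a prefix that is already present, and builds the PUT request without sending it.

```python
"""Merge a new static route into an NSX-v edge's existing static routing
configuration before PUTting it back.

Added example, not code from the original post. The NSX API replaces the
whole <staticRouting> block on PUT, so the safe sequence is GET -> merge ->
PUT. SAMPLE_EXISTING is a constructed stand-in for the GET response; the
NSX Manager hostname, edge ID and credentials used below are placeholders.
"""
import base64
import ipaddress
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample of what GET /api/4.0/edges/<edgeId>/routing/config/static
# might return for a DLR that already carries one user-defined route.
SAMPLE_EXISTING = """<staticRouting>
  <staticRoutes>
    <route>
      <description>to_mgmt</description>
      <vnic>2</vnic>
      <network>10.10.0.0/16</network>
      <nextHop>192.168.10.2</nextHop>
      <mtu>1500</mtu>
      <type>user</type>
    </route>
  </staticRoutes>
</staticRouting>"""


def list_routes(xml_text):
    """Return (network, nextHop, vnic) tuples for every <route> in the document."""
    root = ET.fromstring(xml_text)
    return [(r.findtext("network"), r.findtext("nextHop"), int(r.findtext("vnic")))
            for r in root.iter("route")]


def merge_static_route(existing_xml, network, next_hop, vnic, description="", mtu=1500):
    """Append one user static route to an existing <staticRouting> document.

    Validates the prefix (no host bits set) and the next hop, refuses a second
    route for a prefix that is already present, and returns the merged XML
    ready to be used as the PUT body.
    """
    prefix = ipaddress.ip_network(network, strict=True)   # ValueError on host bits
    gateway = ipaddress.ip_address(next_hop)
    if prefix.version != gateway.version:
        raise ValueError("network and nextHop address families differ")

    root = ET.fromstring(existing_xml)
    routes = root.find("staticRoutes")
    if routes is None:
        routes = ET.SubElement(root, "staticRoutes")
    for existing, _, _ in list_routes(existing_xml):
        if ipaddress.ip_network(existing) == prefix:
            raise ValueError(f"a static route for {prefix} already exists")

    route = ET.SubElement(routes, "route")
    for tag, value in (("description", description), ("vnic", vnic),
                       ("network", str(prefix)), ("nextHop", str(gateway)),
                       ("mtu", mtu), ("type", "user")):
        ET.SubElement(route, tag).text = str(value)
    if hasattr(ET, "indent"):      # pretty-print, Python 3.9+
        ET.indent(root)
    return ET.tostring(root, encoding="unicode")


def build_put_request(nsx_host, edge_id, body, user, password):
    """Build (but do not send) the PUT that replaces the edge's static routes.
    nsx_host, edge_id, user and password are caller-supplied placeholders."""
    url = f"https://{nsx_host}/api/4.0/edges/{edge_id}/routing/config/static"
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return urllib.request.Request(
        url, data=body.encode(), method="PUT",
        headers={"Content-Type": "application/xml",
                 "Authorization": f"Basic {token}"})


if __name__ == "__main__":
    merged = merge_static_route(SAMPLE_EXISTING, "0.0.0.0/0", "192.168.10.2", 2, "route2")
    print(merged)
    req = build_put_request("nsx-mgr.example.local", "edge-35", merged, "admin", "secret")
    print(req.get_method(), req.full_url)
    # urllib.request.urlopen(req) would send it; omitted so the example runs offline.
```

In practice the body passed to merge_static_route comes from a GET on the same URL; if you skip that step and PUT only the new route, as in the post's body above, any routes already configured on the edge are dropped.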


Deploy Distributed Logical Router using NSX API

I am working on an NSX design and deployment engagement that includes deploying NSX at many sites spread across several cities in India. Working in the web client from a central location was very slow due to bandwidth constraints, so we decided to deploy all NSX components using the NSX API. This also keeps the request bodies handy as a backup that can be replayed if a restore is required.

In my first post I showed how to create a logical switch; now let's create a Distributed Logical Router.

Since we are using static routing and there is no firewall requirement on the router, we decided not to deploy the DLR control VM (the edge appliance) at this point, hence deployAppliances is false below. Without the control VM only static routing is available on the DLR.

Request Type: POST   https://<NSX-MGR-IP>/api/4.0/edges

Request Body:

<edge>
  <datacenterMoid>datacenter-21</datacenterMoid>
  <name>ODC-A1</name>
  <type>distributedRouter</type>
  <appliances>
    <deployAppliances>false</deployAppliances>
  </appliances>
  <mgmtInterface>
    <connectedToId>dvportgroup-50</connectedToId>
  </mgmtInterface>
  <interfaces>
    <interface>
      <name>Towards_Transit</name>
      <addressGroups>
        <addressGroup>
          <primaryAddress>192.168.10.1</primaryAddress>
          <subnetMask>255.255.255.0</subnetMask>
          <subnetPrefixLength>24</subnetPrefixLength>
        </addressGroup>
      </addressGroups>
      <mtu>1500</mtu>
      <type>uplink</type>
      <isConnected>true</isConnected>
      <isSharedNetwork>false</isSharedNetwork>
      <connectedToId>virtualwire-16</connectedToId>
      <connectedToName>vxw-dvs-35-virtualwire-16-sid-5011-LS_ODC_A_Transit</connectedToName>
    </interface>
    <interface>
      <name>Towards_ODC_LS</name>
      <addressGroups>
        <addressGroup>
          <primaryAddress>10.112.203.1</primaryAddress>
          <subnetMask>255.255.255.0</subnetMask>
          <subnetPrefixLength>24</subnetPrefixLength>
        </addressGroup>
      </addressGroups>
      <mtu>1500</mtu>
      <type>internal</type>
      <isConnected>true</isConnected>
      <connectedToId>virtualwire-15</connectedToId>
      <connectedToName>vxw-dvs-35-virtualwire-15-sid-5010-LS_ODC_A</connectedToName>
    </interface>
  </interfaces>
</edge>


Distributed Logical Router successfully created. The new router's edge ID (edge-NN) is returned in the Location header of the 201 Created response; keep it, since every later call against this router, such as adding static routes, is addressed to /api/4.0/edges/<edgeId>.

Note: at the time of writing (NSX 6.2.2), the example given in the DLR section of the API documentation is actually for an ESG. Using <vnic> for a DLR interface definition does not work; <interface> </interface> must be used.
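Hand-writing this body for many sites invites two mistakes NSX Manager rejects: a subnetMask that disagrees with subnetPrefixLength, and two interfaces on overlapping subnets. The following is an added example (not code from the original post) that generates the DLR body from a short interface list so mask and prefix are derived from one CIDR string, rejects overlapping subnets before anything is sent, and extracts the edge ID from the Location header of the 201 response. The interface values are the ones from the post; the sample Location header value is constructed, and the request itself is not sent so the example runs offline.

```python
"""Build the DLR creation body for POST /api/4.0/edges from a few parameters,
and pull the new edge ID out of the Location header of the 201 response.

Added example, not code from the original post. Interface values are the
post's own; the Location header value used at the bottom is a constructed
placeholder. Subnet mask and prefix length are derived from one CIDR string
so they cannot disagree, and overlapping interface subnets are rejected
locally, since NSX Manager would reject such a body anyway.
"""
import ipaddress
import re
import xml.etree.ElementTree as ET


def _sub(parent, tag, text=None):
    """Create a child element, optionally with text, and return it."""
    el = ET.SubElement(parent, tag)
    if text is not None:
        el.text = str(text)
    return el


def build_dlr_body(name, datacenter_moid, mgmt_portgroup, interfaces,
                   deploy_appliance=False, mtu=1500):
    """Return the <edge> XML for a distributedRouter.

    interfaces: list of dicts with keys name, cidr ("192.168.10.1/24"),
    type ("uplink" or "internal"), connected_to_id (the virtualwire-N ID)
    and optionally connected_to_name.
    """
    seen = []
    edge = ET.Element("edge")
    _sub(edge, "datacenterMoid", datacenter_moid)
    _sub(edge, "name", name)
    _sub(edge, "type", "distributedRouter")
    # false = no DLR control VM; only static routing is possible without it.
    _sub(_sub(edge, "appliances"), "deployAppliances", str(deploy_appliance).lower())
    _sub(_sub(edge, "mgmtInterface"), "connectedToId", mgmt_portgroup)
    ifaces = _sub(edge, "interfaces")
    for spec in interfaces:
        if spec["type"] not in ("uplink", "internal"):
            raise ValueError(f"{spec['name']}: type must be uplink or internal")
        addr = ipaddress.ip_interface(spec["cidr"])
        for other_name, other in seen:
            if addr.network.overlaps(other.network):
                raise ValueError(f"{spec['name']} overlaps {other_name} ({other.network})")
        seen.append((spec["name"], addr))
        iface = _sub(ifaces, "interface")
        _sub(iface, "name", spec["name"])
        group = _sub(_sub(iface, "addressGroups"), "addressGroup")
        _sub(group, "primaryAddress", addr.ip)
        _sub(group, "subnetMask", addr.netmask)            # derived, cannot drift
        _sub(group, "subnetPrefixLength", addr.network.prefixlen)
        _sub(iface, "mtu", mtu)
        _sub(iface, "type", spec["type"])
        _sub(iface, "isConnected", "true")
        _sub(iface, "connectedToId", spec["connected_to_id"])
        if spec.get("connected_to_name"):
            _sub(iface, "connectedToName", spec["connected_to_name"])
    if hasattr(ET, "indent"):      # pretty-print, Python 3.9+
        ET.indent(edge)
    return ET.tostring(edge, encoding="unicode")


def edge_id_from_location(location):
    """Extract edge-N from the Location header NSX returns on 201 Created,
    e.g. '/api/4.0/edges/edge-35' or a full URL ending the same way."""
    match = re.search(r"/api/4\.0/edges/(edge-\d+)/?$", location)
    if not match:
        raise ValueError(f"unexpected Location header: {location!r}")
    return match.group(1)


# The two interfaces used in the post.
ODC_A1_INTERFACES = [
    {"name": "Towards_Transit", "cidr": "192.168.10.1/24", "type": "uplink",
     "connected_to_id": "virtualwire-16",
     "connected_to_name": "vxw-dvs-35-virtualwire-16-sid-5011-LS_ODC_A_Transit"},
    {"name": "Towards_ODC_LS", "cidr": "10.112.203.1/24", "type": "internal",
     "connected_to_id": "virtualwire-15",
     "connected_to_name": "vxw-dvs-35-virtualwire-15-sid-5010-LS_ODC_A"},
]

if __name__ == "__main__":
    body = build_dlr_body("ODC-A1", "datacenter-21", "dvportgroup-50", ODC_A1_INTERFACES)
    print(body)
    # After POSTing body to https://<NSX-MGR-IP>/api/4.0/edges (Content-Type:
    # application/xml, basic auth), read the Location header of the 201 reply.
    print(edge_id_from_location("/api/4.0/edges/edge-35"))  # constructed header value
```

Keeping the interface list per site in version control and regenerating the body from it is what makes the "replay on restore" idea above practical: the stored artefact is a few lines of parameters rather than a block of XML that has to be edited by hand for every site.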