Restrict User Access using NSX Load Balancer Application Rules without using Firewall

Use Case: A single data center has two departments on different subnets, each accessing its own VDI pool behind an NSX Edge Load Balancer. Suppose HR users reach their desktops through the URL hr.vdi.com and sales users through sales.vdi.com, and both URLs resolve to a single NSX LB configured with one VIP and one connection server pool.

Consider a scenario where an HR user walks over to the sales block and tries to reach the HR VDI using hr.vdi.com from the sales subnet. Per the security guidelines this should not be allowed.

Now consider a second scenario where the same HR user, again on the sales subnet, tries sales.vdi.com instead. Per the security guidelines this should not be allowed either. Keep in mind that the load balancer only sees the client source IP and the HTTP Host header: the subnet-to-URL mapping described below handles the first scenario, while in the second the request is indistinguishable from a legitimate sales user's, so that case has to be enforced elsewhere (for example by the Horizon pool entitlements).

A further requirement is that no user from any other subnet should be able to reach any of the VDI URLs, and the customer does not want to use a firewall for internal traffic. In short, we have to implement a subnet-to-URL mapping on the NSX Edge Load Balancer.

To achieve this we will use NSX Edge LB Application Rules. An application rule is a script, written in HAProxy syntax, that lets us directly inspect and manipulate the application traffic passing through a virtual server.

The procedure to create a rule is as follows:

1 Log in to the vSphere Web Client.
2 Click Networking & Security and then click NSX Edges.
3 Double-click an NSX Edge.
4 Click Manage and then click the Load Balancer tab.
5 In the left navigation panel, click Application Rules and click the Add icon.
6 Type the name and script for the rule.

So we have created an NSX Edge Load Balancer with a Connection Broker VIP and a pool of Connection Servers.

Now, to restrict access, the procedure is as follows:

Go to the NSX Edge, click Load Balancer, open Virtual Servers and set the Default Pool of the VIP to NONE.

This ensures that any user who reaches the connection broker VIP gets an error, because no pool is defined: with no matching rule, nobody can access any of the services. This default-deny action is what the rest of the configuration relies on.

Now we will write Application Rules to allow access.


# ACL for subnet: acl host_subnet src 10.52.16.0/24 (matches when the client source address is in 10.52.16.0/24, the subnet we are allowing)

# ACL for URL: acl host_url hdr(Host) -i abc.xyz.com (matches when the HTTP Host header is exactly abc.xyz.com; -i makes the comparison case-insensitive)

So only if the user comes from subnet 10.52.16.0/24 and uses the URL abc.xyz.com is the request sent to the pool hosting the Horizon View Connection Broker services.

The rule line is: use_backend CB_Pool if host_subnet host_url

Note that after "if" there are two ACL names with nothing between them. HAProxy treats that as an AND condition by default, so both ACLs must match before the request is routed to the pool. A request that matches none of the use_backend lines falls through to the default pool, which we set to NONE, and is refused.
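As an added example (not code from the original post, nor NSX or HAProxy code), here is a small Python evaluator that parses the three rule forms used above (acl ... src, acl ... hdr(Host) -i, use_backend ... if) and applies them to sample requests, so the subnet-to-URL mapping for both departments can be checked offline before it is pasted into the Edge. The sales subnet 10.52.17.0/24 is an assumption; the post only names 10.52.16.0/24. The default pool is None, mirroring the VIP's Default Pool setting of NONE.

```python
import ipaddress

# Constructed rule script for the two-department use case.
# 10.52.17.0/24 for sales is an assumption; the post only names 10.52.16.0/24.
APPLICATION_RULE = """
# HR users: allow hr.vdi.com only from the HR subnet
acl hr_subnet src 10.52.16.0/24
acl hr_url hdr(Host) -i hr.vdi.com
use_backend CB_Pool if hr_subnet hr_url

# Sales users: allow sales.vdi.com only from the sales subnet
acl sales_subnet src 10.52.17.0/24
acl sales_url hdr(Host) -i sales.vdi.com
use_backend CB_Pool if sales_subnet sales_url
"""


def parse_rules(script):
    """Return (acls, routes) for the subset of HAProxy syntax the post uses.

    acls   maps an ACL name to a predicate(ip_address, host_header) -> bool
    routes is an ordered list of (pool, [acl names]); the names are ANDed,
           which is what HAProxy does with space-separated ACLs after "if"
    """
    acls, routes = {}, []
    for raw in script.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        tokens = line.split()
        if tokens[0] == "acl":
            name, criterion, args = tokens[1], tokens[2], tokens[3:]
            if criterion == "src":
                nets = [ipaddress.ip_network(a, strict=False) for a in args]
                acls[name] = lambda ip, host, nets=nets: any(ip in n for n in nets)
            elif criterion == "hdr(Host)":
                # "-i" makes the exact-match comparison case-insensitive
                fold = bool(args) and args[0] == "-i"
                values = {a.lower() if fold else a for a in (args[1:] if fold else args)}
                acls[name] = lambda ip, host, v=values, f=fold: (host.lower() if f else host) in v
            else:
                raise ValueError("unsupported ACL criterion: " + criterion)
        elif tokens[0] == "use_backend":
            if len(tokens) < 4 or tokens[2] != "if":
                raise ValueError("unsupported use_backend form: " + line)
            routes.append((tokens[1], tokens[3:]))
        else:
            raise ValueError("unsupported directive: " + tokens[0])
    return acls, routes


def select_pool(acls, routes, src_ip, host_header, default_pool=None):
    """First use_backend whose ACLs all match wins; otherwise the default pool (NONE)."""
    ip = ipaddress.ip_address(src_ip)
    for pool, names in routes:
        if all(acls[name](ip, host_header) for name in names):
            return pool
    return default_pool


def decide(src_ip, host_header, script=APPLICATION_RULE):
    """Pool a request with this source IP and Host header would be sent to, or None."""
    acls, routes = parse_rules(script)
    return select_pool(acls, routes, src_ip, host_header)


if __name__ == "__main__":
    samples = [("10.52.16.10", "hr.vdi.com"),     # HR user on the HR subnet
               ("10.52.17.10", "hr.vdi.com"),     # HR user in the sales block
               ("10.52.17.10", "sales.vdi.com"),  # looks exactly like a sales user
               ("192.168.1.5", "sales.vdi.com")]  # any other subnet
    for ip, host in samples:
        print(ip, host, "->", decide(ip, host) or "no pool (refused)")
```

Running it shows the first scenario refused (HR URL from the sales subnet falls through to no pool) and every foreign subnet refused, but the sales URL from the sales subnet routed to CB_Pool regardless of who the user is, which is the limit of what a source-address and Host-header rule can express.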

I hope this is useful for planning security at the load balancer level where a firewall is not feasible.

Some other examples of Application Rules:

# Block URL
# Check if the request path starts with "/private" or "/finance" (case-insensitive)
acl block_url_list path_beg -i /private /finance
# If the request matches the forbidden list, reply "Forbidden" (HTTP response code 403)
block if block_url_list

# Redirect EVERYTHING to the maintenance site
redirect location http://maintenance.xyz.com/maintenance.htm

Note that the redirect rule has no "if" clause, so it applies to every request that reaches the virtual server.
