Use Case: I have a single data center with two departments on different subnets, each accessing its own VDI pool sitting behind an NSX Load Balancer. Suppose HR users connect to the URL hr.vdi.com and Sales users connect to sales.vdi.com, and both names resolve to a single NSX LB configured with one VIP and a connection manager pool.
Consider a scenario where an HR user walks over to the Sales block and tries to reach the HR VDI with hr.vdi.com from the Sales subnet; as per the security guidelines this should not be allowed.
Now consider another scenario where an HR user in the Sales block tries to reach a VDI with sales.vdi.com from the Sales subnet; as per the security guidelines this should not be allowed either.
A further requirement is that no user from any other subnet should be able to reach any of the VDI URLs, and the customer does not want to use a firewall for internal traffic. In short, we have to do a subnet-to-URL mapping on the NSX Edge Load Balancer.
To achieve this we will use NSX Edge LB Application Rules. An application rule is a script (HAProxy syntax) that lets us directly inspect and manipulate IP application traffic on the load balancer, including which pool a request is sent to.
The procedure to create an application rule is as follows:
1. Log in to the vSphere Web Client.
2. Click Networking & Security and then click NSX Edges.
3. Double-click an NSX Edge.
4. Click Manage and then click the Load Balancer tab.
5. In the left navigation panel, click Application Rules and click the Add icon.
6. Type the name and script for the rule.
So at this point we have an NSX Edge Load Balancer with a Connection Broker VIP and a pool of Connection Servers.
Now, to restrict access, the procedure is as follows:
Go to the NSX Edge, click Load Balancer, open Virtual Servers, edit the Connection Broker virtual server and set Default Pool to NONE.
This ensures that any user hitting the connection broker VIP gets an error, because no pool is defined for the request (so by default no user can reach any of the services; deny is the default action).
Now we write application rules to allow access.
# ACL for the subnet -> acl host_subnet src 10.52.16.0/24 (we are allowing this subnet)
# ACL for the URL -> acl host_url hdr(Host) -i abc.xyz.com (we are allowing abc.xyz.com; -i makes the Host match case-insensitive)
So only if the user comes from subnet 10.52.16.0/24 and uses the URL abc.xyz.com is the request sent to the pool hosting the Horizon View Connection Broker services.
The rule then looks like this: use_backend CB_Pool if host_subnet host_url
Notice that after "if" there are two ACL names with nothing between them. HAProxy treats adjacent ACLs as an AND condition (the default), so both ACLs have to match before the user is allowed through to the pool. Two things to keep in mind: "src" is the source address as seen by the Edge, so if a NAT device or proxy sits between the users and the VIP the ACL will see the translated address rather than the user's subnet; and hdr(Host) can only be read on an HTTP or HTTPS virtual server where SSL is terminated on the Edge, not on a TCP (SSL passthrough) virtual server.
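The complete rule for the HR/Sales use case, written out as an added example (this is not code from the original post). It assumes HR is on 10.52.16.0/24 (the subnet used in the post), Sales is on 10.52.17.0/24 (a made-up subnet for this example), both URLs are served by the single pool CB_Pool named in the post, and the virtual server's Default Pool has already been set to NONE. It goes beyond the single-subnet rule above by covering both departments and adding an explicit deny, so that rejected requests get a clean HTTP 403 instead of the 503 you get when no pool matches.

```haproxy
# Added example (not from the original post): subnet-to-URL mapping for the
# HR/Sales use case as one NSX Edge application rule, attached to the
# Connection Broker virtual server whose Default Pool is set to NONE.
# Assumptions: HR on 10.52.16.0/24 (from the post), Sales on 10.52.17.0/24
# (made up for this example), one pool CB_Pool behind both URLs.

# Source-subnet ACLs. "src" is the client address as seen by the Edge,
# so these only work if there is no NAT/proxy between the users and the VIP.
acl hr_subnet    src 10.52.16.0/24
acl sales_subnet src 10.52.17.0/24

# Host-header ACLs. hdr(Host) is an exact string match; -i makes it
# case-insensitive, so "HR.vdi.com" matches but "hr.vdi.com:443" would not.
# If clients send an explicit port, list it as a second pattern on the
# same acl line (patterns on one line are ORed), e.g.
#   acl hr_url hdr(Host) -i hr.vdi.com hr.vdi.com:443
acl hr_url    hdr(Host) -i hr.vdi.com
acl sales_url hdr(Host) -i sales.vdi.com

# Explicit deny for anything that is not (HR subnet AND HR URL) or
# (Sales subnet AND Sales URL). Adjacent ACLs are ANDed, "or" is OR, and
# AND binds tighter than OR. This returns HTTP 403 for the wrong
# subnet/URL combination, which is easier to tell apart in the logs from a
# genuine pool outage than the 503 produced by "no pool defined".
http-request deny unless hr_subnet hr_url or sales_subnet sales_url

# Backend selection for the two permitted combinations. With Default Pool
# set to NONE, nothing else can reach the Connection Servers.
use_backend CB_Pool if hr_subnet hr_url
use_backend CB_Pool if sales_subnet sales_url
```

Two caveats when applying this. First, the rule can only see subnets and hostnames, not people: an HR user who is physically on the Sales subnet and types sales.vdi.com matches the Sales pair and reaches the pool exactly like a Sales user would, so that scenario has to be covered by Horizon authentication and desktop entitlements, not by the load balancer. Second, the rule needs an HTTPS virtual server with SSL terminated on the Edge (or a plain HTTP one); a TCP virtual server passing SSL straight through cannot read the Host header.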
I hope this will be useful when planning security at the load balancer level where a firewall is not feasible.
Some other examples of application rules:
# Block URL
Check whether the request path starts with "/private" or "/finance" (case insensitive) and reject it.
# Redirect EVERYTHING to maintenance site
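The two rule types listed above, written out as added examples (not code from the original post). Each is a separate NSX Edge application rule that you attach to a virtual server; the maintenance hostname is a placeholder chosen for this example.

```haproxy
# Added examples (not from the original post) for the two rule types
# listed above. Each is its own application rule attached to a virtual
# server; the maintenance hostname below is a placeholder.

# --- Rule 1: Block URL ---
# path_beg tests the request path prefix; -i makes it case-insensitive,
# and several patterns on one acl line are ORed together, so this matches
# /private, /Private/..., /finance/reports, etc.
acl block_url_list path_beg -i /private /finance
# Reply with HTTP 403 to anything on the list before a pool is selected.
http-request deny if block_url_list

# --- Rule 2: Redirect EVERYTHING to the maintenance site ---
# No condition, so every request to this virtual server is redirected.
# redirect is evaluated before use_backend, so the pools are never
# consulted while this rule is attached; attach it only for the duration
# of the maintenance window and remove it afterwards.
redirect location https://maintenance.example.com/ code 302
```

If both rules are attached to the same virtual server at once, http-request rules run before redirect rules, so a request for /private is denied rather than redirected; everything else goes to the maintenance site.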