VMware NSX-T Data Center for Intrinsic Security [V3.1]

  • 1.  Question on NSX Micro-segmentation

    Posted Aug 06, 2022 07:38 AM

    hi all,

    let's say we have 3 VMs in the same subnet.

    VM A is 10.10.1.1

    VM B is 10.10.1.2

    VM C is 10.10.1.3

    Can we apply micro-segmentation to prevent VM A from communicating with VM B? If so, how do we configure the firewall rules & policy?

    Thanks-

    regards

    Jason




  • 2.  RE: Question on NSX Micro-segmentation

    Posted Aug 06, 2022 11:05 AM

    What would be the problem with denying source A destination B and source B destination A, for example?



  • 3.  RE: Question on NSX Micro-segmentation

    Broadcom Employee
    Posted Aug 08, 2022 01:07 PM

    Because of the placement of the DFW filter on the IO chain of the virtual NIC, we can filter traffic between VMs on the same subnet.

    You'd just create a rule that says

    Source: VMA, Destination: VMB, Service: Any, Profile: None, Action: Drop/Reject.

    That rule only denies traffic coming from VMA headed to VMB. What  says is 100% correct - you could create a second rule from VMB to VMA.

    Another option might be to put both of the VMs in a Group - Group-1, then create a rule that says

    Source: Group-1, Destination: Group-2, Service: Any, Profile: None, Action: Drop/Reject.

    When the source of that rule is evaluated, either of the VMs would be matched. Same for the destination. So traffic from VMA to VMB, or VMB to VMA would be blocked by the rule, assuming both VMA and VMB are a member of Group-1.




  • 4.  RE: Question on NSX Micro-segmentation

    Posted Aug 09, 2022 12:38 PM

    Thanks 

    We need to block all ports and protocols between VMs on the same IP subnet.

    I believe this can be done! Thanks again!



  • 5.  RE: Question on NSX Micro-segmentation

    Posted Aug 11, 2022 07:58 AM

    Zero trust - just configure the default rule to block any traffic. Above the default rule, create rules for the traffic which should be allowed. That's all.



  • 6.  RE: Question on NSX Micro-segmentation

    Posted Aug 08, 2022 01:12 PM

    Hi Jason,

    I do not understand your question... if your default rule is to deny any traffic, they cannot talk to each other. So unless you allow communication between those VMs, there is no need to deny anything. That's what the DFW is all about.

    If, though, you allowed communication within the segment/network, just put an explicit deny rule anywhere above those rules (A to B any deny).

    BR
    Steffen
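The two approaches in this thread (the explicit VMA/VMB drop rules and the Group-1 rule from reply 3, and the default-deny rule with allowlist above it from replies 5 and 6), as an added example that is not from any of the posters: it builds the NSX-T Policy API payloads for the groups and security policies and runs the three VMs through a small first-match rule evaluator so the difference between the variants is visible. The default domain path `/infra/domains/default`, the group and policy IDs, and the evaluator itself are assumptions for illustration; the evaluator treats (src, dst) as the initiator and responder of a stateful flow, ignores L7 profiles and rule scope, and nothing here talks to an NSX Manager.

```python
"""Added example (not from the thread): NSX-T Policy API payloads for the
DFW rules discussed above plus a first-match evaluator to check their effect.
Domain path, IDs and VM names are constructed for illustration."""
import json

# Constructed inventory from the question: three VMs on one subnet.
VMS = {"VMA": "10.10.1.1", "VMB": "10.10.1.2", "VMC": "10.10.1.3"}
DOMAIN = "/infra/domains/default"  # assumed: default Policy API domain


def group_payload(group_id, vm_names):
    """Policy API Group whose members are VMs matched by name (Conditions OR'ed)."""
    expression = []
    for name in vm_names:
        if expression:
            expression.append({"resource_type": "ConjunctionOperator",
                               "conjunction_operator": "OR"})
        expression.append({"resource_type": "Condition",
                           "member_type": "VirtualMachine", "key": "Name",
                           "operator": "EQUALS", "value": name})
    return {"resource_type": "Group", "id": group_id,
            "display_name": group_id, "expression": expression}


def rule_payload(rule_id, seq, source_groups, destination_groups, action):
    """One DFW rule: Service Any, no L7 profile, applied at every vNIC."""
    return {"resource_type": "Rule", "id": rule_id, "display_name": rule_id,
            "sequence_number": seq, "source_groups": source_groups,
            "destination_groups": destination_groups,
            "services": ["ANY"], "profiles": ["ANY"], "scope": ["ANY"],
            "direction": "IN_OUT", "action": action, "logged": True}


def policy_payload(policy_id, rules):
    """SecurityPolicy in the Application category holding the given rules."""
    return {"resource_type": "SecurityPolicy", "id": policy_id,
            "display_name": policy_id, "category": "Application",
            "scope": ["ANY"], "rules": rules}


def patch_request(obj):
    """(method, path, body) for pushing a Group or SecurityPolicy (path assumed)."""
    kind = "groups" if obj["resource_type"] == "Group" else "security-policies"
    return "PATCH", f"/policy/api/v1{DOMAIN}/{kind}/{obj['id']}", json.dumps(obj)


def group_path(group_id):
    return f"{DOMAIN}/groups/{group_id}"


def members(group):
    """Resolve a Group payload back to the VM names it matches."""
    return {e["value"] for e in group["expression"]
            if e["resource_type"] == "Condition"}


def evaluate(policies, groups, default_action, src, dst):
    """First match wins, top-down: policies in order, rules by sequence_number,
    then the default Layer3 rule's action. src is the flow initiator."""
    def matches(refs, vm):
        return "ANY" in refs or any(vm in groups[r] for r in refs)
    for policy in policies:
        for r in sorted(policy["rules"], key=lambda r: r["sequence_number"]):
            if matches(r["source_groups"], src) and matches(r["destination_groups"], dst):
                return r["action"]
    return default_action


def scenarios():
    """{scenario: {(src, dst): action}} for the variants discussed in the thread."""
    g1, ga, gb, gc = (group_payload("Group-1", ["VMA", "VMB"]),
                      group_payload("Group-VMA", ["VMA"]),
                      group_payload("Group-VMB", ["VMB"]),
                      group_payload("Group-VMC", ["VMC"]))
    groups = {group_path(g["id"]): members(g) for g in (g1, ga, gb, gc)}
    p1, pa, pb, pc = (group_path(g["id"]) for g in (g1, ga, gb, gc))
    flows = [("VMA", "VMB"), ("VMB", "VMA"), ("VMA", "VMC"), ("VMC", "VMA")]

    a_to_b = rule_payload("a-to-b", 10, [pa], [pb], "DROP")
    b_to_a = rule_payload("b-to-a", 20, [pb], [pa], "DROP")
    cases = {
        # Reply 3, first option with only one rule: B-initiated traffic still passes.
        "one_rule_default_allow": ([policy_payload("block-a-b", [a_to_b])], "ALLOW"),
        # Same, with the second rule for the other direction.
        "two_rules_default_allow": ([policy_payload("block-a-b", [a_to_b, b_to_a])], "ALLOW"),
        # Reply 3, second option: both VMs in Group-1, one Group-1 -> Group-1 rule.
        "group_rule_default_allow": ([policy_payload(
            "block-group-1", [rule_payload("g1-to-g1", 10, [p1], [p1], "DROP")])], "ALLOW"),
        # Replies 5/6: default rule DROP, only the allowed traffic above it.
        "zero_trust_default_drop": ([policy_payload(
            "allow-c-to-a", [rule_payload("c-to-a", 10, [pc], [pa], "ALLOW")])], "DROP"),
    }
    return {name: {f: evaluate(pols, groups, default, *f) for f in flows}
            for name, (pols, default) in cases.items()}


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(name, {f"{s}->{d}": a for (s, d), a in result.items()})
    print(patch_request(group_payload("Group-1", ["VMA", "VMB"]))[1])
```

The one-rule scenario is the point of reply 3: a VMA-to-VMB drop rule does nothing for a connection VMB opens to VMA, so either add the reverse rule or put both VMs in one group and use it as source and destination. The zero-trust scenario shows why reply 6 says no deny rule is needed once the default rule drops: VMA to VMC is now blocked as well unless an allow rule is added above the default.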



  • 7.  RE: Question on NSX Micro-segmentation

    Posted Aug 09, 2022 12:35 PM

     In brief, we need to block VMs on the same subnet from communicating with each other.