VMware NSX

  • 1.  Deny Rule Suggestion

    Posted Jul 03, 2017 09:29 AM

    Design:

    Cross-VC:

    (1) Management vCenter - all management components are hosted here

    (2) VDI vCenter - dedicated to workloads for end users (projects)

    One NSX Manager for the Management vCenter - Primary - residing on the Management vCenter

    Another NSX Manager for the VDI vCenter - Secondary - also residing on the Management vCenter

    The NSX firewall on the Management vCenter is "any to any" permitted. The requirement is to implement a deny rule on the VDI vCenter so that workload access can be controlled by Service Composer rules.

    CVMs (controller virtual machines) sitting on each ESXi host talk to the Nutanix cluster. Could someone help me: do I have to add any permit rules for these connections before adding an explicit deny on the VDI vCenter?

    Thank you in advance



  • 2.  RE: Deny Rule Suggestion

    Broadcom Employee
    Posted Jul 03, 2017 09:57 AM

    I assume both VCs are in the same SSO domain? It is not good practice to mix VCs for VDI and management servers like that.

    "The NSX firewall on the Management vCenter is "any to any" permitted. The requirement is to implement a deny rule on the VDI vCenter so that workload access can be controlled by Service Composer rules."

    I don't understand the above design logic, because this is Cross-VC. To make it simple and clean: just exclude the VCs from firewall protection on both sites and protect your workloads using supported firewall rules (Local/Global).



  • 3.  RE: Deny Rule Suggestion

    Posted Jul 03, 2017 11:37 AM

    Hi,

    Thanks for your reply.

    Do we have to exclude CVM connections as well? Can you confirm?

    Thanks



  • 4.  RE: Deny Rule Suggestion

    Broadcom Employee
    Posted Jul 03, 2017 12:01 PM

    For sure you can exclude CVMs as well. The recommended configuration is: connect the CVMs to VLAN networks and ensure that the CVMs can reach each other as well as the ESXi hosts over the L2/L3 network. So you can create a rule for that rather than simply excluding the CVMs.

    Guarantee Your VMs Access to Essential Compute, Storage, and Network Resources with VMware NSX on - Nutanix Community



  • 5.  RE: Deny Rule Suggestion

    Posted Jul 04, 2017 01:35 PM

    Thanks Sreec.

    I understand it now. Because the CVM is from a different vendor and is not managed by NSX Manager, we are supposed to "permit" this before we apply the deny rule.

    Thank you so much again :-)
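
    As an added illustration of the point agreed in the two replies above (permit the CVM-to-CVM and CVM-to-ESXi traffic with explicit rules, and only then add the deny), here is a small first-match rule-table checker. It is not code from the thread, from NSX or from Nutanix: the subnets, rule names and the port numbers are constructed placeholders, and the fallback to an assumed "default allow" when no rule matches models the "any to any permitted" posture described in the original post. The check walks the table top-down exactly once per flow, which is how a distributed firewall rule table is evaluated, and reports any required infrastructure flow that a badly ordered deny would catch before its permit.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = ()  # empty address tuple means "any"; empty port set means "any"


@dataclass(frozen=True)
class Rule:
    name: str
    src: tuple        # tuple of ip_network objects; () = any
    dst: tuple        # tuple of ip_network objects; () = any
    ports: frozenset  # destination ports; frozenset() = any
    action: str       # "allow" or "deny"


def _in_any(addr, nets):
    # empty tuple = any address
    return not nets or any(addr in n for n in nets)


def evaluate(rules, src, dst, port):
    """Top-down, first-match lookup over the rule table.

    Returns (action, rule_name). If nothing matches, fall back to an
    assumed default-allow rule (the 'any to any permitted' posture from
    the thread; this fallback is an assumption of the example).
    """
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if _in_any(s, r.src) and _in_any(d, r.dst) and (not r.ports or port in r.ports):
            return r.action, r.name
    return "allow", "default-allow"


def blocked_required_flows(rules, required):
    """Return each required flow the table would deny, with the rule that denies it."""
    blocked = []
    for src, dst, port in required:
        action, name = evaluate(rules, src, dst, port)
        if action != "allow":
            blocked.append(((src, dst, port), name))
    return blocked


# Constructed address ranges (placeholders, not from any real environment).
CVM_NET = (ip_network("10.0.10.0/24"),)    # Nutanix CVM VLAN
ESXI_MGMT = (ip_network("10.0.20.0/24"),)  # ESXi host management VLAN

# Explicit permits for the infrastructure flows the replies say must exist.
INFRA_ALLOW = [
    Rule("allow-cvm-to-cvm", CVM_NET, CVM_NET, frozenset(), "allow"),
    Rule("allow-cvm-to-esxi", CVM_NET, ESXI_MGMT, frozenset(), "allow"),
    Rule("allow-esxi-to-cvm", ESXI_MGMT, CVM_NET, frozenset(), "allow"),
]
EXPLICIT_DENY = Rule("deny-any-any", ANY, ANY, frozenset(), "deny")

GOOD_TABLE = INFRA_ALLOW + [EXPLICIT_DENY]   # permits above the deny
BAD_TABLE = [EXPLICIT_DENY] + INFRA_ALLOW    # deny inserted above the permits

# Required flows: (src, dst, port). Port values are placeholders.
REQUIRED = [
    ("10.0.10.5", "10.0.10.6", 8443),  # CVM to CVM
    ("10.0.10.5", "10.0.20.5", 443),   # CVM to ESXi host
    ("10.0.20.5", "10.0.10.5", 443),   # ESXi host to CVM
]

if __name__ == "__main__":
    for label, table in (("good", GOOD_TABLE), ("bad", BAD_TABLE)):
        print(label, "blocked:", blocked_required_flows(table, REQUIRED))
    # a workload (constructed VDI desktop address) hitting a CVM is denied
    print("vdi->cvm:", evaluate(GOOD_TABLE, "10.0.100.7", "10.0.10.5", 443))
```

    Run against the good table the checker reports nothing blocked, while the bad table reports all three infrastructure flows caught by "deny-any-any"; a workload address outside the two VLANs still lands on the deny in the good table, which is the intended effect of the rule the original poster wants to add.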



  • 6.  RE: Deny Rule Suggestion

    Broadcom Employee
    Posted Jul 04, 2017 01:10 PM

    Did that help you, or is there anything additional you are looking for from a network security perspective?