VMware has a very nice solution for managing network access between virtual machines. In a physical environment, blocking access between servers would require routing network traffic through a firewall. This might mean several vlans, subnets and routes. Luckily now that many infrastructures are virtual we have an alternative. vCloud Networking and Security (vCNS) is a solution that can be used to block traffic between virtual machines.
vCNS can be a bit intimidating so this is a quick, getting started, guide on how you can test it out in your environment.
Brian Suhr has some VirtualizeTips on his site that I recommend taking a peek at. I highly advise paying attention to this one specifically, not because it totally blew up my lab or anything.
Do not deploy vShield manager appliance to a cluster that it will be protecting, can cause connection to itself and vCenter to be lost.
Deploy vCNS
The initial installation is a typical OVA file that can just be deployed to vSphere. LOVE OVAs!
Configure vCNS General Settings
You can access the vshield manager by going to the web address of the IP you configured in your OVA file deployment. Enter the information to register your vShield Manager with the vCenter. Also, it’s a good idea to set your NTP settings.
Once the OVA has been deployed, you must deploy the vShield App to the hosts.
AGAIN….WARNING….. DO NOT DEPLOY VSHIELD APP TO A CLUSTER THAT IT WILL BE PROTECTING.
Go to the ESXi host in the vCNS app and click the “Install” link for vShield App. This will add a new VMware standard switch on the host as well as deploy a virtual machine as a service VM, to name a few things.
You’ll be asked to enter some added information for the service VM to be deployed. Oh, and if you didn’t notice before, there is a warning on this page about deploying vShield App on a cluster with virtual center.
Once it’s deployed, I would recommend adding your vCenter to the list of excluded VMs, just in case you didn’t pay attention to the warnings’s I mentioned above about deploying vShield to the cluster you’re protecting.
Add a Firewall Rule
Now that the vShield app is deployed, go to your VMware DataCenter and go to the App Firewall tab. Add a standard rule such as blocking HTTP. Be sure to Publish your changes when you’re done.
Prove IT!
Just to prove that it works. We can see the web server works fine before the rule is added.
After the rule is added.
Summary
vCNS is an important tool for vSphere administrators. It is a necessary component for vCAC and vCloud Director to separate traffic. This is also very important for environments that are concerned about their PCI-DSS in-scope networks. Virtual firewalls don’t have to be complicated to be effective!