Getting started with vCNS
March 17, 2014

VMware has a very nice solution for managing network access between virtual machines. In a physical environment, blocking access between servers would require routing network traffic through a firewall. This might mean several VLANs, subnets and routes. Luckily, now that many infrastructures are virtual, we have an alternative. vCloud Networking and Security (vCNS) is a solution that can be used to block traffic between virtual machines.
vCNS can be a bit intimidating, so this is a quick getting-started guide on how you can test it out in your environment.
Brian Suhr has some VirtualizeTips on his site that I recommend taking a peek at. I highly advise paying attention to this one specifically, not because it totally blew up my lab or anything.
Do not deploy the vShield Manager appliance to a cluster that it will be protecting; it can cause the connection to itself and vCenter to be lost.
Deploy vCNS
The initial installation is a typical OVA file that can just be deployed to vSphere. LOVE OVAs!
Configure vCNS General Settings
You can access vShield Manager by browsing to the IP address you configured during the OVA deployment. Enter the information to register your vShield Manager with vCenter. Also, it’s a good idea to set your NTP settings.
Once the OVA has been deployed, you must deploy the vShield App to the hosts.
AGAIN….WARNING….. DO NOT DEPLOY VSHIELD APP TO A CLUSTER THAT IT WILL BE PROTECTING.
Go to the ESXi host in the vCNS app and click the “Install” link for vShield App. This will add a new VMware standard switch on the host as well as deploy a virtual machine as a service VM, to name a few things.
You’ll be asked to enter some additional information for the service VM to be deployed. Oh, and if you didn’t notice before, there is a warning on this page about deploying vShield App on a cluster that hosts vCenter.
Once it’s deployed, I would recommend adding your vCenter to the list of excluded VMs, just in case you didn’t pay attention to the warnings I mentioned above about deploying vShield to the cluster you’re protecting.
Add a Firewall Rule
Now that the vShield app is deployed, go to your VMware DataCenter and go to the App Firewall tab. Add a standard rule such as blocking HTTP. Be sure to Publish your changes when you’re done.
Prove IT!
Just to prove that it works: we can see the web server works fine before the rule is added.
After the rule is added.
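To make the "before" and "after" check above repeatable, and to catch the lock-out the warnings describe at the same time, here is a small check script. It is an added example, not part of the original post or of vCNS itself; the hostnames are placeholders, and it only assumes `curl` on your workstation.

```shell
#!/bin/sh
# Added example, not from the original post: check that an App Firewall rule
# took effect without also cutting off your own path to vCenter or vShield
# Manager (the lock-out the warnings above describe).
# Hostnames below are placeholders for this example; set them for your lab.
WEB_SERVER="web01.lab.example"     # VM the block-HTTP rule targets
VCENTER="vcenter.lab.example"      # must stay reachable from this workstation
VSHIELD_MGR="vsm.lab.example"      # must stay reachable from this workstation
TIMEOUT=5

# classify CURL_EXIT -> allowed | blocked | refused | error
# A vShield App rule drops packets, so a blocked port shows as a timeout (28);
# a port that is simply closed is refused (7) and must not be read as "blocked".
classify() {
    case "$1" in
        0)  echo allowed ;;
        28) echo blocked ;;
        7)  echo refused ;;
        *)  echo error ;;
    esac
}

# probe URL -> one of the classify words; -k because lab certs are self-signed
probe() {
    rc=0
    curl -sk -o /dev/null --connect-timeout "$TIMEOUT" "$1" || rc=$?
    classify "$rc"
}

# evaluate PHASE WEB VCENTER VSM -> prints PASS/FAIL, returns 1 on FAIL.
# PHASE is "before" (rule not yet published) or "after" (rule published).
evaluate() {
    if [ "$3" != allowed ] || [ "$4" != allowed ]; then
        echo "FAIL: management path cut off (vCenter=$3 vShield=$4)"; return 1
    fi
    case "$1:$2" in
        before:allowed) echo "PASS: baseline, HTTP to web server reachable" ;;
        after:blocked)  echo "PASS: rule in effect, HTTP to web server dropped" ;;
        before:*) echo "FAIL: HTTP not reachable before the rule (web=$2)"; return 1 ;;
        after:*)  echo "FAIL: rule not dropping HTTP (web=$2)"; return 1 ;;
    esac
}

# usage: sh check_rule.sh before   ... publish the rule ...   sh check_rule.sh after
case "${1:-}" in
    before|after)
        evaluate "$1" "$(probe "http://$WEB_SERVER/")" \
                      "$(probe "https://$VCENTER/")" "$(probe "https://$VSHIELD_MGR/")" ;;
esac
```

Run it with `before` right before you hit Publish and with `after` right after; a FAIL on the management path is your cue to remove the rule immediately.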
Summary
vCNS is an important tool for vSphere administrators. It is a necessary component for vCAC and vCloud Director to separate traffic. This is also very important for environments that are concerned about their PCI-DSS in-scope networks. Virtual firewalls don’t have to be complicated to be effective!
Hi there,
I just found your helpful article about the deployment of Deep Security here. I’ve got a question about your hint concerning the installation method:
“AGAIN….WARNING….. DO NOT DEPLOY VSHIELD APP TO A CLUSTER THAT IT WILL BE PROTECTING.”
What does that mean? Should I not install it virtually on the cluster where the VMs that need to be protected are running? So should that appliance be installed on a standalone host? Is it possible to point this out? What should the installation environment look like?
Thank you very much,
Jan
I apologize if I wasn’t clear. The Shield App ideally should be on a different cluster than the cluster it’s protecting. If it isn’t, a firewall rule that is added may block you from getting to your own vApp to change the setting back and could cause you a serious amount of time to fix a silly mistake. It is possible to do it, but don’t do it. I hope this helps.
Yes, this helps a lot. I’ll do a complete installation from scratch next week, so I can check if your install series works out 🙂 For some reason the customer decided to deploy only one cluster, but hey, it is a Nutanix block – so it’s quite fun to work with. I’ll keep that firewall issue in mind! Thanks!!
I am trying to learn vCloud and was wondering where exactly you specify the information regarding the external IPs and how it is made to point to actual IPs of the VMs created for customers.