Getting started with vCNS

March 17, 2014 | By Eric Shanks

VMware has a very nice solution for managing network access between virtual machines. In a physical environment, blocking access between servers would require routing network traffic through a firewall, which might mean several VLANs, subnets and routes. Luckily, now that many infrastructures are virtual, we have an alternative: vCloud Networking and Security (vCNS) is a solution that can be used to block traffic between virtual machines.

vCNS can be a bit intimidating, so this is a quick getting-started guide on how you can test it out in your environment.

Brian Suhr has some VirtualizeTips on his site that I recommend taking a peek at.  I highly advise paying attention to this one specifically, not because it totally blew up my lab or anything.

Do not deploy the vShield Manager appliance to a cluster that it will be protecting; it can cause the connection to itself and vCenter to be lost.

Deploy vCNS

The initial installation is a typical OVA file that can just be deployed to vSphere.  LOVE OVAs!

[Screenshot: deployOVA-vCNS]

Configure vCNS General Settings

You can access the vShield Manager by browsing to the IP address you configured during the OVA deployment. Enter the information to register your vShield Manager with vCenter. It's also a good idea to set your NTP settings.

[Screenshot: vCNS1]

Once the OVA has been deployed, you must deploy the vShield App to the hosts.

AGAIN... WARNING... DO NOT DEPLOY VSHIELD APP TO A CLUSTER THAT IT WILL BE PROTECTING.

Go to the ESXi host in the vCNS UI and click the "Install" link for vShield App. Among other things, this will add a new VMware standard switch on the host and deploy a virtual machine as a service VM.

[Screenshot: vshield3]

You'll be asked to enter some additional information for the service VM to be deployed. Oh, and if you didn't notice before, there is a warning on this page about deploying vShield App on a cluster with vCenter.

[Screenshot: vCNS3]

Once it's deployed, I would recommend adding your vCenter to the list of excluded VMs, just in case you didn't pay attention to the warnings I mentioned above about deploying vShield to the cluster you're protecting.

[Screenshot: vshield2]

Add a Firewall Rule

Now that the vShield App is deployed, go to your VMware Datacenter and open the App Firewall tab. Add a standard rule such as blocking HTTP. Be sure to Publish your changes when you're done.

[Screenshot: vshield5]

Prove IT!

Just to prove that it works: the web server is reachable before the rule is added.

[Screenshot: vshield-example1]

And after the rule is added:

[Screenshot: vshield-example2]
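The browser check above proves the one rule works; a practitioner will also want to confirm that nothing else broke, in particular that the excluded vCenter is still reachable. The script below is an added example, not from the original post or from VMware: it probes a constructed list of expected allow/deny pairs from a test VM and reports any mismatch. The IP addresses and ports are sample values.

```python
"""Verify a published vCNS App Firewall policy from a test VM (added example)."""
import socket
from dataclasses import dataclass
from typing import Callable, List


@dataclass(frozen=True)
class Expectation:
    target: str    # IP or hostname of the VM being probed
    port: int      # TCP port covered by the rule
    allowed: bool  # True if the published policy should permit the connection


def tcp_probe(target: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP connection to target:port completes within timeout.

    A vShield App block rule silently drops the SYN, so a blocked connection
    times out rather than being refused; both outcomes count as unreachable.
    """
    try:
        with socket.create_connection((target, port), timeout=timeout):
            return True
    except OSError:
        return False


def verify_policy(expected: List[Expectation],
                  probe: Callable[[str, int], bool] = tcp_probe) -> List[str]:
    """Probe every expectation and return a list of human-readable mismatches.

    An empty list means observed reachability matches the published policy.
    The probe is injectable so the logic can be exercised without a network.
    """
    failures = []
    for e in expected:
        reachable = probe(e.target, e.port)
        if reachable != e.allowed:
            want = "allowed" if e.allowed else "blocked"
            got = "reachable" if reachable else "unreachable"
            failures.append(f"{e.target}:{e.port} should be {want} but is {got}")
    return failures


# Constructed sample policy: HTTP to the web VM must be blocked by the new rule,
# while SSH to it and HTTPS to the excluded vCenter must keep working.
SAMPLE_POLICY = [
    Expectation("192.0.2.10", 80, allowed=False),  # web server, HTTP blocked
    Expectation("192.0.2.10", 22, allowed=True),   # management access untouched
    Expectation("192.0.2.5", 443, allowed=True),   # vCenter, on the exclusion list
]

if __name__ == "__main__":
    problems = verify_policy(SAMPLE_POLICY)
    print("policy OK" if not problems else "\n".join(problems))
```

Run it from a VM inside the protected cluster before and after publishing the rule; the "before" run should report exactly one mismatch (HTTP still reachable) and the "after" run should report none.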

Summary

vCNS is an important tool for vSphere administrators.  It is a necessary component for vCAC and vCloud Director to separate traffic.  This is also very important for environments that are concerned about their PCI-DSS in-scope networks.  Virtual firewalls don’t have to be complicated to be effective!