Configure and Manage NSX Service Composer

VMwareNSX

The NSX service composer is one of my favorite features of NSX. I’ve never really considered myself to be lazy when it comes to doing something the right way…but I’ve never been one to overwork myself to do that. Dad always said “Work smarter, not harder”. The service composer is a combination of both. It’s a way to create multiple rules in your virtual infrastructure for items that are alike or that need to have the same type of services allowed or denied. For you Cisco guys, this is a familiar concept. Think objects and object groups on a ASA. For example, say I have a group of 6 web servers that I want to block ICMP traffic. Well that would normally mean that I would have to create 6 individual rules, one for each web server, to block this. With the service composer, however, I can create one rule. With the use of security groups and security policies, service composer makes life easy…and that doesn’t mean that you’re lazy 🙂

In this blog post, I will show you how to use the service composer to create a security policy and apply it to multiple servers.

First navigate to Networking & Security > Service Composer

sc2

The first tab that we are presented with is the Security Groups tab. Security groups are the actual assets that you want to protect. Once again, Cisco guys, think object groups. We will create a new security group for our webs servers. Click the new security group button. Enter a name for the security group. Click Next.

sc3

Security groups can have both dynamic and static memberships. With static memberships you define specific VMs that you want to protect. With dynamic memberships, VMs can be defined based off a certain criteria that you set. Also with dynamic memberships, new VMs will be added automatically if they meet the criteria that is set.

sc4

For our web servers, the criteria will be VM Name containing the word “web”. Click Next.

sc5

Here is where we can define static memberships. If your security group is not going to change much or at all, then create a static security group membership. Click Next.

sc6

This screen show the exclusion list. If we have VMs that we would not want to be a part of our security group, they would go here. Click Next.

sc7

Click Finish.

sc8

Notice our newly created security group

sc9

Under the Virtual Machines column, there is a number. If we click that number, it will show us what VMs are a part of our group.

sc10

Notice under the Canvas tab, we now have a canvas object for the Web Servers security group that we just created.

sc27

Navigate to the Security Policies tab. Click New Security Policy button.

sc11

Enter a name for the security policy. Also notice under the advanced options, there’s number under Weight. This is used when you have multiple security policies. The policy with the higher number has higher precedence. Click Next.

sc12

Click Next on the Guest Introspection Services page

sc13

Click the green + on the Firewall Rules page

sc14

Here is where we define our firewall policy. Enter in a name for the rule and next to Action, select Block. Next to Service click Change.

sc15

Here is where you define what services you want to allow or block. In our case we just want to block ICMP. So search for icmp and double click ICMP Echo and ICMP Echo Reply. Click OK.

sc16

Now we have our firewall rule created. Click Next.

sc17

Click Next on the Network Introspection Services page.

sc18

Verify that all of our settings are correct and click Finish.

sc19

Now under the security policies tab we will see our newly created policy

sc20

Now we need to apply the security policy to the security group that we created earlier. Right click the security policy and select Apply Policy

sc22

Select the Web Servers security group that we created. Click OK.

sc23

Now if we navigate over to the Canvas tab, we will see that our Web Servers canvas object has a security policy and a firewall rule associated with it. Only thing left to do is to test our firewall rule.

sc24

Here are the ping results from one of my web servers that is a part of the Web Servers security group.

sc26

Here’s the output for the ping results after removing the security policy from the security group.

sc25

That’s it! Now can’t you see how simple and efficient it is to use the service composer to create security groups and security policies for VMs rather than creating individual firewall rules for each VM? So “work smarter, not harder”.

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s