Configure Security Groups and Security Policies in VMware NSX


Configure Security Groups

Security Groups are a way to define objects that you want to group together to protect. They can be statically defined or defined dynamically. Security Groups can be defined using some of the following objects:

  • Clusters, port groups, resource pools
  • Security tags, IP Sets, MAC Sets, other security groups
  • Active Directory groups – If the NSX Manager is registered with Active Directory
  • VMs, vNICs, Logical Switch

Grouping objects together makes applying firewall rules that much easier and cuts down on the number of rules that need to be created in NSX.

To create a security group, navigate to Networking & Security > Service Composer > Security Groups. Click the “New Security Group” icon.

sg01

Enter a name for the security group. Click Next.

sg02

Here, we define any dynamic memberships. Since I want anything that is connected to my Tenant A logical switch to be included, I will select that. Click OK.

sg03

Click Next.

sg04

You can also select static objects to include in your security group. Where dynamic memberships can change, these won’t. Click Next.

sg05

You can also select objects to statically exclude from a security group. Click Next.

sg06

Click Finish.

sg07

Now we see the new security group has been created.

sg08

Since I created a dynamic security group, we see the two VMs that were connected ahead of time to the Tenant A switch are included in my newly created security group.

sg09
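To make the membership semantics above concrete, here is a small Python model (an added example, not NSX code or its API) of how a Service Composer security group resolves its effective members: dynamic criteria match on live VM attributes, static includes are added on top, and static excludes are removed last. The VM names, the "Tenant A" / "Tenant B" switch names and the inventory are constructed for the example; the exclude-wins precedence is the point being demonstrated.

```python
"""Simplified model of NSX security-group membership resolution (added example).

Effective members = (dynamic matches UNION static includes) MINUS static excludes.
Static excludes take precedence over both dynamic and static inclusion.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class VM:
    name: str
    logical_switch: str             # logical switch the VM's vNIC is attached to
    tags: frozenset = frozenset()   # NSX security tags applied to the VM


@dataclass
class SecurityGroup:
    name: str
    # dynamic criteria as (kind, value) pairs, e.g. ("logical_switch", "Tenant A")
    dynamic_criteria: list = field(default_factory=list)
    static_includes: set = field(default_factory=set)   # VM names
    static_excludes: set = field(default_factory=set)   # VM names

    def matches_dynamic(self, vm: VM) -> bool:
        """A VM matches when ANY dynamic criterion matches (OR semantics)."""
        for kind, value in self.dynamic_criteria:
            if kind == "logical_switch" and vm.logical_switch == value:
                return True
            if kind == "tag" and value in vm.tags:
                return True
        return False

    def members(self, inventory) -> list:
        """Resolve effective membership against the current inventory."""
        included = {vm.name for vm in inventory if self.matches_dynamic(vm)}
        included |= self.static_includes
        return sorted(included - self.static_excludes)


# Constructed inventory: two VMs on Tenant A (as in the walkthrough), one on
# Tenant B that we include statically, and one on Tenant A that we exclude.
INVENTORY = [
    VM("VM01", "Tenant A"),
    VM("VM02", "Tenant A"),
    VM("VM03", "Tenant B", frozenset({"mgmt"})),
    VM("VM04", "Tenant A"),
]


def tenant_a_group() -> SecurityGroup:
    """Group mirroring the walkthrough: dynamic on the Tenant A switch,
    plus a static include (VM03) and a static exclude (VM04)."""
    return SecurityGroup(
        name="SG-Tenant-A",
        dynamic_criteria=[("logical_switch", "Tenant A")],
        static_includes={"VM03"},
        static_excludes={"VM04"},
    )


def current_members() -> list:
    return tenant_a_group().members(INVENTORY)


def members_after_move(vm_name: str, new_switch: str) -> list:
    """Re-resolve membership after moving one VM to another logical switch.
    Dynamic members follow the switch; static includes and excludes do not."""
    moved = [
        VM(vm.name, new_switch, vm.tags) if vm.name == vm_name else vm
        for vm in INVENTORY
    ]
    return tenant_a_group().members(moved)


if __name__ == "__main__":
    print("members now:", current_members())
    print("after VM02 moves to Tenant B:", members_after_move("VM02", "Tenant B"))
    print("after VM03 moves to Tenant B:", members_after_move("VM03", "Tenant B"))
```

Moving VM02 off the Tenant A switch drops it from the group, while VM03 stays in because it was included statically and VM04 never appears because the exclude is applied last. That is the behaviour to keep in mind when a VM unexpectedly gains or loses firewall rules after a vMotion or a port-group change.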

Configure Security Policies

A security policy is a set of firewall rules and guest/network introspection services that are applied to a security group. You assign weights to security policies to determine which policy is applied first. By default, the newest policy is assigned the highest weight so that it falls at the top of the list.

To create a security policy, click the Create Security Policy icon.

sp01

Enter a name for the security policy and, optionally, define a weight for it. Click Next.

sp02

You can add Guest Introspection. I’m not going to at this point. Click Next to move on to the firewall rules section where I will create a rule that will be applied to our security group later.

sp03

Under the Firewall Rules section, click the green + to add a new rule.

sp04

I’m going to create a simple rule to block ping, so I will leave the source and destination as they are. One thing to keep in mind: either the source or the destination (or both) has to be set to “Policy’s Security Groups” when applying the policy. To add the proper services for ping, click Change next to Service.

sp05

Select the services. Click OK.

sp06

Now that we have the rule set up, click OK.

sp07

Click Next.

sp08

We could also add Network Introspection Services to the security policy. At this time we will not. Click Next.

sp09

Click Finish.

sp10

Now we have our newly created Security Policy. The only thing left to do is to apply it to a security group.

sp11

Under the Canvas tab, locate the Security Group that was created earlier. Click the Apply Security Policy Icon.

sp12

Select the Security Policy. Click OK.

sp13

Now I jump on to VM01 and do a few test pings. As you can see, I can’t ping inside or outside of the logical switch. I was able to do so prior to applying the security policy.

sp17
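The two rules that make the ping test behave as described are the policy weight ordering and the “Policy’s Security Groups” requirement. The following Python model (an added example, not NSX code or its API) shows both: a new policy is assigned a weight above every existing one so it lands at the top, rules are evaluated top-down by policy weight, and a rule whose source or destination is not the policy's own groups is rejected. The policy and group names, the weight step of 1000 and the VM/IP values are constructed for the example.

```python
"""Simplified model of Service Composer policy ordering and rule matching (added example)."""
from dataclasses import dataclass, field

POLICY_SG = "Policy's Security Groups"   # the special source/destination keyword


@dataclass
class Rule:
    name: str
    source: str        # a security group name, "any", or POLICY_SG
    destination: str   # same choices as source
    service: str       # e.g. "ICMP Echo", or "any"
    action: str        # "block" or "allow"


@dataclass
class SecurityPolicy:
    name: str
    weight: int
    rules: list = field(default_factory=list)


def validate_rule(rule: Rule) -> bool:
    """Service Composer only accepts a rule if source or destination (or both)
    refers to the policy's own security groups."""
    if POLICY_SG not in (rule.source, rule.destination):
        raise ValueError(f"rule {rule.name!r}: source or destination must be {POLICY_SG}")
    return True


def next_weight(existing: list, step: int = 1000) -> int:
    """Give a new policy a weight above every existing one so it sorts to the top.
    The step size is an assumption for this example."""
    return max((p.weight for p in existing), default=0) + step


def ordered(policies: list) -> list:
    """Highest weight first: this is the order rules are pushed to the firewall."""
    return sorted(policies, key=lambda p: p.weight, reverse=True)


def _endpoint_matches(spec: str, endpoint: str, scope: set, membership: dict) -> bool:
    if spec == "any":
        return True
    if spec == POLICY_SG:
        return endpoint in scope          # only members of the applied groups
    return endpoint in membership.get(spec, set())


def evaluate(policies, applied_to, membership, src, dst, service) -> str:
    """First matching rule wins, walking policies from highest weight down.
    applied_to: policy name -> set of group names it is applied to.
    membership: group name -> set of VM names. An unknown dst (e.g. an IP
    outside the inventory) belongs to no group."""
    for policy in ordered(policies):
        groups = applied_to.get(policy.name, set())
        scope = set().union(*(membership.get(g, set()) for g in groups))
        for rule in policy.rules:
            if rule.service not in (service, "any"):
                continue
            if (_endpoint_matches(rule.source, src, scope, membership)
                    and _endpoint_matches(rule.destination, dst, scope, membership)):
                return rule.action
    return "allow"   # nothing matched: fall through to the default firewall rule


# Constructed scenario: VM01 and VM02 sit in the Tenant A group, VM03 in a
# management group that is allowed to ping the policy's groups.
MEMBERSHIP = {"SG-Tenant-A": {"VM01", "VM02"}, "SG-Mgmt": {"VM03"}}


def build_policies() -> list:
    existing = [SecurityPolicy("Allow-Mgmt-Ping", 1000,
                               [Rule("mgmt-icmp", "SG-Mgmt", POLICY_SG, "ICMP Echo", "allow")])]
    # The newest policy gets the highest weight, as in the walkthrough.
    block = SecurityPolicy("Block-Ping", next_weight(existing),
                           [Rule("block-icmp", POLICY_SG, "any", "ICMP Echo", "block")])
    policies = existing + [block]
    for policy in policies:
        for rule in policy.rules:
            validate_rule(rule)
    return policies


APPLIED = {"Allow-Mgmt-Ping": {"SG-Tenant-A"}, "Block-Ping": {"SG-Tenant-A"}}


def ping_result(src: str, dst: str, applied: dict = APPLIED) -> str:
    return evaluate(build_policies(), applied, MEMBERSHIP, src, dst, "ICMP Echo")


if __name__ == "__main__":
    print([p.name for p in ordered(build_policies())])
    print("VM01 -> VM02:", ping_result("VM01", "VM02"))        # inside the switch
    print("VM01 -> 10.0.0.1:", ping_result("VM01", "10.0.0.1"))  # outside the switch
    print("VM03 -> VM01:", ping_result("VM03", "VM01"))        # mgmt still allowed
    print("before applying:", ping_result("VM01", "VM02", applied={}))
```

With the policies applied, VM01 is blocked from pinging both inside and outside the logical switch, matching the test at the end of the walkthrough, while the lower-weight management policy still permits VM03 to ping in because the higher-weight block rule only matches sources inside the policy's groups. Dropping the policy from the group (the `applied={}` case) returns to the pre-policy behaviour where the ping is allowed.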

And it’s that simple. Combining Security Groups and Security Policies can greatly reduce administrative overhead and the number of firewall rules that need to be created, keeping things nice and neat in your NSX environment.
