VMware Validated Design Distributed Firewall Configuration Guide
VMware Validated Design for Software-Defined Data Center 3.0
This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document, see http://www.vmware.com/support/pubs.
EN-002310-00
About the VMware Validated Design Distributed Firewall Configuration Guide 5
1 Distributed Firewall Configuration for Management Applications 7
Add vCenter Server Instances to the NSX Distributed Firewall Exclusion List 7
Create IP Sets for All Components of the Management Clusters in the SDDC 9
Create Security Groups 11
Create Distributed Firewall Rules 14
About the VMware Validated Design Distributed Firewall Configuration Guide
The VMware Validated Design Distributed Firewall Configuration Guide provides step-by-step instructions for configuring a distributed firewall for access control to software-defined data center (SDDC) management applications.
Configuring a distributed firewall for use with your SDDC increases the security level of your environment by allowing only the network traffic that is required for the SDDC to run. The firewall rules you define allow access to management applications.
Note The VMware Validated Design Distributed Firewall Configuration Guide is compliant and validated for use with certain VMware product versions. For more information about supported product versions, see VMware Validated Design Release Notes.
Intended Audience
This information is intended for cloud administrators, infrastructure administrators, network administrators, and cloud engineers who want to increase network security in their SDDC.
VMware Technical Publications Glossary
VMware Technical Publications provides a glossary of terms that might be unfamiliar to you. For definitions of terms as they are used in VMware technical documentation, go to http://www.vmware.com/support/pubs.
You define explicit rules for the distributed firewall that allow access to management applications.
Procedure
1 Add vCenter Server Instances to the NSX Distributed Firewall Exclusion List on page 7
Exclude vCenter Server from all of your distributed firewall rules. This ensures that network access between vCenter Server and NSX is not blocked.
2 Create IP Sets for All Components of the Management Clusters in the SDDC on page 9
Create IP sets for all management applications in the management clusters. You use the IP sets later to create security groups for use with the distributed firewall rules.
3 Create Security Groups on page 11
Create security groups for use in configuring firewall rules for the groups of application nodes in the SDDC.
4 Create Distributed Firewall Rules on page 14
Create firewall rules that allow administrators to connect to the different VMware solutions.
Add vCenter Server Instances to the NSX Distributed Firewall Exclusion List
Exclude vCenter Server from all of your distributed firewall rules. This ensures that network access between vCenter Server and NSX is not blocked.
You configure NSX Distributed Firewall using vCenter Server. If a rule prevents access between NSX Manager and vCenter Server, you will not be able to manage the distributed firewall. For this reason, you must exclude vCenter Server from all of your distributed firewall rules, ensuring that access between the two products is not blocked.
Procedure
1 Log in to vCenter Server by using the vSphere Web Client.
a Open a Web browser and go to https://mgmt01vc01.sfo01.rainpole.local/vsphere-client.
Create IP Sets for All Components of the Management Clusters in the SDDC
Create IP sets for all management applications in the management clusters. You use the IP sets later to create security groups for use with the distributed firewall rules.
You perform this procedure multiple times to configure all of the necessary IP sets. You allocate one IP set per group of application nodes.
Table 1‑1. IP Sets for the Management Clusters Components in the SDDC
Create Security Groups
Create security groups for use in configuring firewall rules for the groups of application nodes in the SDDC.
A security group is a collection of assets (or objects) from your vSphere inventory that you group together.
You perform this procedure multiple times to configure all of the necessary security groups. In addition, you create the VMware Appliances and Windows Servers groups from the security groups you add in the previous repetitions of this procedure.
Table 1‑2. Security Groups for the Management Clusters Components in the SDDC
Name | Object Type | Selected Object
Site Recovery Manager | IP Sets | Site Recovery Manager
Platform Services Controller Instances | IP Sets | Platform Services Controller Instances
vCenter Server Instances | IP Sets | vCenter Server Instances
vSphere Replication | IP Sets | vSphere Replication
vRealize Automation Appliances | IP Sets | vRealize Automation Appliances
vRealize Automation Windows | IP Sets | vRealize Automation Windows
vRealize Orchestrator | IP Sets | vRealize Orchestrator
vRealize Business Server | IP Sets | vRealize Business Server
vRealize Automation Proxy Agents | IP Sets | vRealize Automation Proxy Agents
vRealize Business Data Collector | IP Sets | vRealize Business Data Collector
vSphere Data Protection | IP Sets | vSphere Data Protection
vRealize Operations Manager | IP Sets | vRealize Operations Manager
vRealize Operations Manager Remote Collectors | IP Sets | vRealize Operations Manager Remote Collectors
vRealize Log Insight | IP Sets | vRealize Log Insight
SDDC | IP Sets | SDDC
Administrators | IP Sets | Administrators
Windows Servers | Security Groups | Site Recovery Manager; vRealize Automation Windows; vRealize Automation Proxy Agents
VMware Appliances | Security Groups | Platform Services Controller Instances; vCenter Server Instances; vSphere Replication; vRealize Automation Appliances; vRealize Orchestrator; vRealize Business Server; vRealize Business Data Collector; vSphere Data Protection; vRealize Operations Manager; vRealize Operations Manager Remote Collectors; vRealize Log Insight
Procedure
1 Log in to vCenter Server by using the vSphere Web Client.
a Open a Web browser and go to https://mgmt01vc01.sfo01.rainpole.local/vsphere-client.
2 In the Navigator, click Networking & Security and click NSX Managers.
3 Select the 172.16.11.65 NSX Manager instance, and click the Manage tab.
4 Click Grouping Objects, select Security Group, and click the Add new Security Group icon.
The Add Security Group wizard appears.
5 On the Name and description page, enter Site Recovery Manager in the Name text box, select the Mark this object for Universal Synchronization check box, and click Next.
For all security groups that you configure, select the Mark this object for Universal Synchronization check box.
6 On the Select objects to include page, select IP Sets from the Object Type drop-down menu, select Site Recovery Manager from the list of available objects, click the Add button, and click Next.
Create Distributed Firewall Rules
Procedure
2 Add a section for the rules for the management applications.
a In the Navigator, click Networking & Security and click Firewall.
b From the NSX Manager drop-down menu, select 172.16.11.65.
c Click the Add Section icon.
d In the Add New Section dialog box, enter VMware Management Services in the Section Name text box, select the Mark this section for Universal Synchronization check box, and click Save.
3 Create a distributed firewall rule to allow SSH access to administrators for the different VMware appliances.
a Click Add rule in the VMware Management Services section.
b In the Name cell of the new rule, click the Edit icon to change the rule name to Allow SSH to admins.
c Click the Edit icon in the Source column, change the Object Type to Security Groups, add Administrators to the Selected Objects list, and click OK.
d Click the Edit icon in the Destination column, change the Object Type to Security Groups, add VMware Appliances to the Selected Objects list, and click OK.
e Click the Edit icon in the Service column, enter SSH in the filter, add SSH to the Selected Objects list, and click OK.
f Click Publish Changes.
4 Repeat the previous step to create the following distributed firewall rules.
Name | Source | Destination | Service
Allow vRA Portal to end users | any | vRealize Automation Appliances | HTTP, HTTPS
Allow vRA Console Proxy to end users | any | vRealize Automation Appliances | 8444
Allow SDDC to any | SDDC | any | any
Allow PSC to admins | Administrators | Platform Services Controller Instances | HTTPS
Allow SSH to admins | Administrators | VMware Appliances | SSH
Allow RDP to admins | Administrators | Windows Servers | RDP
Allow Orchestrator to admins | Administrators | vRealize Orchestrator | 8281, 8283
Allow VAMI to admins | Administrators | VMware Appliances | 5480
Allow VDP to Administrators | Administrators | VMware Appliances | 8543
5 Click Publish Changes.
6 Change the default rule action from allow to block for Region A.
a Under Default Section Layer3, in the Action column for the Default Rule, change the action to Block.
b Click Publish Changes.
7 Change the default rule action from allow to block for Region B.
a From the NSX Manager drop-down menu, select 172.17.11.65.
b Under Default Section Layer3, in the Action column for the Default Rule, change the action to Block.
c Click Publish Changes.
By allowing only the network traffic that is required by the SDDC to pass, network security is improved.
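The following Python script is an added example, not part of this guide or of VMware's tooling. It encodes the nested security groups from Table 1-2 and the rule table from step 4 as data and evaluates flows with the top-down, first-match semantics of the distributed firewall, so that the effect of changing the Default Rule from Allow to Block (steps 6 and 7) can be reviewed before publishing. The IP set address ranges are not in this document, so flows are expressed by security group name, and the sample flows are constructed.

```python
# Added example (not VMware code): group-level model of this guide's DFW policy.
# Memberships come from Table 1-2 and rules from step 4; flows passed in are constructed.

# Nested security groups from Table 1-2 (Object Type "Security Groups").
GROUPS = {
    "Windows Servers": {
        "Site Recovery Manager", "vRealize Automation Windows",
        "vRealize Automation Proxy Agents"},
    "VMware Appliances": {
        "Platform Services Controller Instances", "vCenter Server Instances",
        "vSphere Replication", "vRealize Automation Appliances",
        "vRealize Orchestrator", "vRealize Business Server",
        "vRealize Business Data Collector", "vSphere Data Protection",
        "vRealize Operations Manager", "vRealize Operations Manager Remote Collectors",
        "vRealize Log Insight"},
}

# Rules in the VMware Management Services section, in published order:
# (name, source, destination, services); "any" is the wildcard.
RULES = [
    ("Allow vRA Portal to end users", "any", "vRealize Automation Appliances", {"HTTP", "HTTPS"}),
    ("Allow vRA Console Proxy to end users", "any", "vRealize Automation Appliances", {"8444"}),
    ("Allow SDDC to any", "SDDC", "any", {"any"}),
    ("Allow PSC to admins", "Administrators", "Platform Services Controller Instances", {"HTTPS"}),
    ("Allow SSH to admins", "Administrators", "VMware Appliances", {"SSH"}),
    ("Allow RDP to admins", "Administrators", "Windows Servers", {"RDP"}),
    ("Allow Orchestrator to admins", "Administrators", "vRealize Orchestrator", {"8281", "8283"}),
    ("Allow VAMI to admins", "Administrators", "VMware Appliances", {"5480"}),
    ("Allow VDP to Administrators", "Administrators", "VMware Appliances", {"8543"}),
]


def covers(selector, group):
    """True if a rule's source/destination selector includes the group, directly or via nesting."""
    return selector in ("any", group) or group in GROUPS.get(selector, ())


def evaluate(src, dst, service, default_action="Block"):
    """Return (action, rule name) for one flow. The first matching rule wins; unmatched
    traffic hits the Default Rule, which steps 6 and 7 change from Allow to Block."""
    for name, rule_src, rule_dst, services in RULES:
        if covers(rule_src, src) and covers(rule_dst, dst) and services & {"any", service}:
            return "Allow", name
    return default_action, "Default Rule"


def review(flows, default_action="Block"):
    """Return the constructed flows the policy still allows: the list to justify before
    clicking Publish Changes."""
    return [(s, d, p) for s, d, p in flows if evaluate(s, d, p, default_action)[0] == "Allow"]
```

Running review() on the same flows with default_action="Allow" shows which flows were only ever permitted by the default rule, which is the traffic steps 6 and 7 are meant to stop.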