One of the new features in NSX-T 3.0 is a wizard to quickly implement VLAN-based micro-segmentation. A common misconception about NSX is that you have to deploy Software Defined Networking to leverage micro-segmentation. That is not the case if you just want to secure workloads backed by VLANs.
Check out the release notes for a definitive list of new features https://docs.vmware.com/en/VMware-NSX-T-Data-Center/3.0/rn/VMware-NSX-T-Data-Center-30-Release-Notes.html#whats_new
You can leverage the new wizard to quickly get up and running, without the need to deploy Logical Routing, Edge Nodes or TEPs (Tunnel End Points) on the Transport Nodes.
By the way, you are not getting the full benefit of NSX if you are not leveraging Software Defined Networking, but that's beside the point for this post 🙂
In this post I’ll walk you through this new process in a vSphere 7.0 environment.
My Compute cluster is made up of two ESXi 7.0 hosts, and I already have a 3-tier application deployed on a vSphere Distributed Switch with VLAN backed port groups. Before implementing NSX, all traffic has to hairpin to the North-South physical firewall to be inspected, see the diagram below.
OK, so let's make this more efficient and secure by implementing micro-segmentation with NSX.
Note, I have already deployed an NSX Manager, but have not performed any post-installation configuration.
Simplified VLAN micro-segmentation workflow
- Login to the NSX Manager https://nsxmgr-fqdn
- Within the System section, bottom right, click Get Started
- Select Add Compute Manager
- Click +ADD in the next window and enter the details for your vCenter Server. As this is a vCenter running v7.0 I chose to toggle the Enable Trust feature to trust the compute manager for authentication. Click Add when you have entered the relevant details for your environment. Validate the thumbprint and click Add (screenshot not shown)
- Click Refresh a couple of times, until the Compute Manager shows as Registered and has a Connection Status of Up
- Now let's click Home (top left) and the Getting Started button as in step 1
- We can now see that we can start the Prepare Clusters for VLAN Micro-segmentation wizard by clicking the Get Started button
- You'll be presented with the clusters within your Compute Manager. Note, if you already have clusters with a transport node profile applied, they will not show in the list. In my case the 3-tier app I want to micro-segment is deployed in the cluster named Compute, so I select that and click Next
- I select my existing Compute-vDS, map Uplink1 & Uplink2 and click Next
- In my example I am not changing the physical uplink configuration, so I can click Finish
- You can now view progress; the install will take a few minutes. A transport node profile is being created and assigned to the cluster, and the NSX-T VIBs are being installed. A VLAN backed Transport Zone named 'nsx-vlan-transportzone' is automatically created and applied to the Transport Nodes as part of the Transport Node Profile.
- Go to System -> Fabric -> Nodes -> Managed by vCenter to view progress. Within 5 minutes installation was completed on my Compute cluster. I can see NSX Configuration reports success along with the NSX Version. NOTE – the TEP (Tunnel End Point) field is blank. This is to be expected, as we are only configuring micro-segmentation for VLAN backed networks.
Wow, that was easy compared to previous versions of NSX! Now that we have leveraged the wizard to prepare the Transport Nodes, we are ready to create some Segments and migrate the Virtual Machines.
Create Segments and Migrate Virtual Machines
I now need to create Segments in NSX that represent my application, i.e. Web (VLAN 10), App (VLAN 20) & DB (VLAN 30). Refer to the diagram earlier in this post.
- Click Networking -> Segments -> Add Segment
- I give it a name of Web, select the nsx-vlan-transportzone, and enter the appropriate VLAN. Scroll down and click Save (you may have to scroll down to see the Save button)
- When presented with the Want to continue configuring this Segment? prompt, click No
- In my case I need to repeat steps 1-3 to configure the App & DB Segments. Once completed, I can now see the 3 newly created VLAN backed segments
- I now need to login to the vSphere Client https://<vcenter-fqdn>/ui
- Looking in the networking section of the vSphere Client, I can see the new segments. Note the N icon to denote they are NSX managed port groups
- I can now start migrating Virtual Machines to the new Segments. Before I start the migration I validate I can ping the VMs that make up my 3-tier application and access the web front end.
- Once my validation is complete, I right click the non-NSX-managed Web port group, i.e. the one the web VMs currently reside on, and select Migrate VMs to Another Network
- Within Destination Network I click Browse
- In the top right of the Select Network window I can optionally type web to filter the results. I choose Web (the one with the N icon) and click OK
- Back on the Migrate VMs to Another Network screen, verify you have the correct Source & Destination network specified then click Next
- I filter for web, select my 2 web VMs and click Next
- On the Ready to complete screen I click Finish
- I then repeated steps 8-13 to migrate the App VM to the new App Segment, and the DB VM to the new DB Segment
- Once the migration is complete I validated I can still ping the VMs and connect to the Web Front End.
At this point I am ready to build my security policy for the 3-tier application. Creating the policy is out of scope for this post, but here is what my finished policy looks like. My 3-tier application, residing on a VLAN backed network, is now protected by the NSX Distributed Firewall.
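To show what the wizard-created transport zone and the three Segment steps above amount to in the NSX-T Policy API, here is an added Python example that is not from the original post. The manager FQDN, credentials and CA bundle are placeholders, and the segment ids web, app and db are my own choice.

```python
import base64
import json
import ssl
import urllib.request

NSX_MANAGER = "nsxmgr-fqdn"            # hypothetical manager FQDN, replace with yours
CREDENTIALS = ("admin", "REPLACE_ME")  # placeholder; take the password from a vault, not code
CA_BUNDLE = None                       # None = system trust store; or path to the manager CA PEM
TZ_NAME = "nsx-vlan-transportzone"     # VLAN transport zone the wizard creates
SEGMENTS = {"Web": 10, "App": 20, "DB": 30}  # tiers and VLAN IDs used in the post
BASE = f"https://{NSX_MANAGER}/policy/api/v1"

def find_vlan_tz(tz_results, name=TZ_NAME):
    """Return the id of the VLAN-backed transport zone called `name` from the "results"
    list of GET /infra/sites/default/enforcement-points/default/transport-zones."""
    for tz in tz_results:
        if tz.get("display_name") == name and tz.get("tz_type") == "VLAN_BACKED":
            return tz["id"]
    raise LookupError(f"no VLAN-backed transport zone named {name}")

def segment_body(name, vlan_id, tz_id):
    """Body for PATCH /infra/segments/<id>. PATCH is idempotent, so reruns are safe."""
    if not 1 <= int(vlan_id) <= 4094:
        raise ValueError(f"VLAN {vlan_id} is not a valid 802.1Q VLAN ID")
    return {
        "display_name": name,
        "vlan_ids": [str(vlan_id)],
        "transport_zone_path":
            f"/infra/sites/default/enforcement-points/default/transport-zones/{tz_id}",
    }

def call(method, path, body=None):
    """Basic-auth request to the manager; TLS is verified against CA_BUNDLE."""
    token = base64.b64encode(":".join(CREDENTIALS).encode()).decode()
    req = urllib.request.Request(
        BASE + path, method=method, data=json.dumps(body).encode() if body else None,
        headers={"Authorization": f"Basic {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, context=ssl.create_default_context(cafile=CA_BUNDLE)) as r:
        raw = r.read()
        return json.loads(raw) if raw else None

def create_segments():
    """Look up the wizard's transport zone, then create or update the three segments."""
    tzs = call("GET", "/infra/sites/default/enforcement-points/default/transport-zones")
    tz_id = find_vlan_tz(tzs["results"])
    for name, vlan in SEGMENTS.items():
        call("PATCH", f"/infra/segments/{name.lower()}", segment_body(name, vlan, tz_id))
    return tz_id
```

Run `create_segments()` after the wizard has finished; the N-tagged port groups then appear in the vSphere Client exactly as they do when created through the UI.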
Summary
In summary, I hope you can now see how the new Simplified VLAN micro-segmentation workflow in NSX-T 3.0 helps you deploy the NSX Distributed Firewall for VLAN backed workloads quickly and easily!
thanks for sharing this, may I know where are the three VLAN-backed logical segments get routed? At physical router?
That's correct, Nicolas. The NSX distributed router handles routing for the Overlay networks.
Hi Dave, it looks like each of the segments are aligned to separate Vlans, would this still work if I had a scenario where my web, app and db were all on the same ‘server’ Vlan? This looks a little like normal subnet to subnet enforcement but without tromboning to the perimeter FW.
Hi Gregor! Absolutely, this would still work if all the VMs were on the same VLAN. With NSX there is no need to trombone the packet for inspection.