VMware NSX Security Groups and Policies
VMware NSX Security Groups are a powerful way to group a collection of objects in vSphere. A Security Group can be built on objects such as a Virtual Machine, Cluster, Datacentre, etc. After the Security Group is created, a security policy or firewall rules need to be created and applied to it. Create an outbound and an inbound policy to block the traffic, and apply them to the Security Group.
Create an NSX security group
Log on to vCenter Server > Networking & Security > Service Composer > Security Groups > Click New Security Group
Input the name and description of the security group in the Name and Description options.
Traffic can be filtered by restricting the membership criteria in Define Dynamic Membership.
In Select objects to include > Go to Object Type > Select Cluster and move the NSX cluster that contains the VMs to protect to the Selected Objects column > Click Finish
The new Security Group has now been created.
The Security Group now exists where we want to implement the security. To apply the security, we have to create two types of security policy: first an Inbound Security Policy and second an Outbound Security Policy.
Create NSX security policy
Networking and Security > Service Composer > Security Policies > Click New Security Policy
Input the Name and Description of security policy > Click Next.
Click the green plus sign + to add Guest Introspection Services > Input the Name & Description > Action: Apply > Service Name: Select the service name > Service Profile: select “Default (EBT)” > State: Enabled > Enforce: Yes > Click OK > Click Next.
Firewall Rules (No change) > Click Next.
Note: In Network Introspection Services, two Network Introspection Services must be added to the NSX Security Policy: the first for outbound traffic and the second for inbound traffic.
Click + sign to create Network Introspection Services > Input the Name & Description for outbound traffic > Action: Redirect to service > Service Name: Input the name > Profile: Default > Source: Policy’s Security Groups > Destination: Any > Service: Any > State: Enabled > Log: Do not log
Click + sign to create Network Introspection Services > Input the Name & Description for outbound traffic > Action: Redirect to service > Service Name: Input the name > Profile: Default > Source: Policy’s Security Groups > Destination: Any > Service: Any > State: Enabled > Log: Do not log > Click OK > Add Network Inspection Service > Finish
Apply the NSX security policy to the security group
The Security Group, Outbound Security Policy and Inbound Security Policy have been created; now apply the security policy to the security group.
Networking & Security > Service Composer > Click the Apply Security Policy icon > In the Apply Policy to Security Groups window, select the Security Group that contains the VMs we want to protect and click OK.
The NSX Security Policy is now applied to the VMs in the NSX Security Group.