NSX Home Lab (5/6) – Micro Segmentation

In this post we will see how to implement micro segmentation with NSX security groups and security policies.

1) Environment

  • Networks
    • VXLAN 5001 – 10.10.10.0/24 – Web Servers – http 80
    • VXLAN 5002 – 10.10.20.0/24 – DB Servers – mysql 3306
  • VMs
    • VXLAN 5001 : web01,web02
    • VXLAN 5002 : db01

2) Micro Segmentation Plan

  • Create Security group for VMs in VXLAN 5001
  • Create Security group for VMs in VXLAN 5002
  • Block Default Firewall rule
  • Create a security policy to secure VXLAN 5002 (secure communication between logical networks).
  • Create a security policy to secure VMs within VXLAN 5001 (secure communication within a logical network).

3) VMs

  • VMs on VXLAN 5001

  • VM on VXLAN 5002

4) Create Security groups

  • Create Security Group for VMs in Web VXLAN 5001
  • Create Security Group for VMs in DB VXLAN 5002

5) Block Default Firewall rule

  • Set Default firewall policy to “Block”

6) Create Security Policy to allow 3306 from Web Servers to DB Servers.

Firewall Rule Source: Policy’s Security Groups
Firewall Rule Destination: DB Servers Security Group

  • Create Security Policy to allow port 3306 to DB VMs

7) Assign the Security Policy to Web Servers Security group

  • Assign Security Policy
  • See what firewall rules are applied on Web Servers.

8) Test connectivity from Web Servers to DB Servers

  • Test1: Telnet to port 3306 from a VM (web01) in the Web Servers security group to the DB Server VM (db01)
  • Test2: Block 3306 and test again

    Edit the firewall rule in the security policy and block 3306

    Telnet to port 3306 from the VM (web01) in the Web Servers security group to the DB Server VM (db01)

    Allow 3306 again

9) Create Security Policy to block http within Web Servers.

web01 should not be able to connect to web02 on port 80

Firewall Rule Source: Policy’s Security Groups
Firewall Rule Destination: Policy’s Security Groups

  • Ensure the default firewall policy is set to block
  • Ensure no other firewall rule is allowing HTTP and ICMP. If such a rule exists due to inheritance, create a new security policy with a higher priority to block the ports
  • As there is a firewall rule to allow https from L2-Production-Web Servers, create a new security policy to block https within the security group

  • Assign the security policy to Web Servers
  • See the firewall rules on Web Servers

10) Test connectivity from a VM in Web Servers to the other VM in Web Servers

  • Test1: Test connectivity from web01 to web02 and db01

    web01 is able to communicate with db01 on port 3306
    web01 is not able to communicate with web02 on port 80
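The expected results of the two connectivity tests, and the priority caveat about inherited rules, can be checked with a small model of how the policies above are evaluated. This is an added example, not code from the post or from NSX; the VM, group and policy names come from the post, while the weight ordering and the inherited allow policy are constructed assumptions.

```python
# Added example: a simplified model of DFW rule evaluation for the policies
# built in this lab. VM and group names are from the post; the "weight"
# precedence and the inherited allow policy are constructed assumptions.
from dataclasses import dataclass

# Security group membership, as in section 1 of the post (constructed data)
GROUPS = {"Web Servers": {"web01", "web02"}, "DB Servers": {"db01"}}

@dataclass
class Rule:
    src: str      # security group name ("Policy's Security Groups" resolved)
    dst: str
    port: int
    action: str   # "allow" or "block"

@dataclass
class Policy:
    name: str
    weight: int       # higher weight is evaluated first
    applied_to: str   # security group the policy is assigned to
    rules: list

def build_policies():
    # Section 6/7: allow 3306 from Web Servers to DB Servers
    web_to_db = Policy("Allow 3306 to DB", 1000, "Web Servers",
                       [Rule("Web Servers", "DB Servers", 3306, "allow")])
    # Hypothetical inherited policy that allows port 80 within Web Servers
    inherited = Policy("Inherited allow 80", 1500, "Web Servers",
                       [Rule("Web Servers", "Web Servers", 80, "allow")])
    # Section 8: block 80 within Web Servers, given a higher priority
    block_web = Policy("Block http within Web", 2000, "Web Servers",
                       [Rule("Web Servers", "Web Servers", 80, "block")])
    return [web_to_db, inherited, block_web]

def member_of(vm, group):
    return vm in GROUPS.get(group, set())

def evaluate(policies, src_vm, dst_vm, port, default="block"):
    """Return the first matching rule's action, else the default policy action."""
    for pol in sorted(policies, key=lambda p: p.weight, reverse=True):
        # Rules apply on the vNICs of VMs in the group the policy is assigned to
        if not (member_of(src_vm, pol.applied_to) or member_of(dst_vm, pol.applied_to)):
            continue
        for r in pol.rules:
            if member_of(src_vm, r.src) and member_of(dst_vm, r.dst) and r.port == port:
                return r.action
    return default
```

Lowering the weight of the block policy below the inherited allow makes web01 reach web02 on port 80 again, which is the inheritance situation the checklist in section 8 warns about.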
