Last week I blogged about how to get started with PowerNSX.

The reason I dove into the wonderful world of PowerNSX was that I needed to implement Application Fencing.
More about Application Fencing can be found here and here.

The whole purpose of implementing Application Fencing is to get visibility into which VM / Application is talking to which VM / Application, over which protocol and port.

Detailed steps for this exercise can be found on my wiki, because I believe this is better documented in wiki format.

This information can be used to implement a Zero Trust Security Architecture.

I will write a separate blog about Application Fencing in the future, but in order to get there, there are some steps that need to be done.

In my example I will use the traditional 3-tier Bookstore App.
This vApp has the following VMs:

  1. Web01
  2. Web02
  3. App01
  4. App02
  5. DB01

Right now we only have 5 VMs, so creating the Security Tags and Security Groups, assigning the tags to the specific VMs and creating the Distributed Firewall Rules is done pretty fast.

BUT WHAT IF … you need to implement Application Fencing in an infrastructure with more than 1000 VMs, 500 security tags, 500 security groups and the corresponding firewall rules?

This could take a while right?

You can speed this up with the use of PowerNSX!

Below you will find a method to run PowerNSX in combination with external Comma Separated Value (CSV) files.
This will save you a lot of time!

The steps to implement Application Fencing are:

  1. Add Security Tags and Tier based Security Groups (and statically make the security tag a member of the tier security group)
  2. Assign the Security Tags to the correct VMs (so that the VMs are placed in the correct tier group)
  3. Add separate Application based Security Groups (so that the Tier based Security Groups can be nested inside an Application Security Group)
  4. Nest the Tier based Security Groups into the Application Security Group
  5. Add Distributed Firewall Sections to add in the Distributed Firewall Rules
  6. Add in the Tier based Distributed Firewall Rules
  7. Add in the Application based Distributed Firewall Rules
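The seven steps above driven from a CSV with PowerNSX, as an added example that is not one of the author's wiki scripts. It assumes an existing Connect-NsxServer session with vCenter access, the PowerNSX cmdlet parameters as named here, constructed tag, group and section names for the Bookstore app, and the NSX default HTTP and MySQL services.

```powershell
# Added example, not the author's wiki scripts. Assumes an existing Connect-NsxServer
# session with vCenter access; the CSV rows and tag/group/section names are constructed.
$rows = @'
VM,SecurityTag,TierGroup,AppGroup
Web01,ST-Bookstore-Web,SG-Bookstore-Web,SG-Bookstore
Web02,ST-Bookstore-Web,SG-Bookstore-Web,SG-Bookstore
App01,ST-Bookstore-App,SG-Bookstore-App,SG-Bookstore
App02,ST-Bookstore-App,SG-Bookstore-App,SG-Bookstore
DB01,ST-Bookstore-DB,SG-Bookstore-DB,SG-Bookstore
'@ | ConvertFrom-Csv   # on a real run: Import-Csv .\bookstore.csv

# Step 1: one tag and one tier group per tier; the tag is a static member of
# the group, so tagging a VM later places it in the right tier automatically.
foreach ($r in ($rows | Sort-Object SecurityTag -Unique)) {
    $tag = Get-NsxSecurityTag -Name $r.SecurityTag
    if (-not $tag) { $tag = New-NsxSecurityTag -Name $r.SecurityTag }
    if (-not (Get-NsxSecurityGroup -Name $r.TierGroup)) {
        New-NsxSecurityGroup -Name $r.TierGroup -IncludeMember $tag | Out-Null
    }
}

# Step 2: apply each VM's tier tag.
foreach ($r in $rows) {
    Get-VM -Name $r.VM | New-NsxSecurityTagAssignment -ApplyTag `
        -SecurityTag (Get-NsxSecurityTag -Name $r.SecurityTag)
}

# Steps 3-4: application group that nests the tier groups (one per AppGroup).
foreach ($appName in ($rows.AppGroup | Sort-Object -Unique)) {
    if (Get-NsxSecurityGroup -Name $appName) { continue }
    $tiers = $rows | Where-Object AppGroup -eq $appName |
        ForEach-Object { $_.TierGroup } | Sort-Object -Unique |
        ForEach-Object { Get-NsxSecurityGroup -Name $_ }
    New-NsxSecurityGroup -Name $appName -IncludeMember $tiers | Out-Null
}

# Steps 5-7: DFW section with tier-to-tier allow rules, closed by a logged deny
# applied to the app group (the fence); client-facing allows go above the deny.
$web = Get-NsxSecurityGroup -Name SG-Bookstore-Web
$app = Get-NsxSecurityGroup -Name SG-Bookstore-App
$db  = Get-NsxSecurityGroup -Name SG-Bookstore-DB
$all = Get-NsxSecurityGroup -Name SG-Bookstore
$sec = Get-NsxFirewallSection -Name Bookstore
if (-not $sec) { $sec = New-NsxFirewallSection -Name Bookstore }
$sec | New-NsxFirewallRule -Name 'Web to App' -Source $web -Destination $app -Position bottom `
    -Service (Get-NsxService -Name HTTP) -Action allow -AppliedTo $all | Out-Null
$sec | New-NsxFirewallRule -Name 'App to DB' -Source $app -Destination $db -Position bottom `
    -Service (Get-NsxService -Name MySQL) -Action allow -AppliedTo $all | Out-Null
$sec | New-NsxFirewallRule -Name 'Bookstore fence' -Action deny -EnableLogging `
    -Position bottom -AppliedTo $all | Out-Null
```

Rules are appended with -Position bottom so the section keeps the order written here, with the logged deny last; the log hits from that deny are what give you the visibility into flows you have not modelled yet.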

NOTE: This example only has 5 VMs spread across 3 tiers, all forming 1 application, so this approach looks like it's a bit overkill, but when you need to implement this in an organisation with a lot of VMs and a lot of applications that are segmented into different tenants, then you will love it!

The scripts and CSV files that I used for this exercise can be found on my wiki, together with the detailed steps, because I believe this is better documented in wiki format.
