VMware NSX Principles and Practice ---- NSX Firewall (Part 2)

Preamble: The previous article introduced the principle, purpose and advantages of the NSX firewall. Today continues that content, focusing on how the NSX firewall implements micro-segmentation.
The essence of the micro-segmentation technology mentioned above is the NSX distributed firewall deployed on every virtual machine; more precisely, a distributed firewall instance is created for each vNIC of each virtual machine. Simply put, if a virtual machine has three vNICs, there are three NSX distributed firewall instances associated with it. Another point to know: in an NSX network-virtualized environment, the distributed firewall is created together with the virtual machine. If a virtual machine does not need the distributed firewall service, it can be added to the "exclusion list". Why is this option offered? I don't know all the reasons, but one is clear to me: by default, NSX Manager, NSX Controller and NSX Edge Services Gateway are on the exclusion list. Because the NSX distributed firewall runs at the vNIC level of the virtual machine, the virtual machine cannot escape distributed firewall protection regardless of how it is connected to the logical network (whether through a VLAN-based VDS port-group or a VXLAN-based distributed logical switch port-group); this is its advantage.
First, the relevant components of the NSX distributed firewall
As mentioned earlier, the NSX distributed firewall communicates directly with NSX Manager through the vsfwd service process. Here are the management-plane, control-plane and data-plane components of the NSX distributed firewall:
**vCenter Server:** in an NSX distributed firewall deployment, vCenter acts as the management plane. Distributed firewall policy rules are created through the vSphere Web Client, and every vCenter cluster, VDS port-group, logical switch, virtual machine, vNIC and resource pool can then be used as the source or destination of those policy rules.
**NSX Manager:** in an NSX distributed firewall deployment, NSX Manager acts as the management and control planes. After NSX Manager receives the policy rules from vCenter, it stores them in a local database and synchronizes the distributed firewall policy to the ESXi hosts (using TCP port 5671). If the firewall policy rules change, the system synchronizes and pushes the changes in real time.
**ESXi host:** in an NSX distributed firewall deployment, the ESXi host is the data plane. The ESXi host translates the firewall policy rules coming from NSX Manager and applies them in kernel space so that the policy is enforced in real time. Thus all virtual machine traffic is inspected and the rules are enforced on the ESXi host.
This is actually very simple. For example, if traffic from virtual machine 1 is to reach virtual machine 2 on a different host, the traffic from VM 1 is processed against the firewall rules when it leaves host ESXi1, processed against the firewall rules again when it arrives at host ESXi2, and only then reaches VM 2.
Second, how micro-segmentation is implemented
The NSX distributed firewall is implemented by a VMkernel module (VIB) enabled on the ESXi host. After deployment is complete, NSX Manager pushes it to every host. The distributed firewall policy rules are applied to packets after they leave the vNIC and before they reach the VTEP. Let the picture speak: [Picture]
As the figure shows: once the firewall policy is deployed, the firewall inspects both the traffic leaving a virtual machine and the traffic arriving at it; no traffic can bypass firewall inspection. There is no need to worry about how the virtual machine is connected, because the distributed firewall policy is based on the vNIC.
Speaking of micro-segments, the concept of the "security group" must be mentioned. NSX has a feature called Service Composer, which can assign a group of virtual machines with a similar role to an organization. Within Service Composer there is also an important function called Security Group (SG): a security group allows objects to be added dynamically or statically to a "container", and that container is then used as the source and destination of distributed firewall policy rules.
The NSX distributed firewall is very flexible and intelligent: administrators can define security groups by virtual machine name, operating system or other virtual machine attributes, and specify that only virtual machines in the same security group can access each other. These virtual machines then behave as if they were connected to the same physical segment; this virtual network is called a "micro-segment (micro-segmentation)". In fact, these virtual machines may be distributed across different physical servers, and those servers may sit on different physical network segments; the micro-segment isolates these virtual machines and their virtual network from all other networks.
We can use micro-segmentation to isolate virtual machines within the data center, placing the virtual servers of different business units in different micro-segments; at the virtual network level, access across micro-segments simply cannot happen. Within the same micro-segment we can also set up firewall rules between virtual machines as the business requires, so that only the necessary network communication takes place between them and the security of the virtual servers is maximized.
[Picture]
The figure creates six security groups: three for the Finance (FIN) department and three for the Human Resources (HR) department. Within each tier, servers of the same organization at the same tier can ping each other. For example, Fin-web-01 can ping Fin-web-02, but Fin-web-01 cannot ping HR-web-01; this is what was said earlier, "access across micro-segments cannot happen".
Taking the chart above as an example, the network traffic flow between the tiers is: from the Internet to the Web servers, HTTP and HTTPS traffic is allowed and all other traffic is discarded (north-south traffic); from the Web tier to the App tier, TCP port 1234 and SSH traffic is allowed and all other traffic is discarded (east-west traffic); from the App tier to the database tier, MySQL traffic is allowed and all other traffic is discarded (east-west traffic).
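As an added illustration (my own Python model, not NSX code or the article's), the three-tier policy just described, with security-group membership derived dynamically from the VM name and first-match rule evaluation; the group names, the "Internet" label and the service names are assumptions:

```python
import re
from dataclasses import dataclass
from typing import List

# Hypothetical model (not NSX code) of vNIC-level rule evaluation: security
# groups are filled dynamically by VM-name pattern, as Service Composer allows,
# and each rule matches on source group, destination group and service.
SECURITY_GROUPS = {  # constructed: group name -> regex on the VM name
    "SG-Fin-Web": r"^Fin-web-", "SG-Fin-App": r"^Fin-app-", "SG-Fin-DB": r"^Fin-db-",
    "SG-HR-Web": r"^HR-web-", "SG-HR-App": r"^HR-app-", "SG-HR-DB": r"^HR-db-",
}

def groups_of(vm: str) -> set:
    """Dynamic membership: every group whose pattern matches the VM name."""
    return {sg for sg, pat in SECURITY_GROUPS.items() if re.match(pat, vm)}

@dataclass
class Rule:
    src: str      # security group name, or "any"
    dst: str      # security group name, or "any"
    service: str  # e.g. "HTTP", "HTTPS", "SSH", "TCP/1234", "MySQL", "ICMP", "any"
    action: str   # "allow" or "block"

# Ordered rule table for the article's three-tier design; default block is last.
RULES: List[Rule] = []
for org in ("Fin", "HR"):
    for tier in ("Web", "App", "DB"):
        sg = f"SG-{org}-{tier}"
        RULES.append(Rule(sg, sg, "ICMP", "allow"))  # same org, same tier may ping
    RULES += [
        Rule("any", f"SG-{org}-Web", "HTTP", "allow"),                # north-south
        Rule("any", f"SG-{org}-Web", "HTTPS", "allow"),
        Rule(f"SG-{org}-Web", f"SG-{org}-App", "TCP/1234", "allow"),  # east-west
        Rule(f"SG-{org}-Web", f"SG-{org}-App", "SSH", "allow"),
        Rule(f"SG-{org}-App", f"SG-{org}-DB", "MySQL", "allow"),
    ]
RULES.append(Rule("any", "any", "any", "block"))

def evaluate(src: str, dst: str, service: str) -> str:
    """First matching rule wins. A source such as "Internet" that matches no
    group can only hit rules whose source is "any"."""
    src_groups, dst_groups = groups_of(src), groups_of(dst)
    for r in RULES:
        if ((r.src == "any" or r.src in src_groups)
                and (r.dst == "any" or r.dst in dst_groups)
                and r.service in ("any", service)):
            return r.action
    return "block"  # unreachable with the default rule, kept for safety
```

Cross-organization flows such as Fin-app-01 to HR-db-01 over MySQL fall through to the final block rule, which is the "no access across micro-segments" behaviour the article describes.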
Third, summary
That is all for today's study of micro-segmentation; to find out what happens next, stay tuned for the next installment.

Origin blog.csdn.net/Gao068465/article/details/103978371