This post is part of my VMware VCIX-NV Study Guide and covers the Service Composer, which allows the chaining of (third party) services to virtual machines.

Documentation

Index

 

Service Composer
Some say the Service Composer inside VMware is the most powerful feature of the entire NSX platform, I tend to agree. With the service composer, you can ‘compose’ chains of services which network traffic of a virtual machine is directed through. For instance, you can construct a chain where the network traffic of virtual machines that contain high sensitive data, automatically pass through advanced firewalls (such as Palo Alto). Or automatically pushing web servers towards advanced load balancers (such as F5).

The word automatically refers to the Security Groups. You might remember these security groups from a few chapters back, from where the firewall capabilities of NSX were discussed. To refresh the specifics: Security Groups are groups of virtual machines that you can configure to be dynamically filled with virtual machines. You can define criteria to match virtual machines on. These criteria are: Computer OS Name, Computer Name, VM Name, Security Tag, Entity (vSphere Object). Even more, you can match these criteria in a few ways: you can enter text that the object should contain (“Contains”), what the object should end with (“Ends with”), or the object should completely equal (“Equals”), or the object should not equal to (“Not Equals To”), or what it should start with (“Starts With”). But wait, there’s even more! You can also use multiple criteria and match any or all criteria specified.

Using these security groups, you can make a lot of imaginable matches. For instance, you can create a group that has all virtual machines which are called Web-XXX, have the ‘webfire’ tag, have the hostname webfireXXXX.backend.local and run CentOS 6.1. Your imagination is the limit here.

If you’ve got your security groups, you can attach Security Policies to them to actually do something with the security groups. You might remember the security groups from the distributed firewall as well, they have their own distributed firewall section and can have specific firewall rules applied to them. Besides from having special firewall rules, you can also specify Guest Introspection Services and Network Introspection Services to them (these are usually the third party services).

When you put the security groups and security policies together, you can create a policed situation where a virtual machine that has a simple tag called ‘quarantine’ – it would be automatically put in a security group which is linked to a security policy which in turn has specific firewall rules defined to quarantine the virtual machine from the network. Pretty amazing, huh? 🙂

Let’s dive in to the tasks for this chapter.

 

Create/Modify/Delete Security Groups

Requirements:

  • NSX Environment.

VMware Documentation: Create a Security Group in Service Composer

Lets start with creating a simple security group which matches virtual machines that have a name starting with ‘Web’

Registering a Windows domain to NSX Manager

  • Login to your vSphere Web Client.
  • Navigate to “Networking & Security” and select the “Service Composer” menu.
  • Select the “Security Groups” tab and click the “+” icon to start the wizard.
  • In the popup window, give your new security group a name, an optional description and click “Next” to proceed.
  • The next page is where the magic happens, this is where you define the criteria. In this example we’re only adding a single criteria, but you can add as many as you want.
  • Add a criteria for the “VM Name”, select “Starts With” and enter “Web” into the text field. Click “Next”.
  • Security Groups can have a scope to limit the gathering of virtual machines (Other Security Groups, Cluster, Virtual wire, Network, Virtual App, Datacenter, IP sets, AD groups, MAC Sets, Security tag, vNIC, Virtual Machine, Resource Pool, Distributed Virtual Port Group). If you want to limit the scope, configure the scope here. If you don’t want to limit the scope, leave it unconfigured (as that uses global perspective). Click “Next”.
  • You can also exclude virtual machines using the same objects as to limit the scope. For instance, exclude a certain resource pool or virtual machine. Click “Next”.
  • Review your configuration and click “Finish” to create the security group.

After adding a security group, you can check which virtual machines are discovered by clicking on the number in the “Virtual Machines” column. This number is also the amount of discovered virtual machines.

 

Create/Modify/Delete Security Policies

Requirements:

  • NSX Environment.

VMware Documentation: Create a Security Policy

After creating the security group, you’ll want to do something with it. As mentioned before, you can use them in firewall rules, but security policies is what it’s really about.

Creating a Security Policy

  • Login to your vSphere Web Client.
  • Navigate to “Networking & Security” and select the “Service Composer” menu.
  • Select the “Security Policies” tab and click the “+” icon to start the wizard:
  • In the popup window, give the security policy and name and optional description. You can also choose to inherit configuration from another security policy here. Click “Next” when you’re done.
  • Next, add any Guest Introspection Services you would like to add to the policy. Antivirus services is an example. These services need to be registered within the “Service Definitions” before you are able to select them here. Click “Next” when you’re done.
  • In the next window, you are able to add specific firewall rules for the virtual machines. If you don’t want to add them here (which I can totally understand, it’s a small window), you can always add or edit them later from the distributed firewall management page. Click “Next” when you’re done.
  • Next, add the Network Introspection Services you want to use. Examples are advanced firewalls (Palo Alto) or load balancing (F5). Again, these services need to be registered with the “Service Definitions”, just like the Guest Introspection Services. Click “Next” when you’re done.
  • Review your configuration and click “Finish” to create the Security Policy.

 

Map Security Policies to Security Groups

Requirements:

  • NSX Environment.
  • Existing Security Group and Security Policy.

VMware Documentation: Map a Security Policy to a Security Group

After creating Security Groups and Security Policies, you might have noticed that there’s no link between them yet. The relationship between a security policy and security group is many to many. One security group can be mapped to multiple security policies and one security policy can contain multiple security groups. To create these mappings, do the following:

Create a Security Group to Security Policy relation

  • Login to your vSphere Web Client.
  • Navigate to “Networking & Security” and select the “Service Composer” menu.
  • Select the “Security Policies” tab, select your security policy and click the “Apply Security Policy” icon:
  • In the popup window, select the security groups to map and click “OK” to apply your changes.

 

Add/Assign/Edit/Delete Security Tags

Requirements:

  • NSX Environment.

VMware Documentation: Working with Security Tags

Security Tags are certain tags that a third party service (or VMware Data Security) can put on a virtual machine. The most basic example is an Antivirus scanner that tags a virtual machine with “Virus Found!”. You can create custom security tags and apply them manually to virtual machines, but the most sensible is to let the third party service create the tags and assign them, while you just use them in security groups to match and police the virtual machines. The whole concept is to automate these things.

But we still need to cover it because it’s on the blueprint, so lets go!

Creating a custom Security Tag

  • Login to your vSphere Web Client.
  • Navigate to “Networking & Security” and select the “NSX Manager” menu.
  • Select your NSX Manager and click the “Manage” tab, then the “Security Tags” sub-tab.
  • Click the “New Security Tag” icon to add a new security tag:
  • In the name field, enter the entire tag name in a format as: TagName=TagValue
  • The enter an optional description and click “OK” to add the tag.

After creating the security tag, you can manually assign it to virtual machines using this procedure:

Assigning a Security Tag

  • Login to your vSphere Web Client.
  • Navigate to “Networking & Security” and select the “NSX Manager” menu.
  • Select your NSX Manager and click the “Manage” tab, then the “Security Tags” sub-tab.
  • Select the security tag to assign virtual machines to and click the “Assign Security Tag” icon:
  • In the popup window, select the virtual machines you want to assign this security tag to and click “OK” when you’re done.


 

View and manage effective services and failures for a Security Policy

Requirements:

  • NSX Environment.
  • Existing Security Policy and active mapping.

VMware Documentation: Viewing Effective Services

After creating a security policy and mapping it to security groups, the magic happens and spongebob, rainbows and unicorns. Luckily, you can verify if those rainbows actually are shining. Inside the security policy, you can check if the services and firewall rules are applied properly and (maybe most importantly) if there are any errors with the configuration from applying to the virtual infrastructure. Lets start by verifying if the configuration has been applied.

Check Security Policy settings

  • Login to your vSphere Web Client.
  • Navigate to “Networking & Security” and select the “Service Composer” menu.
  • Select the “Security Policies” tab and double click the security policy you want to check.
  • Inside the security policy, navigate to the “Manage” tab and select the “Information Security” sub-tab.
  • Once there, you can double check and possibly edit the Guest Introspection Services, Firewall Rules and Network Introspection Services.

Next, lets check the enforcement of the security policy. Maybe there’s an error actually applying the policy.

Check Security Policy application

  • Login to your vSphere Web Client.
  • Navigate to “Networking & Security” and select the “Service Composer” menu.
  • Select the “Security Policies” tab and double click the security policy you want to check.
  • Inside the security policy, navigate to the “Monitor” tab and select the “Service Errors” sub-tab.
  • If there are any errors, they should show here. If it’s empty, good! In the example below, there’s an obvious reason for the VMware Data Security service to not have applied on the virtual machine called Web01. VMware Data Security is not installed.

 

Manage Security Policy priorities

Requirements:

  • NSX Environment.
  • Multiple Security Policies mapped to Security Groups.

VMware Documentation: Manage Security Policy Priority

Because you can map security policies to several security groups and a security group could end up with multiple security policies, there’s a chance that one security policy may override another security policy. They can certainly complement each other (one security policy only for advanced firewall service, another only for load balancing), so VMware has devised to implement security policy priorities. Much like firewall rules, the security policies act like on a first-come first-serve basis and you can arrange their priorities. Here’s how:

Re-ordering Security Policies

  • Login to your vSphere Web Client.
  • Navigate to “Networking & Security” and select the “Service Composer” menu.
  • Select the “Security Policies” tab, select a security policy and click the “Manage Priority: icon:
  • In the popup window, select a policy you want to move up or down and click the “Move Up” or “Move Down” icons to do so:
  • Click “OK” when you’re done re-ordering.

 



Share the wealth!