Streamlining NSX vCenter Plug-in Deployment with Security-Focused Configuration

NSX vCenter Plug-in Deployment: Security Only Configuration

In our previous post, we explored the deployment of NSX as a plug-in to vCenter server. This time, we will focus on the security only configuration of NSX, which allows organizations to quickly and easily implement advanced security features without having to deploy the full range of NSX networking functionality.

Before we begin, let’s understand the NSX distributed firewall. The distributed firewall is centrally managed via the NSX user interface / API, yet it is external to the VMs: the NSX firewall is instantiated in the kernel of the ESXi host rather than in the guest OS of each VM. Additionally, the NSX distributed firewall is vSphere object aware, meaning that firewall rules can reference vSphere objects such as single VMs, collections of VMs, VMs with specific tags, etc.

To begin the configuration, we will select the Security Only Get Started option from the NSX menu in the vSphere client. We will then choose the correct cluster and select Install NSX. As our environment is using VDS version 8.0, we are good to click Install.

Once the host preparation is complete, we can see that our ESXi host is prepared with the correct version of NSX. We can then start creating some firewall rules. We will create a group for our DNS servers and select the appropriate communication service. We will also apply filtering for TCP and UDP DNS services.

After reviewing and publishing the firewall rule, we can view the distributed firewall from the NSX dashboard. We can see our DNS firewall rule in the infrastructure category. It is important to note that on a fresh install, the bottom three rules of the application category are set by default to allow any traffic from any source to any destination. Depending on the security stance of your environment, it is advisable to review these default rules and set them as appropriate.
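One way to make the review of those default rules repeatable is to scan an exported rule set for enabled allow rules that match any source, any destination and any service. The script below is an added example, not part of the original post or of NSX itself. The sample data is constructed, its field names are modeled on NSX Policy API rule objects (an assumption), and the group id `dns-servers` and the rule names are hypothetical.

```python
import json

# Constructed sample rule set (not an export from the environment in the post).
# Field names are modeled on NSX Policy API rule objects; treat them as an assumption.
SAMPLE_POLICIES = json.loads("""
[
  {"display_name": "DNS Policy", "category": "Infrastructure", "rules": [
    {"display_name": "allow-dns", "action": "ALLOW",
     "source_groups": ["ANY"],
     "destination_groups": ["/infra/domains/default/groups/dns-servers"],
     "services": ["/infra/services/DNS", "/infra/services/DNS-UDP"]}
  ]},
  {"display_name": "Default Layer3 Section", "category": "Application", "rules": [
    {"display_name": "constructed-allow-any", "action": "ALLOW",
     "source_groups": ["ANY"], "destination_groups": ["ANY"], "services": ["ANY"]},
    {"display_name": "constructed-disabled-allow", "action": "ALLOW", "disabled": true,
     "source_groups": ["ANY"], "destination_groups": ["ANY"], "services": ["ANY"]},
    {"display_name": "constructed-drop-any", "action": "DROP",
     "source_groups": ["ANY"], "destination_groups": ["ANY"], "services": ["ANY"]}
  ]}
]
""")

MATCH_FIELDS = ("source_groups", "destination_groups", "services")


def is_any(values):
    # Assumption: a missing or empty field is treated as match-all, like the literal "ANY".
    return not values or "ANY" in values


def find_open_rules(policies, category="Application"):
    """Return (policy, rule) names of enabled ALLOW rules that match any/any/any."""
    findings = []
    for policy in policies:
        if policy.get("category") != category:
            continue
        for rule in policy.get("rules", []):
            if rule.get("disabled", False) or rule.get("action") != "ALLOW":
                continue
            if all(is_any(rule.get(field)) for field in MATCH_FIELDS):
                findings.append((policy["display_name"], rule["display_name"]))
    return findings


if __name__ == "__main__":
    for policy_name, rule_name in find_open_rules(SAMPLE_POLICIES):
        print(f"REVIEW: '{rule_name}' in '{policy_name}' allows any source, destination and service")
```
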

In conclusion, the NSX security only deployment via the vSphere vCenter plug-in is a simple and efficient way to get your NSX environment up and running quickly. However, there are caveats to using this deployment model that need to be considered prior to installation. We will explore those in our next post.