Microsegmentation with VMware NSX and vRealize Automation

Micro Net

Configuring NSX vRealize Automation

You need to configure some settings on the vRealize Automation side. First, customize the vSphere endpoint by navigating to the Infrastructure | Endpoints | Endpoints page in the graphical user interface and editing the corresponding vSphere endpoint (Figure 2). Check the Specify Manager for Network and Security Platform box, enter the URL of the NSX Manager under Address, enter the corresponding NSX credentials, then close the dialog box by pressing OK and save the changes.

Figure 2: Editing the endpoint configuration.

You also have to run an inventory scan so that vRealize Automation is notified of NSX. To run an inventory scan, navigate to the Infrastructure | Compute Resources | Compute Resources menu and start data collection for the appropriate resource.

Creating Network Profiles

The next step is to configure the network profiles in vRealize Automation. Network profiles store information that vRealize Automation needs at run time to create a new network. vRealize Automation uses four different types of network profiles:

  • External network profiles point to existing networks (i.e., vSphere port groups). This type of network profile stores network information such as DNS servers, gateway, or IP addresses that can be assigned when provisioning VMs.
  • Routed network profiles allow the dynamic creation of a network with various subnets and a matching routing table. They enable end-to-end communication between machines on different networks with separately allocated IP addresses.
  • One-to-one network profiles ensure that the machines generated are given an internal NAT network address, as well as an external IP address.
  • One-to-many network profiles behave just like one-to-one network profiles, except that all internal machines share a single external IP address. In both cases, Orchestrator creates the corresponding source NAT rules in NSX.

If a routed network profile is used for the deployment, vRealize Automation creates a new network with the help of Orchestrator and registers this network with the DLR so that the newly created network can be routed through the L3 gateway.

Using a routed network profile is a two-step process: create the routed network profile, then link it with the vRealize Automation reservations you wish to use.

Because an external network profile is already present in most environments, you can jump right to creating the routed network profile. Navigate in the vRealize Automation GUI to the Infrastructure | Reservations | Network Profiles page, press the [+ New] button, and then choose the Routed option. During the configuration, you first need to type a name and optionally a description. Then select the external network profile through which outside communication will take place from the External Network Profiles drop-down list. Once this value is set, vRealize Automation automatically populates the DNS/WINS settings at the bottom of the screen. The fields Subnet Mask, Range Subnet Mask, and Base IP are of particular interest. The Subnet Mask defines the start of the subnet bit range in the 32-bit IP address. The Range Subnet Mask defines the end of the subnet range. According to VMware documentation, "vRealize Automation generates 255 IP ranges if the subnet mask is 255.255.0.0 and the range subnet mask is 255.255.255.0." Base IP defines the start of the IP address range. Before you save the network profile, go to the IP Ranges tab and generate the IP ranges to reflect the previously defined values. Then save the network profile by clicking OK. In some cases, you might need to adjust the firewall rules to match your configuration (Figure 3).

Figure 3: In some circumstances, it may be necessary to adjust the firewall rules in existing security groups.
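As an added illustration (not code from the article or from VMware), the following Python enumerates the IP ranges that the Subnet Mask, Range Subnet Mask, and Base IP fields describe, and looks up which range a provisioned address falls into. The addresses are constructed, and the assumption that ranges start at Base IP and run to the end of the outer subnet is ours; it reproduces the 255-range figure quoted above when Base IP is 192.168.1.0.

```python
import ipaddress


def generate_ip_ranges(base_ip, subnet_mask, range_subnet_mask):
    """Carve the address space defined by subnet_mask into per-deployment
    subnets ("IP ranges") of size range_subnet_mask, starting at base_ip.

    Assumption (ours, not VMware's documented algorithm): ranges begin at the
    Base IP and continue to the end of the outer subnet.
    """
    # The outer block: base IP masked down to the Subnet Mask (e.g. a /16).
    outer = ipaddress.IPv4Network((base_ip, subnet_mask), strict=False)
    # The Range Subnet Mask only supplies a prefix length (e.g. /24).
    inner_prefix = ipaddress.IPv4Network(("0.0.0.0", range_subnet_mask)).prefixlen
    if inner_prefix <= outer.prefixlen:
        raise ValueError("Range Subnet Mask must be longer than Subnet Mask")
    start = ipaddress.IPv4Address(base_ip)
    # Keep only the sub-blocks at or above the Base IP.
    return [net for net in outer.subnets(new_prefix=inner_prefix)
            if net.network_address >= start]


def range_for(ranges, address):
    """Return the generated range containing `address`, or None if it lies
    outside every range (useful when checking which routed segment a VM,
    and therefore which DLR-attached network, an address belongs to)."""
    ip = ipaddress.IPv4Address(address)
    for net in ranges:
        if ip in net:
            return net
    return None


if __name__ == "__main__":
    # Constructed values matching the quoted documentation example.
    ranges = generate_ip_ranges("192.168.1.0", "255.255.0.0", "255.255.255.0")
    print(len(ranges), "ranges:", ranges[0], "...", ranges[-1])
    print("192.168.7.20 lands in", range_for(ranges, "192.168.7.20"))
```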

Now you only need to assign the profile to a reservation so that you can use the network profile when creating a blueprint. To assign a profile to a reservation, go to Infrastructure | Reservations | Reservations in the GUI and open the Network tab. In the Network section, assign the external uplink network profile to the appropriate network. Under Advanced Settings, make sure that the Transport Zone is set correctly. In the Routed Gateway section, you need to install the distributed load balancer with the network path and network profiles from the external network profile (this was configured when setting up external communication). With this configuration in place, you can start creating blueprints. See the box entitled "NAT Profiles" for more on configuring network address translation.

NAT Profiles

Network Address Translation (NAT) network profiles are particularly well suited to settings such as a lab or training environment. Behind the scenes, vRealize Automation creates a dedicated edge gateway for NAT networks; the gateway handles the address translation and provides a route to the upstream L3 gateway.

Conclusions

vSphere, NSX, and vRealize Automation give admins the ability to create dynamic networks and, at the same time, control network traffic with microsegmentation. The interaction between NSX and vRealize Automation is critical to the configuration. Security rules can be defined centrally in NSX for use with vRealize Automation.
