Home > Blogs > VMware vSphere Blog


Using App Firewall with VXLAN Networks

VMware vCloud Networking and Security App Firewall is a hypervisor-based firewall that protects applications in the virtual datacenter from network-based attacks. In this blog, let’s look at how to micro-segment a VXLAN network to deploy a 3-tier application using vCloud Networking and Security 5.1 App Firewall.

Use Case

Each application is deployed using a separate VXLAN network as shown below.  To keep the diagram simple, only one application is shown below.  The application has three tiers – web, app and db.

 

Enforce the following separation between tiers of the application using vCloud Networking and Security App Firewall.

  1. Isolate Web Servers from one another
  2. Allow HTTP/HTTPS traffic to Web Servers from any network other than Application VXLAN network.
  3. Allow Web Server to App Server communication on port 8080
  4. Allow App Server to Db Server communication on port 3036
  5. Block all other traffic

vCenter Network view of the Application

vCenter Network view of the Application is shown below, where all virtual machines of the application are connected to the VXLAN port group vxw-dvs-127-virtualwire-27-sid-5001-App1-vWireas highlighted below.

App Firewall with VXLAN

In vCloud Networking and Security 5.1 release, each VXLAN network is created with an independent namespace for App Firewall. Datacenter level firewall rules no longer apply to the virtual machines attached to the VXLAN networks. We need to use Network Virtualization –> Networks section to define the App Firewall policy objects and rules.

Clicking on VXLAN network “App1-vWire”, you will see the following.Click on “Security” tab to create the App Firewall policy objects and rules for the VXLAN segment “App1-vWire”.

Firewall Rule Policy Objects

Security Groups

Security groups can include virtual network adapters, virtual wire, and other security groups. Let’s create three security groups Web-Srvr-SG, App-Srvr-SG, and Db-Srvr-SG.

Click on “+” icon in “Grouping” section to create a Security Group as highlighted below. Give a Name to the Security Group and select the Members.

Web-Srvr-SG is created with “App1-WebServer1” and “App1-WebServer2” network adapters as members. Similarly create two other security groups – App-Srvr-SG and Db-Srvr-SG. All the three security groups created are shown below.

Service and Service Groups

A service is a protocol-port combination and a service group is a combination of two or more services. Most commonly used services are pre-defined for convenience and ease of use. Create additional services and service groups from “Services” section. Services and service groups created for the application in this Use Case are highlighted below.

Firewall Rule Management

App Firewall Ethernet Rules

The first Ethernet rule below ensures micro-segmentation of web servers i.e. one web server cannot talk to another web server. If one of the web servers is compromised, it cannot be used to directly attack the other servers, even ARP and RARP will be denied. The second rule specifies a default Allow Ethernet rule. This is because Ethernet rules operate before General rules and a default deny Ethernet rule would not allow any traffic flow out of any virtual machine in this example. These rules satisfy the requirement 1 from the Use Case section.

App Firewall General Rules

The following General firewall rules are set up for the application to function properly satisfying the requirements 2 to 5 from the Use Case section.

  • Rule 1 – Web-Access: Allows HTTP and HTTPS traffic to Web servers. Notice the negation used in the Source, wherein HTTP and HTTPS traffic to Web servers allowed from any network other than the “App1-vWire” VXLAN network. (Requirement 2)
  • Rule 2 – Web-to-App-Access : Allow Web Server to App Server communication on App Port (Requirement 3).
  • Rule 3 – App-to-Db-Access : Allow App Server to Db Server Communication on Db Port (Requirement 4).
  • Rule 4 – Default Rule: Block all other traffic (Requirement 5).

Flow Monitoring

Flow Monitoring dashboard for the VXLAN network is shown below. The dashboard shows the percentage of allowed flows in green and blocked flows in red.

Clicking the Details link on the Flow Monitoring dashboard shows Allowed Flows and Blocked Flows for various services. Clicking on the rule id of the Flow Monitoring Details Allowed or Blocked Flow shows the details of the rule that allowed or blocked the traffic as shown below. Use Add Rule / Edit Rule link to create/edit the firewall rule.

In summary, we looked at how to use App Firewall rules and flow monitoring with vCloud Networking and Security 5.1 VXLAN networks.

Get notification of these blogs and more vCloud Networking and Security information by following me on Twitter @vCloudNetSec.

2 thoughts on “Using App Firewall with VXLAN Networks

  1. balaji patnala

    Hi,

    Can you give some more information on the following doubts like

    i) Same VXLAN [VNI-5001] will be created on all the hosts of each tier like Web,App and DB.?

    ii) where does Firewall sits on these tiers or is it a seperate hardware?

    iii) For every tenant , are we going to create a new VXLAN on the host.?

    iv) when a VM is launched for the first time on Host, VXLAN will be created on the host before launching VM on the host?

    Thanks in advance.

    Regards,
    Balaji.P

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>