About Ranga Maddipudi

Ranga Maddipudi is a Senior Technical Marketing Manager within the Cloud Infrastructure Technical Marketing group at VMware. He is responsible for technical marketing of vCloud Networking and Security suite.

vCloud Networking and Security 5.1 App Firewall Best Practices

This blog provides best practices for deploying vCloud Networking and Security 5.1 App Firewall. Thanks to Shubha Bheemarao, Ray Budavari and Rob Randell for helping me in compiling this.

Installation

  • Install vCloud Networking and Security Manager (aka vShield Manager) on a dedicated management cluster. Other components that get installed on this cluster are VMware vCenter Server, vCloud Director, etc.
  • vCloud Networking and Security Manager should be run on an ESXi host that is not affected by downtime, such as frequent reboots or maintenance mode operations. Use vSphere HA to increase the resilience of the Manager. Thus, a cluster with more than one ESXi host is recommended.
  • Install vCloud Networking and Security App Firewall on all vSphere hosts within a cluster so that virtual machines remain protected as they migrate between vSphere hosts.
  • The management interfaces of vCloud Networking and Security components should be placed in a common network, such as the vSphere management network. Manager requires IP connectivity to the vCenter Server, ESXi hosts, and App Firewall virtual machines. Refer to the KB article for the network port requirements for vCloud Networking and Security. It is a best practice to separate management traffic from production traffic.
  • If the vCenter Server or vCenter Server database virtual machines are on the ESXi host on which you are installing App Firewall, migrate them to another host before installing App Firewall or exclude these virtual machines from vCloud Networking and Security App Firewall protection.
  • Install VMware Tools on each virtual machine. The vCloud Networking and Security Manager collects the IP addresses of virtual machines from VMware Tools on each virtual machine. Use App Firewall SpoofGuard to authorize the IP addresses reported by VMware Tools to prevent spoofing. With SpoofGuard, use trust on first use to reduce the administrative overhead.


Download DMZ Design and Deployment Guide

I am happy to announce the availability of the VMware vCloud Networking and Security – DMZ Design and Deployment Guide. This paper highlights how securing a virtual DMZ environment using vCloud Networking and Security can be a strategic enabler to your organization as it helps you to reduce your capital expenditure and increase agility, while building a cloud ready, secure and scalable environment for business applications. The paper also highlights the different design approaches to securing business critical applications and enables you to make the choice that is most suited to your organization in the cloud journey. Further, it gives prescriptive configuration guidance to help you get started with the deployment of your preferred approach.

Get notification of these blogs and more vCloud Networking and Security information by following me on Twitter @vCloudNetSec.

Using App Firewall with VXLAN Networks

VMware vCloud Networking and Security App Firewall is a hypervisor-based firewall that protects applications in the virtual datacenter from network-based attacks. In this blog, let’s look at how to micro-segment a VXLAN network to deploy a 3-tier application using vCloud Networking and Security 5.1 App Firewall.

Use Case

Each application is deployed using a separate VXLAN network as shown below. To keep the diagram simple, only one application is shown below. The application has three tiers – web, app and db.


New Hands-on Lab – An In-depth Exploration of vCloud Networking and Security

Over the last few months, you have seen my blog articles on the vCloud Networking and Security solution. Some of you may have even been inspired to try it, but were not able to set aside or configure infrastructure to do any testing. Well, here’s your chance to get hands-on experience on everything that I wrote, without committing any equipment in your lab.

HOL-SDC-1303 – An In-depth Exploration of vCloud Networking and Security is a brand-new hands-on lab that walks you through vCloud Networking and Security with a use-case based approach. You can explore all of the following areas using this lab.

  • Prepare vSphere clusters for VXLAN logical network deployment
  • Logical network (VXLAN) provisioning
  • Connect the three-tier application virtual machines to logical networks and test connectivity between virtual machines on the same logical network
  • Deploy Edge Gateway and connect logical networks. Verify connectivity between virtual machines connected to different logical networks by using Edge Gateway
  • Define SNAT rule for accessing external (VLAN) network from virtual machines connected to VXLAN networks
  • Publish three-tier application web service using Edge load balancing
  • Configure Edge firewall rules to only open required ports and protocols between tiers of the application
  • Configure Edge High Availability
  • Micro-segmentation using App Firewall
  • Flow monitoring using App Firewall

This lab is now available in the VMware Hands-on Lab portal. This online environment lets you run a wide variety of labs from any web browser, and is free to anyone. You can register for access by visiting http://hol.vmware.com, where you can also find documentation, community discussions, and the HOL blog. Search for HOL-SDC-1303 in the catalog after logging in to the Hands-on Lab portal.

I would like to thank Ray Budavari, Bill Call, Charu Chaubal, Joseph Dieckhans, Andrew Hald and Pablo Roesch for all their help in making this hands-on lab available.


vCloud Networking and Security 5.1 Edge SSL VPN Configuration

The content for this blog is created by Trevor Gerdes (@trevorgerdes). Posting it here with minor changes.

VMware vCloud Networking and Security Edge Gateway is part of the vCloud Networking and Security solution and provides network edge security and gateway services such as DHCP, VPN, NAT, Firewall, Load Balancing, IPSEC VPN and SSL VPN. In this blog, we will look at the details of configuring the SSL VPN function to allow remote users to connect securely to private networks behind an Edge Gateway.

Edge Gateway supports 25 simultaneous connections from SSL VPN clients on the Compact version and 100 simultaneous connections from SSL VPN clients on the Large version. The X-Large appliance does not support SSL VPN.


vCloud Networking and Security 5.1 App Firewall – Part 3

In the previous two vCloud Networking and Security App Firewall blogs we looked at installation and policy management. In this blog, let’s take a look at how to handle day-to-day operations of App Firewall. The following topics are covered in this blog.

  • App Firewall Flow Monitoring Capabilities
  • App Firewall Syslog Management
  • App Firewall Show History and Load History options
  • App Firewall Configuration Backup
  • App Firewall CLIs


vCloud Networking and Security 5.1 App Firewall – Part 2

In the previous blog, we looked at how to install vCloud Networking and Security App Firewall. In this blog, let’s take a look at how to configure firewall policies to protect applications in the virtual datacenter by using a simple use case.

Use Case

Two applications are deployed on a shared network segment – “App-PortGroup” as shown below. Each application has three tiers – web, app and db.


vCloud Networking and Security 5.1 App Firewall – Part 1

VMware vCloud Networking and Security App Firewall is a hypervisor-based firewall that protects applications in the virtual datacenter. Using App Firewall, organizations gain visibility and control over network communications between virtual machines. App Firewall installs as a hypervisor module and a firewall service virtual appliance. In this blog, I am going to show how to install vCloud Networking and Security App Firewall.


vCloud Networking and Security 5.1 Edge Gateway High Availability

One of the many noticeable changes introduced with the vCloud Networking and Security 5.1 release is the availability of different sizes of Edge Gateway appliances: compact, large, and x-large. Large and x-large Edge Gateway appliances are deployed with 2 vCPUs. vSphere Fault Tolerance is currently not supported for workloads with multiple vCPUs. To ensure high availability (HA), a built-in HA mechanism was implemented in 5.1, in which two Edge Gateways are deployed to work in Active-Standby mode. vSphere HA can be used in conjunction with Edge Gateway HA to handle host failure scenarios.

The vCloud Networking and Security Manager manages the life cycle of both the Active and Standby Edge Gateway instances and pushes user configurations to both simultaneously as they are made. The Active Edge Gateway pushes run-time state information to the Standby Edge Gateway. It is a best practice to create the primary and secondary Edge Gateway appliances on separate resource pools and datastores. When the datastore is shared across all hosts in the cluster, the vCloud Networking and Security Manager deploys the active and standby Edge Gateway appliances on different hosts and sets up an anti-affinity rule to separate the virtual machines as shown below. This ensures that the two HA Edge Gateway virtual machines are not on the same ESXi host even after a host failure. If the datastore is local storage, both virtual machines are deployed on the same host.


Configuring syslog servers and logging in vCloud Networking and Security 5.1

I received multiple requests about setting up syslog servers and logging in vCloud Networking and Security 5.1 App Firewall and Edge Gateway. In this blog, I am going to show how to set up syslog servers and enable logging in vCloud Networking and Security 5.1 Manager, App Firewall and Edge Gateway.

Manager syslog configuration

Log in to the Manager web interface, select Settings & Reports -> Configuration -> General tab, and click the Edit button next to Syslog Server to configure the syslog server.
