By Tristan Todd, Architect, End-User Computing, VMware
I love riding bikes! For years I have served as my own bike mechanic. And for about the last 10 years I have hand-built my own bicycle wheels. I do this because I like to choose my parts, I like the quality of the finished product, and I like to save money!
When I first started thinking about building my own bicycle wheels, I was terrified of the complexity, and I faced myriad questions. How do I find parts? What tools do I need? How long will it take? Will my wheels be safe? Yikes! This might be more than I can handle!
My first experiences with NSX in a Horizon 6 environment were similarly overwhelming. Things seemed simple at first until I started considering deployment nuances, operational procedures, and design options.
For background on the importance of micro-segmentation for Horizon 6, see the recent VMware EUC blog post VMware NSX – Customer Imperatives for Desktop Transformation Security. Today’s article aims to break down the broad micro-segmentation topic as it applies to a Horizon 6 environment. By breaking down NSX into bite-sized chunks, I hope to make this topic a bit more approachable to the EUC technical professional.
One obvious benefit that NSX brings to a Horizon 6 virtual desktop environment is micro-segmentation, delivered as part of the desktop and application delivery services in the enterprise. As depicted at a high level in the preceding diagram, introducing NSX into a Horizon 6 virtual desktop environment is actually quite straightforward. I want to address a handful of important NSX components and then their role in micro-segmentation.
NSX is quick to deploy in an existing Horizon 6 environment. NSX Manager is a single OVA (open virtualization appliance) that deploys in minutes; once it is registered with vCenter and the ESXi hosts in the Horizon clusters have been prepared (host preparation installs the distributed firewall modules on each host), you are ready to start delivering services. Service Composer lets you provision and assign firewall policies and security services to applications. Firewall services let you build rules that protect virtual machines and applications. NSX load balancers can front-end application servers through an integrated, intuitive management interface.
A simple View virtual desktop environment in Horizon 6 (configured for desktop pool services) is depicted in the preceding diagram. Zooming in, we can see four ways that NSX is adding more lateral controls and protection.
- Distributed firewalls to protect Horizon 6 services
The network services that Horizon 6 requires are controlled through distributed firewall rules. The NSX Service Composer interface makes it easy to define the services that the different Horizon 6 components need and to group them into policies.
Protip: See VMware Horizon 6 (View) Firewall and Network Ports Visualized from Ray Heffer at VMware. In this blog post, Ray clearly depicts all of the required network services needed throughout a Horizon 6 environment.
- Distributed firewall for controlling View desktop pool access in Horizon 6
Virtual desktop access can be managed (allowed or blocked) at the desktop pool level by grouping the desktops that belong to a pool into an NSX security group (for example, by desktop naming convention or by NSX security tag) and writing identity-based firewall rules for client connectivity to that group. For example, if View user Dexter Smith belongs to the “IT Admin” security group in Active Directory, a rule whose source is that AD group and whose destination is the “IT Admins Pool” security group permits him access to the IT Admins Pool desktops in Horizon, while users outside the group match no allow rule and are denied. Identity-based rules depend on NSX knowing who is logged in, so NSX Manager must be registered with the Active Directory domain before they take effect.
- Distributed firewall for controlling individual desktop access
Because firewall rules are enforced at each virtual machine’s vNIC and can be based on the identity of the logged-in Windows user, it is easy to deliver just-in-time firewall rules to a large pool of desktops cloned from a single master image. For example, blocking all network traffic between the individual desktops in a pool is usually a good security practice: it contains attacks such as malware delivered through a desktop browser that then tries to move laterally through the environment. Because the distributed firewall sits at the vNIC, the block holds even between desktops on the same host and port group, where a perimeter firewall would never see the traffic. A single deny rule with the pool’s security group as both source and destination, placed above any broader allow rules so that it cannot be shadowed, is enough to enforce it.
- Load-balancing servers to optimize performance
An NSX Edge load balancer can be rapidly deployed in front of a cluster of View Connection Servers in Horizon 6. Even a basic round-robin policy provides a simple protective mechanism that keeps any single Connection Server from being overloaded with sessions, and a health monitor on the pool takes a failed server out of rotation so the Connection Server is no longer a single point of failure. Because everything is administered through the vSphere Web Client, the load balancer service is easy to deploy, administer, and monitor.
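To make the first three distributed-firewall uses above concrete, here is a small policy evaluator written for this post. It is an added illustration, not NSX code and not the NSX API: the security tags (st-*), the AD group names, the rule table and the sample flows are all constructed for the example. It models the three things the list describes, the required Horizon services, pool access by AD group, and an intra-pool deny, and it shows why rule order matters, since the distributed firewall is first-match from the top.

```python
"""Toy evaluator for a distributed-firewall policy in a Horizon 6 environment.

Added illustration only: not NSX code and not the NSX API. The security
tags (st-*), the AD group names, the rule table and the sample flows are
constructed for this example. Rules are evaluated top to bottom and the
first match wins, as in the NSX distributed firewall, with an implicit
default deny at the end.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ANY = "*"


@dataclass(frozen=True)
class Flow:
    src_tag: str                 # security tag of the source VM, or "horizon-client"
    dst_tag: str                 # security tag of the destination VM
    dst_port: int
    proto: str = "tcp"
    user_groups: frozenset = frozenset()  # AD groups of the user behind the flow, if known


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                      # "allow" or "deny"
    src: str = ANY                   # security tag or ANY
    dst: str = ANY
    ports: frozenset = frozenset()   # empty = any destination port
    protos: frozenset = frozenset()  # empty = any protocol
    ad_group: Optional[str] = None   # identity-based rule: AD group the user must belong to


# Ports are Horizon 6 defaults: 443 client HTTPS to the Connection Server,
# 4172 PCoIP (TCP and UDP) and 32111 USB redirection to the desktop,
# 4001 JMS from the Horizon Agent back to the Connection Server.
RULES: List[Rule] = [
    Rule("Clients to Connection Servers", "allow",
         src="horizon-client", dst="st-connection-server",
         ports=frozenset({443}), protos=frozenset({"tcp"})),
    Rule("Agents to Connection Servers (JMS)", "allow",
         src="st-pool-itadmins", dst="st-connection-server",
         ports=frozenset({4001}), protos=frozenset({"tcp"})),
    # The intra-pool deny sits above every rule that could reach a desktop.
    Rule("Block desktop-to-desktop inside IT Admins pool", "deny",
         src="st-pool-itadmins", dst="st-pool-itadmins"),
    Rule("IT Admin users to IT Admins pool", "allow",
         src="horizon-client", dst="st-pool-itadmins",
         ports=frozenset({4172, 32111}), ad_group="IT Admin"),
]

# A later, broader allow an administrator might add for file-server access.
BROAD_SMB_ALLOW = Rule("Desktops to any SMB", "allow",
                       src="st-pool-itadmins", ports=frozenset({445}))

# Constructed sample flows, one per case discussed in the post.
SAMPLE_FLOWS: Dict[str, Flow] = {
    "client_https_to_cs": Flow("horizon-client", "st-connection-server", 443),
    "client_rdp_to_cs": Flow("horizon-client", "st-connection-server", 3389),
    "itadmin_pcoip_to_pool": Flow("horizon-client", "st-pool-itadmins", 4172, "udp",
                                  frozenset({"IT Admin"})),
    "helpdesk_pcoip_to_pool": Flow("horizon-client", "st-pool-itadmins", 4172, "udp",
                                   frozenset({"Help Desk"})),
    "desktop_smb_to_desktop": Flow("st-pool-itadmins", "st-pool-itadmins", 445),
    "agent_jms_to_cs": Flow("st-pool-itadmins", "st-connection-server", 4001),
}


def matches(rule: Rule, flow: Flow) -> bool:
    """True when every populated field of the rule matches the flow."""
    if rule.src != ANY and rule.src != flow.src_tag:
        return False
    if rule.dst != ANY and rule.dst != flow.dst_tag:
        return False
    if rule.ports and flow.dst_port not in rule.ports:
        return False
    if rule.protos and flow.proto not in rule.protos:
        return False
    if rule.ad_group is not None and rule.ad_group not in flow.user_groups:
        return False
    return True


def evaluate(flow: Flow, rules: List[Rule] = RULES) -> Tuple[str, str]:
    """First-match evaluation; returns (action, rule name), default deny at the end."""
    for rule in rules:
        if matches(rule, flow):
            return rule.action, rule.name
    return "deny", "default deny"


def decisions(rules: List[Rule] = RULES) -> Dict[str, str]:
    """Evaluate every sample flow and return flow name -> action."""
    return {name: evaluate(flow, rules)[0] for name, flow in SAMPLE_FLOWS.items()}


def with_broad_allow_first(rules: List[Rule] = RULES) -> List[Rule]:
    """Ordering pitfall: the broad SMB allow placed above the intra-pool deny shadows it."""
    return [BROAD_SMB_ALLOW] + list(rules)


if __name__ == "__main__":
    for name, flow in SAMPLE_FLOWS.items():
        print(f"{name:26s} -> {evaluate(flow)}")
    print("misordered:", evaluate(SAMPLE_FLOWS["desktop_smb_to_desktop"], with_broad_allow_first()))
```

The last function is the check worth keeping in mind when you build the real rule table: appending `BROAD_SMB_ALLOW` after the deny still blocks desktop-to-desktop SMB, but placing it above the deny allows it, and nothing in the firewall warns you.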
Cycling back (sorry for the pun!) to my biking story, after reading some books, using some Web resources, and making a few mistakes along the way, I have now worked through the complexity of bicycle wheel building. What used to take me three days, I can now do in three hours. Sometimes a topic that seems complex on the surface is, in fact, not so complex after all.
In the next blog post I will address just how easy it is to deploy NSX for micro-segmentation in an existing Horizon 6 environment. In future posts I will address the topics of:
- Distributed firewalling with identity
- Distributed firewall rule creation
- Monitoring NSX with vRealize Log Insight
Some other fantastic resources that I highly recommend are:
- Video overview of Secure Role Based Desktops with VMware Horizon 6, App Volumes, and NSX
- Video tour and demo series on micro-segmentation with NSX