vRealize Network Insight Day 2 Network Operations

Using VMware Network Insight to Visualize and Secure Geographically Distributed Applications

This post was authored by Arun Sharma, Staff Engineer for Network Insight. This is a showcase from a real-life environment on which he worked on.

Try Network Insight free for 30 days.

 

VMware Network Insight can be a great visualization tool to simplify network & security operations for virtual, physical and cloud environments. Because Network Insight correlates all aspects of your environment together, it can be used as an application mapping tool. It accelerates micro-segmentation deployment, minimizes business risk during application migration and enables your business to confidently manage and scale NSX deployments.

This technical blog outlines how you can use VMware Network Insight to visualize and operate your geographically distributed applications. You could have distributed your application to ensure high availability and disaster recovery. As your applications spread out, it becomes significantly harder to ensure security, monitor and troubleshoot them. Using VMware Network Insight makes it easy for you to comprehend what’s going on and take full control over the visibility of your applications. VMware Network Insight helps to visualize all communication within and between applications, application tiers and geographical sites.

Setting the scene

Assume that you have 3 applications (HR, Finance, and VDI) and 3 sites (Boston, Seattle, and Singapore).

  • HR application (Workday) is available on all the 3 sites
  • Finance application (SAP) is located in Boston
  • Virtual Desktop Infrastructure (VDI) is based in Singapore

Figure 1: The distributed applications
 

The plan is to use VMware NSX Data Center to micro-segment the applications and ensure that these are adequately protected. The following table details the application names, their respective application tiers, the VMware NSX security tags applied to the tier workloads and the IP subnet to determine in the intended location.

The applications have below security and communication requirements:

  • For the HR (Workday) application
    • Allow traffic from any site to reach any HR application (WEB-HR-WD-TIER) sites (Boston, Seattle or Singapore)
    • Allow traffic from the Internet for external employees
  • For the Finance (SAP) application
    • Allow traffic from Singapore (VDI-TIER) to Finance application GW-TIER
    • Deny traffic from the Internet
  • HR Application (APP-HR-WD-TIER) can communicate with Finance Application (API-FIN-SAP-TIER) on service port 8080
  • Finance Application (API-FIN-SAP-TIER) can communicate with HR application (APP-HR-WD-TIER) on service port 8090
  • Any other communication is restricted or in question

 

Application Context

You start by defining the application context in VMware Network Insight (more details). The application definition for each of your app could be as follows:

Figure 2: List of Application constructs
 

If we click each application above, we can see its definition:

Figure 2.1: HR application definition

Figure 2.2: Finance application definition

Figure 2.3: VDI-Desktops application definition

Figure 2.4: SITES application definition
 

Note: The application named SITES is important as it helps to correlate the location of the applications. In this case, subnets are used to identify each site. This can also be a logical construct like a cluster name or the vCenter that manages that site.

Visualizing

Let’s select the HR application and visualize its network flows, geographical sites and generated recommended firewall rules. The VMware Network Insight search engine lets us do this directly by executing this query: plan flows where application = ‘HR-WD’

Keep the focus on web tier WEB-HR-WD-TIER as it is shown in the below figure. On focus, it pops up outgoing, incoming, bidirectional paths. As per this example, we can see:

  • Outgoing traffic to Boston site
  • Bidirectional traffic between web tier to Singapore site
  • Incoming traffic from VDI-TIER (VDI VM’s)
  • Incoming Traffic from Internet
  • Outgoing traffic to app tier of HR application APP-HR-WD-TIER
  • Outgoing traffic to app tier of Finance application.
  • Outgoing traffic to Seattle site

 

Figure 3: HR Application with a focus on the web tier.
 

The data that’s being shown in Network Insight, is showing us that within the web servers are talking to the application servers, which is fine. However, the web servers also seem to be talking to the database servers, which is not supposed to happen. Furthermore, the web servers from the HR application are also talking to the API servers if the finance (SAP) application, which is also not supposed to happen. We should probably fix that by implementing security policies to stop that. By referring to the recommended firewall rules above and flows in question, we might want to:

  • DENY traffic between WEB-HR-WD-TIER to DB-HR-WD-TIER
  • DENY traffic between WEB-HR-WD-TIER to API-FIN-SAP-TIER

Now, let’s look at the Finance application it the same way and visualize its flows, geographical sites and generate the recommended firewall rules.

If we keep the focus on GW-FIN-SAP-TIER, then we can understand that there is:

  • Incoming traffic from VDI-TIER residing in Singapore site. This was expected because from Singapore, VDI can access Finance application.
  • Outbound traffic from GW-FIN-SAP-TIER to APP-HR-WD-TIER. This flow is in question, it was not expected. See more info in the diagram below.
  • Incoming traffic from Internet. This flow is in question, it was not expected.

 

Figure 4: Finance Application with focus on gateway tier.
 

As per the recommended firewall rules above and flow in question, we might want to:

  • DENY GW-FIN-SAP-TIER to Singapore which is APP-HR-WD-TIER

 

Figure 5: Finance Application with focus on gateway tier showing internet incoming traffic.
 

Here we have something really peculiar and something that we should probably block right away. For some reason, there is network traffic coming from the internet to the SAP application. By referring to the recommended firewall rules above and the flow in question, we might want to:

  • DENY traffic from the internet to finance application GW-FIN-SAP-TIER

Now, let’s see communication between Finance application API-FIN-SAP-TIER and HR application APP-HR-WD-TIER. As it was expected, there were supposed to be a communication between these two applications at APP-HR-WD-TIER and API-FIN-SAP-TIER level. We can check the communication between these two tiers as below.

Figure 6: Two application tier communication.
 

By referring to the recommended firewall rule above, we want to explicitly place this rule in firewall to allow this communication.

Geographical Distribution

In exactly the same way we visualized the network flows between applications, we can have a look at how much traffic is being sent between the multiple sites where the HR application is hosted. Specifically, we’ll have a look at the App tier of the HR application.

Figure 7: HR Application App Tier geographical sites communication and bandwidth size.
 

Above are only a few ways how you can visualize application connectivity. This provides some context and correlation which helps during troubleshooting, monitoring, and micro-segmentation security planning.

Conclusion

VMware Network Insight solves the age-old question; what’s happening on my network? Only with the application context that VMware Network Insight brings, can you visualize your applications across multiple regions and answer that question. From the simple visualization to see what intra-application network flows there are, to drilling deep and seeing the exact network flows that are happening.

 

Try VMware Network Insight free for 30 days or learn more.