This post was authored by Arun Sharma, Staff Engineer for Network Insight. It is a showcase from a real-life environment he worked on.
VMware Network Insight can be a great visualization tool to simplify network & security operations for virtual, physical and cloud environments. Because Network Insight correlates all aspects of your environment together, it can be used as an application mapping tool. It accelerates micro-segmentation deployment, minimizes business risk during application migration and enables your business to confidently manage and scale NSX deployments.
This technical blog outlines how you can use VMware Network Insight to visualize and operate your geographically distributed applications. You may have distributed an application across sites to ensure high availability and disaster recovery. As applications spread out, it becomes significantly harder to secure, monitor and troubleshoot them. VMware Network Insight makes it easy to understand what is going on and gives you full visibility of your applications: it visualizes all communication within and between applications, application tiers and geographical sites.
Setting the scene
Assume that you have 3 applications (HR, Finance, and VDI) and 3 sites (Boston, Seattle, and Singapore).
- HR application (Workday) is available on all the 3 sites
- Finance application (SAP) is located in Boston
- Virtual Desktop Infrastructure (VDI) is based in Singapore
The plan is to use VMware NSX Data Center to micro-segment the applications and ensure that they are adequately protected. The following table details the application names, their application tiers, the VMware NSX security tags applied to the workloads in each tier, and the IP subnet used to determine each tier's location.
The applications have the following security and communication requirements:
- For the HR (Workday) application
- Allow traffic from any site to reach the HR application web tier (WEB-HR-WD-TIER) at any site (Boston, Seattle or Singapore)
- Allow traffic from the Internet, for external employees
- For the Finance (SAP) application
- Allow traffic from the VDI in Singapore (VDI-TIER) to the Finance application gateway tier (GW-FIN-SAP-TIER)
- Deny traffic from the Internet
- The HR application tier (APP-HR-WD-TIER) can communicate with the Finance application API tier (API-FIN-SAP-TIER) on service port 8080
- The Finance application API tier (API-FIN-SAP-TIER) can communicate with the HR application tier (APP-HR-WD-TIER) on service port 8090
- Any other communication is restricted, or at least needs to be questioned
You start by defining the application context in VMware Network Insight. The application definition for each of your apps could look as follows:
If we click each application above, we can see its definition:
Note: The application named SITES is important, as it is what correlates the location of the applications. In this case subnets are used to identify each site; a site can also be a logical construct such as a cluster name or the vCenter that manages that site.
Let's select the HR application and visualize its network flows, its geographical sites and the recommended firewall rules generated for it. The VMware Network Insight search engine lets us do this directly by executing the query: plan flows where application = 'HR-WD'
Keep the focus on the web tier WEB-HR-WD-TIER, as shown in the figure below. Focusing on a tier highlights its outgoing, incoming and bidirectional paths. In this example we can see:
- Outgoing traffic to Boston site
- Bidirectional traffic between web tier to Singapore site
- Incoming traffic from VDI-TIER (the VDI VMs)
- Incoming Traffic from Internet
- Outgoing traffic to app tier of HR application APP-HR-WD-TIER
- Outgoing traffic to the Finance application's API tier (API-FIN-SAP-TIER)
- Outgoing traffic to Seattle site
What Network Insight shows us is that the web servers are talking to the application servers, which is fine. However, the web servers also appear to be talking to the database servers, which is not supposed to happen. Furthermore, the HR application's web servers are also talking to the API servers of the Finance (SAP) application, which is not supposed to happen either. We should fix that by implementing security policies that block those flows. Referring to the recommended firewall rules above and the flows in question, we might want to:
- DENY traffic from WEB-HR-WD-TIER to DB-HR-WD-TIER
- DENY traffic from WEB-HR-WD-TIER to API-FIN-SAP-TIER
Now let's look at the Finance application in the same way: visualize its flows and geographical sites, and generate the recommended firewall rules.
If we keep the focus on GW-FIN-SAP-TIER, we can see that there is:
- Incoming traffic from VDI-TIER, residing in the Singapore site. This was expected: from Singapore, the VDI may access the Finance application.
- Outbound traffic from GW-FIN-SAP-TIER to APP-HR-WD-TIER. This flow is in question; it was not expected. See the diagram below for more detail.
- Incoming traffic from the Internet. This flow is in question; it was not expected.
Based on the recommended firewall rules above and the flow in question, we might want to:
- DENY traffic from GW-FIN-SAP-TIER to APP-HR-WD-TIER (the destination shown under the Singapore site)
Here we have something peculiar that we should probably block right away: for some reason there is network traffic coming from the Internet to the SAP application, which the requirements explicitly deny. Referring to the recommended firewall rules above and the flow in question, we might want to:
- DENY traffic from the Internet to the Finance application gateway tier GW-FIN-SAP-TIER
Now let's look at the communication between the Finance application's API-FIN-SAP-TIER and the HR application's APP-HR-WD-TIER. Communication between these two tiers was expected, on service ports 8080 and 8090. We can check the communication between them as below.
Referring to the recommended firewall rule above, we want to explicitly place this rule in the firewall to allow that communication, restricted to the two intended service ports so that everything else between the tiers remains covered by the default deny.
In exactly the same way we visualized the network flows between applications, we can look at how much traffic is sent between the multiple sites hosting the HR application. Specifically, we'll look at the app tier of the HR application.
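To make the review above concrete, here is an added example (my own code, not part of the original post and not Network Insight or NSX code). It transcribes the intended policy from the requirements list, resolves each endpoint of an observed flow to a site by subnet (as the SITES application does) and to a tier by security tag, splits the flows into expected ones and unexpected ones that become candidate ALLOW and DENY rules, and sums the traffic exchanged between site pairs as in the cross-site view of the HR app tier. The site subnets, the IP-to-tag mapping, the IP addresses and the flow records are constructed assumptions; only the tier names come from the post.

```python
"""Added example: check observed flows against the post's intended policy.
Subnets, IP-to-tier mapping and flow records below are constructed; the
security tags (tier names) are the ones used in the post."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Assumed site subnets, standing in for the SITES application in the post.
SITE_SUBNETS = {
    "Boston": ipaddress.ip_network("10.1.0.0/16"),
    "Seattle": ipaddress.ip_network("10.2.0.0/16"),
    "Singapore": ipaddress.ip_network("10.3.0.0/16"),
}

# Assumed workload IP -> NSX security tag (application tier).
TIER_OF_IP = {
    "10.1.10.5": "WEB-HR-WD-TIER", "10.2.10.5": "WEB-HR-WD-TIER",
    "10.3.10.5": "WEB-HR-WD-TIER", "10.3.20.5": "APP-HR-WD-TIER",
    "10.3.30.5": "DB-HR-WD-TIER", "10.1.40.5": "GW-FIN-SAP-TIER",
    "10.1.50.5": "API-FIN-SAP-TIER", "10.3.60.5": "VDI-TIER",
}

ANY = "*"
ANY_SITE = "ANY_SITE"  # a source inside any of the three sites
INTERNET = "INTERNET"  # a source that resolves to no site

# Intended policy transcribed from the requirements list:
# (source, destination tier, destination port). Everything else is denied.
INTENT = [
    (ANY_SITE, "WEB-HR-WD-TIER", ANY),
    (INTERNET, "WEB-HR-WD-TIER", ANY),
    ("VDI-TIER", "GW-FIN-SAP-TIER", ANY),
    ("APP-HR-WD-TIER", "API-FIN-SAP-TIER", 8080),
    ("API-FIN-SAP-TIER", "APP-HR-WD-TIER", 8090),
]


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    byte_count: int = 0


def site_of(ip):
    """Map an IP to a site by subnet; None means outside every site."""
    addr = ipaddress.ip_address(ip)
    return next((s for s, net in SITE_SUBNETS.items() if addr in net), None)


def label(ip):
    """Best label for an endpoint: its tier, else its site, else INTERNET."""
    return TIER_OF_IP.get(ip) or site_of(ip) or INTERNET


def is_allowed(flow):
    """True if some intended rule covers the flow; the default is deny."""
    src_site = site_of(flow.src_ip)
    src_label = TIER_OF_IP.get(flow.src_ip) or (INTERNET if src_site is None else src_site)
    dst_tier = TIER_OF_IP.get(flow.dst_ip)
    for src, dst, port in INTENT:
        if dst != dst_tier or port not in (ANY, flow.dst_port):
            continue
        if src == src_label or (src == ANY_SITE and src_site is not None):
            return True
    return False


def review(flows):
    """Split observed flows into expected and unexpected rule tuples
    (source label, destination label, port) for ALLOW / DENY rules."""
    expected, unexpected = set(), set()
    for f in flows:
        rule = (label(f.src_ip), label(f.dst_ip), f.dst_port)
        (expected if is_allowed(f) else unexpected).add(rule)
    return expected, unexpected


def site_matrix(flows):
    """Bytes exchanged per (source site, destination site) pair."""
    totals = defaultdict(int)
    for f in flows:
        totals[(site_of(f.src_ip) or INTERNET, site_of(f.dst_ip) or INTERNET)] += f.byte_count
    return dict(totals)


# Constructed observed flows mirroring the ones discussed in the post.
OBSERVED = [
    Flow("203.0.113.10", "10.1.10.5", 443, 120_000),  # Internet -> HR web (expected)
    Flow("10.3.60.5", "10.1.40.5", 3200, 40_000),     # VDI (Singapore) -> SAP gateway (expected)
    Flow("10.3.20.5", "10.1.50.5", 8080, 9_000),      # HR app -> SAP API (expected)
    Flow("10.1.10.5", "10.3.30.5", 3306, 5_000),      # HR web -> HR DB (unexpected)
    Flow("10.1.10.5", "10.1.50.5", 8080, 2_000),      # HR web -> SAP API (unexpected)
    Flow("10.1.40.5", "10.3.20.5", 8090, 1_500),      # SAP gateway -> HR app (unexpected)
    Flow("203.0.113.25", "10.1.40.5", 443, 800),      # Internet -> SAP gateway (unexpected)
]

if __name__ == "__main__":
    expected, unexpected = review(OBSERVED)
    for rule in sorted(unexpected):
        print("DENY ", *rule)
    for rule in sorted(expected):
        print("ALLOW", *rule)
    for (src_site, dst_site), total in sorted(site_matrix(OBSERVED).items()):
        print(f"{src_site} -> {dst_site}: {total} bytes")
```

Running the script lists the four unexpected flows from the walkthrough (web to DB, web to SAP API, SAP gateway to HR app, Internet to SAP gateway) as DENY candidates and the three expected ones as ALLOW candidates, each pinned to the observed port. Note that the default is deny: a flow is only expected if an intent rule covers it, so an HR-to-SAP flow on any port other than 8080 shows up as unexpected even though the two tiers are allowed to talk.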
These are only a few of the ways you can visualize application connectivity. The context and correlation they provide help during troubleshooting, monitoring and micro-segmentation security planning.
VMware Network Insight answers the age-old question: what is happening on my network? Only with the application context that VMware Network Insight brings can you visualize your applications across multiple regions and answer that question, from a simple overview of the intra-application network flows to drilling down into the exact flows that are taking place.