VMware vRealize Network Insight can be a great visualization tool to simplify network and security operations for virtual, physical and cloud environments. Because Network Insight correlates all aspects of your environment, it can be used as a monitoring and troubleshooting tool across multiple disciplines. Each of these disciplines, or personas, wants different data displayed prominently and needs different reports about the virtualization, security or network infrastructure. This blog post goes into how to create custom pinboards that cater to the different personas: the vSphere, network and security administrators.
Network Insight has a number of entities representing the data center: virtual machines, vSphere hosts, AWS EC2 instances, physical switches, firewalls, and so on. Every major entity has a specific dashboard displaying important information about that entity. A dashboard has multiple widgets that display insightful information about the entity. For entity searches (such as VMs), the results are displayed in a list view, and clicking on a result takes the user to the specific dashboard for that entity. Each of these widgets and result lists has a pin icon, meaning it can be saved to a custom pinboard.
Users can create their own pinboards in Network Insight, tailored to specific monitoring and information visualization needs.
Let us go through a few examples of users with different monitoring needs: the vSphere administrator (VI admin), the network administrator and the security administrator.
Creating a Pinboard
The simplest way to create a new pinboard is by clicking on the pin icon on any of the widgets, as shown below:
Select ‘Create New Pinboard’ and give it an appropriate name. A best practice is to put only the required or related set of pins on a pinboard; multiple pinboards can be created for different monitoring requirements. Once a pinboard is created, it can be configured to refresh itself periodically. Enable auto-refresh as shown below:
Following are example pinboards for the three user personas (vSphere admin, network admin, security admin).
vSphere Admin Pinboard
On this pinboard, we will put information about the health of the vCenter environment.
Let’s begin with the count of entities. These numbers can also be filtered per vCenter:
- Count of vms [where vcenter = xxx]
- Count of hosts
- Count of datastores
- Count of flows
- Count of vMotion Event
These widgets all return a number and will be seen as:
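The count pins above can also be pulled by script for a morning check, so drift shows up without opening the UI. The following is an added example, not code from the original post or from VMware: it runs the same search queries through the Network Insight REST API and diffs the counts against the previous run. The endpoint paths, the "NetworkInsight <token>" Authorization header and the "total_count" response key are assumptions to verify against the API reference for your version; `demo_transport` and its counts are constructed so the script runs offline.

```python
"""Morning-check script for the count pins (added example, not VMware code).

Assumptions to verify against the Network Insight API reference for your
version: the auth and search endpoint paths, the "NetworkInsight <token>"
Authorization header, and the "total_count" key in search responses.
"""
import json
import sys
from typing import Any, Callable, Dict, List, Optional, Tuple

AUTH_PATH = "/api/ni/auth/token"      # assumed path
SEARCH_PATH = "/api/ni/search/ql"     # assumed path (search-language endpoint)

# Transport(path, headers, json_body) -> parsed JSON. A real one wraps
# requests.post(base_url + path, headers=headers, json=json_body,
# verify="/etc/ssl/certs/vrni-ca.pem").json(); do not use verify=False, the
# token grants read access to every flow Network Insight has seen.
Transport = Callable[[str, Dict[str, str], Dict[str, Any]], Dict[str, Any]]

# The count pins from the vSphere admin pinboard above.
COUNT_QUERIES: List[str] = [
    "count of vms",
    "count of hosts",
    "count of datastores",
    "count of flows",
    "count of vmotion event",
]


def login(transport: Transport, username: str, password: str,
          domain_type: str = "LOCAL") -> str:
    """Exchange credentials for an API token (request/response shape assumed)."""
    body = {"username": username, "password": password,
            "domain": {"domain_type": domain_type}}
    return transport(AUTH_PATH, {"Content-Type": "application/json"}, body)["token"]


def run_query(transport: Transport, token: str, query: str) -> Dict[str, Any]:
    """Submit one search-language query exactly as typed in the search bar."""
    headers = {"Authorization": f"NetworkInsight {token}",
               "Content-Type": "application/json"}
    return transport(SEARCH_PATH, headers, {"query": query})


def collect_counts(transport: Transport, token: str,
                   queries: List[str]) -> Dict[str, int]:
    """Run every count query and keep only the match count."""
    return {q: int(run_query(transport, token, q).get("total_count", 0))
            for q in queries}


def diff_counts(baseline: Dict[str, int], current: Dict[str, int],
                pct_threshold: float = 20.0) -> List[Tuple[str, Optional[int], int, str]]:
    """Flag counts that moved more than pct_threshold percent since baseline.

    A jump in VM or flow count on a quiet morning is worth a look: it may be
    a new workload, but it may also be a runaway deployment or a scanner.
    """
    findings = []
    for query, now in current.items():
        before = baseline.get(query)
        if before is None:
            findings.append((query, None, now, "no baseline"))
        elif before == 0:
            if now != 0:
                findings.append((query, 0, now, "was zero"))
        else:
            change = (now - before) * 100.0 / before
            if abs(change) > pct_threshold:
                findings.append((query, before, now, f"{change:+.1f}%"))
    return findings


# Constructed responses so the script runs offline; a real server returns live data.
_DEMO_COUNTS = {"count of vms": 1250, "count of hosts": 48, "count of datastores": 31,
                "count of flows": 2_100_000, "count of vmotion event": 417}


def demo_transport(path: str, headers: Dict[str, str],
                   body: Dict[str, Any]) -> Dict[str, Any]:
    """Fake transport: issues one token and rejects requests that lack it."""
    if path == AUTH_PATH:
        return {"token": "demo-token", "expiry": 0}
    if headers.get("Authorization") != "NetworkInsight demo-token":
        raise PermissionError("401: missing or invalid token")
    return {"total_count": _DEMO_COUNTS.get(body["query"], 0), "results": []}


if __name__ == "__main__":
    # Usage: python morning_check.py [baseline.json]; the baseline is the
    # previous run's counts and is written back at the end.
    baseline_file = sys.argv[1] if len(sys.argv) > 1 else "baseline.json"
    try:
        with open(baseline_file) as fh:
            baseline = json.load(fh)
    except FileNotFoundError:
        baseline = {}
    tok = login(demo_transport, "admin@local", "not-a-real-password")
    current = collect_counts(demo_transport, tok, COUNT_QUERIES)
    for query, before, now, note in diff_counts(baseline, current):
        print(f"{query:28s} {before!s:>10} -> {now:<10} {note}")
    with open(baseline_file, "w") as fh:
        json.dump(current, fh, indent=2)
```

Swap `demo_transport` for a real HTTPS call to use it against a collector; keep the account read-only and the CA bundle pinned, since the token exposes the entire flow history.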
The next section can hold the problems identified by Network Insight:
- problems [where manager = xxx]
The next section can hold top-usage pins:
- Top 5 hosts by Memory Usage
- Top 5 hosts by CPU usage
- Top 5 Datastore by RW IOPS
- Top 5 datastore by Used Space Percent
The next section can hold the widgets related to vMotion:
- VMotion Event group by anchorEntities (lists all VMs that were vMotioned)
- vmotion event group by currHost.name (number of vMotion events per host)
- vmotion event group by currHost.cluster (number of vMotion events per cluster)
- bytes of flow where port = 8000 and Flow Type = ‘Source is VMKNIC’ and flow type = ‘Destination is VMKNIC’ (volume of vMotion traffic; vMotion runs between vmkernel NICs on TCP port 8000, so this only works when those vmkernel flows are being collected)
The next section holds information related to the health of VMs:
- vm where not in (vm where Power State = ‘POWEREDON’ in last 30 days) (VMs that have not been powered on in the last 30 days)
- vms order by Snapshot Count (VMs carrying the most snapshots)
- Max latency of VMware VM
- cpu cores of vm (oversized VMs are a common surprise here)
- Active Memory of VMware VM
Network Admin Pinboard
A section with top-N pins:
- sum(bytes) of flows group by vm
- Top 5 vms order by Rx Packet Drops
- Top 5 switch ports by Network rate
- sum(bytes) of flows group by L2 Network (Top L2 networks by flow volume)
- sum(bytes) of flows group by port (Top ports by flow volume)
- sum(bytes) of flows group by Service Endpoint (Top service endpoints [Dest IP, Dest Port] by flow volume)
- flows where flow type = ‘Multicast’ group by Source IP Address (top sources sending multicast)
- switch ports where Max Network Rate and vendor = ‘VMware, Inc.’ (traffic on the physical NICs of the ESXi hosts, as reported by vCenter)
The next section can hold widgets related to traffic flow:
- sum(packets) of flows group by cluster order by max(Bytes) where Dc = ‘xxx’ (total traffic flowing through the data center, as reported by the DVS via NetFlow)
Security Admin Pinboard
Searching for ‘security’ (as shown below) opens the security dashboard for NSX-V. Its widgets give important numbers about the security posture of the data center.
It also has important items such as:
- Data center machines accessed from internet
- Internet services accessed by data center machines
- Unused firewall rules
- Virtual machines that are excluded from firewall
- Unused security side entities
Click on the pin icons of these widgets to get them onto the security admin pinboard. Treat “unused” as “saw no hits during the observation window”: a rule that guards rare traffic (DR tests, quarterly jobs) shows up as unused too, so review a rule before removing it on the strength of this widget alone.
There is also important information in the Flow Analytics dashboard which can be added to this pinboard.
Once you click on “Flow Analytics”, refer to the “What’s New” section shown below:
Flow Analytics gives statistics for all flows selected by the search, so these analytics widgets can be defined for different flow queries.
Along with traffic sent to and from the internet, it has widgets such as new firewall rules that were hit in the last day and new services (IP and destination port pairs) whose flows were blocked (information received from NSX-V).
These queries help find out how densely or sparsely security groups, ipsets and firewall rules are defined:
- vms group by Firewall Rule
- vms group by security groups
- vms group by ipsets
- vms group by ipsets, security groups (this gives a useful list of VMs that are in the same ipset but in different security groups, and vice versa; you can select a specific ipset or security group from the filters)
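The last query is the one that exposes policy drift: VMs that a firewall rule reaches through a shared ipset while their security-group membership says they should be treated differently. The following is an added example, not code from the original post or from VMware, that works the same check over rows exported from that pin. The column names (`vm`, `ipset`, `security_group`) and the sample rows are constructed for illustration; it goes one step beyond the pin by picking out, per ipset, the VMs that do not share the majority security group.

```python
"""Ipset / security-group consistency check (added example, not VMware code).

Works on rows exported from the 'vms group by ipsets, security groups' pin;
the column names and the sample rows are constructed for illustration.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed rows: one row per (vm, ipset, security group) combination.
SAMPLE_ROWS: List[Dict[str, str]] = [
    {"vm": "web-01",  "ipset": "ipset-web", "security_group": "sg-web"},
    {"vm": "web-02",  "ipset": "ipset-web", "security_group": "sg-web"},
    {"vm": "web-03",  "ipset": "ipset-web", "security_group": "sg-db"},    # web ipset, db policy
    {"vm": "jump-01", "ipset": "ipset-web", "security_group": "sg-web"},
    {"vm": "jump-01", "ipset": "ipset-web", "security_group": "sg-admin"},
    {"vm": "db-01",   "ipset": "ipset-db",  "security_group": "sg-db"},
    {"vm": "db-02",   "ipset": "ipset-db",  "security_group": "sg-db"},
    {"vm": "db-02",   "ipset": "ipset-web", "security_group": "sg-db"},    # db host also in web ipset
]


def groups_per_ipset(rows: List[Dict[str, str]]) -> Dict[str, Set[str]]:
    """Which security groups the members of each ipset belong to (dense = many)."""
    out: Dict[str, Set[str]] = defaultdict(set)
    for r in rows:
        out[r["ipset"]].add(r["security_group"])
    return dict(out)


def ipsets_per_group(rows: List[Dict[str, str]]) -> Dict[str, Set[str]]:
    """The reverse view: the ipsets that members of each security group sit in."""
    out: Dict[str, Set[str]] = defaultdict(set)
    for r in rows:
        out[r["security_group"]].add(r["ipset"])
    return dict(out)


def odd_ones_out(rows: List[Dict[str, str]]) -> List[Tuple[str, str, str, str]]:
    """VMs that share an ipset with the majority but not its security group.

    Rules written against the ipset treat these VMs like the majority, while
    their security-group policy says otherwise; each is a candidate for either
    a stale ipset entry or a wrong group membership.
    Returns (ipset, vm, comma-joined vm groups, majority group).
    """
    members: Dict[str, Dict[str, Set[str]]] = defaultdict(lambda: defaultdict(set))
    for r in rows:
        members[r["ipset"]][r["vm"]].add(r["security_group"])
    findings: List[Tuple[str, str, str, str]] = []
    for ipset, vms in members.items():
        tally: Dict[str, int] = defaultdict(int)
        for groups in vms.values():          # count distinct VMs per group
            for g in groups:
                tally[g] += 1
        majority = max(tally.items(), key=lambda kv: (kv[1], kv[0]))[0]
        for vm, groups in sorted(vms.items()):
            if majority not in groups:
                findings.append((ipset, vm, ",".join(sorted(groups)), majority))
    return findings


if __name__ == "__main__":
    for ipset, groups in sorted(groups_per_ipset(SAMPLE_ROWS).items()):
        print(f"{ipset}: {sorted(groups)}")
    for ipset, vm, groups, majority in odd_ones_out(SAMPLE_ROWS):
        print(f"{vm} is in {ipset} with group(s) {groups}; most members are in {majority}")
```

A VM in more than one security group (jump-01 above) is not flagged as long as one of its groups is the ipset's majority; the two VMs that are flagged are the ones a rule keyed on ipset-web would open up even though their own group policy is the database one.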
Using pinboards you can create a personalized dashboard with all the information you need to review and monitor specific parts of the infrastructure. Creating multiple pinboards for multiple personas is easy and customizable, and brings instant value to morning checks, troubleshooting procedures or a monitoring dashboard on a big screen in the NOC.