Customers understand the need for micro-segmentation and benefits it provides to enhance the security posture within their datacenter. However, one of the challenges for a Security admin is how to define micro-segmentation policies for applications owned and managed by application teams. This is even more challenging especially when you have tens or hundreds of unique applications in your data center, all of which use different port and protocols and resources across the cluster. The traditional manual perimeter firewall policy modeling may not be ideal and may not be able to scale for the micro-segmentation of your applications as it would be error-prone, complex and time consuming.
NSX addresses the how & where to start micro-segmentation challenge by providing the built-in tool called Application Rule Manager (ARM), to automate the application profiling and the onboarding of applications with micro-segmentation policies. NSX ARM has been part of NSX, since the NSX 6.3.0 release but here we will talk about Application Rule Manager (ARM) enhancement, Recommendation Engine, introduced as part of NSX 6.4.0 release. This enhancement allows you to do Rapid Micro-segmentation to your data center application by recommending “ready to consume” workload grouping & firewall policy rules.
To understand the NSX 6.4 ARM enhancements, let’s take a day in the life of security admin who needs to plan and define micro-segmentation policy to a 3-tier application with a load balancer. The following figure shows three simple ARM tool steps to help a security admin identify the application layout, automate workload grouping and create a allowlist-based policy which only allows the flows the application needs to function. More details on each of the steps described below.
Step-1: Monitor Flows
- Identify all VM’s associated with the given application.
- Start ARM session with all the application VM’s to monitor flows.
- Keep the session active for few hours, days based on the application type and activity.
Step-2: Analyze & Auto-Recommend – In this step the user would stop the ARM session and click on Analyze. This triggers analysis of all the raw flows collected in step-1 and provides meaningful unique flow data. Prior to NSX 6.4.0 release, the admin had to use this flow data to manually define grouping and firewall policy. Starting NSX 6.4.0, ARM automates this workflow of workload grouping and policy creation as follows:
- Automate Grouping & IPSET Recommendation of the workloads based on the flow pattern and services used. In the above example with a 3-tier application, the outcome would be four recommended security groups, one each for the application tiers & one group for all VM’s in that application. ARM also recommends IP Set’s for destination based on services used by application VM’s e.g., DNS/NTP servers, if destination IP’s are outside vCenter domain.
- Automate Micro-segmentation Policy Rule recommendation based on analyzed flow data. In the above example of 3-tier application outcome could be four rules with
- LB to WEB on https,
- WEB to APP on http,
- APP to DB on MySql and
- Common rule for infra services like DNS.
- Identify the Application Context (Layer 7) to the flow between application tiers. For e.g., L7 application running irrespective of TCP/UDP ports used and TLS version used for https.
Figure: ARM recommended Security Groups, IPSets & FW rules, ready to publish
Step-3: Publish Micro-segmentation Policy
- Once flow is analyzed with security group & policy recommendation, admin can publish the policy for the given application as a section in the firewall rule table.
- The recommended FW rule also takes care of limiting the scope of enforcement (applied to) only to VM’s associated with the application.
- Optionally, User can modify the rules, especially naming of the groups and rule to make it more intuitive and readable.
Figure: ARM recommended FW rules ready to publish with group and rule name changed by user
Figure: ARM recommended Security groups for 3-tier application
Figure: Published ARM recommended DFW rules
In summary, NSX 6.4.0 ARM recommendation engine enhances the existing ARM capability by automating
- The application grouping based on the function,
- Firewall policy based on the analyzed flow for a given ARM session and
- Layer 7 Application identity of the flow.
The ARM allows multiple sessions (five) simultaneously, which can be leveraged to automate & speed up the multiple application onboardings with the NSX micro-segmentation.
For more details on NSX ARM, please refer to following previously published blogs and videos: