« Previous 1 2
Microsegmentation with VMware NSX and vRealize Automation
Micro Net
Configuring NSX vRealize Automation
You need to configure some settings on the vRealize Automation side. First, customize the vSphere endpoint by changing to the Infrastructure | Endpoints | Endpoints page in the graphical user interface. When you get there, edit the corresponding vSphere endpoint (Figure 2). Now check the Specify Manager for Network and Security Platform box, enter the URL of the NSX Manager below Address , and enter the corresponding NSX access data before closing the dialog box by pressing OK and saving the changes.
You also have to run an inventory scan so that vRealize Automation is notified of NSX. To run an inventory scan, navigate to the Infrastructure | Compute Resources | Compute Resources menu and start data collection for the appropriate resource.
Creating Network Profiles
The next step is to configure the network profiles in vRealize Automation. Network profiles store information that vRealize Automation needs at run time to create a new network. vRealize Automation uses four different types of network profiles:
- External network profiles point to existing networks (i.e., vSphere port groups). This type of network profile stores network information such as DNS servers, gateway, or IP addresses that can be assigned when provisioning VMs.
- Routed network profiles allow the dynamic creation of a network with various subnets and a matching routing table. They enable end-to-end communication between machines on different networks with separately allocated IP addresses.
- One-to-one network profiles ensure that the machines generated are given an internal NAT network address, as well as an external IP address.
- One-to-many network profiles behave just like one-to-one network profiles, except that all internal machines share a single external IP address. In both cases, Orchestrator creates corresponding source NAT rules in the NSX.
If a routed network profile is used for the deployment, vRealize Automation creates a new network with the help of Orchestrator and registers this network with the DLR so that the newly-created network can be routed through the L3 gateway.
To create a routed network profile, you need to create the routed network profile and then link the profile with the vRealize Automation reservations you wish to use.
Because an external network profile is already present in most environments, you can jump right to creating the routed network profile. Navigate in the vRealize Automation GUI to the Infrastructure | Reservations | Network Files page, press the [+ New] button, and then choose the Routed option. During the configuration, you first need to type a name and optionally a description. Then select the external network profile with which outside communication will take place from the External Network Profiles drop-down list. Once this value is set, vRealize Automation automatically populates the DNS/WINS settings at the bottom of the screen. The fields Subnet Mask , Range Subnet Mask , and Base IP are of particular interest. The Subnet Mask defines the start of the subnet bit range in the 32-bit IP address. The Range Subnet Mask defines the end of the subnet range. According to VMware documentation, "vRealize Automation generates 255 IP ranges if the subnet mask is 255.255.0.0 and the range subnet mask is 255.255.255.0." Base IP defines the start of the IP address range. Before you save the network profile, go to the IP Ranges tab and generate the n to reflect the previously defined values. Then save the network profile by clicking OK . In some cases, you might need to adjust the firewall rules to match your configuration (Figure 3).
Now you only need to assign the profile to a reservation, so that you can use the network profile when creating a blueprint. To assign a profile to a reservation, go to the GUI below Infrastructure | Reservations | Reservations in the Network tab. You need to assign the external uplink network profile to the appropriate network in the Network section. Below Advanced Settings , make sure that the Transport Zone is set correctly. In the Routed Gateway section, you need to install the distributed load balancer with the network path and network profiles from the external network profile (this was configured when setting up external communication). After this configuration work, you are done at this point and can start creating blueprints. See the box entitled "NAT Profiles" for more on configuring network address translation.
NAT Profiles
Network Address Translation (NAT) network profiles are particularly well-suited to settings such as a lab or training environment. Behind the scenes, vRealize Automation creates a dedicated edge gateway for NAT networks; the gateway handles the address translation and provides a route to the overlying L3 gateway.
Conclusions
vSphere, NSX, and vRealize Automation give admins the ability to create dynamic networks and, at the same time, control network traffic with microsegmentation. The interaction between NSX and vRealize Automation is critical to the configuration. Security rules can be defined centrally in NSX for use with vRealize Automation.
« Previous 1 2
Buy this article as PDF
(incl. VAT)