PowerNSX: NSX Security Tags, Security Groups, Distributed Firewall Sections and Distributed Firewall Rules with external CSV files

Last week I blogged about how to get started with PowerNSX.

Reason for me to dive into the wonderful world of PowerNSX was because I needed to implement Application Fencing. More about Application Fencing wan be found here and here.

The whole purpose of implementing Application Fencing is to get visibility what VM / Application is talking to what VM / Application with what protocol and port.

This information can be used to implement an Zero Trust Security Architecture

I will write a separate blog about Application Fencing in the future but in order to get there there are some steps that needs to be done.

In my example I will use the traditional 3-tier Bookstore App. This vApp has the following VM's:

  1. Web01
  2. Web02
  3. App01
  4. App02
  5. DB01

Right now we only have 5 VM's so creating the Security Tags, Security Groups, Assigning the tags to specific VM's and Creating the Distributed Firewall Rules is done pretty fast.

BUT WHAT IF ... you need to implement Application Fencing in an infrastructure with more than 1000 VM's with 500 security tags and 500 security groups and the corresponding firewall rules?

This could take a while right?

You can speed this up with the use of PowerNSX! Below you will find a method to run PowerNSX in combination with external Comma Separated Value (CSV) files. This will save you a lot of time!

The steps to implement Application Fencing are:

  1. Add Security Tags and Tier based Security Groups (and statically make the security tag an member of the tier security group)
  2. Assign the Security Tags to the correct VM's (so that the VM's are placed in the correct tier group)
  3. Add separate Application based Security Groups (so that the Tier based Security Groups can be nested inside an Application Security Group)
  4. Nest the Tier based Security Groups into the Application Security Group
  5. Add Distributed Firewall Sections to add in the Distributed Firewall Rules
  6. Add in the Tier based Distributed Firewall Rules
  7. Add in the Application based Distributed Firewall Rules
Note

This example will only have 5 VM's spread across 3 tiers all forming 1 application so this approach looks like its a bit overkill, but when you need to implement this in an organisation with a lot of VM's and a lot of applications that are segmented into different tenants then you will love it!

The scripts and CSV files that I used for this exercise are found below.

Add Security Tags and Tier based Security Groups (and statically make the security tag an member of the tier security group)

The script /script.ps1:

/script.ps1 - The script.ps1 file
## Author: Iwan Hoogendoorn t:@i1wan m:iwan@i-1.nl
## version 1.0
## August 2016
#-------------------------------------------------- 
# ____   __   _  _  ____  ____  __ _  ____  _  _ 
# (  _ \ /  \ / )( \(  __)(  _ \(  ( \/ ___)( \/ )
#  ) __/(  O )\ /\ / ) _)  )   //    /\___ \ )  ( 
# (__)   \__/ (_/\_)(____)(__\_)\_)__)(____/(_/\_)
#     PowerShell extensions for NSX for vSphere
#--------------------------------------------------

#This will create the security tags and the groups based on a CSV.
#Note that the tags and groups will need to be UNIQUE as this script does not do error handling.

#import the CSV file content and place the content in a loop
import-csv .\CSV.csv | % {

#Create security tag based on field in CSV
$st = New-NsxSecurityTag -name $_.SECTAG

#Create security group based on field in CSV and makes the security tag a member of the new security group
$sg = New-NsxSecurityGroup -name $_.SECGROUP -includemember ($st)
}

The CSV:

/CSV.csv - The CSV.csv file
SECTAG,SECGROUP
ST-WEB,SG-TIER-WEB
ST-APP,SG-TIER-APP
ST-DB,SG-TIER-DB

Executing the Script:

PowerCLI C:\new> .\script.ps1


Result:

Sddfnmxc-01.png

Sddfnmxc-02.png

Assign the Security Tags to the correct VM's (so that the VM's are placed in the correct tier group)

The script /script.ps1:

/script.ps1 - The script.ps1 file
## Author: Iwan Hoogendoorn t:@i1wan m:iwan@i-1.nl
## version 1.0
## August 2016
#-------------------------------------------------- 
# ____   __   _  _  ____  ____  __ _  ____  _  _ 
# (  _ \ /  \ / )( \(  __)(  _ \(  ( \/ ___)( \/ )
#  ) __/(  O )\ /\ / ) _)  )   //    /\___ \ )  ( 
# (__)   \__/ (_/\_)(____)(__\_)\_)__)(____/(_/\_)
#     PowerShell extensions for NSX for vSphere
#--------------------------------------------------

#This will go trough the list of VM's and apply the tag that is on the same line of the VM
import-csv .\CSV.csv|% {

#Read security tag from a field in the CSV
$st = Get-NsxSecurityTag -name $_.SECTAG

#Read VM Name from a field in the CSV
$vm = Get-Vm -name $_.VMNAME

#Assign security tag to the VM Name
$vm = Get-Vm -name $_.VMNAME|New-NsxSecurityTagAssignment -ApplyTag $st
}

The CSV:

/CSV.csv - The CSV.csv file
VMNAME,SECTAG
Web01,ST-WEB
Web02,ST-WEB
App01,ST-APP
App02,ST-APP
DB01,ST-DB

Executing the Script:

PowerCLI C:\new> .\script.ps1


Result:

Sddfnmxc-06.png

Sddfnmxc-07.png

Sddfnmxc-03.png

Sddfnmxc-04.png

Sddfnmxc-05.png

Add separate Application based Security Groups (so that the Tier based Security Groups can be nested inside an Application Security Group)

The script /script.ps1:

/script.ps1 - The script.ps1 file
## Author: Iwan Hoogendoorn t:@i1wan m:iwan@i-1.nl
## version 1.0
## August 2016
#-------------------------------------------------- 
# ____   __   _  _  ____  ____  __ _  ____  _  _ 
# (  _ \ /  \ / )( \(  __)(  _ \(  ( \/ ___)( \/ )
#  ) __/(  O )\ /\ / ) _)  )   //    /\___ \ )  ( 
# (__)   \__/ (_/\_)(____)(__\_)\_)__)(____/(_/\_)
#     PowerShell extensions for NSX for vSphere
#--------------------------------------------------

#This will create the security groups.
#Note that the tags and groups will need to be UNIQUE as this script does not do error handling.

#Create security groups
New-NsxSecurityGroup -name SG-APP-BOOKSTORE

Executing the Script:

PowerCLI C:\new> .\script.ps1

objectId           : securitygroup-31
objectTypeName     : SecurityGroup
vsmUuid            : 4223B69E-2DE2-804A-0BE0-FA7307BB2D02
nodeId             : c1afd25d-49fe-4259-bd07-f4508a80d472
revision           : 1
type               : type
name               : SG-APP-BOOKSTORE
description        :
scope              : scope
clientHandle       :
extendedAttributes :
isUniversal        : false
universalRevision  : 0
inheritanceAllowed : false


Result:

Sddfnmxc-08.png

Nest the Tier based Security Groups into the Application Security Group

The script /script.ps1:

/script.ps1 - The script.ps1 file
## Author: Iwan Hoogendoorn t:@i1wan m:iwan@i-1.nl
## version 1.0
## August 2016
#-------------------------------------------------- 
# ____   __   _  _  ____  ____  __ _  ____  _  _ 
# (  _ \ /  \ / )( \(  __)(  _ \(  ( \/ ___)( \/ )
#  ) __/(  O )\ /\ / ) _)  )   //    /\___ \ )  ( 
# (__)   \__/ (_/\_)(____)(__\_)\_)__)(____/(_/\_)
#     PowerShell extensions for NSX for vSphere
#--------------------------------------------------

#This will read the security groups from the CSV and will nest the groups into other groups in the CSV.

import-csv .\CSV.csv|% {

#Read the TIER Security Group
$app = Get-NsxSecurityGroup -name $_.SECTIERGROUP

#Read the APP Security Group
$ags = Get-NsxSecurityGroup -name $_.SECAPPGROUP

#Nest one group into another
$ags|Add-NsxSecurityGroupMember -member $app
}

The CSV:

/CSV.csv - The CSV.csv file
APPNAME,SECTIERGROUP,SECAPPGROUP
BOOKSTORE,SG-TIER-WEB,SG-APP-BOOKSTORE
BOOKSTORE,SG-TIER-APP,SG-APP-BOOKSTORE
BOOKSTORE,SG-TIER-DB,SG-APP-BOOKSTORE

Executing the Script:

PowerCLI C:\new> .\script.ps1

objectId           : securitygroup-31
objectTypeName     : SecurityGroup
vsmUuid            : 4223B69E-2DE2-804A-0BE0-FA7307BB2D02
nodeId             : c1afd25d-49fe-4259-bd07-f4508a80d472
revision           : 2
type               : type
name               : SG-APP-BOOKSTORE
description        :
scope              : scope
clientHandle       :
extendedAttributes :
isUniversal        : false
universalRevision  : 0
inheritanceAllowed : false
member             : member

objectId           : securitygroup-31
objectTypeName     : SecurityGroup
vsmUuid            : 4223B69E-2DE2-804A-0BE0-FA7307BB2D02
nodeId             : c1afd25d-49fe-4259-bd07-f4508a80d472
revision           : 3
type               : type
name               : SG-APP-BOOKSTORE
description        :
scope              : scope
clientHandle       :
extendedAttributes :
isUniversal        : false
universalRevision  : 0
inheritanceAllowed : false
member             : {SG-TIER-APP, SG-TIER-WEB}

objectId           : securitygroup-31
objectTypeName     : SecurityGroup
vsmUuid            : 4223B69E-2DE2-804A-0BE0-FA7307BB2D02
nodeId             : c1afd25d-49fe-4259-bd07-f4508a80d472
revision           : 4
type               : type
name               : SG-APP-BOOKSTORE
description        :
scope              : scope
clientHandle       :
extendedAttributes :
isUniversal        : false
universalRevision  : 0
inheritanceAllowed : false
member             : {SG-TIER-DB, SG-TIER-APP, SG-TIER-WEB}

PowerCLI C:\new>


Result:

Sddfnmxc-09.png

Add Distributed Firewall Sections to add in the Distributed Firewall Rules

The script /script.ps1:

/script.ps1 - The script.ps1 file
## Author: Iwan Hoogendoorn t:@i1wan m:iwan@i-1.nl
## version 1.0
## August 2016
#-------------------------------------------------- 
# ____   __   _  _  ____  ____  __ _  ____  _  _ 
# (  _ \ /  \ / )( \(  __)(  _ \(  ( \/ ___)( \/ )
#  ) __/(  O )\ /\ / ) _)  )   //    /\___ \ )  ( 
# (__)   \__/ (_/\_)(____)(__\_)\_)__)(____/(_/\_)
#     PowerShell extensions for NSX for vSphere
#--------------------------------------------------

#This will only add 1 new Distributed Firewall Section.
New-NsxFirewallSection FWS-APP-BOOKSTORE

Executing the Script:

PowerCLI C:\new> .\script.ps1

id               : 1012
name             : FWS-APP-BOOKSTORE
generationNumber : 1470349159308
timestamp        : 1470349159308
type             : LAYER3


Result:

Sddfnmxc-10.png

Add in the Tier based Distributed Firewall Rules

The script {{f|/script.ps1}:

/script.ps1 - The script.ps1 file
## Author: Iwan Hoogendoorn t:@i1wan m:iwan@i-1.nl
## version 1.0
## August 2016
#-------------------------------------------------- 
# ____   __   _  _  ____  ____  __ _  ____  _  _ 
# (  _ \ /  \ / )( \(  __)(  _ \(  ( \/ ___)( \/ )
#  ) __/(  O )\ /\ / ) _)  )   //    /\___ \ )  ( 
# (__)   \__/ (_/\_)(____)(__\_)\_)__)(____/(_/\_)
#     PowerShell extensions for NSX for vSphere
#--------------------------------------------------

#This will go trough the list of Firewall Rules
import-csv .\CSV.csv|% {

#Collect the varables from the CSV file
$tn = $_.TIERNAME
$sg = get-nsxsecuritygroup $_.SECGROUP
$sec = get-nsxfirewallsection $_.FWSECTION
$fwt = $_.FWT

#Add rule to Firewall section
$sec|new-nsxfirewallrule -name $tn -Action allow -position bottom -appliedto $sg -Tag $fwt -EnableLogging
}

The CSV:

/CSV.csv - The CSV.csv file
TIERNAME,SECGROUP,FWSECTION,FWT
WEB,SG-TIER-WEB,FWS-APP-BOOKSTORE,FWT-TIER-WEB
APP,SG-TIER-APP,FWS-APP-BOOKSTORE,FWT-TIER-APP
DB,SG-TIER-DB,FWS-APP-BOOKSTORE,FWT-TIER-DB

Executing the Script:

PowerCLI C:\new> .\script.ps1

id               : 1012
name             : FWS-APP-BOOKSTORE
generationNumber : 1470349548233
timestamp        : 1470349548233
type             : LAYER3
rule             : rule

id               : 1012
name             : FWS-APP-BOOKSTORE
generationNumber : 1470349548784
timestamp        : 1470349548784
type             : LAYER3
rule             : {WEB, APP}

id               : 1012
name             : FWS-APP-BOOKSTORE
generationNumber : 1470349549337
timestamp        : 1470349549337
type             : LAYER3
rule             : {WEB, APP, DB}


Result:

Sddfnmxc-11.png

Add in the Application based Distributed Firewall Rules

The script /script.ps1:

/script.ps1 - The script.ps1 file
## Author: Iwan Hoogendoorn t:@i1wan m:iwan@i-1.nl
## version 1.0
## August 2016
#-------------------------------------------------- 
# ____   __   _  _  ____  ____  __ _  ____  _  _ 
# (  _ \ /  \ / )( \(  __)(  _ \(  ( \/ ___)( \/ )
#  ) __/(  O )\ /\ / ) _)  )   //    /\___ \ )  ( 
# (__)   \__/ (_/\_)(____)(__\_)\_)__)(____/(_/\_)
#     PowerShell extensions for NSX for vSphere
#--------------------------------------------------



#This will set the variables
$sec = $_.FWSECTION
$arn = $_.APPNAME
$sg = "$_.SECGROUP
$fwt = $_.FWT

#Here we create a new Distributed Firewall Rule with the variables set above
$sec|new-nsxfirewallrule -name $arn -Action allow -position bottom -appliedto $sg -Tag $fwt -EnableLogging

The CSV:

/CSV.csv - The CSV.csv file
APPNAME,SECGROUP,FWSECTION,FWT
BOOKSTORE,SG-APP-BOOKSTORE,FWS-APP-BOOKSTORE,FWT-APP-BOOKSTORE

Executing the Script:

PowerCLI C:\new> .\script.ps1

id               : 1012
name             : FWS-APP-BOOKSTORE
generationNumber : 1470353361332
timestamp        : 1470353361332
type             : LAYER3
rule             : {WEB, APP, DB, BOOKSTORE}


If you want to run the script without an CSV file your can use this:

/script.ps1 - The script.ps1 file
## Author: Iwan Hoogendoorn t:@i1wan m:iwan@i-1.nl
## version 1.0
## August 2016
#-------------------------------------------------- 
# ____   __   _  _  ____  ____  __ _  ____  _  _ 
# (  _ \ /  \ / )( \(  __)(  _ \(  ( \/ ___)( \/ )
#  ) __/(  O )\ /\ / ) _)  )   //    /\___ \ )  ( 
# (__)   \__/ (_/\_)(____)(__\_)\_)__)(____/(_/\_)
#     PowerShell extensions for NSX for vSphere
#--------------------------------------------------

$an = "BOOKSTORE"
$sg = get-nsxsecuritygroup "SG-APP-BOOKSTORE"
$sec = get-nsxfirewallsection "FWS-APP-BOOKSTORE"
$fwt = "FWT-APP-BOOKSTORE"

#Add rule to Firewall section
$sec|new-nsxfirewallrule -name $an -Action allow -position bottom -appliedto $sg -Tag $fwt -EnableLogging

Result:

Sddfnmxc-12.png

Thanks Kyle for pointing out how to work with PowerShell and external CSV's and Anthony for finetuning this. And thanks Nick for this awesome PowerNSX!