Using On-demand NSX-T Security Groups in VMC on AWS with vRA Cloud
There are different ways you can create on-demand NSX-T security groups in a VMC on AWS environment with vRA Cloud templates: through a vRA template or through a network profile.
Demo Product Versions
- vRA Cloud
- VMC on AWS (SDDC version 1.13)
VMC on AWS prerequisites:
- Active SDDC
- Basic infrastructure configured for the VMC on AWS environment (Cloud Proxy, Cloud Account, Project, Cloud Zone, Flavor Mapping, Image Mapping)
Methods covered:
- Using vRA template
- Using vRA network profile
Demos / Examples
Method 1: Using vRA Template
- In a vRA Cloud template in vRA Cloud Assembly, drag a Cloud Agnostic Security Group resource on the canvas and connect it to the machine you’d like to place in the security group.
- Make sure the security group's type value is set to `new`, and give the on-demand security group a name by setting its name value.
- After you deploy the template and the deployment is finished, you can go to the VMC on AWS UI and verify that a new security group has been created under “Compute Groups”.
- You can verify that the machine has been placed in this new security group by clicking “View Members”.
Method 1 YAML
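The following template is an added example for Method 1; it is not the original post's YAML. It assumes the Cloud.SecurityGroup resource with `securityGroupType: new`, an image mapping named `ubuntu` and a flavor mapping named `small`, a constructed management CIDR of `10.0.0.0/24`, and that the `rules` block on a new security group is honoured with these field names (my assumption of the schema). The point it shows is that the machine's network entry references the security group, which is what places the machine in the group that vRA creates on deployment.

```yaml
# Added example, not the post's own template. Image/flavor names, the
# management CIDR and the rules block are assumptions.
formatVersion: 1
inputs: {}
resources:
  # On-demand NSX-T security group created by vRA at deployment time
  Cloud_SecurityGroup_1:
    type: Cloud.SecurityGroup
    properties:
      securityGroupType: new
      name: ondemand-sg-demo
      # Assumed rule schema: without rules, the group exists and has
      # members but restricts nothing; scope inbound SSH to management.
      rules:
        - name: allow-ssh-from-mgmt
          direction: inbound
          protocol: TCP
          ports: 22
          access: Allow
          source: 10.0.0.0/24   # constructed management network
  # Existing network in VMC on AWS, selected by the cloud zone's profile
  Cloud_Network_1:
    type: Cloud.Network
    properties:
      networkType: existing
  # The machine is placed in the group via the securityGroups reference
  Cloud_Machine_1:
    type: Cloud.Machine
    properties:
      image: ubuntu          # assumed image mapping
      flavor: small          # assumed flavor mapping
      networks:
        - network: '${resource.Cloud_Network_1.id}'
          securityGroups:
            - '${resource.Cloud_SecurityGroup_1.id}'
```

After deploying, the group name (`ondemand-sg-demo`) is what to look for under the VMC on AWS groups view, and "View Members" should list the deployed machine.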
Method 2: Using vRA Network Profile
In vRA Cloud Assembly, go to “Infrastructure” then “Network Profiles”. Create a network profile or edit an existing one.
Under “Network Policies”, select “On-demand security group” for the “Isolation Policy”.
Note that if you select “On-demand security group” AND you have existing group(s) added under the “Security Groups” tab within the network profile, vRA will place the machine(s) in both the on-demand security group it creates AND the existing group(s) that are in the network profile. vRA will only create distributed firewall rules according to the `networkType` you select for the on-demand security group. It will not create any distributed firewall rules using the existing security group(s).
In a vRA Cloud template in vRA Cloud Assembly, make sure that the machine(s) being deployed will use the network profile you’ve created. In this example, I have created a capability tag on the network profile and the machine is using that capability tag under `constraints`. Note that you do not need a security group resource in the template.
You must set the `networkType` property for the cloud network to `outbound` or `private` in order for the isolation policy to take effect. For this example, I set the `networkType` to `private`. If you do not use `outbound` or `private` and use another `networkType`, such as `existing`, vRA will not create an on-demand security group for the deployment.
After you deploy the template and the deployment is finished, go to “Deployments” in vRA Cloud Assembly and click on the deployment. On the right panel, expand “Network” and you’ll see the name of the security group that has been created by vRA.
In VMC on AWS UI, go to “Distributed Firewall” then “Category Specific Rules”. You will see that a new section has been created with rules that deny all inbound and outbound traffic to the newly created security group so that the machines in this security group are isolated.
Note that if you set the `networkType` to `outbound`, the outbound rule created in this section will be “Allow” instead of “Reject”.
Method 2 YAML
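The following template is an added example for Method 2; it is not the original post's YAML. It assumes a capability tag `isolation:ondemand-sg` has been added to the network profile whose isolation policy is “On-demand security group”, and the same assumed image mapping `ubuntu` and flavor mapping `small` as before. Note that there is no security group resource: the group and the deny-all distributed firewall section come from the network profile, and the `networkType` of `private` is what makes that policy apply.

```yaml
# Added example, not the post's own template. The constraint tag and the
# image/flavor names are assumptions.
formatVersion: 1
inputs: {}
resources:
  # On-demand private network; the constraint tag steers placement to the
  # network profile whose isolation policy is "On-demand security group".
  # 'private' (or 'outbound') is required; 'existing' yields no group.
  Cloud_Network_1:
    type: Cloud.Network
    properties:
      networkType: private
      constraints:
        - tag: 'isolation:ondemand-sg'   # assumed capability tag
  # No Cloud.SecurityGroup resource is needed: vRA creates the group and
  # a DFW section that rejects inbound and outbound traffic for it.
  Cloud_Machine_1:
    type: Cloud.Machine
    properties:
      image: ubuntu          # assumed image mapping
      flavor: small          # assumed flavor mapping
      networks:
        - network: '${resource.Cloud_Network_1.id}'
```

With `networkType: private` the machine ends up isolated in both directions; switching the value to `outbound` keeps the same group but changes the outbound rule in the generated DFW section to “Allow”, so pick the value deliberately based on whether the workload needs to initiate connections.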