Table of Contents
Lab Overview - HOL-1822-01-NET - VMware NSX Cloud - Secure Native Workloads in AWS ... 2
Lab Guidance ... 3
Module 1 - Introduction to the AWS Console (15 minutes) ... 10
Introduction ... 11
Solution Overview and Lab Validation ... 12
Overview of Amazon Web Services and NSX solution components ... 17
Amazon Web Services Management Console access ... 19
Review of Amazon Web Services inventory ... 23
Conclusion ... 30
Module 2 - Verify Application Functionality (15 minutes) ... 31
Introduction ... 32
Review security policies ... 33
WordPress application validation ... 41
Perform port scan of the application environment ... 48
Conclusion ... 53
Module 3 - Introduction to NSX Management Components (30 minutes) ... 54
Introduction ... 55
Perform log in to NSX Cloud Services Manager ... 56
Review configured AWS account and inventory ... 60
Perform log in to NSX Manager ... 67
Review NSX Manager User Interface ... 70
Conclusion ... 77
Module 4 - Securing Applications with NSX (60 minutes) ... 78
Introduction ... 79
Deploy NSX Cloud Gateway in Amazon Web Services ... 81
Create Logical Groupings and Firewall Policies ... 91
Applying Tags to the Application Instances ... 123
Installation of NSX Agent ... 133
Validate NSX Deployment ... 145
Validation of WordPress application functionality ... 158
Perform security scan of application environment ... 163
Quarantine Policy ... 167
Traffic Visibility ... 181
Conclusion ... 189
HOL-1822-01-NET Page 1
HOL-1822-01-NET
Lab Overview - HOL-1822-01-NET - VMware NSX Cloud - Secure Native Workloads in AWS
Lab Guidance
Note: It will take more than 120 minutes to complete this lab. You should
expect to only finish 2-3 of the modules during your time. The modules are
independent of each other so you can start at the beginning of any module
and proceed from there. You can use the Table of Contents to access any
module of your choosing.
The Table of Contents can be accessed in the upper right-hand corner of the
Lab Manual.
VMware NSX Cloud provides customers the ability to abstract and manage Networking
and Security policies in Public Cloud environments such as Amazon Web Services (AWS).
Lab Captains:
This lab manual can be downloaded from the Hands-on Labs Document site found here:
http://docs.hol.vmware.com
This lab may be available in other languages. To set your language preference and have
a localized manual deployed with your lab, you may utilize this document to help guide
you through the process:
http://docs.hol.vmware.com/announcements/nee-default-language.pdf
Disclaimer
This session may contain product features that are currently under
development.
1. The area in the RED box contains the Main Console. The Lab Manual is on the tab
to the Right of the Main Console.
2. A particular lab may have additional consoles found on separate tabs in the upper
left. You will be directed to open another specific console if needed.
3. Your lab starts with 90 minutes on the timer. The lab cannot be saved. All your
work must be done during the lab session. However, you can click EXTEND to
increase your time. If you are at a VMware event, you can extend your lab time
twice, for up to 30 minutes. Each click gives you an additional 15 minutes.
Outside of VMware events, you can extend your lab time up to 9 hours and 30
minutes. Each click gives you an additional hour.
During this module, you will input text into the Main Console. Besides directly typing it
in, there are two very helpful methods of entering data which make it easier to enter
complex data.
You can also click and drag text and Command Line Interface (CLI) commands directly
from the Lab Manual into the active window in the Main Console.
You can also use the Online International Keyboard found in the Main Console.
1. Click on the Keyboard Icon found on the Windows Quick Launch Task Bar.
In this example, you will use the Online Keyboard to enter the "@" sign used in email
addresses. The "@" sign is Shift-2 on US keyboard layouts.
When you first start your lab, you may notice a watermark on the desktop indicating
that Windows is not activated.
One of the major benefits of virtualization is that virtual machines can be moved and
run on any platform. The Hands-on Labs utilizes this benefit and we are able to run the
labs out of multiple datacenters. However, these datacenters may not have identical
processors, which triggers a Microsoft activation check through the Internet.
Rest assured, VMware and the Hands-on Labs are in full compliance with Microsoft
licensing requirements. The lab that you are using is a self-contained pod and does not
have full access to the Internet, which is required for Windows to verify the activation.
Without full access to the Internet, this automated process fails and you see this
watermark.
Please check that your lab has finished all the startup routines and is ready for you
to start. If you see anything other than "Ready", please wait a few minutes. If after 5
minutes your lab has not changed to "Ready", please ask for assistance.
Module 1 - Introduction to the AWS Console (15 minutes)
Introduction
The NSX management and control plane components, as well as a 2-tier WordPress
application have been provisioned in Amazon Web Services. We will examine the
component inventory.
• Lab topology
• Lab provisioning status
• Address and account information
Solution Overview
As companies move workloads to public cloud providers they require a way to extend
their SDDC network and security policies into these environments, while allowing native
workloads to run. VMware NSX Cloud provides companies with the ability to extend
enterprise security, compliance and governance.
NSX provides solutions for the top Networking and Security challenges companies face
in public cloud environments:
Solution Components
The solution consists of the following components, each of which will be explored in
upcoming lessons:
• Central Management Plane - NSX Manager and NSX Cloud Services Manager
• Central Control Plane - NSX Controllers
• Cloud Gateway - NSX Cloud Gateway
• Data Plane - NSX Agent installed in each AWS EC2 instance
• Public Cloud Infrastructure - Amazon Web Services public cloud infrastructure
and hypervisor
Lab Topology
The picture depicts the environment that is provisioned and used during the lessons of
this lab. The environment explores the scenario of a developer deploying a 2-tier
WordPress application in Amazon Web Services (AWS), including the use of native AWS
capabilities such as Elastic Load Balancer to provide load balancing between a pair of
web servers. The application deployment lacks security policies that match the
company corporate standards, and it will be necessary to use NSX to apply consistent
policies to the application environment.
The deployment of VMware NSX Cloud requires one Management VPC and one or more
Compute VPCs. The NSX Central Management Plane (NSX Manager and Cloud Services
Manager) and Central Control Plane (NSX Controller) components have been
pre-configured.
The AWS portion of the lab provisioning is currently completing. A webpage has been
provided that displays the status of the lab resources that are being provisioned on AWS
as part of this lab startup.
NOTE: The resources provisioned in Amazon Web Services are accessible only from the
Main Console of the HOL environment.
1. Click on the Chrome Icon on the Windows Quick Launch Task Bar.
The Chrome homepage has been set to the Account Information and lab provisioning
status page.
1. Type the Email Address you used to sign up for the lab.
2. Type VMware1! for the Password.
3. Click Login.
The AWS Account Information page will display when the provisioning process is
complete. This process can take 10 - 15 minutes. We will refer back to this page
frequently in the lab modules.
Management VPC
In the Management VPC in AWS, the following components have been configured:
AWS Services
• Internet Gateway
• Management subnet
• Route Table
• VPC Peering with Compute VPC
• AWS Security Groups
NSX Components
Compute VPC
In the Compute VPC in AWS, the following components have been configured:
AWS Services
• Internet Gateway
• Uplink subnet
• Management subnet
• Downlink subnet
• Route Table
• VPC Peering with Management VPC
• AWS Security Groups
• nmap-01a instance
• wordpress-web-01a instance
• wordpress-web-02a instance
• wordpress-db-01a instance
• Elastic Load Balancer for web instances
The NSX Cloud Gateway depicted will be deployed as part of the lab exercises.
1. Click on the Account Information tab that was previously opened. If this tab
was closed, open another tab and click on the Account Info bookmark.
1. Click the Console URL to open a new browser tab and connect to the AWS
Management Console.
Zoom Browser
To improve readability of the various screens in this lab, it is recommended that you
adjust the Zoom setting in Google Chrome to at least 90%.
1. Click the Three Dots in the upper right hand corner of the browser for the drop
down menu.
2. Click '-' next to Zoom to adjust the setting to 90%.
Select Region
Verify that the console is viewing North California region resources. If a different region
is selected the lab resources will not be displayed.
1. Click the Region Name to the left of Support in the upper right.
2. Select US West (N. California).
Please Note: Some AWS inventory screens may show deleted, terminated,
detached, etc. entries that differ from the screenshots. These are items from
the previous lab deployment that have been removed, but not yet cleared
from the AWS UI.
1. Click Services in the upper left corner of the AWS management console.
2. Click VPC under Network & Content Delivery.
There are multiple VPCs configured in this AWS Region. In particular, there is a
Management VPC for management and control plane components, and a Compute VPC
where the application instances are deployed. The VPC IDs will be different for each lab
pod.
There is an active VPC peering connection between the Management and Compute
VPCs, allowing traffic to flow between VPCs.
There are Security Groups configured for the Management and Compute VPCs to allow
EC2 instances to communicate.
Click EC2
Click Instances
There are three EC2 instances running that comprise the NSX solution:
There are four EC2 instances running that comprise the 2-tier WordPress application
plus an instance running nmap for security scans later in the lab.
1. Click Load Balancers under Load Balancing on the left. You may need to scroll
down.
As part of the application deployment, the developer has created a load balancer for the
web-tier instances. We will see this load balancer in action during application
functionality verification.
Conclusion
This completes Module 1. We have reviewed the components of the solution that are
deployed in Amazon Web Services, successfully logged in to the AWS management
console, and reviewed the AWS inventory.
Proceed to Module 2 to validate the application functionality. You may also proceed to
any other module of interest.
Module 2 - Verify Application Functionality (15 minutes)
Introduction
In the lab scenario, a 2-tier WordPress application has been deployed by an application
developer into Amazon Web Services. An additional instance has been deployed in AWS
to simulate a possible hacker attempting to scan the application instances for
vulnerabilities.
Application Diagram
1. Click on the Chrome Icon on the Windows Quick Launch Task Bar.
The Chrome homepage has been set to the Account Information and lab provisioning
status page. If you've completed the previous lesson you can click on the account
information tab that is open and proceed to the next step.
1. Type the Email Address you used to sign up for the lab.
2. Type VMware1! for the Password.
3. Click Login.
The AWS Account Information page will display when the provisioning process is
complete. This process can take 10 - 15 minutes. We will refer back to this page
frequently in the lab modules.
1. Click the Console URL to open a new browser tab and connect to the AWS
Management Console.
Zoom Browser
To improve readability of the various screens in this lab, it is recommended that you
adjust the Zoom setting in Google Chrome to at least 90%.
1. Click the Three Dots in the upper right hand corner of the browser for the drop
down menu.
2. Click '-' next to Zoom to adjust the setting to 90%.
Select Region
1. Click the Region Name to the left of Support in the upper right.
2. Select US West (N. California).
1. Click view inbound rules at the bottom of the screen in the Description tab for
that instance. This instance has been configured with an AWS Security Group for
the Compute-VPC.
A list of policies that apply to this instance is displayed. Web and SSH traffic are allowed
from the HOL Main Console (Source IP ranges may vary). All traffic between application
instances is allowed within the AWS VPC environment.
1. Click view inbound rules at the bottom of the screen in the Description tab for
that instance. This instance has also been configured with an AWS Security Group
for the Compute-VPC.
A list of policies that apply to this instance is displayed. Like the wordpress-web-01a
instance, Web and SSH traffic are allowed from the HOL Main Console (Source IP ranges
may vary). All traffic between application instances is allowed within the AWS VPC
environment.
1. Click on the Account Information tab that was previously opened. If this tab
was closed, open another tab and click on the Account Info bookmark.
1. Click on the WordPress Application Elastic Load Balancer DNS Name link to
open a new browser tab and connect to the WordPress application.
Verify that the WordPress application is functioning. The IP address of the server
presenting the page is noted. You can refresh the browser a few times to see the Server
IP address change to the other web server (172.16.10.10 and 172.16.10.11).
Note: Scrolling down in the browser will display the blog posts depicted in the screen
shot.
1. Click on the Account Information tab that was previously opened. If this tab
was closed, open another tab and click on the Account Info bookmark.
1. Click on the PuTTY Icon on the Windows Quick Launch Task Bar.
Verify Connection
The first time connecting to the instance will result in a confirmation window to verify
the connection.
1. Click Yes.
1. Type the following command to test the connectivity between the wordpress-
web-01a and wordpress-web-02a instances:
ping -c 5 172.16.10.11
Instance is Reachable
The pings are successful since the AWS security policy is allowing all traffic between
instances.
1. Type the following command to test the connectivity between the wordpress-
web-01a and wordpress-db-01a instances:
ping -c 5 172.16.10.20
Instance is Reachable
The pings are successful since the AWS security policy is allowing all traffic between
instances.
1. Click on the Account Information tab that was previously opened. If this tab
was closed, open another tab and click on the Account Info bookmark.
1. Locate the nmap-01a instance Public IP Address that will be used to log in to
the nmap port scanner instance.
Open PuTTY
1. Click on the PuTTY Icon on the Windows Quick Launch Task Bar. If the previous
PuTTY session is still open, click on the PuTTY Icon in the upper left corner of
that window and select New Session.
1. Type the IP Address of the nmap-01a instance from the Account Information
Page.
2. Click Open.
Verify Connection
The first time connecting to the instance will result in a confirmation window to verify
the connection.
1. Click Yes.
To speed up the scan time and reduce clutter, the nmap scanner is using the following
options:
The wordpress-db-01a instance at 172.16.10.20 has ports 80, 3306 and 22 open. As a
database instance, we don't want to have port 80 open, and we only want port 3306
open to the web instances.
Conclusion
This completes Module 2. We have validated that the developer's WordPress application
is functioning within AWS, including the load balancer. Through the review of the
security policies that were applied in AWS we discovered the application is exposed to
the Internet and potentially malicious attacks. Lastly, we used a common security
scanner to validate the open ports and discovered a port on the database server that
shouldn't be open.
Proceed to Module 3 for an Introduction to the NSX Management Components. You may
also proceed to any other module of interest.
Module 3 - Introduction to NSX Management Components (30 minutes)
Introduction
As part of the VMware NSX Cloud solution, separate instances are deployed in Amazon
Web Services to support the Management and Operations User Interface for the
solution. These instances are:
NSX Cloud Services Manager manages the complete lifecycle of deployed NSX
components in AWS and provides a unified view between NSX Manager and the AWS
inventory. Other functions of NSX Cloud Services Manager include:
NSX Manager provides the graphical user interface (GUI) and the REST APIs for creating,
configuring, and monitoring NSX components such as the NSX controllers and logical
switches. NSX Manager is the management plane for the NSX eco-system. It provides an
aggregated view and is the centralized network management component of NSX. It
provides a method for monitoring and troubleshooting workloads attached to virtual
networks created by NSX. It provides configuration and orchestration of:
1. Click on the Chrome Icon on the Windows Quick Launch Task Bar.
The Chrome homepage has been set to the Account Information and lab provisioning
status page. If you've completed the previous lesson you can click on the account
information tab that is open and proceed to the next step.
1. Type the Email Address you used to sign up for the lab.
The AWS Account Information page will display when the provisioning process is
complete. This process can take 10 - 15 minutes. We will refer back to this page
frequently in the lab modules.
1. Click on the NSX Cloud Services Manager DNS Name link to open a new
browser tab and connect to the NSX Cloud Services Manager console.
Certificate Validation
The hands-on lab environments are built on-demand, so the certificates are not yet
trusted. In a production deployment, a trusted certificate would be generated and used
to secure connectivity. To continue the log in process:
1. Click Advanced.
2. Click Proceed link.
Zoom Browser
To improve readability of the various screens in this lab, it is recommended that you
adjust the Zoom setting in Google Chrome to at least 90%.
1. Click the Three Dots in the upper right hand corner of the browser for the drop
down menu.
2. Click '-' next to Zoom to adjust the setting to 90%.
1. Click Cross-Cloud.
The AWS account information has been configured in Cloud Services Manager. This
information will be different for each lab pod.
Click VPCs
1. Click VPCs.
1. Select us-west-1 from the Region pull down menu to narrow down the view of
VPCs.
Review VPCs
These are the two VPCs we saw in the AWS inventory in previous lessons.
• Compute-VPC
• Management-VPC
The Management VPC includes an icon that shows NSX management components are
installed in this VPC.
The NSX components that were reported in the AWS inventory are listed.
Click VPCs
1. Click VPCs at the top of the screen to go back to the list of VPCs.
The Compute VPC reports a Status of "NSX Managed - No." Later in this lab we will
deploy NSX components in this VPC to manage the running AWS EC2 instances.
Click Instances
The AWS EC2 instances for the 2-tier WordPress application that were reported in the
AWS inventory are listed. The NSX State circle is not green because NSX components
have not been deployed.
1. Click on the Account Information tab that was previously opened. If this tab
was closed, open another tab and click on the Account Info bookmark.
1. Click on the NSX Manager DNS Name link to open a new browser tab and
connect to the NSX Manager console.
Certificate Validation
The hands-on lab environments are built on-demand, so the certificates are not yet
trusted. In a production deployment, a trusted certificate would be generated and used
to secure connectivity. To continue the log in process:
1. Click Advanced.
2. Click Proceed link.
Click Dashboard
1. Click Dashboard.
The status of the Management Cluster (NSX Manager) is reported. The Manager
Connection reports as Up.
Scrolling down below the Management Cluster status, we see that the status of the
Controller Cluster (NSX Manager) is reported as Up.
Click Fabric
1. Click each of the options at the top of the screen, starting with Hosts and ending
with Transport Nodes, to validate that each is empty.
We will return to this inventory in upcoming lessons to validate that the NSX deployment
is operational.
Click Inventory
This section will include the grouping objects that simplify the creation of security
policies in NSX.
1. Click each of the options at the top of the screen, starting with Groups and
ending with MAC Sets, to validate that each is empty.
In upcoming lessons we will return here to create dynamic grouping objects for the
application security policies.
Click Firewall
The default NSX firewall policy has been deployed. We will return to this screen in an
upcoming lesson to configure the application security policies.
Click Switching
No Logical Switches have been created. We will create a new logical switch in an
upcoming lesson to attach our application instances.
Conclusion
This completes Module 3. We have logged into the NSX Cloud Services Manager (CSM)
that is deployed in Amazon Web Services. The NSX CSM acts as the operations user
interface for the VMware NSX Cloud solution. We also reviewed the AWS inventory from
within NSX CSM. We have also logged into the NSX Manager that is deployed in Amazon
Web Services. We reviewed the inventory of NSX objects to confirm only the defaults are
present and to become familiar with the new HTML5 interface.
Proceed to Module 4 to secure the application environment with NSX. You may also
proceed to any other module of interest.
Module 4 - Securing Applications with NSX (60 minutes)
Introduction
Securing the WordPress application in Amazon Web Services (AWS) requires security
policies for the instances that will be NSX managed. NSX provides a distributed firewall
with logical grouping capabilities to simplify configuration and provide consistency.
After the Central Management Plane (NSX Manager and NSX Cloud Services Manager)
and Central Control Plane (NSX Controllers) have been deployed in the Management
VPC, the following steps are required to secure instances in AWS:
This Module contains the following lessons that will result in the securing of the
WordPress application:
The nmap instance is outside the scope of the security policies, and is provided as a tool
to assess the security posture of the application in this lab.
As an Edge Transport Node in NSX, the NSX Cloud Gateway provides the following
services in each VPC in which it is deployed:
1. Click on the Chrome Icon on the Windows Quick Launch Task Bar.
The Chrome homepage has been set to the Account Information and lab provisioning
status page. If you've completed the previous lesson you can click on the account
information tab that is open and proceed to the next step.
1. Type the Email Address you used to sign up for the lab.
2. Type VMware1! for the Password.
3. Click Login.
The AWS Account Information page will display when the provisioning process is
complete. This process can take 10 - 15 minutes. We will refer back to this page
frequently in the lab modules.
1. Click on the NSX Cloud Services Manager DNS Name link to open a new
browser tab and connect to the NSX Cloud Services Manager console.
Certificate Validation
The hands-on lab environments are built on-demand, so the certificates are not yet
trusted. In a production deployment, a trusted certificate would be generated and used
to secure connectivity. To continue the log in process:
1. Click Advanced.
2. Click Proceed link.
Zoom Browser
To improve readability of the various screens in this lab, it is recommended that you
adjust the Zoom setting in Google Chrome to at least 90%.
1. Click the Three Dots in the upper right hand corner of the browser for the drop
down menu.
2. Click '-' next to Zoom to adjust the setting to 90%.
1. Click Cross-Cloud.
Click VPCs
1. Select us-west-1 from the Region pull down menu to narrow down the view of
VPCs.
The NSX Cloud Gateway supports a High Availability (HA) deployment model. To reduce
the amount of time it takes to complete the lab, we will not configure HA.
The deployment process begins for this VPC. It can take approximately 5 minutes
to complete. The deployment progress screen will report on the actions being
completed in the process.
Deployment of the NSX Cloud Gateway provides the local control plane for NSX policies
in our VPC, as well as an installation location for the NSX Agents that will be deployed in
an upcoming lesson.
Continue to the next lesson to configure logical groupings and firewall policies while the
NSX Cloud Gateway deployment completes. We will then return to NSX Cloud Services
Manager to verify completion.
1. Click on the Account Information tab that was previously opened. If this tab
was closed, open another tab and click on the Account Info bookmark.
1. Click on the NSX Manager DNS Name link to open a new browser tab and
connect to the NSX Manager console.
Certificate Validation
The hands-on lab environments are built on-demand, so the certificates are not yet
trusted. In a production deployment, a trusted certificate would be generated and used
to secure connectivity. To continue the log in process:
1. Click Advanced.
2. Click Proceed link.
1. Click Inventory.
2. Click Groups.
2. Click Add.
Click Criteria
1. Click Criteria.
Create DB Group
1. Click Add.
Group Name is DB
Click Criteria
1. Click Criteria.
1. Click Add.
Click Criteria
1. Click Criteria.
These will be used in the firewall policies that we will create next.
Click Firewall
1. Click Default Layer3 Section if it isn't already selected (outlined with a blue
box).
1. Click the Wordpress-App Section and make sure it is highlighted with a blue
box.
Hover the mouse pointer over name and click the pencil
Hover the mouse pointer over services and click the pencil
1. Type http.
2. Select HTTP.
3. Click the Right Arrow to move it to the Selected box.
4. Click OK.
Hover the mouse pointer over name and click the pencil
Hover the mouse pointer over sources and click the pencil
Hover the mouse pointer over services and click the pencil
1. Type MYSQL.
2. Select MySQL.
Hover the mouse pointer over name and click the pencil
Hover the mouse pointer over services and click the pencil
1. Type SSH.
2. Select SSH.
Hover the mouse pointer over name and click the pencil
Hover the mouse pointer over action and click the pencil
Click Save
1. Click Save. Note: You may need to scroll back up to the top.
1. Click Save.
The security policies for the WordPress application have been created. We are allowing
HTTP traffic from the internet to our Web servers, MySQL (port 3306) traffic from the
Web servers to the DB server, and SSH traffic to all of our servers. Everything else is
denied (dropped).
We leveraged the NSGroups that we created earlier to simplify the source, destination,
and firewall section configuration.
Next we will return to NSX Cloud Services Manager to check on the deployment progress
of our NSX Cloud Gateway.
1. Select the NSX Cloud Services Manager browser tab in Google Chrome that
was opened previously. Note: The order of browser tabs may differ if you have
completed previous Modules.
The Compute-VPC now reports as NSX Managed with a Cloud Gateway deployed.
1. Click on the Account Information tab that was previously opened. If this tab
was closed, open another tab and click on the Account Info bookmark.
1. Click the Console URL to open a new browser tab and connect to the AWS
Management Console.
Select Region
1. Click the Region Name to the left of Support in the upper right.
2. Select US West (N. California).
Click Instances
1. Move the mouse over the column divider and then click and drag right to expand
the Name column.
1. Select wordpress-web-01a.
Click Instances
1. Select wordpress-web-02a.
Click Instances
1. Select wordpress-db-01a.
Summary
We have applied the NSX-specific AWS Tag to the WordPress application instances. Once
the NSX Agent is deployed, this tag will "attach" the instances to the default NSX Logical
Switch that was created during the NSX Cloud Gateway deployment. Security policies
will also be applied to these instances.
A best practice would be to include the agent in the "gold master" images that are used
in an organization's Amazon Web Services environment. The NSX Agent can also be
installed in existing deployed, or brownfield, instances.
The NSX Agent will be deployed on each of the WordPress application instances via a
script.
1. Click on the Account Information tab that was previously opened. If this tab
was closed, open another tab and click on the Account Info bookmark.
Open PuTTY
1. Click on the PuTTY Icon on the Windows Quick Launch Task Bar. If the
wordpress-web-01a PuTTY session (172.16.10.10) is still open, select that window
from the task bar and skip ahead to Enable the NSX Agent.
Verify Connection
The first time connecting to the instance will result in a confirmation window to verify
the connection.
1. Click Yes.
1. Type the following command to start the NSX Agent installation script:
./install_agent.sh
The NSX Agent installation can take 3-5 minutes to complete. Once installation
is complete, the NSX Agent starts and reports a status of OK.
1. Click on the Account Information tab that was previously opened. If this tab
was closed, open another tab and click on the Account Info bookmark.
Open PuTTY
1. Switch to the PuTTY window and click on the PuTTY Icon in the upper left of the
open PuTTY session.
2. Select New Session.
Verify Connection
The first time connecting to the instance will result in a confirmation window to verify
the connection.
1. Click Yes.
1. Type the following command to start the NSX Agent installation script:
./install_agent.sh
The NSX Agent installation can take 3-5 minutes to complete. Once installation
is complete, the NSX Agent starts and reports a status of OK.
Install on DB Instance
1. Click on the Account Information tab that was previously opened. If this tab
was closed, open another tab and click on the Account Info bookmark.
Open PuTTY
1. Switch to the PuTTY window and click on the PuTTY Icon in the upper left of the
open PuTTY session.
2. Select New Session.
Verify Connection
The first time connecting to the instance will result in a confirmation window to verify
the connection.
1. Click Yes.
1. Type the following command to start the NSX Agent installation script:
./install_agent.sh
The NSX Agent installation can take 3-5 minutes to complete. Once installation
is complete, the NSX Agent starts and reports a status of OK.
Select the NSX Manager browser tab in Google Chrome that was opened previously. If
this browser tab has been closed, open a new browser tab using the NSX Manager URL
from the Account Information browser tab.
Note: If the page has timed out enter admin for the username and VMware1! for the
password and click Log In to continue.
1. Click on the NSX Manager DNS Name link to open a new browser tab and
connect to the NSX Manager console.
Click Fabric
Click Edges
A new Transport Node has been created (the newly deployed Cloud Gateway).
Click Switching
Click Switches
Two Logical Switches are created, and there are 4 Logical Ports on the Default Logical
Switch.
1. Click Inventory.
2. Click Groups.
1. Click Wordpress-app.
Group membership
The WordPress application instances are all present as effective members of this group
(criteria was VM name contains 'wordpress').
Select the AWS Console tab in Chrome that was opened previously. If this browser tab
has been closed, open a new browser tab using the AWS Console URL link from the
Account Information browser tab, enter vmware_hol_user for the User Name and type or
copy the password from the Account Information Page.
Note: If the AWS Console page has timed out, enter vmware_hol_user for the User
Name and VMware1!! for the Password to continue.
Click Instances
A new EC2 Instance has been created for the NSX Cloud Gateway.
Several new AWS Security Groups were created for application instances and to control
traffic in/out of the NSX Cloud Gateway.
Select the NSX Cloud Services Manager browser tab in Google Chrome that was opened
previously. If this browser tab has been closed, open a new browser tab using the NSX
Cloud Services Manager URL from the Account Information browser tab.
Note: If the page has timed out enter admin for the username and VMware1! for the
password and click Log In to continue.
1. Click Actions.
2. Click Resync Account.
Click VPCs
1. Click VPCs.
1. Select us-west-1 from the Region pull down menu to narrow down the view of
VPCs.
Click Instances
Account Information
1. Click on the Account Information tab that was previously opened. If this tab
was closed, open another and click on the Account Info bookmark.
1. Click on the WordPress Application Elastic Load Balancer DNS Name link to
open a new browser tab and connect to the WordPress application.
Verify that the WordPress application is functioning. The IP address of the server
presenting the page is noted.
1. Refresh the browser a few times to see the Server IP address change to the
other web server (172.16.10.10 and 172.16.10.11).
1. Click on the Account Information tab that was previously opened. If this tab
was closed, open another and click on the Account Info bookmark.
Open PuTTY
1. Click on the PuTTY Icon on the Windows Quick Launch Task Bar. If the previous
PuTTY session is still open, click on the PuTTY Icon in the upper left corner of
that window and select New Session.
1. Type the following command to test the connectivity between the wordpress-
web-01a and wordpress-web-02a instances:
ping -c 5 172.16.10.11
The pings are unsuccessful. This matches the security policy we configured in NSX.
1. Type the following command to test the connectivity between the wordpress-
web-01a and wordpress-db-01a instances:
ping -c 5 172.16.10.20
The pings are unsuccessful. This matches the security policy we configured in NSX.
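The firewall section built earlier in this module (HTTP to Web, MySQL from Web to DB, SSH to all, default drop) and the two failed pings just observed, modelled as a small top-down rule evaluator. This is an added example, not NSX code; the group membership, the external source address and the rule names are constructed assumptions.

```python
"""Model of the lab's WordPress firewall section (added example, not NSX code).
Rules are evaluated top-down; the last rule is the section's default drop.
Group membership and rule names are constructed to mirror the lesson."""
from dataclasses import dataclass
from typing import Optional, Tuple

ANY = "any"

# Constructed NSGroup membership using the lab's instance addresses.
GROUPS = {
    "Web": {"172.16.10.10", "172.16.10.11"},
    "DB": {"172.16.10.20"},
    "Wordpress-app": {"172.16.10.10", "172.16.10.11", "172.16.10.20"},
}


@dataclass(frozen=True)
class Rule:
    name: str
    src: str            # NSGroup name, or ANY
    dst: str            # NSGroup name, or ANY
    proto: str          # "tcp", "udp", "icmp", or ANY
    port: Optional[int] # destination port, None for any/ICMP
    action: str         # "allow" or "drop"


# Section order matters: first match wins, default drop catches the rest.
RULES = [
    Rule("Allow-HTTP", ANY, "Web", "tcp", 80, "allow"),
    Rule("Allow-MySQL", "Web", "DB", "tcp", 3306, "allow"),
    Rule("Allow-SSH", ANY, "Wordpress-app", "tcp", 22, "allow"),
    Rule("Default-Drop", ANY, ANY, ANY, None, "drop"),
]


def in_group(ip: str, group: str) -> bool:
    return group == ANY or ip in GROUPS[group]


def evaluate(src_ip: str, dst_ip: str, proto: str,
             port: Optional[int] = None) -> Tuple[str, str]:
    """Return (rule name, action) for the first rule matching the flow."""
    for r in RULES:
        if not in_group(src_ip, r.src) or not in_group(dst_ip, r.dst):
            continue
        if r.proto != ANY and r.proto != proto:
            continue
        if r.port is not None and r.port != port:
            continue
        return r.name, r.action
    raise RuntimeError("section has no default rule")  # unreachable here


if __name__ == "__main__":
    # The two ping tests from this lesson: ICMP matches no allow rule.
    print(evaluate("172.16.10.10", "172.16.10.11", "icmp"))  # Default-Drop
    print(evaluate("172.16.10.10", "172.16.10.20", "icmp"))  # Default-Drop
    print(evaluate("172.16.10.10", "172.16.10.20", "tcp", 3306))  # Allow-MySQL
```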
1. Click on the Account Information tab that was previously opened. If this tab
was closed, open another tab and click on the Account Info bookmark.
1. Locate the nmap-01a Public IP Address that will be used to log in to the nmap
port scanner instance.
Open PuTTY
1. Click on the PuTTY Icon on the Windows Quick Launch Task Bar. If the previous
PuTTY session is still open, click on the PuTTY Icon in the upper left corner of
that window and select New Session.
1. Type the IP Address of the nmap-01a instance from the Account Information
Page.
2. Click Open.
To speed up the scan time and reduce clutter, the nmap scanner is using the following
options:
DB Instance results
Note: Leave the nmap-01a PuTTY session open for the next lesson.
Quarantine Policy
NSX Cloud provides the capability to detect and quarantine rogue instances in a VPC.
For example, if a person with malicious intent forcibly stops the NSX Agent on an NSX
managed instance, the compromised instance will be quarantined using the default
Security Group in Amazon Web Services (AWS). NSX Cloud uses AWS Security Groups in
conjunction with the VPC’s Quarantine Policy. During the deployment of the NSX Cloud
Gateway in a previous lesson, NSX Cloud created additional Security Groups in AWS and
modified the default Security Group to limit access. You can enable or disable
Quarantine Policy on a per-VPC basis.
We'll be demonstrating this feature by turning on the Quarantine policy and observing
the EC2 instance Security Group changes in the AWS management console. We will also
observe that the EC2 instance without the NSX Agent loses connectivity.
• Un-managed instances are assigned the default Security Group and are
quarantined. The default Security Group limits the outbound traffic and stops all
inbound traffic.
• Un-managed instances can become NSX-Managed VMs when you install the NSX
Agent on the instance and tag them in AWS with nsx:network. In the default
scenario, NSX will assign the vm-overlay-sg or vm-underlay-sg Security Groups to
allow appropriate inbound/outbound traffic.
• An NSX-Managed instance can still be assigned the default Security Group and be
quarantined if a threat is detected on the instance, for example, if the NSX Agent
is stopped on the instance. This lesson will demonstrate this behavior.
• Any manual changes to the Security Groups will be reverted to the NSX-
determined Security Group within 120 seconds.
• An instance can be moved out of quarantine by assigning vm-override-sg as the
only Security Group for the instance. NSX Cloud does not auto-change the vm-
override-sg Security Group and allows SSH and RDP access to the instance.
Removing the vm-override-sg Security Group will again cause the instance
Security Group(s) to revert to the NSX-Managed Security Group(s).
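The Security Group behaviour listed above, turned into a small audit that computes the Security Group NSX Cloud is expected to converge each instance to and flags instances that will be reverted. This is an added example, not NSX Cloud code; the instance snapshot, the agent_state field and the nsx:network tag value are constructed assumptions.

```python
"""Quarantine Policy audit (added example, not NSX Cloud code).
Given a snapshot of EC2 instances in a VPC with Quarantine Policy enabled,
compute the Security Group NSX Cloud will converge each instance to and
flag drift (manual changes the lesson says are reverted within 120 s).
agent_state is a constructed stand-in for NSX's view of the NSX Agent."""
from typing import Dict, List, Set

DEFAULT_SG = "default"          # quarantine: inbound blocked, outbound limited
MANAGED_SG = "vm-underlay-sg"   # this lab's mode; overlay mode uses vm-overlay-sg
OVERRIDE_SG = "vm-override-sg"  # operator opt-out, never changed by NSX Cloud
NSX_TAG = "nsx:network"


def expected_sgs(inst: dict) -> Set[str]:
    actual = set(inst["security_groups"])
    # vm-override-sg as the ONLY group is left alone (manual un-quarantine).
    if actual == {OVERRIDE_SG}:
        return actual
    # NSX-Managed means tagged AND agent reporting OK; a stopped agent on a
    # tagged instance is treated as a threat and quarantined.
    managed = NSX_TAG in inst["tags"] and inst["agent_state"] == "OK"
    return {MANAGED_SG} if managed else {DEFAULT_SG}


def audit(instances: List[dict]) -> Dict[str, dict]:
    """Map instance name -> expected SGs, quarantine flag and drift flag."""
    report = {}
    for inst in instances:
        exp = expected_sgs(inst)
        report[inst["name"]] = {
            "expected": exp,
            "quarantined": exp == {DEFAULT_SG},
            "drift": set(inst["security_groups"]) != exp,
        }
    return report


# Constructed snapshot modelled on the lab (tag value is a placeholder).
SNAPSHOT = [
    {"name": "wordpress-web-01a", "tags": {NSX_TAG: "default"}, "agent_state": "OK",
     "security_groups": ["vm-underlay-sg"]},
    {"name": "wordpress-db-01a", "tags": {NSX_TAG: "default"}, "agent_state": "OK",
     "security_groups": ["vm-underlay-sg", "ops-temp-sg"]},  # manual edit: drift
    {"name": "nmap-01a", "tags": {}, "agent_state": "absent",
     "security_groups": ["Compute-VPC-sg"]},                  # unmanaged: quarantined
    {"name": "stopped-agent-host", "tags": {NSX_TAG: "default"}, "agent_state": "stopped",
     "security_groups": ["vm-underlay-sg"]},                  # threat: quarantined
    {"name": "override-host", "tags": {NSX_TAG: "default"}, "agent_state": "stopped",
     "security_groups": ["vm-override-sg"]},                  # operator override
]

if __name__ == "__main__":
    for name, r in audit(SNAPSHOT).items():
        print(f"{name:20} expected={sorted(r['expected'])} "
              f"quarantined={r['quarantined']} drift={r['drift']}")
```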
Select the AWS Console tab in Chrome that was opened previously. If this browser tab
has been closed, open a new browser tab using the AWS Console URL link from the
Account Information browser tab, enter vmware_hol_user for the User Name and type or
copy the Password from the Account Information Page. Enter this same
information if the console has timed out.
Click Instances
1. Click view inbound rules at the bottom of the screen in the Description tab for
that instance. This instance has been configured with an AWS Security Group for
the Compute-VPC.
A list of policies that apply to this instance is displayed. Web and SSH traffic are allowed
from the HOL Main Console (Source IP ranges may vary). All traffic between application
instances is allowed within the AWS VPC environment.
1. Click view inbound rules at the bottom of the screen in the Description tab for
that instance. This instance has been configured with an AWS Security Group for
the Compute-VPC.
A list of policies that apply to this instance is displayed. Web and SSH traffic are allowed
from the HOL Main Console (Source IP ranges may vary). All traffic between application
instances is allowed within the AWS VPC environment.
Note: The nmap-01a instance currently has SSH (port 22) allowed inbound.
Later in this lesson we will observe a Security Group change as a result of
Quarantine Policy which will remove SSH access to this instance.
Select the NSX Cloud Services Manager browser tab in Google Chrome that was opened
previously. If this browser tab has been closed, open a new browser tab using the NSX
Cloud Services Manager URL from the Account Information browser tab.
Note: If the page has timed out, enter admin for the username and VMware1! for the
password and click Log In to continue.
Zoom Browser
The next few steps to enable Quarantine Policy perform better with the browser zoom
set to 100% to improve readability. It is recommended that you adjust the Zoom setting
in Google Chrome back to 100%. Note: You'll be prompted to change the zoom
setting back to 90% following the Quarantine Policy setting steps.
1. Click the Three Dots in the upper right hand corner of the browser for the drop
down menu.
2. Click '+' next to Zoom to adjust the setting to 100%.
Edit Quarantine
Turn on Quarantine
Zoom Browser
To improve readability of the various screens in this lab, it is recommended that you
adjust the Zoom setting in Google Chrome to at least 90%.
1. Click the Three Dots in the upper right hand corner of the browser for the drop
down menu.
2. Click '-' next to Zoom to adjust the setting to 90%.
Select the AWS Console tab in Chrome that was opened previously. If this browser tab
has been closed, open a new browser tab using the AWS Console URL link from the
Account Information browser tab, enter vmware_hol_user for the User Name and type or
copy the Password from the Account Information Page. Enter this same
information if the console has timed out.
Click Instances
1. Click view inbound rules at the bottom of the screen in the Description tab for
that instance. This instance has been changed to the vm-underlay-sg AWS
Security Group for the Compute-VPC.
A list of policies that apply to this instance is displayed. Turning on Quarantine moves all
instances that are NSX Managed to the vm-underlay-sg Security Group. This Security
Group allows all traffic to the instance from the AWS network, but NSX Cloud is enforcing
the security policy on each instance that was configured earlier in the lesson.
Since this instance does not have the NSX Agent installed, the quarantine policy has
moved the instance to the default AWS Security Group for the Compute-VPC. Now we'll
look closer at the default Security Group changes.
Click Inbound
1. Click the Inbound tab to view the inbound rules. The only rule is allowing all
traffic within the same (default) security group. This blocks our SSH connection.
In a production environment a bastion or jump host would be needed in the same
security group to restore access to quarantined instances.
Click Outbound
1. Click the Outbound tab to view the outbound rules. The rules are set up to allow
communication to the NSX Cloud Gateway so the instance can install the NSX
Agent.
The PuTTY window for nmap-01a will now be unresponsive and a connection error
message may appear.
Verify that the WordPress application is functioning. The IP address of the server
presenting the page is noted.
1. Click the tab with the Wordpress application. If the tab was closed, re-open it by
selecting the link on the Account Info page.
2. Refresh the browser a few times to verify the application is still functioning.
Turning on the Quarantine Policy in the Compute-VPC has successfully quarantined the
instance that was not properly managed by NSX, without impacting the Wordpress
application.
Traffic Visibility
NSX provides additional operational tools to give visibility into the traffic occurring in an
application environment running in Amazon Web Services. We will look at some of the
traffic statistic aggregation features of NSX.
Select the NSX Manager browser tab in Google Chrome that was opened previously. If
this browser tab has been closed, open a new browser tab using the NSX Manager URL
from the Account Information browser tab.
Note: If the page has timed out, enter admin for the username and VMware1! for the
password and click Log In to continue.
Click Firewall
Firewall Statistics
1. The Stats column displays the packets, bytes and number of sessions for each
rule.
Click Switching
1. Click Switching.
Here we see the 3 WordPress application instances that we enabled NSX for security,
plus the uplink port.
Click Monitor
1. Click Monitor.
Port Statistics
1. Click Begin Tracking to start the switch port statistic tracking feature (it opens a
new browser tab).
NSX provides near-real-time statistic tracking for this switch port. You can switch over to
the WordPress website browser tab and refresh the page a few times to generate traffic
and then review this page.
Conclusion
This completes Module 4, and the Hands-On Lab. The WordPress application that was
deployed in Amazon Web Services has been successfully secured by installing NSX
components in Amazon Web Services and applying consistent security policies to the
application instances.
Follow the instructions at the end of this lesson to end the lab. You may also proceed to
any other module of interest.
Conclusion
Thank you for participating in the VMware Hands-on Labs. Be sure to visit
http://hol.vmware.com/ to continue your lab experience online.
Version: 20180412-122736