LAB NSX DFW Configuration

Posted on Jan 17, 2020

NSX DFW Configuration


  • Verify that web-01a is able to reach web-02a, app-01a and db-01a. The subnets for these three servers are:
    • Web: 16.10.0/24
    • App: 16.20.0/24
    • DB: 16.30.0/24
  • Create a 3-tier Security Group named DCLessons-Web-Tier-SG, select object type VM, and then select both web-01a and web-02a
  • Create a Three Tier Access Rule named DClessons-3tier-rule with source any, destination DCLessons-Web-Tier, and the services HTTPS and SSH enabled
  • Create another new rule to allow the Web Security Group to access the App Logical Switch over port 8443
  • Create another rule to allow the App Logical Switch to access the DB Logical Switch over port 80
  • Test the connectivity



Login to the vSphere Web Client

  1. Test 3-tier VM-to-VM connectivity using PuTTY: click the PuTTY shortcut on the desktop taskbar
  2. Select web-01a.corp.local
  3. Click Open

First, show that web-01a can ping web-02a by entering:

  1. ping -c 2

Now test connectivity from web-01a to app-01a and db-01a:

  1. ping -c 2
  2. ping -c 2

Create 3-Tier Security Groups

  1. Click Home | Networking & Security | Service Composer.
  2. Select Security Groups. Note: there may be existing security groups that are used in another lab module.
  3. To add a new security group, click the + ADD icon

  1. After clicking + ADD, name this first group "DClessons-Web-Tier-SG"
  2. Click the "Select objects to include" section
  3. Pull down Object Types and select Virtual Machines
  4. You can filter by typing "web" into the search window
  5. Select web-01a
  6. Click the right-hand arrow to push the VM to the Selected Objects window
  7. Repeat for web-02a
  8. Click Finish

Create 3-Tier Access Rules

  1. On the left-hand menu, select Firewall
  2. In the middle of the screen, select the + ADD SECTION button to add another firewall section above the "Flow Monitoring & Trace Flow Rules-Disabled by Default (Rule 1)" row

Add New Rule Section for 3-Tier Application

  1. Name the section "DClessons-3-Tier-Rule"
  2. Click the Add button

On the new "Dclessons-3-Tier-rule" section, click the three dots indicated by the arrow

  1. Click the Add rule icon

Notice the new default rule under the section called "Dclessons-3-Tier-rule"

  1. Click the Name area of the new rule, "[Enter rule name]", to change it to a new name
  2. Enter "Ext to Web" for the name
  3. Press the Enter key on your keyboard

Source: Leave the Rule Source set to any.

  1. Hover the mouse pointer over the Destination field and click the box to modify it

Change the Destination from Any to the Security Group created earlier: DClessons-Web-Tier-SG

Pull down the Object Type and scroll down until you find Security Group

  1. Click DClessons-Web-Tier-SG
  2. Click the top arrow to move the object to the right
  3. Click SAVE
  4. Edit the Service

Again, hover over the Service field and click the box to change it from Any:

  1. Enter "https" and press Enter to see all services associated with the name https
  2. Select the simple HTTPS service
  3. Click the top arrow
  4. Repeat steps 1-3 above to find and add SSH
  5. Click SAVE

You will now add a second rule to allow the Web Security Group to access the App Security Group via the App port.

  1. Start by selecting the three dots next to the "Ext to Web" rule, as shown
  2. You want this rule to be processed below the previous rule, so choose Add Below from the drop-down box

As you did before, hover the mouse over the Name field and click the pencil.

  1. Enter "Web to App" for the name
  2. Choose the Web-tier Security Group for the Source field
  3. Hover over the Destination field and click it to edit from Any
  4. Scroll down in the Object Type drop-down and click the Logical Switch choice
  5. Select App_Tier-Logical_Switch
  6. Click the top arrow to move the object to the right
  7. Click SAVE
  8. Click the Service field to edit from Any, then click New Service

Enter MyApp for the new service name:

  1. Select TCP for the Protocol
  2. Enter 8443 for the Port number
  3. Click ADD
  4. Finally, click SAVE

Create Third Rule: Allow the App Logical Switch to Access the Database Logical Switch

Repeating the previous steps:

  1. Your new rule should look like the one shown in the example above.
  2. Click Publish Changes
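
As an added example (not part of this lab or VMware's own code), here is a small Python model of the three rules built above, evaluated first-match the way the DFW processes a section, so you can check which flows the section permits before publishing. Object membership is constructed from the lab's objects and the DB logical switch name is assumed. NSX ships the Default Rule as Allow, which is why the ping test between tiers still passes after publishing; pass default_action="block" to see what the three rules allow on their own.

```python
from dataclasses import dataclass

ANY = "any"
# Object membership as built in the lab (constructed from the lab text; the DB
# logical switch name is assumed, the lab only says "DB logical switch").
OBJECTS = {
    "DClessons-Web-Tier-SG": {"web-01a", "web-02a"},   # Security Group
    "App_Tier-Logical_Switch": {"app-01a"},            # Logical Switch
    "DB_Tier-Logical_Switch": {"db-01a"},              # Logical Switch (name assumed)
}

@dataclass(frozen=True)
class Rule:
    name: str
    source: str          # "any", a Security Group or a Logical Switch name
    destination: str
    services: frozenset  # (protocol, port) pairs; empty means Any service
    action: str = "allow"

def members(obj):
    """Resolve a rule object to the VM names it contains (a bare name is itself)."""
    return OBJECTS.get(obj, {obj})

def matches(rule, src, dst, proto, port):
    src_ok = rule.source == ANY or src in members(rule.source)
    dst_ok = rule.destination == ANY or dst in members(rule.destination)
    svc_ok = not rule.services or (proto, port) in rule.services
    return src_ok and dst_ok and svc_ok

# The section in the order the lab builds it ("Web to App" is added below "Ext to Web").
SECTION = [
    Rule("Ext to Web", ANY, "DClessons-Web-Tier-SG", frozenset({("tcp", 443), ("tcp", 22)})),
    Rule("Web to App", "DClessons-Web-Tier-SG", "App_Tier-Logical_Switch", frozenset({("tcp", 8443)})),
    Rule("App to DB", "App_Tier-Logical_Switch", "DB_Tier-Logical_Switch", frozenset({("tcp", 80)})),
]

def evaluate(section, src, dst, proto, port=None, default_action="allow"):
    """First-match evaluation, top to bottom, as the DFW processes a section.
    Unmatched flows fall through to the Default Rule, which NSX ships as Allow;
    pass default_action="block" to see what the three lab rules permit on their own."""
    for rule in section:
        if matches(rule, src, dst, proto, port):
            return rule.action, rule.name
    return default_action, "Default Rule"

if __name__ == "__main__":
    flows = [("internet", "web-01a", "tcp", 443), ("web-01a", "app-01a", "tcp", 8443),
             ("app-01a", "db-01a", "tcp", 80), ("web-01a", "db-01a", "icmp", None)]
    for flow in flows:
        print(flow, evaluate(SECTION, *flow), evaluate(SECTION, *flow, default_action="block"))
```

Note that "Ext to Web" has source any, so it also permits web-01a to reach web-02a over SSH; narrowing that source is a common follow-up hardening step.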

Verify the New Rules Allow 3-Tier Application Communication

Ping Test between Tiers
