The Service Composer canvas tab offers a graphical view displaying all security groups within the selected NSX Manager. The view also displays details such as members of each security group as well as the security policy applied on it.

Note: In NSX 6.4.1 and later, the Service Composer > Canvas tab is removed.

This topic introduces Service Composer by walking you through a partially configured system so that you can visualize the mappings between security groups and security policy objects at a high level from the canvas view.

Procedure

  1. In the vSphere Web Client, navigate to Networking & Security > Security > Service Composer.
  2. Click the Canvas tab.

    Synchronization Status, displaying errors or warnings, and Firewall Publish Status, displaying the date and time stamp of the last successful publishing of firewall rules, are shown at the top of the screen.

    All security groups within the selected NSX Manager (that are not contained within another security group) are displayed along with the policies applied on them. The NSX Manager drop-down lists all NSX Managers on which the currently logged in user has a role assigned.

Results

Each rectangular box in the canvas represents a security group, and the icons within the box represent security group members and details about the security policy mapped to the security group.
Figure 1. Security group
A number next to each icon indicates the number of instances. For example, a 1 next to the security policy icon indicates that 1 security policy is mapped to that security group.
Icon Click to display

SG

Security groups nested within the main security group.

members

Virtual machines that are currently part of the main security group as well as nested security groups. Click the Errors tab to see virtual machines with service errors.

SP

Effective security policies mapped to the security group.
  • You can create a new security policy by clicking the Create Security Policy (add) icon. The newly created security policy object is automatically mapped to the security group.
  • Map additional security policies to the security group by clicking the Apply Security Policy (apply) icon.

EP

Effective Endpoint services associated with the security policy mapped to the security group. Suppose you have two policies applied to a security group and both have an Endpoint service of the same category configured. The effective service count in this case will be 1 (since the second, lower-priority service is overridden).

Endpoint service failures, if any, are indicated by the alert icon. Clicking the icon displays the error.

firewall

Effective firewall rules associated with the security policy mapped to the security group.

Service failures, if any, are indicated by the alert icon. Clicking the icon displays the error.

net

Effective network introspection services associated with the security policy mapped to the security group.

Service failures, if any, are indicated by the alert icon. Clicking the icon displays the error.

Clicking an icon displays a dialog box with appropriate details.
Figure 2. Details displayed when you click an icon in the security group

You can search for security groups by name. For example, if you type PCI in the search field in the top right corner of the canvas view, only the security groups with PCI in their names are displayed.

To see the security group hierarchy, click the Top Level (zoom) icon at the top left of the window and select the security group you want to display. If a security group contains nested security groups, click the expand icon to display the nested groups. The top bar displays the name of the parent security group, and the icons in the bar display the total number of security policies, endpoint services, firewall services, and network introspection services applicable to the parent group. You can navigate back up to the top level by clicking the Go up one level (GoUp) icon in the top left part of the window.

You can zoom in and out of the canvas view smoothly by moving the zoom slider in the top right corner of the window. The Navigator box shows a zoomed-out view of the entire canvas. If the canvas is much bigger than what fits on your screen, the Navigator shows a box around the area that is actually visible, and you can move that box to change the section of the canvas that is being displayed.
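
The counts shown in a canvas box follow from the nesting, membership and Endpoint-override rules described above, so they can be recomputed from an inventory when reviewing group-to-policy mappings offline. The following Python code is an added example, not VMware code: the inventory, the field names and the numeric priority (higher wins) are constructed assumptions.

```python
# Constructed sample inventory. Field names and the "priority" number
# (higher wins) are assumptions for illustration, not NSX API objects.
GROUPS = {
    "PCI-Web": {"vms": {"web-01", "web-02"}, "nested": ["PCI-DB"],
                "policies": ["AV-Strict", "AV-Base"]},
    "PCI-DB": {"vms": {"db-01"}, "nested": [], "policies": []},
    "Dev": {"vms": {"dev-01"}, "nested": [], "policies": ["AV-Base"]},
}
POLICIES = {
    "AV-Strict": {"priority": 2, "endpoint": {"anti-virus": "strict-scan"}},
    "AV-Base": {"priority": 1, "endpoint": {"anti-virus": "base-scan"}},
}

def top_level(groups):
    """Groups not contained in another group: the boxes the canvas shows."""
    nested = {child for g in groups.values() for child in g["nested"]}
    return sorted(name for name in groups if name not in nested)

def members(groups, name, seen=None):
    """VMs in the group and in every nested group (guards against cycles)."""
    seen = set() if seen is None else seen
    if name in seen:
        return set()
    seen.add(name)
    vms = set(groups[name]["vms"])
    for child in groups[name]["nested"]:
        vms |= members(groups, child, seen)
    return vms

def effective_endpoint(groups, policies, name):
    """One service per category; the highest-priority policy wins."""
    chosen = {}
    ranked = sorted(groups[name]["policies"],
                    key=lambda p: policies[p]["priority"], reverse=True)
    for pol in ranked:
        for category, service in policies[pol]["endpoint"].items():
            chosen.setdefault(category, (pol, service))
    return chosen

def canvas_box(groups, policies, name):
    """Counts shown next to the SG, members, SP and EP icons of one box."""
    g = groups[name]
    return {"SG": len(g["nested"]), "members": len(members(groups, name)),
            "SP": len(g["policies"]),
            "EP": len(effective_endpoint(groups, policies, name))}

if __name__ == "__main__":
    for box in top_level(GROUPS):
        print(box, canvas_box(GROUPS, POLICIES, box))
```

PCI-Web has two policies mapped but an effective Endpoint count of 1, because both policies configure a service in the same category and the lower-priority one is overridden.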

What to do next

Now that we have seen how the mapping between security groups and security policies works, you can begin creating security policies to define the security services you want to apply to your security groups.