NSX supports the creation of policies when setting up multi-tenancy in your environment.
Distributed Firewall for Projects
The Emergency, Infrastructure, Environment, and Application DFW categories are supported for projects within the Org. The /infra policies have the highest precedence, followed by the Project policies. The DFW rules from the /infra space can extend to a Project.
- Rules created under the /infra space apply by default to all workloads in the environment.
- To define the scope of your rules, select the appropriate option for Applied To on the NSX UI. For instance, you can restrict the rules to a specific workload by using the Applied To option.
- You can also use the Applied To option for groups created under the /infra space, or for the Project default groups (ORG-default-PROJECT-<project-name>) that are generated by the system and contain all VMs of the Project.
- The following applies to groups created in the /infra space:
  - Dynamic Membership evaluates all VMs of the system, including VMs in a Project. For example, if a Group membership includes all VMs tagged with web, the group will include VMs with the web tag both within and outside the Project.
  - For Static Membership, you can add workloads connected to a Project either by explicitly referring to the VMs or by using the Project default Groups (ORG-default-PROJECT-<project-name>). Other resources created under a Project are not supported by Groups in the /infra space.
Default Rules
At Project creation, a default security policy is created within the Project at the bottom of the policy list in the Application category. The default policy defines the behaviour for VMs within the Project if no other rule is matched.
The default policy contains the following rules:
- Rules allowing communication to DHCP.
(src:ANY dst:ANY services:DHCP Client|DHCP Server Action Allow)
- Rules allowing communication between workloads within the Project.
(src:Project default groups (ORG-default-PROJECT-<project-name>) dst:Project default groups (ORG-default-PROJECT-<project-name>) services:ANY Action Allow)
- Rules denying all other communication.
(src:ANY dst:ANY services:ANY Action Deny)
The default policy ensures that VMs within a Project can only reach other VMs in the same Project (and DHCP). Communication with VMs outside the Project or with other system-created IP addresses is blocked and can only be allowed by adding rules or modifying rules in the default security policy.
Add Distributed Firewall for Projects
For Project policies, when the scope is set to Any, the policies are limited to that Project. Project rules have access only to groups in the Project and to groups that have been shared with the Project.
PATCH /policy/api/v1/orgs/default/projects/<project-id>/infra/domains/default/security-policies/<security-policy-id>
Sample request:
PATCH https://{{nsx-manager-ip}}/policy/api/v1/orgs/default/projects/project-1/infra/domains/default/security-policies/web-db
Body:
{
  "resource_type": "SecurityPolicy",
  "description": "web-db",
  "display_name": "web-db",
  "rules": [
    {
      "resource_type": "Rule",
      "description": "web-db-rule-1",
      "display_name": "web-db-rule-1",
      "sequence_number": 1,
      "source_groups": [
        "/orgs/default/projects/project-1/infra/domains/default/groups/group-1"
      ],
      "destination_groups": [
        "/orgs/default/projects/project-1/infra/domains/default/groups/group-1"
      ],
      "services": ["/infra/services/HTTP"],
      "action": "ALLOW",
      "_revision": 0
    }
  ],
  "sequence_number": 1,
  "_revision": 0
}
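The following Python helper assembles the PATCH body above and pre-checks that every Group a Project rule references is either inside the Project's own path or in a caller-supplied set of Groups shared with the Project; it is an added example, not NSX documentation code, and it assumes the caller knows the shared Group paths and that "ANY" is the wildcard accepted in source_groups/destination_groups.

```python
"""Assemble and pre-check a PATCH body for a Project-scoped DFW security policy."""
import json

ORG = "default"  # the sample request on the page uses the default org

def project_policy_url(manager: str, project_id: str, policy_id: str) -> str:
    """URL of the PATCH endpoint shown above (project-1 / web-db in the sample)."""
    return (f"https://{manager}/policy/api/v1/orgs/{ORG}/projects/{project_id}"
            f"/infra/domains/default/security-policies/{policy_id}")

def project_group_path(project_id: str, group_id: str) -> str:
    """Policy path of a Group that lives inside the Project."""
    return f"/orgs/{ORG}/projects/{project_id}/infra/domains/default/groups/{group_id}"

def build_rule(name, seq, src, dst, services, action):
    return {"resource_type": "Rule", "description": name, "display_name": name,
            "sequence_number": seq, "source_groups": list(src),
            "destination_groups": list(dst), "services": list(services),
            "action": action, "_revision": 0}

def build_policy(name, rules, seq=1):
    return {"resource_type": "SecurityPolicy", "description": name,
            "display_name": name, "rules": rules, "sequence_number": seq,
            "_revision": 0}

def out_of_scope_groups(policy, project_id, shared_groups=()):
    """Group paths a Project rule may not reference: anything that is neither
    under the Project's own path nor in the caller-supplied set of Groups
    shared with the Project. "ANY" is treated as the wildcard (assumption)."""
    prefix = project_group_path(project_id, "")
    bad = []
    for rule in policy["rules"]:
        for path in rule["source_groups"] + rule["destination_groups"]:
            if path != "ANY" and not path.startswith(prefix) and path not in shared_groups:
                bad.append((rule["display_name"], path))
    return bad

def sample_policy():
    """The web-db policy from the sample request above, rebuilt with the helpers."""
    g1 = project_group_path("project-1", "group-1")
    rule = build_rule("web-db-rule-1", 1, [g1], [g1], ["/infra/services/HTTP"], "ALLOW")
    return build_policy("web-db", [rule])

if __name__ == "__main__":
    policy = sample_policy()
    print(project_policy_url("nsx-manager-ip", "project-1", "web-db"))
    print(json.dumps(policy, indent=2))
    # A rule that reaches for an /infra Group never shared with the Project is flagged
    policy["rules"].append(build_rule("web-db-rule-2", 2, ["ANY"],
        ["/infra/domains/default/groups/corp-db"], ["ANY"], "ALLOW"))
    print(out_of_scope_groups(policy, "project-1"))
```

Run the flagged list against the Project's shared Groups before sending the request; a non-empty result means the PATCH would reference a Group the Project cannot see.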