The micro-segmentation use case supports a set of workflows that are tested as part of this validated design. To implement static security, you use the vSphere Web Client to configure distributed firewall rules directly, or you use workflows based on Service Composer.

Prepare your environment.

  • Install and configure the ESXi hosts in a compute cluster.

  • Set up vRealize Log Insight to receive logs from all hosts. This includes distributed firewall logs and NSX logs.

To implement static security groups, you can use logical switches, IP sets, and virtual machine attributes.

  • Create rules for virtual machines on VLAN-backed networks. These rules limit traffic based on virtual machine IP address or based on virtual machine attributes.

  • Create rules for virtual machines attached to NSX logical switches. These rules use the logical switch itself as the source or destination object, so they do not depend on individual IP addresses.

To implement dynamic security groups, whose membership is determined by the security tags assigned to virtual machines rather than by a static list, you use Service Composer security policies.

  • Create rules that separate virtual machines in different security groups according to assigned tags.

  • Create security policies and apply them to security groups.
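The following example is added here to show what the static and dynamic steps above produce as NSX objects; it is not part of the validated design's own tooling. It builds, offline, the XML for a security group whose membership follows a security tag and for a three-tier distributed firewall ruleset (specific allows followed by a logged default deny), and includes the check a reviewer would run before installing the rules. The element names and the endpoints in the comments are assumed from the NSX for vSphere 6.x REST API and should be verified against the API guide for your version; the object identifiers (securitygroup-NN, application-NN) are placeholders.

```python
import xml.etree.ElementTree as ET

# Assumed NSX for vSphere 6.x REST endpoints for these documents (verify against the NSX
# API guide for your version; this is illustrative code, not the VVD's own tooling):
#   POST /api/2.0/services/securitygroup/bulk/globalroot-0                      body: <securitygroup>
#   POST /api/4.0/firewall/globalroot-0/config/layer3sections/{sectionId}/rules  body: <rule>, header If-Match: <etag>


def tag_security_group(name, tag, description=""):
    """XML for a security group whose membership is dynamic: every VM carrying security tag `tag`."""
    sg = ET.Element("securitygroup")
    ET.SubElement(sg, "objectTypeName").text = "SecurityGroup"
    ET.SubElement(sg, "name").text = name
    ET.SubElement(sg, "description").text = description
    dyn_set = ET.SubElement(ET.SubElement(sg, "dynamicMemberDefinition"), "dynamicSet")
    ET.SubElement(dyn_set, "operator").text = "OR"
    crit = ET.SubElement(dyn_set, "dynamicCriteria")
    ET.SubElement(crit, "operator").text = "OR"
    ET.SubElement(crit, "key").text = "VM.SECURITY_TAG"   # membership follows the tag, not a VM name or IP
    ET.SubElement(crit, "criteria").text = "contains"
    ET.SubElement(crit, "value").text = tag
    return ET.tostring(sg, encoding="unicode")


def _objects(parent, list_tag, item_tag, object_ids, negatable=True, obj_type="SecurityGroup"):
    # sources/destinations carry an excluded attribute (negation); appliedToList does not
    lst = ET.SubElement(parent, list_tag, excluded="false") if negatable else ET.SubElement(parent, list_tag)
    for oid in object_ids:
        item = ET.SubElement(lst, item_tag)
        ET.SubElement(item, "value").text = oid
        ET.SubElement(item, "type").text = obj_type
        ET.SubElement(item, "isValid").text = "true"


def dfw_rule(name, action, src_ids, dst_ids, applied_to_ids, service_ids=(), logged=True):
    """XML for one distributed firewall rule. Sources, destinations and appliedTo are
    security-group object ids (securitygroup-NN); omitting <services> means any service."""
    rule = ET.Element("rule", disabled="false", logged="true" if logged else "false")
    ET.SubElement(rule, "name").text = name
    ET.SubElement(rule, "action").text = action            # allow | deny | reject
    _objects(rule, "appliedToList", "appliedTo", applied_to_ids, negatable=False)
    _objects(rule, "sources", "source", src_ids)
    _objects(rule, "destinations", "destination", dst_ids)
    if service_ids:
        services = ET.SubElement(rule, "services")
        for sid in service_ids:
            svc = ET.SubElement(services, "service")
            ET.SubElement(svc, "value").text = sid         # application-NN (placeholder id)
            ET.SubElement(svc, "type").text = "Application"
    ET.SubElement(rule, "direction").text = "inout"
    ET.SubElement(rule, "packetType").text = "any"
    return ET.tostring(rule, encoding="unicode")


def three_tier_ruleset(web_sg, app_sg, db_sg, app_svc, db_svc):
    """Rules in the order they must be installed: specific allows first, then a logged deny
    covering all inter-tier traffic, so anything not explicitly allowed is blocked and visible."""
    tiers = [web_sg, app_sg, db_sg]
    return [
        dfw_rule("Web to App", "allow", [web_sg], [app_sg], [web_sg, app_sg], [app_svc]),
        dfw_rule("App to DB", "allow", [app_sg], [db_sg], [app_sg, db_sg], [db_svc]),
        dfw_rule("Deny between tiers", "deny", tiers, tiers, tiers),
    ]


def check_ruleset(rule_xmls):
    """Return the problems a reviewer would flag before installing: unlogged rules, no terminal deny."""
    problems = []
    parsed = [ET.fromstring(x) for x in rule_xmls]
    for r in parsed:
        if r.get("logged") != "true":
            problems.append("rule %r is not logged" % r.findtext("name"))
    if not parsed or parsed[-1].findtext("action") != "deny":
        problems.append("ruleset does not end in a deny rule")
    return problems


if __name__ == "__main__":
    print(tag_security_group("SG-Web", "tier=web", "VMs tagged as web tier"))
    rules = three_tier_ruleset("securitygroup-10", "securitygroup-11", "securitygroup-12",
                               "application-70", "application-71")
    print("\n".join(rules))
    print("problems:", check_ruleset(rules))
```

Install the rules into a layer-3 section with the section's current ETag in the If-Match header, and keep every rule logged: the deny rule's log lines are what make the monitoring step useful.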

To implement monitoring, you can use the vRealize Log Insight product, which is part of this use case.

  • Send all distributed firewall logs to vRealize Log Insight for analysis.

  • Configure monitoring dashboards.
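The following example is added to show the kind of analysis the monitoring step is for; it is not part of the validated design or of vRealize Log Insight. It parses exported distributed firewall packet-log lines, aggregates drops per rule and per source, and flags sources whose traffic was dropped on several distinct destination ports, which is what a scan from a compromised virtual machine looks like once the deny rule is logged. The line layout is assumed from the NSX for vSphere 6.x dfwpktlogs syslog format and the sample lines, hosts and addresses are constructed for this example.

```python
import re
from collections import Counter, defaultdict

# Assumed dfwpktlogs line layout (NSX for vSphere 6.x syslog export; check the exact
# field order against your NSX version before relying on this pattern):
#   <ts> <host> dfwpktlogs: <INET|INET6> <reason> <PASS|DROP> <domain>/<ruleId> <IN|OUT>
#   <len> <proto> <src>/<sport>-><dst>/<dport> [flags]
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) dfwpktlogs: (?P<af>INET6?) (?P<reason>\S+) (?P<action>PASS|DROP) "
    r"(?P<domain>[^/ ]+)/(?P<rule_id>\d+) (?P<direction>IN|OUT) (?P<length>\d+) (?P<proto>\S+) "
    r"(?P<src>[^/ ]+)/(?P<sport>\d+)->(?P<dst>[^/ ]+)/(?P<dport>\d+)(?: (?P<flags>\S+))?$"
)

# Constructed sample export: hosts, addresses and rule ids are made up for this example.
# Rule 1001 plays the role of the logged inter-tier deny rule.
SAMPLE_LOGS = """\
2019-05-02T10:00:01.123Z esx01.example.local dfwpktlogs: INET match PASS domain-c7/1003 IN 60 TCP 172.16.11.10/51022->172.16.12.20/8443 S
2019-05-02T10:00:02.456Z esx01.example.local dfwpktlogs: INET match DROP domain-c7/1001 IN 60 TCP 172.16.11.10/51023->172.16.13.30/3306 S
2019-05-02T10:00:02.789Z esx02.example.local dfwpktlogs: INET match DROP domain-c7/1001 IN 60 TCP 172.16.11.10/51024->172.16.13.30/22 S
2019-05-02T10:00:03.001Z esx02.example.local dfwpktlogs: INET match DROP domain-c7/1001 IN 60 TCP 172.16.11.11/51025->172.16.13.30/445 S
2019-05-02T10:00:03.500Z esx02.example.local dfwpktlogs: INET match PASS domain-c7/1002 OUT 60 TCP 172.16.12.20/40000->172.16.13.30/3306 S
2019-05-02T10:00:04.000Z esx02.example.local vmkernel: cpu3:1234 some unrelated host message
"""


def parse_line(line):
    """Return the fields of one dfwpktlogs line as a dict, or None for anything else."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(text):
    """Aggregate a block of exported log text into the counters a dashboard would show."""
    stats = {
        "drops_by_rule": Counter(),
        "passes_by_rule": Counter(),
        "drops_by_src": Counter(),
        "dropped_ports_by_src": defaultdict(set),
        "unparsed": 0,   # lines from other facilities, or a format this pattern does not know
    }
    for raw in text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev is None:
            stats["unparsed"] += 1
            continue
        if ev["action"] == "DROP":
            stats["drops_by_rule"][ev["rule_id"]] += 1
            stats["drops_by_src"][ev["src"]] += 1
            stats["dropped_ports_by_src"][ev["src"]].add(int(ev["dport"]))
        else:
            stats["passes_by_rule"][ev["rule_id"]] += 1
    return stats


def lateral_movement_candidates(stats, min_distinct_ports=2):
    """Sources blocked on at least `min_distinct_ports` distinct destination ports,
    sorted for stable output: the shape of a port scan from a compromised VM."""
    return sorted(src for src, ports in stats["dropped_ports_by_src"].items()
                  if len(ports) >= min_distinct_ports)


if __name__ == "__main__":
    s = summarize(SAMPLE_LOGS)
    print("drops by rule:", dict(s["drops_by_rule"]))
    print("drops by source:", dict(s["drops_by_src"]))
    print("unparsed lines:", s["unparsed"])
    print("scan candidates:", lateral_movement_candidates(s))
```

The same aggregations (drop count per rule id, drop count per source, distinct destination ports per source) map directly onto Log Insight dashboard widgets once the dfwpktlogs fields are extracted there; the unparsed counter is worth keeping as a widget too, because a format change after an NSX upgrade otherwise shows up as a silent drop in events.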

The scenario Configuring Micro-Segmentation for Multi-Tier Applications, which is part of the VMware Validated Design for IT Automating IT documentation, illustrates the use of micro-segmentation capabilities such as security groups, security policies, and distributed firewall rules with multi-tier applications.