When App Isolation is enabled for a vRealize Automation multi-machine blueprint, the firewall blocks all inbound and outbound traffic to the component machines of the blueprint. The component machines of the multi-machine blueprint can communicate with each other but cannot connect outside the firewall.
About this task
When a multi-machine service is provisioned with App isolation, vRealize Automation creates a security group corresponding to the multi-machine service and assigns the component machines as members of that security group. The security policy called vRealize Automation App Isolation policy in NSX is created and applied to the security group. The firewall rules are defined in the security policy to allow only internal traffic.
When deploying a multi-machine blueprint that uses both an NSX Edge load balancer and the App Isolation check box option, the dynamically provisioned load balancer is not added to the security group with the other multi-machine blueprint components. This prevents the load balancer from communicating with the machines for which it is meant to handle connections. Because Edges are excluded from the NSX distributed firewall, they cannot be added to security groups. To allow load balancing to function properly, use another security group or security policy that allows the required traffic into the component VMs for load balancing.
The vRealize Automation App Isolation policy has lower precedence than other security policies in NSX. For example, if a multi-machine service contains a Web component machine and an App component machine and the Web component machine hosts a Web service, then the service must allow inbound traffic on ports 80 and 443. In this case, users must create a Web security policy in NSX with firewall rules defined to allow incoming traffic to these ports. In vRealize Automation, users must apply the Web security policy on the Web component of the multi-machine blueprint.
If the Web component machine needs access to the App component machine using a load balancer on ports 8080 and 8443, the Web security policy should also include firewall rules to allow outbound traffic to these ports in addition to the existing firewall rules that allow inbound traffic to ports 80 and 443.
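The following added example (not vRealize Automation or NSX code) models how the App Isolation policy and a higher-precedence Web security policy combine for the Web/App scenario above, including why an Edge load balancer outside the security group is blocked until a separate policy admits it. Machine names, precedence values, the first-match evaluation order and the default rule are assumptions of the model.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of NSX policy evaluation for the App Isolation scenario above;
# not vRealize Automation or NSX code. Precedence and default rule are assumptions.
@dataclass(frozen=True)
class Rule:
    action: str                          # "allow" or "block"
    direction: str                       # "internal", "in", "out" or "any", relative to members
    ports: Optional[frozenset] = None    # None matches any port
    sources: Optional[frozenset] = None  # None matches any source machine

@dataclass(frozen=True)
class Policy:
    name: str
    precedence: int                      # higher value is evaluated first (model assumption)
    members: frozenset                   # machines the policy is applied to
    rules: tuple

def _flow(pol, src, dst):
    s, d = src in pol.members, dst in pol.members
    return "internal" if s and d else "in" if d else "out" if s else None

def evaluate(policies, src, dst, port):
    """First matching rule wins, highest-precedence policy first. Returns (action, policy)."""
    for pol in sorted(policies, key=lambda p: p.precedence, reverse=True):
        flow = _flow(pol, src, dst)
        if flow is None:                 # flow does not touch this policy's members
            continue
        for r in pol.rules:
            if r.direction not in ("any", flow):
                continue
            if r.ports is not None and port not in r.ports:
                continue
            if r.sources is not None and src not in r.sources:
                continue
            return r.action, pol.name
    return "allow", "default"            # no policy matched (assumed default rule)

MM_GROUP = frozenset({"web-vm", "app-vm"})   # security group vRA creates for the blueprint
APP_ISOLATION = Policy("vRealize Automation App Isolation policy", 1000, MM_GROUP, (
    Rule("allow", "internal"),           # component machines may talk to each other
    Rule("block", "any")))               # all other inbound and outbound traffic is blocked
WEB_POLICY = Policy("Web security policy", 2000, frozenset({"web-vm"}), (
    Rule("allow", "in", frozenset({80, 443})),
    Rule("allow", "out", frozenset({8080, 8443}))))
# Edge load balancer cannot join the security group; a separate policy on app-vm admits it
LB_POLICY = Policy("LB to App policy", 2000, frozenset({"app-vm"}), (
    Rule("allow", "in", frozenset({8080, 8443}), frozenset({"edge-lb"})),))
```

Evaluating `("internet", "web-vm", 80)` with only APP_ISOLATION is blocked, and with WEB_POLICY added is allowed; `("edge-lb", "app-vm", 8080)` stays blocked until LB_POLICY is present.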
Prerequisites
- Familiarize yourself with the security features that can be applied to a multi-machine blueprint. See Applying Security on a Component Machine.
- Log in to the vRealize Automation console as a tenant administrator or business group manager.
- Create a multi-machine blueprint. See Create a Multi-Machine Blueprint.
- Verify that an IaaS administrator created a vCloud Networking and Security or NSX endpoint. See Create a vSphere Endpoint for Networking and Security Virtualization.
- Verify that the supported version of VMware Tools is installed on the component machines. See the NSX product documentation.
- Select .
- Locate a multi-machine blueprint with at least one virtual component blueprint.
- Click the Network tab.
- Click the App Isolation check box under Security to enable the option.
- Click OK.
What to do next
Publish your blueprint to make it available as a catalog item. See Publish a Blueprint.