Use Case: Shared Compute Infrastructure and Shared Security Policies

This use case allows you to logically isolate traffic from two tenants that share an ESXi cluster and have a common set of security policies. In order to isolate traffic from each tenant you need to create a service definition with a template stack that includes two zones. Zone-based traffic separation makes it possible to distinguish traffic between virtual machines that belong to separate tenants, when it traverses through the firewall. The firewall is able to distinguish traffic between tenant virtual machines based on a service profiles and security groups created on the NSX-V Manager, which are available as match criteria in Dynamic Address Groups on the firewall. Therefore, even with overlapping IP addresses, you can segregate traffic from each tenant and secure each tenant’s virtual machines using zone-base policy rules (source and destination zones must be the same) and dynamic address groups.
nsx_multi-tenant_usecase1.png
  1. This is one-time task and is required if you have not enabled access between the NSX-V Manager and Panorama.
    1. Log in to the Panorama web interface.
    2. Select
      Panorama
      Templates
      to add a template stack. This use case has a template stack named NSX-Template.
    3. Select
      Panorama
      Device Groups
      and add device group. This use case has a device group named NSX-DG.
    4. Create two zones within the template stack. To isolate traffic for each tenant, you need two zones in this use case.
      1. Select
        Network
        Zones
        .
      2. Select the correct template stack in the
        Template
        drop-down.
      3. Select
        Add
        and enter a zone
        Name
        . For example,
        Tenant1
        .
      4. Sets the interface
        Type
        to
        Virtual Wire
        .
      5. Click
        OK
        .
      6. Repeat the steps to add another zone, for example,
        Tenant2
        .
      7. Verify that the zones are attached to the correct template stack.
        nsx_usecase1_zones.PNG
    1. Select
      Panorama
      VMware NSX-V
      Service Definitions
      .
    2. Select
      Add
      and fill in the details.
      nsx_usecase1_sd.PNG
    3. Click
      Commit
      , and select
      Panorama
      as the
      Commit Type
      to save the changes to the running configuration on Panorama.
    1. Select
      Objects
      Address Groups
      and Set Up Dynamic Address Groups on Panorama for each tenant’s virtual machines. For example, this use case has two security groups per tenant; one security group for the web servers and the other security group for the application servers.
    2. Select
      Policies
      Security
      Pre Rules
      to set up security policy rules for sending traffic to the VM-Series firewall.
    3. Select
      Panorama
      VMware NSX-V
      Steering Rules
      and click
      Auto-Generate Steering Rules
      .
    4. Commit
      your changes
  2. The ESXi hosts in the cluster must have the necessary NSX-V components that allow the NSX-V firewall and the VM-Series firewall to work together. The NSX-V Manager will install the components— the Ethernet Adapter Module (.eam) and the SDK —required to deploy the VM-Series firewall.
    1. Select
      Networking and Security
      Installation
      Service Deployments
      .
    2. Click
      New Service Deployment
      (green plus icon), and select the service definition for the Palo Alto Networks next generation firewall you want to deploy,
      Palo Alto Networks NGFW Test 1
      in this example, make your selections including the appropriate ESXi cluster to which you want to deploy the firewall and click
      Finish
      .
      nsx_usecase1_servicedeploy.PNG
    3. Verify that the NSX-V Manager reports the
      Installation Status
      as
      Successful
      .
    4. Verify that the VM-Series firewall is successfully deployed.
      1. On the vCenter server, select
        Hosts and Clusters
        to check that every host in the cluster(s) has one instance of the firewall.
      2. View the management IP address(es) and the PAN-OS version running on the firewall directly from vCenter server. VMware Tools is bundled with the PAN-OS software image and is automatically enabled when you launch the VM-Series firewall.
    1. Create Dynamic Address groups for each tenant on Panorama. The dynamic address group(s) that match on the name of the security group(s) you defined on the NSX-V Manager.
      1. On Panorama, select
        Objects
        Address Groups
        .
      2. Select the correct
        Device Group
        from the drop-down and click
        Add
        .
      3. Add a
        Name
        for the address group and set Type as
        Dynamic
        and
        Add Match Criteria
        . Verify that you select the correct tags for each tenant, the tag includes the service profile ID, the security group name and the security group ID. For example, for this use case there are four dynamic address groups:
        nsx_usecase1_DAGs.PNG
    2. On Panorama, create security policy rules and use the dynamic address groups as source or destination address objects in security policy rules and push it to the firewalls.
      1. Select
        Policies
        Security
        Prerules
        and click
        Add
        .
      2. Create rules for each tenant. This use case has the following policy rules:
        nsx_usecase1_SecurityPolicies.PNG
    3. Click Commit, and select Commit Type as Device Groups. Select the device group, NSX-DG in this example and click OK.
  3. Verify that traffic from each tenant is secured.
    1. Log in to the CLI on the firewall and enter the following command to view the subinterfaces on the firewall:
      show interface all
      total configured hardware interfaces: 2 name id speed/duplex/state mac address --------------------------------------------------- ethernet1/1 16 auto/auto/up d4:f4:be:c6:af:10 ethernet1/2 17 auto/auto/up d4:f4:be:c6:af:11 aggregation groups: 0 total configured logical interfaces: 6 name id vsys zone         forwarding ------------------- ----- ---- ----------------- ethernet1/1      16 1                vwire:ethernet1/2 ethernet1/1.3    4099 1 TENANT-1   vwire:ethernet1/2.3 ethernet1/1.4     4100   1   TENANT-2     vwire:ethernet1/2.4 ethernet1/2        17 1 vwire:ethernet1/1 ethernet1/2.3    4355 1 TENANT-1 vwire:ethernet1/1.3 ethernet1/2.4      4356 1 TENANT-2 vwire:ethernet1/1.4
    2. On the web interface of the VM-Series firewall, select
      Objects
      Address Groups
      and verify that you can view the IP address for the members of each Dynamic Address Group. The following is an example of duplicate IP addresses in dynamic address groups across both tenants.
      nsx_usecase1_dup-IPs.PNG
    3. View the
      ACC
      and the
      Monitor
      Logs
      Traffic
      . Filter on the zone name to ensure that traffic from the virtual machines for each tenant is secured.

Related Documentation