What Micro Segmentation Is Not…

NSX-vSphere Micro Segmentation Review

NSX for vSphere has a compelling use case around Micro Segmentation –

  1. The ability to orchestrate the provisioning of new Layer 2 and Layer 3 application networks via API in a matter of seconds using VXLAN as the overlay technology allowing networks to be created for each application segment on demand. There are numerous benefits in doing this but the big one is this really simplifies the mobility of applications for BC/DR purposes… Easy to move the application and its dedicated network vs dealing with the complexity of splitting Layer 2 networks that support many applications.
  2. The ability to isolate VM’s from each other using customer defined business attributes or vCenter attributes independent of the network topology using Layer 4 Stateful firewall policy. Even with VM’s on the same network segment as each other, Layer 4 Stateful firewall policy dictates how these VM’s should communicate with each other and to the outside world… If you want complete isolation of VM’s on the same network as each other, this is easily accomplished with Layer 2, 3, or 4 security policies.
  3. The ability to apply static or dynamic policy based on changing security conditions within the infrastructure. As example, a virus is identified or intrusion detected will automatically firewall protect the infrastructure from the compromised VM.
  4. Using 3rd Party extensibility, ability to extend native Layer 4 Stateful inspection to Layer 7 Deep Packet Stateful inspection…

Examples of NSX-vSphere Micro Segmentation

The following are examples of Security Group and policies created for Micro Segmentation –

  • Application Environment Level 1 – Test, Dev, Stage, Prod etc combined with Layer 4 stateful policies on how these environments would communicate.
  • Application Environment Level 2 – Exchange, SAP, Peoplesoft, Sharepoint etc combined with Layer 4 stateful policies on how these applications would communicate with each other.
  • Application Environment Level 3 – IIS, Tomcat, MYSQL, SQL Server etc combined with Layer 4 stateful policies on how these application components should communicate with each other.
  • Infrastructure Management – AD, DNS, NTP etc and other components combined with Layer 4 Stateful policies detail how VM’s access infrastructure management components.
  • PCI – Layer 4-7 Stateful policies detail how VM’s that are PCI sensitive receive additional monitoring.
  • Win2K3 – Layer 4-7 Stageful policies to minimize the exposure of older Windows 2003 VM’s.
Screen Shot 2015-12-15 at 10.58.03 PM

NSX Security Groups with Static or Dynamic VM Membership – HOL-SDC-1625

Some Quick NSX Micro Segmentation Wins…

Easy to implement and common use cases for NSX-vSphere Micro Segmentation include –

  • The capability to provide isolation between VM’s in the same Application Tier such as Web Servers or VDI Desktops as these application VM’s do not have a business or technical need to communicate with each other. At the same time, it is still appropriate to allow ping to function so that application owners can quickly validate components are up and running.
  • Application isolation from other applications at the time of provisioning… Out of the box capability with VMware vRealize Automation and VMware Integrated Openstack!
Screen Shot 2015-12-15 at 10.30.23 PM

Security Model and VM Isolation is identical irrespective of network topology.

So why is NSX Micro Segmentation So Effective?

Customer defined business attributes or vCenter attributes are used for security policy and applied at the vNIC of the Virtual Machine.

This gets security administrators out of the business of using and managing IP Addresses for security policy, security policy is dynamic applied as VM’s are added to Security Groups, and most importantly, since security policy is applied at the vNIC, the topology of the network no longer matters. This is all possible as the Hypervisor is able to provide the abstraction layer between VM’s and security policy.

Screen Shot 2015-12-15 at 10.52.12 PM

Layer 4 Stateful Firewall Policy based on Security Groups – HOL-SDC-1625

What did we do before NSX?

Virtual Machine Appliance Based Firewalls

VMware’s vCloud Networking and Security vShield App provided one of the first Virtual Machine Firewalls and there are a few other Virtual Machine Firewall technologies available today although Firewall performance is limited to the VM’s IO performance.

Hardware Firewalls

In the physical world, network perimeter based firewalls play an important role for North-South traffic into and out of the data center but create bottle necks when used East-West within the data center forcing all traffic to “hair pin” into and out of big firewall iron. I know many customers today who are using firewall hardware appliances for both North-South and East-West and thats ok… With the understanding that to provide the same East-West capabilities of NSX, essentially every VM needs to be treated as an interface on the physical firewall.

Access Control Lists

Love them or not but they have existed well before firewalls to provide basic Layer 2-4 Access Control on perimeter routers. Still a very useful tool to assist with some basic network filtering and controls.

Private VLAN’s

A Routing & Switching CCIE’s favorite question on their certification exam, this technology was introduced to the world in the late 90’s/early 00’s as a means to create isolation between physical switch ports on the same VLAN. Today, this same capability is also available to virtual switches and virtual switch ports.

Private VLAN’s are an administrative nightmare – Promiscuous Ports, Community Ports, and Isolated Ports provided very static Permit and Deny capability and the implementation of Private VLAN’s was really only suited to static physical or virtual machines.

The limited use of Private VLAN use has been in DMZ segments where it is simpler to accommodate hard boundaries between virtual and physical workloads – The expansion of Private VLANs beyond DMZ segments adds considerable hardware dependencies to application segmentation. Being nice about it, PVLAN’s are a pig to manage and diagnose –

Screen Shot 2015-12-16 at 8.26.16 AM

Hair pinning East-West traffic across the data center when using traditional firewalls.

A Pig With Lipstick and what Micro Segmentation is Not…

I have described the definition of Micro Segmentation from an NSX perspective… Unfortunately, what the IT industry does so well is adapt and redefine industry definitions to suit their current capabilities. So brace yourselves… Private VLAN’s are being (re)introduced as a Micro Segmentation solution!

Actually, this is sad… When it comes to some really important technology capabilities, I get that there is a desire to say “we can do it too”, but Private VLAN’s are a nightmare to implement and manage.

Some simple facts –

  • Private VLANs are a network switch construct. They know nothing about the workloads connected to them.
  • Like a light switch, they are “on or off”. Depending on the use of the various Private VLAN port configurations of Promiscuous, Community, or Isolated, troubleshooting is difficult and requires reference back to switch port configuration to correlate workload connectivity.
  • When on, there is full network connectivity between switch ports. Using the NSX VDI or Web Tier isolation use case as an example, PVLANs do not allow for specific IP services such as only ICMP Echo/Echo Reply or SSH to be enabled.
  • They promote the use of additional physical and virtual ports given application requirements that cannot be accommodated by an “on or off” definition, may encourage the creation of extra physical or virtual ports for “out of band” access. This creates security backdoors.
  • They are Layer 2 in nature not tied to the workload in question so individual physical or virtual workload mobility will cause changes in security policy.
  • Layer 2 Spine and Leaf Data Center Topologies are not a best practice, thus attempting to use Private VLAN’s in a Layer 3 Spine and Leaf Data Center Topology would add considerable complexity.
  • BC/DR and the repurposing of workloads such as Test/Dev to DR Production would almost be impossible using Private VLANs.

PVLAN’s are a Layer 2 construct and in the world of Software Defined Infrastructure, using PVLANs as a “Micro Segmentation” technology is just plain wrong.

Next Steps…

Hands On Labs at are a great way to learn more about NSX Micro Segmentation and I highly recommend the labs HOL-SDC-1603 and HOL-SDC-1625. Download the lab manuals from and run on a separate screen so that you can run the lab in full screen mode.

Related Posts
The Phoenix Virtual Application…
Science Experiments / Technology Evaluations