In Aria Automation you can create Network Profiles; these define the networks and network settings used by deployments. One of those settings is the Isolation Policy, which has three options: None, On-demand Network and On-demand Security Group. In this post we will take a high-level look at what the two on-demand options really do and what is required to get them working with Aria Automation.
#On-demand Network
With this policy a network is created for each deployment using the settings specified on the Network Policies tab of the profile, and all virtual machines within the deployment are attached to that network/segment.
#Network Profile Requirements Summary
- NSX Cloud Account within Aria Automation.
- Transport Zone configured within NSX.
- An "External Network" available within NSX and Aria Automation; think of it as a routable network. It is used to create an outbound SNAT rule for the on-demand networks.
- The "External Network" needs to be configured within Aria Automation with Domain, CIDR, DNS and IP Range (the SNAT translated addresses are taken from this IP Range).
- A Tier-0 Gateway configured within NSX; the on-demand networks use it for outbound access.
- An Edge Cluster configured within NSX; the on-demand Tier-1 Gateways, and with them the SNAT and DHCP services, are placed on it.
- An IPAM configuration, either Aria Automation internal IPAM or an external IPAM provider; this is used to allocate subnets to the on-demand networks.
- A Cloud Template that has an NSX network resource using a networkType of outbound, private or routed.
When a deployment associates itself with a Network Profile that is set to create an on-demand network, the following objects are created within NSX, which differ depending on the networkType.
Object/Resource | outbound | private | routed |
---|---|---|---|
Tier-1 Gateway | ✓ | ✓ | |
Network Segment | ✓ | ✓ | ✓ |
NAT Rule (SNAT) | ✓ | ||
DHCP Server* | ✓ | ✓ | ✓ |
- The created Tier-1 Gateway is attached to the Tier-0 Gateway and Edge Cluster specified in the Network Profile.
- The created Segment is attached to the Transport Zone specified in the Network Profile, and a subnet is allocated from the IPAM section of the Network Profile. The gateway address is set to the first address in the allocated subnet.
- For the outbound network type, an SNAT rule is attached to the created Tier-1. Its "Source" is the subnet allocated to the segment and its "Translated IP" comes from the IP Range pre-configured on the External Network specified within the Network Profile.
- Virtual Machines within the deployment are attached to the created Segment (if linked in the Cloud Template).
- If Network Profile > Network Policies > IP Address Management > IP Range Assignment is set to DHCP or Static and DHCP, an NSX-hosted DHCP Server is created. The size of its range depends on the option: for DHCP it covers all IPs in the network; for Static and DHCP* it is half of the network.
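To make the object table and the bullets above checkable, here is an added example (written for this post, not Aria Automation or NSX code) that models which NSX objects a given networkType and IP Range Assignment combination produces and derives the addresses involved. Assumptions not stated on the page: the segment gateway is the first usable host of the subnet, the DHCP pool excludes the gateway, the "Static and DHCP" pool is the upper half of the usable range, and the names T0-GW, EC-01 and TZ-Overlay are placeholders.

```python
"""Model of the NSX objects Aria Automation creates for an on-demand network.

Added example, not Aria Automation or NSX code. Assumptions (not on the page):
gateway = first usable host; DHCP pool excludes the gateway; "Static and DHCP"
uses the upper half of the usable range; T0-GW/EC-01/TZ-Overlay are placeholders.
"""
import ipaddress

NETWORK_TYPES = ("outbound", "private", "routed")
IP_ASSIGNMENTS = ("Static", "DHCP", "Static and DHCP")


def dhcp_pool(subnet, ip_assignment):
    """Return (first, last) of the NSX DHCP pool, or None when no DHCP server is created.

    "DHCP": every usable address except the gateway.
    "Static and DHCP": the upper half of the usable addresses (assumed split).
    """
    usable = list(subnet.hosts())[1:]          # drop the gateway (first host)
    if ip_assignment == "DHCP":
        pool = usable
    elif ip_assignment == "Static and DHCP":
        pool = usable[len(usable) // 2:]
    else:                                      # "Static": no DHCP server at all
        return None
    return str(pool[0]), str(pool[-1])


def plan_on_demand_network(network_type, subnet_cidr, ip_assignment, external_ip,
                           tier0="T0-GW", edge_cluster="EC-01", transport_zone="TZ-Overlay"):
    """Return a dict describing the NSX objects created for one deployment."""
    if network_type not in NETWORK_TYPES:
        raise ValueError(f"unknown networkType {network_type!r}")
    if ip_assignment not in IP_ASSIGNMENTS:
        raise ValueError(f"unknown IP Range Assignment {ip_assignment!r}")
    subnet = ipaddress.ip_network(subnet_cidr, strict=True)   # allocated by IPAM
    gateway = next(subnet.hosts())
    plan = {
        "segment": {                           # created for every networkType
            "transport_zone": transport_zone,
            "subnet": str(subnet),
            "gateway": f"{gateway}/{subnet.prefixlen}",
        }
    }
    if network_type in ("outbound", "private"):   # routed gets no new Tier-1
        plan["tier1_gateway"] = {"tier0": tier0, "edge_cluster": edge_cluster}
    if network_type == "outbound":                # SNAT only for outbound
        if ipaddress.ip_address(external_ip) in subnet:
            raise ValueError("translated IP must come from the External Network, not the segment")
        plan["snat_rule"] = {
            "on": "tier1_gateway",
            "source": str(subnet),
            "translated_ip": external_ip,
        }
    pool = dhcp_pool(subnet, ip_assignment)
    if pool is not None:
        plan["dhcp_server"] = {"range": pool}     # remember: NSX does not tag this object
    return plan


if __name__ == "__main__":
    import json
    print(json.dumps(plan_on_demand_network("outbound", "10.10.0.0/24",
                                            "Static and DHCP", "192.168.100.10"), indent=2))
```

Running the module prints the plan for an outbound network with a split static/DHCP pool; the check that the translated IP is outside the allocated subnet is there because an SNAT that translates into the segment's own range would never give the deployment outbound reachability.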
#On-demand Security Group
With this policy a security group is created for each deployment and all of the virtual machines within the deployment are members of this security group.
#Network Profile Requirements Summary
- NSX Cloud Account within Aria Automation.
- Existing networks to attach VMs to.
- If you are going to use static IP assignment within the Cloud Template, the networks need to be configured within Aria Automation with Domain, CIDR, DNS and IP Range.
- A Cloud Template that has an NSX network resource using a networkType of outbound or private.
When a deployment associates itself with a Network Profile that is set to create an on-demand security group, a security group (usually named isolation-securitygroup-GUID) and the following DFW rules are created within NSX. The VMs are added to the security group by their allocated IP addresses (the IPs, not the VM objects, are the group members), so a VM whose guest IP differs from the address Aria Automation allocated will not match the group and will not be covered by these rules.
#Network Type: Outbound
Rule Name | Sources | Destinations | Services | Applied To | Action |
---|---|---|---|---|---|
inbound-deny-all | Any | isolation-securitygroup | Any | isolation-securitygroup | Reject |
outbound-allow-all | isolation-securitygroup | Any | Any | isolation-securitygroup | Allow |
allow-intra-traffic | isolation-securitygroup | isolation-securitygroup | Any | isolation-securitygroup | Allow |
#Network Type: Private
Rule Name | Sources | Destinations | Services | Applied To | Action |
---|---|---|---|---|---|
inbound-deny-all | Any | isolation-securitygroup | Any | isolation-securitygroup | Reject |
allow-intra-traffic | isolation-securitygroup | isolation-securitygroup | Any | isolation-securitygroup | Allow |
outbound-allow-all | isolation-securitygroup | Any | Any | isolation-securitygroup | Reject |
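Since the isolation depends on these rules staying exactly as created, here is an added example (written for this post, not Aria Automation or NSX code) that encodes the two tables above and audits a rule list as the NSX Policy API returns it (GET /policy/api/v1/infra/domains/default/security-policies/<policy-id>/rules, where each rule carries display_name, source_groups, destination_groups, services, scope, action and sequence_number, and "ANY" stands for any). The sample rules are constructed rather than captured from a live NSX, and the group path is a placeholder.

```python
"""Audit the DFW rules behind an Aria Automation isolation security group.

Added example, not Aria Automation or NSX code. Sample rules are constructed
in the shape of the NSX Policy API response; GROUP is a placeholder path.
"""

ANY = ["ANY"]
GROUP = "/infra/domains/default/groups/isolation-securitygroup-PLACEHOLDER"

# (rule name, source, destination, action) in DFW evaluation order, per the tables above.
EXPECTED = {
    "outbound": [
        ("inbound-deny-all", "any", "group", "REJECT"),
        ("outbound-allow-all", "group", "any", "ALLOW"),
        ("allow-intra-traffic", "group", "group", "ALLOW"),
    ],
    "private": [
        ("inbound-deny-all", "any", "group", "REJECT"),
        ("allow-intra-traffic", "group", "group", "ALLOW"),
        ("outbound-allow-all", "group", "any", "REJECT"),
    ],
}


def sample_rules(network_type, group=GROUP):
    """Constructed rule list shaped like the Policy API response for a fresh group."""
    rules = []
    for seq, (name, src, dst, action) in enumerate(EXPECTED[network_type], start=1):
        rules.append({
            "display_name": name,
            "source_groups": ANY if src == "any" else [group],
            "destination_groups": ANY if dst == "any" else [group],
            "services": ANY,
            "scope": [group],               # "Applied To"
            "action": action,
            "sequence_number": seq * 10,
        })
    return rules


def _matches(field, want, group):
    return field == ANY if want == "any" else field == [group]


def audit_isolation_rules(network_type, group, rules):
    """Return a list of findings; an empty list means the rules match the table."""
    expected = EXPECTED[network_type]
    expected_names = [e[0] for e in expected]
    ordered = sorted(rules, key=lambda r: r["sequence_number"])
    by_name = {r["display_name"]: r for r in ordered}
    findings = []
    for name, src, dst, action in expected:
        rule = by_name.get(name)
        if rule is None:
            findings.append(f"missing rule {name}")
            continue
        if rule["action"] != action:
            findings.append(f"{name}: action is {rule['action']}, expected {action}")
        if not _matches(rule["source_groups"], src, group):
            findings.append(f"{name}: unexpected sources {rule['source_groups']}")
        if not _matches(rule["destination_groups"], dst, group):
            findings.append(f"{name}: unexpected destinations {rule['destination_groups']}")
        if rule["services"] != ANY:
            findings.append(f"{name}: services narrowed to {rule['services']}")
        if rule["scope"] != [group]:
            findings.append(f"{name}: not applied to the isolation group")
    for extra in sorted(set(by_name) - set(expected_names)):
        findings.append(f"unexpected extra rule {extra}")
    # Order matters: in the private policy allow-intra-traffic must precede the
    # outbound REJECT, otherwise VMs in the deployment cannot talk to each other.
    present = [r["display_name"] for r in ordered if r["display_name"] in expected_names]
    if len(present) == len(expected_names) and present != expected_names:
        findings.append(f"rule order is {present}, expected {expected_names}")
    return findings


if __name__ == "__main__":
    for kind in EXPECTED:
        print(kind, audit_isolation_rules(kind, GROUP, sample_rules(kind)) or "OK")
```

Feeding the audit the real rule list for a deployment's isolation policy catches the drift that matters here: an action flipped from REJECT to ALLOW, a rule whose Applied To was widened away from the group, an extra rule inserted into the policy, or the intra-traffic and outbound rules swapped in sequence.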
Tip: tag your resources in Aria Automation so you can easily identify the objects it created. For example, add a tag with key ManagedBy and value AriaAutomation to Network and Virtual Machine resources; the tag is carried through to vSphere and NSX, where it enables quick search and filtering. Be aware that the DHCP Server in NSX is not tagged!
Hopefully this has been helpful in understanding what is created within NSX when using Aria Automation’s on-demand isolation options.