VMware Hands-on Labs - HOL-1829-01-NET


Lab Overview - HOL-1829-01-NET - Getting Started with vRealize Network Insight

Lab Guidance


Note: It will take approximately 90 minutes to complete this lab. You should expect to only finish two of the modules during your time if you are new to vRealize Network Insight. The modules are independent of each other so you can start at the beginning of any module and proceed from there. You can use the Table of Contents to access any module of your choosing.

The Table of Contents can be accessed in the upper right-hand corner of the Lab Manual.

In this lab, students are given an overview and demonstration of vRealize Network Insight. The lab focuses on four capabilities and two use-case scenarios. Module one introduces micro-segmentation and security within networks. Module two walks through the map of a real-time flow, rendering a 360-degree view across the overlay and underlay networks of different platforms. Module three focuses on NSX Manager and gives an in-depth look at how advanced NSX operations are managed from within vRealize Network Insight. Module four focuses on managing security for public clouds (AWS).

Lab Module List:

Lab Captain:

This lab manual can be downloaded from the Hands-on Labs Document site found here:

[http://docs.hol.pub/HOL-2017]

This lab may be available in other languages.  To set your language preference and have a localized manual deployed with your lab, you may utilize this document to help guide you through the process:

http://docs.hol.vmware.com/announcements/nee-default-language.pdf



Location of the Main Console

  1. The area in the RED box contains the Main Console. The Lab Manual is on the tab to the right of the Main Console.
  2. A particular lab may have additional consoles found on separate tabs in the upper left. You will be directed to open another specific console if needed.
  3. Your lab starts with 90 minutes on the timer. The lab cannot be saved; all your work must be done during the lab session. You can click EXTEND to increase your time. If you are at a VMware event, you can extend your lab time twice, for up to 30 minutes; each click gives you an additional 15 minutes. Outside of VMware events, you can extend your lab time up to 9 hours and 30 minutes; each click gives you an additional hour.


Alternate Methods of Keyboard Data Entry

During this module, you will input text into the Main Console. Besides directly typing it in, there are two very helpful methods of entering data which make it easier to enter complex data.


Click and Drag Lab Manual Content Into Console Active Window

You can also click and drag text and Command Line Interface (CLI) commands directly from the Lab Manual into the active window in the Main Console.  


Accessing the Online International Keyboard


You can also use the Online International Keyboard found in the Main Console.

  1. Click on the Keyboard Icon found on the Windows Quick Launch Task Bar.


Activation Prompt or Watermark


When you first start your lab, you may notice a watermark on the desktop indicating that Windows is not activated.  

One of the major benefits of virtualization is that virtual machines can be moved and run on any platform.  The Hands-on Labs utilizes this benefit and we are able to run the labs out of multiple datacenters.  However, these datacenters may not have identical processors, which triggers a Microsoft activation check through the Internet.

Rest assured, VMware and the Hands-on Labs are in full compliance with Microsoft licensing requirements.  The lab that you are using is a self-contained pod and does not have full access to the Internet, which is required for Windows to verify the activation.  Without full access to the Internet, this automated process fails and you see this watermark.

This cosmetic issue has no effect on your lab.  


Look at the lower right portion of the screen


Please check that your lab has finished all the startup routines and is ready for you to start. If you see anything other than "Ready", please wait a few minutes. If after 5 minutes your lab has not changed to "Ready", please ask for assistance.


Module 1 - Micro-Segmentation and Security (30 minutes)

Introduction


When mid- to large-sized enterprises deploy NSX, they often struggle to define the level of micro-segmentation needed between applications on their networks. The most challenging part is knowing what information is required to get started, how to locate that information and the traffic flows, and how to capture the results.

vRealize Network Insight helps solve this problem by analyzing and categorizing VMs into logical groups based on specific compute and network characteristics. From these groups it automatically generates a recommended model of security groups, with specific firewall rules for each group. This makes life much easier for security architects and engineers.

vRealize Network Insight (vRNI) relies on an IPFIX collector fed from the vSphere Distributed Switch (vDS) layer to capture data flows. We enable IPFIX on the vDS so that the ESXi hosts forward IPFIX records, carried in UDP packets, to the vRealize Network Insight appliance. The captured flows give a real-time view of traffic on every port and can be filtered further to explore East-West traffic.
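The collector side of the IPFIX exchange described above, as an added example that is not code from the lab or from vRealize Network Insight: a Python decoder for the IPFIX message format (RFC 7011) that learns the template the exporter sends, decodes the data records that follow it using the IANA information element numbers, and filters the result down to East-West flows. The message bytes, the addresses and the five-field template are constructed here; a real vDS exporter sends a richer template, and the collector port is whatever the vDS IPFIX settings point at. One caveat worth adding: IPFIX over UDP carries no authentication or integrity protection, so the collector should only be reachable from the ESXi hosts' vmkernel addresses.

```python
import ipaddress
import struct

# IANA information element IDs used by the constructed template (RFC 7012).
IE_NAMES = {
    4: "protocolIdentifier",
    7: "sourceTransportPort",
    8: "sourceIPv4Address",
    11: "destinationTransportPort",
    12: "destinationIPv4Address",
}
TEMPLATE_ID = 256
FIELDS = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1)]  # (IE id, length in bytes)


def build_message(template_fields, records, seq):
    """Construct an IPFIX message (RFC 7011): 16-byte header, an optional
    template set (set id 2) and one data set whose set id is the template id."""
    body = b""
    if template_fields:
        tmpl = struct.pack("!HH", TEMPLATE_ID, len(template_fields))
        tmpl += b"".join(struct.pack("!HH", ie, ln) for ie, ln in template_fields)
        body += struct.pack("!HH", 2, 4 + len(tmpl)) + tmpl
    data = b"".join(records)
    body += struct.pack("!HH", TEMPLATE_ID, 4 + len(data)) + data
    # version 10, total length, export time, sequence number, observation domain
    header = struct.pack("!HHIII", 10, 16 + len(body), 1507000000, seq, 42)
    return header + body


def flow_record(src, dst, sport, dport, proto):
    """Pack one data record in the field order of FIELDS."""
    return (ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
            + struct.pack("!HHB", sport, dport, proto))


def decode_value(ie_id, raw):
    if ie_id in (8, 12):
        return str(ipaddress.IPv4Address(raw))
    return int.from_bytes(raw, "big")


def parse_ipfix(msg, templates):
    """Decode one IPFIX message. `templates` is the collector's per-exporter
    cache: data sets may arrive before or long after the template that
    describes them, so the cache must outlive a single message. Only
    fixed-length fields are handled (no 0xFFFF variable-length encoding)."""
    version, length, _export_time, _seq, _domain = struct.unpack_from("!HHIII", msg, 0)
    if version != 10:
        raise ValueError("not an IPFIX message")
    if length > len(msg):
        raise ValueError("truncated message")
    flows, off = [], 16
    while off + 4 <= length:
        set_id, set_len = struct.unpack_from("!HH", msg, off)
        if set_len < 4 or off + set_len > length:
            raise ValueError("bad set length")
        end, pos = off + set_len, off + 4
        if set_id == 2:  # template set
            while pos + 4 <= end:
                tid, count = struct.unpack_from("!HH", msg, pos)
                pos += 4
                if count == 0:  # template withdrawal
                    templates.pop(tid, None)
                    continue
                fields = []
                for _ in range(count):
                    ie_id, flen = struct.unpack_from("!HH", msg, pos)
                    pos += 4
                    if ie_id & 0x8000:  # enterprise IE: skip the 4-byte PEN
                        pos += 4
                        ie_id &= 0x7FFF
                    fields.append((ie_id, flen))
                templates[tid] = fields
        elif set_id >= 256:  # data set; the set id is the template id
            fields = templates.get(set_id)
            if fields is not None:  # unknown template: skip the whole set
                rec_len = sum(ln for _, ln in fields)
                while pos + rec_len <= end:  # trailing bytes < rec_len are padding
                    rec = {}
                    for ie_id, flen in fields:
                        rec[IE_NAMES.get(ie_id, "ie%d" % ie_id)] = decode_value(ie_id, msg[pos:pos + flen])
                        pos += flen
                    flows.append(rec)
        off = end
    return flows


def east_west(flows, internal_prefixes):
    """Keep only flows whose two endpoints both sit inside the data center."""
    nets = [ipaddress.ip_network(p) for p in internal_prefixes]

    def inside(ip):
        return any(ipaddress.ip_address(ip) in n for n in nets)

    return [f for f in flows if inside(f["sourceIPv4Address"]) and inside(f["destinationIPv4Address"])]


def demo():
    """Constructed exporter stream: the first message carries the template and
    two records, the second carries data only and relies on the cached template."""
    templates = {}
    m1 = build_message(FIELDS, [
        flow_record("10.10.1.11", "10.10.2.21", 51234, 8080, 6),   # web -> app
        flow_record("10.10.2.21", "10.10.3.31", 44010, 3306, 6),   # app -> db
    ], seq=1)
    m2 = build_message(None, [
        flow_record("198.51.100.7", "10.10.1.11", 40001, 80, 6),   # external client -> web
    ], seq=3)
    flows = parse_ipfix(m1, templates) + parse_ipfix(m2, templates)
    return flows, east_west(flows, ["10.10.0.0/16"])


if __name__ == "__main__":
    for f in demo()[1]:
        print(f)
```

Running the block prints the two East-West records; the north-south client flow is decoded but filtered out, and a data set whose template the collector has never seen is skipped rather than mis-parsed.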

We have two scenarios that show how vRealize Network Insight can be used to get full visibility and granular control when deploying firewall rules, so that micro-segmentation is completed without guessing.

Scenario 1 (brownfield deployment): Customer ABC has bought ESXi and NSX and does not have a clear understanding of how to operationally deploy its existing workloads with East-West firewall protection, or how to segment those workloads. The customer now uses vRealize Network Insight to observe the real-time data flows between ports in order to build the East-West firewall rules. vRealize Network Insight observes the traffic patterns in the captured flows and then makes recommendations for securing East-West communication between the workloads. The existing firewall rules and micro-segmentation can also be verified against the observed flows.

Scenario 2 (greenfield deployment): Customer ABC has a new DevOps project and does not yet know what the firewall rules or recommendations should be. Using vRealize Network Insight, we can start monitoring the real-time data flows immediately as each deployment and development step unfolds. Based on that information, we can apply the firewall rules at the QA stage and prepare for testing, so that when the workloads move into production they have day-zero operational security for East-West traffic within the data center.

NOTE: NSX is not required at any stage to capture, observe or implement East-West firewall rules. Security planning relies only on IPFIX at the vDS layer to capture and observe the data flows between ports.
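How observed flows become a recommended rule set (scenario 2) and how an existing policy is checked against them (scenario 1), as an added Python example that is not the lab's or the product's own logic. The VM inventory, tier names, flow records and the "current" policy are constructed; the group names echo the Prod_MidTier style used later in this module.

```python
from collections import Counter

# Constructed inventory: VM name -> the logical group (tier) it would be placed in.
GROUPS = {
    "web-01": "Prod_Web", "web-02": "Prod_Web",
    "app-01": "Prod_MidTier", "app-02": "Prod_MidTier",
    "db-01": "Prod_DB",
    "infra-01": "Shared_Services",
}

# Constructed flow records, aggregated per (src VM, dst VM, protocol, dst port)
# the way a collector reports them over the observation window.
FLOWS = [
    ("web-01", "app-01", "tcp", 8080), ("web-02", "app-02", "tcp", 8080),
    ("app-01", "db-01", "tcp", 3306), ("app-02", "db-01", "tcp", 3306),
    ("app-01", "db-01", "tcp", 3306),           # repeat observation of the same service
    ("web-01", "infra-01", "udp", 53), ("app-01", "infra-01", "udp", 53),
    ("db-01", "infra-01", "udp", 53),
    ("web-02", "web-01", "tcp", 22),            # intra-tier admin hop
    ("backup-99", "db-01", "tcp", 22),          # VM missing from the inventory
]


def recommend_rules(flows, groups):
    """Collapse VM-to-VM flows into group-to-group allow rules.

    Returns (rules, unclassified): rules maps (src_group, dst_group, proto, port)
    to the number of flows that justify it; unclassified holds flows touching a
    VM that is not in the inventory, so the engineer classifies them instead of
    the tool silently dropping them. Anything not in rules is the implicit deny."""
    rules, unclassified = Counter(), []
    for src, dst, proto, port in flows:
        if src not in groups or dst not in groups:
            unclassified.append((src, dst, proto, port))
            continue
        rules[(groups[src], groups[dst], proto, port)] += 1
    return rules, unclassified


def verify_policy(flows, groups, existing_rules):
    """Check an existing group-level allow list against the observed flows.

    uncovered: observed group-to-group services with no allow rule; enforcing
               the existing policy would break them (or they are violations to
               investigate before a rule is added).
    unused:    allow rules no flow exercised in the window; candidates for removal."""
    needed, _ = recommend_rules(flows, groups)
    existing = set(existing_rules)
    uncovered = sorted(r for r in needed if r not in existing)
    unused = sorted(existing - set(needed))
    return uncovered, unused


def render(rules):
    """Format the recommendation as a rule table ending in the default deny."""
    lines = ["%-14s -> %-15s %-4s %-5s  (%d flows)" % (s, d, p, port, n)
             for (s, d, p, port), n in sorted(rules.items())]
    lines.append("any            -> any             any  any    DENY")
    return "\n".join(lines)


# Constructed "current" policy for the verification scenario: two rules are right,
# one is over-permissive, and the DNS and intra-tier rules were never written.
CURRENT_POLICY = [
    ("Prod_Web", "Prod_MidTier", "tcp", 8080),
    ("Prod_MidTier", "Prod_DB", "tcp", 3306),
    ("Prod_Web", "Prod_DB", "tcp", 3306),
]

if __name__ == "__main__":
    rules, unclassified = recommend_rules(FLOWS, GROUPS)
    print(render(rules))
    print("unclassified:", unclassified)
    print("uncovered/unused:", verify_policy(FLOWS, GROUPS, CURRENT_POLICY))
```

The flow counts per rule are the evidence an engineer reviews before accepting a recommendation; a rule backed by a single observation in a one-day window deserves a second look before it becomes policy.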

This Module contains the following lessons:


Micro-Segmentation Introduction


This section contains the following lessons:



Lab Status Check


  1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules


Open Google Chrome


  1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.


Plan Security


When the vRealize Network Insight portal login completes, the first screen shows a search bar at the top.

  1. Type plan security (the search bar uses auto-fill, and predictive text appears as you type).
  2. Select the Time icon.


Micro-Segments


The screen should now be focused on the Plan Security view. Let us focus on the left-hand side of the Plan Security screen, marked Micro Segments. This section uses the subnet view to show how flows between two or more points can be tracked.

Note: Flows can be segmented using views by VLAN/VXLAN, Subnet, Folder, Cluster, VM, Port, Security Tag or Security Group.

  1. Select Last 1 Day (to clear the previous date range).
  2. Open the drop-down box and select by Subnet.
  3. Micro-segments can be analyzed further by secondary groups (this step is for information only).
  4. Click Analyze to populate the data.


Security Group 'Prod_MidTier'


Network administrators and architects face daily challenges in identifying the security policies and groups that are in place, and need far more detail about how those groups are composed before they can continue to plan or execute micro-segmentation. Let's look at how this is possible in a single view that integrates granularly with the overlay and underlay networks.

  1. Using the search bar, type NSX Security Group 'Prod_MidTier' (the search bar uses auto-fill, and predictive text appears as you type).
  2. Click Search to continue.

In this lab setting, a help screen called the Security Group Pinboard may pop up to give the user an instant guide. Its purpose is to point out the detail view and the topology layout. Read through the help guide and, once completed:

  1. Click the close icon (x) to continue.


Firewall Rule - Tracking


Using the search bar, we will demonstrate how you can track any firewall rule in your environment. This is only one example of how security-related objects can be searched for in a single statement, with the results exported.


Conclusion


Congratulations on completing Module 1.

In this module we introduced the minimum steps required to facilitate micro-segmentation. The module also demonstrated how to achieve day-zero readiness and how to track, report and alert on each individual object or group of objects in real time. Using the East-West traffic in this module, vRealize Network Insight showed how easily network analysis can be acquired and used to automatically generate firewall rules for both greenfield and brownfield deployments.

Key facts to remember as demonstrated in this module:

For additional information about the functionality showcased in this module visit www.vmware.com

Please close the Chrome Web browser.

This concludes this module, please continue to the next module.



For More Information


How to End Lab


To end your lab, click the END button; otherwise click a module from the list above to continue.


Module 2 - 360 degree Visibility across Virtual and Physical Networks (45 minutes)

Introduction


vRealize Network Insight includes advanced analytics that collect and display configuration data from all the components involved in the overlay and underlay of the network. Data is collected in real time.

vRealize Network Insight presents this in a smart user interface, which simplifies problem determination and gives visibility into the firewall and network configurations.

This Module contains the following lessons:


360 Network Visibility and Troubleshooting


This section contains the following lessons:



Open Google Chrome


  1. Open Chrome on the Control Center Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.


Path and Topology


This module uses the "Path and Topology" feature in vRealize Network Insight to get 360-degree visibility into our network scenario. The "Path and Topology" view can also extend to hosts, L3 networks, security groups and so on, but in this module we focus only on the path.

From the main console:

  1. Click on "Path and Topology".
  2. Click on "Path".


VM Underlay


Let's now focus on VM Underlay.

  1. The VM Underlay section on the right side of the VM Path topology shows the underlay information for the VMs involved: their connectivity to the top-of-rack switches and the ports involved.
  2. The VM Underlay path topology is shown here.
  3. The components are labeled under Path Details.


  1. In this section, the drop-down list at the top shows the endpoint VMs and the active VMs at the edges.
  2. For each edge VM, the neighbouring drop-down list shows the ingress and egress interface IP addresses.


  1. In the previous step we selected the Prod-DB-2 virtual machine,
  2. which changes the focus to the corresponding interface IP address (vNIC).
  3. The visual map (path topology) shows all the path objects.
  4. Path Details shows the labels and lists the components.

This concludes this module. Please continue to the next module.


Conclusion


Congratulations on completing Module 2.

This module has shown that vRealize Network Insight can trace the flow of data between two objects throughout the network, providing a 360-degree view of the virtual as well as the physical components in the path. With the map function and the details on the map, it is easy to get a quick overview of the components used in a network communication.

All the components in the map are based on a snapshot of real-life data. Feel free to click on the other icons shown in the map in this module before continuing to the next module, to have a look at other components.



For More Information


For additional information about the functionality showcased in this module visit http://www.vmware.com/vrealize network insight.

This concludes this module. Please continue to the next module.

If you are looking for additional information, try one of these:

Proceed to any module below which interests you most.


How to End Lab


To end your lab, click the END button; otherwise click a module from the list above to continue.


Module 3 - Advanced NSX Management & Operations (45 minutes)

Introduction


vRealize Network Insight ensures that we have full visibility from an overlay and underlay perspective, and this module focuses on advanced operations of NSX with vRealize Network Insight. It is important to note that vRealize Network Insight provides both a real-time view and a historical view. The integration is not a simple SNMP query: it gathers advanced CLI and metadata information from NSX in real time.

This Module contains the following lessons:

  • Operational guidance for NSX Manager.
  • Advanced NSX Management & Operations Interactive Simulation.

NSX Advanced Management Operations




Lab Status Check


  1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.


Open Google Chrome


  1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.


Search Bar - NSX Manager


Using the search bar on the entry screen

  1. Type NSX Manager (this will list three NSX Managers).
  2. Click Search.


Topology - Explained


Note: The topology for the NSX environment does not show any load balancer status information in this release.

  1. Click the edge VM icon to see detailed information about the edge services.


Hands-on Labs Interactive Simulation: Advanced NSX Management & Operations


This part of the lab is presented as a Hands-on Labs Interactive Simulation. This will allow you to experience steps which are too time-consuming or resource intensive to do live in the lab environment. In this simulation, you can use the software interface as if you are interacting with a live environment.

  1. Click here to open the interactive simulation. It will open in a new browser window or tab.
  2. When finished, click the “Return to the lab” link to continue with this lab.

Conclusion


Congratulations on completing Module 3.

This module demonstrated the vRealize Network Insight capability of advanced management operations. vRealize Network Insight provides an in-depth analysis of the virtual as well as the physical components associated with NSX (underlay and overlay).



For More Information


If you are looking for additional information, try one of these:

Proceed to any module below which interests you most.


How to End Lab


To end your lab, click the END button; otherwise click a module from the list above to continue.


Module 4 - Manage Security for Public Clouds (AWS) (30 Minutes)

Introduction


Enterprise IT needs visibility into the network and security status of their workloads, whether hosted on premises, or within AWS. While many AWS workloads are sandboxes for application development teams (DevOps), it is important to analyze these workloads. Increasingly, public cloud workloads are also fulfilling mission critical production needs for many organizations. Enterprise IT must be ready to determine the best location, security posture, and bandwidth allocation when deploying workloads. Having traffic pattern details as well as security analysis and recommendations readily available, helps organizations make the ideal hosting decisions to meet their business needs.

vRealize Network Insight (vRNI) supports the Amazon Web Services (AWS) public cloud. The vRNI traffic monitoring features provide visibility into native AWS constructs such as Virtual Private Clouds (VPCs), VMs, security groups, firewall rules and tags. vRNI also analyzes AWS traffic flows to provide security and micro-segmentation views of cloud workloads. This means you will be able to plan micro-segmentation and understand traffic patterns using data collected from your AWS instances.

This Module contains the following lessons:


Introduction to Managing Security for Public Clouds (AWS)




Lab Status Check


  1. Make sure the Lab Status displays Ready before continuing.

Close browser sessions from previous modules.


Open Google Chrome


  1. Open Chrome on the Control Centre Desktop.

Note: Internet Explorer will not work and is not certified to be used with vRealize Network Insight at the time of this release.


AWS Configuration


Let's review the AWS VPC setup used for this lab.

  1. An on-premises instance of vRealize Network Insight manages AWS.
  2. There are two VPCs: CRM and Common Services.
  3. VPC CRM contains the CRM application, which comprises three tiers: Web, App and DB.
  4. Internal users of the company access the Web tier of CRM on port 80, internally via a jump box.
  5. The Web tier talks to the App tier on port 8080.
  6. The App tier talks to the DB tier on port 3306.
  7. The Web tier is open on port 80 to VMs in the internal data centers.
  8. From the jump box in VPC CRM, all virtual machines have SSH access on port 22.
  9. All tiers of VPC CRM talk to the DNS server on port 53 and to the log server on port 514 in VPC Common Services.
  10. This means that a connection from the DB tier to the log server (used for backup services) must exist, as configured by the administrator; this is in fact the problem area our investigation will focus on.


Plan Security - AWS Cloud


vRealize Network Insight extends micro-segmentation planning to AWS constructs. The 'CRM' Application in AWS VPC has already been created for you.

Application creation steps have been discussed in Module 3.

  1. In vRealize Network Insight, click Plan Security.

From the Plan Security dialog box, under Entity, select:

  1. Application
  2. CRM
  3. Click Analyze


We can now visualize the three-tier CRM application in one AWS VPC. We shall explore the three-tier logic in the following steps.

  1. Note that the micro-segments are already filtered by tier.
  2. Web (the Web tier talks to the App tier on port 8080; internal users of the organisation access the Web tier of the CRM application on port 80 internally)
  3. App (the App tier talks to the DB tier on port 3306)
  4. DB (the DB tier talks to the log servers); this is the problem area we are going to explore.

All tiers of the first VPC talk to the DNS server on port 53 and to the log server on port 514 in the second VPC.


Exploring the Three Tier Application - Step by Step


We shall now explore the three-tier application setup to understand the security and communication posture.

  1. Hover over the App micro-segment.
  2. Click Keep Focus.
  3. Click the yellow line to explore the flows. This reveals the flows from Web to App.

  1. The Web tier talks to the App tier on port 8080.
  2. Click X to continue.

  1. Hover over the App micro-segment.
  2. Click Keep Focus.
  3. Click the blue line to explore the flows. This reveals the flows from App to DB.

  1. The App tier talks to the DB tier on port 3306.
  2. Click X to continue.

  1. Hover over the App micro-segment.
  2. Click Keep Focus.
  3. Click the yellow line to explore the flows. This reveals the flows from DC Virtual to App.

  1. DC Virtual (the jump box) talks to the App tier on port 22.
  2. Click X to continue.

  1. Hover over the App micro-segment.
  2. Click Keep Focus.
  3. Click the blue line to explore the flows. This reveals the flows from App to Shared Virtual.

  1. The App tier talks to Shared Virtual on ports 53 (DNS) and 514 (syslog).
  2. Click X to continue.

  1. Hover over the DB micro-segment.
  2. Click Keep Focus.
  3. Click the blue line to explore the flows. This reveals the flows from DB to Shared Virtual.

  1. By design the DB tier should be pushing logs to 'aws-log-server' on port 514 (syslog), but the flows reveal only one service: port 53 to aws-DNS-Server. Effectively there is no communication to the syslog server (which is the backup service).
  2. Click X to continue.


Firewall Queries for CRM Application

To troubleshoot the issue further, the administrator runs three firewall queries to establish why DB to Shared Virtual has no flows on port 514 (syslog).

  1. In the Chrome web browser, right-click the tab.
  2. Select Duplicate from the menu.

  1. Remove the current search string (copied over when the tab was duplicated) and type the new search query: firewall action of flows where dst vm = 'aws-log-server'. This returns 5 results: 4 Allow (for the web and mid tiers) and 1 Deny (for DB).
  2. Click Search.
  3. Tick the DENY checkbox so we can focus on the deny result.

We can see a DENY action preventing crm-database from communicating with aws-log-server on port 514. This indicates that the AWS administrator forgot to add a rule allowing traffic from crm-database (the database) to aws-log-server (the syslog server).


  1. In the Chrome web browser, right-click the tab.
  2. Select Duplicate from the menu.

  1. Remove the current search string (copied over when the tab was duplicated) and replace it with the new search string: aws firewall rule where src vm = 'crm-web1' and dst vm = 'aws-log-server'.
  2. Click Search.
  3. This returns 3 results: 1 inbound and 2 outbound rules. The result of this query validates the communication from 'crm-web1' to 'aws-log-server'.

  1. In the Chrome web browser, right-click the tab.
  2. Select Duplicate from the menu.

  1. Remove the current search string (copied over when the tab was duplicated) and replace it with the new search string: aws firewall rule where src vm = 'crm-database' and dst vm = 'aws-log-server'.
  2. Click Search.
  3. This returns 2 results, both outbound rules and no inbound rule. Compared with the crm-web1 result, the inbound rule on the log-server side is missing, which explains the firewall behaviour from crm-database to aws-log-server.
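The reasoning behind the three queries, together with the intended communication matrix from the AWS Configuration section, as an added Python example that is not part of the lab or of vRealize Network Insight: a model of how AWS security groups evaluate a connection, run over a constructed rule set for the two VPCs. Instance names follow the lab; the addresses, security-group ids and rules are assumptions chosen so that the web tier has one inbound and two outbound rules towards aws-log-server while the database tier has only the two outbound rules. Security groups have no explicit deny: the DENY the firewall-action query shows is the absence of a matching allow on one side, which is what the intent check in this block reports.

```python
import ipaddress

# Constructed model of the lab's two VPCs. Instance names follow the lab text;
# the addresses, security-group ids and rules are assumptions for illustration.
INSTANCES = {
    "dc-user":        {"ip": "192.168.10.7", "sgs": []},           # on-prem client, no SG
    "jump-box":       {"ip": "10.0.0.5",     "sgs": ["sg-jump"]},
    "crm-web1":       {"ip": "10.0.1.10",    "sgs": ["sg-web"]},
    "crm-app1":       {"ip": "10.0.2.10",    "sgs": ["sg-app"]},
    "crm-database":   {"ip": "10.0.3.10",    "sgs": ["sg-db"]},
    "aws-dns-server": {"ip": "10.1.0.53",    "sgs": ["sg-dns"]},   # VPC Common Services
    "aws-log-server": {"ip": "10.1.0.20",    "sgs": ["sg-log"]},
}

# Rule: (direction, protocol, from_port, to_port, peer); peer is a CIDR or an SG id.
LOG_OUT = [("out", "tcp", 514, 514, "sg-log"), ("out", "udp", 514, 514, "sg-log")]
SECURITY_GROUPS = {
    "sg-jump": [("out", "tcp", 22, 22, "10.0.0.0/16")],
    "sg-web":  [("in", "tcp", 80, 80, "192.168.0.0/16"), ("in", "tcp", 22, 22, "sg-jump"),
                ("out", "tcp", 8080, 8080, "sg-app"), ("out", "udp", 53, 53, "sg-dns")] + LOG_OUT,
    "sg-app":  [("in", "tcp", 8080, 8080, "sg-web"), ("in", "tcp", 22, 22, "sg-jump"),
                ("out", "tcp", 3306, 3306, "sg-db"), ("out", "udp", 53, 53, "sg-dns")] + LOG_OUT,
    "sg-db":   [("in", "tcp", 3306, 3306, "sg-app"), ("in", "tcp", 22, 22, "sg-jump"),
                ("out", "udp", 53, 53, "sg-dns")] + LOG_OUT,
    "sg-dns":  [("in", "udp", 53, 53, "10.0.0.0/16")],
    # Inbound 514 was granted to the web and app tiers only; sg-db was never added.
    "sg-log":  [("in", "tcp", 514, 514, "sg-web"), ("in", "tcp", 514, 514, "sg-app")],
}


def _peer_matches(peer, inst):
    if peer.startswith("sg-"):
        return peer in inst["sgs"]
    return ipaddress.ip_address(inst["ip"]) in ipaddress.ip_network(peer)


def _rules(sg_ids, direction, peer_inst, proto=None, port=None):
    """Rules in the given direction on sg_ids that reference peer_inst; when a
    service is given, only rules covering that protocol and port."""
    return [(sg, r) for sg in sg_ids for r in SECURITY_GROUPS[sg]
            if r[0] == direction and _peer_matches(r[4], peer_inst)
            and (proto is None or (r[1] == proto and r[2] <= port <= r[3]))]


def rules_between(src_name, dst_name):
    """What the lab's 'aws firewall rule where src vm = ... and dst vm = ...'
    query lists: outbound rules on the source naming the destination, and
    inbound rules on the destination naming the source."""
    src, dst = INSTANCES[src_name], INSTANCES[dst_name]
    return _rules(src["sgs"], "out", dst), _rules(dst["sgs"], "in", src)


def firewall_action(src_name, dst_name, proto, port):
    """Security groups are allow-only and stateful. A new connection needs an
    outbound match on the source (unless the source is outside AWS and has no
    SG at all) AND an inbound match on the destination; with either side
    missing the packet is dropped, which is the DENY that vRNI reports."""
    src, dst = INSTANCES[src_name], INSTANCES[dst_name]
    out_ok = not src["sgs"] or bool(_rules(src["sgs"], "out", dst, proto, port))
    in_ok = bool(_rules(dst["sgs"], "in", src, proto, port))
    return "ALLOW" if out_ok and in_ok else "DENY"


# The communication matrix the lab describes as intended for the CRM application.
TIERS = ("crm-web1", "crm-app1", "crm-database")
INTENDED = ([("dc-user", "crm-web1", "tcp", 80),
             ("crm-web1", "crm-app1", "tcp", 8080),
             ("crm-app1", "crm-database", "tcp", 3306)]
            + [("jump-box", t, "tcp", 22) for t in TIERS]
            + [(t, "aws-dns-server", "udp", 53) for t in TIERS]
            + [(t, "aws-log-server", "tcp", 514) for t in TIERS])


def intent_gaps():
    """Intended flows the security groups would deny, with the side missing a rule."""
    gaps = []
    for src, dst, proto, port in INTENDED:
        if firewall_action(src, dst, proto, port) == "DENY":
            in_hits = _rules(INSTANCES[dst]["sgs"], "in", INSTANCES[src], proto, port)
            side = "inbound on " + dst if not in_hits else "outbound on " + src
            gaps.append((src, dst, proto, port, side))
    return gaps


if __name__ == "__main__":
    for src, dst, proto, port, side in intent_gaps():
        print("DENY %s -> %s %s/%d: missing %s rule" % (src, dst, proto, port, side))
```

The fix that the intent check points at is an inbound rule on the log server's group for tcp/514 from sg-db, not a wider outbound rule on the database; adding outbound rules, which is where an administrator who only looks at the source instance tends to start, changes nothing here.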


Conclusion


Congratulations on completing Module 4.

This module demonstrated the vRealize Network Insight capability to understand traffic patterns and plan micro-segmentation across your private and public cloud environments. This capability offers unparalleled visibility into public and private clouds for micro-segmentation planning, network visibility, and management.



For More Information


How to End Lab


To end your lab, click the END button; otherwise click a module from the list above to continue.


Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com/ to continue your lab experience online.

Lab SKU: HOL-1829-01-NET

Version: 20171010-152226