HOL-1829-01: Managing Security for Public Clouds (AWS)
This part of the lab is presented as a Hands-on Labs Interactive Simulation. This will allow you to experience steps which are too time-consuming or resource intensive to do live in the lab environment. In this simulation, you can use the software interface as if you are interacting with a live environment.

The orange boxes show where to click, and the left and right arrow keys can also be used to move through the simulation in either direction.

Log into vRealize Network Insight User Interface

Log into the portal. Credentials are provided.

  1. Click on Login to continue.

Plan Security - AWS Cloud

vRealize Network Insight extends micro-segmentation planning to AWS constructs. The 'CRM' application in the AWS Virtual Private Cloud (VPC) has already been created.

The application creation steps were covered in Module 1.

  1. Click on Plan Security icon under the vRealize Network Insight left menu panel.
  2. Click Plan Security.
  3. Click Entity drop-down menu.
  4. Click Application.
  5. Click Select One drop-down menu.
  6. Click CRM.
  7. Click Analyze.

Visualize the three tier CRM application, which runs in a single AWS VPC. The following steps walk through the logic of each tier.

Note that the micro-segments are already filtered by tier:

  • Web (the Web tier talks to the App tier on port 8080; internal users of the organization reach the Web tier of the CRM application on port 80)
  • App (the App tier talks to the DB tier on port 3306)
  • DB (the DB tier talks to the log server) - this is the problem area that will be explored.

All tiers in the first VPC talk to the DNS server on port 53 and the log server on port 514; both of those servers sit in the second VPC.

Exploring the Three Tier Application - Step by Step

Explore the three tier application setup to understand its security and communication posture.

  1. Click on App Micro-segment.
  2. Click on Keep Focus.
  3. Click on the Yellow line to explore the flows. This will reveal flows from Web to App.

In this view, observe that the Web tier talks to the App tier on port 8080.

  1. Click X to continue.

While the focus is on App Micro-segment,

  1. Click on the Blue line to explore the flows. This will reveal flows from App to DB.

In this view, observe that the App tier talks to the DB tier on port 3306.

  1. Click X to continue.

While the focus is on App Micro-segment,

  1. Click on the Yellow Line to explore the flows. This will reveal flows from DC Virtual to App.

In this view, observe that DC Virtual (the jump box) talks to the App tier on port 22 (SSH).

  1. Click X to continue.

While the focus is on App Micro-segment,

  1. Click on the Blue line to explore the flows. This will reveal flows from App to Shared Virtual.

In this view, observe that the App tier talks to Shared Virtual on port 53 (DNS) and port 514 (syslog).

  1. Click X to continue.

  1. Click on DB Micro-segment.
  2. Click on Keep Focus.
  3. Click on the Blue line to explore the flows. This will reveal flows from DB to Shared Virtual.

By design the DB tier should be pushing its logs to 'aws-log-server' on port 514 (syslog), but the flow reveals only one service: port 53 to aws-dns-server. Effectively there is no communication to the syslog server, which is the back-up service.

  1. Click X to continue.

Firewall Queries for CRM Application

To further troubleshoot the issue, the administrator runs three firewall queries to establish why the DB to Shared Virtual traffic has no flows on port 514 (syslog). The queries have been saved for the purpose of this interactive simulation.

  1. Click on the plan Application 'CRM' tab.
  2. Click Duplicate in the drop-down menu.
  3. Click on the Saved Searches icon (5th icon in the left menu panel).
  4. Click on Saved Searches.
  5. Click on the search string: firewall action of flows where dst vm = 'aws-log-server'.

This will return 5 results: 4 Allow (for the web and mid tiers) and 1 Deny (for the DB tier).

  1. Click on the DENY checkbox to focus on the deny rule.

Notice that the DENY rule is preventing crm-database from communicating with aws-log-server on port 514, indicating that the AWS admin forgot to add a rule allowing traffic from crm-database (the database) to aws-log-server (the syslog server).

  1. Click on the plan Application 'CRM' tab.
  2. Click Duplicate in the drop-down menu.
  3. Click on the Saved Searches icon (5th icon in the left menu panel).
  4. Click on Saved Searches.
  5. Click on the search string: aws firewall rule where src vm = 'crm-web1' and dst vm = 'aws-log-server'.

This will return 3 results: 1 inbound and 2 outbound rules. The results of this query validate the communication from 'crm-web1' to 'aws-log-server'.

  1. Click on the plan Application 'CRM' tab.
  2. Click Duplicate in the drop-down menu.
  3. Click on the Saved Searches icon (5th icon in the left menu panel).
  4. Click on Saved Searches.
  5. Click on the search string: aws firewall rule where src vm = 'crm-database' and dst vm = 'aws-log-server'.

This will return 2 results, both outbound rules, further explaining the firewall rule behavior from crm-database to aws-log-server: compared with crm-web1, the inbound rule that admits the database on the log-server side is the one that is missing.
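The check the three saved queries perform can be reproduced offline. The block below is an added example, not part of the lab or of vRealize Network Insight: it models the CRM topology from the earlier flow walkthrough (web, app, DB, jump box, shared DNS and syslog) as AWS-style security groups and evaluates one flow the way the 'firewall action of flows' query does, requiring both an egress rule on the source group and an ingress rule on the destination group. All addresses, group IDs, rule sets, the host name crm-app1, and the choice of UDP for DNS and syslog are constructed assumptions that mirror the lab's result (outbound rules exist on crm-database, the inbound rule on the log server's side does not), not data taken from the lab environment.

```python
"""Offline evaluation of AWS security-group pairs for a single flow.

Added example, not part of the lab. A flow from instance A to instance B is
allowed only when (1) A's security group has an egress rule covering B and
(2) B's security group has an ingress rule covering A. Security groups are
stateful, so return traffic needs no rule. All names, addresses, group IDs
and rules are constructed assumptions mirroring the lab's CRM topology.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    protocol: str                    # "tcp", "udp" or "-1" (any protocol/port)
    from_port: int
    to_port: int
    cidr: Optional[str] = None       # match the peer by address, or ...
    group_id: Optional[str] = None   # ... by the peer's security group

    def matches(self, protocol: str, port: int, peer_ip: str, peer_sg: str) -> bool:
        if self.protocol != "-1":
            if self.protocol != protocol or not self.from_port <= port <= self.to_port:
                return False
        if self.group_id is not None:
            return self.group_id == peer_sg
        return ip_address(peer_ip) in ip_network(self.cidr)


@dataclass
class SecurityGroup:
    group_id: str
    ingress: List[Rule] = field(default_factory=list)
    egress: List[Rule] = field(default_factory=list)


@dataclass
class Instance:
    name: str
    ip: str
    sg: SecurityGroup


def missing_rules(src: Instance, dst: Instance, port: int, protocol: str = "tcp") -> List[str]:
    """Which side(s) block the flow: 'egress on <sg>' and/or 'ingress on <sg>'."""
    gaps = []
    if not any(r.matches(protocol, port, dst.ip, dst.sg.group_id) for r in src.sg.egress):
        gaps.append(f"egress on {src.sg.group_id}")
    if not any(r.matches(protocol, port, src.ip, src.sg.group_id) for r in dst.sg.ingress):
        gaps.append(f"ingress on {dst.sg.group_id}")
    return gaps


def firewall_action(src: Instance, dst: Instance, port: int, protocol: str = "tcp") -> str:
    """The verdict the lab's 'firewall action of flows' query shows: ALLOW or DENY."""
    return "DENY" if missing_rules(src, dst, port, protocol) else "ALLOW"


def build_topology() -> Dict[str, Instance]:
    """Constructed topology: VPC 10.0.0.0/16 holds web/app/db/jump box,
    VPC 10.1.0.0/16 holds the shared DNS and syslog servers (assumed UDP)."""
    to_shared = [Rule("udp", 53, 53, cidr="10.1.0.0/16"), Rule("udp", 514, 514, cidr="10.1.0.0/16")]
    sg_jump = SecurityGroup("sg-jump", egress=[Rule("tcp", 22, 22, group_id="sg-app")])
    sg_web = SecurityGroup("sg-web",
                           ingress=[Rule("tcp", 80, 80, cidr="10.0.0.0/8")],  # internal users
                           egress=[Rule("tcp", 8080, 8080, group_id="sg-app")] + to_shared)
    sg_app = SecurityGroup("sg-app",
                           ingress=[Rule("tcp", 8080, 8080, group_id="sg-web"),
                                    Rule("tcp", 22, 22, group_id="sg-jump")],
                           egress=[Rule("tcp", 3306, 3306, group_id="sg-db")] + to_shared)
    # crm-database has its outbound rules, as the lab's third query shows.
    sg_db = SecurityGroup("sg-db", ingress=[Rule("tcp", 3306, 3306, group_id="sg-app")],
                          egress=list(to_shared))
    sg_dns = SecurityGroup("sg-dns", ingress=[Rule("udp", 53, 53, cidr="10.0.0.0/16")])
    # The log server admits the web and app subnets only; the DB subnet
    # 10.0.3.0/24 was never added. That is the misconfiguration the lab finds.
    sg_log = SecurityGroup("sg-log", ingress=[Rule("udp", 514, 514, cidr="10.0.1.0/24"),
                                              Rule("udp", 514, 514, cidr="10.0.2.0/24")])
    hosts = [Instance("dc-virtual", "10.0.0.5", sg_jump), Instance("crm-web1", "10.0.1.10", sg_web),
             Instance("crm-app1", "10.0.2.10", sg_app), Instance("crm-database", "10.0.3.10", sg_db),
             Instance("aws-dns-server", "10.1.0.10", sg_dns), Instance("aws-log-server", "10.1.0.20", sg_log)]
    return {h.name: h for h in hosts}


def allow_db_syslog(topo: Dict[str, Instance]) -> None:
    """The fix: add the missing inbound rule on the log server's security group."""
    topo["aws-log-server"].sg.ingress.append(Rule("udp", 514, 514, cidr="10.0.3.0/24"))


if __name__ == "__main__":
    t = build_topology()
    for s, d, port, proto in [("crm-web1", "crm-app1", 8080, "tcp"), ("crm-app1", "crm-database", 3306, "tcp"),
                              ("crm-database", "aws-dns-server", 53, "udp"),
                              ("crm-database", "aws-log-server", 514, "udp")]:
        print(f"{s} -> {d}:{port}/{proto}: {firewall_action(t[s], t[d], port, proto)}",
              missing_rules(t[s], t[d], port, proto))
```

Run as-is, the last line reports the DB to log-server flow as DENY with only `ingress on sg-log` missing, which is the same conclusion the three queries reach: the outbound side is fine, the inbound rule is absent. Calling `allow_db_syslog()` and re-evaluating flips the verdict to ALLOW without touching the database's own group.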

This concludes the interactive simulation.

To return to the lab, click the link in the top right corner or close this browser tab.

Copyright © 2017 VMware, Inc. All rights reserved.