VMware Hands-on Labs - HOL-2022-01-NET


Lab Overview - HOL-2022-01-NET - VMware NSX Cloud – Getting Started

Lab Guidance


Note: It will take more than 120 minutes to complete this lab. You should expect to only finish 2-3 of the modules during your time.  The modules are independent of each other so you can start at the beginning of any module and proceed from there. You can use the Table of Contents to access any module of your choosing.

The Table of Contents can be accessed in the upper right-hand corner of the Lab Manual.

VMware NSX Cloud provides customers the ability to abstract and manage Networking and Security policies in Public Cloud environments such as Amazon Web Services (AWS) and Microsoft Azure.

Through a scenario of an application deployed with minimal security in AWS and Azure, we will explore how VMware NSX Cloud provides operation consistency by bringing an existing cloud environment under NSX management and providing micro-segmentation to native workloads running in AWS and Azure.

Lab Module List:

 Lab Captains:

 

This lab manual can be downloaded from the Hands-on Labs Document site found here:

http://docs.hol.vmware.com 

This lab may be available in other languages.  To set your language preference and have a localized manual deployed with your lab, you may utilize this document to help guide you through the process:

http://docs.hol.vmware.com/announcements/nee-default-language.pdf


 

Disclaimer

This session may contain product features that are currently under development.

This session/overview of the new technology represents no commitment from VMware to deliver these features in any generally available product.

Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.

Technical feasibility and market demand will affect final delivery.

Pricing and packaging for any new technologies or features discussed or presented have not been determined.

 

 

Location of the Main Console

 

  1. The area in the RED box contains the Main Console.  The Lab Manual is on the tab to the Right of the Main Console.
  2. A particular lab may have additional consoles found on separate tabs in the upper left. You will be directed to open another specific console if needed.
  3. Your lab starts with 90 minutes on the timer.  The lab cannot be saved.  All your work must be done during the lab session.  However, you can click EXTEND to increase your time.  If you are at a VMware event, you can extend your lab time twice, for up to 30 minutes.  Each click gives you an additional 15 minutes.  Outside of VMware events, you can extend your lab time up to 9 hours and 30 minutes. Each click gives you an additional hour.

 

 

Alternate Methods of Keyboard Data Entry

During this module, you will input text into the Main Console. Besides directly typing it in, there are two very helpful methods of entering data which make it easier to enter complex data.

 

 

Click and Drag Lab Manual Content Into Console Active Window

You can also click and drag text and Command Line Interface (CLI) commands directly from the Lab Manual into the active window in the Main Console.  

 

 

Accessing the Online International Keyboard

 

You can also use the Online International Keyboard found in the Main Console.

  1. Click on the Keyboard Icon found on the Windows Quick Launch Task Bar.

 

 

Click once in active console window

 

In this example, you will use the Online Keyboard to enter the "@" sign used in email addresses. The "@" sign is Shift-2 on US keyboard layouts.

  1. Click once in the active console window.
  2. Click on the Shift key.

 

 

Click on the @ key

 

  1. Click on the "@" key.

Notice the @ sign entered in the active console window.

 

 

Activation Prompt or Watermark

 

When you first start your lab, you may notice a watermark on the desktop indicating that Windows is not activated.  

One of the major benefits of virtualization is that virtual machines can be moved and run on any platform.  The Hands-on Labs utilizes this benefit and we are able to run the labs out of multiple datacenters.  However, these datacenters may not have identical processors, which triggers a Microsoft activation check through the Internet.

Rest assured, VMware and the Hands-on Labs are in full compliance with Microsoft licensing requirements.  The lab that you are using is a self-contained pod and does not have full access to the Internet, which is required for Windows to verify the activation.  Without full access to the Internet, this automated process fails and you see this watermark.

This cosmetic issue has no effect on your lab.  

 

 

Look at the lower right portion of the screen

 

Please check to see that your lab has finished all the startup routines and is ready for you to start. If you see anything other than "Ready", please wait a few minutes.  If after 5 minutes your lab has not changed to "Ready", please ask for assistance.

 

Module 1 - Introduction to Hybrid On-Premises and Public Cloud Environments (30 minutes)

Introduction


The NSX management and control plane components, as well as portions of the application, have been provisioned in our on-premises data center. We have two separate applications: a hybrid application and a public cloud application. The hybrid application's front end web tier has been deployed in both AWS and Azure. The public cloud application is also deployed in both AWS and Azure. We will examine the component inventory.


Solution Overview


This lab includes many pre-configured items that are necessary for future lessons. We will examine a brief overview of the configured solution and review the functionality of the configured lab environment.

The configurations that will be reviewed include:


 

Solution Overview

As companies move workloads to public cloud providers, they require a way to extend their SDDC network and security policies into these public environments. This extension allows workloads to run in public clouds with the same native controls they have present in an on-premises datacenter. VMware NSX Cloud provides companies with the ability to extend enterprise security, compliance and governance.

NSX provides solutions for the top networking and security challenges companies face in public cloud environments:

 

 

Solution Components

 

The solution consists of the following components, each of which will be explored in upcoming lessons:

 

 

Hybrid App (AB-Cart) Topology

 

The picture depicts the environment that is provisioned and used during the lessons of this lab. The environment explores the scenario of a developer deploying an application with components in the on-premises data center, Microsoft Azure, and Amazon Web Services (AWS). The application deployment lacks security policies that match the company corporate standards, and it will be necessary to use NSX to apply consistent policies to the application environment.

The deployment of VMware NSX Cloud requires one or more Public Cloud environments. The NSX Management Plane (NSX Manager and Cloud Services Manager) and Control Plane (NSX Controller) components have been pre-configured in the on-premises data center.

 

 

Public Cloud App (OpenMRS) Topology

 

The picture depicts the environment that is provisioned and used during the lessons of this lab. The environment explores the scenario of a developer deploying an application with all components in public cloud, Microsoft Azure, and Amazon Web Services (AWS). The application deployment lacks security policies that match the company corporate standards, and it will be necessary to use NSX to apply consistent policies to the application environment.

 

Lab Validation


This lab includes many pre-configured items that are necessary for future lessons. We will examine a brief overview of the configured solution and review the functionality of the configured lab environment.

The configurations that will be reviewed include:


 

Lab Must Be In Ready State

 

Please check to see that your lab has finished all the startup routines and is ready for you to start. If you see anything other than "Ready", please wait a few minutes.  If after 5 minutes your lab has not changed to "Ready", please ask for assistance.

Proceeding when the lab is not "Ready" will result in a non-functional lab.

 

 

Lab provisioning status page

The AWS and Azure portions of the lab provisioning are currently completing. A webpage has been provided that displays the status of the lab resources that are being provisioned on AWS and Azure as part of this lab startup.

NOTE: The resources provisioned in Amazon Web Services and Microsoft Azure are accessible only from the Main Console of the HOL environment.

The lab provisioning can be expected to take 10-15 minutes.

 

 

Open Google Chrome

 

  1. Click on the Chrome Icon on the Windows Quick Launch Task Bar.

 

 

Account Information Homepage

 

The Chrome homepage has been set to the Account Information and lab provisioning status page.

  1. Type the Email Address you used to sign up for the lab.
  2. Type VMware1! for the Password.
  3. Click Login.

 

 

Lab Provisioning Complete

 

The Account Information page will display when the provisioning process is complete. This process can take 10 - 15 minutes. We will refer back to this page frequently in the lab modules.

 

Establish VPN Connectivity to Public Clouds


VPN connectivity to both AWS and Azure is being established for this lab. We will validate access to our Web front end via a simple ping.

Note: If either of the ping tests are unsuccessful, please request assistance before moving forward in the lab.


 

Open Command Prompt

 

  1. Click on the Command Prompt Icon on the Windows Quick Launch Task Bar.

 

 

Ping Azure Web Instance

 

  1. Type the following command to ping the Azure web front end instance for connectivity:

ping 172.18.10.4

 

 

Azure Connectivity Established

 

Connectivity is established with Azure if we receive replies.

 

 

Ping AWS Web Instance

 

  1. Type the following command to ping the AWS web front end instance for connectivity:

ping 172.15.10.4

 

 

AWS Connectivity Established

 

Connectivity is established with AWS if we receive replies.

 

Overview of On-Premises Environment


The on-premises data center environment contains both the NSX management and control plane components as well as various VMs for the application we will be securing in this lab.


 

On-Premises Topology

 

Our HOL vPod environment is acting as our on-premises data center environment. We have deployed the NSX Management and Control Plane components. In addition, we have also deployed the 4 application and database VMs that will support the front end web VMs that are running in our AWS and Azure environments.

Note: The NSX deployment has been minimized for lab purposes only in order to reduce the lab start times. It is not a recommended or supported deployment model.

 

 

Open a new browser tab

 

  1. Click the Empty Tab in Google Chrome to open a new browser tab.

 

 

Open vCenter

 

  1. Click the vCenter bookmark.

 

 

Login to vCenter

 

  1. Select "Always open these types of links in the associated app".
  2. Click on "Open vmware-cip-launcher.exe"

 

  1. Click "Use Windows session authentication"
  2. Click Login.

 

 

Expand Inventory

 

  1. Click to expand RegionA01.
  2. Click to expand RegionA01-COMP01.

 

 

VM Inventory

We can see VMs are running in our on-premises data center.

  1. The two on-premises application VMs have been deployed.

Note: The NSX VM functionality will be explored in Module 3.

 

Overview of Microsoft Azure Environment


We will review the Microsoft Azure application components that have been configured in the lab environment.


 

Compute Virtual Network

 

In the Compute VNET in Azure, the following components have been configured:

Azure Services

Application web tier VM

The NSX Cloud Gateway depicted will be deployed as part of the lab exercises.

 

Microsoft Azure Management Console Access


A web front end application virtual machine for this lab is running in Azure. Throughout this lab it will be necessary to access the Azure management console to verify inventory and configurations. This lesson will establish access to the Azure management console.


 

Accessing Azure Management Console

 

  1. Click on the Account Information tab that was previously opened. If this tab was closed, open another tab and click on the Account Info bookmark.

 

 

Locate the Azure Management Console URL

 

  1. Click the Console URL to open a new browser tab and connect to the Azure Management Console.

 

 

Enter the Azure Email

 

  1. Copy or type the Azure account email address (Username) from the Account Information Page.
  2. Click Next.

 

 

 

Enter the Azure Password

 

  1. Copy or type the Azure account password from the Account Information Page.
  2. Click Sign In.

 

 

 

Do Not Remain Signed In

 

  1. If presented with this screen, Click No.

 

 

Azure Management Console

 

The Azure management console page will appear.

 

Review of Microsoft Azure Inventory


In this lesson we will review the Microsoft Azure components that are part of the solution:

Please Note: Some Azure inventory screens may show deleted, terminated, detached, etc. entries that differ from the screenshots. These are items from the previous lab deployment that have been removed, but not yet cleared from, the Azure UI.


 

Review Configured Virtual Networks

 

  1. Click Virtual networks in the Azure management console.

 

 

Review Configured Virtual Networks

 

There are two Virtual Networks configured in this Azure Region where the application virtual machines are deployed.

  1. Click the Home link

 

 

Click Virtual Machines

 

  1. Click Virtual machines in the Azure console.

 

 

Review Azure Application VMs

 

There are multiple VMs running for this lab:

 

 

Select the Web VM

 

  1. Click the abCartWeb01 virtual machine.

 

 

Click Networking

 

  1. Click Networking.

 

 

Configured Network Security Groups

 

 

There is one Network Security Group configured. We will look at the configured rules in more depth in Module 2.

 

Overview of Amazon Web Services Environment


We will review the Amazon Web Services application components that have been configured in the lab environment.


 

Compute VPC

 

In the Compute VPC in AWS, the following components have been configured:

AWS Services

Application web tier instance

The NSX Cloud Gateway depicted will be deployed as part of the lab exercises.

 

Amazon Web Services Management Console Access


A web front end application instance for this lab is running in Amazon Web Services. Throughout this lab it will be necessary to access the AWS management console to verify inventory and configurations. This lesson will establish access to the AWS management console.


 

Accessing AWS Management Console

 

  1. Click on the Account Information tab that was previously opened. If this tab was closed, open another tab and click on the Account Info bookmark.

 

 

Locate the AWS Management Console URL

 

  1. Click the Console URL to open a new browser tab and connect to the AWS Management Console.

 

 

Log in to the AWS Console

 

  1. Type vmware_hol_user for the IAM User Name. Note: The Account will vary between lab environments.
  2. Type or copy the Password from the Account Information page.
  3. Click the Sign In button.

 

 

 

AWS Management Console

 

The AWS management console page will appear.

 

 

Zoom Browser

 

To improve readability of the various screens in this lab, it is recommended that you adjust the Zoom setting in Google Chrome to at least 90%.

  1. Click the Three Dots in the upper right hand corner of the browser for the drop down menu.
  2. Click '-' next to Zoom to adjust the setting to 90%.

 

 

Select Region

 

Verify that the console is viewing North California region resources. If a different region is selected, the lab resources will not be displayed.

  1. Click the Region Name to the left of Support in the upper right.
  2. Select US West (N. California).

 

Review of Amazon Web Services Inventory


In this lesson we will review the Amazon Web Services and NSX components that are part of the solution:

Please Note: Some AWS inventory screens may show deleted, terminated, detached, etc. entries that differ from the screenshots. These are items from the previous lab deployment that have been removed, but not yet cleared from, the AWS UI.


 

Review Configured Virtual Private Clouds

 

  1. Click Services in the upper left corner of the AWS management console.
  2. Click VPC under Network & Content Delivery.

 

 

Click Your VPCs

 

  1. Click Your VPCs under VPC Dashboard on the left.

 

 

Review Configured VPCs

 

There are two VPCs configured in this AWS Region where the application instance is deployed. The VPC IDs will be different for each lab pod.

 

 

Click Security Groups

 

  1. Click on Security Groups on the left under Security.

 

 

Review Configured Security Groups

 

There are (4) Security Groups configured for the VPCs to allow EC2 instances to communicate in and out of the VPCs.  We will look at the configured rules in more depth in Module 2.

 

 

Click EC2

 

  1. Click Services in the upper left corner of the AWS console.
  2. Click EC2 under Compute.

 

 

Click Instances

 

  1. Click Instances under EC2 Dashboard on the left.

 

 

Acknowledge UI Changes

 

  1. If presented to you, click the X to close out the notification.

 

 

Expand Column

 

  1. Click and Drag the column handle to expand the Name column.

 

 

Review NSX EC2 Instances

 

There are multiple EC2 instances running for this lab:

 

Conclusion


This completes Module 1. By successfully logging in to the management console of each location, we have reviewed the components of the solution that are deployed in our multi-cloud environment to support our application:


 

Congratulations, you've finished Module 1

Proceed to Module 2 to validate the application functionality. You may also proceed to any other module of interest.

 

Module 2 - Verify Application Functionality (15 minutes)

Introduction


In the lab scenario, a multi-service application has been deployed by an application developer into Amazon Web Services and Microsoft Azure. The majority of the application's services have been deployed in the on-premises data center. An additional instance has been deployed in both AWS and Azure for the web front end.


 

ABcart Hybrid Application Diagram

 

Our application consists of multiple services that are deployed across our on-premises location as well as Amazon Web Services and Microsoft Azure.

An instance of the frontend service will be deployed in AWS and Azure. The remaining API and DB services will be running in our on-premises data center.

 

 

Native Public Cloud Application Diagram

 

OpenMRS has (2) tiers: a Web tier and a DB tier. Both tiers are running in public cloud (AWS & Azure).

 

Review Security Policies


We will look at the security policies that were applied to the application web front end when the developer deployed it. Since NSX has not been deployed, the security policies that are applied are what have been configured in Amazon Web Services and Microsoft Azure.

The on-premises application virtual machines do not have any security policies applied. They will also be secured during the NSX deployment and configuration.


 

Open Google Chrome

 

  1. Click on the Chrome Icon on the Windows Quick Launch Task Bar (or open Chrome if it is already running).

 

 

Account Information Homepage

 

The Chrome homepage has been set to the Account Information and lab provisioning status page. If you've completed the previous lesson you can click on the account information tab that is open and proceed to the next step.

  1. Type the Email Address you used to sign up for the lab.
  2. Type VMware1! for the Password.
  3. Click Login.

 

 

Lab Provisioning Complete

 

The Account Information page will display when the provisioning process is complete. This process can take 10 - 15 minutes. We will refer back to this page frequently in the lab modules.

 

 

Locate the AWS Management Console URL

 

  1. Click the Console URL to open a new browser tab and connect to the AWS Management Console (or click on the open AWS tab in Chrome if you've already logged in).

 

 

Log in to the AWS Console

 

  1. Type vmware_hol_user for the IAM User Name.
  2. Type or copy the Password from the Account Information Page.
  3. Click the Sign In button.

 

 

 

Zoom Browser

 

To improve readability of the various screens in this lab, it is recommended that you adjust the Zoom setting in Google Chrome to at least 90%.

  1. Click the Three Dots in the upper right hand corner of the browser for the drop down menu.
  2. Click '-' next to Zoom to adjust the setting to 90%.

 

 

Select Region

 

Verify that the console is viewing North California region resources.

  1. Click the Region Name to the left of Support in the upper right.
  2. Select US West (N. California).

 

 

Navigate to EC2 Dashboard

 

  1. Click Services in the upper left corner of the AWS console.
  2. Click EC2 under Compute.

 

 

Navigate to the Deployed Instances

 

  1. Click Instances under EC2 Dashboard on the left.

 

 

Acknowledge UI Changes

 

  1. If presented to you, click the X to close out the notification.

 

 

Expand Column

 

  1. Click and Drag the column handle to expand the Name column.

 

 

Select the ab_cart-web01 Instance

 

  1. Select the ab_cart-web01 instance.

 

 

Open the Inbound Rules

 

  1. Click view inbound rules at the bottom of the screen in the Description tab for that instance. This instance has been configured with an AWS Security Group for the Compute-VPC.

 

 

Review the Configured AWS Security Policies

 

A list of policies that apply to this instance is displayed. Web and SSH traffic are allowed from the HOL Main Console (Source IP ranges may vary). All traffic is allowed within the AWS VPC environment.
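The review described above can also be done in code; the following is an added example, not part of the original lab manual. It audits security group rules in the shape returned by `aws ec2 describe-security-groups` and flags the "all traffic within the VPC" pattern that micro-segmentation is meant to replace. The group IDs, the VPC CIDR `172.15.0.0/16`, the console source range and the second group are constructed assumptions, not values from the lab.

```python
import ipaddress
import json

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
# The first group mirrors the rules described in the lab text; the second is a
# constructed contrast case. IDs and address ranges are illustrative only.
SAMPLE = json.loads("""
{
  "SecurityGroups": [
    {"GroupId": "sg-0exampleweb", "GroupName": "compute-vpc-web",
     "IpPermissions": [
       {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
        "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "UserIdGroupPairs": []},
       {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
        "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "UserIdGroupPairs": []},
       {"IpProtocol": "-1",
        "IpRanges": [{"CidrIp": "172.15.0.0/16"}], "UserIdGroupPairs": []}
     ]},
    {"GroupId": "sg-0exampledb", "GroupName": "compute-vpc-db",
     "IpPermissions": [
       {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
       {"IpProtocol": "-1", "IpRanges": [],
        "UserIdGroupPairs": [{"GroupId": "sg-0exampleweb"}]}
     ]}
  ]
}
""")

VPC_CIDR = ipaddress.ip_network("172.15.0.0/16")  # assumed CIDR of the Compute VPC
ADMIN_PORTS = {22, 3389}                          # SSH and RDP


def sources(perm):
    """Yield each source of a rule as ('cidr', network) or ('group', group_id)."""
    for r in perm.get("IpRanges", []):
        yield "cidr", ipaddress.ip_network(r["CidrIp"])
    for r in perm.get("Ipv6Ranges", []):
        yield "cidr", ipaddress.ip_network(r["CidrIpv6"])
    for pair in perm.get("UserIdGroupPairs", []):
        yield "group", pair["GroupId"]


def covers_port(perm, port):
    """True if the rule admits TCP traffic to `port` (protocol -1 admits everything)."""
    if perm["IpProtocol"] == "-1":
        return True
    if perm["IpProtocol"] != "tcp":
        return False
    return perm["FromPort"] <= port <= perm["ToPort"]


def audit(groups, vpc_cidr):
    """Return (group_id, finding, detail) tuples for overly broad inbound rules."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            all_traffic = perm["IpProtocol"] == "-1"
            for kind, src in sources(perm):
                # A group reference or a CIDR inside the VPC is east-west traffic.
                internal = kind == "group" or (
                    src.version == vpc_cidr.version and src.subnet_of(vpc_cidr))
                anywhere = kind == "cidr" and src.prefixlen == 0
                if all_traffic and internal:
                    # Every port and protocol open between workloads.
                    findings.append((sg["GroupId"], "EAST_WEST_ANY", str(src)))
                elif all_traffic:
                    findings.append((sg["GroupId"], "ANY_FROM_EXTERNAL", str(src)))
                elif anywhere:
                    exposed = sorted(p for p in ADMIN_PORTS if covers_port(perm, p))
                    if exposed:
                        findings.append((sg["GroupId"], "ADMIN_PORT_FROM_ANYWHERE",
                                         f"{src} -> {exposed}"))
    return findings


if __name__ == "__main__":
    for group_id, finding, detail in audit(SAMPLE["SecurityGroups"], VPC_CIDR):
        print(f"{group_id:16} {finding:26} {detail}")
```

Scoped rules such as web and SSH from a single management range produce no finding; only the rules that leave every port open between workloads, or an admin port open to any address, are reported.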

 

 

Open Account Information Tab

 

  1. Click on the Account Info tab in Google Chrome.

 

 

Locate the Azure Management Console URL

 

  1. Click the Console URL to open a new browser tab and connect to the Azure Management Console (or click on the open Azure tab in Chrome if you've already logged in).

 

 

Enter the Azure Email

 

  1. Copy or type the Azure account email address from the Account Information Page.
  2. Click Next.

 

 

 

Enter the Azure Password

 

  1. Copy or type the Azure account password from the Account Information Page.
  2. Click Sign In.

 

 

 

Do Not Remain Signed In

 

  1. If presented with this screen, Click No.

 

 

Azure Management Console

 

The Azure management console page will appear.

 

 

Click Virtual Machines

 

  1. Click Virtual machines in the Azure console.

 

 

Select the Web VM

 

  1. Click the abCartWeb01 virtual machine.

 

 

Click Networking

 

  1. Click Networking.

 

 

Configured Network Security Groups

 

 

A list of policies that apply to this virtual machine is displayed. Web and SSH traffic are allowed from the HOL Main Console (Source IP ranges may vary). All traffic between application virtual machines is allowed within the Virtual Network environment.

 

Azure Application Validation


A web front end for the application has been deployed by a developer in Microsoft Azure. NSX will be used to secure this application in upcoming lessons. We will validate the pre-NSX functionality of the application.


 

Accessing Account Information

 

  1. Click on the Account Information tab that was previously opened. If this tab was closed, open another tab and click on the Account Info bookmark.

 

 

Locate the Web Instance Information

 

  1. Click on the Azure Web Frontend Instance Public URL link to open a new browser tab and connect to the application.

 

 

Verify ABcart Hybrid Application is Functioning

 

Verify that the application is functioning. The IP address of the server presenting the page is noted. All application components are properly communicating between Azure and our on-premises data center.

 

 

OpenMRS Application (Native Azure Application)

 

  1. Click on the URL to launch the OpenMRS application (Native public cloud).

 

 

Verify OpenMRS Application is Functioning

 

NOTE: In some cases the OpenMRS web UI shows the error "OpenMRS is not able to start." This happens when the DB VM takes too long to boot up in Azure. This error will not affect the exercises or functionality of this lab. Please continue with the lab.

 

AWS Application Validation


A web front end for the application has been deployed by a developer in Amazon Web Services. NSX will be used to secure this application in upcoming lessons. We will validate the pre-NSX functionality of the application.


 

Accessing Account Information

 

  1. Click on the Account Information tab that was previously opened. If this tab was closed, open another tab and click on the Account Info bookmark.

 

 

Locate the Web Instance Information

 

  1. Click on the AWS AB Cart Web Frontend Instance Public URL link to open a new browser tab and connect to the application.

 

 

Verify ABcart Hybrid Application is Functioning

 

Verify that the application is functioning. The IP address of the server presenting the page is noted. The web front end is working and all application components are properly communicating between AWS and our on-premises data center.

 

 

Verify OpenMRS Native AWS Application

 

 

Locate the Web Instance Information

 

  1. Click on the AWS Open MRS Web Frontend Instance Public URL link to open a new browser tab and connect to the application.

 

 

Verify OpenMRS Application is Functioning

 

 

Conclusion


This completes Module 2. We have validated that the application is functioning within the on-premises datacenter, AWS, and Azure. Through the review of the security policies that were applied, we discovered the application has components that are exposed to unnecessary access and potentially malicious attacks. Lastly, we used a common security scanner to validate these open ports and available access.


 

Congratulations, you've finished Module 2

Proceed to Module 3 for an Introduction to the NSX Management Components. You may also proceed to any other module of interest.

 

Module 3 - Introduction to NSX Management Components (15 minutes)

Introduction


As part of the VMware NSX Cloud solution, separate virtual machines are deployed in our on-premises data center environment to support the Management and Operations User Interface for the solution. These instances are:

NSX Cloud Services Manager manages the complete lifecycle of deployed NSX components in AWS and Azure, and provides a unified view between NSX Manager and the public cloud inventory. Other functions of NSX Cloud Services Manager include:

NSX Manager provides the graphical user interface (GUI) and the REST APIs for creating, configuring, and monitoring NSX components such as the NSX controllers and logical switches. NSX Manager is the management plane for the NSX eco-system. It provides an aggregated view and is the centralized network management component of NSX. It provides a method for monitoring and troubleshooting workloads attached to virtual networks created by NSX. It provides configuration and orchestration of:


Lab Validation


This module requires connectivity to Microsoft Azure and Amazon Web Services in order to complete the lessons. We will take a few moments to validate this connectivity, particularly if the prior three modules were not completed.


 

Lab Must Be In Ready State

 

Please check to see that your lab has finished all the startup routines and is ready for you to start. If you see anything other than "Ready", please wait a few minutes.  If after 5 minutes your lab has not changed to "Ready", please ask for assistance.

Proceeding when the lab is not "Ready" will result in a non-functional lab.

 

 

Lab provisioning status page

The AWS and Azure portions of the lab provisioning are currently completing. A webpage has been provided that displays the status of the lab resources that are being provisioned on AWS and Azure as part of this lab startup.

NOTE: The resources provisioned in Amazon Web Services and Microsoft Azure are accessible only from the Main Console of the HOL environment.

The lab provisioning can be expected to take 10-15 minutes.

 

 

Open Google Chrome

 

  1. Click on the Chrome Icon on the Windows Quick Launch Task Bar.

 

 

Account Information Homepage

 

The Chrome homepage has been set to the Account Information and lab provisioning status page.

  1. Type the Email Address you used to sign up for the lab.
  2. Type VMware1! for the Password.
  3. Click Login.

 

 

Lab Provisioning Complete

 

The Account Information page will display when the provisioning process is complete. This process can take 10 - 15 minutes. We will refer back to this page frequently in the lab modules.

 

Perform log in to NSX Cloud Services Manager


One function of the NSX Cloud Services Manager is to provide a unified view of the inventory between NSX and the public cloud environments. In this lesson we will log in to the NSX Cloud Services Manager.


 

Open a new browser tab

 

  1. Click the Empty Tab in Google Chrome to open a new browser tab.

 

 

NSX Cloud Services Manager Bookmark

 

  1. Click the CSM bookmark to connect to the NSX Cloud Services Manager console.

 

 

Log in to NSX Cloud Services Manager

 

  1. Type admin for the Username.
  2. Type VMware1!VMware1! for the Password.
  3. Click Log In.

 

Review configured AWS account and inventory


NSX Cloud Services Manager provides a unified view of NSX and AWS inventory. We will review the inventory reported by NSX Cloud Services Manager and compare it to the AWS inventory.


 

CSM Configuration and Inventory

 

  1. Click Clouds.
  2. Click AWS.

 

 

Review AWS Account Information

 

The AWS account information has been configured in Cloud Services Manager. This information will be different for each lab pod.

 

 

Review Number of Configured VPCs

 

There are multiple VPCs configured in this AWS account, across the various Regions.

 

 

Review Number of Configured Instances

 

There are 5 instances running in this AWS account.

 

 

Click VPCs

 

  1. Click VPCs.

 

 

Narrow down the view of VPCs

 

  1. Select us-west-1 from the Region pull down menu to narrow down the view of VPCs.

 

 

 

Review VPCs

 

These are the VPCs we saw in the AWS inventory in previous lessons.

 

 

Confirm VPC is not Managed by NSX

 

The Compute VPC reports a Status of "NSX Managed - No." Later in this lab we will deploy NSX components in this VPC to manage the running AWS EC2 instances.

 

 

Click Instances

 

  1. Click Instances.

 

 

Confirm Instances are not Managed by NSX

 

The AWS EC2 instances for the applications that were reported in the AWS inventory are listed. The NSX State circle is not green because NSX components have not been deployed.

 

Review configured Azure account and inventory


NSX Cloud Services Manager provides a unified view of NSX and Azure inventory. We will review the inventory reported by NSX Cloud Services Manager and compare it to the Azure inventory.


 

CSM Configuration and Inventory

 

  1. Click Azure on the left.

 

 

Review Azure Account Information

 

The Azure account information has been configured in Cloud Services Manager. This information will be different for each lab pod.

 

 

Review Number of Configured VNets

 

There is one Virtual Network configured in this Azure account.

 

 

Review Number of Configured Instances

 

There are 5 instances running in this Azure account.

 

 

Click VNets

 

  1. Click VNets.

 

 

Review VNet

 

This is the VNet we saw in the Azure inventory in previous lessons.

 

 

Confirm VNet is not Managed by NSX

 

The VNet reports a Status of "NSX Managed - No." Later in this lab we will deploy NSX components in this VNet to manage the running Azure virtual machines.

 

 

Click Instances

 

  1. Click Instances.

 

 

Confirm Instances are not Managed by NSX

 

The Azure virtual machines for the applications that were reported in the Azure inventory are listed. The NSX State circle is not green because NSX components have not been deployed.

 

Perform log in to NSX Manager


As the centralized management plane for the solution, we will be using NSX Manager to configure security policies for our application, as well as to validate the successful deployment of NSX in Amazon Web Services and Microsoft Azure. In this lesson we will log in to NSX Manager.


 

Open a new browser tab

 

  1. Click the Empty Tab in Google Chrome to open a new browser tab.

 

 

NSX Manager Bookmark

 

  1. Click the VMware NSX | Login bookmark to connect to the NSX Manager console.

 

 

Log in to NSX Manager

 

  1. Type admin for the Username.
  2. Type VMware1!VMware1! for the Password.
  3. Click Log In.

 

Review NSX Manager User Interface


In preparation for the configuration of NSX to manage our application, we will walk through several of the NSX Manager User Interface screens to view the current configuration of the lab environment, validate that the NSX management infrastructure is functional, and get familiar with the new HTML5 interface.


 

Click Dashboard

 

  1. Click Monitoring Dashboards.
  2. Click System.

 

 

Management Cluster

 

The Dashboard screen provides a single location to see the status of the various components of the NSX deployment. You can see at a high level if there are any issues with components as well as things like the number of load balancers, firewall rules, and VPN sessions.

For our NSX deployment we can see under System that the Management Cluster is Green. This means that our NSX Manager and NSX Controller nodes are up.

NSX Manager is the management plane component that provides the graphical user interface (GUI) and the REST APIs for creating, configuring, and monitoring NSX components such as controllers, logical switches, firewall policies, and edge service gateways.

NSX Controller is the control plane component that provides advanced distributed state management in our environment.

 

 

Review Fabric Status

There are 2 hosts in the NSX Fabric. We have only prepped one host for NSX at this time.

 

 

 

 

Click Networking

 

  1. Click Networking on the top.
  2. Click Segments on the left.

 

 

Confirm One Logical Switch in Inventory

There is one Logical Switch that has been created for our on-premises VMs.

 

 

Click the Logical Segment

 

  1. Click the expand arrow.
  2. Click on Ports.
  3. Click 2 in front of Segment Ports.

 

 

Check out Logical Ports.

 

Both of our On-Prem virtual machines are connected to this segment.

 

Conclusion


This completes Module 3. We have logged into the NSX Cloud Services Manager (CSM), which acts as the operations user interface for the VMware NSX Cloud solution, and reviewed the AWS and Azure inventories from within NSX CSM. We have also logged into the NSX Manager and reviewed the inventory of NSX objects to confirm only the defaults are present and to gain familiarity with the new HTML5 interface.


 

Congratulations, you've finished Module 3

Proceed to Module 4 to secure the application environment with NSX. You may also proceed to any other module of interest.

 

Module 4 - Securing Hybrid Cloud Applications with NSX (60 minutes)

Introduction


Securing the application in Amazon Web Services (AWS), Microsoft Azure, and the on-premises data center requires security policies for the workloads that will be NSX managed. NSX provides a distributed firewall with logical grouping capabilities to simplify configuration and provide consistency.

After the Central Management Plane (NSX Manager and NSX Cloud Services Manager) has been deployed in the on-premises data center, the following steps are required to secure the application:

  1. An NSX Cloud Gateway is deployed in each cloud environment with workloads to be managed by NSX.
  2. A Cloud Administrator will create Logical Networks and Security Policies using the NSX Manager UI or APIs.
  3. A Cloud Administrator will generate a set of tags in NSX Cloud Services Manager.
  4. A Developer will apply the tags to their workloads in AWS and Azure for consumption of NSX policies at the time of instance creation.
  5. The NSX Agent is installed on each AWS instance and Azure virtual machine to be managed by NSX.

 

Required Security Policies for Hybrid Application

 

The application requires these high level security policies.

 

Lab Validation


This module requires connectivity to Microsoft Azure and Amazon Web Services in order to complete the lessons. We will take a few moments to validate this connectivity, particularly if the prior three modules were not completed.


 

Lab Must Be In Ready State

 

Please check to see that your lab has finished all the startup routines and is ready for you to start. If you see anything other than "Ready", please wait a few minutes. If after 5 minutes your lab has not changed to "Ready", please ask for assistance.

Proceeding when the lab is not "Ready" will result in a non-functional lab.

 

 

Lab provisioning status page

The AWS and Azure portions of the lab provisioning are currently completing. A webpage has been provided that displays the status of the lab resources that are being provisioned on AWS and Azure as part of this lab startup.

NOTE: The resources provisioned in Amazon Web Services and Microsoft Azure are accessible only from the Main Console of the HOL environment.

The lab provisioning can be expected to take 10-15 minutes.

 

 

Open Google Chrome

 

  1. Click on the Chrome Icon on the Windows Quick Launch Task Bar.

 

 

Account Information Homepage

 

The Chrome homepage has been set to the Account Information and lab provisioning status page.

  1. Type the Email Address you used to sign up for the lab.
  2. Type VMware1! for the Password.
  3. Click Login.

 

 

Lab Provisioning Complete

 

The Account Information page will display when the provisioning process is complete. This process can take 10 - 15 minutes. We will refer back to this page frequently in the lab modules.

 

Verify VPN Connectivity to Public Clouds


VPN connectivity to both AWS and Azure is being established for this lab. We will validate access to our Web front end via a simple ping.

Note: If either of the ping tests is unsuccessful, please request assistance before moving forward in the lab.


 

Open Command Prompt

 

  1. Click on the Command Prompt Icon on the Windows Quick Launch Task Bar.

 

 

Ping AWS Web Instance

 

  1. Type the following command to ping the AWS web front end instance for connectivity:  ping 172.15.10.4

 

 

AWS Connectivity Established

 

Connectivity is established with AWS if we receive replies.

 

 

Ping Azure Web Instance

 

  1. Type the following command to ping the Azure web front end instance for connectivity:  ping 172.18.10.4

 

 

Azure Connectivity Established

 

Connectivity is established with Azure if we receive replies.

 

Deploy NSX Cloud Gateway in Amazon Web Services


NSX components need to be deployed to provide security policies for the application instances in Amazon Web Services. The first step is to deploy the NSX Cloud Gateway in the Transit VPC where the application instances are deployed.

As an Edge Transport Node in NSX, the NSX Cloud Gateway provides the following services in each VPC it is deployed:


 

Open Google Chrome

 

  1. Click on the Chrome Icon on the Windows Quick Launch Task Bar (or open Chrome if it is already running).

 

 

Open a new browser tab

 

  1. Click the Empty Tab in Google Chrome to open a new browser tab (or switch to the CSM tab if it is already open).

 

 

NSX Cloud Services Manager Bookmark

 

  1. Click the CSM bookmark to connect to the NSX Cloud Services Manager console.

 

 

Log in to NSX Cloud Services Manager

 

  1. Type admin for the Username.
  2. Type VMware1!VMware1! for the Password.
  3. Click Log In.

 

 

Select AWS Account

 

  1. Click Clouds.
  2. Click AWS.

 

 

Click VPCs

 

  1. Click VPCs at the top.

 

 

Narrow down the view of VPCs

 

  1. Select us-west-1 from the Region pull down menu to narrow down the view of VPCs

 

 

 

Click Actions Pull-Down Menu

 

  1. Click Actions in the Transit-VPC box.
  2. Click Deploy NSX Cloud Gateway.

 

 

Provide NSX Cloud Gateway Configuration Settings

  1. Click PEM File and select nsx-management.
  2. Enable Manage with Agents
  3. Select No Proxy Server
  4. Expand Advanced
  5. Enter AMI ID: ami-083547e7682145126
  6. Click Next.

 

 

 

Configure High Availability Settings

 

The NSX Cloud Gateway supports a High Availability (HA) deployment model. To reduce the amount of time it takes to complete the lab, we will not configure HA.

  1. Uncheck the Enable HA for NSX Cloud Gateway box.
  2. Select your Availability Zone. Note: If the wrong availability zone is selected, the subnet menus for steps 3-5 will be empty.
  3. Select nsx-uplink-subnet for the Uplink Subnet.
  4. Select nsx-downlink-subnet for the Downlink Subnet.
  5. Select nsx-mgmt-subnet for the Management Subnet.
  6. Select Allocate new IP for the Public IP on Mgmt NIC
  7. Select Don't Allocate for the Public IP for Uplink NIC
  8. Click Deploy.

 

 

NSX Cloud Gateway Begins Deployment

 

 

The deployment process begins for this VPC. It can take approximately 7-10 minutes to complete. The deployment progress screen will report on the actions being completed in the process.

Deployment of the NSX Cloud Gateway provides the local control plane for NSX policies in our VPC, as well as an installation location for the NSX Agents that will be deployed in an upcoming lesson.

Continue to the next lesson to configure logical groupings while the NSX Cloud Gateway deployment completes. We will then return to NSX Cloud Services Manager to verify completion.

 

You will see that the Gateway has been deployed. Also check that NSX is managed by the Gateway and that Manage with Agent is On.

If you want to use NSX Native Enforcement, skip the remaining steps in this module and move to Module 5.

 

Installation of NSX Agent in Public Cloud Environments - AWS


To continue the process of securing the web frontends, the NSX Agent must be deployed. The NSX Agent provides the data plane functions within each Amazon Web Services instance or Microsoft Azure virtual machine where it is installed. This includes:

A best practice would be to include the agent in the "gold master" images that are used in an organization's public cloud environment. The NSX Agent can also be installed in existing deployed, or brownfield, instances using a variety of automation methods.

The NSX Agent will be deployed on each of the web frontends via a script. We will show the process in Azure where you can see the location of the installation script, and the command to run. For AWS, we'll show an automated approach where a single script is run to complete the installation.


 

New PuTTY Session

 

  1. Click on the PuTTY Icon in the upper left of the open PuTTY session.

 

 

NSX Agent has been installed

 

 

The NSX Agent installation can take 3-5 minutes to complete.

 

 

 

Applying Tags to the AWS Application


NSX-specific Tags are used to indicate where the EC2 instance's network interface should be logically "attached" in NSX. During attachment, security policies are pushed. Prior to enabling the NSX Agent on the web frontend, we will configure a Tag.


 

Accessing AWS Management Console

 

  1. Click on the Account Information tab that was previously opened. If this tab was closed open another tab and click on the Account Info bookmark.

 

 

Locate the AWS Management Console URL

 

  1. Click the Console URL to open a new browser tab and connect to the AWS Management Console.

 

 

Log in to the AWS Console

 

  1. Type vmware_hol_user for the IAM User Name.
  2. Type or copy the Password from the Account Information Page.
  3. Click the Sign In button.

 

 

 

Select Region

 

Verify that the console is viewing North California region resources.

  1. Click the Region Name to the left of Support in the upper right.
  2. Select US West (N. California).

 

 

Navigate to EC2 Instances

 

  1. Click Services in the upper left corner of the AWS console.
  2. Click EC2 under Compute.

 

 

Click Instances

 

  1. Click Instances in the menu on the left.

 

 

Acknowledge UI Changes

 

  1. If presented to you, click the X to close out the notification.

 

 

Expand Column

 

  1. Click and Drag the column handle to expand the Name column.

 

 

Select the Web instance

 

  1. Select ab_cart-web01

 

 

Click the Tags tab for this instance

 

  1. Click the Tags tab below the list of EC2 instances.
  2. Click Add/Edit Tags.

 

 

Click Create Tag

 

  1. Click Create Tag.
  2. Type nsx.network under Key.
  3. Type default under Value. (Note: Do not use the auto-complete DEFAULT-nsx-compute-security-group that may appear)
  4. Click Save.

 

 

Summary

We have applied the NSX-specific Tag to the web frontend. Once the NSX Agent is deployed, this tag will "attach" the instance to the default NSX Logical Switch that was created during the NSX Cloud Gateway deployment. Security policies will also be applied to this instance.

 

Deploy NSX Cloud Gateway in Azure


NSX components need to be deployed to provide security policies for the application virtual machines in Microsoft Azure. The first step is to deploy the NSX Cloud Gateway in the Compute VNet where the application virtual machines are deployed.

As an Edge Transport Node in NSX, the NSX Cloud Gateway provides the following services in each VNet it is deployed:


 

Select Azure

 

  1. Return to the CSM window and click Clouds on the left.
  2. Select Azure.

 

 

Click VNets

 

  1. Click VNets.

 

 

 

Click Actions Pull-Down Menu

 

  1. In HOL2022-Transit-vNet click Actions drop down.
  2. Click Deploy NSX Cloud Gateway.

 

 

Provide NSX Cloud Gateway Configuration Settings

 

 

  1. Copy the SSH Public Key from the very bottom of the Account Info web page (copy all three lines). Refer to Screenshot above.
  2. Change Manage with Agents to Enabled
  3. Copy the VHD URL from Account info web page after Azure SSH public key
  4. Select No Proxy Server from dropdown
  5. Click Advanced.

 

 

Advanced Settings

 

  1. Select Override Public Cloud Provider's DNS Server.
  2. Type 192.168.110.10
  3. Click Next.

 

 

Configure High Availability Settings

 

The NSX Cloud Gateway supports a High Availability (HA) deployment model. To reduce the amount of time it takes to complete the lab, we will not configure HA.

  1. Uncheck the Enable HA for NSX Cloud Gateway box.
  2. Select nsx-uplink-subnet for the Uplink Subnet.
  3. Select nsx-downlink-subnet for the Downlink Subnet.
  4. Select nsx-mgmt-subnet for the Management Subnet.
  5. Select Allocate new IP for Public IP on Mgmt NIC.
  6. Select Don't Allocate for Public IP on Uplink NIC.
  7. Click Deploy.

 

 

NSX Cloud Gateway Begins Deployment

 

The deployment process begins for this VNet. It can take approximately 10-15 minutes to complete. The deployment progress screen will report on the actions being completed in the process.

Deployment of the NSX Cloud Gateway provides the local control plane for NSX policies in our VNet, as well as an installation location for the NSX Agents that will be deployed in an upcoming lesson.

Continue to the next lesson to configure firewall policies while the NSX Cloud Gateway deployment completes. We will then return to NSX Cloud Services Manager to verify completion.

 

 

Enable Auto Agent Install in Public Cloud Environments - Azure


To continue the process of securing the web frontends, the NSX Agent must be deployed. The NSX Agent provides the data plane functions within each Amazon Web Services instance or Microsoft Azure virtual machine where it is installed. This includes:

A best practice would be to include the agent in the "gold master" images that are used in an organization's public cloud environment. The NSX Agent can also be installed in existing deployed, or brownfield, instances using a variety of automation methods.

The NSX Agent will be deployed on each of the web frontends via a script. We will show the process in Azure where you can see the location of the installation script, and the command to run. For AWS, we'll show an automated approach where a single script is run to complete the installation.


 

Accessing Cloud Service Manager (CSM) UI

 

  1. Click on the Cloud Service Manager (CSM) tab that was previously opened. If this tab was closed, open another tab and click on the CSM bookmark.

 

 

Select Azure

 

  1. Click Clouds on the left.
  2. Click Azure on the left.

 

 

Select HOL2022-Transit-vNet

 

  1. Click VNets.

 

  1. Select tile HOL2022-Transit-vNET

 

 

Edit HOL2022-Transit-vNET configuration

 

  1. Click gear dropdown.
  2. Click Edit Configuration.

 

 

Enable Auto Agent Install

 

  1. Select Auto Agent Install to ON.
  2. Click Save.

Note: With Auto Agent Install enabled in this VNet, all NSX-managed VMs in this VNet will automatically get the NSX agent installed. Currently we don't have any VMs managed by NSX in this VNet.

In the next exercise we will enable a Web VM to be managed by NSX (by adding the NSX tag to that Web VM). After tagging, the NSX Gateway will automatically install the NSX agent on that Web VM.

 

Applying Tags to the Azure Application


NSX-specific Tags are used to indicate where the virtual machine's network interface should be logically "attached" in NSX. During attachment, security policies are pushed. Prior to enabling the NSX Agent on the web front end, we will configure a Tag.


 

Accessing Azure Portal

 

  1. Click on the Account Information tab that was previously opened. If this tab was closed open another tab and click on the Account Info bookmark.

 

 

Locate the Azure Portal URL

 

  1. Click the Console URL to open a new browser tab and connect to the Azure Management Console.

 

 

Enter the Azure Email

 

  1. Copy or type the Azure account email address from the Account Information Page.
  2. Click Next.

 

 

 

Enter the Azure Password

 

  1. Copy or type the Azure account password from the Account Information Page.
  2. Click Sign In.

 

 

 

Do Not Remain Signed In

 

  1. If presented with this screen, Click No.

 

 

Azure Management Console

 

The Azure management console page will appear.

 

 

Click Virtual Machines

 

  1. Click Virtual Machines.

 

 

Click Web VM

 

  1. Click abCartWeb01.

 

 

Click on Tags on left column. Add tags to existing Web server

 

 

 

 

Enter the Tag Information

 

  1. Type nsx.network for Name. (Note: in Azure it is a period vs a colon)
  2. Type default for Value.
  3. Click Save.

NOTE: Tagging this VM with the nsx.network tag notifies the NSX Gateway that this VM is now managed by NSX. Within 1-2 minutes, the NSX Gateway will start installing the NSX tool (agent) on this VM, because we enabled the Auto Agent Install feature in the previous exercise. The agent install happens in the background and takes approximately 5 minutes.

 

 

Summary

We have applied the NSX-specific Tag to the web frontend. Once the NSX Agent is deployed, this tag will "attach" the virtual machine to the default NSX Logical Switch that was created during the NSX Cloud Gateway deployment. Security policies will also be applied to this virtual machine.

 

Create Logical Groupings


NSX is able to leverage contextual information about workloads to create dynamic policy groups. This provides a greatly simplified operational model for security policy management. In this lesson we will review the pre-configured groups and then finish several of them to simplify policy management.

CSM is able to sync cloud inventory information to pull in the tags that have been applied to the cloud workloads. Typically, these tags are added during the deployment of instances and virtual machines in AWS and Azure. Some examples of tags might be the application name, application tier, etc. NSX will also import cloud environment information tags such as VPC or VNet name that can also be used.

These Tags, along with tags that have been applied to our on-premises virtual machines, will be used to create dynamic logical groupings in NSX.


 

Open a new browser tab

 

  1. Click the Empty Tab in Google Chrome to open a new browser tab (or switch to the NSX Manager tab in Chrome if it's already open).

 

 

NSX Manager Bookmark

 

  1. Click the NSX Manager bookmark to connect to the NSX Manager console.

 

 

Log in to NSX Manager

 

  1. Type admin for the Username.
  2. Type VMware1!VMware1! for the Password.
  3. Click Log In.

 

 

Click Groups in the Inventory Menu

 

  1. Click Inventory.
  2. Click Groups.

 

 

Review Created Groups

 

Several groups have already been created to save time in the lab. We will review and then complete the configuration of two of the groups: ABCart-Web and ABCart-App. The ABCart-DB group is already done for you, and in the interest of time we have already tagged the Web, App and DB machines with App-Name and App-Tier.

These will be used in the firewall policies that we will create in section.

 

 

Review ABCart Web Group Membership

 

  1. Select ABCart.
  2. Click View Members.

 

 

Check Group Definition

 

  1. Select Group Definition
  2. Select Criteria
  3. Review Criteria for both OnPrem, AWS and Azure.
  4. Click Close

This shows all machines that are part of the ABCart application (Web, App and DB). Notice that we are leveraging the native tags that NSX discovers from the public cloud inventory (the dis:<cloud>: prefix on those tags) for WebTier.

We will be using tags as membership criteria for all groups.

 

 

Review ABCart App and DB Virtual Machines Tags

 

  1. Click on Inventory
  2. Click on Virtual Machines

 

 

  1. Click on Tags in front of abcart-app01a to review App-Name and App-Tier
  2. Repeat steps for abcart-db01a

The virtual machines running in our on-premises data center and public cloud have tags already applied. We'll use them to complete this group.

 

 

Create ABCart Web membership criteria

 

  1. Click on Inventory.
  2. Click on Groups.

 

 

 

  1. Click on 3 dots on left side of ABCart-Web.
  2. Click on Edit.
  3. Click on Set Members.

 

 

  1. Click on ADD CRITERIA.
  2. Enter Tag equal to web and Scope equal to dis:aws:App-Tier.
  3. Click on + sign.
  4. Enter Tag equal to abcart and Scope equal to dis:aws:App-Name.
  5. Click ADD CRITERIA and Select OR.
  6. Enter Tag equal to web and Scope equal to dis:azure:App-Tier.
  7. Click on + sign.
  8. Enter Tag equal to abcart and Scope equal to dis:azure:App-Name.
  9. Click on Apply.

 

 

Create ABCart App membership criteria

 

 

 

  1. Click on 3 dots on left side of ABCart-App.
  2. Click on Edit.
  3. Click on Set Members

 

  1. Click on ADD CRITERIA.

 

  1. Enter Tag equal to app and Scope equal to App-Tier.
  2. Click on + sign.
  3. Enter Tag equal to abcart and Scope equal to App-Name.
  4. Click on Apply.

 

  1. Click SAVE.

 

 

Verify ABCart-DB Group

 

  1. Click on ABCart-DB Group
  2. Click on View Members

 

  • You will see ABCart-DB Virtual Machine under Effective Members.

 

Please go ahead and also check group definition for tags and scope.
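The membership criteria entered above, modelled as an added Python example (not VMware code and not the NSX API). It assumes conditions added with the + sign inside one criterion are ANDed and that tag and scope match exactly; the inventory is constructed sample data, the ABCart-DB criteria are assumed by analogy, and the workloads other-web01, onprem-web-copy and untagged-vm are hypothetical.

```python
"""Model of the lab's tag-based group criteria (added example, not NSX code)."""

# Each group is a list of criteria; criteria are ORed together.
# Each criterion is a list of (scope, tag) conditions that must ALL match
# (assumption of this sketch for conditions added with the "+" sign).
GROUPS = {
    "ABCart-Web": [
        [("dis:aws:App-Tier", "web"), ("dis:aws:App-Name", "abcart")],
        [("dis:azure:App-Tier", "web"), ("dis:azure:App-Name", "abcart")],
    ],
    "ABCart-App": [
        [("App-Tier", "app"), ("App-Name", "abcart")],
    ],
    # Pre-built in the lab; criteria assumed here by analogy with ABCart-App.
    "ABCart-DB": [
        [("App-Tier", "db"), ("App-Name", "abcart")],
    ],
}

# Constructed inventory: workload name -> set of (scope, tag) pairs.
INVENTORY = {
    "ab_cart-web01": {("dis:aws:App-Tier", "web"), ("dis:aws:App-Name", "abcart")},
    "abCartWeb01": {("dis:azure:App-Tier", "web"), ("dis:azure:App-Name", "abcart")},
    "abcart-app01a": {("App-Tier", "app"), ("App-Name", "abcart")},
    "abcart-db01a": {("App-Tier", "db"), ("App-Name", "abcart")},
    # Hypothetical workloads that must NOT become members of ABCart-Web:
    "other-web01": {("dis:aws:App-Tier", "web"), ("dis:aws:App-Name", "other")},
    "onprem-web-copy": {("App-Tier", "web"), ("App-Name", "abcart")},
    "untagged-vm": set(),
}


def criterion_matches(criterion, tags):
    """True when every (scope, tag) condition of the criterion is present."""
    return all(condition in tags for condition in criterion)


def is_member(group, tags, groups=GROUPS):
    """True when at least one criterion of the group matches the tag set."""
    return any(criterion_matches(c, tags) for c in groups[group])


def effective_members(group, inventory=INVENTORY, groups=GROUPS):
    """Sorted names of the workloads the group's criteria select."""
    return sorted(n for n, tags in inventory.items() if is_member(group, tags, groups))


def groups_of(name, inventory=INVENTORY, groups=GROUPS):
    """Sorted names of the groups a workload belongs to."""
    return sorted(g for g in groups if is_member(g, inventory[name], groups))


def ungrouped(inventory=INVENTORY, groups=GROUPS):
    """Workloads that no group's criteria select (a tagging-audit list)."""
    return sorted(n for n in inventory if not groups_of(n, inventory, groups))


if __name__ == "__main__":
    for group in GROUPS:
        print(f"{group}: {effective_members(group)}")
    print(f"ungrouped: {ungrouped()}")
```

A workload with the right tier tag but the wrong application name, or with the right tags under the wrong scope, stays out of ABCart-Web, so no rule written against that group applies to it.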

 

Validate NSX Deployment


Following the deployment of the NSX components in the Compute-VPC, we will walk through the NSX configuration in NSX Manager and NSX Cloud Services Manager to verify operation.


 

Click System

 

  1. Click System.
  2. Click Fabric on the left.
  3. Click Nodes under fabric.

 

 

Click Edges

 

  1. Click Edge Transport Nodes at the top.

 

 

Expand Column

 

  1. Click and Drag to expand the column width.

 

 

Newly Created Edge Nodes

 

Two Edge nodes have been created, one in each Public Cloud.

Note: Each edge name will be different in each lab.

 

 

Click Edge Clusters

 

  1. Click Edge Clusters at the top.

 

 

Expand Column

 

  1. Click and Drag to expand the column width.

 

 

Newly Created Edge Clusters

 

Two new Edge Clusters have been created (the newly deployed Cloud Gateways).

 

 

Click Networking

 

  1. Click Segments on the left.

 

 

Segment Inventory

 

Four new Logical Switches have been created (a VLAN and Overlay Logical Switch for each Public Cloud). The public cloud instances and virtual machines are being connected to the default VLAN switches in each cloud.

 

 

Click Groups under Inventory

 

  1. Click Inventory.
  2. Click Groups.

 

 

Click the ABCart Group

 

  1. Click View Members in front of ABCart.

 

 

Group members

 

The ABCart group has 3 Virtual Machines as effective members which are shown above.

 

 

VM Tags

 

  1. Click on Inventory.
  2. Click Virtual Machines on left.

 

Check the tags in front of the abCartWeb01 virtual machine. This virtual machine is running in the public cloud.

 

 

All of the tags on that virtual machine are displayed, including the discovered (user-defined) tags that we used in creating the groups earlier.

 

 

Return to NSX Cloud Services Manager

 

  1. Select the NSX Cloud Services Manager browser tab in Google Chrome that was opened previously. Note: The order of browser tabs may differ if you have completed previous Modules.

 

 

CSM Configuration and Inventory

 

  1. Click Clouds.
  2. Click AWS.

 

 

Click Accounts

 

  1. Click Accounts.

 

 

Resync Account

 

To speed up the API refresh of the CSM dashboard, we will force a re-sync of the AWS inventory.

  1. Click Actions.
  2. Click Resync Account.

 

 

Click VPCs

 

  1. Click VPCs.

 

 

Narrow down the view of VPCs

 

  1. Select us-west-1 from the Region pull down menu to narrow down the view of VPCs.

 

 

 

Click Instances

 

  1. Click Instances in the Transit-VPC.

 

 

Application instances are managed by NSX

 

  1. Our Application instances are managed by NSX.
  2. The VPN and Rogue instances did not receive an AWS Tag or an NSX Agent install.

 

 

CSM Configuration and Inventory

 

  1. Click Azure on the left.

 

 

Click Accounts

 

  1. Click Accounts.

 

 

Resync Account

 

To speed up the API refresh of the CSM dashboard, we will force a re-sync of the Azure inventory.

  1. Click Actions.
  2. Click Resync Account.

 

 

Click VNets

 

  1. Click VNets.

 

 

Click Instances

 

  1. Click the Instances.

NOTE: If the instance is shown in red, 'auto agent install' is still installing the NSX agent on this VM. Please wait a couple of minutes and resync the Azure account (as shown in the previous step).

 

 

Application instances are managed by NSX

 

  1. Our Application instance is managed by NSX.
  2. The VPN instance did not receive an Azure Tag or an NSX Agent install.

 

 

Forwarding Policies

As this is a hybrid application with tiers in both public cloud and on-prem DC, we want to ensure that routing is not asymmetric. Hence we need to change our forwarding policies in NSX.

 

Return to the NSX Management window

  1. Click on Networking.
  2. Click on Forwarding Policies.

 

  1. Click arrow to expand the policy section (note: Section ID is dynamic and will be different from screenshot).
  2. Change CloudDefaultRoute of Azure to Route to Underlay.
  3. Change CloudDefaultRoute of AWS to Route to Underlay.
  4. Click Publish.

 

Enable Firewall Policies


NSX is able to create security policies that leverage the dynamic nature of our cloud environments. This provides a more streamlined and operationally consistent deployment model for security policies.


 

Switch to the NSX Manager Browser Tab

 

  1. Select the NSX Manager browser tab in Google Chrome that was opened previously. Note: The order of browser tabs may differ if you have completed previous Modules.

 

 

Click Security Tab in NSX-T

 

  1. Click Security.

 

 

Change Browser Zoom

 

  1. Click the Three Dots in the upper right.
  2. Change the Zoom level to 80% to make the rules more readable.

 

 

Review Configured Policies

 

  1. Click on Security tab.
  2. Click on Distributed Firewall.
  3. Click on Category Specific Rules.
  4. Click on Application.
  5. Expand ABCart Policy.

 

 

Expand ABCart Policy. The security policies that allow our application to function have been pre-created but disabled to save time. We will walk through a brief review of a few points before enabling.  Please review these policies before moving forward.

 

 

App Isolation

 

  1. Verify Applied To:

Note that the ABCart-app group we finished earlier is being used. This will apply this firewall section to only those virtual machines, giving us a mechanism to isolate this application from the rest of the environment.

 

 

Source Destination Groups

 

The groups we reviewed and completed previously are being used as Source and Destination pairs for our application, making policies more dynamic and easier to maintain.

 

 

Traffic Services

 

Services are pre-configured in NSX, simplifying the selection of the traffic types that are required. We are also using a custom Service for HTTP port 8080.

 

 

Logging Enabled

 

  1. Click the Three Dots next to ABCart-Policy at the top.
  2. Click Enable logging for all rules.

 

  1. Verify logging by clicking on settings gear next to any firewall rule.

 

Logging has been turned on for all the rules, and the logs are being sent to the Log Insight deployment.

 

 

Deny All rule

 

The final Deny All rule is set to Drop all other traffic that we aren't explicitly allowing (you will need to scroll down).

 

 

Click Publish to Save the Rules

 

  1. Scroll back up and click Publish on top right to save the rules.

The security policies for the application have been enabled.

We leveraged the groups that we created earlier to simplify the source, destination, and firewall section configuration.

Next we will return to NSX Cloud Services Manager to check on the deployment progress of our NSX Cloud Gateway.

 

 

Return to NSX Cloud Services Manager

 

  1. Select the NSX Cloud Services Manager browser tab in Google Chrome that was opened previously. Note: The order of browser tabs may differ if you have completed previous Modules.

 

Validation of application functionality across multi-cloud environments


Prior to NSX deployment, the application running in Amazon Web Services and Microsoft Azure was left wide open to the Internet and several unneeded ports were exposed as potential attack surfaces. This lesson will revisit the application functionality and test basic connectivity.


 

Accessing Account Information (AWS)

 

  1. Click on the Account Information tab that was previously opened. If this tab was closed open another tab and click on the Account Info bookmark.

 

 

Locate the AWS Web Instance Information

 

  1. Click on the Web Frontend Public URL link to open a new browser tab and connect to the application.

 

 

Verify Application is Functioning

 

Verify that the application is functioning. The web front end is working, and we can further test the rest of the application components:

 

  1. Click Apparel & Accessories.

All application components are properly communicating between AWS and our on-premises data center.

 

 

Accessing Account Information

 

  1. Click on the Account Information tab that was previously opened. If this tab was closed open another tab and click on the Account Info bookmark.

 

 

Locate the Azure Web VM Information (Azure)

 

  1. Click on the Web Frontend Instance Public URL link to open a new browser tab and connect to the application

 

 

Verify Application is Functioning

 

Verify that the application is functioning. The web front end is working, and we can further test the rest of the application components.

 

  1. Click on Makeup.

All application components are properly communicating between Azure and our on-premises data center.

 

NSX Security Enforcement


In this section we will explore how we can provide security enforcement. NSX provides these capabilities via the Distributed Firewall in the hypervisor for on-premises workloads (App and DB) and via the NSX agent running in the Web workloads in the public cloud (AWS and Azure).


 

Log into NSX Manager

 

  1. Click on VMware NSX
  2. Username: admin
  3. Password: VMware1!VMware1!
  4. Click LOG IN

 

 

Review NSX Firewall Rules

 

  1. Click Security.
  2. Click Distributed Firewall.

In the interest of time we have already configured the rules. We will now review them. They use the groups we created in an earlier section.

 

  • Internet to Web: Allow HTTP access to ABcart-Web VM from outside.
  • Web to App: ABcartWeb VM will talk to ABcart App VM on TCP_8080.
  • App to DB: ABcart App VM will talk to ABcart DB VM on MySQL.
  • Deny All: Deny all other communications.

 

 

Firewall Rules Enforcement

We will go ahead and block Internet to Web traffic in the ABCart Policy. This will break the hybrid application.

 

  1. For Internet to Web click on Action Drop down.
  2. Select Reject.
  3. Click Publish.

 

 

Test ABCart Application

 

Click on ABCart URL from Hands on Lab Page.

 

Note - this may take a few minutes to return.

As you can see, we are not able to connect to the web server in AWS. This shows that our rules are being enforced on the web VM running in AWS.

 

Traffic Visibility


NSX provides additional operational tools to give visibility into the traffic occurring in an application environment running in public clouds. We will look at some of the traffic statistic aggregation features of NSX.


 

Switch to the NSX Manager Browser Tab

 

  1. Select the NSX Manager browser tab in Google Chrome that was opened previously. Note: The order of browser tabs may differ if you have completed previous Modules. Enter admin for the username and VMware1!VMware1! for the password if it has timed out.

 

 

Change Browser Zoom

 

  1. Click the Three Dots in the upper right.
  2. Change the Zoom level to 80% to make the next steps more readable.

 

 

Click Security

 

  1. Click Security on top.
  2. Click Distributed Firewall.

 

 

Firewall Statistics

 

  1. Click the Flow Statistics icon on the far right of the first firewall rule.

 

 

Flow Statistics

 

The packets, bytes and number of sessions for this rule are displayed.

 

 

Click Networking

  1. Click Segments on the left.

 

 

 

Click ABcart-PG

 

  1. Expand ABcart-PG.
  2. Click on View Statistics to review then close that window.

 

 

 

 

ABcart-PG review

 

  1. Click Ports.
  2. Click Number after Segment Ports.

 

Click View More.

 

Click Advanced Configuration.

 

  1. Click Monitor to see all traffic statistics on that port.

 

Conclusion


This completes Module 4. The application that was deployed in our hybrid cloud environment has been successfully secured by installing NSX components in Amazon Web Services and Microsoft Azure and applying consistent security policies to the application instances. Visibility and logging options were also explored.


 

Congratulations, you've finished Module 4!

Follow the instructions at the end of this lesson to end the lab. You may also proceed to any other module of interest.

 

Module 5 - Securing Native Cloud Applications with NSX (45 minutes)

Introduction


Securing the application in Amazon Web Services (AWS), Microsoft Azure, and the on-premises data center requires security policies for the workloads that will be NSX managed. NSX provides a distributed firewall with logical grouping capabilities to simplify configuration and provide consistency.

After the Central Management Plane (NSX Manager and NSX Cloud Services Manager) has been deployed in the on-premises data center, the following steps are required to secure the application:

  1. Link Transit-VPC/VNET to Compute VPC/VNET
  2. A Cloud Administrator will create Logical Networks and Security Policies using the NSX Manager UI or APIs.
  3. A Cloud Administrator will generate a set of tags in NSX Cloud Services Manager.
  4. A Developer will apply the tags to their workloads in AWS and Azure for consumption of NSX policies at the time of instance creation.

 

Required Security Policies

 

 

Lab Validation


This module requires connectivity to Microsoft Azure and Amazon Web Services in order to complete the lessons. We will take a few moments to validate this connectivity, particularly if the prior three modules were not completed.


 

Lab Must Be In Ready State

 

Please check that your lab has finished all the startup routines and is ready for you to start. If you see anything other than "Ready", please wait a few minutes. If after 5 minutes your lab has not changed to "Ready", please ask for assistance.

Proceeding when the lab is not "Ready" will result in a non-functional lab.

 

 

Lab provisioning status page

The AWS and Azure portions of the lab provisioning are currently completing. A webpage has been provided that displays the status of the lab resources that are being provisioned on AWS and Azure as part of this lab startup.

NOTE: The resources provisioned in Amazon Web Services and Microsoft Azure are accessible only from the Main Console of the HOL environment.

The lab provisioning can be expected to take 10-15 minutes.

 

 

Open Google Chrome

 

  1. Click on the Chrome Icon on the Windows Quick Launch Task Bar.

 

 

Account Information Homepage

 

The Chrome homepage has been set to the Account Information and lab provisioning status page.

  1. Type the Email Address you used to sign up for the lab.
  2. Type VMware1! for the Password.
  3. Click Login.

 

 

Lab Provisioning Complete

 

The Account Information page will display when the provisioning process is complete. This process can take 10 - 15 minutes. We will refer back to this page frequently in the lab modules.

 

Verify VPN Connectivity to Public Clouds


VPN connectivity to both AWS and Azure is being established for this lab. We will validate access to our Web front end via a simple ping.

Note: If either of the ping tests is unsuccessful, please request assistance before moving forward in the lab.


 

Open Command Prompt

 

  1. Click on the Command Prompt Icon on the Windows Quick Launch Task Bar.

 

 

Ping AWS Web Instance

 

  1. Type the following command to ping the AWS web front end instance for connectivity:  ping 172.15.10.4

 

 

AWS Connectivity Established

 

Connectivity is established with AWS if we receive replies.

 

 

Ping Azure Web Instance

 

  1. Type the following command to ping the Azure web front end instance for connectivity:  ping 172.18.10.4

 

 

Azure Connectivity Established

 

Connectivity is established with Azure if we receive replies.

 

Deploy NSX Cloud Gateway in Amazon Web Services


NSX components need to be deployed to provide security policies for the application instances in Amazon Web Services. The first step is to deploy the NSX Cloud Gateway in the Transit VPC where the application instances are deployed.

As an Edge Transport Node in NSX, the NSX Cloud Gateway provides the following services in each VPC it is deployed:

Important Note: If you have already deployed the Public Cloud Gateway in AWS (from Module 4), skip to here


 

Open Google Chrome

 

  1. Click on the Chrome Icon on the Windows Quick Launch Task Bar (or open Chrome if it is already running).

 

 

Open a new browser tab

 

  1. Click the Empty Tab in Google Chrome to open a new browser tab (or switch to the CSM tab if it is already open).

 

 

NSX Cloud Services Manager Bookmark

 

  1. Click the CSM bookmark to connect to the NSX Cloud Services Manager console.

 

 

Log in to NSX Cloud Services Manager

 

  1. Type admin for the Username.
  2. Type VMware1!VMware1! for the Password.
  3. Click Log In.

 

 

Select AWS Account

 

  1. Click Clouds.
  2. Click AWS.

 

 

Click VPCs

 

  1. Click VPCs at the top.

 

 

Narrow down the view of VPCs

 

  1. Select us-west-1 from the Region pull down menu to narrow down the view of VPCs

 

 

 

Click Actions Pull-Down Menu

 

  1. Click Actions in the Transit-VPC box.
  2. Click Deploy NSX Cloud Gateway.

 

 

Provide NSX Cloud Gateway Configuration Settings

  1. Click PEM File and select nsx-management.
  2. Enable Manage with Agents
  3. Select No Proxy Server
  4. Expand Advanced
  5. Enter AMI ID: ami-083547e7682145126
  6. Click Next.

 

 

 

Configure High Availability Settings

 

The NSX Cloud Gateway supports a High Availability (HA) deployment model. To reduce the amount of time it takes to complete the lab, we will not configure HA.

  1. Uncheck the Enable HA for NSX Cloud Gateway box.
  2. Select your Availability Zone. Note: If the wrong availability zone is selected, the subnet menus for steps 3-5 will be empty.
  3. Select nsx-uplink-subnet for the Uplink Subnet.
  4. Select nsx-downlink-subnet for the Downlink Subnet.
  5. Select nsx-mgmt-subnet for the Management Subnet.
  6. Select Allocate new IP for the Public IP on Mgmt NIC
  7. Select Don't Allocate for the Public IP for Uplink NIC
  8. Click Deploy.

 

 

NSX Cloud Gateway Begins Deployment

 

 

The deployment process begins for this VPC. It can take approximately 7-10 minutes to complete. The deployment progress screen will report on the actions being completed in the process.

Deployment of the NSX Cloud Gateway provides the local control plane for NSX policies in our VPC, as well as an installation location for the NSX Agents that will be deployed later in the lesson.

Continue in the lesson to configure logical groupings while the NSX Cloud Gateway deployment completes. We will then return to NSX Cloud Services Manager to verify completion.

 

You will see that the Gateway has been deployed. Also check that NSX is shown as managed by the Gateway and that Manage with Agent is On.

 

Linking AWS VPCs


Important Note: Please make sure you have deployed NSX Cloud Gateway in Amazon Web Services before moving forward.


 

Log in to CSM

 

 

Log in to CSM.

  1. Type admin for the Username.
  2. Type VMware1!VMware1! for the Password.
  3. Click Log In.

NSX provides an agentless solution for native enforcement. The steps are below.

 

Select Compute-VPC and then link to Transit VPC

 

 

  1. Select Transit-VPC.
  2. Click Next.

 

 

 

Once you have linked Compute-VPC to Transit-VPC, you can see that it is NSX managed by the Transit VPC.

 

 

Log into NSX Manager

 

 

  1. Click on Inventory.
  2. Click on Virtual Machines.

 

You can now see virtual machines running in AWS under NSX manager inventory.

 

Deploy NSX Cloud Gateway in Azure


NSX components need to be deployed to provide security policies for the application virtual machines in Microsoft Azure. The first step is to deploy the NSX Cloud Gateway in the Compute VNet where the application virtual machines are deployed.

As an Edge Transport Node in NSX, the NSX Cloud Gateway provides the following services in each VNet it is deployed:

Important Note: If you have already deployed the Public Cloud Gateway in Azure (from Module 4), skip to here


 

Select Azure

 

  1. Click Clouds on the left.
  2. Click Azure on the left.

 

 

Click VNets

 

  1. Click VNets.

 

 

 

Click Actions Pull-Down Menu

 

  1. Click Actions.
  2. Click Deploy NSX Cloud Gateway.

 

 

Provide NSX Cloud Gateway Configuration Settings

 

 

  1. Copy the SSH Public Key from the very bottom of the Account Info web page (copy all three lines). Refer to Screenshot above.
  2. Change Manage with Agents to Enabled
  3. Copy the VHD URL from Account info web page after Azure SSH public key
  4. Select No Proxy Server from dropdown
  5. Click Advanced.

 

 

Advanced Settings

 

  1. Select Override Public Cloud Provider's DNS Server.
  2. Type 192.168.110.10
  3. Click Next.

 

 

Configure High Availability Settings

 

The NSX Cloud Gateway supports a High Availability (HA) deployment model. To reduce the amount of time it takes to complete the lab, we will not configure HA.

  1. Uncheck the Enable HA for NSX Cloud Gateway box.
  2. Select nsx-uplink-subnet for the Uplink Subnet.
  3. Select nsx-downlink-subnet for the Downlink Subnet.
  4. Select nsx-mgmt-subnet for the Management Subnet.
  5. Select Allocate new IP for Public IP on Mgmt NIC.
  6. Select Don't Allocate for Public IP on Uplink NIC.
  7. Click Deploy.

 

 

NSX Cloud Gateway Begins Deployment

 

The deployment process begins for this VNet. It can take approximately 10-15 minutes to complete. The deployment progress screen will report on the actions being completed in the process.

Deployment of the NSX Cloud Gateway provides the local control plane for NSX policies in our VNet.

 

 

Linking Azure VNets


Important Note: Please make sure you have deployed NSX Cloud Gateway in Azure before moving forward.


 

Log into Cloud Services Manager

 

 

  1. Click on Azure.
  2. Click on Regions.

 

Click on VNets.

 

  1. Once you are on Compute-vNET, click on Actions.
  2. Select Link to Transit VNet.

 

Select Transit-vNET and click Next.

 

 

Linking Transit VNet to Compute vNET.

 

 

Virtual Machines Inventory

 

Assign tags to VMs



 

Assign Tags to EC2 instances in AWS

Log into the AWS Management Console. Credentials are provided on the Hands-on Labs callback page.

 

 

 

  1. Click Services.
  2. Click EC2.

 

There are a total of 6 EC2 instances running. Please click on 6 running instances.

 

  1. Select Open_mrs_web01.
  2. Click on Tags.

 

Click on Add/Edit Tags.

 

  1. Assign openmrs to App-Name.
  2. Assign Web to App-Tier.
  3. Click Save.

 

Repeat the same steps for the Open_mrs_db01 EC2 instance.

 

 

Assign Tags to Azure Virtual Machines

 

 

Log back into Hands on Labs page

 

 

Please click on Virtual Machines on left side.

 

You will see all virtual machines. Please select OpenMRSWeb01.

 

Click on Change to add tags.

 

  1. Create AppName as openmrs.
  2. Create AppTier as web.
  3. Select Save.

 

Follow the same steps to assign tags to openMRSDB01.

 

Grouping in NSX


In this module we will review the NSX groups created based on the tags defined in the previous sections. You will see how these tags are dynamically discovered by NSX Manager and how the virtual machines are assigned to NSX groups based on tag and scope.


 

Verify Groups in NSX

Log into NSX Manager

 

Username: admin

Password: VMware1!VMware1!

 

 

  1. Click on Inventory.
  2. Click on Groups.

 

In the interest of time we have already created groups for our application (OpenMRS), which will leverage Native Security Enforcement. We will review these groups and their group definitions.

 

 

 

Review OpenMRS Group

 

Click on View Members.

Review Virtual Machines. Here you will see all VMs running in both AWS and Azure.

 

Next we will review the group membership criteria (Group Definition). Here you will see that we are using AppName as the membership criterion for both AWS and Azure. The tags are discovered automatically from the running virtual machines. These are the tags we set up in the previous section.

 

As you can see, the Group Definition is Tag equal to OpenMRS and Scope equal to App-Name (discovered from AWS and Azure).

 

 

Review OpenMRS Web Frontend Group

 

Click on View Members.

 

You can see the Web servers from both AWS and Azure here. This provides a consistent security policy for workloads running in both AWS and Azure.

 

Check out the IP Address tab. It shows the IP addresses of both virtual machines: 172.16.x.x is running in AWS and 172.19.x.x in Azure.

 

  1. Click on Group Definition.
  2. Review App-Tier and App-Name tags.

 

 

Review OpenMRS DB Backend Group

 

  1. Click on View Members in front of OpenMRS-DB group.

 

You will see both DB machines running in AWS and Azure in this group. Next we will review group definition.

 

  1. Click on Group Definition.
  2. Review App-Tier and App-Name tags.

 

NSX Firewall Rules



 

The NSX distributed firewall provides security enforcement for workloads in the public cloud. In this section we will configure firewall rules in the NSX distributed firewall.

Log into NSX Manager.

 

 

 

  1. Username is admin.
  2. Password is VMware1!VMware1!.
  3. Click on LOG IN.

 

 

  1. Click on Security.
  2. Click on Distributed Firewall on left.
  3. Click on ADD POLICY.

 

 

  1. Click on New Policy to change name of policy. Change name to OpenMRS-Policy.

 

 

  1. Click on three dots next to OpenMRS-Policy.

 

 

  1. Click on Add Rule.

 

 

 

Change the name of Rule to Web to DB.

 

 

  1. Click on Edit next to Sources.

 

 

  1. Enter openmrs in search bar.
  2. Select OpenMRS-Web group.
  3. Click Apply.

 

 

  1. Click on the Edit icon next to Destinations.

 

 

  1. Enter openmrs in search bar.
  2. Select OpenMRS-DB group.
  3. Click Apply.

 

 

  1. Click on edit icon next to Services.

 

 

  1. Enter mysql in search bar.
  2. Select MySQL service.
  3. Click Apply.

 

 

  1. Click Edit Applied To. This field is used to define scope of Firewall Rules.

 

 

  1. Select Groups.
  2. Enter openmrs in search bar.
  3. Select OpenMRS group.
  4. Click Apply.

This ensures that the rule is applied to all virtual machines that are part of the OpenMRS group, which contains both the web and DB servers.

 

 

  1. Click on 3 dots next to Web to DB rule.
  2. Select Add Rule.

 

 

  1. Change name of rule to Internet to Web.
  2. Click on edit under destination.

 

  1. Enter openmrs in bar above.
  2. Select OpenMRS-Web.
  3. Select Apply.

 

 

  1. Edit Services.

 

 

  1. Enter HTTP in search bar.
  2. Select HTTP as service.
  3. Click APPLY.

 

 

  1. Click on Edit icon next to Applied To.

 

 

  1. Select Groups.
  2. Enter openmrs in search bar.
  3. Select OpenMRS group.
  4. Click Apply

 

 

 

Verify OpenMRS-Policy and Publish

 

 

  1. Click Publish
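
The tag-driven groups and the two OpenMRS-Policy rules built above can be modelled offline to check which flows the policy covers and which workloads a missing tag leaves outside every tier group. This is an added example, not part of the lab or of NSX: the IP addresses, the DB tier tag value, the `web02-missing-tier` VM, the folding of `App-Name`/`AppName` into one scope, and the first-match evaluation are assumptions of the model.

```python
from collections import namedtuple

# Constructed inventory. Tag keys follow the lab (AWS: App-Name/App-Tier,
# Azure: AppName/AppTier); IPs, the DB tier value and the last VM are assumed.
INVENTORY = [
    {"name": "Open_mrs_web01", "ip": "172.16.10.4",
     "tags": {"App-Name": "openmrs", "App-Tier": "Web"}},
    {"name": "Open_mrs_db01", "ip": "172.16.20.4",
     "tags": {"App-Name": "openmrs", "App-Tier": "DB"}},
    {"name": "OpenMRSWeb01", "ip": "172.19.10.4",
     "tags": {"AppName": "openmrs", "AppTier": "web"}},
    {"name": "openMRSDB01", "ip": "172.19.20.4",
     "tags": {"AppName": "openmrs", "AppTier": "db"}},
    {"name": "web02-missing-tier", "ip": "172.16.10.9",
     "tags": {"App-Name": "openmrs"}},
]

# Group criteria as normalized scope -> tag value (all entries must match).
GROUPS = {
    "OpenMRS": {"appname": "openmrs"},
    "OpenMRS-Web": {"appname": "openmrs", "apptier": "web"},
    "OpenMRS-DB": {"appname": "openmrs", "apptier": "db"},
}
SERVICES = {"HTTP": 80, "MySQL": 3306}  # TCP destination ports

# src/dst/applied_to hold a group name; src and dst may also be "Any".
Rule = namedtuple("Rule", "name src dst service action applied_to")


def norm(tags):
    """Fold 'App-Name' and 'AppName' into one scope; compare case-insensitively."""
    return {k.replace("-", "").lower(): v.lower() for k, v in tags.items()}


def members(group):
    """Names of the VMs whose tags satisfy every criterion of the group."""
    want = GROUPS[group]
    return [vm["name"] for vm in INVENTORY
            if all(norm(vm["tags"]).get(k) == v for k, v in want.items())]


def groups_of(ip):
    """Groups the VM with this IP belongs to (empty set for unknown IPs)."""
    name = next((vm["name"] for vm in INVENTORY if vm["ip"] == ip), None)
    return {g for g in GROUPS if name in members(g)}


def openmrs_policy(internet_action="Allow"):
    """The two rules from the lab; the action of Internet to Web is switchable."""
    return [
        Rule("Web to DB", "OpenMRS-Web", "OpenMRS-DB", "MySQL", "Allow", "OpenMRS"),
        Rule("Internet to Web", "Any", "OpenMRS-Web", "HTTP", internet_action, "OpenMRS"),
    ]


def evaluate(rules, src_ip, dst_ip, port):
    """First matching rule wins; return (rule name, action) or (None, 'NO_MATCH')."""
    src_g, dst_g = groups_of(src_ip), groups_of(dst_ip)
    for r in rules:
        in_scope = r.applied_to in (src_g | dst_g)  # Applied To limits the rule
        if (in_scope and r.src in (src_g | {"Any"}) and r.dst in (dst_g | {"Any"})
                and SERVICES[r.service] == port):
            return r.name, r.action
    return None, "NO_MATCH"


def missing_tier():
    """VMs in the OpenMRS group that no tier group, and so no rule, covers."""
    tiered = set(members("OpenMRS-Web")) | set(members("OpenMRS-DB"))
    return [n for n in members("OpenMRS") if n not in tiered]
```

Running `missing_tier()` against a real inventory export before publishing shows which workloads carry the application tag but would match neither tier rule.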

 

Test Native Cloud Application



 

Log into Hands on Labs landing Page

 

You will see login credentials for both Open MRS AWS and Azure.

 

 

Click on AWS Open MRS Frontend URL.

 

Log in using the credentials below.

  1. Username: Admin
  2. Password: VMware1!

 

You will see the login page of the application. Click on Administration.

 

Your application is working properly.

 

NSX Native Firewall Enforcement


In this section we will perform NSX Native Firewall enforcement. This is an agentless approach that enforces security using the native security constructs of the public cloud. We will perform the steps on OpenMRS, our native public cloud application.


 

Log into NSX Manager

 

Log into NSX Manager with the credentials below.

  1. Username: admin
  2. Password: VMware1!VMware1!

 

  1. Click on Security tab at the top.

 

  1. Click on Distributed Firewall.

You will see the firewall rules already created for you under the OpenMRS Policy section.

 

The OpenMRS Policy allows HTTP communication, and MySQL between the Web and DB tiers. Also note that the sources and destinations are the groups we created earlier. This way we can apply the same consistent security policy across both public clouds.

To test the security policies, go ahead and change the action to Reject.

 

  1. Change Internet to Web policy action to Reject.

 

 

Application Connectivity Verification

Log into your Azure Dashboard using the credentials for the Hands-on Lab.

 

 

  1. Click on Virtual Machines.

 

Click on openMRSDB01 virtual machine.

 

  1. Click on Networking on left side.
  2. Click on Inbound Port Rules.
  3. Check Rule 102: a Deny rule has been created.

 

As you can see, the application is not working and the Web VM can no longer talk to the DB tier.

 

Conclusion


This completes Module 5, and the Hands-On Lab. The application that was deployed in our public cloud environment has been successfully secured by installing NSX components in Amazon Web Services and Microsoft Azure and applying consistent security policies to the application instances.


 

Congratulations, you've finished Module 5 and the Hands-On Lab!

Follow the instructions at the end of this lesson to end the lab. You may also proceed to any other module of interest.

 

Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com/ to continue your lab experience online.

Lab SKU: HOL-2022-01-NET

Version: 20200430-180408