6.2
When a multi-machine service is provisioned with App isolation, vRealize Automation creates a security
group corresponding to the multi-machine service and assigns the component machines as members of
that security group. The security policy called vRealize Automation App Isolation policy in NSX is created
and applied to the security group. The firewall rules are defined in the security policy to allow only internal
traffic.
Note: When deploying a multi-machine service that uses both an NSX Edge load balancer and the App Isolation
check box option, the dynamically provisioned load balancer is not added to the security group with the
other multi-machine blueprint components. This prevents the load balancer from communicating with the
machines for which it is meant to handle connections. Because Edges are excluded from the NSX
distributed firewall, they cannot be added to security groups. To allow load balancing to function properly,
use another security group or security policy that allows the required traffic into the component VMs for
load balancing.
The vRealize Automation App Isolation policy has a lower precedence compared to other security policies
in NSX. For example, if a multi-machine service contains a Web component machine and an App
component machine and the Web component machine hosts a Web service, then the service must allow
inbound traffic on ports 80 and 443. In this case, users must create a Web security policy in NSX with
firewall rules defined to allow incoming traffic to these ports. In vRealize Automation, users must apply the
Web security policy on the Web component of the multi-machine blueprint.
If the Web component machine needs access to the App component machine using a load balancer on
ports 8080 and 8443, the Web security policy should also include firewall rules to allow outbound traffic to
these ports in addition to the existing firewall rules that allow inbound traffic to ports 80 and 443.
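To make the precedence and membership rules concrete, the following is an added Python model (not vRealize Automation or NSX code) of how these policies decide the flows discussed above: the App Isolation policy permits only traffic within the multi-machine security group, the higher-precedence Web policy admits inbound 80/443 and outbound 8080/8443 toward the load balancer, and the Edge load balancer sits outside the group, so its traffic to the Web component is dropped until the Web policy is applied. Component names, ports and the simplified first-match evaluation are assumptions made for the illustration.

```python
# Constructed model of NSX-style policy evaluation for the App Isolation scenario
# above; names, membership and ports are illustrative, not vRA or NSX code.
from typing import NamedTuple, Optional

class Flow(NamedTuple):
    src: str
    dst: str
    port: int

class Rule(NamedTuple):
    action: str                 # "allow" or "deny"
    src: Optional[frozenset]    # None means "any"
    dst: Optional[frozenset]
    ports: Optional[frozenset]  # None means "any port"

class Policy(NamedTuple):
    name: str
    weight: int                 # higher weight is evaluated first
    rules: tuple

def evaluate(flow, policies):
    """First matching rule wins, walking policies from highest to lowest
    weight (NSX precedence); a flow matching no rule is denied."""
    for pol in sorted(policies, key=lambda p: p.weight, reverse=True):
        for r in pol.rules:
            if ((r.src is None or flow.src in r.src)
                    and (r.dst is None or flow.dst in r.dst)
                    and (r.ports is None or flow.port in r.ports)):
                return r.action, pol.name
    return "deny", "implicit"

# App Isolation group holds only the component VMs; the NSX Edge load balancer
# is excluded from the distributed firewall and so cannot be a member.
MM_GROUP = frozenset({"web-vm", "app-vm"})
WEB, LB = frozenset({"web-vm"}), frozenset({"edge-lb"})
APP_ISOLATION = Policy("vRA App Isolation", 10, (
    Rule("allow", MM_GROUP, MM_GROUP, None),  # internal traffic only
    Rule("deny", None, MM_GROUP, None),       # nothing else in ...
    Rule("deny", MM_GROUP, None, None),       # ... or out
))
WEB_POLICY = Policy("Web", 20, (                # higher precedence than App Isolation
    Rule("allow", None, WEB, frozenset({80, 443})),   # inbound HTTP/HTTPS
    Rule("allow", WEB, LB, frozenset({8080, 8443})),  # outbound to App via the LB
))

def check(policies):
    """Decision for each scenario flow, keyed by (src, dst, port)."""
    flows = [Flow("edge-lb", "web-vm", 80), Flow("web-vm", "edge-lb", 8080),
             Flow("web-vm", "app-vm", 8080), Flow("internet", "web-vm", 22)]
    return {f: evaluate(f, policies)[0] for f in flows}
```

Running `check([APP_ISOLATION])` shows the load balancer's traffic to the Web component denied; adding `WEB_POLICY` to the list flips the 80/443 and 8080/8443 flows to allow while leaving unrelated inbound traffic denied.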
Familiarize yourself with the security features that can be applied to a multi-machine blueprint. See
Applying Security on a Component Machine.
Prerequisites
- Log in to the vRealize Automation console as a tenant administrator or business group manager.
- Create a multi-machine blueprint. See Create a Multi-Machine Blueprint.
- Verify that an IaaS administrator created a vCloud Networking and Security or NSX endpoint. See Create a vSphere Endpoint for Networking and Security Virtualization.
- Verify that the supported version of VMware Tools is installed on the component machines. See the NSX product documentation.
Procedure
1 Select Infrastructure > Blueprints > Blueprints.
2 Locate a multi-machine blueprint with at least one virtual component blueprint.
3 Click the Network tab.
4 Click the App Isolation check box under Security to enable the option.
5 Click OK.
IaaS Integration for Multi-Machine Services
VMware, Inc. 53