Securing VDI workloads with VMware NSX is incredibly easy and quick. In this post, I’ll demonstrate how to implement segmentation for VDI workloads to prevent undesirable and unintended VDI to VDI communications.
In most environments, there are more users than applications and the number of desktops greatly outnumbers servers. Thus, the attack surface for user compute workloads is much larger and poses a much greater risk to the majority of organizations. Being able to quickly and easily implement scalable and dynamic security to prevent VDI to VDI risks is key to any solution and VMware NSX does this without any changes to the user compute workloads or underlying network.
Let’s take a look at what we need to do to create VDI segmentation with VMware NSX for vSphere.
After logging into the vSphere web client, we click on Menu and navigate to Networking and Security. Click the Firewall menu item on the left to display the NSX Distributed Firewall interface. We add a firewall rule section named VDI and then create a blocking rule for VDI to VDI traffic, using NSX Security Groups with dynamic membership based on a string of characters in the VM name, such as “vdi”. We then create an allow rule above the block rule for any intended VDI to VDI communication, which is usually Skype, Slack or the like. Because the firewall evaluates rules top to bottom, the allow rule must sit above the block rule, and only the specific services the desktops legitimately need should be listed in it.
That’s it, folks. It’s that simple. A VDI to VDI block rule based on a string of characters in the name provides dynamic addition of any VDI desktops to the security policy as they are created and destroyed. The flip side is that a desktop whose name does not follow the convention falls outside the group, and therefore outside the policy, so the naming standard is part of the control.
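The following Python model, added here as an illustration and not part of the post or of NSX itself, shows the two mechanisms the procedure relies on: a security group whose membership is computed dynamically from a "name contains" criterion, and first-match rule evaluation where the allow rule sits above the block rule. It also includes the check a defender would run alongside such a policy: comparing the desktops the VDI pool knows about against what the name criterion actually captures, so mis-named desktops that silently fall outside the block rule are surfaced. The inventory, pool list and service labels are constructed for the example, and case-insensitive substring matching is an assumption of this model rather than a statement about NSX's matching semantics.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class VM:
    name: str


@dataclass(frozen=True)
class SecurityGroup:
    """Security group with one dynamic criterion: the VM name contains a string."""
    name: str
    name_contains: str

    def matches(self, vm: VM) -> bool:
        # Assumption for this model: the substring match is case-insensitive.
        return self.name_contains.lower() in vm.name.lower()

    def members(self, inventory: Iterable[VM]) -> List[VM]:
        # Membership is recomputed from the live inventory, so desktops that are
        # created or destroyed join or leave the group without a policy change.
        return [vm for vm in inventory if self.matches(vm)]


@dataclass(frozen=True)
class Rule:
    name: str
    source: Optional[SecurityGroup]          # None means "any"
    destination: Optional[SecurityGroup]     # None means "any"
    services: Optional[FrozenSet[str]]       # None means "any service"
    action: str                              # "allow" or "block"

    def applies(self, src: VM, dst: VM, service: str) -> bool:
        if self.source is not None and not self.source.matches(src):
            return False
        if self.destination is not None and not self.destination.matches(dst):
            return False
        if self.services is not None and service not in self.services:
            return False
        return True


def evaluate(rules: List[Rule], src: VM, dst: VM, service: str,
             default_action: str = "allow") -> Tuple[str, str]:
    """First-match evaluation, top to bottom, returning (action, matched rule name)."""
    for rule in rules:
        if rule.applies(src, dst, service):
            return rule.action, rule.name
    return default_action, "default"


def unprotected_desktops(inventory: Iterable[VM], group: SecurityGroup,
                         pool_desktops: FrozenSet[str]) -> List[str]:
    """Desktops the VDI pool knows about that the name criterion does not capture.

    These are exactly the machines the block rule will never see, so this is the
    check to run whenever the policy depends on a naming convention.
    """
    return [vm.name for vm in inventory
            if vm.name in pool_desktops and not group.matches(vm)]


# The security group from the post: dynamic membership on VM name containing "vdi".
VDI_GROUP = SecurityGroup("SG-VDI", name_contains="vdi")

# Constructed service labels standing in for the collaboration-tool traffic
# (Skype, Slack and the like) that the post allows between desktops.
INTENDED_VDI_SERVICES: FrozenSet[str] = frozenset({"tcp/443", "udp/3478"})

# The VDI section: the allow rule is deliberately placed above the block rule.
VDI_SECTION: List[Rule] = [
    Rule("Allow intended VDI-to-VDI", VDI_GROUP, VDI_GROUP, INTENDED_VDI_SERVICES, "allow"),
    Rule("Block VDI-to-VDI", VDI_GROUP, VDI_GROUP, None, "block"),
]

# Constructed inventory: two conventionally named desktops, one mis-named desktop
# and one application server.
INVENTORY: List[VM] = [
    VM("VDI-Desktop-01"),
    VM("vdi-desktop-02"),
    VM("WIN10-jdoe"),
    VM("APP-SRV-01"),
]

# Constructed list of desktops as the VDI pool (broker) reports them.
POOL_DESKTOPS: FrozenSet[str] = frozenset({"VDI-Desktop-01", "vdi-desktop-02", "WIN10-jdoe"})


if __name__ == "__main__":
    d1, d2, misnamed, srv = INVENTORY
    print("group members:", [vm.name for vm in VDI_GROUP.members(INVENTORY)])
    print("RDP desktop->desktop:", evaluate(VDI_SECTION, d1, d2, "tcp/3389"))
    print("HTTPS desktop->desktop:", evaluate(VDI_SECTION, d1, d2, "tcp/443"))
    print("desktop->server:", evaluate(VDI_SECTION, d1, srv, "tcp/3389"))
    print("mis-named desktop->desktop:", evaluate(VDI_SECTION, misnamed, d1, "tcp/3389"))
    print("desktops outside the policy:",
          unprotected_desktops(INVENTORY, VDI_GROUP, POOL_DESKTOPS))
```

Running the model shows the policy behaving as the post describes for conventionally named desktops (RDP between them is blocked, the listed collaboration services are allowed, desktop-to-server traffic is untouched), while the mis-named desktop reaches the others freely and is reported by the membership check; that last case is why the check belongs next to the rule.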
Check out this video of the entire process and see how you can achieve VDI segmentation in minutes with VMware NSX for vSphere:
There are a large number of VDI environments running NSX for vSphere, because it offered guest endpoint antivirus integrations early in the SDN era, and those integrations are massively beneficial from an architecture and performance standpoint. The same capabilities are now available in NSX Data Center, and new VDI deployments are certainly taking advantage of all the improvements in NSX-T.
With that said, after a bit of thought, it seemed logical to create this blog and demo video in NSX for vSphere. While the process for creating VDI segmentation in NSX Data Center (NSX-T) may vary by a few steps, the implementation is just as simple as in NSX for vSphere. Anyone that’s using NSX Data Center can create the same rules in NSX-T. …and should.
Simple. Quick. Scalable. …that’s VMware NSX.