Configure Nutanix Flow (EN)

Find out how to configure and use Nutanix Flow

Last updated 08/04/2022

Objective

Nutanix Flow is available on all Hosted Private Cloud Powered by Nutanix offers. It provides microsegmentation: network security policies, applied by the AHV hosts and expressed in terms of categories rather than IP addresses, for one or more clusters managed by Prism Central.

This guide explains how to use Nutanix Flow to secure the network within a Nutanix cluster.

OVHcloud provides services for which you are responsible, with regard to their configuration and management. It is therefore your responsibility to ensure that they work properly.

This guide is designed to assist you as much as possible with common tasks. Nevertheless, we recommend contacting a specialist provider if you experience any difficulties or doubts when it comes to managing, using or setting up a service on a server.

Instructions

Log in to Prism Central.

To connect to a Nutanix cluster, if required, see the Go further section in this guide.

Enabling Nutanix Flow

Click the gear icon in the top right to open the settings.

In the menu on the left, click Microsegmentation.

Tick the Enable Microsegmentation checkbox and click Save.

Microsegmentation is now enabled for the clusters managed by this Prism Central. It can be disabled again from the same page; doing so stops the enforcement of every Flow policy at once, so restrict who can reach this setting.

Category configuration

A category is a key that holds one or more values; an entity is tagged with a category:value pair.

Some categories exist as soon as a cluster is installed and can be modified; you can add others.

Entities such as virtual machines, subnets or images are assigned to categories, and a tool like Flow identifies the members of a policy by category rather than by IP address. A VM therefore keeps its policy when it is migrated or re-addressed, and a VM that is wrongly tagged silently inherits the wrong policy, so category assignment is itself a security-relevant change.

Creating a category

From the main menu, click Categories in the Administration submenu.

Click New Category.

Type the category name in Name and click New value.

Type a name in Value and click the blue validation button on the right.

Click Save.

The new category appears in the category list.

Modifying a category

Select the category to modify (Special-Computers in this example).

Click Update in the Actions menu.

Click New value.

Enter a value in the Value column and click the validation icon.

Click New value again, enter another value in the Value column and click the validation icon.

Click Save to commit the change.

The category is shown in the category dashboard with its two new values.

Assigning a category to a virtual machine

In the main menu, click VMs under Compute & Storage.

Tick the checkbox to the left of the virtual machine.

Click Actions, then Manage Categories.

Type categoryName:value and click the + sign.

Click Save. The virtual machine now belongs to that category and is matched by every Flow policy that targets it.

Assigning a category to multiple VMs

Tick the checkboxes to the left of the virtual machines (three in this example).

Click the Actions menu and select Manage Categories.

Type categoryName:value and click +.

Click Save. The category is applied to all selected virtual machines at once.

Assigning a category to subnets

From the main menu, click Subnets under Network & Security.

Tick the checkboxes to the left of the subnets.

Click the Actions menu and select Manage Categories.

Type categoryName:value and click +.

Click Save.

Network quarantine management

Network quarantine isolates a virtual machine from the entire network (Strict), or restricts it to the forensic and repair tools you explicitly allow in the quarantine rule (Forensic).

VM quarantine

In the main menu, click VMs under Compute & Storage.

Tick the checkbox to the left of the virtual machine.

Click Actions and choose Quarantine VMs from the menu.

Select Forensic as the Quarantine Method and click Quarantine.

The virtual machine is now in quarantine. Being quarantined only tags the VM: its traffic is blocked only once the Quarantine policy is in Enforce mode, which the next section covers.

Customising the network quarantine

Nothing is blocked yet for the quarantined virtual machine, because the quarantine policy is still in Monitoring mode. Follow these steps to configure and enforce it.

From the main menu, click Security Policies in the Network & Security submenu.

Click the number next to Quarantined to list the quarantined virtual machines.

The quarantined VMs are listed in the Name column. Click Close to return to the previous screen.

Click Quarantine under the Name column to edit the rule.

The rule status, shown in the top left-hand corner, is Monitoring.

In Monitoring mode traffic is logged, not blocked. Connections between the quarantined VMs and the rest of the network are drawn as orange lines to rectangles showing the IP address of the source or destination.

Click Enforce in the top right-hand corner to switch from Monitoring mode to Enforcing mode, which blocks traffic.

Type ENFORCE and click Confirm.

The rule status is now Enforced.

Traffic is blocked. Attempts to reach the quarantined VMs now appear as red dotted lines to rectangles showing the IP address of the VM.

Click Update in the top right-hand corner to edit the rule and allow specific flows.

Click Next.

Hover over an incoming connection attempt and click Allow Traffic.

Tick the checkbox to the left of the Source to select the discovered inbound traffic, then click Allow 1 Discovered Traffic to allow only that traffic (ICMP in the example below). Review each discovered flow before allowing it: discovery shows what tried to connect, which may include an attacker's activity, not what should be permitted.

Hover over an outgoing connection attempt and click Allow Traffic.

Tick the checkbox to the left of the Source to select the discovered outbound traffic, then click Allow 1 Discovered Traffic to allow only that traffic.

Allowed traffic is now drawn in grey, blocked traffic in red.

To add a rule manually, without relying on discovery, click Add Source on the left to allow an inbound connection to the quarantine.

Enter the category name and its value under Add source by: Category, then click Add.

The source appears under Configured.

Click + to the left of Quarantine: Forensics.

Allow all traffic and click Save. Allowing all traffic from a category is the widest exception possible; where your forensic tooling needs only a few ports, restrict the rule to those.

Click Add Destination on the right to allow an outbound connection from the quarantine.

Enter the category name and its value under Add destination by: Category, then click Add.

Click + to the right of Quarantine: Forensics.

Allow all traffic and click Save.

Click Next.

Click Save and Enforce to apply the changes to the quarantine rule.

Click Quarantine to view the rule details.

The rule status is Enforced and the Forensic mode has been customised.

A virtual machine quarantined in Strict mode is completely isolated from the network; in Forensic mode it can reach only the sources and destinations defined in the quarantine rule.

Creating an isolation rule

An isolation rule blocks all network communication, in both directions and for every protocol, between the members of two categories (virtual machines or subnets). It has no exceptions; to allow specific ports or services, use an application rule instead.

For more information about managing categories, see the Category configuration section in this guide.

From the main menu, click Security Policies in the Network & Security submenu.

Click Create Security Policy.

Select Isolation Policy and click Create.

Type the rule name in Name and a comment in Purpose, then choose a category under Isolate this category and another category under From this category.

Under Select a Policy mode, select Enforce, then click Save and Enforce. If you do not know what traffic currently crosses between the two categories, select Monitor first, review the discovered flows, then switch the rule to Enforce.

The rule is now active in the list of security rules.

Click the rule name under the Name column to view its details.

The status of the rule shows Enforced, and no connection attempt between the two zones has been detected, as the message No Traffic between them has been discovered indicates.

If a network connection is attempted between the two zones, the message changes to Traffic between them has been discovered.
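The category, category-assignment and isolation-policy steps above, driven through the Prism Central REST API instead of the UI, as an added example. This is not OVHcloud's or Nutanix's code: the /api/nutanix/v3 paths and payload shapes used here (categories, network_security_rules with an isolation_rule, the VM categories_mapping fields) are the v3 API as the editor recalls it and are an assumption to check against the REST API Explorer on your own Prism Central; the Zone1/Zone2 values, the Isolate-Zones rule name and the VM object in the test are made up. The builders are pure functions, so the payloads can be reviewed or version-controlled before anything is sent.

```python
import copy
import json

API = "/api/nutanix/v3"  # Prism Central v3 REST base path (assumption, check your API Explorer)


def category_requests(name, values, description=""):
    """Requests that create a category and its values.

    Returns (method, path, body) tuples. Both calls are idempotent PUTs in the
    v3 API (assumption), so the list can be replayed safely.
    """
    reqs = [("PUT", f"{API}/categories/{name}",
             {"name": name, "description": description})]
    for value in values:
        reqs.append(("PUT", f"{API}/categories/{name}/{value}", {"value": value}))
    return reqs


def category_filter(name, value, kinds=("vm",)):
    """Entity filter selecting every entity of the given kinds tagged name:value.

    This is what 'Isolate this category' / 'From this category' resolve to:
    membership is by category, not by IP address.
    """
    return {"kind_list": list(kinds),
            "type": "CATEGORIES_MATCH_ALL",
            "params": {name: [value]}}


def isolation_policy(name, purpose, isolate, from_, enforce=False):
    """Spec for an Isolation Policy between two (category, value) pairs.

    enforce=False keeps the rule in Monitor mode (flows are discovered and
    logged, nothing is blocked); enforce=True is the UI's 'Save and Enforce'.
    """
    return {
        "api_version": "3.1.0",
        "metadata": {"kind": "network_security_rule"},
        "spec": {
            "name": name,
            "description": purpose,
            "resources": {
                "isolation_rule": {
                    "action": "APPLY" if enforce else "MONITOR",
                    "first_entity_filter": category_filter(*isolate),
                    "second_entity_filter": category_filter(*from_),
                }
            },
        },
    }


def assign_categories(vm, mapping):
    """Body for PUT /vms/{uuid} that adds category values to a VM.

    `vm` is the object returned by GET /vms/{uuid}. The read-only 'status'
    block is dropped and categories are written through categories_mapping
    with use_categories_mapping set, so one category can carry several values
    (assumption about the v3 VM schema). Values already on the VM are kept.
    """
    body = copy.deepcopy(vm)
    body.pop("status", None)
    metadata = body.setdefault("metadata", {})
    merged = {k: list(v) for k, v in metadata.get("categories_mapping", {}).items()}
    for key, values in mapping.items():
        merged[key] = sorted(set(merged.get(key, [])) | set(values))
    metadata["categories_mapping"] = merged
    metadata["use_categories_mapping"] = True
    return body


def send(session, pc_url, method, path, body):
    """Send one request with an authenticated requests.Session.

    Not executed here; pass a Session with auth=(user, password) and, for a
    self-signed Prism Central certificate, verify pointing at its CA bundle.
    """
    response = session.request(method, pc_url + path, json=body)
    response.raise_for_status()
    return response.json()


if __name__ == "__main__":
    # Category from the guide; "Zone1"/"Zone2" are made-up values.
    for method, path, body in category_requests("Special-Computers", ["Zone1", "Zone2"]):
        print(method, path, json.dumps(body))
    policy = isolation_policy("Isolate-Zones", "No traffic between Zone1 and Zone2",
                              ("Special-Computers", "Zone1"),
                              ("Special-Computers", "Zone2"), enforce=True)
    print(json.dumps(policy, indent=2))
```

Running the script prints the requests and the policy spec without contacting anything; wire them through send() with a session authenticated against your Prism Central to apply them. Creating the rule with enforce=False and only later updating its action to APPLY mirrors the Monitor-then-Enforce sequence recommended above.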

Setting up an application rule

An application rule is an allowlist: it defines which source categories may reach the members of an application category, and which destinations those members may reach, on which protocols, ports or services. Once enforced, inbound connections to the application that do not match a source rule are blocked.

This rule can only be used with the category named Applications, which can be edited but not deleted.

For more information about managing categories, see the Category configuration section in this guide.

From the main menu, click Security Policies in the Network & Security submenu.

Click Create Security Policy.

Select Secure Application (App Policy) and click Create.

Enter the rule name in Name and a comment in Purpose, choose an existing application category under Secure this App, and click Next.

Click Add Source on the left.

Choose the category for the VLAN and click Add.

Click + to connect the source to the application.

Select Select a Service, choose the category in Protocol/Service, search for the service name in Port/Service Details, and click Save.

Click Next.

Select Enforce and click Save and Enforce to enable the rule. As with an isolation rule, selecting Monitor first lets you compare the discovered flows with your allowlist before anything is blocked.

The rule you created is in the list of rules. The outbound side of the rule, on the right of the editor, is configured separately; check that it reflects what the application's members are allowed to reach before leaving the rule enforced.
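The application rule above expressed as a Prism Central v3 API spec, together with an audit over a list of policies that flags the two mistakes a reviewer most often finds after the clicks in this guide: a rule saved in Monitor mode that looks active but blocks nothing, and an allowlist direction left at Allow All. This is an added example, not OVHcloud's or Nutanix's code. The app_rule payload shape, the FILTER/ALL peer_specification_type values and the way the UI's Allow All is stored are the v3 API as the editor recalls it (assumption, verify in your Prism Central's REST API Explorer); the Applications:Web, Applications:DB and Special-Computers:Zone1 pairs and the three sample policies are constructed for the example.

```python
API = "/api/nutanix/v3"  # Prism Central v3 REST base path (assumption)


def category_filter(name, value, kinds=("vm",)):
    """Entity filter for every entity of the given kinds tagged name:value."""
    return {"kind_list": list(kinds), "type": "CATEGORIES_MATCH_ALL",
            "params": {name: [value]}}


def port_range(start, end=None):
    return {"start_port": start, "end_port": start if end is None else end}


def allow_entry(peer_filter, protocol, ports=()):
    """One allowlist entry: a peer category on one protocol and port set.

    ports are ints or (start, end) tuples; ICMP and ALL carry no port list.
    """
    entry = {"peer_specification_type": "FILTER",
             "filter": peer_filter, "protocol": protocol}
    if protocol in ("TCP", "UDP"):
        entry[protocol.lower() + "_port_range_list"] = [
            port_range(*p) if isinstance(p, tuple) else port_range(p) for p in ports]
    return entry


def app_policy(name, purpose, app, inbound=(), outbound=(), enforce=False):
    """Spec for a Secure Application policy around the (category, value) app.

    inbound/outbound are lists from allow_entry(); once the rule is enforced,
    traffic not matched by an entry in a direction is blocked in that
    direction. default_internal_policy ALLOW_ALL lets members of the
    application talk to each other.
    """
    return {
        "api_version": "3.1.0",
        "metadata": {"kind": "network_security_rule"},
        "spec": {"name": name, "description": purpose, "resources": {"app_rule": {
            "action": "APPLY" if enforce else "MONITOR",
            "target_group": {"peer_specification_type": "FILTER",
                             "filter": category_filter(*app),
                             "default_internal_policy": "ALLOW_ALL"},
            "inbound_allow_list": list(inbound),
            "outbound_allow_list": list(outbound),
        }}},
    }


RULE_KINDS = ("isolation_rule", "app_rule", "quarantine_rule")


def audit(rules):
    """Findings over rule objects shaped like entity_list from
    POST /network_security_rules/list.

    A rule whose action is not APPLY is in Monitor mode and blocks nothing
    although it appears in the policy list. An allowlist entry with
    peer_specification_type ALL or protocol ALL (how the UI's Allow All is
    stored, assumption) means that direction is not actually restricted.
    """
    findings = []
    for rule in rules:
        name = rule["spec"]["name"]
        resources = rule["spec"]["resources"]
        kind = next((k for k in RULE_KINDS if k in resources), None)
        if kind is None:
            continue
        body = resources[kind]
        if body.get("action") != "APPLY":
            findings.append((name, "Monitor mode: traffic is logged, not blocked"))
        if kind == "app_rule":
            for direction in ("inbound_allow_list", "outbound_allow_list"):
                for entry in body.get(direction, []):
                    if (entry.get("peer_specification_type") == "ALL"
                            or entry.get("protocol") == "ALL"):
                        findings.append((name, direction + " allows ALL peers or protocols"))
    return findings


# Constructed sample of three policies, not data from a real Prism Central.
WEB = ("Applications", "Web")
SAMPLE_RULES = [
    {"spec": {"name": "Isolate-Zones", "resources": {"isolation_rule": {
        "action": "MONITOR",
        "first_entity_filter": category_filter("Special-Computers", "Zone1"),
        "second_entity_filter": category_filter("Special-Computers", "Zone2")}}}},
    app_policy("Web-Open", "inbound left at Allow All", WEB,
               inbound=[{"peer_specification_type": "ALL", "protocol": "ALL"}],
               enforce=True),
    app_policy("Web-Tight", "https from Zone1, postgres to DB", WEB,
               inbound=[allow_entry(category_filter("Special-Computers", "Zone1"), "TCP", [443])],
               outbound=[allow_entry(category_filter("Applications", "DB"), "TCP", [5432])],
               enforce=True),
]

if __name__ == "__main__":
    for name, problem in audit(SAMPLE_RULES):
        print(f"{name}: {problem}")
```

Run against the sample, the audit reports Isolate-Zones (still in Monitor mode) and Web-Open (inbound allows everything) and is silent on Web-Tight. Feeding it the entity_list returned by your Prism Central turns the manual status check described above into something you can run after every policy change.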

Go further

Nutanix hyperconvergence (EN)

Presentation of Nutanix FLOW

Nutanix FLOW security rules

Categories in Nutanix

Join our community of users on https://community.ovh.com/en/.
