Configure Nutanix Flow
Find out how to configure and use Nutanix Flow
Last updated 08/04/2022
Nutanix Flow is available on all Nutanix on OVHcloud offers. This option secures the network of one or more clusters managed by Prism Central.
Learn how to use Nutanix Flow for network security within a Nutanix cluster.
OVHcloud provides services for which you are responsible, with regard to their configuration and management. It is therefore your responsibility to ensure that they work properly.
This guide is designed to assist you as much as possible with common tasks. Nevertheless, we recommend contacting a specialist provider if you experience any difficulties or doubts when it comes to managing, using or setting up a service on a server.
Log in to Prism Central.
To connect to a Nutanix cluster, if required, see the Go further section in this guide.
Click the gear icon in the top right to open the settings.
Click Microsegmentation in the left-hand menu.
Select the Enable Microsegmentation checkbox and click Save.
Microsegmentation is enabled. You can disable it again at any time.
A category is an object that can contain one or more values.
When a cluster is installed, some categories already exist and can be modified; other categories can be added.
Entities such as virtual machines, subnets, or images can be assigned to categories, which are then used by tools such as Flow.
From the main menu, click Categories in the Administration submenu.
Click New Category.
Type the name of the category in Name and click New value.
Type a name in Value and click the blue validation button on the right.
Click Save.
The new category appears in the category list.
Select the Special-Computers category.
Click Update in the Actions menu.
Click New value.
Enter a value in the Value column and click the validation icon.
Click New value.
Enter another value in the Value column and click the validation icon.
Click Save to commit the category change.
The category now appears in the category dashboard with these two new values.
In the main menu, click VMs under Compute & Storage.
Select the virtual machine by ticking the checkbox on the left.
Click Actions, then click Manage Categories.
Type categoryName:value and click the + sign.
Click Save to assign the virtual machine to the category.
Select three virtual machines using the checkboxes on the left.
Click the Actions menu and select Manage Categories.
Type categoryName:value and click +.
Click Save.
From the main menu, click Subnets under Network & Security.
Select the subnets using the checkboxes on the left.
Click the Actions menu and select Manage Categories.
Type categoryName:value and click +.
Click Save.
Network quarantine lets you isolate a virtual machine from the entire network, or give it restricted access to certain repair tools available on the network.
In the main menu, click VMs under Compute & Storage.
Select the virtual machine by ticking the checkbox on the left.
Click Actions and choose Quarantine VMs from the menu.
Select Forensic in Quarantine Method and click Quarantine.
The virtual machine is now in quarantine.
No traffic is blocked for the quarantined virtual machine yet. Follow these steps to configure the quarantine rule.
From the main menu, click Security Policies in the Network & Security submenu.
Click the number next to Quarantined to view the quarantined virtual machines.
The list of quarantined VMs appears in the Name column. Click Close to return to the previous menu.
Click Quarantine below the Name column to edit the rule.
The rule status is Monitoring, as shown in the top left-hand corner.
Traffic is not blocked, only monitored. Connections between the quarantined VMs and the rest of the network are shown as orange lines attached to rectangles representing the source or destination IP address.
Click Enforce in the top right-hand corner to switch from Monitoring mode to Enforcing mode, in which traffic is blocked.
Type ENFORCE and click Confirm.
The rule status is now Enforced.
Traffic is blocked. Attempts to reach the quarantined VMs are shown as red dotted lines to boxes containing the VM's IP address.
Click Update in the top right-hand corner to edit the rule and allow certain network flows.
Click Next.
Move your mouse over an incoming connection attempt and click Allow Traffic.
Select the checkbox to the left of the Source to select the discovered inbound traffic, then click Allow 1 Discovered Traffic to allow only that discovered traffic, such as the ICMP traffic shown below.
Move your mouse over an outgoing connection attempt and click Allow Traffic.
Select the checkbox to the left of the Source to select the discovered outbound traffic, then click Allow 1 Discovered Traffic to allow only that discovered traffic.
The allowed traffic is now shown as grey lines, while blocked traffic remains red.
To create a rule manually without relying on network discovery, click Add Source on the left to allow an incoming connection to the quarantine.
Enter the category name and its value in Add source by: Category, then click Add.
The source appears under Configured.
Click + to the left of Quarantine: Forensics.
Allow all traffic and click Save.
Click Add Destination on the right to allow an outgoing rule from the quarantine.
Enter the category name and its value in Add source by: Category, then click Add.
Click + to the right of Quarantine: Forensics.
Allow all traffic and click Save.
Click Next.
Click Save and Enforce to apply the quarantine rule changes.
Click Quarantine to view the quarantine rule details.
The rule status is Enforced, and the Forensic mode has been customised.
A virtual machine in Strict mode is completely isolated from the network, while in Forensic mode it can reach only the areas defined in the quarantine rule.
An isolation rule blocks network communication between two categories (of virtual machines or subnets).
For more information about managing categories, see the Setting up categories section in this guide.
From the main menu, click Security Policies in the Network & Security submenu.
Click Create Security Policy.
Select Isolation Policy and click Create.
Type the rule name in Name, add a comment in Purpose, choose a category in Isolate this category, then choose another category in From this category.
Select Enforce in Select a Policy mode, then click Save and Enforce.
The rule is now active in the list of security rules.
Click the rule name in the Name column to view its details.
The rule status indicates Enforced, and no connection attempt between the two zones has been detected, as shown by the message: No Traffic between them has been discovered.
If a network connection attempt is detected between the two zones, the message changes to Traffic between them has been discovered.
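The same two-category isolation policy can be created through the Prism Central v3 REST API instead of the GUI. The Python below is an added example, not code from this guide or from Nutanix: it builds the request body for POST /api/nutanix/v3/network_security_rules, maps the GUI's Monitor/Enforce choice onto the API action, and refuses a policy that isolates a category from itself. The field names are assumed from the v3 API as understood here and should be checked against your Prism Central API reference; the Prism Central URL and Authorization header are placeholders.

```python
import json
from urllib import request  # used only by submit_policy(), never at import time


def category_filter(category, value):
    """v3 entity filter matching every VM that carries category:value."""
    return {"type": "CATEGORIES_MATCH_ALL", "kind_list": ["vm"],
            "params": {category: [value]}}


def build_isolation_policy(name, purpose, isolate, from_cat, enforce=True):
    """Request body for POST /api/nutanix/v3/network_security_rules.

    isolate and from_cat are (category, value) tuples, i.e. what the GUI
    asks for in 'Isolate this category' and 'From this category'.
    enforce=False maps to the GUI's Monitor mode: traffic is logged, not
    blocked. Field names are assumed from the v3 API; verify them against
    your Prism Central API reference before relying on them."""
    if isolate == from_cat:
        raise ValueError("an isolation policy needs two different categories")
    return {
        "api_version": "3.1.0",
        "metadata": {"kind": "network_security_rule"},
        "spec": {
            "name": name,
            "description": purpose,
            "resources": {
                "isolation_rule": {
                    "action": "APPLY" if enforce else "MONITOR",
                    "first_entity_filter": category_filter(*isolate),
                    "second_entity_filter": category_filter(*from_cat),
                }
            },
        },
    }


def submit_policy(pc_url, auth_header, body):
    """POST the body to Prism Central (not run in the offline example).
    pc_url and auth_header are placeholders, e.g. https://pc.example.local:9440
    and a Basic or Bearer Authorization header value from your environment."""
    req = request.Request(
        pc_url.rstrip("/") + "/api/nutanix/v3/network_security_rules",
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json",
                 "Authorization": auth_header},
        method="POST",
    )
    with request.urlopen(req) as resp:  # TLS verification follows your CA setup
        return json.load(resp)
```

Start with enforce=False to confirm in the policy view that only the expected flows are discovered, then switch to enforce=True once the two categories are correctly populated.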
An application rule limits access to certain ports, protocols, or services for members of one category from another category.
This rule can only be used with a category named Applications, which can be edited but not deleted.
For more information about managing categories, see the Setting up categories section in this guide.
From the main menu, click Security Policies in the Network & Security submenu.
Click Create Security Policy.
Select Secure Application (App Policy) and click Create.
Fill in Name with the rule name and Purpose with a comment, choose an existing application category in Secure this App, and click Next.
Click Add Source on the left.
Choose the category for the VLAN and click Add.
Click + to connect the application to the source.
Select Select a Service, choose the category in Protocol/Service, search for the service name in Port/Service Details, and click Save.
Click Next.
Select Enforce and click Save and Enforce to enable this rule.
The rule you created now appears in the list of rules.
Join our community of users on https://community.ovh.com/en/.