Configure Nutanix Flow
Find out how to configure and use Nutanix Flow
Last updated 08/04/2022
Objective
Nutanix Flow is available on all Hosted Private Cloud Powered by Nutanix offers. This option secures the network in one or more clusters managed by Prism Central
Learn how to use Nutanix Flow for network security within a Nutanix cluster.
OVHcloud provides services for which you are responsible, with regard to their configuration and management. It is therefore your responsibility to ensure that they work properly.
This guide is designed to assist you as much as possible with common tasks. Nevertheless, we recommend contacting a specialist provider if you experience any difficulties or doubts when it comes to managing, using or setting up a service on a server.
Instructions
Log in to Prism Central.
To connect to a Nutanix cluster, if required, see the Go further section in this guide.
Enabling Nutanix Flow
Click the gear in the top right to change the settings.
Click Microsegmentation from the scroll bar on the left.
Select the Enable Microsegmentation checkbox and click Save.
Microsegmentation is enabled. You can always disable it.
Category configuration
A category is an object that can contain one or more values.
When installing a cluster, some categories already exist and can be modified, other categories can be added.
Entities, such as virtual machines, subnets, or images, can be among the categories used for a tool like Flow, for example.
Creating a category
From the main menu, click Categories on the Administration submenu.
Click New Category.
Type the name of the category in Name and Click New value.
Type a name in Value and click the blue validation button on the right.
Click Save.
The new category appears in the category list.
Modifying a Category
Select the Special-Computers category
Click Update on the Actions menu.
Click New value.
Enter a value in the Value column and click the validation icon.
Click New value.
Enter another value in the Value column and click the validation icon.
Click Save to commit the category change.
The category is visible in the category dashboard with these two new values.
Assigning a Category to a Virtual Machine
In the main menu, click VMs under Compute & Storage.
Select the virtual machine by ticking on the left.
Click Actions, then click Manage Categories.
Type categoryName:value and click the + sign.
Click Save to save the virtual machine to a category.
Assigning a category to multiple VMs
Select three virtual machines using the check boxes on the left.
Click the Actions menu and select Manage Categories.
Type categoryName:value and click +.
Click Save.
Assigning a Category to Subnets
From the main menu, click Subnets under Network & Security.
Select the subnets by checking their left.
Click the Actions menu and select Manage Categories.
Type categoryName:value and click +.
Click Save.
Network quarantine management
Network quarantine allows you to isolate a virtual machine from the entire network, or allow it restricted access to certain repair tools that are on the network.
VM quarantine
In the main menu, click VMs under Compute & Storage.
Select the virtual machine by ticking on the left.
Click Actions and choose Quarantine VMs from the menu.
Select Forensic in Quarantine Method and click Quarantine.
The virtual machine is now in quarantine.
Customising the network quarantine.
There are currently no blockages affecting the quarantined virtual machine. Follow these instructions to configure the quarantine.
From the main menu, click Security Policies in the Network & Security submenu.
Click the number next to Quarantined to view the quarantined virtual machines.
The list of quarantined VMs appears in the Name column. Click Close to return to the previous menu.
Click Quarantine below the Name column to edit the rule.
The rule status is in monitoring mode, as shown in the top left-hand corner.
Traffic is not blocked but monitored. Connections between the quarantined VMs and the rest of the network are represented by orange lines attached to rectangles representing the IP address of the source or destination.
Click Enforce in the top right-hand corner to switch from Monitoring mode to Enforcing mode with traffic blocking.
Type ENFORCE and click Confirm.
The rule status is now on Enforced.
Traffic is blocked. We see attempts to access VMs in quarantines via red dotted lines to blocks containing the IP address of the VM.
Click Update in the top right-hand corner to edit the rule to allow certain network streams.
Click Next.
Move your mouse over an incoming connection attempt and click Allow Traffic
Select the checkbox to the left of the Source to select the incoming discovered traffic, then click Allow 1 Discovered Traffic to allow only the discovered traffic, such as ICMP below.
Move your mouse over an outgoing connection attempt and click Allow Traffic.
Select the checkbox to the left of the Source to select the outbound discovered traffic, then click Allow 1 Discovered Traffic to allow only the discovered traffic.
The authorised traffic is now visible via grey lines, while the blocked traffic is in red.
To create a rule manually without going through network discovery, left-click Add Source to allow an incoming connection to the quarantine.
Enter the category name and its value in Add source by: Category, then click Add.
The source appears in Configured.
Click + to the left of Quarantine: Forensics.
Allow all traffic and click Save.
Right-click Add Destination to allow an outgoing rule from quarantine.
Enter the category name and its value in Add source by: Category, and then click Add.
Click + to the right of Quarantine: Forensics.
Allow all traffic and click Save.
Click Next.
Click Save and Enforce to apply the quarantine rule changes.
Click Quarantine to view quarantine rule details.
The rule status is on Enforced, the Forensic mode has been customised.
A virtual machine in Strict mode will be completely isolated from the network, while in Forensic mode it will have access to the areas defined in the quarantine rule.
Creating an isolation rule
An isolation rule allows blocking of network communications between two categories (virtual machines or subnets).
For more information about managing categories, see the Setting up categories section in this guide.
From the main menu, click Securities Policies in the Network & Security submenu.
Click Create Security Policy.
Select Isolation Policy and click Create.
Type the rule name in Name and then add a comment in Purpose, choose a category in Isolate this category, followed by another category in From this category.
Select Enforce in Select a Policy mode, then click Save and Enforce.
The rule is active in the list of security rules.
Click The rule name below the Name column to view details.
The status of the rule indicates Enforced, and you can see that no connection attempt between the two zones is detected, as this message indicates: No Traffic between them has been discovered.
If a network connection attempt is detected between these two zones, the message changes to Traffic between them has been discovered.
Setting up an application rule.
An application rule limits access to certain ports, protocols, or services for members of a category from another category.
This rule can only be used with a category named Applications that can be edited but not deleted.
For more information about managing categories, see the Setting up categories section in this guide.
From the main menu, click Security Policies in the Network & Security submenu.
Click Create Security Policy.
Select Secure Application (App Policy) and click Create.
Enter the Name fields for the rule name, Purpose for comment, Secure this App by choosing an existing application category, and click Next.
Click Add Source on the left.
Choose the category for the VLAN and click Add.
Click + to connect the application to the source.
Select Select a Service, choose the category in Protocol/Service, search for the service name in Port/Service Details, and click Save.
Click Next.
Select Enforce and click Save and Enforce to enable this rule.
The rule you created is in the list of rules.
Go further
Join our community of users on https://community.ovh.com/en/.
Did you find this guide useful?
Please feel free to give any suggestions in order to improve this documentation.
Whether your feedback is about images, content, or structure, please share it, so that we can improve it together.
Your support requests will not be processed via this form. To do this, please use the "Create a ticket" form.
Thank you. Your feedback has been received.