Tuesday, October 25, 2016

Restoring NSX from Old Backup - Impact on Security

(Quick note: I wrote this blog post back in October 2016 just before my son was born, so this one fell through the cracks...but better late than never.)

Taking a quick timeout from slacking (in blogging, that is) to write up what happens to NSX Security when restoring from an old NSX Manager backup. Please have a read of the last two blog posts, found here and here, if you don’t know why I’m writing this one.

Starting off where we left off, I confirmed that I can ping between VMs ServerApp01 and ServerApp02 and then created a backup (I think this is Backup6) to save my starting position.

I then created a Security Group to include all ServerApp VMs and a Security Policy to not allow pings, and applied the Security Policy to the Security Group.

Trying to ping again failed:

Looking at the Traceflow output, we see that Rule 1006 is blocking the ping, which matches the rule created to drop pings. (The following is a series of CLI commands to get the filter name for ServerApp01.)

Next, I did a backup of NSX Manager’s current configuration (Backup7???) and restored the previous backup, taken before the Security Group and Security Policy were created. Sure enough, checking Service Composer I can verify that the Security Group and Security Policy I created earlier are gone (as was to be expected), and the rules are gone from ServerApp01. The rules are gone because when NSX Manager comes back online after the restore, the ESXi hosts flush all the old rules they have and receive the updated rule set from the (restored) NSX Manager. I’m also able to ping again.

Elver’s Opinion: I think this wraps up all cases of what happens when restoring NSX Manager from a copy that is missing configs. Although I didn’t cover what happens to the NSX Edge directly, I did cover the Control VM; the result will be similar.
