Friday, February 16, 2018

vSphere Integrated Containers and VMware NSX better together


The dynamic and agile nature of the container world constantly challenges those of us who need to secure our environments; it is clear that manual operations are not enough to keep up with the pace of innovation this new world brings.

But how can I protect my production container workloads in a dynamic and agile way?
VMware NSX has the answer.

Leveraging Security Groups with dynamic membership, you can create rules that match specific vSphere objects. This is a perfect fit for vSphere Integrated Containers and its container-vm construct: traffic is allowed or blocked on demand whenever a new workload is created or deleted, giving developers the agility they love without giving up the security that infrastructure teams need.

Let me give you a couple of use cases:

- Protect containers based on name
VIC allows you to expose a container service directly on the network through container networks (covered in another post), so you can protect those services by allowing only certain traffic based on the container-vm name, for example allowing HTTP only to container-vms whose name starts with web (check the video below for a quick demo).

- Container to container communication
You could also use container-vm names to create rules between containers, for example allowing only container-vms starting with app to communicate with database container-vms (starting with db).

- Protect tenant containers
I might be pushing it a little with this one; it's not a real tenant construct, OK, but it serves my point.
Imagine two distinct developers or projects: you can provision a VCH for each of them with distinct name prefixes/suffixes (check my post about it if you are not sure), and then create a security boundary based on the prefix, where container-vms with the same prefix can communicate freely with each other but not with the others, providing isolation and security between projects.
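To make the three use cases concrete, here is an added toy model (not NSX or VIC code, and not part of the original post) of security groups whose membership is a predicate on the container-vm name, evaluated at check time, with a default-deny rule set on top. Group names, services and the project prefixes projA-/projB- are constructed for the example.

```python
# Toy model of NSX-style security groups with dynamic membership.
# Constructed example: group names, services and prefixes are invented here.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: str      # security group name, or "any"
    dst: str      # security group name, or "any"
    service: str  # e.g. "tcp/80", or "any"
    action: str   # "allow" or "block"


# Dynamic membership: each group is a predicate on the container-vm name.
# It is evaluated on every check, so a container-vm created after the rules
# were written (e.g. web-99) is covered without touching the rule set.
GROUPS = {
    "web": lambda vm: vm.startswith("web"),
    "app": lambda vm: vm.startswith("app"),
    "db":  lambda vm: vm.startswith("db"),
    "any": lambda vm: True,
}

# Use case 1: expose HTTP only on container-vms whose name starts with web.
# Use case 2: only the app tier may reach the database tier.
RULES = [
    Rule("any", "web", "tcp/80", "allow"),
    Rule("app", "db", "tcp/5432", "allow"),
]
DEFAULT_ACTION = "block"  # anything not explicitly allowed is dropped


def is_allowed(src_vm, dst_vm, service, rules=RULES, groups=GROUPS):
    """First-match evaluation of the rule set; default deny."""
    for r in rules:
        if (groups[r.src](src_vm) and groups[r.dst](dst_vm)
                and r.service in (service, "any")):
            return r.action == "allow"
    return DEFAULT_ACTION == "allow"


def tenant_rules(prefixes):
    """Use case 3: one group per VCH name prefix, allow-all only inside it.
    Cross-prefix traffic falls through to the default block."""
    # p=p binds the prefix at definition time (avoids late-binding closures)
    groups = {p: (lambda vm, p=p: vm.startswith(p)) for p in prefixes}
    rules = [Rule(p, p, "any", "allow") for p in prefixes]
    return rules, groups
```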

You guys are cleverer than me, and I'm sure you can come up with new and innovative ideas for using NSX to protect containers, so tell us about it: leave your comment below.



Who am I

I'm an IT specialist with over 15 years of experience, working from IT infrastructure to management products, with troubleshooting and project management skills from medium to large environments. Nowadays I'm working for VMware as a Consulting Architect, helping customers embrace the Cloud Era and make them successful on their journey. Despite the fact that I'm a VMware employee, these postings reflect my own opinion and do not represent VMware's position, strategies or opinions. Reach me at @dumeirell
