NSX-T Data Center Micro-Segmentation: Optimal Grouping for Security Policies


Question

A company is deploying NSX-T Data Center micro-segmentation in its vSphere environment to protect a simple three-tier application made up of web, app, and database tiers.

The naming convention will be:

- WKS-WEB-SRV-XXX
- WKY-APP-SRR-XXX
- WKI-DB-SRR-XXX

What is the optimal way to group them in order to enforce security policies from NSX-T Data Center?

Answers

Explanations


A. Use Edge as a firewall between tiers.
B. Create an Ethernet-based security policy.
C. Do service insertion to accomplish the task.
D. Group all by means of tags membership.

Correct answer: D.

To enforce security policies in an NSX-T Data Center micro-segmentation deployment for a three-tier application, the optimal way to group the workloads is by tag membership. The naming convention provided, "WKS-WEB-SRV-XXX", "WKY-APP-SRR-XXX", and "WKI-DB-SRR-XXX", identifies the tier each workload belongs to, so a tag can be assigned to each workload from its name.

For example, all the workloads in the web tier can be tagged with "web", all the workloads in the app tier can be tagged with "app", and all the workloads in the database tier can be tagged with "db". Once the workloads are tagged, NSX-T Data Center can use these tags to enforce security policies.

The security policies are created with the Distributed Firewall (DFW) feature of NSX-T Data Center. The DFW enforces policy at the virtual machine (VM) interface level, which is what makes micro-segmentation possible, and its rules can use groups whose membership is defined by the tags assigned to the VMs. For example, a rule can allow traffic only from the web tier to the app tier on port 80: the source is the group of VMs carrying the "web" tag, the destination is the group of VMs carrying the "app" tag, and the service is port 80.

Using the DFW with tag-based group membership gives a flexible and scalable solution that is easy to manage: a new VM that receives the right tag joins its group, and therefore its policy, automatically. Tags can be assigned by automation tools based on the naming convention of the workloads, or manually. This method of grouping and enforcing policies provides the granular level of security that a micro-segmentation deployment requires.
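The following Python script is an added example, not code from the page or from VMware. It derives the tier tag from the question's naming convention, builds the NSX-T Policy API payloads for three tag-based groups and a DFW security policy, and shows what happens to a VM whose name does not follow the convention (it is reported instead of being tagged). The request paths, the `tier` tag scope, the group and policy ids, the inventory, and the exact JSON field names are assumptions; the page only states that groups are defined by tag and that the DFW allows web to app on port 80. The app-to-db rule and the final drop rule go beyond the page's example and are labelled as such in the code.

```python
"""Tag VMs by tier from their names and build NSX-T DFW payloads.

Added example (not the page's or VMware's own code). API paths and payload
shapes follow the NSX-T Policy API as assumed here; verify against your
NSX-T version before sending anything.
"""
import json
import re

# Naming convention from the question: <PREFIX>-<TIER>-<ROLE>-<NNN>,
# e.g. WKS-WEB-SRV-001. Only the second token decides the tier; the
# prefix (WKS/WKY/WKI) and role (SRV/SRR) vary between tiers.
NAME_RE = re.compile(r"^[A-Z]+-(WEB|APP|DB)-[A-Z]+-[A-Z0-9]+$", re.IGNORECASE)
TAG_SCOPE = "tier"                 # assumed scope; keeps tags namespaced
DOMAIN = "/infra/domains/default"  # assumed default policy domain
TIERS = ("web", "app", "db")

# Constructed inventory of (NSX external_id, vSphere VM name); not real data.
INVENTORY = [
    ("vm-ext-0001", "WKS-WEB-SRV-001"),
    ("vm-ext-0002", "WKY-APP-SRR-001"),
    ("vm-ext-0003", "WKI-DB-SRR-001"),
    ("vm-ext-0004", "mgmt-jumpbox-01"),  # does not follow the convention
]


def tier_from_name(vm_name):
    """Return 'web', 'app' or 'db' for a conforming name, None otherwise."""
    m = NAME_RE.match(vm_name.strip())
    return m.group(1).lower() if m else None


def tag_update_payload(external_id, vm_name):
    """Body for POST /api/v1/fabric/virtual-machines?action=update_tags (assumed).
    Returns None for non-conforming names so they are never tagged by guesswork."""
    tier = tier_from_name(vm_name)
    if tier is None:
        return None
    return {"external_id": external_id,
            "tags": [{"scope": TAG_SCOPE, "tag": tier}]}


def plan_tags(inventory):
    """Split an inventory into tag payloads and a list of names left untagged."""
    payloads, skipped = [], []
    for external_id, name in inventory:
        body = tag_update_payload(external_id, name)
        (payloads.append(body) if body else skipped.append(name))
    return payloads, skipped


def group_payload(tier):
    """Body for PATCH /policy/api/v1/infra/domains/default/groups/<tier> (assumed).
    Membership is dynamic: any VM carrying tag tier|<tier> joins automatically."""
    return {"display_name": f"grp-{tier}",
            "expression": [{"resource_type": "Condition",
                            "member_type": "VirtualMachine",
                            "key": "Tag", "operator": "EQUALS",
                            "value": f"{TAG_SCOPE}|{tier}"}]}


def _group_path(tier):
    return "ANY" if tier == "ANY" else f"{DOMAIN}/groups/{tier}"


def _rule(rule_id, src, dst, services, action):
    # 'scope' (Applied To) is limited to the three tier groups so the policy
    # never touches VMs outside this application.
    return {"resource_type": "Rule", "id": rule_id, "display_name": rule_id,
            "source_groups": [_group_path(src)],
            "destination_groups": [_group_path(dst)],
            "services": services, "action": action,
            "scope": [_group_path(t) for t in TIERS]}


def policy_payload():
    """Body for PATCH .../security-policies/3tier-app (assumed path).
    Rule 1 is the page's example: web -> app on port 80 (predefined HTTP service).
    Rule 2 and the final drop are additions a practitioner would make: the DB
    tier is reachable only from app, and everything else between tiers drops."""
    return {"display_name": "3tier-app", "category": "Application",
            "rules": [
                _rule("web-to-app-http", "web", "app", ["/infra/services/HTTP"], "ALLOW"),
                _rule("app-to-db", "app", "db", ["ANY"], "ALLOW"),  # narrow to the DB port
                _rule("tier-default-drop", "ANY", "ANY", ["ANY"], "DROP"),
            ]}


if __name__ == "__main__":
    tags, skipped = plan_tags(INVENTORY)
    print(json.dumps({"tag_updates": tags, "skipped": skipped}, indent=2))
    print(json.dumps([group_payload(t) for t in TIERS], indent=2))
    print(json.dumps(policy_payload(), indent=2))
```

Tagging is deliberately done from a parsed pattern rather than a substring match, so a stray "WEB" elsewhere in a name cannot land a VM in the wrong tier, and any name the pattern rejects is surfaced for a human decision instead of being tagged by default.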

Therefore, option D, "Group all by means of tags membership," is the optimal way to group the workloads in order to enforce security policies from NSX-T Data Center. Option A, using Edge as a firewall between tiers, is also a viable solution, but it is not as flexible or scalable as tag-based grouping. Option B, creating an Ethernet-based security policy, and option C, using service insertion to accomplish the task, are not relevant or applicable to this scenario.