Service Composer is a tool built into NSX that allows security policies to be built. These policies can be assigned to groups of virtual machines, and new virtual machines will inherit the policy settings when they are added into a group. Security policies define how things will be protected, whilst security groups define what will be protected.
Service Composer can be found in the vSphere Web Client, in the ‘Networking and Security’ screen, and then ‘Service Composer’:
Security Groups
A security group is a dynamic grouping of virtual machines, based on criteria. For example, VMs can be members of a given security group based on where they exist in vCenter, tags, VM name and many more. When a VM matches the criteria defined, then it is automatically included in the security group.
To create a security group, go to the ‘Security Groups’ tab in Service Composer and click the ‘New Security Group’ icon. On the first screen, give the new security group an appropriate name:
On the next screen, define the dynamic group membership. I’ve chosen to create a group based on matching the virtual machine’s hostname, in this case ‘VM’:
You can also define group membership using other criteria:
The next two screens will give the opportunity to explicitly add or exclude objects:
Once complete, click Finish. The new group should be listed, and will show how many virtual machines have been included:
Clicking on the value in the virtual machines column will show the group membership:
So, that is all that’s required to create a security group. Some things to be aware of:
- A Virtual Machine can belong to more than one group
- Security groups can have multiple policies applied to them
- You can nest security groups inside other security groups
- When a VM belongs to multiple security groups then the actual applied settings are based on the precedence of the security policies applied.
Security Policies
The security policies are where you define the rules and services that will be applied to the security groups. A policy can contain Guest Introspection services (third-party services such as anti-virus), distributed firewall rules and network introspection services.
Security policies are created on the ‘Security Policies’ tab in Service Composer. When you click the button to add a new policy, a series of configuration pages will open:
On the first screen you can give the policy a name and description, and choose whether this is a ‘child’ policy of an existing security policy. The advanced options let you set a weight (policies with a higher weight will take precedence when virtual machines receive more than one policy).
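To make the membership and precedence behaviour described above concrete (a VM can belong to several groups, groups can nest, explicit exclusions win, and when more than one policy lands on a VM the higher weight is evaluated first), here is an added, constructed model written for this post. It is not NSX code and does not call the NSX API; the VM, SecurityGroup and SecurityPolicy classes, the criterion helpers and the sample inventory and weights are all hypothetical, chosen only to mirror the post's 'name contains VM' example and the weight setting on the policy's first screen.

```python
"""Constructed model of Service Composer membership and policy precedence.

Added illustration only: hypothetical classes that mimic how dynamic
criteria, explicit include/exclude, nesting and policy weight combine to
decide which policies (and in which order) apply to a virtual machine.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Set


@dataclass(frozen=True)
class VM:
    """Minimal stand-in for a vCenter VM: name, security tags, folder."""
    name: str
    tags: frozenset = frozenset()
    folder: str = ""


# A dynamic-membership criterion is just a predicate over a VM.
Criterion = Callable[[VM], bool]


def name_contains(text: str) -> Criterion:
    return lambda vm: text.lower() in vm.name.lower()


def has_tag(tag: str) -> Criterion:
    return lambda vm: tag in vm.tags


def in_folder(folder: str) -> Criterion:
    return lambda vm: vm.folder == folder


@dataclass
class SecurityGroup:
    name: str
    criteria: List[Criterion] = field(default_factory=list)
    match_all: bool = False            # False = any criterion, True = all criteria
    include: Set[str] = field(default_factory=set)   # explicit static members
    exclude: Set[str] = field(default_factory=set)   # explicit exclusions, always win
    nested: List["SecurityGroup"] = field(default_factory=list)

    def contains(self, vm: VM) -> bool:
        if vm.name in self.exclude:
            return False
        if vm.name in self.include:
            return True
        if self.criteria:
            hits = (c(vm) for c in self.criteria)
            if all(hits) if self.match_all else any(hits):
                return True
        # Members of a nested group are members of the parent as well.
        return any(g.contains(vm) for g in self.nested)

    def members(self, inventory: List[VM]) -> List[str]:
        """What the 'virtual machines' column in the UI would count."""
        return [vm.name for vm in inventory if self.contains(vm)]


@dataclass
class SecurityPolicy:
    name: str
    weight: int                        # higher weight takes precedence
    firewall_rules: List[str]
    applied_to: List[SecurityGroup] = field(default_factory=list)


def policy_order(vm: VM, policies: List[SecurityPolicy]) -> List[str]:
    """Names of the policies applied to vm, highest weight first."""
    hit = [p for p in policies if any(g.contains(vm) for g in p.applied_to)]
    # sorted() is stable, so equal weights keep their list order.
    return [p.name for p in sorted(hit, key=lambda p: p.weight, reverse=True)]


def effective_rules(vm: VM, policies: List[SecurityPolicy]) -> List[str]:
    """Firewall rules as they would be ordered for vm: higher-weight policy first."""
    by_name = {p.name: p for p in policies}
    return [r for n in policy_order(vm, policies) for r in by_name[n].firewall_rules]


# Constructed sample inventory and policies (not from any real environment).
VMS = [
    VM("web-01", frozenset({"web"}), "Prod"),
    VM("VM-db-01", frozenset({"db"}), "Prod"),
    VM("VM-test-01", frozenset(), "Lab"),
    VM("jump-01", frozenset(), "Lab"),
]
WEB_TIER = SecurityGroup("SG-Web", criteria=[has_tag("web")])
DB_TIER = SecurityGroup("SG-DB", criteria=[has_tag("db")])
# The post's example: every VM whose name contains 'VM', with one explicit exclusion.
VM_NAMED = SecurityGroup("SG-VM-Name", criteria=[name_contains("VM")], exclude={"VM-test-01"})
# Nested group: anything in the Prod folder plus both tier groups.
PROD_ALL = SecurityGroup("SG-Prod", criteria=[in_folder("Prod")], nested=[WEB_TIER, DB_TIER])
POLICIES = [
    SecurityPolicy("Baseline", 1000, ["allow icmp any any"], [PROD_ALL]),
    SecurityPolicy("Web-Tier", 4300, ["allow tcp any SG-Web 443"], [WEB_TIER]),
    SecurityPolicy("DB-Tier", 3300, ["allow tcp SG-Web SG-DB 3306", "block any SG-DB"], [DB_TIER, VM_NAMED]),
]

if __name__ == "__main__":
    for vm in VMS:
        print(vm.name, policy_order(vm, POLICIES), effective_rules(vm, POLICIES))
```

Running it shows `web-01` picking up both Web-Tier and Baseline with the Web-Tier rules first because of its higher weight, `VM-db-01` landing in SG-DB, SG-VM-Name and SG-Prod at once, and `VM-test-01` getting nothing because the explicit exclusion overrides the name match. The same precedence question is worth checking in a real environment whenever a VM sits in several groups: the order of the rules Service Composer pushes into the distributed firewall follows policy weight, not the order the groups were created.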
The following page allows you to configure Guest Introspection Services. I don’t have any available in my lab – moving on to the next screen, you can configure distributed firewall rules to be included in the policy:
Next, the policy needs to be applied to a security group. To do so, highlight the policy, then select ‘Apply Policy’ from the actions menu:
Switching over to the Firewall screen, Service Composer will have added rules to the distributed firewall configuration:
That’s about it for a quick run through of the basics of service composer. I think it’s a great feature, allowing security policies to be applied consistently to groups of virtual machines. There is a great VMware blog post here, which explains Service Composer in a little more detail.