The ReSTNSX Cloud Check tool collects IP flow information from Virtual Machines to help plan migrating workloads. Cloud Check will analyze flows to and from a given set of VMs using VMware’s vRealize Network Insight (vRNI) or NSX dFW as the source of truth. To collect data, there are two modes of operation: Real-time and Historical.
Flow data that is collected provides insight into source/destination ports and protocols in use.
Once collected, the flow data is stored in the ReSTNSX database for immediate or future review.
Minimum Release: 2.8
Application: NSX-v
License: Enterprise
Privilege level: Audit (View only), Security Engineer or higher (View, Collect)
No setup is required for dFW flow monitoring. vRNI must be added as a data source for vRNI flow-based real-time or historical analysis.
Starting a Collection
To start a new analysis or review existing collections, navigate to Tools > Security Planning > Cloud Check.
Clicking the green plus (add Flows) on the dashboard will open a window where the source of either dFW or vRNI is selected.
VMware’s vRealize Network Insight – vRNI – is available as a Cloud Check data source where the flow information is collected as either real-time or historical for a set of VMs.
Real-time: Flow data can be collected from vRNI for a user-configurable amount of time (up to 24 hours). During this collection period, the results can be viewed in real time or after the collection period has ended.
Historical: Flow collection is available for vRNI only, as dFW does not retain historical data to poll.
In either mode, Cloud Check will connect to the pre-configured vRNI data source in ReSTNSX and collect flow information. The screenshot below illustrates a vRNI data source for a particular cluster; the discovered VMs in the selected Cluster; the traffic type of North-South or East-West; Historical or Real-time flows; and the time bounds for historical flows (up to 30 days in the past).
NSX Distributed Firewall – dFW – is another method for collecting flow information. The dFW method allows for real-time flow monitoring for all traffic to and from a given VM vNIC. As opposed to the vRNI collection method, dFW accounts for every flow in and out of the vNIC. vRNI, along with other tools that leverage IPFIX data, represents sampled flows where traffic blind spots can occur due to lower sampling rates.
In this example, we will capture flow data from dFW for VM Photon-VM-2 with IP address 172.16.100.223 for a one minute period. A ping and an HTTPS GET were initiated from the VM to illustrate the real-time nature of the capture.
Once the collection is started, the flow collection page for the given VM is updated every 5 seconds with new flow information.
The graphs are interactive where every data point can be clicked to reveal the flow data in the table.
Once the collection is complete the information is available for review and export. A relationship diagram is also provided that shows a summarized version of the flows to and from the selected VM.
When planning for an application to move to the cloud or for creating policy, it is critical to understand the flows. In a cloud environment, this can help avoid expensive egress toll charges.
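The following is an added example, not Cloud Check's own code or export format: it takes constructed flow records modelled on the Photon-VM-2 scenario above, classifies each as East-West or North-South against an assumed data-center address space (172.16.0.0/12 and 10.0.0.0/8), and aggregates them into the kind of per-peer, per-port summary that the relationship diagram presents and that egress-cost and policy planning need. The record layout, the 198.51.100.20 peer and the byte counts are all constructed.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample flow records (not a Cloud Check export; the page does not
# document the export format). Fields: src, dst, proto, dport, bytes.
# Mirrors the page's scenario: Photon-VM-2 (172.16.100.223) sending a ping
# and an HTTPS GET, plus one constructed inbound SSH session.
VM_IP = "172.16.100.223"
SAMPLE_FLOWS = [
    {"src": VM_IP, "dst": "172.16.100.10", "proto": "ICMP", "dport": 0, "bytes": 392},
    {"src": VM_IP, "dst": "198.51.100.20", "proto": "TCP", "dport": 443, "bytes": 18420},
    {"src": VM_IP, "dst": "198.51.100.20", "proto": "TCP", "dport": 443, "bytes": 2210},
    {"src": "172.16.50.7", "dst": VM_IP, "proto": "TCP", "dport": 22, "bytes": 5120},
]

# Assumed data-center address space; a peer outside it makes the flow North-South.
INTERNAL = [ip_network("172.16.0.0/12"), ip_network("10.0.0.0/8")]

def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)

def summarize(flows, vm_ip):
    """Aggregate flows of one VM by (direction, traffic type, peer, proto, port).

    Returns a dict keyed by that tuple with total bytes: the summary a
    relationship diagram or a firewall policy draft is built from.
    """
    summary = defaultdict(int)
    for f in flows:
        if f["src"] == vm_ip:
            direction, peer = "out", f["dst"]
        elif f["dst"] == vm_ip:
            direction, peer = "in", f["src"]
        else:
            continue  # not a flow to or from this vNIC
        ttype = "East-West" if is_internal(peer) else "North-South"
        summary[(direction, ttype, peer, f["proto"], f["dport"])] += f["bytes"]
    return dict(summary)

def egress_bytes(summary):
    """Outbound North-South bytes: the traffic that would incur cloud egress charges."""
    return sum(b for (d, t, *_), b in summary.items()
               if d == "out" and t == "North-South")

if __name__ == "__main__":
    s = summarize(SAMPLE_FLOWS, VM_IP)
    for key, b in sorted(s.items()):
        print(*key, b)
    print("potential egress bytes:", egress_bytes(s))
```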
This data is stored in the ReSTNSX database, and all previously collected flows are presented on the Cloud Check dashboard where they can be reviewed at a later date or removed.