Using VMware NSX in CloudControl Overview

CloudControl supports the following VMware NSX versions for vSphere 6.x: 

  • 6.2.7
  • 6.2.8
  • 6.3.2
  • 6.3.3

CloudControl authorizes CUD (Create, Update, Delete) operations on key NSX resources such as Logical Switches, Edges, Routers, Firewalls, Security Groups, and Security Policies. This allows you to use role-based access control to inspect NSX admin operations and apply CloudControl policies to NSX resources. To protect and proxy NSX resources in CloudControl, you need a valid CloudControl license that includes NSX support.

Note: Read or view operations are not authorized or logged.

NSX resources are imported into CloudControl as follows:

| NSX Resource Type | CloudControl Resource Type | Operations Description |
|---|---|---|
| Logical Router | Router | Supports CUD operations on: Router Service, Firewall |
| Edge Gateway Services | Network Service Containers | Supports CUD operations on: Gateway Services, DHCP, Load Balancer, IP Sec VPN, VPN(L2/SSL), Firewall |
| Security Group | ObjectGroup | CUD operations |
| Security Policy | SecurityPolicy | CUD operations |
| Distributed Firewall | Firewall | CUD operations |
| Logical Switch | Switch | CUD operations |
| Controller | Controller | CUD operations |
| IP Set | IPAddressGroup | CUD operations |
| MAC Set | MacAddressGroup | CUD operations |
| Distributed Firewall Section | Firewall Section | CUD operations |

Important:
  • Before CloudControl version 5.2, the same firewall privileges were used for distributed firewall, edge firewall, and router firewall. Beginning with version 5.2, new firewall privileges have been added for edge firewall and router firewall. The new privileges have been added to the SuperAdmin, SecurityAdmin, and NetworkEngineer roles. You will need to manually assign the privileges to any custom roles used for edge or router firewall.
  • Beginning with CloudControl version 5.3, multi-tenant Distributed Firewall configuration is supported through WCS and REST API. For REST API, the following privileges have been updated:

    | Previous Privilege Name | Updated Privilege Name |
    |---|---|
    | Network.Firewall_Rule* | Network.FirewallRule* |
    | Network.Firewall_Policy* | Network.FirewallPolicy* |

  • Beginning with CloudControl version 5.3, new privileges have been added for IP Set, MAC Set, and Distributed Firewall Section to the SuperAdmin, SecurityAdmin, and NetworkEngineer roles. You will need to manually assign the privileges to any custom roles using the previous privileges.

The following NSX resource types are updated:

| NSX Resource Type | CloudControl Previous Resource Type | CloudControl Current Resource Type |
|---|---|---|
| IP Set | IPCollection | IPAddressGroup |
| MAC Set | MacCollection | MacAddressGroup |
| Service Group | ServiceCollection | ServiceGroup |
| Security Group | ObjectCollection | ObjectGroup |