Deployments with on-demand private networks with security groups are forbidden from communicating with other systems in the same deployment due to security policy rules
search cancel

Deployments with on-demand private networks with security groups are forbidden from communicating with other systems in the same deployment due to security policy rules

book

Article ID: 326022

calendar_today

Updated On:

Products

VMware Aria Suite

Issue/Introduction

Symptoms:
  • Machines assigned to on-demand private network with security group have internal communication to other systems in the same deployment forbidden by the security policy rules.
Note: All machines assigned to the same private network should be able to communicate with one another.


Environment

VMware Aria Automation 8.x
VMware Aria Automation 8.14.x

Cause

Aria Automation on-demand private network with security group provisions a security group with undefined order of firewall rules which can randomly place firewall rule that allows internal communication after firewall rules that forbid all other communications.

Resolution

VMware is aware of this issue and being considered for inclusion in a future release. See the Workaround section below for additional information.

Workaround:
Use on-demand security groups instead of isolation network. See the blueprint YAML below: 
formatVersion: 1
inputs: {}
resources:
  Deny_Inbound_Outbound:
    type: Cloud.SecurityGroup
    properties:
      securityGroupType: new
      rules:
        - access: Deny
          source: ANY
          direction: inbound
          name: DenyOutboundFlows
        - access: Deny
          destination: ANY
          direction: outbound
          name: DenyInboundFlows
  Allow_Infra_Traffic:
    type: Cloud.SecurityGroup
    properties:
      securityGroupType: new
      rules:
        - access: Allow
          source: ${resource.Deny_Inbound_Outbound.id}
          direction: inbound
          name: InboundInternalFlows
        - access: Allow
          destination: ${resource.Deny_Inbound_Outbound.id}
          direction: outbound
          name: OutboundInternalFlows
  Cloud_Network_1:
    type: Cloud.Network
    properties:
      networkType: existing
  Cloud_Machine_1:
    type: Cloud.Machine
    properties:
      count: 2
      image: ubuntu
      flavor: small
      networks:
        - network: ${resource.Cloud_Network_1.id}
          securityGroups:
            - ${resource.Deny_Inbound_Outbound.id}
            - ${resource.Allow_Infra_Traffic.id}
Note: This workaround requires 2 security groups to be created instead of 1, but because of the explicit dependencies, the rules will always be created in the predictable order.

Additional Information

Impact/Risks:
Machines provisioned with on-demand private network with security group do not have internal communication.

Powered by Wolken Software