NSX SpoofGuard Automatic Approvals through your IPAM
VMware NSX provides a (heavily underestimated) SpoofGuard functionality, which prevents virtual machines to use IP addresses that are not approved by the network engineers. It guards for, guess what, IP spoofs. Virtual machines will not be able to change their IP addresses without administrative approval, which prevents issues with unauthorized changes or duplicate IPs.
SpoofGuard in NSX
SpoofGuard can operate in 3 modes:
– Approve everything (the default);
– Automatically approve first detected IP, manual approve changes;
– Manually approve all first detected IPs and changes.
While having control of the IP address changes in the virtual network is pretty awesome, it does create another administrative task. Luckily, you can automated the heck out of your virtual network with NSX.
IP Address Management (IPAM)
I recently came across a situation where Infoblox was the main IPAM system, strict SpoofGuard functionality was required and manually approving all IP address usage wasn’t really an option. Queue the NSX REST API and an idea to automate the SpoofGuard approvals depending on the information that’s in the Infoblox appliance. And yes, Infoblox has an API as well!
The workflow was to automatically (via a Cloud Management Portal) deploy a VM where a post-deployment procedure was in place to register the VMs new IP and MAC address to the Infoblox. After the VM was deployed and registration was done, the IP usage had to manually be approved via NSX.
Automating the Stuff
What I ended up doing was periodically (every minute) ask NSX whether there are any VMs asking to go online with a new IP address, feeding the VMs IP address and MAC address to the Infoblox IPAM and ask it whether a registration (either DHCP or fixed) exists for that IP/MAC combination and sending the IP approval to NSX in the case the Infoblox has an entry for the new VM.
The new workflow is to automatically deploy a VM, the CMP registered the new IP and MAC address to Infoblox and a minute later, the IP address usage was automatically approved in NSX. No more manual approvals!
The script that I used to automate this procedure is on my GitHub page. It’s set up modular and it’s first module is for Infoblox, because of the immediate requirements. Considering the possibilities to re-use this script in different environments, I’ll most likely be adding more IPAMs as I go along (e.g. Netbox). Feel free to do a pull request if you create another module!
By the way, the handling of NSX API operations is handled through PowerNSX, of which a copy is in the GitHub repository, but you do need PowerCLI to installed on the host you’re running this on.
Instructions for running the script can be found in the README file in the repository. It should be sufficient to get you started, but feel free to contact me if you have any questions!
- What is the VMware Virtual Cloud Network? by Martijn Smit
- VMware NSX & OTRS - Automating Security with Help… by Martijn Smit
- NSX load balancer buffer size by Sander Martijn
- Using VMware and Veeam? Update VBR 9.5 to Update 3a now by Edwin Weijdema
- GRE Tunnels & Dynamic Routing in NSX 6.4 by Martijn Smit