VMware Cloud Director 10.5.1 is now GA and is full of new networking features, and the integration with VMware NSX Advanced Load Balancer has received its share of enhancements as well.
There are two significant new features along with some UI improvements that directly impact the Load Balancer as a Service (LBaaS) capabilities of VMware Cloud Director:
- Virtual Service Logs
- Web Application Firewall (WAF)
Virtual Service Logs
As an extension to the Virtual Service Analytics available in previous VMware Cloud Director versions, 10.5.1 also makes the Virtual Service Logs available to tenants.
When a new virtual service is created, all the analytics-related settings are automatically populated by the integration. As a result, the System-Analytics-Profile is used as the analytics profile, with the following settings for logging:
- Significant log throttle – 10 logs/sec
- User defined filters log throttle – 10 logs/sec
However, tenants can decide whether to capture non-significant logs by checking the Non-Critical Logging checkbox while creating a new virtual service or editing an existing one. Once activated, the logging settings are as follows:
- Non-significant log throttle – 10 logs/sec
- Non-significant log duration – 30 minutes
Currently, none of these settings can be modified through the VMware Cloud Director UI.
To access the logs, you need to select a virtual service and navigate to the new Logs tab.
Each log entry displays a timestamp, client IP, URI, request type, response code, size, total time in ms, and WAF status (if available).
To display extended information, you need to select the desired entry. It will reveal the client request, load balancer, and application response details.
The logs can be exported to a CSV file directly from the VMware Cloud Director UI.
Web Application Firewall (WAF)
The self-service Web Application Firewall configuration per virtual service is another enhancement introduced by VMware Cloud Director 10.5.1. It is made available as a part of the Premium Feature Set.
Now, for each virtual service, tenants can:
- enable WAF
- set the operation mode – detection or enforcement
- create allowlist rules
- select which signature groups are activated or deactivated
- activate/deactivate individual signatures in every group
When the WAF configuration is created in VMware Cloud Director for a virtual service, the integration automatically creates a WAF policy and a WAF profile in NSX Advanced Load Balancer.
WAF Profile
Because the recommendation engine may modify the WAF profile, each virtual service gets its own profile, created by the integration. Initially, it is a copy of System-WAF-Profile containing all its settings.
WAF Policy
A new WAF Policy is automatically created out of the System-WAF-Policy for each virtual service where WAF is enabled. This means all the settings that are not available for configuration through the VMware Cloud Director UI will have their values set according to the System-WAF-Policy.
WAF in Logs
When a virtual service has WAF enabled, each log entry has information about its WAF Status – Rejected, Flagged, Passed, Bypassed, or Not Applicable.
If a violation is detected, the log details also include information about the violated protocol as well as remediation recommendations.
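The exported CSV can be reviewed offline, for example to see which paths and clients account for the Flagged and Rejected entries before adjusting signatures or allowlist rules. The script below is an added example, not part of VMware Cloud Director or NSX Advanced Load Balancer; the column names and the sample rows are assumptions based on the fields the Logs tab displays, so adjust them to match the header row of a real export.

```python
import csv
import io
from collections import Counter, defaultdict

# Assumed column names, derived from the fields the Logs tab displays;
# change them to match the header row of your own export.
COL_IP, COL_URI, COL_WAF = "Client IP", "URI", "WAF Status"
FINDINGS = {"Flagged", "Rejected"}

# Constructed sample export (illustrative data only).
SAMPLE_CSV = """\
Timestamp,Client IP,URI,Request Type,Response Code,Size,Total Time (ms),WAF Status
2023-12-01T10:00:01Z,198.51.100.7,/login,POST,200,512,12,Passed
2023-12-01T10:00:02Z,198.51.100.7,/search?q=a,GET,200,2048,20,Flagged
2023-12-01T10:00:03Z,203.0.113.9,/search?q=b,GET,200,2051,18,Flagged
2023-12-01T10:00:04Z,203.0.113.9,/admin,GET,403,128,3,Rejected
2023-12-01T10:00:05Z,203.0.113.9,/admin,GET,403,128,2,Rejected
2023-12-01T10:00:06Z,192.0.2.44,/health,GET,200,16,1,Bypassed
2023-12-01T10:00:07Z,192.0.2.44,/index.html,GET,200,4096,9,
"""


def summarize(csv_text):
    """Count WAF statuses and group Flagged/Rejected entries by path and by client."""
    statuses = Counter()
    by_path = defaultdict(lambda: {"hits": 0, "clients": set()})
    by_client = defaultdict(Counter)
    for row in csv.DictReader(io.StringIO(csv_text)):
        # WAF status is only present when WAF is enabled; treat blanks as Not Applicable.
        status = (row.get(COL_WAF) or "").strip() or "Not Applicable"
        statuses[status] += 1
        if status in FINDINGS:
            path = row[COL_URI].split("?", 1)[0]  # drop the query string when grouping
            by_path[path]["hits"] += 1
            by_path[path]["clients"].add(row[COL_IP])
            by_client[row[COL_IP]][status] += 1
    return statuses, by_path, by_client


if __name__ == "__main__":
    statuses, by_path, by_client = summarize(SAMPLE_CSV)
    print("WAF status totals:", dict(statuses))
    # Paths hit by many distinct clients are worth reviewing first when tuning
    # signatures or allowlist rules; a single client with many hits stands out too.
    for path, info in sorted(by_path.items(), key=lambda kv: -kv[1]["hits"]):
        print(f"{path}: {info['hits']} findings from {len(info['clients'])} client(s)")
    for ip, counts in by_client.items():
        print(f"{ip}: {dict(counts)}")
```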
You can check the VMware Cloud Director 10.5.1 GA blog for more information about the other new features included in this release.