Configuring Distributed Firewall (Micro-segmentation) - NSX-T

Distributed Firewall

VMware Cloud Director supports a distributed firewall service for data center groups with an NSX-T Data Center network provider type. When you enable a distributed firewall for a data center group with an NSX-T Data Center network provider type, you create a single default security policy that is applied to the data center group. As an organization administrator, you can create and modify additional distributed firewall rules, which are associated with the data center group's default security policy. By using the distributed firewall, you can apply a set of Layer 3 firewall rules across a single data center group.

Activate distributed firewall to a Data Center Group

The distributed firewall service is not enabled by default. After enabling the distributed firewall, you can create IP sets and security groups to facilitate the creation of distributed firewall rules. The distributed firewall rules that you create apply only to the workloads that are attached to the data center group networks.

Note that activating the Distributed Firewall feature incurs additional cost for your vDC.

Example: activating distributed firewall in data center group

Add a Distributed Firewall Rule to a Data Center Group

To create distributed firewall rules and add them to a data center group, you must first create IP sets, static groups, or dynamic groups.


IP sets are groups of IP addresses and networks to which the distributed firewall rules apply. Combining multiple objects into IP sets helps you to reduce the total number of distributed firewall rules to be created.

Example: IP set

Static security groups are static groups of data center group networks to which distributed firewall rules apply.


Dynamic security groups are dynamic groups of data center group networks to which distributed firewall rules apply. As the criteria for inclusion in the group, add up to four rules that match either a VM name or a VM security tag.


The distributed firewall rules that you create apply only to workloads that are attached to the data center group networks. When creating a rule, specify the following fields:

Option

Description

Name

Enter a name for the rule.

State

To enable the rule upon creation, toggle on the State option.

Applications

(Optional) To select a specific port profile to which the rule applies, turn on the Applications toggle and click Save.

Context

(Optional) Select an NSX-T Data Center context profile for the rule.

Source

Select the source traffic and click Keep.

  • To allow or deny traffic from any source address, toggle on Any Source.

  • To allow or deny traffic from specific IP sets or security groups, select the IP sets and security groups from the list.

Destination

Select the destination traffic and click Keep.

  • To allow or deny traffic to any destination address, toggle on Any Destination.

  • To allow or deny traffic to specific IP sets or security groups, select the IP sets and security groups from the list.

Action

From the Action drop-down menu, select whether to allow or deny traffic from or to specific sources.

  • To allow traffic from or to the specified sources, destinations, and services, select Accept.

  • To block traffic from or to the specified sources, destinations, and services, select Deny.

IP Protocol

Select whether to apply the rule to IPv4 or IPv6 traffic.

Enable logging

To log the traffic that matches this rule, turn on the Enable logging toggle.
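To make the rule fields and grouping objects above concrete, the following is an added example (not Cloud Director code and not its API) that models IP sets, static groups, dynamic groups and ordered rules, then evaluates which rule decides a flow between two workloads. The VM names, addresses, tags and the "Accept" default action are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed model of the objects this page describes, not the Cloud Director API.
@dataclass
class VM:
    name: str
    ip: str
    tags: set = field(default_factory=set)

@dataclass
class DynamicGroup:
    criteria: list  # one to four of ("name", substring) or ("tag", tag), as on the page
    def __post_init__(self):
        if not 1 <= len(self.criteria) <= 4:
            raise ValueError("a dynamic group takes one to four criteria")
    def contains(self, vm):
        return any((k == "name" and v in vm.name) or (k == "tag" and v in vm.tags)
                   for k, v in self.criteria)

@dataclass
class Rule:
    name: str
    action: str            # "Accept" or "Deny"
    src: object = None     # None = Any Source; else CIDR list (IP set / static group) or DynamicGroup
    dst: object = None     # None = Any Destination
    ip_version: int = 4    # IP Protocol field
    enabled: bool = True   # State toggle
    logging: bool = False  # Enable logging toggle

def matches(obj, vm):
    if obj is None: return True                  # Any Source / Any Destination
    if isinstance(obj, DynamicGroup): return obj.contains(vm)
    addr = ipaddress.ip_address(vm.ip)           # IP sets and static groups modelled as CIDR lists
    return any(addr in ipaddress.ip_network(c, strict=False) for c in obj)

def evaluate(rules, src_vm, dst_vm, log, default="Accept"):
    """First enabled matching rule wins, top down; the default action is an assumption."""
    ver = ipaddress.ip_address(src_vm.ip).version
    for r in rules:
        if r.enabled and r.ip_version == ver and matches(r.src, src_vm) and matches(r.dst, dst_vm):
            if r.logging:
                log.append(f"{r.name}: {r.action} {src_vm.ip} -> {dst_vm.ip}")
            return r.action
    return default

# Constructed sample: three VMs on one data center group, two of them tagged by tier.
WEB, DB, APP = VM("web-01", "10.0.1.10", {"web"}), VM("db-01", "10.0.2.10", {"db"}), VM("app-01", "10.0.3.10")
RULES = [Rule("web-to-db", "Accept", DynamicGroup([("tag", "web")]), DynamicGroup([("tag", "db")])),
         Rule("deny-to-db", "Deny", None, ["10.0.2.0/24"], logging=True)]  # IP set for the DB subnet
```

Running `evaluate(RULES, APP, DB, log)` shows the untagged VM hitting the logged deny rule, while the web-tagged VM is accepted by the earlier dynamic-group rule.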
