VMware NSX firewall provides isolation and micro-segmentation to improve security within the data center. Three types of firewall exist in the VMware NSX architecture. VMware NSX Edge Firewall is installed as a virtual appliance and provides the same functionality as a physical perimeter firewall. In NSX terminology, the Edge Firewall protects north-south traffic as well as routing between physical VLANs that are connected to a distributed switch port group. If you are preparing for NSX certification, firewall configuration is part of each exam.

Inside the data center's network, NSX Distributed Firewall protects east-west traffic. The two firewalls above can be deployed together or separately. It is also important to mention the Service Composer, an NSX component that enables high-level automation within the NSX firewall through a feature called dynamic tagging. Firewalls are deployed by NSX Manager as part of the installation.

VMware NSX Firewall


VMware NSX Distributed Firewall

The distributed firewall allows you to create L2, L3, and L4 rules. By default, all network traffic is denied (the default deny-all rule). Any rules you create are placed above the default rule. When a packet is inspected, it is matched against the user-defined rules first, and the default deny-all rule at the bottom of the table catches anything that did not match. The distributed firewall is an integral part of every ESXi host, installed as a VIB on each host, and is designed to provide protection, isolation and micro-segmentation of east-west traffic.

Distributed Firewall takes advantage of micro-segmentation to apply security rules to various objects such as security tags, IP addresses, MAC addresses, virtual machines, port groups, logical switches, directories, clusters, and user accounts in Active Directory. The distributed firewall is a stateful firewall, which means it tracks the state of active connections and uses that information to decide which network packets are allowed through. Learning NSX gives more details about the NSX firewalls.

Design guidelines

  1. The distributed firewall is enforced on each virtual adapter (vNIC) of each individual virtual machine
  2. Components that NSX itself depends on (its control components) should be excluded from the distributed firewall in order to eliminate a circular dependency
  3. It is recommended that each application tier has its own separate logical switch

Service composer

The Service Composer serves as a static and dynamic generator of security rules and is an extension of the VMware NSX Distributed Firewall. First, the objects and services we want to protect are defined and mapped to specific security groups. Security groups are then mapped to virtual machines.

Security groups

The first step is to create a security group of the objects we want to protect. Groups can be static (referring to a single virtual machine) or dynamic, where membership can be determined in several ways:

  1. vCenter Objects (clusters, port groups, and data centers)
  2. Security tags, IP addresses, MAC addresses. For example, you can add a criterion that includes every member carrying the security tag AntiVirus.virusFound in the security group
  3. User accounts in Active Directory
  4. Regular expressions

It is important to know that membership in security groups is constantly changing. For example, a virtual machine tagged with AntiVirus.virusFound is moved to the Quarantine security group. When the virus is removed, the virtual machine is no longer part of that security group. Service composer profiles can be exported and imported as backups for use in other environments.
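As an added illustration (not VMware code or output), the following Python models the behaviour described above: dynamic security-group membership driven by a security tag, a vCenter cluster or a regex on the VM name, feeding a distributed-firewall rule table that is evaluated top-down with the default deny-all rule last. The group names, rule names and VM inventory are constructed for the example.

```python
import re
from dataclasses import dataclass, field
@dataclass
class VM:
    name: str
    cluster: str
    tags: set = field(default_factory=set)   # security tags, e.g. AntiVirus.virusFound
_CRITERIA = {  # dynamic membership criteria modelled here (a VM matches on any one)
    "tag": lambda value, vm: value in vm.tags,
    "cluster": lambda value, vm: vm.cluster == value,
    "name_regex": lambda value, vm: re.search(value, vm.name) is not None,
}
@dataclass
class SecurityGroup:
    name: str
    static_members: set = field(default_factory=set)  # VM names added by hand
    criteria: list = field(default_factory=list)      # [(kind, value), ...]

    def contains(self, vm):
        # Re-evaluated on every call, so a tag change moves the VM in or out at once
        if vm.name in self.static_members:
            return True
        return any(_CRITERIA[kind](value, vm) for kind, value in self.criteria)
@dataclass
class Rule:
    name: str
    src: str      # security group name or "any"
    dst: str
    service: str  # e.g. "tcp/8443" or "any"
    action: str   # "allow" or "block"

def evaluate(rules, groups, src_vm, dst_vm, service):
    """Top-down, first match wins; a packet that matches no user-defined rule
    falls through to the default deny-all rule at the bottom of the table."""
    for r in rules:
        src_ok = r.src == "any" or groups[r.src].contains(src_vm)
        dst_ok = r.dst == "any" or groups[r.dst].contains(dst_vm)
        if src_ok and dst_ok and r.service in ("any", service):
            return r.name, r.action
    return "default", "block"

# Constructed sample groups, rules and VMs (not from a real NSX deployment)
GROUPS = {g.name: g for g in [
    SecurityGroup("Web", criteria=[("name_regex", r"^web-")]),
    SecurityGroup("App", criteria=[("name_regex", r"^app-")]),
    SecurityGroup("Quarantine", criteria=[("tag", "AntiVirus.virusFound")])]}
RULES = [Rule("quarantine-isolate", "Quarantine", "any", "any", "block"),  # above app rules
         Rule("web-to-app", "Web", "App", "tcp/8443", "allow")]
WEB, APP = VM("web-01", "prod"), VM("app-01", "prod")
```

Tagging `web-01` with AntiVirus.virusFound makes it a Quarantine member, so the isolation rule above the application rules now blocks it; removing the tag restores the allow.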

Security policies

VMware NSX security policies are the collection of network and security services:

  1. Endpoint Services – Security Data and Anti-Virus
  2. Distributed firewalls
  3. Network traffic analysis services

Design guidelines

  1. VMware Tools should be installed on each virtual machine
  2. If you have several security groups to associate with policies, create a main security group that contains all of the sub-groups, then apply the most commonly used policies to the main security group so that the VMware NSX distributed firewall uses ESXi memory efficiently.

VMware Edge Gateway

VMware NSX Edge is a multi-functional network and security component that is part of the data and control layers, providing the following services: NAT, routing protocols (OSPF, iBGP, eBGP), firewall, load balancing, DHCP/DNS and VPN, with the primary focus on north-south traffic. As we can see, NSX Edge is used for much more than just a firewall service.

The Edge Firewall lets you set a default firewall policy, such as denying or allowing everything. You can also add specific firewall rules that take precedence over the default policy. The Edge Gateway firewall is used to create security rules at the perimeter of the network, such as building DMZ-based IP/VLAN sets or isolating organizations within the same virtual data center. All firewalls are included in the standard NSX license.

Design guidelines

  1. NSX Edge should be protected by High Availability. An anti-affinity rule must be created so that the NSX Edge virtual machines run on different ESXi hosts
  2. For increased network bandwidth, the administrator can deploy equal-cost multi-path (ECMP) routing as the high-availability model. ECMP supports a maximum of 8 Edge instances, which significantly increases the bandwidth and performance of the VMware NSX data center.