The distributed firewall allows you to segment organization virtual data center entities, such as virtual machines, based on virtual machine names and attributes.
VMware Cloud Director supports distributed firewall services on organization virtual data centers that are backed by NSX Data Center for vSphere. As described in the NSX Administration documentation, this distributed firewall is a hypervisor kernel-embedded firewall that provides visibility and control for virtualized workloads and networks. You can create access control policies based on objects like virtual machine names and on network constructs like IP addresses or IP set addresses. Firewall rules are enforced at the vNIC level of each virtual machine to provide consistent access control even when the virtual machine is moved to a new ESXi host by vSphere vMotion. This distributed firewall supports a micro-segmentation security model where East-West traffic can be inspected at near line rate processing.
As described in the NSX Administration documentation, for layer 2 (L2) packets, the distributed firewall creates a cache for performance boost. Layer 3 (L3) packets are processed in the following sequence:
- All packets are checked for an existing state.
- When a state match is found, the packets are processed.
- When a state match is not found, the packets are processed through the rules until a match is found.
- For TCP packets, a state is set only for packets with a SYN flag. However, rules that do not specify a protocol (service ANY), can match TCP packets with any combination of flags.
- For UDP packets, 5-tuple details are extracted from the packet. When a state does not exist in the state table, a new state is created using the extracted 5-tuple details. Subsequently received packets are matched against the state that was just created.
For ICMP packets, ICMP type, code, and packet direction are used to create a state.
The distributed firewall can help in creating identity-based rules as well. Administrators can enforce access control based on the user's group membership as defined in the enterprise Active Directory (AD). Some use cases for when you might use identity-based firewall rules are:
- Users accessing virtual applications using a laptop or mobile device where AD is used for user authentication
- Users accessing virtual applications using VDI infrastructure where the virtual machines are Microsoft Windows-based
For more detailed information about the capabilities provided by the NSX software's distributed firewall, see the NSX Administration documentation.