VMware Cloud Director supports a distributed firewall service for data center groups with an NSX-T Data Center network provider type.
When you enable a distributed firewall for a data center group with a NSX-T Data Center network provider type, you create a single default security policy that is applied to the data center group. As an organization administrator, you can create and modify additional distributed firewall rules which are associated with the data center group's default security policy.
The distributed firewall service is not enabled by default. After enabling the distributed firewall, you can create IP sets and security groups to facilitate the creation of distributed firewall rules.
Working with Dynamic Security Groups and VM Security Tags
Starting with VMware Cloud Director 10.3, you can create security groups with a dynamic membership that is based on VM characteristics, such as VM names and VM tags. You use dynamic groups to create distributed firewall rules and edge gateway firewall rules that are applied on a per-VM basis in a data center group networking context. By using dynamic security groups in distributed firewall rules, you can micro-segment network traffic and effectively secure the workloads in your organization.