The public IP address network service allows you to connect from the internet to a workload virtual machine (VM), a management appliance, or a load balancer running in your private cloud. For example, if you run a web server on a workload VM, you can serve web traffic to the internet over a public IP address. By default, the public IP network service is disabled.

Allocating a public IP address to a resource also provides the following benefits:

  • Distributed denial of service (DDoS) protection, enabled automatically for the public IP address.

  • Always-on traffic monitoring and real-time mitigation of common network-level attacks.

  • Attack mitigation at the scale of the global network, which distributes and absorbs attack traffic across regions instead of concentrating it at the edge of your private cloud.

Ideas to consider:

  • Permit only the Internet access that is actually required in the Compute Gateway Firewall: restrict source IPs/VMs, services, and destination IPs as tightly as possible.

  • Restrict outbound traffic with the Distributed Firewall (DFW) as well, following the standard approach of blocking traffic as close to its source as possible.

  • Apply IDS/IPS to outbound connections to detect known Command & Control (C&C) traffic and common attack signatures.

  • If virtual desktops are hosted in the SDDC, consider a proxy server for filtering and inspecting web traffic. In this model the desktops are blocked from reaching the Internet directly and only the proxy is permitted out, which adds URL filtering based on frequently updated lists and other criteria such as geo-location and site categorization.

  • The NSX L7 firewall, part of the Advanced Security add-on, can enforce that SSL/TLS connections use protocol versions and cipher suites that meet your minimum standard, closing off known attack vectors against weak encryption.

  • Block DNS traffic destined for Internet-based DNS servers and require all workloads to use internal DNS servers that you manage and patch. Log every query and block, or at least alert on, lookups of known C&C or malicious domains using lists that are updated frequently.
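The first two ideas (least-privilege egress rules, and a policy that ends in a deny) are easy to state and easy to get wrong in a rule set that has grown over time. The following is an added example, not code from the original page or from VMware: a small lint over a constructed first-match egress policy. The Rule shape, the field names, the addresses and the finding codes are all assumptions for illustration, not NSX's own rule schema or API. It flags allow rules with an unrestricted source or service, a blanket allow-all (and every rule it shadows), DNS egress from anything other than the internal resolvers (the last bullet), and a policy whose final rule is not an explicit default deny.

```python
# Added example (not from the original page): a least-privilege lint for a
# first-match egress policy. The Rule shape and field names are assumptions
# for illustration, not NSX's own rule schema or API.
from dataclasses import dataclass

ANY = "ANY"
INTERNAL_RESOLVERS = ("10.0.10.53/32", "10.0.10.54/32")   # constructed addresses
DNS_SERVICES = ("UDP/53", "TCP/53")


@dataclass(frozen=True)
class Rule:
    name: str
    sources: tuple        # CIDR strings, or (ANY,)
    destinations: tuple   # CIDR strings, or (ANY,)
    services: tuple       # "PROTO/port" strings, or (ANY,)
    action: str           # "ALLOW" or "DROP"


# Constructed policy; "desktops-dns-out" and "legacy-allow-all" are the
# deliberate mistakes the lint should catch.
EGRESS_POLICY = (
    Rule("web-servers-https-out", ("10.0.20.0/24",), (ANY,), ("TCP/443",), "ALLOW"),
    Rule("resolvers-dns-out", INTERNAL_RESOLVERS, (ANY,), DNS_SERVICES, "ALLOW"),
    Rule("desktops-dns-out", ("10.0.30.0/24",), (ANY,), ("UDP/53",), "ALLOW"),
    Rule("legacy-allow-all", (ANY,), (ANY,), (ANY,), "ALLOW"),
    Rule("default-deny", (ANY,), (ANY,), (ANY,), "DROP"),
)


def allows_dns(rule):
    """True if the rule can carry DNS, either explicitly or via an ANY service."""
    return ANY in rule.services or any(s in DNS_SERVICES for s in rule.services)


def lint_egress(policy):
    """Return (rule name, finding code) pairs for rules that violate the
    ideas above: unrestricted sources/services, a blanket Internet allow
    (and everything it shadows), DNS egress from non-resolvers, and a
    policy that does not end in an explicit default deny."""
    findings = []
    shadowed_by = None
    for rule in policy:
        if shadowed_by is not None:
            # First-match semantics: nothing after an allow-all is ever evaluated.
            findings.append((rule.name, "shadowed"))
            continue
        if rule.action != "ALLOW":
            continue
        if ANY in rule.sources and ANY in rule.destinations and ANY in rule.services:
            findings.append((rule.name, "allow-all"))
            shadowed_by = rule.name
            continue
        if ANY in rule.sources:
            findings.append((rule.name, "unrestricted-source"))
        if ANY in rule.services:
            findings.append((rule.name, "unrestricted-service"))
        if allows_dns(rule) and not set(rule.sources) <= set(INTERNAL_RESOLVERS):
            findings.append((rule.name, "dns-egress-from-non-resolver"))
    last = policy[-1]
    if not (last.action == "DROP" and ANY in last.sources
            and ANY in last.destinations and ANY in last.services):
        findings.append((last.name, "no-default-deny"))
    return findings


if __name__ == "__main__":
    for name, code in lint_egress(EGRESS_POLICY):
        print(f"{name}: {code}")
```

An unrestricted destination is deliberately not flagged on its own: an outbound rule to "the Internet" usually has to be destination-any, so the controls that matter are the source, the service, and the order of evaluation. Run against the constructed policy, the lint reports the desktop DNS rule, the legacy allow-all, and the default deny that the allow-all makes unreachable.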
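The logging half of the DNS control in the last bullet, as an added example that is not part of the original page: a small detector run over constructed query-log lines. The log format (timestamp, client IP, resolver IP, record type, queried name), the addresses, and the blocklisted domain names are all assumptions for this example. It flags queries sent to anything other than the internal resolvers, and lookups of a blocklisted domain or any subdomain of it, matching on whole labels so that a look-alike such as notc2-domain.example is not a false positive.

```python
# Added example (not from the original page): DNS query-log checks for the
# two controls above. Log format, addresses and domains are constructed.
from ipaddress import ip_address

# Constructed internal resolvers that every workload is supposed to use.
INTERNAL_RESOLVERS = {ip_address("10.0.10.53"), ip_address("10.0.10.54")}

# Constructed blocklist; a real deployment pulls a frequently refreshed feed.
BLOCKLIST = {"c2-domain.example", "malware-drop.example"}

# Constructed log: <timestamp> <client> <resolver> <type> <qname>
SAMPLE_LOG = """\
2024-05-01T12:00:01Z 10.0.20.7 10.0.10.53 A www.vendor-updates.example
2024-05-01T12:00:03Z 10.0.30.15 8.8.8.8 A cdn.example.net
2024-05-01T12:00:05Z 10.0.20.9 10.0.10.53 A beacon.c2-domain.example
2024-05-01T12:00:09Z 10.0.20.9 10.0.10.53 A C2-Domain.example.
2024-05-01T12:00:12Z 10.0.20.11 10.0.10.54 A notc2-domain.example
"""


def normalize(name):
    """Lower-case and strip the trailing dot so FQDN variants compare equal."""
    return name.rstrip(".").lower()


def blocklisted_parent(name, blocklist):
    """Return the blocklist entry that matches name exactly or as a parent
    domain (whole labels only), or None if nothing matches."""
    labels = normalize(name).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def parse_line(line):
    ts, client, resolver, rtype, qname = line.split()
    return {
        "ts": ts,
        "client": ip_address(client),
        "resolver": ip_address(resolver),
        "rtype": rtype,
        "qname": normalize(qname),
    }


def analyze(log_text, resolvers=INTERNAL_RESOLVERS, blocklist=BLOCKLIST):
    """Return (timestamp, client, finding, detail) tuples for each query that
    bypassed the internal resolvers or hit a blocklisted domain."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        q = parse_line(line)
        if q["resolver"] not in resolvers:
            findings.append((q["ts"], str(q["client"]), "external-resolver", str(q["resolver"])))
        hit = blocklisted_parent(q["qname"], blocklist)
        if hit:
            findings.append((q["ts"], str(q["client"]), "blocklisted-domain", hit))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(*finding)
```

An "external-resolver" finding is a policy gap as much as a detection: if the gateway firewall and DFW rules from the earlier bullets are in place, that query should never have left the SDDC, so the log line points at a rule that is missing or too broad.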