The VMware vDefend Firewall service enables your SDDC to use advanced NSX features.
To activate the vDefend Firewall service in your SDDC, open the Integrated Services tab and click ACTIVATE on the VMware vDefend Firewall card. After the service is activated, vDefend advanced security features become available in your SDDC.
You can find detailed documentation for all of these features in the NSX Product Documentation. There are a few operational differences between how the features work on on-premises NSX and how they work in VMware Cloud on AWS. For example, most of the procedures in the NSX Product Documentation include a step telling you to log in with admin privileges to an NSX Manager. This step isn't needed in VMware Cloud on AWS, since clicking OPEN NSX MANAGER or opening the Networking & Security tab gives you admin access to the NSX Manager in your SDDC. Other differences are listed in the following sections.
Using Context Profiles in the SDDC
In VMware Cloud on AWS, context profiles are supported only for use with Distributed Firewall rules. They cannot be used with MGW or CGW firewall rules.
You can specify a context profile in a distributed firewall rule by updating the value in the Profiles column of the Distributed Firewall grid. For more information, see Layer 7 Firewall Rule Workflow in the NSX Product Documentation.
Using Identity Firewall in the SDDC
- Enable the feature for one or more SDDC clusters: Before you can use this feature, you have to take the "Configure Identity Firewall settings" step in Manage Distributed Firewall Rules to enable the feature and apply it to one or more SDDC clusters.
- Create a firewall rule to allow Active Directory access: If you're using Active Directory, you'll also need to create a Management Gateway Firewall rule to allow NSX to access the Active Directory server you want to use. This feature doesn't work if access to Active Directory is interrupted in your SDDC, so it's important to make sure that the firewall rule you create here remains valid in the face of changes to the Active Directory server. For more information, see Add an Active Directory in the NSX Product Documentation.
- Logging: In VMware Cloud on AWS, events generated by this feature are logged to VMware Aria Operations for Logs.
Using Distributed FQDN Filtering in the SDDC
In VMware Cloud on AWS, Distributed FQDN filtering is supported only for use with Distributed Firewall rules. It cannot be used with MGW or CGW firewall rules. To use this feature, start by adding a DNS snooping rule, described in Filtering Specific Domains (FQDN/URLs), as the first rule in the policy. You must also enable the predefined FQDNfiltering-spoofguard-profile segment profile for all segments on which you want to support FQDN filtering. See Create or Modify a Network Segment for information about applying a segment profile to an SDDC network segment.
Deactivating the VMware vDefend Firewall Service
Before you can deactivate the service, you must remove the following objects from your SDDC:
- All distributed firewall rules that include a context profile
- All identity-based firewall rules
- Open the Integrated Services tab in your SDDC.
- On the VMware vDefend Firewall card, click .
- Review the list of objects that must be removed prior to deactivation. When you are sure that the objects have been removed, click CONFIRM DEACTIVATION.
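The constraints spread across the sections above (context profiles only in Distributed Firewall rules, FQDN filtering only in DFW with the DNS snooping rule first and the FQDNfiltering-spoofguard-profile on every affected segment, and the objects that block deactivation) are easy to violate when rules are managed as code. The following Python pre-flight checker is an added example, not VMware's or NSX's code: it runs over a constructed, simplified rule set (the Rule dataclass and the "dfw"/"mgw"/"cgw" scope labels are assumptions for illustration, not the NSX Policy API schema) and reports each violation before anything is pushed to the SDDC.

```python
"""Pre-flight checks for a VMware Cloud on AWS firewall rule set.
Added example; the Rule shape below is a simplification, not the NSX API."""
from dataclasses import dataclass, field

# Predefined segment profile named in the FQDN filtering section.
FQDN_SEGMENT_PROFILE = "FQDNfiltering-spoofguard-profile"


@dataclass
class Rule:
    name: str
    scope: str                       # "dfw" (Distributed Firewall), "mgw" or "cgw" (gateway)
    context_profiles: list[str] = field(default_factory=list)
    fqdn_filtering: bool = False     # rule matches on FQDN/URL
    dns_snooping: bool = False       # this rule is the DNS snooping rule itself
    identity_based: bool = False     # source/destination is an Active Directory group
    applied_segments: list[str] = field(default_factory=list)


def check_context_profiles(rules):
    """Context profiles are supported only in DFW rules, never in MGW or CGW rules."""
    return [f"{r.scope}/{r.name}: context profile not supported outside the Distributed Firewall"
            for r in rules if r.context_profiles and r.scope != "dfw"]


def check_fqdn_filtering(policies, segment_profiles):
    """policies: {policy_name: [Rule, ...]} in evaluation order.
    segment_profiles: {segment_name: [profile names enabled on that segment]}."""
    problems = []
    for pname, rules in policies.items():
        fqdn_rules = [r for r in rules if r.fqdn_filtering]
        if not fqdn_rules:
            continue
        # The DNS snooping rule must be the first rule of any policy that filters on FQDN.
        if not (rules and rules[0].dns_snooping):
            problems.append(f"{pname}: DNS snooping rule must be the first rule in the policy")
        for r in fqdn_rules:
            if r.scope != "dfw":
                problems.append(f"{pname}/{r.name}: FQDN filtering is only supported in DFW rules")
            for seg in r.applied_segments:
                if FQDN_SEGMENT_PROFILE not in segment_profiles.get(seg, []):
                    problems.append(f"{pname}/{r.name}: segment {seg} lacks {FQDN_SEGMENT_PROFILE}")
    return problems


def deactivation_blockers(rules):
    """Rules that must be removed before the vDefend Firewall service can be deactivated:
    DFW rules carrying a context profile, and every identity-based rule."""
    return sorted(r.name for r in rules
                  if (r.scope == "dfw" and r.context_profiles) or r.identity_based)


# Constructed sample data (not taken from any real SDDC).
SAMPLE_POLICIES = {
    "dfw-web": [
        Rule("dns-snoop", "dfw", dns_snooping=True, applied_segments=["app-seg"]),
        Rule("allow-updates", "dfw", fqdn_filtering=True, applied_segments=["app-seg", "db-seg"]),
        Rule("l7-ssh-only", "dfw", context_profiles=["SSH"]),
        Rule("finance-users", "dfw", identity_based=True),
    ],
    "cgw-edge": [
        Rule("bad-l7-on-cgw", "cgw", context_profiles=["HTTP"]),
        Rule("bad-fqdn-on-cgw", "cgw", fqdn_filtering=True),
    ],
}
SAMPLE_SEGMENT_PROFILES = {
    "app-seg": [FQDN_SEGMENT_PROFILE],
    "db-seg": [],                    # profile not enabled here: will be reported
}


def run_checks(policies=SAMPLE_POLICIES, segment_profiles=SAMPLE_SEGMENT_PROFILES):
    """Run all checks and return the findings grouped by kind."""
    all_rules = [r for rules in policies.values() for r in rules]
    return {
        "context_profile_errors": check_context_profiles(all_rules),
        "fqdn_errors": check_fqdn_filtering(policies, segment_profiles),
        "deactivation_blockers": deactivation_blockers(all_rules),
    }


if __name__ == "__main__":
    for kind, items in run_checks().items():
        print(kind)
        for item in items:
            print("  -", item)
```

On the sample data the checker flags the context profile on the CGW rule, the CGW FQDN rule and its policy's missing DNS snooping rule, the db-seg segment without the spoofguard profile, and lists l7-ssh-only and finance-users as the rules that must go before the service can be deactivated. Note that the CGW rule with a context profile is rejected outright rather than listed as a deactivation blocker, because such a rule cannot exist in a valid SDDC configuration.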