In this example, your goal is to create a Distributed Firewall policy in NSX-T Data Center to secure Pod-to-Pod traffic in the Enterprise Human Resource application, which is running in a single Antrea container cluster.

Let us assume that the Pod workloads in the Antrea container cluster are running Web, App, and Database microservices of the Enterprise Human Resource application. You have added Antrea groups in your NSX-T environment by using Pod-based membership criteria, as shown in the following table.

Antrea Group Name Membership Criteria


Pod Tag Equals Web Scope Equals HR


Pod Tag Equals App Scope Equals HR


Pod Tag Equals DB Scope Equals HR

Your objective is to create a security policy in the Application category with three firewall rules, as follows:
  • Allow all traffic from HR-Web group to HR-App group.
  • Allow all traffic from HR-App group to HR-DB group.
  • Reject all traffic from HR-Web to HR-DB group.


Antrea container cluster is registered to NSX-T Data Center.


  1. From your browser, log in to an NSX Manager at https://nsx-manager-ip-address.
  2. Click the Security tab, and then under Policy Management, click Distributed Firewall.
    The Category Specific Rules page is displayed.
  3. Make sure that you are in the Application category.
  4. Click Add Policy and enter a policy name.
    For example, enter EnterpriseHRPolicy.
  5. In the Applied To of the policy, select the Antrea container cluster where the Pod workloads of the Enterprise Human Resource application are running.
  6. Publish the policy.
  7. Select the policy name, and click Add Rule.
    Configure three firewall rules, as shown in the following table.
    Rule Name Rule ID Sources Destinations Services Applied To Action
    Web-to-App 1022 HR-Web N/A Any HR-App Allow
    App-to-DB 1023 HR-App N/A Any HR-DB Allow
    Web-to-DB 1024 HR-Web N/A Any HR-DB Reject

    The rule IDs in the table are only sample values for this example. The rule IDs can vary in your NSX-T environment.

  8. Publish the rules.


When the policy is realized successfully, the following results occur in the Antrea container cluster:
  • A Cluster Network Policy is created.
  • Rules 1022, 1023, and 1024 are enforced in the container cluster in that order.
  • For each firewall rule, a corresponding Ingress rule is created in the Cluster Network Policy.