NSX Security Deployment Workflow for On-Premises Environment

To benefit all the NSX Security features, you must deploy the NSX Management Plane in an on-premises environment.

After NSX-T is installed, configure the system for different security features. The workflow in this guide includes minimal deployment and configuration instructions required to set up the security features. For more detailed instructions for each feature, see NSX-T Data Center Installation Guide and NSX-T Data Center Administration Guide.

NSX Firewall – for all Deployment Options

NSX Firewall provides different security controls like Distributed Firewall, Distributed IDS/IPS, Distributed Malware Prevention, and Gateway Firewall as an option to provide firewalling to different deployment scenarios.

A typical data center can have different workloads like VMs, Containers, Physical Server, and a mix of NSX managed and non-managed workloads. These workloads can have a combination of a VLAN-based network or an NSX-based overlay network.

The following diagram summarizes different data center deployment scenarios and associated NSX firewall security controls, which best fits the design. You can use the same NSX Manager as a single pane of glass to define the security policies for all these different scenarios using different security controls.

The diagram summarizes different data center deployment scenarios and associated NSX firewall security controls, which best fits the design.

NSX Managed Workloads with Standard VLAN based Networking:
NSX distributed firewalling capability can be used to protect NSX managed VMs and Physical Server workloads.
NSX Managed Workloads with NSX Overlay for Networking:
- NSX Distributed Firewall can be used to protect NSX managed VMs, Containers (using NSX container plug-in), and Physical Server workloads from East-West traffic perspective. This can be used for Zone-segmentation, Application-segmentation, and Micro-segmentation with both L3-L7 firewalling and IDS/IPS capabilities.
- NSX Gateway Firewall can be used as inter-tenant/zone firewall from North-South perspective, along with the distributed firewall.
Non-NSX Managed Workloads on Traditional VLAN based Network:
NSX gateway firewalling capability can provide the inter VLAN routing and firewalling. The Service Interface on NSX tier-1 gateway or external interface on the tier-0 gateway is used as a gateway and firewall for all the non-NSX managed VLAN workloads.

Basic Deployment Workflow


Action	Description	Details
Deploy the NSX Management Plane	Download the NSX Manager OVA Deploy the NSX Manager appliance	Deploying NSX Management Plane
Configure for NSX Distributed Security	Distributed Security for VMs Distributed Security for Physical Server	Preparing for Distributed Security
Configure for NSX Gateway Security	Gateway Security for VMs or Physical Server Gateway Security for VM with NSX Network Virtualization (Overlay)	Preparing For Gateway Security

This guide does not cover advanced features supported by NSX Firewall. For more detailed instructions for each feature, see NSX-T Data Center Administration Guide.