You can install Distributed Security only for a vSphere Distributed Switch (VDS).
Installing Distributed Security for VDS provides the NSX security capabilities such as:
- Distributed Firewall (DFW)
- Distributed IDS/IPS
- Identity Firewall
- L7 App ID
- Fully Qualified Domain Name (FQDN) Filtering
- NSX Intelligence
- NSX Malware Prevention
- NSX Guest Introspection
For details about installing Distributed Security for VDS, see Install Distributed Security for vSphere Distributed Switch.
Installation Process
When you install Distributed Security, configuration changes occur only in NSX and there are no changes in VMware vCenter. The details of the VDS are discovered and the following objects are automatically created in NSX to represent the VDS details:
- A transport node profile for each cluster.
- A host switch for each VDS.
- A VLAN transport zone for each VDS.
These objects are system-generated and are not configurable or editable.
Also, as part of the VDS discovery, the Distributed Virtual port groups (DVPG) and DVports of the VDS are created as objects in NSX. For more details, see Distributed Port Groups.
Any changes made to the VDS in VMware vCenter are automatically updated in NSX.
vMotion of VMs Between Clusters With or Without Distributed Security
When you vMotion a VM from a cluster without Distributed Security to a cluster with Distributed Security, the security policies of the cluster with Distributed Security are applied to the VM.
Conversely, when you vMotion a VM from a cluster with Distributed Security to a cluster without Distributed Security, the security policies are removed.
How Upgrades to VDS Affects Distributed Security
Upgrading a VDS with Distributed Security may cause temporary disruptions to the DFW.
VDS Upgrade Path | Effect on Distributed Security |
---|---|
When upgrading from VDS 6.6 to any version before VDS 7.0.3. | There are no disruptions to the DFW. |
When upgrading from VDS 6.6, 7.0, or 7.0.2 to VDS 7.0.3. | The DFW policies on the VDS are not enforced for a brief moment on each host during the upgrade process due to a data plane outage which occurs on the host while the upgrade is in progress. The VDS upgrade is performed concurrently across all hosts, so the overall outage period for any cluster is not significant.
Note: During the upgrade process, the DFW policies are not changed, they are only not enforced.
After the upgrade process is complete on the host, the DFW policies are reinforced on the host. |