NSX supports the creation of policies when setting up multi-tenancy in your environment.

The firewall rules of a Project apply only to the VMs in the Project, that is, VMs connected to the networks in the Project. The rules within a Project, including rules whose Applied To is set to DFW (that is, ANY), do not affect workloads outside the Project.
Note: The grouping and the firewall rules from the /infra space apply to every VM in the NSX deployment, including those in the Projects. For instance, a group based on a tag includes all VMs with the same tag as members, both from within and outside the Project.

Distributed Firewall for Projects

The Emergency, Infrastructure, Environment, and Application DFW categories are supported for projects within the Org. The /infra policies have the highest precedence followed by the Project policies. The DFW rules from the /infra space can extend to a Project.

  • Rules created under the /infra space apply by default to all workloads in the environment.
    • To define the scope of your rules, select the appropriate option for Applied To, on the NSX UI. For instance, you can restrict the rules to a specific workload by using the Applied To option.
    • You can also use the Applied To option for groups created under the /infra space, or for the Project default groups (ORG-default-PROJECT-<project-name>) that are generated by the system and contain all VMs of the Project.
  • The following applies to groups created in the /infra space:
    • Dynamic Membership evaluates all VMs of the system, including VMs in a Project. For example, if a Group membership includes all VMs tagged with web, the group will include VMs with the web tag both within and outside the Project.
    • For Static Membership, you can add workloads connected to a Project either by explicitly referring to the VMs (Members > Virtual Machines) or by using the Project default Groups (ORG-default-PROJECT-<project-name>). Other resources created under a Project are not supported by Groups in the /infra space.

Default Rules

At Project creation, a default security policy is created within the Project at the bottom of the policy list in the Application category. The default policy defines the behaviour for VMs within the Project when no other rule matches.

The default policy contains the following rules:

  • Rules allowing communication to DHCP.

    (src:ANY dst:ANY services:DHCP Client|DHCP Server Action Allow)

  • Rules allowing communication between workloads within the Project.

    (src:Project default groups (ORG-default-PROJECT-<project-name>) dst:Project default groups (ORG-default-PROJECT-<project-name>) services:ANY Action Allow)

  • Rules denying all other communication.

    (src:ANY dst:ANY services:ANY Action Deny)

The default policy ensures that VMs within a Project can only reach other VMs in the same Project (and DHCP). Communication with VMs outside the Project or with other system-created IP addresses is blocked and can only be allowed by adding rules or modifying rules in the default security policy.

Add Distributed Firewall for Projects

For Project policies, when the scope is set to Any, the policies are limited to that Project. Project rules have access only to groups in the Project and to groups that have been shared with the Project.

Apply security policies by making the following API call:
PATCH /policy/api/v1/orgs/default/projects/<project-id>/infra/domains/default/security-policies/<security-policy-id>

Sample request:

URL:
PATCH https://{{nsx-manager-ip}}/policy/api/v1/orgs/default/projects/project-1/infra/domains/default/security-policies/web-db
Body:
{
  "resource_type": "SecurityPolicy",
  "description": "web-db",
  "display_name": "web-db",
  "rules": [
    {
      "resource_type": "Rule",
      "description": "web-db-rule-1",
      "display_name": "web-db-rule-1",
      "sequence_number": 1,
      "source_groups": [
        "/orgs/default/projects/project-1/infra/domains/default/groups/group-1"
      ],
      "destination_groups": [
        "/orgs/default/projects/project-1/infra/domains/default/groups/group-1"
      ],
      "services": ["/infra/services/HTTP"],
      "action": "ALLOW",
      "_revision": 0
    }
  ],
  "sequence_number": 1,
  "_revision": 0
}
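The same PATCH call, as an added Python example that is not from the NSX documentation: it builds the URL and body for a Project security policy in the shape of the sample above, refuses rules that reference a group outside the Project (except for /infra groups the caller lists as shared with it, which is an assumed way of expressing sharing), and sends the request with HTTP basic auth. The manager address and credentials in send_patch are placeholders.

```python
import base64
import json
import urllib.request

ORG, DOMAIN = "default", "default"  # ids used in the page's sample URL

def project_group_path(project_id, group_id):
    """Policy path of a Group in the Project's own tree."""
    return f"/orgs/{ORG}/projects/{project_id}/infra/domains/{DOMAIN}/groups/{group_id}"

def make_rule(name, seq, src, dst, services, action="ALLOW"):
    """Rule object in the shape of the page's sample body."""
    return {"resource_type": "Rule", "display_name": name, "description": name,
            "sequence_number": seq, "source_groups": src, "destination_groups": dst,
            "services": services, "action": action, "_revision": 0}

def check_rule_scope(project_id, rule, shared_infra_groups=()):
    """A Project rule may reference only ANY, the Project's own groups, or /infra
    groups shared with it (the shared set is an assumed input). Rejecting anything
    else before sending stops a typo from pointing at another tenant's group."""
    own_prefix = project_group_path(project_id, "")
    for key in ("source_groups", "destination_groups"):
        for path in rule.get(key, ["ANY"]):
            if path == "ANY" or path.startswith(own_prefix) or path in shared_infra_groups:
                continue
            raise ValueError(f"{rule['display_name']}: {key} references {path}, "
                             f"which is outside project {project_id}")

def build_policy_patch(project_id, policy_id, rules, shared_infra_groups=()):
    """Return (url_path, body) for PATCH .../security-policies/<policy_id>."""
    for rule in rules:
        check_rule_scope(project_id, rule, shared_infra_groups)
    url = (f"/policy/api/v1/orgs/{ORG}/projects/{project_id}/infra/domains/{DOMAIN}"
           f"/security-policies/{policy_id}")
    body = {"resource_type": "SecurityPolicy", "display_name": policy_id,
            "description": policy_id, "rules": rules, "sequence_number": 1, "_revision": 0}
    return url, body

def send_patch(manager, user, password, url, body):
    """PATCH the body to NSX Manager over HTTP basic auth (credentials are placeholders)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"https://{manager}{url}", data=json.dumps(body).encode(), method="PATCH",
        headers={"Content-Type": "application/json", "Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req) as resp:
        return resp.status  # 200 on success
```

Call build_policy_patch first so the scope check runs before anything reaches the manager; pass the returned url and body to send_patch.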