VMs connected to an NSX overlay or VLAN segment can be protected through the NSX Distributed Firewall (DFW). Because DFW enforcement sits in the packet path of every protected vNIC, the protection it adds must be weighed against the latency and throughput requirements of the application.

NSX DFW provides stateful protection of workloads through hypervisor-level firewall enforcement. NSX host preparation activates the DFW with a default rule set to 'allow', so VM-to-VM communication continues unchanged until explicit rules are written.

At the ESXi level, exclude data plane vNICs from the NSX DFW so that no unnecessary DFW filter is applied to them; the filter adds per-packet processing that can reduce data plane throughput.

This does not require deactivating the DFW at the global scope; instead, it can be done at the logical port or logical switch level. The NSX DFW supports an Exclusion List that removes a logical port, logical switch, or NSGroup from firewall rule enforcement.

NSGroups can contain a combination of IP sets, MAC sets, logical ports, logical switches, and other NSGroups. By adding only the data plane intensive logical ports or logical switches to the DFW Exclusion List, you ensure that only those ports and switches bypass the DFW. The DFW rules remain active for other workloads, which continue to benefit from micro-segmentation. Keep the management and control plane vNICs of the same VM out of the Exclusion List: an excluded port receives no DFW protection at all.
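The script below is an added example, not VMware's code or the procedure from the NSX Administration Guide. It shows how a platform team can keep the Exclusion List scoped to the data plane ports: new members are validated against the three object kinds the list accepts, merged with the existing members rather than replacing them, and audited against an approved set so that a management vNIC or a whole logical switch added by mistake is caught. It assumes the NSX-T Manager API resource /api/v1/firewall/excludelist, whose ExcludeList object carries a _revision and a members array of ResourceReference objects with target_id and target_type; the sample list and identifiers are constructed, and nothing is sent to a manager unless the caller chooses to send the built request.

```python
"""Scope the NSX-T DFW Exclusion List to data plane vNICs.

Added example, not VMware's code.  Assumptions not stated on the page:
the NSX-T Manager API resource /api/v1/firewall/excludelist, whose
ExcludeList object has "_revision" and a "members" array of
ResourceReference objects ({"target_id", "target_type"}).  The sample
exclusion list below is constructed for offline use.
"""
import base64
import json
import urllib.request

# Object kinds the page says the Exclusion List accepts.
ALLOWED_TYPES = {"LogicalPort", "LogicalSwitch", "NSGroup"}

# Constructed sample of a GET /api/v1/firewall/excludelist response.
SAMPLE_EXCLUDE_LIST = {
    "_revision": 3,
    "members": [
        {"target_id": "lp-dataplane-vnic-1", "target_type": "LogicalPort"},
    ],
}


def make_ref(target_id, target_type):
    """Build a ResourceReference; reject types the list does not take."""
    if target_type not in ALLOWED_TYPES:
        raise ValueError(
            f"{target_type!r} cannot be placed on the DFW Exclusion List; "
            f"use one of {sorted(ALLOWED_TYPES)}"
        )
    return {"target_id": target_id, "target_type": target_type}


def merge_members(current, additions):
    """Union of current and new members, order preserved, no duplicates.

    A PUT replaces the whole list, so merging protects the exclusions
    that other teams already depend on.
    """
    seen, merged = set(), []
    for ref in list(current) + list(additions):
        key = (ref["target_id"], ref["target_type"])
        if key not in seen:
            seen.add(key)
            merged.append({"target_id": key[0], "target_type": key[1]})
    return merged


def audit_exclusions(members, approved_ids):
    """Return members whose target_id is not on the approved data plane list.

    An excluded object receives no DFW protection, so a management vNIC
    or an entire logical switch that slipped in is a silent loss of
    micro-segmentation and should be reported.
    """
    return [ref for ref in members if ref["target_id"] not in approved_ids]


def build_put_payload(members, revision):
    """Body for PUT /api/v1/firewall/excludelist; revision avoids lost updates."""
    return {"_revision": revision, "members": members}


def build_put_request(manager, user, password, payload):
    """urllib Request for the PUT (assumed endpoint); caller decides whether to send it."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return urllib.request.Request(
        f"https://{manager}/api/v1/firewall/excludelist",
        data=json.dumps(payload).encode(),
        method="PUT",
        headers={"Authorization": f"Basic {token}",
                 "Content-Type": "application/json"},
    )


if __name__ == "__main__":
    # Exclude one more data plane port; the VM's management vNIC is not listed.
    new = [make_ref("lp-dataplane-vnic-2", "LogicalPort")]
    members = merge_members(SAMPLE_EXCLUDE_LIST["members"], new)
    approved = {"lp-dataplane-vnic-1", "lp-dataplane-vnic-2"}
    print("unexpected exclusions:", audit_exclusions(members, approved))
    payload = build_put_payload(members, SAMPLE_EXCLUDE_LIST["_revision"])
    print(json.dumps(payload, indent=2))
```

Run the audit on every GET of the list, not only before a change: drift into the Exclusion List is invisible in the DFW rule table, because excluded objects simply stop matching any rule.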

Note:
For more details about configuring the NSX Distributed Firewall, see the NSX Administration Guide.