The NSX Distributed Firewall is used to protect all management applications attached to application virtual networks. To secure the ROBO SDDC, only other solutions in the ROBO SDDC and approved administration IPs can directly communicate with individual components. External-facing portals are accessible via a load balancer virtual IP (VIP). This simplifies the design by having a single point of administration for all firewall rules. The firewall on individual ESGs is set to allow all traffic. The exception is ESGs that provide ECMP services, which require the firewall to be disabled.

Table 1. Firewall Design Decisions

| Decision ID | Design Decision | Design Justification | Design Implications |
|---|---|---|---|
| ROBO-VI-SDN-019 | For all ESGs deployed as load balancers, set the default firewall rule to allow all traffic. | Restricting and granting access is handled by the distributed firewall. The default firewall rule does not have to do it. | Explicit rules to allow or deny access to management applications and tenant workloads must be defined in the distributed firewall. |
| ROBO-VI-SDN-020 | For all ESGs deployed as ECMP north/south routers, disable the firewall. | Use of ECMP on the ESGs is a requirement. Leaving the firewall enabled, even in allow all traffic mode, results in sporadic network connectivity. | Services such as NAT and load balancing cannot be used when the firewall is disabled. |
| ROBO-VI-SDN-021 | Configure the Distributed Firewall to limit access to administrative interfaces on the management virtual applications. | To ensure only authorized administrators can access the administrative interfaces of management applications. | Maintaining firewall rules adds administrative overhead. |
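
One way to audit an environment against the three decisions in Table 1, added here as an example and not taken from the design documentation. The inventory, its field names, the rule names and the addresses are all constructed for illustration; the script does not call the NSX API and assumes the configuration has already been exported into this shape.

```python
import ipaddress

# Constructed sample inventory; field names are assumptions, not the NSX API schema.
APPROVED = ["10.10.5.0/28", "192.168.11.0/24"]  # admin IPs and other SDDC solutions
ESGS = [
    {"name": "esg-lb-01", "role": "load_balancer", "firewall_enabled": True, "default_action": "accept", "services": ["load_balancer"]},
    {"name": "esg-ecmp-01", "role": "ecmp", "firewall_enabled": False, "default_action": None, "services": []},
    {"name": "esg-ecmp-02", "role": "ecmp", "firewall_enabled": True, "default_action": "accept", "services": ["nat"]},
]
DFW_ADMIN_RULES = [  # distributed firewall rules covering administrative interfaces
    {"name": "admin-ui-ops", "sources": ["10.10.5.0/29"], "port": 443, "action": "allow"},
    {"name": "admin-ssh-any", "sources": ["any"], "port": 22, "action": "allow"},
]

def audit_esgs(esgs):
    """Check ESG firewall state against ROBO-VI-SDN-019 and ROBO-VI-SDN-020."""
    findings = []
    for e in esgs:
        if e["role"] == "load_balancer":
            # Load balancing needs the firewall enabled; the default rule allows all.
            if not e["firewall_enabled"] or e["default_action"] != "accept":
                findings.append((e["name"], "ROBO-VI-SDN-019", "default rule must allow all traffic"))
        elif e["role"] == "ecmp":
            if e["firewall_enabled"]:
                findings.append((e["name"], "ROBO-VI-SDN-020", "firewall must be disabled"))
            # NAT and load balancing cannot be used once the firewall is disabled.
            blocked = sorted(set(e["services"]) & {"nat", "load_balancer"})
            if blocked:
                findings.append((e["name"], "ROBO-VI-SDN-020", "unavailable services configured: " + ", ".join(blocked)))
    return findings

def audit_admin_rules(rules, approved):
    """Flag allow rules whose sources fall outside the approved networks (ROBO-VI-SDN-021)."""
    nets = [ipaddress.ip_network(a) for a in approved]
    findings = []
    for r in rules:
        if r["action"] != "allow":
            continue
        for src in r["sources"]:
            ok = src != "any" and any(ipaddress.ip_network(src).subnet_of(n) for n in nets)
            if not ok:
                findings.append((r["name"], "ROBO-VI-SDN-021", f"source {src} is not an approved network"))
    return findings

if __name__ == "__main__":
    for finding in audit_esgs(ESGS) + audit_admin_rules(DFW_ADMIN_RULES, APPROVED):
        print(*finding, sep=": ")
```
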