The NSX Distributed Firewall is used to protect all management applications attached to application virtual networks. To secure the SDDC, only other solutions in the SDDC and approved administration IPs can directly communicate with individual components. External facing portals are accessible via a load balancer virtual IP (VIP).

This simplifies the design by having a single point of administration for all firewall rules. The firewall on individual ESGs is set to allow all traffic. An exception are ESGs that provide ECMP services, which require the firewall to be disabled.

Table 1. Design Decisions on Firewall Configuration

Decision ID

Design Decision

Design Justification

Design Implications


For all ESGs deployed as load balancers, set the default firewall rule to allow all traffic.

Restricting and granting access is handled by the distributed firewall. The default firewall rule does not have to do it.

Explicit rules to allow access to management applications must be defined in the distributed firewall.


For all ESGs deployed as ECMP North-South routers, disable the firewall.

Use of ECMP on the ESGs is a requirement. Leaving the firewall enabled, even in allow all traffic mode, results in sporadic network connectivity.

Services such as NAT and load balancing cannot be used when the firewall is disabled.


Configure the Distributed Firewall to limit access to administrative interfaces in the management cluster.

Only authorized administrators can access the administrative interfaces of management applications.

Maintaining firewall rules adds administrative overhead.