SDDC administrators configure NSX features to provide network isolation and segmentation in the data center.
Isolation is the foundation of most network security, whether for compliance, containment, or isolation of development, test, and production environments. Traditionally, ACLs, firewall rules, and routing policies are used to establish and enforce isolation and multitenancy. With network virtualization, support for those properties is inherently provided. Using VXLAN technology, virtual networks are isolated from other virtual networks and from the underlying physical infrastructure by default, delivering the security principle of least privilege. Virtual networks are created in isolation and remain isolated unless explicitly connected. No physical subnets, VLANs, ACLs, or firewall rules are required to enable isolation.
Network segmentation is related to isolation, but is applied in a multitier virtual network. Traditionally, network segmentation is a function of a physical firewall or router, designed to allow or deny traffic between network segments or tiers. When segmenting traffic between Web, application, and database tiers, traditional configuration processes are time consuming and highly prone to human error, resulting in a large percentage of security breaches. Implementation requires expertise in device configuration syntax, network addressing, and application ports and protocols.
Network virtualization simplifies building and testing configurations of network services to produce proven configurations that can be programmatically deployed and duplicated throughout the network to enforce segmentation. Network segmentation, like isolation, is a core capability of NSX network virtualization.
Microsegmentation isolates traffic at the vNIC level by using distributed routers and distributed firewalls. Access controls enforced at the vNIC provide increased efficiency over rules enforced on the physical network. You can use the NSX distributed firewall to implement microsegmentation for a three-tier application, for example, web server, application server, and database, where multiple organizations might share the same logical network topology.
To achieve the strictest security settings, apply a zero-trust model when configuring security policies. A zero-trust model denies access to resources and workloads unless specifically permitted by a policy. In this model, traffic must be whitelisted to be allowed. Be certain to allow essential infrastructure traffic. By default, NSX Manager, NSX Controllers, and NSX Edge service gateways are excluded from distributed firewall functions. vCenter Server systems are not excluded; explicitly allow their traffic before applying such a policy to prevent lockout.
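The following is an added illustration, not VMware code and not the NSX API: a minimal model of a first-match distributed firewall rule table for the three-tier application above, ending in a zero-trust default deny, plus a check for the vCenter lockout hazard. Group membership, addresses, ports and rule names are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    name: str
    src: str              # security group name, or "any"
    dst: str
    dport: Optional[int]  # None means any destination port
    action: str           # "allow" or "deny"

# Constructed security-group membership (vNIC addresses), standing in for NSX
# security groups; "any" matches every address.
GROUPS = {
    "web": {"10.0.1.10", "10.0.1.11"},
    "app": {"10.0.2.10"},
    "db": {"10.0.3.10"},
    "vcenter": {"10.0.0.5"},   # vCenter is NOT excluded from the DFW by default
    "any": None,
}

# Zero-trust policy for the three-tier app: infrastructure allow first,
# then only the tier-to-tier flows the application needs, then deny everything.
THREE_TIER_POLICY = [
    Rule("infra-vcenter", "any", "vcenter", None, "allow"),
    Rule("client-to-web", "any", "web", 443, "allow"),
    Rule("web-to-app", "web", "app", 8443, "allow"),
    Rule("app-to-db", "app", "db", 3306, "allow"),
    Rule("default-deny", "any", "any", None, "deny"),
]

def member(group: str, ip: str) -> bool:
    return GROUPS[group] is None or ip in GROUPS[group]

def evaluate(policy, src_ip: str, dst_ip: str, dport: int):
    """First matching rule wins. Models connection initiation only; the
    stateful return traffic the DFW permits automatically is not modelled."""
    for r in policy:
        if member(r.src, src_ip) and member(r.dst, dst_ip) and r.dport in (None, dport):
            return r.name, r.action
    return "no-rule", "deny"  # zero trust: nothing matched, so deny

def lockout_risk(policy) -> bool:
    """True when a deny-all rule is reached before any allow to vCenter,
    i.e. applying this policy could cut off vCenter management traffic."""
    for r in policy:
        if r.action == "allow" and r.dst == "vcenter":
            return False
        if r.action == "deny" and r.src == "any" and r.dst == "any":
            return True
    return True
```

Running `lockout_risk` over a policy before pushing it is the kind of check worth adding to a deployment pipeline, since the page notes vCenter is not on the default exclusion list.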