Architecting Tenant Networking with NSX in vCloud Director : Customer Networking In a Service Provider Environment : 2.2 Replicating a Managed Service Customer Topology in vCloud Director : 2.2.4 The NSX Distributed Firewall
   
2.2.4 The NSX Distributed Firewall
In addition to VXLAN-backed networks and the Edge Services Gateway, the introduction of NSX features in vCloud Director brings another key benefit. The presence of the NSX components in each ESXi host allows vCloud Director customers to utilize the NSX Distributed Firewall (DFW). The NSX Distributed Firewall implements a stateful packet filtering capability on each vNIC of every virtual machine (VM) under its management. In addition to controlling traffic that arrives at the VM from outside the network to which the VM is connected, the Distributed Firewall allows control of traffic between VMs on the same network. This granular control of traffic within the same network is known as micro-segmentation. Micro-segmentation allows a degree of control over traffic that has already been allowed through the perimeter firewall, which has not previously been possible. The following illustrates a portion of the Distributed Firewall “policy” applied to traffic to and from two “web server” VMs.
 
Figure 3. Micro-Segmentation with the Distributed Firewall
The DFW policies that control the flow of packets to and from each VM’s vNICs are configured centrally through the new vCloud Director HTML5-based firewall management interface and then distributed to the ESXi host, which implements them on the running VM. Should the VM be moved, the policy is reapplied on the destination host. This distributed policy management with per-vNIC enforcement, when applied across the entire tenant network topology, is shown in the following figure.
Figure 4. Basic Customer Topology with NSX Distributed Firewall
 
In the illustration, each vNIC is effectively separated from the network by a “firewall”. This allows the traffic between VMs on the same network to be controlled by a firewall policy in a way that is not practical using traditional networking infrastructure. See Section 7, References for more information on the benefits of micro-segmentation. Both the North/South policy on the Edge Services Gateway and the Distributed Firewall policy itself can be managed from the vCloud Director user interface either by the service provider or, should the service provider choose to offer the facility, by the customer.
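The behaviour described above, as an added illustration rather than code from the vCloud Director or NSX documentation: a small Python model of a centrally defined policy that is enforced statefully at every vNIC, compared with a perimeter firewall that only ever sees traffic crossing the network boundary. The security groups, IP addresses and rule names are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional
import ipaddress

@dataclass(frozen=True)
class Flow:
    src_ip: str
    sport: int
    dst_ip: str
    dport: int
    proto: str = "tcp"

@dataclass(frozen=True)
class Rule:
    name: str
    src: str            # security group name or "any"
    dst: str
    dport: Optional[int]  # None matches any destination port
    action: str         # "allow" or "deny"

class DistributedFirewall:
    """Models the DFW: one central policy, applied statefully at each vNIC, not at a choke point."""
    def __init__(self, groups, rules, default="deny"):
        self.groups, self.rules, self.default = groups, rules, default
        self.conntrack = set()  # flows already allowed, so their return traffic passes

    def _member(self, ip, group):
        return group == "any" or ip in self.groups.get(group, set())

    def filter(self, flow):
        """Return the action applied at the vNIC for this packet: 'allow' or 'deny'."""
        key = (flow.src_ip, flow.sport, flow.dst_ip, flow.dport, flow.proto)
        reply = (flow.dst_ip, flow.dport, flow.src_ip, flow.sport, flow.proto)
        if reply in self.conntrack:      # stateful: reply to an established, allowed flow
            return "allow"
        for rule in self.rules:          # first matching rule wins
            if (self._member(flow.src_ip, rule.src) and self._member(flow.dst_ip, rule.dst)
                    and rule.dport in (None, flow.dport)):
                if rule.action == "allow":
                    self.conntrack.add(key)
                return rule.action
        return self.default

def perimeter_sees(flow, internal_net):
    """A perimeter firewall only inspects traffic that crosses the network boundary."""
    net = ipaddress.ip_network(internal_net)
    inside = lambda ip: ipaddress.ip_address(ip) in net
    return inside(flow.src_ip) != inside(flow.dst_ip)

def demo_policy():
    # Constructed sample: two web servers and a database VM all on the same 10.0.1.0/24 network.
    groups = {"web": {"10.0.1.10", "10.0.1.11"}, "db": {"10.0.1.20"}}
    rules = [Rule("client-to-web", "any", "web", 443, "allow"),
             Rule("web-to-db", "web", "db", 3306, "allow"),
             Rule("block-web-to-web", "web", "web", None, "deny")]
    return DistributedFirewall(groups, rules)
```

Web-to-web traffic on the same subnet is denied at the vNIC, while `perimeter_sees` returns `False` for that same flow because it never reaches the perimeter.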
Because the Edge Services Gateway offers both firewall and VPN services, customers might question the presence of two firewalls in the Internet connectivity path, particularly as the benefits of micro-segmentation become accepted. At this point, the service provider can further reduce cost and complexity by removing the physical Internet firewall and moving its roles to the Edge Services Gateway. This level of risk acceptance is likely to be different for each customer, and it is possible that service providers might choose to offer solutions both with, and without, the physical Internet firewall.