Architecting a VMware NSX Solution : Design Considerations : 4.9 VMware NSX Distributed Firewall : 4.9.1 Design Considerations
   
4.9.1 Design Considerations
Distributed firewall enforcement is applied at the vNIC level of the VMs.
If the management components are under the control of VMware NSX, they must be excluded from distributed firewall enforcement to avoid circular dependencies. For example, a rule edit that blocks access to the vCenter Server could otherwise cut off the very management path needed to undo it.
Collapsing application tiers into common services, with each application tier on its own logical switch:
o Better for managing domain-specific (web and database) security requirements.
o Easier to develop segmented isolation between application tiers (web-to-database compared with web-to-application granularity).
o Requires explicit security between application tiers.
Collapsing all application tiers into a single logical switch:
o Better for managing group- or application-owner-specific expertise.
o Application container model; suits the application-as-tenant model.
o Simpler security group construct per application tier.
o Security policy between different application containers is required.
DMZ model:
o Zero-trust security.
o Multiple DMZ logical networks; default deny-all within DMZ segments.
o External-to-internal protection by multiple groups.
A DFW policy can be applied to various objects in the Virtual Inventory such as: Security Tags, IP Sets, MAC Sets, VMs, Port Groups and Logical Switches, Folders, Clusters, as well as user group identity information from Active Directory.
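The following is an added example, not VMware's code or the NSX API; it is a small Python model of the behaviour this section describes. It covers the tier-per-logical-switch design (security groups built from logical switch membership, explicit allow rules between tiers, default deny for everything else) and the management exclusion list (vNICs of excluded VMs are not filtered, so a mistaken rule against vCenter cannot lock the management plane out). All VM, group, logical switch and rule names are constructed for the illustration, and the `unexcluded_management` check is a hypothetical design-review helper, not an NSX feature.

```python
"""Toy model of distributed-firewall (DFW) rule evaluation.

Models: enforcement at each VM's vNIC, ordered first-match rule processing
ending in an implicit default deny, security groups derived from logical
switch membership or security tags, and a management exclusion list.
All names below are constructed for the example.
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Iterable, List, Sequence, Tuple


@dataclass(frozen=True)
class VM:
    name: str
    logical_switch: str
    tags: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class Rule:
    name: str
    src: str      # security group name, or "any"
    dst: str      # security group name, or "any"
    service: str  # e.g. "tcp/3306", or "any"
    action: str   # "allow" or "deny"


Membership = Callable[[VM], bool]


class Dfw:
    def __init__(self, groups: Dict[str, Membership], rules: Sequence[Rule],
                 exclusion_list: Sequence[str] = ()):
        self.groups = groups
        self.rules = list(rules)
        self.excluded = set(exclusion_list)

    def _in_group(self, group: str, vm: VM) -> bool:
        return group == "any" or self.groups[group](vm)

    def _first_match(self, src: VM, dst: VM, service: str) -> Rule:
        """Rules are ordered; the first match decides. An implicit
        default-deny rule sits at the bottom of the table."""
        for rule in self.rules:
            if (self._in_group(rule.src, src) and self._in_group(rule.dst, dst)
                    and rule.service in ("any", service)):
                return rule
        return Rule("default-deny", "any", "any", "any", "deny")

    def evaluate(self, src: VM, dst: VM, service: str) -> Tuple[str, str]:
        """Return (action, deciding rule). A VM on the exclusion list has no
        filter on its vNIC; if both endpoints are excluded nothing is enforced,
        otherwise the rule table applies at the remaining vNIC(s)."""
        if src.name in self.excluded and dst.name in self.excluded:
            return ("allow", "excluded")
        rule = self._first_match(src, dst, service)
        return (rule.action, rule.name)


def unexcluded_management(dfw: Dfw, inventory: Iterable[VM]) -> List[str]:
    """Design check (hypothetical helper): management VMs that are not on the
    exclusion list could be cut off by a DFW rule, leaving no path to fix it."""
    return [vm.name for vm in inventory
            if dfw.groups["sg-mgmt"](vm) and vm.name not in dfw.excluded]


def build_example() -> Dfw:
    """Three-tier application, one logical switch per tier, management
    components on the exclusion list (constructed data)."""
    groups = {
        "sg-web": lambda vm: vm.logical_switch == "ls-web",
        "sg-app": lambda vm: vm.logical_switch == "ls-app",
        "sg-db": lambda vm: vm.logical_switch == "ls-db",
        "sg-mgmt": lambda vm: "mgmt" in vm.tags,
    }
    rules = [
        Rule("web-to-app", "sg-web", "sg-app", "tcp/8443", "allow"),
        Rule("app-to-db", "sg-app", "sg-db", "tcp/3306", "allow"),
        # A mistaken rule of the kind the section warns about.
        Rule("bad-block-mgmt", "any", "sg-mgmt", "any", "deny"),
    ]
    return Dfw(groups, rules, exclusion_list=["vcenter", "nsx-manager"])


WEB = VM("web01", "ls-web")
APP = VM("app01", "ls-app")
DB = VM("db01", "ls-db")
VCENTER = VM("vcenter", "ls-mgmt", frozenset({"mgmt"}))
NSXMGR = VM("nsx-manager", "ls-mgmt", frozenset({"mgmt"}))

if __name__ == "__main__":
    dfw = build_example()
    for s, d, svc in [(WEB, APP, "tcp/8443"), (WEB, DB, "tcp/3306"),
                      (APP, DB, "tcp/3306"), (NSXMGR, VCENTER, "tcp/443"),
                      (WEB, VCENTER, "tcp/443")]:
        print(f"{s.name} -> {d.name} {svc}: {dfw.evaluate(s, d, svc)}")
    print("management VMs missing from exclusion list:",
          unexcluded_management(dfw, [WEB, VCENTER, NSXMGR]))
```

The web-to-database flow lands on the default deny because no rule grants it; that is the "explicit security between application tiers" the first design model requires. The deny rule against the management group still fires at the web VM's vNIC, but traffic between the two excluded management VMs is never filtered, which is why the exclusion list prevents the circular dependency.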