4.5 Security Design
With VMware NSX, there are two points where the end customer and provider can manage security services:
Edge services gateways
Distributed firewall
The edge services gateways at each location can be used to control north-south firewalling, that is, traffic between the virtual environment and the physical world. For example, access to networks northbound of the edge services gateway can be controlled through the edge firewall.
The distributed firewall lets you define security rules that control access between virtual machines on the same logical network, or within the same universal logical switch. This is commonly known as micro-segmentation. For cross-vCenter security, only MAC/IP sets can be used for control, but you can create dynamic group membership based on server name, which allows policy to follow the virtual machine.
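The following added example is a simplified Python model of the approach described above; it is not NSX code and does not use the NSX API. It resolves name-based groups into IP sets and evaluates default-deny rules between virtual machines on the same subnet. The inventory, naming convention, ports, and rules are constructed assumptions.

```python
from fnmatch import fnmatchcase
from ipaddress import ip_address

# Constructed inventory: four VMs on one logical switch (one subnet), two sites.
INVENTORY = [
    {"name": "web-01", "ip": "10.0.10.11", "site": "A"},
    {"name": "web-02", "ip": "10.0.10.12", "site": "B"},
    {"name": "app-01", "ip": "10.0.10.31", "site": "A"},
    {"name": "db-01", "ip": "10.0.10.21", "site": "A"},
]
# Hypothetical naming convention: group name -> server-name pattern.
GROUPS = {"web": "web-*", "app": "app-*", "db": "db-*"}
# Ordered rules (source group, destination group, port, action); first match wins.
RULES = [
    ("web", "app", 8443, "allow"),
    ("app", "db", 5432, "allow"),
    ("any", "any", None, "deny"),  # default deny for all other east-west traffic
]

def resolve_ip_sets(inventory, groups):
    """Turn name-based membership into per-group IP sets."""
    return {
        group: {ip_address(vm["ip"]) for vm in inventory
                if fnmatchcase(vm["name"], pattern)}
        for group, pattern in groups.items()
    }

def evaluate(ip_sets, src, dst, port):
    """Return the action of the first rule matching the flow."""
    src, dst = ip_address(src), ip_address(dst)
    for s_grp, d_grp, r_port, action in RULES:
        if ((s_grp == "any" or src in ip_sets.get(s_grp, ()))
                and (d_grp == "any" or dst in ip_sets.get(d_grp, ()))
                and (r_port is None or r_port == port)):
            return action
    return "deny"

if __name__ == "__main__":
    sets = resolve_ip_sets(INVENTORY, GROUPS)
    print(evaluate(sets, "10.0.10.11", "10.0.10.21", 5432))  # web -> db, same subnet
    # A new db VM comes up at site B: the old IP sets do not know it yet.
    grown = INVENTORY + [{"name": "db-02", "ip": "10.0.10.22", "site": "B"}]
    print(evaluate(sets, "10.0.10.31", "10.0.10.22", 5432))
    print(evaluate(resolve_ip_sets(grown, GROUPS), "10.0.10.31", "10.0.10.22", 5432))
```

In this model, a virtual machine that changes site but keeps its name and IP address resolves to the same IP sets, while a newly added machine is covered only after the sets are resolved again.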
The following figure highlights how both security solutions can be used in a typical environment.
Figure 10. Security Design Example
 
For more information about security design, see the VMware NSX for vSphere Documentation Center.