DMZ Considerations
VMware recommends that you follow standard DMZ firewall design guidelines in a vCloud environment. However, the following aspects require special consideration, because some vCloud Director operations keep sessions open for extended periods to the management infrastructure behind the back-end firewall.

Idle session timeouts – Depending on the level of activity within the vCloud environment, some connections, such as sessions to vSphere hosts to retrieve thumbnails by way of the vslad agent and sessions to vCenter Server for inventory, might require adjustment to the default TCP idle timeout policies on the firewall. This also applies to the Oracle Notification Service (ONS) connections needed for fast connection failover support in Oracle RAC environments. A session that goes quiet for longer than the firewall's idle timeout is silently dropped, and the endpoint discovers this only on its next attempt to use the connection.

Dead connection detection or equivalent – Many firewalls support functionality that allows idle but still valid connections to persist. This modifies the idle timeout behavior: instead of dropping a silent flow when the timer expires, the firewall probes both endpoints of the connection and keeps the session only if both confirm it is still alive.
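The two items above describe the firewall side. The endpoint side of the same problem is TCP keepalive: if the application or operating system sends keepalive probes at an interval shorter than the firewall's idle timeout, a long-lived management session refreshes its firewall state entry itself, and a peer that has vanished is noticed without waiting for the next real request. The following Python example is added here for illustration; it is not code from VMware's documentation or from vCloud Director. The timeout values (FIREWALL_IDLE_TIMEOUT and the keepalive schedule) are assumptions chosen for the example, and the option names follow Linux, with fallbacks where other platforms name them differently.

```python
import socket

# Assumed values for illustration only; they are not taken from the page.
FIREWALL_IDLE_TIMEOUT = 3600   # seconds before the firewall drops a silent flow
KEEPALIVE_IDLE = 600           # seconds of silence before the first keepalive probe
KEEPALIVE_INTERVAL = 60        # seconds between unanswered probes
KEEPALIVE_COUNT = 5            # unanswered probes before the kernel declares the peer dead


def keepalive_fits(idle, interval, firewall_timeout):
    """True if probes start, and keep refreshing the firewall state entry,
    before the firewall's idle timer expires. Both the first probe and each
    retransmitted probe must fall inside the window; otherwise a healthy but
    quiet session is torn down by the firewall instead of being kept alive."""
    return idle < firewall_timeout and interval < firewall_timeout


def dead_peer_detection_time(idle, interval, count):
    """Worst-case seconds until a silently vanished peer (crashed host,
    pulled cable) is noticed: the idle period plus every unanswered probe."""
    return idle + interval * count


def _idle_option():
    # Linux exposes TCP_KEEPIDLE; macOS calls the same knob TCP_KEEPALIVE.
    return getattr(socket, "TCP_KEEPIDLE", None) or getattr(socket, "TCP_KEEPALIVE", None)


def enable_tcp_keepalive(sock, idle=KEEPALIVE_IDLE, interval=KEEPALIVE_INTERVAL,
                         count=KEEPALIVE_COUNT):
    """Turn on TCP keepalive for sock and set the probe schedule where the
    platform exposes it. Options the platform lacks are skipped rather than
    failing, so the call is safe on Linux, macOS and recent Windows."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    idle_opt = _idle_option()
    if idle_opt is not None:
        sock.setsockopt(socket.IPPROTO_TCP, idle_opt, idle)
    if hasattr(socket, "TCP_KEEPINTVL"):
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPINTVL, interval)
    if hasattr(socket, "TCP_KEEPCNT"):
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPCNT, count)


def read_keepalive(sock):
    """Return the settings as the kernel reports them: a dict with 'enabled'
    plus 'idle', 'interval' and 'count' (None where the platform lacks the option)."""
    def get(opt):
        return sock.getsockopt(socket.IPPROTO_TCP, opt) if opt is not None else None

    return {
        "enabled": sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE),
        "idle": get(_idle_option()),
        "interval": get(getattr(socket, "TCP_KEEPINTVL", None)),
        "count": get(getattr(socket, "TCP_KEEPCNT", None)),
    }


def configured_keepalive_readback():
    """Create a TCP socket, apply the keepalive schedule and return what the
    kernel reports. The options can be set and read before any connection exists."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        enable_tcp_keepalive(sock)
        return read_keepalive(sock)
    finally:
        sock.close()


if __name__ == "__main__":
    print("keepalive schedule as reported by the kernel:", configured_keepalive_readback())
    print("schedule fits under the assumed firewall timeout:",
          keepalive_fits(KEEPALIVE_IDLE, KEEPALIVE_INTERVAL, FIREWALL_IDLE_TIMEOUT))
    print("worst-case seconds to notice a dead peer:",
          dead_peer_detection_time(KEEPALIVE_IDLE, KEEPALIVE_INTERVAL, KEEPALIVE_COUNT))
```

The check in keepalive_fits is the one to carry over to a real deployment: take the firewall's configured idle timeout for the management zone and make sure the endpoint's keepalive idle time and retransmit interval both sit below it. Dead connection detection on the firewall and keepalive on the endpoints are complementary; with both in place, a quiet but healthy session survives, while a peer that has actually gone away is cleaned up on both sides within idle + interval * count seconds.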

Logging – Send firewall logs to a centralized syslog server.

SMTP filtering – Many firewalls filter email connections, restricting ESMTP commands. It might be necessary to disable this capability to permit vCloud Director to send mail notifications.

Bandwidth – Some vCloud operations require either high throughput or low latency (examples are NFS transfer access and database access). The firewall must be correctly specified so that it does not become a performance bottleneck.

Availability – Deploy firewalls and load balancers in highly available pairs where possible.

Secure administrative access – Tightly control access to the management networks using strong authentication, logging, and encryption.

Scalability – vCloud environments are typically architected to scale and support a large number of workloads and users. Size and scale the firewalls along with the vCloud environment, so that they do not need to be replaced later at the cost of downtime.