Architecting a vCloud Director Solution : vCloud Director Design : 7.4 Networks : 7.4.7 Distributed Firewall
   
7.4.7 Distributed Firewall
The distributed firewall is a vCloud Director 8.20 feature that applies and enforces firewall configurations in the ESXi VMkernel at the vNIC level of virtual machines. Because the firewall inspects every packet and frame entering or leaving the configured VMs, it is completely independent of the network topology and can be used for micro-segmentation of a Layer 2 network. Both Layer 3 and Layer 2 rules can be created. It is managed at the Org VDC level from the Manage Firewall link.
At the NSX platform level, each tenant is given a section in the NSX firewall table and can only apply rules to VMs and Edge Gateways in its own domain. There is one section for each Org VDC that has the DFW enabled, and it is always created at the top of the firewall rule list (or optionally at the bottom, if the vCloud API is used to enable the DFW at the Org VDC level with the ?append=true suffix). Because tenants might have overlapping IP addresses, all rules in the section are scoped to a security group whose dynamic membership is the tenant's Org VDC resource pools, so the rules are applied only to VMs in that Org VDC.
Tenants can create Layer 3 (IP based) or Layer 2 (MAC based) rules, using the following objects when defining them:
IP address, IP/MAC sets
Virtual machine
Org VDC network
Org VDC
Note that L3 rules defined with objects other than IP addresses require NSX to learn the IP addresses of the guest VMs. One of the following mechanisms must be enabled:
VMware Tools™ installed in the guest VM
DHCP Snooping IP Detection Type
ARP Snooping IP Detection Type
The IP Detection Type is configured in NSX at the cluster level in the Host Preparation tab.
The scope for each rule can be defined in the Applied To column. By default, it is set to the Org VDC. However, the tenant can further limit the scope of the rule to a particular VM or Org VDC network (note that a vApp network cannot be used). It is also possible to apply the rule to the Org VDC Edge Gateway. In this case, the rule is actually created and enforced on the Edge Gateway as a pre-rule, which has precedence over all other firewall rules defined on that Edge Gateway.
The tenant can enable logging of a specific firewall rule through the API by editing the <rule … logged="true|false"> element. NSX then logs the first session packet matching the rule to the ESXi host log with a tenant-specific tag (a substring of the Org VDC UUID). The provider can then filter such logs and forward them to tenants with its own syslog solution.
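As an added example (not code from the VMware document), the following Python audit walks one tenant's DFW section as it would be exported through the NSX/vCloud API: it checks that every rule's Applied To scope stays within the tenant's own objects (its Org VDC security group, VMs, Org VDC networks or Edge Gateway) and that deny rules have logging enabled, then shows how the logged attribute is flipped before the section is written back. The XML shape, the generationNumber/If-Match behaviour and all object ids are assumptions or constructed sample data.

```python
import xml.etree.ElementTree as ET

# Constructed sample of one tenant's DFW section (NSX-v firewall config XML shape, assumed).
SAMPLE_SECTION = """\
<section id="1008" name="vdc-tenant-a (f1a2b3c4)" generationNumber="1500000000000">
  <rule id="1012" logged="true"><name>web-to-db</name><action>allow</action>
    <appliedToList><appliedTo><value>securitygroup-10</value><type>SecurityGroup</type></appliedTo></appliedToList>
  </rule>
  <rule id="1013" logged="false"><name>deny-any</name><action>deny</action>
    <appliedToList><appliedTo><value>securitygroup-10</value><type>SecurityGroup</type></appliedTo></appliedToList>
  </rule>
  <rule id="1014" logged="false"><name>stray-scope</name><action>allow</action>
    <appliedToList><appliedTo><value>securitygroup-99</value><type>SecurityGroup</type></appliedTo></appliedToList>
  </rule>
</section>
"""

def audit_section(section_xml, tenant_objects):
    """Return (rule id, finding, details) tuples for rules whose Applied To
    scope references objects outside the tenant, and deny rules not logged."""
    root = ET.fromstring(section_xml)
    findings = []
    for rule in root.findall("rule"):
        rid = rule.get("id")
        scope = {a.findtext("value") for a in rule.findall("appliedToList/appliedTo")}
        outside = scope - tenant_objects
        if outside:
            findings.append((rid, "scope-outside-tenant", sorted(outside)))
        if rule.findtext("action") == "deny" and rule.get("logged") != "true":
            findings.append((rid, "deny-without-logging", []))
    return findings

def enable_logging(section_xml, rule_ids):
    """Set logged="true" on the given rules; return the updated XML, the section's
    generationNumber (sent back as If-Match on the PUT, assumed) and the change count."""
    root = ET.fromstring(section_xml)
    changed = 0
    for rule in root.findall("rule"):
        if rule.get("id") in rule_ids and rule.get("logged") != "true":
            rule.set("logged", "true")
            changed += 1
    return ET.tostring(root, encoding="unicode"), root.get("generationNumber"), changed

if __name__ == "__main__":
    tenant = {"securitygroup-10", "vm-101", "dvportgroup-20", "edge-5"}  # constructed ids
    for finding in audit_section(SAMPLE_SECTION, tenant):
        print(finding)
    updated, gen, n = enable_logging(SAMPLE_SECTION, {"1013"})
    print(f"enabled logging on {n} rule(s); If-Match: {gen}")
```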