4.9.1 Design Considerations
• Distributed firewall enforcement is applied at the vNIC level of each VM.
• If the management components are under the control of VMware NSX, they must be excluded from participation in the distributed firewall to avoid circular dependencies. For example, a mis-edited rule could otherwise block access to the vCenter Server that is itself needed to manage the firewall.
• Collapsing application tiers into common services, with each application tier on its own logical switch:
o Better for managing domain-specific (web, database) security requirements.
o Easier to develop segmented isolation between application tiers (web-to-database as opposed to web-to-application granularity).
o Requires explicit security policy between application tiers.
• Collapsing all application tiers into a single logical switch:
o Better for managing group- or application-owner-specific expertise.
o Application-container model, which suits the application-as-tenant model.
o Simpler security group construct per application tier.
o Security policy between the different application containers is required.
• DMZ model:
o Zero-trust security.
o Multiple DMZ logical networks, with a default deny_ALL rule within the DMZ segments.
o External-to-internal protection provided by multiple security groups.
A DFW policy can be applied to various objects in the virtual inventory, such as Security Tags, IP Sets, MAC Sets, VMs, port groups, logical switches, folders and clusters, as well as to user group identity information from Active Directory.
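To make the exclusion-list and collapsed-tier points concrete, here is an added model (not VMware code, and not the NSX API) of vNIC-level enforcement: an ordered rule table with a default block, "applied to" selectors over tags, VMs and logical switches, and an exclusion list that removes a VM's vNIC from filtering entirely. The VM names, tags and rules are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class VM:
    name: str
    logical_switch: str
    tags: frozenset = frozenset()

@dataclass(frozen=True)
class Rule:
    name: str
    src: str                 # selector: "any", "tag:<tag>", "ls:<logical switch>" or "vm:<name>"
    dst: str
    action: str              # "allow" or "block"
    applied_to: str = "any"  # vNICs the rule is programmed on; "any" means every vNIC

def matches(selector, vm):
    if selector == "any":
        return True
    kind, _, value = selector.partition(":")
    return {"tag": value in vm.tags, "ls": vm.logical_switch == value, "vm": vm.name == value}[kind]

class DistributedFirewall:
    def __init__(self, rules, exclusion_list=(), default_action="block"):
        self.rules, self.excluded, self.default = list(rules), set(exclusion_list), default_action
    def verdict_at_vnic(self, owner, src, dst):
        for r in self.rules:  # first matching rule wins, then the default rule
            if matches(r.applied_to, owner) and matches(r.src, src) and matches(r.dst, dst):
                return r.action, r.name
        return self.default, "default rule"
    def evaluate(self, src, dst):
        # A new flow passes only if every enforcing vNIC (source egress, destination ingress)
        # allows it; a VM on the exclusion list has no DFW filtering on its vNIC at all.
        for owner in (src, dst):
            if owner.name not in self.excluded:
                action, why = self.verdict_at_vnic(owner, src, dst)
                if action == "block":
                    return "block", why
        return "allow", "no enforcing vNIC blocked the flow"

# Constructed inventory (hypothetical names): management VMs plus two tiers sharing one logical switch.
VCENTER = VM("vcenter", "ls-mgmt", frozenset({"management"}))
NSX_MGR = VM("nsx-manager", "ls-mgmt", frozenset({"management"}))
WEB, DB = VM("web01", "ls-app", frozenset({"tier-web"})), VM("db01", "ls-app", frozenset({"tier-db"}))
RULES = [Rule("mistaken-block", "any", "vm:vcenter", "block"),      # the mis-edited rule the page warns about
         Rule("web-to-db", "tag:tier-web", "tag:tier-db", "allow")]  # explicit inter-tier policy on a shared switch

def circular_dependency_demo():
    """Verdict for NSX Manager -> vCenter without and with the management VMs on the exclusion list."""
    without, with_excl = DistributedFirewall(RULES), DistributedFirewall(RULES, {"vcenter", "nsx-manager"})
    return without.evaluate(NSX_MGR, VCENTER)[0], with_excl.evaluate(NSX_MGR, VCENTER)[0]
```

With the management VMs excluded, the mistaken rule never reaches their vNICs, so NSX Manager keeps its path to vCenter; on the shared switch, only the explicit web-to-db rule lets a new flow through, and a connection initiated from the database tier falls to the default block.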