With the introduction of NSX-T within VMware Cloud on AWS (VMC), the networking architecture for VMC changed and various new features were introduced to the platform. One of the new features that has been introduced in VMC is the Distributed Firewall (DFW). With the DFW you can firewall east-west traffic in your SDDC – and it helps you to implement micro-segmentation. In this article we will have a look at this new feature.

To fully understand VMC firewalling options, take a look at the NSX-T networking architecture that is now used in VMC:

The DFW works within the customer VM segments, and across the customer VM segments. Next to the DFW there are two edge firewalls: one on the Compute Gateway (CGW), and one on the Management Gateway (MGW). If you want to learn more about the NSX-T architecture within VMConAWS, read more about it here.

Initial configuration of the Distributed Firewall

The configuration of the DFW is done through the VMC management interface. You will find a new Distributed Firewall option in the Security menu under the Networking & Security tab, as depicted in the following screenshot:

The DFW allows you to create different sections, and add firewall rules to each of these sections. On top of this you also have four groups available to organize your rules even further. Available groups are: Application Rules, Environment Rules, Infrastructure Rules and Emergency Rules. An example Application Rule is showed in the screenshot:

The Grouping feature allows you to create Groups that contains members. You can put Virtual Machines in a group, a group can also contain one or IP addresses or a specific subnet. It’s also possible to create dynamic groups based on a matching criteria:

Matching criteria based on the VM name, wildcards are allowed here;

Matching criteria based on a tag.

Especially the tag option is very powerful, this allows you to dynamically add VMs to a group and automatically apply the required firewall rules to these groups. If you’re using the same tags on-premises and in the cloud, you can automatically link the VM to the correct security policies while it’s travelling around between on-premises and the public cloud. The following screenshot shows the tags that are configured for a couple of VMs that I have running in VMC:

In this example we have a tag “db” (for database servers) and a tag “web” (for web servers).

Example Distributed Firewall Scenario

So let’s think of scenario and see how this is configured in the DFW of VMC. There are three webservers that are connected to the internet, and there is a database server that provides DB services to the three webservers. The requirements are:

The webservers are allowed to connect to the database server; The webservers are not allowed to connect to each other; The webservers are not allowed to connect to any other VM that is running in the private IP space of the datacenter.

The are several ways to setup the required firewall rules. The main focus of DFW firewall rules is east-west traffic, although you can also add rules that are more related to north-south traffic.

In this example I’ve created the following groups:

The db-servers and web-servers groups are based dynamically on the tag, the three other groups include the three private IP address spaces. These groups can be used to deny traffic to local subnets. Notice that the groups in the example are Workload Groups, they can be used in the DFW and CGW firewall policies. Management Groups can only be used in MGW firewall policies.

The following screenshot shows a few example firewall rules:

There’s a web-to-db allow rule that leverages the web-servers and db-servers groups, there also a web-to-other drop rule that leverages the db-servers group as well as the three groups based on (private space) IP addresses.

On the compute gateway firewall you would setup the firewall rules to allow traffic to/from the webservers, this includes any specific rules that allow port 80/443 to the webservers. Because I’m running three webservers in this example, a load balancer is required to balance to traffic to these webservers. This would be perfect case to use a AWS native load balancer such as the Elastic Load Balancer (ELB) or Application Load Balancer (ALB).

Learn more

I hope this was useful, and this article gives you an idea of how the new DFW works in VMC. If you want to learn more about the Distributed Firewall within VMware Cloud, take a look at these articles: