VMware NSX Notes - Overview of Micro-Segmentation
By Pranay Jha | May 31, 2019 | In Articles


-        70% of threats come from inside the network, so apply micro-segmentation.

-        In the traditional datacenter we only had security at the edge, on the incoming layer.

-        Now you need security within the network. If you have 2 VMs in a cluster, you need security for both VMs, and the question is where it should be applied.

-        We now need a firewall within the network, not only at the perimeter: a context-based firewall.

-        Within the datacenter itself we have many networks, and we need security within them.

-        If we use physical firewalls, the number required may be quite high.

-        If we are not using NSX, a firewall needs to be applied at each layer.

-        Our traffic goes to the core firewall, which forwards it based on the rules. If we are using a physical firewall rather than NSX, it has to work this way. Even if source and destination are on the same network, traffic still flows this way. So this is a challenge.

-        Take the cloud example: one host may carry VMs for multiple tenants. How will you provide security between them? We cannot achieve it with a physical firewall. This is another challenge.

-        Where should the firewall be? On the physical host or in the VM?

-        If it is on the host, there will be multiple hops between VMs. If it is in the VM, there may be high resource consumption.

-        We implement the firewall in the hypervisor, which is the right place. You do not need to install a firewall in each VM.

-        There is a single centralized console from which you define rules for each VM.

What firewalls do we have, and what are the advantages of each?

Types of Firewall:

  1. ESG – North-South (traffic entering or leaving the datacenter)
  2. DFW – East-West (traffic within the datacenter)

The DFW is a per-vNIC firewall. If a VM has 2 vNICs, firewall rules are applied at each vNIC.

Rules are applied whether the VMs are on the same host or on different hosts.


-        There are 16 slots. Of those, 8 are reserved by VMware: 0-3 and 12-15.

-        The remaining 8 slots, 4-11, are open to you. They are used when you want to integrate a 3rd-party product with NSX.

-        These slots act as service insertion points.

Benefits of DFW:

No hairpinning.

Consistent configuration – if you migrate a VM, its rules migrate with it.

How do we configure it?

-        Rules are created in NSX Manager.

-        NSX Manager talks to ESXi using AMQP over port 5671.

-        It communicates directly with ESXi.

-        ESXi runs the vsfwd service; the DFW communicates directly with this service.

-        The rules are delivered to vsfwd.

-        vsfwd then passes the rules to vsip (VMware Internetworking Service Insertion Platform).

The DFW maintains two tables:

-        Connection tracker table

  • It is initially blank when the VM powers on.

-        Rule table

  • Contains the firewall rules for the specific VM.


-        You create a SpoofGuard policy for specific networks that allows you to authorize the IP addresses reported by VMware Tools and alter them if necessary to prevent spoofing.

-        SpoofGuard inherently trusts the MAC addresses of virtual machines collected from the VMX files and vSphere SDK.

-        SpoofGuard operates separately from firewall rules; you can use it to block traffic determined to be spoofed.
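To make the two DFW tables and the SpoofGuard check concrete, here is a small added model (not VMware code) of one per-vNIC firewall: its rule table, a connection tracker that starts empty at power on, and a SpoofGuard check that runs before any rule lookup. The IP addresses, the default-deny fallback and the "service port" flow key are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class Rule:
    src: str             # exact IP or "any"
    dst: str             # exact IP or "any"
    port: Optional[int]  # service port of the flow, None = any
    action: str          # "allow" or "block"

@dataclass
class VnicFirewall:
    """One DFW instance per vNIC, as the notes describe: its own rule table
    plus a connection tracker that is empty when the VM powers on."""
    authorized_ip: str                    # IP that SpoofGuard approved for this vNIC
    rules: list                           # rule table; first match wins
    conntrack: set = field(default_factory=set)

    def power_on(self):
        self.conntrack.clear()            # tracker starts blank; rule table is kept

    def _rule_lookup(self, src, dst, port):
        for r in self.rules:
            if r.src in ("any", src) and r.dst in ("any", dst) and r.port in (None, port):
                return r.action
        return "block"                    # assumed default-deny for this example

    def inspect(self, src, dst, port, direction):
        """direction is 'out' (sent by the VM) or 'in' (delivered to the VM)."""
        # SpoofGuard is separate from the rule table: the VM may only send
        # from the address authorized for its vNIC.
        if direction == "out" and src != self.authorized_ip:
            return "spoofguard-block"
        # A flow already in the tracker passes in either direction (stateful).
        if (src, dst, port) in self.conntrack or (dst, src, port) in self.conntrack:
            return "allow-tracked"
        action = self._rule_lookup(src, dst, port)
        if action == "allow":
            self.conntrack.add((src, dst, port))
        return action

def demo():
    """Constructed scenario: a web VM (10.0.0.5) that only accepts port 80."""
    web = VnicFirewall("10.0.0.5", [Rule("any", "10.0.0.5", 80, "allow")])
    web.power_on()
    return [
        web.inspect("10.0.0.9", "10.0.0.5", 80, "in"),    # new flow, rule allows
        web.inspect("10.0.0.5", "10.0.0.9", 80, "out"),   # reply, tracker allows
        web.inspect("10.0.0.5", "10.0.0.9", 22, "out"),   # no rule, default block
        web.inspect("10.0.0.77", "10.0.0.9", 80, "out"),  # spoofed source address
    ]
```

Calling `power_on()` again clears only the tracker, so a reply that was allowed by the tracker before the restart must match a rule afterwards.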

Guest Introspection Service (GIS)

-        Antivirus

-        Malware protection

-        Runs at the guest (client) end

Network Introspection Service (NIS)

-        IDS

-        IPS

We can associate GIS and NIS with a security group.


Identity-Based Firewall

-        It means the source in a firewall rule can be a user or a group of users from AD.

-        To use the identity-based firewall, you need a Guest Introspection VM.

-        For integrating any third-party solution, you need one service VM for each VM.

-        A Service Introspection VM is created on each host in the cluster, so the number of service VMs equals the number of ESXi hosts in that cluster.

-        This VM must be reachable from NSX Manager.

-        The third-party service VM sits on the same network where that third party's management services run.
