
A Distributed Firewall (DFW) runs in the kernel as a VIB package on all the ESXi host clusters that are prepared for NSX. Host preparation automatically activates DFW on the ESXi host clusters. The fundamental constraints of traditional perimeter-centric security architecture impact both security posture and application scalability in modern data centers. For example, hair-pinning of traffic through physical firewalls at the perimeter of the network creates extra latency for certain applications.

DFW complements and enhances your physical security by removing unnecessary hair-pinning from the physical firewalls and reduces the amount of traffic on the network. Rejected traffic is blocked before it leaves the ESXi host. There is no need for the traffic to traverse the network, only to be stopped at the perimeter by the physical firewall. Traffic destined to another VM on the same host or on another host does not have to traverse the network up to the physical firewall and then go back down to the destination VM. Traffic is inspected at the ESXi level and delivered to the destination VM.

NSX DFW is a stateful firewall, meaning it monitors the state of active connections and uses this information to determine which network packets to allow through the firewall. DFW is implemented in the hypervisor and applied to virtual machines on a per-vNIC basis. That is, the firewall rules are enforced at the vNIC of each virtual machine. Inspection of traffic happens at the vNIC of a VM just as the traffic is about to exit the VM and enter the virtual switch (egress). Inspection also happens at the vNIC just as the traffic leaves the switch but before it enters the VM (ingress).

The NSX Manager virtual appliance, NSX Controller VMs, and NSX Edge Service Gateways are automatically excluded from DFW. If a VM does not require DFW service, you can manually add it to the exclusion list.

As DFW is distributed in the kernel of every ESXi host, firewall capacity scales horizontally when you add hosts to the clusters. Adding more hosts increases the DFW capacity. As your infrastructure expands and you buy more servers to manage your ever-growing number of VMs, the DFW capacity increases.

DFW Policy Rules

DFW policy rules are created by using the vSphere Web Client, and the rules are stored in the NSX Manager database. With DFW, you can create Ethernet rules (L2 rules) and General rules (L3 to L7 rules). The rules are published from NSX Manager to the ESXi cluster and then from the ESXi host down to the VM level. All ESXi hosts in the same cluster have the same DFW policy rules.

A distributed firewall instance on an ESXi host contains the following two tables:
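The following is an added Python model of the mechanism described above, not NSX code: one rule table shared by every host in the cluster, per-vNIC enforcement, an exclusion list, and stateful handling in which a flow permitted by a rule is cached so that its return traffic is allowed without a rule of its own. The class and function names (Rule, Flow, DfwInstance, EXCLUSION_LIST, demo), the VM names, the choice of a rule table plus a connection-tracking table as the two tables, and a default block rule are all assumptions for the example.

```python
from dataclasses import dataclass
# Constructed model (not NSX code) of the per-vNIC, stateful DFW described above:
# a rule table every host receives from NSX Manager, plus a connection-tracking
# table caching permitted flows. Table names and the default block rule are assumed.

@dataclass(frozen=True)
class Rule:
    src: str      # VM name or "any"
    dst: str      # VM name or "any"
    port: int     # destination port, 0 = any
    action: str   # "allow" or "block"

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    sport: int
    dport: int

# Components the page says are excluded automatically; the names are constructed.
EXCLUSION_LIST = {"nsx-manager", "nsx-controller-1", "nsx-edge-1"}

class DfwInstance:
    """DFW instance of one ESXi host; all hosts in a cluster get the same rules."""
    def __init__(self, rules):
        self.rules = list(rules)   # rule table, published from NSX Manager
        self.conntrack = set()     # connection tracker, one per host

    def _lookup(self, flow):
        for r in self.rules:       # first matching rule wins, top to bottom
            if r.src in ("any", flow.src) and r.dst in ("any", flow.dst) and r.port in (0, flow.dport):
                return r.action
        return "block"             # assumed default rule

    def inspect(self, vnic_vm, flow):
        """Enforce at the vNIC of vnic_vm: egress on the sender, ingress on the receiver."""
        if vnic_vm in EXCLUSION_LIST:
            return "allow"         # excluded VMs are not filtered at all
        reverse = Flow(flow.dst, flow.src, flow.dport, flow.sport)
        if flow in self.conntrack or reverse in self.conntrack:
            return "allow"         # established connection: stateful fast path
        action = self._lookup(flow)
        if action == "allow":
            self.conntrack.add(flow)   # only permitted flows are cached
        return action

def demo():
    host = DfwInstance([Rule("web-01", "db-01", 3306, "allow"), Rule("any", "db-01", 0, "block")])
    request = Flow("web-01", "db-01", 40000, 3306)   # web tier opens a DB connection
    reply = Flow("db-01", "web-01", 3306, 40000)     # DB reply: no explicit rule for it
    stray = Flow("app-01", "db-01", 40001, 3306)     # not covered by any allow rule
    return [host.inspect("web-01", request), host.inspect("db-01", reply), host.inspect("app-01", stray)]
```

The reply is allowed only because the request was cached in the connection tracker; the stray flow is blocked at the source vNIC, before it ever leaves the host.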
