NSX Home Lab (4/6) – DFW Firewall Service

In this post we will see how to secure communication from VLAN to VXLAN, and also how Security Groups, Security Policies and the default firewall rule work together.

1) Environment

  • Networks
    • VLAN – 10.1.1.0/24 – Physical Network
    • VXLAN 5001 – 10.10.10.0/24 – Web Servers – http 80
    • VXLAN 5002 – 10.10.20.0/24 – DB Servers – mysql 3306
  • VMs
    • VLAN : vmpn01
    • VXLAN 5001 : web01,web02
    • VXLAN 5002 : db01

2) NSX Firewall Plan

  • Create Security Groups for Web Servers and DB Servers. Use Security Tags for dynamic membership.
  • Default firewall rule – Block
  • Level 1 Security Policy for Production Environment – Allows ICMP, DNS, DHCP, SSH and RDP
  • Level 2 Security Policy for Web Servers – Allows HTTP and HTTPS, and inherits the Level 1 Security Policy for Production Environment. Through inheritance it therefore allows ICMP, DNS, DHCP, SSH, RDP, HTTP & HTTPS.

3) VMs

  • VM on Physical Network (VLAN)
  • VMs on VXLAN 5001
  • VM on VXLAN 5002

4) Add the vCenter VM to the NSX exclusion list

Excluding virtual machines from firewall protection is useful where vCenter Server resides in the same cluster in which the firewall is being used. Once a VM is on the exclusion list, none of its traffic goes through the firewall, so the list should contain only the VMs that genuinely need it.
See the KB article for more details: https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2079620

5) Create Security Tags

  • Security Tag “Production” – For all VMs in the production environment
  • Security Tag “WebServers” – For VMs which run web servers
  • Security Tag “DBServers” – For VMs which run database services
  • Assign the Security Tags to the VMs
  • Check the Security Tags of the VMs

6) Create Security Groups

  • Create a Security Group for all Production Servers
  • Create a Security Group for Web Servers
  • Create a Security Group for DB Servers

7) Create Security Policies

  • L1 Security Policy – Baseline security applicable to all Production Servers
  • L2 Security Policy – Security applicable to all Web Servers. Inherits the L1 Production Security Policy

8) Assign Security Policies to Security Groups

  • Assign Security Policy “L2-production-Web Servers” to Security Group “Web Servers”
  • Check which firewall rules are effective on “Web Servers”

9) Block the Default Firewall rule (“Any” to “Any”)

  • Set the default rule to Block
  • Publish Changes
  • Check the default rule

10) Test Security Policies

  • Test1 : Check http port connectivity from VLAN to VXLAN 5001
  • Test2 : Block http in the L2 Security Policy and test port connectivity
    • Allow http in the L2 Security Policy
    • Allow http and test again
  • Test3 : Block the default firewall rule
    • Allow the default firewall rule and test again
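As an added example (not code from the original post), the Python model below shows how the pieces described above combine to decide a flow: security tags drive dynamic security group membership, the L2 web policy inherits the L1 production policy, excluded VMs bypass the firewall, and anything unmatched falls through to the default rule. The VM inventory, port numbers for the L1 services and the assumption that L1 is applied to the Production group are constructed for illustration; the post only shows L2 being assigned to Web Servers.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    action: str      # "allow" or "block"
    service: tuple   # (protocol, port); ("any", None) matches everything

@dataclass
class Policy:
    name: str
    rules: list
    parent: "Policy" = None   # Service Composer inheritance (L2 inherits L1)

    def effective_rules(self):
        # A policy's own rules first, followed by every rule inherited from its parent
        inherited = self.parent.effective_rules() if self.parent else []
        return list(self.rules) + inherited

# Constructed inventory: VM -> security tags (vmpn01 sits on the physical VLAN, untagged)
VM_TAGS = {"vmpn01": set(), "web01": {"Production", "WebServers"},
           "web02": {"Production", "WebServers"}, "db01": {"Production", "DBServers"}}
EXCLUDED = {"vcenter"}   # exclusion list: this traffic never enters the DFW

def group_members(tag):
    # Security group with dynamic membership based on a security tag
    return {vm for vm, tags in VM_TAGS.items() if tag in tags}

# Assumed ports for the L1 services (ICMP, DNS, DHCP, SSH, RDP) and the L2 services (HTTP, HTTPS)
L1 = Policy("L1-Production", [Rule("allow", ("icmp", None)), Rule("allow", ("udp", 53)),
                              Rule("allow", ("udp", 67)), Rule("allow", ("tcp", 22)),
                              Rule("allow", ("tcp", 3389))])
L2 = Policy("L2-production-Web Servers",
            [Rule("allow", ("tcp", 80)), Rule("allow", ("tcp", 443))], parent=L1)
# Test2 variant from the post: HTTP blocked in the L2 policy, everything else unchanged
L2_HTTP_BLOCKED = Policy("L2 (http blocked)",
                         [Rule("block", ("tcp", 80)), Rule("allow", ("tcp", 443))], parent=L1)

# Policy applied per security group, most specific group first.
# Assumption: L1 is applied to the Production group (the post only shows L2 on Web Servers).
APPLIED = {"WebServers": L2, "Production": L1}
DEFAULT_ACTION = "block"   # the post changes the "any to any" default rule to Block

def is_allowed(src, dst, proto, port, policies=APPLIED, default=DEFAULT_ACTION):
    """First matching rule wins; unmatched traffic falls through to the default rule."""
    if src in EXCLUDED or dst in EXCLUDED:
        return True
    for tag, policy in policies.items():
        if dst in group_members(tag):
            for rule in policy.effective_rules():
                if rule.service in ((proto, port), ("any", None)):
                    return rule.action == "allow"
    return default == "allow"
```

Running Test1 is `is_allowed("vmpn01", "web01", "tcp", 80)`, Test2 is the same call with `policies={"WebServers": L2_HTTP_BLOCKED, "Production": L1}`, and Test3 is a non-matching port such as 3306 with `default="allow"` versus the default block.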

