on NSX 6.3.x - when to use Control VM Firewall on DLR? Does the default rule any-any DENY affects data communication ?
We have DFW used to segment application groups?
The DFW runs on every ESXi host. The rules for this firewall are configured on the Firewall section and applies to traffic to the VMs according to the configured rules.
The DLR firewall (NSX Edges -> Logical Router - Firewall) applies only to traffic to and from the DLR Control VM itself. It does not affect VM traffic on ESXi hosts. Usually you don't mess with this, as necessary rules are auto-generated.
There is no hierarchy here, as they are applied to different places.
This article might help you understand: http://www.routetocloud.com/2014/06/nsx-distributed-logical-router/#DLR_Control_VM_Firewall
I am not really sure I understood your question. The control VM has no relationship with DFW. It is used for dynamic routing so DLRs can form a neighbor relationship with the ESG.
If you're asking about the firewall tab that is shown on the DLR, that firewall affects traffic to/from the DLR itself. Rules needed by the system are auto-generated (check settings->configuration in your DLR to se that auto-generate rules is enabled).
Apologies for not making it very clear!!
Are "DLR firewall" and DFW (Distributed firewall) are two different firewalls in terms of function? Do they over-lap?
How will rule behave? Is there a hierarchy ?
any to any Allowedto DFW &
any to any Allow (specific to DLR firewall)
The DFW runs on every ESXi host. The rules for this firewall are configured on the Firewall section and applies to traffic to the VMs according to the configured rules.
The DLR firewall (NSX Edges -> Logical Router - Firewall) applies only to traffic to and from the DLR Control VM itself. It does not affect VM traffic on ESXi hosts. Usually you don't mess with this, as necessary rules are auto-generated.
There is no hierarchy here, as they are applied to different places.
This article might help you understand: http://www.routetocloud.com/2014/06/nsx-distributed-logical-router/#DLR_Control_VM_Firewall
Thank you so much! It is really helpful!!