Its depends upon the type of VCD network you are using. If the workloads are connected to same edge and they all fall under single subnet, DFW is required. If you have multiple tenants and multiple edges and transit paths are terminating on upstream devices, you can have have End-End F/W check . Like i said, there are multiple options based on design.
Cheers,
Sree | VCIX-5X| VCAP-5X| VExpert 7x|Cisco Certified Specialist
Please KUDO helpful posts and mark the thread as solved if answered
