Question to VMware Product Team.
In this article from 2019, https://aws.amazon.com/blogs/apn/integrating-next-gen-firewalls-with-vmware-cloud-on-aws/, there is information about "service insertion", which could make it possible to integrate, for example, an external third-party firewall vendor.
Now it is 2021. Is there any news about this functionality, which existed in NSX-V?
We are at a time when customers who use NSX-V on-premises are looking for an alternative to their current solution in order to switch to NSX-T.
If they are using network introspection in NSX-V in their datacenter, they currently cannot, for example, migrate to VMC either without this functionality.
Thank you for your question, indeed this is an important topic.
Lei asked our Product Management team, but since it is holiday time in the US, let me just give you some input regarding your question:
Service insertion was initially planned to embed 3rd-party security features within VMC; that was 2 or 3 years ago, as the AWS article shows. But in the meantime some events occurred: we switched from NSX-V to NSX-T, and we acquired companies and enhanced NSX features.
So, based on these events, VMware has decided to choose another option, at least for the mid-term:
- Enhance NSX features in VMC (as in the latest release with L7, IDS-IPS, identity firewall)
- Let our customers choose another security vendor by leveraging AWS services (ALB, ELB, 3rd-party firewalls in the Marketplace): https://cloud.vmware.com/community/2020/06/08/integrating-aws-application-load-balancing-vmware-clou...
- Or, for larger environments including many VPCs or SDDCs, leverage a Transit Gateway in the first case: https://blogs.vmware.com/networkvirtualization/2020/06/vmware-cloud-on-aws-with-transit-gateway-demo... or build a Transit Connect in the second case: https://blogs.vmware.com/networkvirtualization/2020/09/vmware-transit-connect-simplifying-networking...
Hope these details are clear and are fully addressing your question!
Adding on to this already amazing response:
VMware Cloud recently introduced NSX Advanced Firewall Features in the VMC M14 version. These new features include
Added in the VMC M12 version, the VMware-managed Transit Connect Gateway can be an alternative to the native AWS TGW. Through the use of SDDC Groups, customers can link their SDDC vCenter servers together and attach a single Direct Connect Gateway (DXGW, a native AWS concept) to the backing TGW, so that there is a single global resource available for all participating SDDCs to use for routing traffic to on-prem.