Hello everyone
How does DFW scale out?
What is the difference between DFW, Edge FW and physical FW?
And what are the NSX advantages compared to a physical architecture in a multi-tenant architecture?
Thank you
dFW (Distributed Firewall) is a scale-out architecture, meaning capacity is increased by adding ESXi hosts, 20 Gbps per host. If you have 2 hosts it is 2x20=40 Gbps, and if there are 10 hosts it is 10x20=200 Gbps of firewall. If there may be 64 hosts per cluster, it may go up to Tbps scale, which any physical firewall finds hard to reach. Since it is kernel based, the CPU overhead is low.
Edge Firewall is a VM-based firewall, which may go up to 10 Gbps per host, and for a multi-tenant environment different Edge Firewalls may be used per tenant. So it is not a scale-out architecture. It may be important that their placement in the design is generally different: Edge FW is for N-S traffic, which is inter-tenant or outside of the DC, while dFW is for intra-tenant E-W traffic.
That is true! Another parameter could be CPS: some physical firewall congestion could be caused by a huge number of connections per second, which could increase its CPU. DLR and DFW are actually the most reliable and dynamic way to grow your infrastructure in terms of bandwidth/CPS without changing physical infrastructure elements (like the FW), simply by adding a new host.
Cost in this scenario is the main driver, and before choosing NSX, consider the risk line and the number of hosts in your infrastructure: if you have only 3 hosts it could be hard to justify, but if your infrastructure will grow and the security risks are too high you will find this product (IMHO) the best on the market.
Suggestion: never consider Edge as a stand-alone component: it is like a hand of DFW, used to handle N-S traffic that comes to the tenant or to connect your infrastructure with other external infrastructures. Some physical FWs are distributed in 2 ways, a physical and a virtual edition (like Juniper, Fortigate, ...): consider it as a flexible alternative to physical constraints (firewall CPU and MEM).
Thank you very much for your responses