VMware Networking Community
vmware3222
Enthusiast

DFW Scale-out

Hello everyone,

How does DFW scale out?

What is the difference between DFW, Edge FW and physical FW?

And what are the NSX advantages compared to a physical architecture in a multi-tenant architecture?

Thank you


Accepted Solutions
cnrz
Expert

dFW (Distributed Firewall) is a scale-out architecture, meaning capacity is increased by adding ESXi hosts, 20 Gbps per host. If you have 2 hosts it is 2x20=40 Gbps, and if there are 10 hosts it is a 10x20=200 Gbps firewall. If there may be 64 hosts per cluster, it may go up to Tbps scale, which is hard for any physical firewall to reach. Since it is kernel based, the CPU overhead is low.

Edge Firewall is a VM-based firewall, which may go up to 10 Gbps per host, and for a multi-tenant environment different Edge Firewalls may be used per tenant. So it is not a scale-out architecture. It may be important that their placement in the design is generally different: Edge FW is for N-S traffic, which is inter-tenant or outside of the DC, while dFW is for intra-tenant E-W traffic.

  • With physical firewalls it is not possible to check VM-to-VM traffic on the same VLAN or VXLAN, so microsegmentation is not possible to achieve. Also they are not scale-out architectures, so either the total capacity that may be needed in the future should be invested on day one, or the physical FW should be replaced once the total capacity is reached, which is a waste of investment.
  • Also dFW is an L4 firewall, not an application L7 firewall, so if L7 FW rules are needed, it is possible to integrate these FWs with dFW, which allows sending only the needed traffic to pass through the L7 FW, so capacity is used more efficiently.
  • With dFW it is possible to use dynamic rules based on vCenter objects such as VM name, LS, Cluster. This provides faster and more efficient design of the rules.
  • Since dFW rules are enforced at vNIC level, the rule is applied without even reaching the dVS, but in the physical FW case, the traffic should travel through physical switches, adding hop counts and thus delay to the traffic.
  • Automation of the FW rules is easier for a dFW in a vSphere environment. Since multi-tenant architectures rely on self-service or automation and orchestration, NSX dFW and Edge FW may have advantages.
  • Physical firewalls are still needed for Internet and other perimeter-based zones, so dFW in some cases complements, instead of replacing, the physical FW.
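
A conceptual model of the points in the answer above, added here as an example; it is not part of the original post and is not NSX code or an NSX API. It shows rules keyed on VM name being evaluated at every vNIC, while a perimeter firewall only sees flows routed between segments. The VM names, segment names, first-match ordering and default-deny rule are assumptions.

```python
# Conceptual model of the behaviour described above. Not NSX code or an NSX API.
from dataclasses import dataclass
from fnmatch import fnmatchcase

@dataclass(frozen=True)
class VM:
    name: str      # vCenter VM name, used for dynamic group membership
    segment: str   # logical switch (LS) / VLAN the vNIC is attached to

@dataclass(frozen=True)
class Rule:
    src: str       # VM-name pattern, e.g. "web-*"
    dst: str
    proto: str     # "tcp", "udp" or "any"
    port: int      # 0 means any port
    action: str    # "allow" or "drop"

# Constructed sample policy: L4 only, first match wins, default deny (assumptions).
RULES = [
    Rule("web-*", "app-*", "tcp", 8443, "allow"),
    Rule("*", "*", "any", 0, "drop"),
]

def dfw_verdict(src, dst, proto, port, rules=RULES):
    """Verdict at the source vNIC; every flow is evaluated, whatever the segment."""
    for r in rules:
        if (fnmatchcase(src.name, r.src) and fnmatchcase(dst.name, r.dst)
                and r.proto in (proto, "any") and r.port in (port, 0)):
            return r.action
    return "drop"

def perimeter_sees(src, dst):
    """A physical firewall at the routed boundary only sees inter-segment flows."""
    return src.segment != dst.segment

def audit(flows):
    """Return (flow label, seen by perimeter FW, dFW verdict) for each flow."""
    return [(f"{s.name}->{d.name}:{proto}/{port}", perimeter_sees(s, d),
             dfw_verdict(s, d, proto, port)) for s, d, proto, port in flows]

if __name__ == "__main__":
    web1, web2 = VM("web-01", "ls-web"), VM("web-02", "ls-web")
    app1 = VM("app-01", "ls-app")
    web3 = VM("web-03", "ls-web")  # new VM: matched by name, no rule change
    for row in audit([(web1, web2, "tcp", 22), (web1, app1, "tcp", 8443),
                      (web3, app1, "tcp", 8443), (app1, web1, "tcp", 8443)]):
        print(row)
```

The first flow is the case the answer highlights: web-01 to web-02 on the same segment never reaches the perimeter firewall, yet the vNIC-level policy still drops it.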



linotelera
Hot Shot

It is true! Another parameter could be cps: some physical firewall congestion could be caused by a huge number of connections per second, which could increase its CPU usage. DLR and DFW are actually the most reliable and dynamic way to grow your infrastructure in terms of bandwidth/cps without changing physical infrastructure elements (like FW), simply by adding new hosts.

Cost in this scenario is the main driver, and before choosing NSX, consider the risk line and the number of hosts in your infrastructure: if you have only 3 hosts it could be hard to justify, but if your infrastructure will grow and security risks are too high you will find this product (IMHO) the best in the market.

Suggestion: never consider the edge as a stand-alone component: it is like a hand of DFW, used to handle N-S traffic that comes to the tenant or to connect your infrastructure with other external infrastructures. Some physical FWs are distributed in 2 ways: physical and virtual edition (like Juniper, FortiGate, ...): consider it as a flexible alternative way to physical constraints (firewall CPU and MEM).

vmware3222
Enthusiast

Thank you very much for your responses
