VMware Networking Community
JJBN (Enthusiast)

DFW "Apply to all ESGs" feature

Hi,

When creating a FW rule on the DFW there is the option to choose "Apply that rule to all ESGs".

My question is: if we apply that FW rule to a specific Logical Switch and we select the option "apply to all ESGs", to which ESGs is the rule going to be applied?

- All ESGs managed by the NSX Manager?

- All ESGs attached to the specific logical switch that the rule is applied to?

Thanks.


Regards,

JJBN


Accepted Solution

bayupw (Leadership)

The rule will be applied to all ESGs and to all VMs connected to that particular Logical Switch.

An example is in the screenshot below; in this case the rule will be applied to all ESGs, regardless of whether the ESG is connected to Web_Tier_Logical_Switch or not, and also to all VMs connected to Web_Tier_Logical_Switch.

[screenshot: appliedto.png]

If you would like to do some testing and you don't have any lab for it, you can always use the VMware Hands On Lab http://labs.hol.vmware.com/

Bayu Wibowo | VCIX6-DCV/NV
Author of VMware NSX Cookbook http://bit.ly/NSXCookbook
https://github.com/bayupw/PowerNSX-Scripts
https://nz.linkedin.com/in/bayupw | twitter @bayupw

JJBN (Enthusiast)

Thanks Bayu. And in case the "Apply to all ESGs" feature is not selected and only the logical switch Web_Tier_Logical_Switch is chosen, will the DFW rule apply to the ESG attached to the logical switch Web_Tier_Logical_Switch, or will it never apply to an ESG?

Thanks!


Regards,

JJBN

bayupw (Leadership)

Please note that the DFW (Distributed Firewall) is in the kernel, while the ESG Firewall is on the NSX Edge Services Gateway VM.

In the previous scenario, the firewall rule will be pushed to the ESG VMs and also to the DFW.

In the second scenario, if you don't select ESGs, then the firewall rule will be applied to the DFW and only to the VM vNICs connected to that particular Logical Switch.

This is useful when you have overlapping IP addresses across different logical switches.

This will also reduce the number of rules pushed to the ESXi hosts, which improves efficiency because the DFW will have fewer rules to evaluate for every new session.

Some links for your references:

VMware NSX for vSphere 6.2 Documentation Center - Add a Firewall Rule

Distributed Firewall (DFW) in NSX for vSphere, and “Applied To:” | Telecom Occasionally

NSX Distributed Firewall Deep Dive – VMware Professional Services

Bayu Wibowo | VCIX6-DCV/NV
Author of VMware NSX Cookbook http://bit.ly/NSXCookbook
https://github.com/bayupw/PowerNSX-Scripts
https://nz.linkedin.com/in/bayupw | twitter @bayupw
JJBN (Enthusiast)
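To make the two scoping cases above concrete, here is an added Python model (not code from the thread or from VMware) of what the "Applied To" selection resolves to. It takes a rule that names logical switches under "Applied To" with or without the "Apply to all ESGs" flag and returns the vNICs and ESGs the rule would be pushed to, following Bayu's answer: VM vNICs on the selected switches via the in-kernel DFW, and every ESG managed by the NSX Manager only when the flag is set, whether or not that ESG is attached to a selected switch. It also builds and parses the `appliedToList` XML for a DFW rule; the element layout and the `ALL_EDGES` value are my assumptions about the NSX-v firewall REST API and should be checked against the API guide for your release. The inventory, `virtualwire-*` ids and `edge-*` ids are constructed for the example.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Sentinel for the "Apply to all ESGs" checkbox in the NSX-v firewall API
# appliedToList (assumption; verify against your release's API guide).
ALL_EDGES = "ALL_EDGES"


@dataclass(frozen=True)
class Vnic:
    name: str
    logical_switch: str  # virtualwire id the VM vNIC is attached to


@dataclass(frozen=True)
class Edge:
    edge_id: str
    logical_switches: tuple  # virtualwire ids this ESG has interfaces on


@dataclass
class Rule:
    name: str
    applied_to: list            # virtualwire ids selected under "Applied To"
    apply_to_all_edges: bool = False


def enforcement_points(rule, vnics, edges):
    """Return (edge_ids, vnic_names) the rule is pushed to.

    VM vNICs on the selected logical switches get the rule through the
    in-kernel DFW. ESGs get it only when "Apply to all ESGs" is set, and
    then every ESG does, regardless of which switches it is attached to.
    The ESG's own vNICs are never a DFW enforcement point, which is why
    ESGs live in a separate inventory list rather than among the vNICs.
    """
    vnic_names = sorted(v.name for v in vnics if v.logical_switch in rule.applied_to)
    if rule.apply_to_all_edges:
        # Edge.logical_switches plays no part here: the flag is global.
        edge_ids = sorted(e.edge_id for e in edges)
    else:
        edge_ids = []
    return edge_ids, vnic_names


def rule_to_xml(rule, switch_names):
    """Build a <rule> body with an appliedToList (element shape is an assumption)."""
    root = ET.Element("rule", disabled="false", logged="false")
    ET.SubElement(root, "name").text = rule.name
    ET.SubElement(root, "action").text = "allow"
    atl = ET.SubElement(root, "appliedToList")
    for vw in rule.applied_to:
        at = ET.SubElement(atl, "appliedTo")
        ET.SubElement(at, "name").text = switch_names[vw]
        ET.SubElement(at, "value").text = vw
        ET.SubElement(at, "type").text = "VirtualWire"
    if rule.apply_to_all_edges:
        at = ET.SubElement(atl, "appliedTo")
        ET.SubElement(at, "name").text = ALL_EDGES
        ET.SubElement(at, "value").text = ALL_EDGES
        ET.SubElement(at, "type").text = ALL_EDGES
    return ET.tostring(root, encoding="unicode")


def applied_to_from_xml(xml_text):
    """Parse a rule body back into (virtualwire ids, all_edges flag)."""
    root = ET.fromstring(xml_text)
    switches, all_edges = [], False
    for at in root.iterfind("./appliedToList/appliedTo"):
        kind = at.findtext("type")
        if kind == ALL_EDGES:
            all_edges = True
        elif kind == "VirtualWire":
            switches.append(at.findtext("value"))
    return switches, all_edges


# Constructed inventory: two web VMs and one app VM on two logical
# switches, plus two ESGs, each attached to one of the switches.
VNICS = [Vnic("web-01", "virtualwire-10"), Vnic("web-02", "virtualwire-10"),
         Vnic("app-01", "virtualwire-20")]
EDGES = [Edge("edge-1", ("virtualwire-10",)), Edge("edge-2", ("virtualwire-20",))]
SWITCH_NAMES = {"virtualwire-10": "Web_Tier_Logical_Switch",
                "virtualwire-20": "App_Tier_Logical_Switch"}

if __name__ == "__main__":
    for flag in (True, False):
        r = Rule("Web-Tier-Allow", ["virtualwire-10"], apply_to_all_edges=flag)
        print("apply_to_all_edges =", flag, "->", enforcement_points(r, VNICS, EDGES))
        print(rule_to_xml(r, SWITCH_NAMES))
```

With the flag set, the rule lands on both edge-1 and edge-2 even though edge-2 has no interface on Web_Tier_Logical_Switch, which is the behaviour JJBN asked about; without it, only web-01 and web-02 receive the rule.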

Thanks Bayu for the answer! So the DFW will apply the rules to all the VMs attached to the selected logical switch, except the attached ESG (even though it is a VM), and in case I want to push the DFW rules into an ESG using "apply to all ESGs", it will do the job, BUT it will apply to all ESGs managed by the NSX Manager.

Now it is clear to me, thanks for the explanation Bayu. Not what I was expecting, but well... I hope in future releases I get what I want. What I was looking for is to apply the DFW rules on the ESGs attached to the logical switch that I apply the DFW rule to. I know that it sounds stupid when your whole environment is VMs, but in my case 50% are VMs and 50% are physical servers (attached to NSX through hardware VTEPs), so I will have to apply the same rules twice (on the DFW for a specific logical switch and again to that ESG attached to the DFW).

Thanks.


Regards,

JJBN
