VMware Networking Community
Petersaints
Enthusiast

Virtual firewall

Hello all,

Need some help if possible. I'm managing a multi-tenant NSX 4.x environment. I'm using VRF Lite to separate all customers.

I'm receiving requests from customers who want to use a firewall to manage their VMs' access to the internet, or to manage the traffic that comes from outside NSX to the VMs in their VRF. Customers don't have access to the Gateway FW or DFW.

Each customer has a VRF and a T1, and inside NSX the VMs only use overlay segments.

Is it possible to deploy a virtual firewall, like FortiGate VM (but not integrated with NSX), for those customers, so they can manage the firewall themselves?

Has anyone tested it?

Thanks.

Regards.

5 Replies
Sreec
VMware Employee

Why not, it's a VM :), so as long as your connectivity and placement are done correctly it will work. Will this be a scalable design? I don't think so.

Cheers,
Sree | VCIX-5X| VCAP-5X| VExpert 6x|Cisco Certified Specialist
Please KUDO helpful posts and mark the thread as solved if answered
Petersaints
Enthusiast

@Sreechi,

But imagine, when I create an overlay segment, e.g. 192.168.100.1/24, the .1 is the default gateway. How can I assign that .1 IP to that virtual firewall?

Thanks.

Regards.

EvertAM
Enthusiast

You don't really have to. The customer can route their traffic to the firewall VM, the firewall VM can then route it out via the segment gateway IP.

It might be worth looking into other options as well, though. Either through service insertion, or using multi-tenancy. There were quite a few new features added in 4.1 to allow your tenants access to their own DFW/gateway FW but nothing else. It could be worth a look.

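The routing arrangement EvertAM describes, modelled as an added example (not code from the thread, VMware or any firewall vendor): tenant VMs point their default route at a firewall VM on the same overlay segment, and that VM forwards traffic out via the T1 gateway at .1. The segment 192.168.100.0/24, the firewall VM address .254, the external host and the VM names are constructed; the audit at the end flags VMs whose default route still goes straight to .1 and therefore never crosses the tenant-managed firewall.

```python
from ipaddress import ip_address, ip_network

# Constructed sample values; only the ".1 is the gateway" convention comes from the thread.
SEGMENT = ip_network("192.168.100.0/24")     # tenant overlay segment
T1_GATEWAY = ip_address("192.168.100.1")      # T1 downlink at .1, as in the thread
FIREWALL_VM = ip_address("192.168.100.254")   # tenant-managed firewall VM (constructed)
INTERNET_HOST = "203.0.113.10"                # constructed external destination

def next_hop(routes, dst):
    """Longest-prefix match over (prefix, next_hop) tuples; None means on-link delivery."""
    dst = ip_address(dst)
    best = None
    for prefix, hop in routes:
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None

def path_to(vm_routes, fw_routes, dst):
    """Hops a packet from a tenant VM takes towards dst in this design."""
    hops = []
    hop = next_hop(vm_routes, dst)
    if hop == FIREWALL_VM:              # VM hands the packet to the firewall VM first ...
        hops.append(hop)
        hop = next_hop(fw_routes, dst)  # ... which forwards it via the segment gateway
    if hop is not None:
        hops.append(hop)
    return hops

def audit_bypass(vms, fw_routes, dst=INTERNET_HOST):
    """Names of VMs whose internet-bound traffic never crosses the firewall VM."""
    return sorted(name for name, routes in vms.items()
                  if FIREWALL_VM not in path_to(routes, fw_routes, dst))

# Firewall VM: the segment is on-link, everything else goes to the T1 gateway at .1.
FW_ROUTES = [(str(SEGMENT), None), ("0.0.0.0/0", T1_GATEWAY)]
# Tenant VMs: web01 follows the design, db01 still defaults straight to .1.
VMS = {
    "web01": [(str(SEGMENT), None), ("0.0.0.0/0", FIREWALL_VM)],
    "db01":  [(str(SEGMENT), None), ("0.0.0.0/0", T1_GATEWAY)],
}

if __name__ == "__main__":
    for name, routes in VMS.items():
        print(name, "->", [str(h) for h in path_to(routes, FW_ROUTES, INTERNET_HOST)])
    print("bypassing firewall VM:", audit_bypass(VMS, FW_ROUTES))
```

Because .1 stays reachable from every VM on the segment, the design only holds if something the tenant cannot change (for example a provider-managed DFW rule limiting the segment's egress to the firewall VM) closes that bypass.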
Petersaints
Enthusiast

Hi @EvertAM,

Those features are NSX Projects, right? But in that case the customer will need to have access to the NSX UI.

Thanks.

Regards.

EvertAM
Enthusiast

I believe so; if you want the customer to access the native FW, they'll need access to either the UI or the API.
