This document provides an overview of the NSX Security Capabilities and their use.
Readers are encouraged to send feedback to NSXDesignFeedback_at_groups_vmware_com (replace at and underscores)
Thanks! This document is long awaited and highly valuable. Some feedback below - if I may.
The last two lines in the attached picture say 11, and just below that, 10 predefined roles.
Page 17 - I would amend Option 1 with the term "security focused design" as this was the name of this approach back in the time with NSX for vSphere.
Page 20 - "In the physical representation, both T0 and the T1 firewalls are on the Edge Transport Node. Thus the packet does not leave the Edge host until it has passed through T1 Gateway Firewall" This is true, but not always, as the active instance of the T1 can be elsewhere, i.e. within another Edge node, and in that case the traffic will leave the Edge node hosting the T0 and flow to the one hosting the active T1.
Page 32 - Flow 3 is in the text as example but picture talks about flow 2.
Page 34 - I'd include some lines about the fact that the "applied to" can be configured at the section level also, which is also important.
All very good points. Look forward to a revised version 1.1 coming out in a few weeks with these and other edits.