vCloud Director SP 8.20 New Features – Distributed Firewall

With the release of vCloud Director 8.20 VMware has stepped up their game and offered a set of features that’s truly impressive.

vCloud Director has been around for some time so I won’t dive into the existing feature set but will instead work on a series of posts going over each new feature and how it works. First up….Distributed Firewall.

Now the NSX Distributed Firewall up until this point has been only accessible either via API or the vSphere WebClient. In a multi-tenant environment giving access to the WebClient was not possible given the lack of Role Based Access Controls (RBAC) within the NSX UI. This required Service Providers to deploy custom UI’s making back end API calls, time consuming to say the least.

Now vCloud Director has taken the hard work out of the equation by providing a fully multi-tenant HTML5 interface based on the Clarity VMware standard with full RBAC baked in. Let’s take a look.

The DFW UI is accessed via the OrgVDC as seen below. The key thing to remember here is that by having the DFW managed under each OrgVDC you are able to give each VDC control over their own firewall. With the already baked in RBAC of vCloud this gives a huge amount of granular control.

Selecting ‘Manage Firewall’ will load the HTML5 UI in a separate window. Initially the DFW is disabled for the OrgVDC and will need to be enabled:

The UI will look very familiar to anyone who has used the WebClient UI with a few caveats.

The functionality of the DFW is exactly the same as via the WebClient including creating of IP and MAC sets, however there are 3 key exceptions:

  1. Unable to interact with Service Composer
  2. Unable to create Object Groupings (more on this later)
  3. Unable to create new service groupings

Finally the last bit of new information is the ‘Applied To’ section. As vCloud is fully multi-tenant the NSX UI must also be. How this works is that you are only able to apply the DFW rules to objects under the control of your OrgVDCs. Your options for applying rules are:

  1. Edges
  2. OrgVDC Networks
  3. Virtual Machines
  4. OrgVDCs

Now let’s take a moment and create a rule so you can see how it looks within vSphere.

Clicking the ‘+’ button brings up a new rule above our default rule. For sake of this post I’m simply creating a duplicate Allow Any/Any rule.

After labeling the rule, I select the Applied To field and select my OrgVDC:

As with the WebClient you must commit all rules and save them before they are applied. The discard option is also present in case you need to roll back:

Finally we have the completed live rule:

Looking into the vSphere WebClient we see the following entry:

A Unique section is created for each OrgVDC with a live DFW. The naming of the section corresponds to the UUID of our OrgVDC. As we chose to use the OrgVDC as our target, a grouping object was automatically created encompassing all VM’s within our OrgVDC with a label also matching the OrgVDC UUID.

Looking in the hosts and cluster section we’ll see that it nicely matches up as well:


As you can see the new feature of a fully multi-tenant HTML5 UI allowing per OrgVDC control of the distributed firewall is a huge step forward for customers. Customers can now self-manage micro-segmentation within their multi-tenant vCloud environment in a secure and scalable fashion greatly enhancing the value add of vCloud Director and NSX.


Leave a Reply

Your email address will not be published. Required fields are marked *