How to Exclude Virtual Machines from NSX Distributed Firewall Protection

I am sure that most VMware administrators have at least some idea of what VMware NSX is. VMware NSX (software-defined networking) is part of VMware's software-defined data center stack. NSX abstracts network operations from the underlying network hardware into the software layer. It provides many network virtualization and security features, such as logical switching, logical routing, the NSX Edge firewall, NAT services, load balancing, software L2 bridging to the physical environment, support for dynamic routing, the NSX Distributed Firewall (micro-segmentation), VPN services, and service insertion.
The NSX Distributed Firewall (DFW) is a distributed firewall spread across the ESXi hosts and enforced as close as possible to the source of each VM's traffic. The DFW runs as a kernel service inside the ESXi host. With the NSX DFW we can enforce a stateful firewall service for VMs, with the enforcement point at the VM's virtual NIC (vNIC). Every packet that leaves the VM (before VTEP encapsulation) or enters the VM (after VTEP de-encapsulation) can be inspected against the firewall policy.

There are cases where we need to exclude virtual machines such as vCenter Server and other management VMs from the NSX Distributed Firewall. NSX provides an option to exclude a set of virtual machines from firewall protection. When you exclude a virtual machine, all of its vNICs are excluded from protection if it has multiple virtual NICs. NSX Manager and service virtual machines are automatically excluded from firewall protection. In addition, you should exclude the vCenter Server and partner service virtual machines to allow their traffic to flow freely. Excluding virtual machines from firewall protection is useful where vCenter Server resides in the same cluster in which the firewall is being used, since a rule that accidentally blocks vCenter would also cut off the management path needed to correct it. After a virtual machine is added to the exclusion list, none of its traffic goes through the firewall, so keep the list limited to management VMs and review it regularly: every entry on it is a workload that bypasses your micro-segmentation policy entirely.

How to Exclude Virtual Machines from NSX Distributed Firewall Protection

1. Log in to the vSphere Web Client and click Networking & Security.

2. Click NSX Managers -> select the NSX Manager -> Manage -> select the Exclusion List tab -> click the "+" icon.

[Screenshot: Exclude virtual machines from NSX Distributed Firewall Protection]

3. Select the virtual machines from the list, or search for them using the Filter box. Move the selected virtual machines to Selected Objects and click OK to add them to the exclusion list for the NSX Distributed Firewall.

[Screenshot: Exclude virtual machines from NSX Distributed Firewall Protection (2)]

The selected virtual machines now appear in the Exclusion List and are excluded from the NSX Distributed Firewall.

[Screenshot: Exclude virtual machines from NSX Distributed Firewall Protection (3)]
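Because an excluded VM bypasses every DFW rule, the exclusion list is worth auditing outside the UI as well. The script below is an added example, not code from the original post or from VMware. It assumes (verify against the API guide for your NSX version) that NSX-v Manager serves the exclusion list at GET /api/2.1/app/excludelist with Basic authentication, and that the XML response lists each excluded VM as a <member> element carrying <objectId> and <name>. The sample XML, the VM names and the hostname/credential parameters are constructed for offline use; the audit compares what is actually excluded against the management VMs you have documented as allowed exclusions.

```python
"""Audit the NSX DFW exclusion list for undocumented members (added example)."""
import base64
import ssl
import urllib.request
import xml.etree.ElementTree as ET

# Management VMs that are documented as legitimately excluded (constructed names).
EXPECTED_EXCLUSIONS = {"vcenter01", "nsx-partner-svm01"}

# Constructed sample of the assumed response shape; a real NSX Manager reply
# carries more fields, but the <member>/<objectId>/<name> parts are what we use.
SAMPLE_XML = """<VshieldAppConfiguration>
  <excludeListConfiguration>
    <excludeMember><member><objectId>vm-101</objectId><name>vcenter01</name></member></excludeMember>
    <excludeMember><member><objectId>vm-102</objectId><name>nsx-partner-svm01</name></member></excludeMember>
    <excludeMember><member><objectId>vm-233</objectId><name>web-prod-07</name></member></excludeMember>
  </excludeListConfiguration>
</VshieldAppConfiguration>"""


def parse_exclusions(xml_text):
    """Return {vm_name: objectId} for every excluded VM found in the response."""
    root = ET.fromstring(xml_text)
    found = {}
    for member in root.iter("member"):
        name = member.findtext("name")
        obj_id = member.findtext("objectId")
        if name and obj_id:
            found[name] = obj_id
    return found


def audit_exclusions(xml_text, expected=EXPECTED_EXCLUSIONS):
    """Compare the live exclusion list with the documented one.

    Returns (unexpected, missing): VMs that are excluded without being
    documented (they bypass the DFW entirely and need a review) and
    documented VMs that are no longer on the list.
    """
    actual = parse_exclusions(xml_text)
    unexpected = sorted(set(actual) - set(expected))
    missing = sorted(set(expected) - set(actual))
    return unexpected, missing


def fetch_exclusion_list(nsx_manager, username, password, verify_tls=True):
    """Fetch the exclusion list from NSX Manager (network call; not used offline)."""
    url = f"https://{nsx_manager}/api/2.1/app/excludelist"  # assumed endpoint
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(
        url, headers={"Authorization": f"Basic {token}", "Accept": "application/xml"}
    )
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for lab managers with self-signed certificates
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    # Offline run against the constructed sample; swap in fetch_exclusion_list(...)
    # to audit a live NSX Manager.
    unexpected, missing = audit_exclusions(SAMPLE_XML)
    print("Excluded but not documented:", unexpected)
    print("Documented but not excluded:", missing)
```

Run against the sample, the audit reports web-prod-07 as excluded without being documented, which is exactly the kind of entry that should not sit on the list: a production workload on it receives no DFW enforcement at all. Scheduling this check and alerting on a non-empty "unexpected" result catches exclusions added outside the change process.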

That's it. We are done with configuring the exclusion of virtual machines from NSX firewall protection. I hope this is informative for you. Thanks for reading! Be social and share it on social media if you feel it is worth sharing.

Other VMware NSX Related Posts:

VMware NSX Installation Part 1 – NSX Overview & Installation Prerequisites

VMware NSX Installation Part 2 – NSX Lab Design & Deploying NSX Manager

VMware NSX Installation Part 3 – Integrating NSX Manager with vCenter Server

VMware NSX Installation Part 4 – Deploying NSX Controller

VMware NSX Installation Part 5 – Checking NSX Controller Status

VMware NSX Installation Part 6 – Preparing Cluster and Hosts for NSX

VMware NSX Installation Part 7 – Verify NSX VIBs Installation from ESXi hosts

VMware NSX Installation Part 8 – Configuring VXLAN on the ESXi Hosts

VMware NSX Installation Part 9 – Create Segment ID and Transport Zones

VMware NSX Installation Part 10 – Create NSX Logical Switch

VMware NSX Installation Part 11 – Creating Distributed Logical Router

VMware NSX – Backup & Restore VMware NSX Manager Data

VMware NSX – Unable to Delete/Remove NSX Logical Switch

VMware NSX – How to Manually Install NSX VIBS on ESXi Host

VMware NSX – How to Manually Remove NSX VIBs from ESXi Host?

How to Remove NSX (Network & Security) Extension from vSphere Web Client