I am sure that most VMware administrators have at least a rough idea of what VMware NSX is. VMware NSX (software-defined networking) is part of VMware's software-defined data center stack. NSX abstracts network operations from the underlying network hardware into the software layer. It provides a wide set of network virtualization and security features, such as logical switching, logical routing, the NSX Edge firewall, NAT services, load balancing, software L2 bridging to the physical environment, support for dynamic routing, the NSX Distributed Firewall (micro-segmentation), VPN services, and service insertion.
The NSX Distributed Firewall (DFW) is a distributed firewall spread across the ESXi hosts and enforced as close as possible to the source of each VM's traffic. The DFW runs as a kernel service inside the ESXi host. With the NSX DFW we can enforce a stateful firewall service for VMs, and the enforcement point is the VM's virtual NIC (vNIC). Every packet that leaves the VM (before VTEP encapsulation) or enters the VM (after VTEP de-encapsulation) can be inspected against the firewall policy.
There are cases where we need to exclude virtual machines, such as vCenter Server and other management VMs, from the NSX Distributed Firewall. NSX provides an option to exclude a set of virtual machines from NSX firewall protection. When a virtual machine is excluded, all of its vNICs are excluded from protection if it has multiple virtual NICs. NSX Manager and service virtual machines are automatically excluded from firewall protection. In addition, you should exclude the vCenter Server and partner service virtual machines so that their traffic can flow freely. Excluding virtual machines from firewall protection is useful, for instance, where vCenter Server resides in the same cluster in which the firewall is being used. After a virtual machine is added to the exclusion list, none of its traffic passes through the firewall.
How to Exclude Virtual Machines from NSX Distributed Firewall Protection
1. Log in to the vSphere Web Client and click Networking & Security.
2. Click NSX Managers -> select your NSX Manager -> Manage -> select the Exclusion List tab -> click "+".
3. Select the virtual machines from the list, or search for them using the Filter option. Select the virtual machines and move them to Selected Objects. Click OK to add the virtual machines to the exclusion list for NSX Distributed Firewall protection.
4. The selected virtual machines now appear in the Exclusion List and are excluded from the NSX Distributed Firewall.
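Because every VM on the exclusion list bypasses the DFW entirely, it is worth auditing the list against an approved baseline instead of trusting what was clicked in the UI. The script below is an added example, not part of the original post or of VMware's tooling; it assumes NSX Manager serves the exclusion list at GET /api/2.1/app/excludelist as XML with each entry under excludeMember/member carrying objectId and name, and the sample response and VM names are constructed.

```python
"""Audit the NSX DFW exclusion list against an approved baseline.

Assumed (not from the post): NSX Manager returns the list at
GET /api/2.1/app/excludelist, with members under
excludeListConfiguration/excludeMember/member holding <objectId> and <name>.
"""
import base64
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample response shaped like the assumed API XML.
SAMPLE_XML = """<VshieldAppConfiguration>
  <excludeListConfiguration>
    <excludeMember><member><objectId>vm-101</objectId><name>vcenter01</name></member></excludeMember>
    <excludeMember><member><objectId>vm-205</objectId><name>web-frontend-03</name></member></excludeMember>
  </excludeListConfiguration>
</VshieldAppConfiguration>"""

# Hypothetical baseline: the only VMs allowed to bypass the DFW.
APPROVED = {"vcenter01", "partner-svm-01"}


def parse_exclusion_list(xml_text):
    """Return {vm_name: objectId} for every member in the exclusion list."""
    members = {}
    for m in ET.fromstring(xml_text).iter("member"):
        name, moid = m.findtext("name"), m.findtext("objectId")
        if name and moid:
            members[name] = moid
    return members


def audit(xml_text, approved=APPROVED):
    """Report VMs excluded without approval and approved VMs not excluded."""
    excluded = set(parse_exclusion_list(xml_text))
    return {
        "unexpected": sorted(excluded - approved),  # DFW bypass nobody approved
        "missing": sorted(approved - excluded),     # management VM still filtered
    }


def fetch_exclusion_list(nsx_manager, user, password):
    """GET the live exclusion list from NSX Manager (assumed endpoint, TLS verified)."""
    req = urllib.request.Request(f"https://{nsx_manager}/api/2.1/app/excludelist")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    with urllib.request.urlopen(req) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    print(audit(SAMPLE_XML))  # {'unexpected': ['web-frontend-03'], 'missing': ['partner-svm-01']}
```

Run the audit on a schedule (or from a change-control hook) and treat any "unexpected" entry as a firewall bypass to investigate, and any "missing" entry as a management VM whose connectivity may be at risk.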
That's it. We are done configuring the exclusion of virtual machines from NSX firewall protection. I hope this is informative for you. Thanks for reading! Be social and share it on social media if you feel it is worth sharing.