VMWare NSX 6.7 Micro-Segmentation Configuration steps

Securing the data center with a data center and perimeter firewall is not enough. Last year, attacks like WannaCry and others affected many data centers and brought down services. All of those data centers had their security devices in place, yet the attacks could still spread widely because there was no micro-segmentation within the same VLAN or L2 broadcast domain. With NSX micro-segmentation, which is true segmentation, every machine can be isolated, and in an easy way. Most web servers residing on one subnet don't talk to each other, but if one gets hit, all are gone. With NSX it is a couple of clicks away.

As the saying goes, a 100% secured product cannot be used, but that is not the case with NSX micro-segmentation. It is 100% secured, yet the user will never notice any impact, and it is easy for the security team to configure such granular policies with a few clicks, managed centrally from one place.

Distributed firewalling is applied to every individual VM at the kernel level, so there is no chance of it being bypassed, for example by infecting other VLANs or the same VLAN.

This post covers the micro-segmentation configuration for NSX. See the NSX Manager 6.7 Installation & Configuration post if you want to set up NSX Manager from scratch.

Create Distributed vSwitch & Add Hosts

Distributed firewalling is supported on the Distributed Switch only, even though in practice it also works with a standard switch. So our first step is to create a Distributed Switch and port groups, add hosts to the vDS, and move the VMs to a distributed port group.

Creating Distributed vSwitch

Step : Login to vCenter server – Menu – Networking

Step : Right Click on the Data Center – Distributed switch – New Distributed switch

Step : Provide Name and next

Step : Select ESXi support

Step : Provide the number of uplinks that you want to use for this vDS, in my case 2

Step : Review and Finish

Add ESXi Hosts to Distributed Switch

Step : Right click the Distributed switch just created – Add and Manage Hosts

Step : Add hosts

Step : New Hosts

Step : Select Hosts

Step : Review hosts and Next

Step : Click on Link – Assign link

Step : Select uplink 1

Step : Do the same for all hosts for uplinks 1 and 2

Step : Next

Step : Next

Step : Finish

Now move all the VMs to the distributed port groups.

Micro-Segmentation Configuration

Host Preparation for NSX

NSX installs VIBs on the ESXi hosts to prepare them so that micro-segmentation (distributed firewalling) works.

Step : Menu – Network and Security

Step : Select Installation and Upgrade – Host preparation – select cluster – Install NSX.

Step : Yes

Step : The VIBs are installed, and the version and firewall status are shown as below. If for some reason the installation fails, it can be reinstalled easily.

Security Group Creation with dynamic inclusion

Now we need to create security groups for the virtual machines. This can be done with dynamic inclusion, where all web, app and DB VMs are grouped automatically once their names match the group criteria, or statically.

Step : Home – network and security

Step : Select Service Composer – security groups – Add

Step : Provide a name (web-VMs)

Step : Name contains – web

Step : Next

Step : Next

Step : Finish

Step : Similarly create a group for the App VMs as well.

Distributed Firewall Configuration

In this section we will create some rules to implement micro-segmentation and allow only the required traffic.

  • Users to web servers – HTTPS
  • Web servers to app servers – SAP app port
  • Web servers to web servers – deny all ports

Step : Click on Firewall – Expand Default Section – Default rule – Block – Publish

Step : Click on Firewall – Add Section

Step : Provide Section Name – Add

Step : Expand the section created and click on add rule

Step : Provide a name for the rule, select Source and Destination – Edit

Step : Select the security group created before.

Step : Select the rule – Right click – Add rule below – Create the web-to-web block-all rule – click Publish
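To check the policy before publishing it, the following Python model (an added example, not part of this post or of NSX) reproduces the two mechanisms used above: dynamic group membership by "Name contains" and first-match rule evaluation ending in the Block default rule. The VM names, the group names web-VMs and app-VMs, and the SAP port value 3200 are assumptions; the post does not give the SAP port.

```python
"""Model of the NSX DFW policy built in this post (added example)."""
from dataclasses import dataclass

# Constructed inventory: VM names as they would appear in vCenter.
VMS = ["web01", "web02", "app01", "app02", "db01"]

# Dynamic inclusion criteria from the post: a VM is a member when its name contains the token.
GROUP_CRITERIA = {"web-VMs": "web", "app-VMs": "app"}

def resolve_group(group, vms=VMS):
    """Dynamic security group: every VM whose name contains the group's criterion."""
    return {vm for vm in vms if GROUP_CRITERIA[group] in vm}

@dataclass(frozen=True)
class Rule:
    name: str
    source: str        # security group name, or "any"
    dest: str          # security group name, or "any"
    ports: frozenset   # TCP destination ports; empty means any port
    action: str        # "allow" or "block"

SAP_APP_PORT = 3200    # assumption: SAP dispatcher port for instance 00

# Rules top to bottom, the way NSX evaluates them (first match wins), ending with the
# default rule set to Block. The web-to-web block sits above the any-to-web HTTPS allow:
# with source "any", that allow rule would otherwise match web01 -> web02 on 443.
RULES = [
    Rule("web-to-web-block-all", "web-VMs", "web-VMs", frozenset(), "block"),
    Rule("user-to-web-https", "any", "web-VMs", frozenset({443}), "allow"),
    Rule("web-to-app-sap", "web-VMs", "app-VMs", frozenset({SAP_APP_PORT}), "allow"),
    Rule("default", "any", "any", frozenset(), "block"),
]

def _matches(selector, vm):
    return selector == "any" or vm in resolve_group(selector)

def evaluate(src_vm, dst_vm, port, rules=RULES):
    """Return (rule_name, action) of the first rule that matches the flow."""
    for r in rules:
        if _matches(r.source, src_vm) and _matches(r.dest, dst_vm) \
                and (not r.ports or port in r.ports):
            return r.name, r.action
    raise AssertionError("the default rule must match every flow")

if __name__ == "__main__":
    for flow in [("user-pc", "web01", 443), ("web01", "web02", 443),
                 ("web01", "app01", SAP_APP_PORT), ("web01", "app01", 22),
                 ("app01", "db01", 1433)]:
        print(flow, "->", evaluate(*flow))
```

Swapping the first two rules shows why order matters: the web-to-web flow on 443 then hits the HTTPS allow instead of the block.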

Conclusion for Micro-Segmentation

Step : Rules can be added or deleted as shown below.

Step : All the necessary rules can be created this way, using the built-in capabilities of NSX.


With this, no web server will be able to communicate with another web server, web to app is allowed only on the required port, and specific ports from users to the web servers can also be opened.


Hope this post is useful, leave your comments and feedback.

Siva Sankar

Siva Sankar works as Solution Architect in Abu Dhabi with primary focus on SDDC, Mobility, Virtualization, VDI, HCI and Network Virtualization products from VMWare, Citrix and Microsoft.
