VMware NSX

 External Network firewall rule

MCVMH posted Sep 23, 2024 10:52 AM

Hoping this is an easy one. In NSX-V we had the concept of external and internal network definitions. We don't seem to have the same options with NSX-T.

We have some customers who have multiple networks, it was useful for us to allow connections from the LAN to "External" but not to a DMZ for example.

Is this possible with NSX-T still, or are we going to have to add a deny to the DMZ network from the LAN? Not the end of the world, but it does mean we need to pay careful attention to the rule ordering.

Steffen Richter (Best Answer)

Hi @MCVMH, within NSX (NSX-T ended with v3.2, since v4 it's NSX again ;)) and the DFW you can negate within the Sources and/or Destinations columns of a Firewall rule.

I guess you could solve your topic with that one. E.g. a Security Group that contains all RFC 1918 subnets and building a rule with that one, allowing traffic to ANY (but Destination "not RFC 1918 networks") or whatever similar networks suit your use case.

Haven't looked too deep into the new NSX VPC feature, maybe there are other options with this capability (if in use).

BR
Steffen
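Added example (not from this thread and not VMware's code): the NSX Policy API shape of the RFC 1918 group and the negated-destination DFW rule Steffen describes, plus a small evaluator that mimics the negate semantics so the effect on LAN-to-DMZ traffic is visible without an NSX manager. The group paths, the LAN range (10.10.0.0/16) and the DMZ address are assumptions.

```python
import ipaddress

# Constructed illustration: Policy API bodies for the group and rule from the
# answer, and a first-match evaluator that reproduces the "negate" semantics.
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
GROUPS = {  # assumed group paths -> member CIDRs (the DMZ sits inside RFC 1918)
    "/infra/domains/default/groups/lan": ["10.10.0.0/16"],
    "/infra/domains/default/groups/rfc1918-networks": RFC1918,
}

def rfc1918_group_body():
    """Body for PATCH /policy/api/v1/infra/domains/default/groups/rfc1918-networks."""
    return {"display_name": "rfc1918-networks",
            "expression": [{"resource_type": "IPAddressExpression",
                            "ip_addresses": RFC1918}]}

def lan_to_external_rule():
    """DFW rule: source LAN, destination = RFC 1918 group with the negate toggle
    (destinations_excluded) set, i.e. 'anything that is NOT an internal network'."""
    return {"display_name": "LAN-to-External",
            "source_groups": ["/infra/domains/default/groups/lan"],
            "destination_groups": ["/infra/domains/default/groups/rfc1918-networks"],
            "sources_excluded": False,
            "destinations_excluded": True,
            "services": ["ANY"], "scope": ["ANY"], "action": "ALLOW"}

def _member(ip, paths):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for p in paths for c in GROUPS[p])

def rule_matches(rule, src_ip, dst_ip):
    # "!=" acts as XOR: with *_excluded True the side matches only when NOT a member.
    src_ok = _member(src_ip, rule["source_groups"]) != rule["sources_excluded"]
    dst_ok = _member(dst_ip, rule["destination_groups"]) != rule["destinations_excluded"]
    return src_ok and dst_ok

def verdict(rules, src_ip, dst_ip, default="DROP"):
    """First-match evaluation, like a DFW section that ends in a default deny."""
    for rule in rules:
        if rule_matches(rule, src_ip, dst_ip):
            return rule["action"]
    return default

if __name__ == "__main__":
    rules = [lan_to_external_rule()]
    print(verdict(rules, "10.10.1.5", "203.0.113.9"))    # ALLOW: destination is not RFC 1918
    print(verdict(rules, "10.10.1.5", "192.168.50.10"))  # DROP: DMZ is RFC 1918, falls to default
```

Because the DMZ address never matches the negated allow rule, it falls through to the default deny and no separate LAN-to-DMZ deny rule (or rule-ordering care) is needed for this case.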