VMware NSX

NSX Firewall Rules Not Applying to VMs Outside NSX Segments

michael_weintz posted Oct 26, 2024 05:08 AM

Hey Community,

I have a question that has been bothering me for days, and I just can't find anything about it.

The NSX Manager retrieves all information about the VMs located on the ESX hosts via vCenter. These VMs are listed in the inventory and can be used in groups, which I can then apply in the firewall rules of the virtual distributed switch. However, the firewall rules do not apply as long as the virtual machine is not part of an NSX segment. Is there no way to use the VMs discovered from vCenter, which are also listed in the inventory, in groups and firewall rules when they are not part of an NSX group? Do I always have to manually enter the IP address in the firewall rules, even though the NSX Manager already knows the IP and MAC addresses in its inventory?

Short: "What is the best way to handle VMs that are not part of an NSX segment but are listed in the inventory of the NSX Manager?"

Best regards,

Michael

Bogdan28

Great question! The scenario you're describing with NSX Manager and firewall rules is a common point of confusion. NSX Manager primarily uses segments to apply firewall rules, as these segments map directly to logical networks within NSX.

The issue you're facing, where firewall rules don't apply to VMs that aren't part of an NSX segment, is due to the NSX architecture that requires VMs to be on a segment in order for firewall rules to take effect. When a VM is not part of an NSX segment, it isn't part of the NSX logical network, so the rules can't be applied directly.

To answer your question more directly :-) - if the VMs are not part of an NSX segment, you will need to manually handle the IP or MAC addresses in the firewall rules. While the NSX Manager knows these details, the firewall rules can only be applied to segments, not directly to VMs unless they are part of that segment.

Broadcom Employee Sriram ChunchankatteMelukote

Hello Michael,

As was already mentioned, I think, as long as the VMs are not attached to any segments, there is no way the DFW rules within NSX can apply to the VMs, and they would not be affected by any of the services within NSX. So the VMs in effect will not be part of the data plane traffic within NSX. Also, they can be part of any group, but there is no way any firewall rules can be applied on them.

Regards

Sriram
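Both replies above make the same point: a VM that is not attached to an NSX segment can sit in a group, but the DFW never enforces anything on it, so its addresses have to be carried explicitly (typically as the remote side of rules that are enforced on segment-attached VMs). The script below is an added example, not code from the thread's posters or from Broadcom. It takes a constructed inventory snapshot, separates VMs the DFW can match by VM membership from VMs that only appear in rules through an IP-address expression, and assembles a Policy API group body from that split. The `Condition`, `ConjunctionOperator` and `IPAddressExpression` resource types and the `/policy/api/v1/infra/domains/default/groups/{id}` path are real NSX Policy API shapes; the `InventoryVM` record, the sample VMs and their addresses are constructed, and the exact combination rules NSX enforces on mixed expressions are not verified here.

```python
"""Added example (not the thread's or NSX's own code): decide which VMs in a
constructed inventory snapshot a DFW group can reach through VM membership
(attached to an NSX segment) and which must be carried as explicit IPs, then
build the group body for the NSX Policy API."""
from dataclasses import dataclass
import ipaddress
import json


@dataclass(frozen=True)
class InventoryVM:
    """Constructed inventory record: what the thread says NSX Manager already
    knows about a VM discovered via vCenter (assumption, not NSX's export)."""
    name: str
    ips: tuple[str, ...]
    on_nsx_segment: bool  # True only if a vNIC is attached to an NSX segment


# Constructed sample: two VMs on NSX segments, two legacy VMs on a plain
# vDS port group (the case the question asks about).
SAMPLE_INVENTORY = (
    InventoryVM("web-01", ("10.10.1.11",), True),
    InventoryVM("web-02", ("10.10.1.12",), True),
    InventoryVM("legacy-db-01", ("10.20.5.21", "10.20.5.22"), False),
    InventoryVM("legacy-app-01", ("10.20.5.31",), False),
)


def partition_inventory(vms):
    """Split VMs by whether DFW membership criteria can reach them.
    Per the replies, a VM outside every segment may be a group member, yet
    no DFW rule is enforced on it, so its IPs must be listed explicitly."""
    on_segment = [vm for vm in vms if vm.on_nsx_segment]
    outside = [vm for vm in vms if not vm.on_nsx_segment]
    return on_segment, outside


def build_ip_expression(vms):
    """IPAddressExpression covering every address of the given VMs.
    Addresses are validated and de-duplicated; a VM with no known IP is an
    error, because a rule built from this list would silently miss it."""
    addresses = set()
    for vm in vms:
        if not vm.ips:
            raise ValueError(f"{vm.name}: no IP known, rule would not cover it")
        for ip in vm.ips:
            addresses.add(str(ipaddress.ip_address(ip)))  # raises on junk
    return {
        "resource_type": "IPAddressExpression",
        "ip_addresses": sorted(addresses, key=ipaddress.ip_address),
    }


def build_group_body(display_name, vms):
    """Policy API group body: one Name condition per segment-attached VM,
    OR'd with a single IPAddressExpression for the VMs outside segments."""
    on_segment, outside = partition_inventory(vms)
    expression = []
    or_operator = {"resource_type": "ConjunctionOperator",
                   "conjunction_operator": "OR"}
    for vm in on_segment:
        if expression:
            expression.append(dict(or_operator))
        expression.append({
            "resource_type": "Condition",
            "member_type": "VirtualMachine",
            "key": "Name",
            "operator": "EQUALS",
            "value": vm.name,
        })
    if outside:
        if expression:
            expression.append(dict(or_operator))
        expression.append(build_ip_expression(outside))
    return {"display_name": display_name, "expression": expression}


if __name__ == "__main__":
    body = build_group_body("app-tier", SAMPLE_INVENTORY)
    # Body would go in a PATCH to
    # /policy/api/v1/infra/domains/default/groups/app-tier (not sent here).
    print(json.dumps(body, indent=2))
```

The split is the useful part for operations: the IP list is the piece that drifts when a legacy VM changes address, so re-running `partition_inventory` against a fresh inventory export and diffing `build_ip_expression` output against what is currently in the group catches stale entries before a rule quietly stops matching.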