NSX Section Based Distributed Firewall Model
I've written before about creating NSX Distributed Firewall rules following a model that uses rules which specifically match traffic based on whether it is inbound or outbound. That model is also useful for creating NSX Security Policies, since there is no negative logic (NOT applied to object) in the rule set. While that model works well, it can be difficult to wrap your head around, which in turn makes it hard to hand off to a customer... so we've been working on an alternate model. Unfortunately, this model does not work with Service Composer Policies, but it is flexible enough that it doesn't really need them. It is based on a set of generic Security Tags (with corresponding Security Groups) that interact to create a dynamic micro-segmentation solution. The model defines a set of DFW Sections, each of which serves a very specific purpose in blocking or allowing traffic. When creating new firewall rules, the administrator only