Supported Deployments of the VM-Series Firewall on VMware NSX-T (North-South)

You can deploy one or more instances of the VM-Series firewall as a partner service in your VMware NSX-T Data Center. Attach a VM-Series firewall to any tier-0 or tier-1 logical router to protect north-south traffic. You can deploy the VM-Series firewall as standalone service instance or two firewalls in a high-availability (HA) pair. Panorama manages the connection with NSX-T Manager and the VM-Series firewalls deployed in your NSX-T software-defined datacenter.
nsxt-north-south-insertion.png
  • Tier-0 Insertion—Tier-0 insertion deploys a VM-Series firewall to a tier-0 logical router, which processes traffic between logical and physical networks. When you deploy the VM-Series firewall with tier-0 insertion, NSX-T Manager uses the deployment information you configured on Panorama to attach a firewall to a tier-0 logical router in virtual wire mode.
  • Tier-1 Insertion—Tier-1 insertion deploys a VM-Series firewall to a tier-1 logical router, which provides downlink connections to segments and uplink connection to tier-0 logical routers. NSX-T Manager attaches VM-Series firewalls deployed with tier-1 insertions to a tier-1 logical router in virtual wire mode.
  • VM-Series Firewall on Azure VMware Solution—The VM-Series firewall secures North-South traffic moving to and from your vSphere clusters deployed on Azure infrastructure using the Azure VMware Solution (AVS). Using a similar procedure for deploying the VM-Series firewall on VMware NSX-T (North-South) attached to a tier-1 router, you can deploy the VM-Series firewall on AVS. To deploy the VM-Series on AVS, see Deploy the VM-Series Firewall on NSX-T (North-South).
    When using the Panorama plugin for VMware NSX 3.2.0, Panorama must be deployed on-prem, not in any public cloud environment, to manage VM-Series firewalls on AVS. This requires a VPN connection between your on-prem Panorama and your public VNet and an ExpressRoute between your public VNet and NSX-T Manager on AVS.
    See the Azure documentation for AVS for more information about Azure VMware Solution.
After deploying the firewall, you configure traffic redirection rules that send traffic to the VM-Series firewall when crossing a tier-0 or tier-1 router. Security policy rules that you configure on Panorama are pushed to managed VM-Series firewalls and then applied to traffic passing through the firewall.

Recommended For You