Supported Deployments of the VM-Series Firewall on VMware NSX-T
You can deploy one or more instances
of the VM-Series firewall as a partner service in your VMware NSX-T
Data Center. Attach a VM-Series firewall to any tier-0 or tier-1
logical router to protect north-south traffic. You can deploy the
VM-Series firewall as a standalone service instance or as two firewalls
in a high-availability (HA) pair. Panorama manages the connection
with NSX-T Manager and the VM-Series firewalls deployed in your
NSX-T software-defined datacenter.
Tier-0 Insertion—Tier-0 insertion deploys a VM-Series
firewall to a tier-0 logical router, which processes traffic between
logical and physical networks. When you deploy the VM-Series firewall
with tier-0 insertion, NSX-T Manager uses the deployment information
you configured on Panorama to attach a firewall to a tier-0 logical
router in virtual wire mode.
Tier-1 Insertion—Tier-1 insertion deploys a VM-Series firewall
to a tier-1 logical router, which provides downlink connections
to segments and uplink connections to tier-0 logical routers. NSX-T Manager
attaches VM-Series firewalls deployed with tier-1 insertions to
a tier-1 logical router in virtual wire mode.
VM-Series Firewall on Azure VMware Solution—The VM-Series
firewall secures North-South traffic moving to and from your vSphere
clusters deployed on Azure infrastructure using the Azure VMware
Solution (AVS). You can deploy the VM-Series firewall on AVS using a
procedure similar to the one for deploying the VM-Series firewall on
VMware NSX-T (North-South) attached to a tier-1 router. To deploy the
VM-Series on AVS, see Deploy the VM-Series Firewall on NSX-T (North-South).
When using the Panorama plugin for VMware NSX 3.2.0, Panorama must be
deployed on-prem, not in any public cloud environment, to manage
VM-Series firewalls on AVS. This requires a VPN connection between
your on-prem Panorama and your public VNet and an ExpressRoute between
your public VNet and NSX-T Manager on AVS.
After deploying the firewall, you configure traffic redirection
rules that send traffic to the VM-Series firewall when it crosses
a tier-0 or tier-1 router. Security policy rules that you configure
on Panorama are pushed to managed VM-Series firewalls and then applied
to traffic passing through the firewall.