One VM-Series firewall per virtual network: Deploy
a VM-Series firewall for every virtual network. If you have designed
your network such that one or more ESXi hosts have a group of virtual
machines that belong to the internal network, a group that belongs
to the external network, and a group that belongs to the DMZ, you
can deploy a VM-Series firewall to safeguard the servers in each
group. If a group or virtual network does not share a virtual switch
or port group with any other virtual network, it is completely isolated
from all other virtual networks within or across the host(s). Because
there is no other physical or virtual path to any other network,
the servers on each virtual network must use the firewall to talk to
any other network. The firewall has visibility and control over
all traffic leaving the virtual (standard or distributed) switch
attached to each virtual network.
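
The isolation described above holds only while no virtual switch is shared between virtual networks and no VM other than a firewall has interfaces in more than one of them. The following check is an added example, not part of the original documentation; the VM, switch, port group and zone names (including the "transit" network behind the firewalls) are constructed, and in practice the NIC list would come from your own vCenter inventory export.

```python
from collections import defaultdict

# Constructed inventory: one row per virtual NIC (vm, vswitch, port_group).
NICS = [
    ("web01",  "vSwitch-DMZ",     "pg-dmz"),
    ("web02",  "vSwitch-DMZ",     "pg-dmz"),
    ("fw-dmz", "vSwitch-DMZ",     "pg-dmz"),
    ("fw-dmz", "vSwitch-Transit", "pg-transit"),
    ("db01",   "vSwitch-Int",     "pg-internal"),
    ("fw-int", "vSwitch-Int",     "pg-internal"),
    ("fw-int", "vSwitch-Transit", "pg-transit"),
    ("jump01", "vSwitch-Int",     "pg-internal"),
    ("jump01", "vSwitch-DMZ",     "pg-dmz"),  # dual-homed server: a path around the firewalls
]
# Assumed mapping of port groups to virtual networks, and the firewall VM names.
ZONE_OF = {"pg-dmz": "dmz", "pg-internal": "internal", "pg-transit": "transit"}
FIREWALLS = {"fw-dmz", "fw-int"}

def audit(nics, zone_of, firewalls):
    """Return findings that break the 'firewall is the only path' assumption."""
    findings = []
    zones_on_switch = defaultdict(set)  # vswitch -> virtual networks it carries
    zones_of_vm = defaultdict(set)      # vm -> virtual networks it is attached to
    fw_zones = set()                    # virtual networks with a firewall interface
    for vm, vswitch, pg in nics:
        zone = zone_of.get(pg)
        if zone is None:
            findings.append(f"unmapped port group {pg} used by {vm}")
            continue
        zones_on_switch[vswitch].add(zone)
        zones_of_vm[vm].add(zone)
        if vm in firewalls:
            fw_zones.add(zone)
    # A switch carrying more than one virtual network breaks the isolation.
    for vswitch, zones in sorted(zones_on_switch.items()):
        if len(zones) > 1:
            findings.append(f"shared switch {vswitch}: {sorted(zones)}")
    # Only firewalls may have interfaces in more than one virtual network.
    for vm, zones in sorted(zones_of_vm.items()):
        if len(zones) > 1 and vm not in firewalls:
            findings.append(f"bypass path via {vm}: {sorted(zones)}")
    # A virtual network without a firewall interface is not covered by any firewall.
    for zone in sorted(set(zone_of.values()) - fw_zones):
        findings.append(f"zone {zone} has no firewall interface")
    return findings

if __name__ == "__main__":
    for finding in audit(NICS, ZONE_OF, FIREWALLS):
        print(finding)
```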