DMZ on NSX-T

When looking at a physical network, we can think of the DMZ as an area where our internet-facing services will reside, keeping our LAN isolated.

I recognise that there isn’t a single formula that satisfies all use cases but, for the sake of argument and simplicity, I will be considering the DMZ as a barrier that exists between the Internet and the LAN, with a Firewall protecting the DMZ and another one protecting the LAN.

In this scenario, all the Internet traffic would always be redirected to the DMZ subnet(s), which would be protected by a Firewall (and possibly other components, such as IDS/IPS), leaving no direct route to the LAN. Likewise, all communication between DMZ and LAN components would be protected by another Firewall.

When we translate this to an NSX-T network, it may not look as straightforward (considering a single NSX-T instance). In this post I would like to discuss a few options that could potentially deliver a result similar to the DMZ in the example above.

Create the DMZ on a separate T1 Gateway (Single T0)

By using multiple T1 Gateways you may leverage the NSX-T Gateway Firewall. This way you can create rules on your T0 and T1 Gateways to allow/deny network traffic to the network segments you like.

All the DMZ traffic can be forwarded to the Segments under the DMZ T1, and the Gateway firewall can be configured to Allow/Deny traffic between Segments on the DMZ T1 and other parts of the NSX-T network.

The downside of this model is that the North-South traffic for both DMZ and LAN will go through the same uplinks.
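As an added example (not code from the post), the Python below expresses the Gateway Firewall policy for such a DMZ T1 as NSX-T Policy API intent JSON and checks it before it is applied: only the listed allow rules, followed by a logged default DROP, with every rule scoped to the DMZ T1 so the LAN gateways are untouched. The gateway id, group names, service choices and manager address are assumptions; the paths, the `LocalGatewayRules` category and the `ANY` wildcard are those of the Policy API.

```python
import json
from urllib import request

# Hypothetical Policy API object paths for this example (not from the post).
T1_PATH = "/infra/tier-1s/dmz-t1"
DMZ_WEB_GROUP = "/infra/domains/default/groups/dmz-web"
LAN_DNS_GROUP = "/infra/domains/default/groups/lan-dns"

def build_dmz_gateway_policy(allow_rules):
    """Gateway Firewall policy for the DMZ T1: the given allow rules in
    order, then an explicit logged default DROP, all scoped to the DMZ T1."""
    rules = []
    for n, (name, src, dst, svc) in enumerate(allow_rules, start=1):
        rules.append({"id": name, "display_name": name, "action": "ALLOW",
                      "source_groups": src, "destination_groups": dst,
                      "services": svc, "scope": [T1_PATH],
                      "direction": "IN_OUT", "sequence_number": n * 10})
    rules.append({"id": "dmz-default-drop", "display_name": "dmz-default-drop",
                  "action": "DROP", "logged": True, "source_groups": ["ANY"],
                  "destination_groups": ["ANY"], "services": ["ANY"],
                  "scope": [T1_PATH], "direction": "IN_OUT",
                  "sequence_number": (len(rules) + 1) * 10})
    return {"display_name": "dmz-t1-gwfw", "category": "LocalGatewayRules",
            "rules": rules}

def policy_is_isolating(policy):
    """DMZ intent check: rules exist, all pinned to the DMZ T1, sequence
    numbers strictly increase, and the last rule is a DROP."""
    rules = policy["rules"]
    return (bool(rules) and rules[-1]["action"] == "DROP"
            and all(r["scope"] == [T1_PATH] for r in rules)
            and all(a["sequence_number"] < b["sequence_number"]
                    for a, b in zip(rules, rules[1:])))

def patch_intent(manager, auth_header, path, body):
    """PATCH one object under /policy/api/v1 on an NSX Manager (network
    call, not exercised offline)."""
    req = request.Request(f"https://{manager}/policy/api/v1{path}",
                          data=json.dumps(body).encode(), method="PATCH",
                          headers={"Content-Type": "application/json",
                                   "Authorization": auth_header})
    with request.urlopen(req) as resp:
        return resp.status

# Constructed rule set: Internet -> DMZ web on HTTPS only; DMZ -> LAN DNS only.
DMZ_RULES = [
    ("inet-to-dmz-https", ["ANY"], [DMZ_WEB_GROUP], ["/infra/services/HTTPS"]),
    ("dmz-to-lan-dns", [DMZ_WEB_GROUP], [LAN_DNS_GROUP],
     ["/infra/services/DNS", "/infra/services/DNS-UDP"]),
]
```

Apply it with `patch_intent(manager, auth, "/infra/domains/default/gateway-policies/dmz-t1-gwfw", build_dmz_gateway_policy(DMZ_RULES))` once the T1, its segments and the groups exist; the T1 must have an edge cluster assigned (via its locale-services) before the Gateway Firewall can enforce anything.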

Create the DMZ on a separate T0 Gateway

This involves installing a new Edge Cluster, which may not be the preferred option for some. With a dedicated T0 Gateway for the DMZ, the North-South uplinks are not shared between DMZ and LAN. This way, the traffic between the DMZ Segments and the rest of the NSX-T network would need to pass through the physical network, which may contain an extra Firewall, etc.

Configure VRF Lite

VRF Lite allows you to create “child” T0 instances connected to a “parent” T0 Gateway. Although it has some limitations compared to using separate T0 Gateway instances, it does allow for the separation of the North-South traffic as well.

Although this model allows you to have different uplinks for the DMZ and the LAN VRFs, note that the Edge Cluster is still being shared between them, which means that the physical links are still sharing all the load.

As I mentioned before, there isn’t a single solution that will work for all use cases, but I hope those scenarios can give you some ideas on how this could be implemented.