Well-Architected Design: Network Security Considerations


VMware Cloud provides organizations the ultimate flexibility to deploy their applications wherever they choose, on the public cloud provider that best fits their needs, with consistent VMware Cloud infrastructure and operations.

VMware Cloud delivers a new cloud operations model with a more efficient and automated datacenter and hybrid operations that leverage the same tools, processes, skills, and teams across multiple public clouds and the edge. Organizations achieve consistent operations across any cloud with a more robust infrastructure to run their apps. It also allows you to operate your cloud securely and efficiently.

As part of the VMware Cloud SDDC stack, NSX enables organizations to implement a cloud smart network at scale with networking and security that facilitates consistent security policy, operations, and automation across multiple cloud environments.

Scope of the Document

The NSX Advanced Firewall provides advanced security features such as distributed and centralized ransomware protection, centralized IDS/IPS, URL filtering, extensive next-generation firewall app identification, and identity firewall. This document will focus on NSX security considerations, providing a consistent foundation for VMware Cloud on public cloud SDDCs and enabling organizations to expand on it by leveraging NSX's advanced firewall capabilities.

Considerations for NSX Security

VMware Cloud enables organizations to increase agility and efficiencies to remain competitive and to drive faster business growth. However, as the organization scale and grow, enterprise-scale NSX implementation on VMware Cloud necessitates the customer to deploy and operate their hybrid and multi-cloud environments more securely and simplify operations.

The following sections will focus on the essential considerations for organizations to build and deploy their applications anywhere on VMware Cloud while maintaining consistent operations with standardized automation and enabling robust governance across all environments.

Network Automation

As organizations' scope and speed increase, automating VMware Cloud networking and security ensures that services and apps are developed and delivered at the speed of business. By removing manual, error-prone network provisioning tasks through automation, the speed of application deployment substantially increases. Automation not only saves time and heavy lifting with repetitive manual configuration, but it also decreases security risk.

NSX Policy API Framework

NSX Policy API framework provides a declarative API that provides an outcome-driven configuration for NSX security policies, which enables the automation of multiple NSX networking and security objects for application deployment with a single API call. Organizations that use automation frameworks and CMP plugins can leverage the NSX API for network automation. The following are some of the main benefits of a declarative API framework:



Outcome driven

Reduces the number of configuration steps by allowing a user to describe desired end goal (the "what") and letting the system figure out "how" to achieve it, which enables users to utilize user-specified names, not system-generated IDs

Order Independent

Create/update/delete in any order and always arrive at the same consistent result


Reduces potential for user error with built-in dependency checks

Policy Life Cycle Management

Simpler with a single API call. Toggle the marked-to-delete flag in the JSON request body to manage the life cycle of the entire application topology.

Simplified and Performant Scripting

Because there is no need to iterate through arrays, this simplifies the scripting and troubleshooting.

NSX Policy API Example

This section describes building a complete example topology using the Policy API model. The example topology provides how Policy API helps the user to create the reusable code template for deploying a 3-Tier APP shown in the figure, which includes Networking, Security & Services needed for the application.

A picture containing text, screenshot, diagram, parallel

Description automatically generated

Figure 1 - Typical 3-tier Topology

The above topology consists of an existing Tier-0 gateway that provides North-South connectivity. The three segments (Web, App, and DB) connect to the Tier-1 Gateway. There are DFW rules specified on each Segment Port to fulfill the need for micro-segmentation to provide a zero-trust security model. DFW rules use Dynamic Groups to group VMs with similar tags.

The desired outcome for deploying the application can be defined using JSON. Once the JSON request body is defined to reflect the desired outcome, then it can be leveraged to automate the following operational workflows:

  • Deploy the entire topology with a single API and JSON request body.
  • The same API/JSON can be leveraged to templatize and reuse to deploy the same application in different environments (dev, test, staging, and production pods).
  • Handle life cycle management of the entire application topology by toggling the "marked_for_delete" flag in the JSON body to true or false.


PATCH /policy/api/v1/infra/


    “resource_type”: “infra”,

    “children”: [


            “resource_type”: “ChildTier1”,

            “Tier1”: {

                ... Define Tier-1 Gateway object parameters ...

                “children”: [

                    { ... Define Segment WEB as child Segment object ...    },

                    { ... Define Segment APP as child Segment object ...    },

                    { ... Define Segment DB as child Segment object ...     },





            “resource_type”: “ChildDomain”,

            “Domain”: {

                "id”: “default”,

                “resource_type”: “Domain”,

                “children”: [

                    { ... Define GROUP WEB VM as ChildGroup object ... },

                    { ... Define GROUP APP VM as ChildGroup object ... },

                    { ... Define GROUP DB VM as ChildGroup object ... },

                    { ... Define Security Policy as ChildSecurityPolicy object ... }






NSX Policy APIs give an order-independent method to define the intent of the entire topology in just one API call, making operations very easy. Please refer to the NSX Policy API Getting Started Guide for detailed API samples in this example workflow.

Modern Automation Frameworks for NSX

NSX is extensible with all major automation frameworks, including PowerCLI, Ansible, and Terraform. As a result, you can deliver infrastructure as code and enable self-service environments for developers and others. This change helps increase automation efficiency across the organization. NSX also supports creating automation tools using standard programming languages through SDKs.

This section describes the various tools available for NSX and provides an overview of those tools, such as SDKs, PowerCLI, Ansible, and Terraform with NSX.

A screenshot of a computer

Description automatically generated with medium confidence

Figure 2 - NSX Automation Frameworks




Open-sourced SDKs such as Python and Java are readily available as any other Python or Java library. You first connect to the NSX manager and invoke the required method to perform NSX automation. The API spec generates these SDKs, so when a new API is introduced or an API changes, it automatically reflects them.

NSX Ansible modules

The NSX Ansible module is a fully open-sourced tool, and you can use these modules to create complete end-to-end automation and deploy a fully functional production–ready NSX environment.

NSX Terraform provider

NSX Terraform provides an infrastructure provisioning tool, which has become synonymous with "Infrastructure as Code (IaC)," to manage the entire infrastructure lifecycle, including provisioning the SDDC, NSX networking, and security, such as setting up distributed firewall rules.


VMware PowerCLI provides a command-line scripting tool for interacting with NSX utilizing Windows PowerShell. NSX PowerCLI works similarly to Java or Python SDK. You first make a connection and then interact with the NSX objects.

VMware Aria Automation

VMware Aria Automation is a modern infrastructure automation platform that enables rapid implementation of powerful self-service VMware cloud environments, which provides an easy, fast setup and integrates with other automation frameworks such as Terraform and Ansible with centralized governance policies for better insight and control.

Please refer to VMware Developer centers to find Developer and DevOps Resources for APIs, SDKs, docs, code samples, tools, workshops, and other resources for VMware Cloud products and platforms.

VMware Aria Automation

This section explains the use cases and benefits of the VMware Aria Automation solution. It provides a low-code graphical interface approach that is easy to learn and leverages existing skillsets enabling organizations to ramp up their Infrastructure as Code skills.

VMware network automation solution automates NSX with VMware Aria Automation to manage the provisioning, deployment, operations, and retirement of networking and security infrastructure and applications from a central control pane.

A picture containing text, screenshot, diagram, parallel

Description automatically generated

Figure 3 - Rapid and repeatable deployments with automated NSX networking and security.

As the scope and pace of organizations continue to grow and accelerate, the manual management of network configurations and security policies becomes increasingly expensive and error-prone, which can introduce significant security and operational risks.

The table below summarizes the key use cases and benefits of utilizing VMware Aria Automation to accelerate application rollout with enhanced networking and security services.

Use cases


Self-service automation and centralized governance

  • Provides DevOps capabilities with a self-service consumption layer with governance control, aggregating all services, templates, and images from multiple VMware clouds, native public cloud services, and traditional VM applications.
  • Provides holistic visibility of policies and violations within VMware cloud environments with templatized cloud configuration and policy definitions to create compliant, policy-enforced cloud environments.

Cloud Landing Zones Automation

  • Provides centralized lifecycle automation of traditional and modern applications with networking and security services to ensure consistent compliance, policy, and control across VMware cloud landing zones.
  • Event-driven automation capabilities provide full-service, closed-loop IT compliance enforcement and vulnerability remediation.

Infrastructure as code and Kubernetes automation

  • Provide DevOps platform capabilities with infrastructure as code (IaC), infrastructure pipelining, Tanzu Kubernetes automation, and seamless integrations with native state management and third-party tools like Ansible, Puppet, and Terraform with governance, visibility, and simplicity.

The table below summarizes the key differentiating capabilities of automating NSX with VMware Aria Automation.

Key Differentiators


VMware Cloud Templates and Landing Zones

  • All network configurations can be spun up, topologically mapped, and managed using simple, human-readable RESTful API calls.
  • VMware Aria Automation and NSX are aligned with the VMware SDDC strategy and provide a single point of contact for support, helping save time and cost.
  • The integration enables Aria Automation to embed VMware NSX constructs directly into the infrastructure and application-level VMware Cloud Templates and Landing Zones, eliminating the need for network provisioning outside Aria Automation.

Security automation

  • Aira Automation can create and manage NSX security groups using Policy APIs, enabling security automation without impacting the business. Including security doesn't have to be complicated—there's no need to ensure security at the expense of innovation. Issues can be quickly remediated with Aria Automation SaltStack Config.

Extensible framework and fine-grained governance

  • Aria Automation and NSX provide an extensible framework with standardized APIs and plugin models to integrate with third-party solutions easily. vRealize Automation helps provide flexible guardrails, including role-based policies to maintain proper security and compliance for network automation. It also provides the ability for automation to support the creation of an entire intent in a single transaction without manually identifying dependencies and invoking services in the correct order with multiple API calls.

DevOps for infrastructure and application lifecycle

  • The DevOps for infrastructure capabilities within vRealize Automation, such as infrastructure as code and infrastructure pipelining, can be applied to network automation with NSX to ensure network configurations and security policies follow workloads—they automatically move between different environments, change, or are retired in lockstep. Security policies also get retired with the workloads/applications to which they apply, ensuring there isn't firewall rule sprawl and that stale firewall rules don't pose security risks.

By leveraging the VMware network automation solution, organizations increase business agility, consistent infrastructure, and consistent operations to enable faster delivery of applications while reducing CapEx and OpEx.

With VMware NSX automation, organizations can establish consistent networking and security services across applications environments on VMware Clouds, helping speed infrastructure and application provisioning from weeks to minutes while ensuring standardized environments and avoiding configuration drift.

Network Visibility

As organizations scale infrastructure and application deployments across VMware cloud environments, the volume of machine-generated data grows tremendously. Because of the cloud traffic behavior across multiple deployment zones, analyzing and extracting actionable insights from the data at scale can be challenging.

The table below summarizes the typical challenges of enterprise-scale organizations for unified visibility across VMware Cloud SDDCs.

Design Consideration

Design Justification

Design Implication

Log visibility and analytics

  • Lack of unified visibility to log streams across VMware Clouds and native public cloud environments.
  • Lack of ability to collect and analyze audit, operations, and security logs for VMware Clouds and NSX at Scale.
  • Ineffective monitoring and troubleshooting tools that can't handle the complexity of today's cloud environments.
  • The challenges mentioned for log visibility necessitate organizations to leverage the intelligence log management solution for unified visibility across VMware Clouds and native public clouds by adding structure to unstructured log data, intuitive dashboards, and leveraging machine learning for faster troubleshooting.
  • Organizations benefit from quick time to value with out-of-the-box log collection and analytics, increased productivity by automatically collecting and organizing information via centralized log management across VMware Clouds, and cost savings from high-performance indexing and search capabilities, which supports faster end-to-end troubleshooting.
  • Centralized Log management solutions will incur additional costs or subscription fees.

Network visibility and analytics

  • Lack of flexibility in monitoring network and cloud infrastructure
  • Understanding poor user experience by manually monitoring app data flow
  • Analyzing and optimizing traffic flow is time-consuming, with the lack of converged visibility across cloud networks to improve application performance.


  • The challenges with the cloud-based network necessitate the simple, easy-to-use, end-to-end network monitoring solution designed to help with application discovery, troubleshooting, and ensuring best practices network compliance across VMware Clouds, native public cloud, and their physical infrastructure deployments.
  • Customer benefit from the hassle-free and complete multi-cloud network monitoring solution with flexibility that reduces the intricacies of cloud adoption.
  • Advanced Network Monitoring solution will incur additional costs or subscription fees.

The following section explains the use cases and benefits of the VMware Aria Operations for Logs and Networks solution, which enables organizations to monitor, discover and analyze networks and applications to build an optimized, highly available, and secure network infrastructure across VMware Clouds.

VMware Aria Operations for Logs

VMware Aria Operations for Logs, the modern log management and analysis solution under VMware Aira Multi-Cloud Management solutions, manages data at scale with centralized log management, deep operational visibility, and intelligent analytics for troubleshooting and auditing across VMware Clouds and multi-cloud environments. It addresses unstructured log data through predictive analytics, machine learning, and root-cause analysis techniques for intelligent log management and faster problem resolution.

Figure 4 - End-to-end Centralized Log Management at Scale

The table below summarizes the key use cases and benefits of utilizing VMware Aria Operations for Logs, providing unified visibility into VMware Cloud's NSX networks and security packet logs.

Use Cases


  • Monitor logical network segments to assist in the troubleshooting of any network issues due to network change or visibility into the networks created in the VMware Cloud.
  • NSX Firewall logging for auditing, monitoring, and troubleshooting purposes
  • VMware Aria Operations for Logs provides seamless integration with VMware Cloud SDDC to provide audit logs and alerting when a logical network is created, changed, or deleted.
  • Provides real-time visibility into the NSX network packet logs for both gateway firewall and distributed firewall, with the ability to perform rapid troubleshooting and root cause analysis.
  • Monitoring firewall rules is critical in ensuring the security of your SDDC.
  • NSX Firewall logs archival for security compliance
  • Provides NSX audit logs and alerts when a firewall rule is created, changed, or deleted in VMware Cloud SDDC.
  • Provides the ability to store unlimited data without losing capabilities and ingest petabytes of data at low cost with scalable analytics and intelligent insight.
  • Monitor NAT rules to analyze traffic sources and destinations for the applications entering and existing in the VMware Cloud SDDC.

VMware Aria Operations for Logs provides audit logs and alerts when a NAT rule is created, changed, or deleted in VMware Cloud SDDC.

VMware Aria Operations for Networks

VMware Aria Operations for Networks delivers intelligent operations for cloud networking and security. It helps organizations build an optimized, highly available, secure network infrastructure across VMware Cloud environments. It accelerates micro-segmentation planning and deployment, enables visibility across virtual and physical networks, and provides operational views to manage and scale VMware NSX deployments.

Figure 5 - VMware Aria Operations for Networks provides security planning and visibility across the virtual cloud networks.

Many network administrators have a visibility gap between the virtual and physical network when managing, troubleshooting, and securing the network at Scale across VMware Cloud deployments. Those challenges necessitate organizations to have a simple, easy-to-use, end-to-end management tool to troubleshoot and get best practices compliance for NSX and VMware Cloud deployments.

The table below summarizes the key use cases and benefits of utilizing VMware Aria Operations for Networks, providing unified visibility across VMware hybrid and multi-cloud environments.

Design Consideration


Manage and scale NSX

  • Gain unified visibility, analytics, and scale across multiple VMware Cloud environments and visibility between overlay and underlay networks.'
  • Boost uptime by proactively detecting misconfiguration errors.
  • Ensure compliance for NSX

Optimize and troubleshoot virtual and physical networks

  • Reduce mean time to resolution for application connectivity issues.
  • Measure application latency and performance
  • Optimize application performance by eliminating network bottlenecks.
  • Operationalize Kubernetes and troubleshoot connectivity issues between containerized workloads.
  • Audit network and security changes over time for designated crown jewels across virtual machines (VMs), containers, and clouds.

Plan application security and migration

  • Accelerate micro-segmentation deployment by providing recommended firewall policies and security groups based on observed traffic flows. As a result, a precise firewall micro-segmentation policy is created for review and is readily exportable to NSX.
  • Troubleshoot security for the VMware Clouds SDDC, native AWS, and hybrid applications.
  • Enable application discovery, map dependencies, and plan application migrations, which helps minimize business risk during cloud migration.

The table below summarizes the key differentiating capabilities of intelligent network and application monitoring with VMware Aria Operations for Networks.

Design Consideration

Design Justification

Niche and legacy network management tools do not provide converged visibility across virtual and physical networks to optimize performance.

  • VMware Aria Operations for Networks integrates with VMware Clouds and many vendors to help provide end-to-end visibility across the virtual and physical infrastructure with a comprehensive flow assessment. In addition, it can help you improve the performance and availability of your business-critical applications with converged visibility across hybrid and multi-cloud networks.
  • Organizations benefit from simplified NSX operations management with an intuitive UI and natural language search to quickly pinpoint issues, troubleshoot, and get best practices deployment and compliance recommendations.

Traditional tools for monitoring the data flow for optimum east-west traffic can be challenging and time-consuming because they involve manual processes.

  • Provides visibility for modeling security and firewall rules and viewing that network segmentation works by monitoring compliance postures over time.
  • Customer benefits from the accelerated network segmentation planning and deployment with VMware Aria Operations for Networks working with NSX Intelligence.

Traditional network performance and security management practices force network professionals to scramble when troubleshooting and understanding the root cause. It involves spending too much time troubleshooting the network without proactively identifying network performance issues and poor visibility into performance across the network. They still rely on conducting manual checks like traceroutes, pings, and opening up browsers.

  • Networks Assurance and Verification features provide a proactive and comprehensive approach to improving network reliability and security. It improves network performance with more proactive monitoring capabilities than typical reactive network monitoring.
  • Organizations benefit from intent-based networking to help with application-aware network modeling, analysis, and verification for better network planning and troubleshooting, assuring better uptime and resiliency.

By leveraging the VMware Aria Operations for Logs and Networks solution, organizations accelerate application discovery, migration, network segmentation planning, and deployment; enable visibility across virtual and physical networks; and provide operational views to manage and scale NSX and VMware Cloud deployments.

With VMware Aria Operations for Logs and Networks, organizations benefit from optimized, highly available, and secure network infrastructure across VMware multi-cloud environments, simplifying cloud adoption and eliminating all the complexities that come with it.

Filter Tags