Setup guide
Isolating and Protecting Internal Networks
You can use a vShield Edge to isolate an internal network from the external network. A vShield Edge
provides perimeter firewall protection and edge services to secure virtual machines in a port group,
enabling communication to the external network through DHCP, NAT, and VPN.
Within the secured port group, you can install a vShield App instance on each ESX host that the vDS spans
to secure communication between virtual machines in the internal network.
If you utilize VLAN tags to segment traffic, you can use App Firewall to create smarter access policies.
Using App Firewall instead of a physical firewall allows you to collapse or mix trust zones in shared ESX
clusters. By doing so, you gain optimal utilization and consolidation from features such as DRS and HA,
instead of having separate, fragmented clusters. Management of the overall ESX deployment as a single
pool is less complex than having separately managed pools.
For example, you might use VLANs to segment virtual machine zones based on logical, organizational, or
network boundaries. Leveraging the Virtual Infrastructure SDK, the vShield Manager inventory panel displays
a view of your VLAN networks under the Networks view. You can build access rules for each VLAN network
to isolate virtual machines from one another and to drop untagged traffic destined for these machines.
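The per-VLAN access policy described above, as an added illustration that is not part of this guide or of VMware's code: it reads the 802.1Q tag from a frame, looks up a constructed zone-to-zone rule table (the VLAN ids and rules are hypothetical), and drops anything untagged or not covered by a rule.

```python
"""Added example, not part of the vShield guide or VMware's code.

Models the policy described above: per-VLAN access rules between
virtual-machine zones, with untagged frames dropped. Frame layout
follows 802.1Q; the rule table and sample frames are constructed here.
"""
import struct

ETHERTYPE_VLAN = 0x8100
ETHERTYPE_IPV4 = 0x0800

# Hypothetical zone policy: source VLAN id -> set of VLAN ids it may reach.
# (constructed for illustration; in a real deployment these rules would
# be built per VLAN network in the vShield Manager Networks view)
ZONE_POLICY = {
    10: {10, 20},   # web zone may talk to itself and the app zone
    20: {20, 30},   # app zone may talk to itself and the db zone
    30: {30},       # db zone is isolated from every other zone
}

def parse_vlan_tag(frame: bytes):
    """Return the 802.1Q VLAN id, or None if the frame is untagged."""
    if len(frame) < 18:
        return None
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != ETHERTYPE_VLAN:
        return None
    return tci & 0x0FFF  # low 12 bits of the TCI carry the VLAN id

def decide(frame: bytes, dst_vlan: int) -> str:
    """Apply the zone policy to a frame bound for a VM on dst_vlan."""
    vid = parse_vlan_tag(frame)
    if vid is None:
        return "DROP:untagged"        # untagged traffic never reaches a zone
    if vid not in ZONE_POLICY:
        return "DROP:unknown-vlan"    # no rule built for this network
    if dst_vlan in ZONE_POLICY[vid]:
        return "ACCEPT"
    return "DROP:cross-zone"

def build_frame(vlan_id=None) -> bytes:
    """Build a minimal Ethernet frame (constructed sample, dummy payload)."""
    dst = bytes.fromhex("00505600000a")
    src = bytes.fromhex("00505600000b")
    payload = b"\x00" * 46
    if vlan_id is None:
        return dst + src + struct.pack("!H", ETHERTYPE_IPV4) + payload
    tci = vlan_id  # priority 0, DEI 0, VLAN id in the low 12 bits
    return dst + src + struct.pack("!HHH", ETHERTYPE_VLAN, tci, ETHERTYPE_IPV4) + payload
```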
Protecting Virtual Machines in a Cluster
You can use vShield App to protect virtual machines in a cluster.
In Figure 1-3, vShield App instances are installed on each ESX host in a cluster. Virtual machines remain
protected when moved between ESX hosts in the cluster by vMotion or DRS. Each vShield App instance
shares and maintains the state of all transmissions.
Figure 1-3. vShield App Instances Installed on Each ESX Host in a Cluster
Common Deployments of vShield Edge
You can use a vShield Edge to isolate a stub network, using NAT to allow traffic in and out of the network.
If you deploy internal stub networks, you can use vShield Edge to secure communication between networks
by using LAN-to-LAN encryption via VPN tunnels.
vShield Edge can be deployed as a self-service application within VMware Cloud Director.
Chapter 1 Introduction to vShield
VMware, Inc. 11