Setup guide
vShield App
vShield App is a hypervisor-based firewall that protects applications in the virtual datacenter from network-based
attacks. Organizations gain visibility and control over network communications between virtual
machines. You can create access control policies based on logical constructs such as VMware vCenter™
containers and vShield security groups, not just physical constructs such as IP addresses. In addition,
flexible IP addressing lets you reuse the same IP address in multiple tenant zones, which simplifies
provisioning.
You should install vShield App on each ESX host within a cluster so that VMware vMotion operations work
and virtual machines remain protected as they migrate between ESX hosts. By default, a vShield App virtual
appliance cannot be moved by using vMotion.
The Flow Monitoring feature displays network activity between virtual machines at the application protocol
level. You can use this information to audit network traffic, define and refine firewall policies, and identify
threats to your network.
vShield Edge
vShield Edge provides network edge security and gateway services to isolate a virtualized network, or the
virtual machines in a port group, vDS port group, or Cisco Nexus 1000V port group. You install a vShield
Edge at the datacenter level and can add up to ten internal or uplink interfaces. The vShield Edge connects
isolated, stub networks to shared (uplink) networks by providing common gateway services such as DHCP,
VPN, NAT, and load balancing. Common deployments of vShield Edge include the DMZ, VPN
extranets, and multi-tenant cloud environments, where the vShield Edge provides perimeter security for
Virtual Datacenters (VDCs).
Standard vShield Edge Services (Including Cloud Director)
Firewall: Supported rules include IP 5-tuple configuration with IP and port ranges, with stateful inspection for all protocols.
Network Address Translation (NAT): Separate controls for source and destination IP addresses, as well as port translation.
Dynamic Host Configuration Protocol (DHCP): Configuration of IP pools, gateways, DNS servers, and search domains.
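The following is an added example, written for this page, of what "IP 5-tuple rules with IP and port ranges plus stateful inspection" means in practice. It is not vShield Edge code and does not use the vShield API; the rule fields, the range syntax ("a.b.c.d-e.f.g.h" for an address range, a (low, high) tuple for a port range) and the sample packets are all constructed for illustration. The point it shows is that a reply packet from the server is admitted by the connection table, not by any rule, while an unsolicited packet with the same addresses but a different port is dropped.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """The 5-tuple a firewall matches on (ports are 0 for port-less protocols such as ICMP)."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Rule:
    """One 5-tuple rule. Address fields take a CIDR or an 'a.b.c.d-e.f.g.h' range;
    port fields are inclusive (low, high) ranges. Defaults match anything."""
    name: str
    action: str                    # "allow" or "deny"
    proto: str = "any"
    src: str = "0.0.0.0/0"
    sport: tuple = (0, 65535)
    dst: str = "0.0.0.0/0"
    dport: tuple = (0, 65535)


def _ip_in(spec, ip):
    """True if ip falls inside spec (CIDR or hyphenated address range)."""
    addr = ipaddress.ip_address(ip)
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        return lo <= addr <= hi
    return addr in ipaddress.ip_network(spec, strict=False)


def _port_in(rng, port):
    lo, hi = rng
    return lo <= port <= hi


class StatefulFirewall:
    """First-match rule evaluation plus a connection table keyed on the 5-tuple."""

    def __init__(self, rules, default="deny"):
        self.rules = rules
        self.default = default
        self.conns = set()  # 5-tuples of flows admitted by a rule

    @staticmethod
    def _key(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse(p):
        # The 5-tuple a reply to p would carry.
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def _match(self, p):
        for r in self.rules:
            if r.proto not in ("any", p.proto):
                continue
            if not _ip_in(r.src, p.src) or not _ip_in(r.dst, p.dst):
                continue
            if not _port_in(r.sport, p.sport) or not _port_in(r.dport, p.dport):
                continue
            return r
        return None

    def process(self, p):
        """Return (action, reason). Traffic belonging to an admitted flow, in either
        direction, is allowed by state; everything else is evaluated against the rules."""
        if self._key(p) in self.conns or self._reverse(p) in self.conns:
            return "allow", "state"
        r = self._match(p)
        action = r.action if r else self.default
        if action == "allow":
            self.conns.add(self._key(p))  # remember the flow so replies pass
        return action, (r.name if r else "default")


def run_demo():
    """Constructed rule set and packet sequence; returns the per-packet decisions."""
    rules = [
        Rule("web-in", "allow", proto="tcp", src="10.0.1.0/24", dst="10.0.2.10", dport=(80, 443)),
        Rule("dns-out", "allow", proto="udp", src="10.0.1.0/24", dst="10.0.2.53-10.0.2.54", dport=(53, 53)),
    ]
    fw = StatefulFirewall(rules)
    flows = [
        Packet("tcp", "10.0.1.5", 51000, "10.0.2.10", 443),  # client request: matches web-in
        Packet("tcp", "10.0.2.10", 443, "10.0.1.5", 51000),  # server reply: admitted by state
        Packet("tcp", "10.0.2.10", 443, "10.0.1.5", 51001),  # unsolicited: no state, no rule
        Packet("tcp", "10.0.1.5", 51002, "10.0.2.10", 22),   # port outside 80-443
        Packet("udp", "10.0.1.5", 40000, "10.0.2.54", 53),   # address inside the range: dns-out
        Packet("udp", "10.0.2.54", 53, "10.0.1.5", 40000),   # DNS reply: admitted by state
        Packet("icmp", "10.0.1.5", 0, "10.0.2.10", 0),       # no rule for icmp: default deny
    ]
    return [fw.process(p) for p in flows]


if __name__ == "__main__":
    for decision in run_demo():
        print(decision)
```

The connection table here never expires entries; a production stateful firewall ages flows out (and, for TCP, tracks handshake and teardown), which is exactly the part a simplified model like this omits.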
Advanced vShield Edge Services
Site-to-Site Virtual Private Network (VPN): Uses standardized IPsec protocol settings to interoperate with all major VPN vendors.
SSL VPN-Plus: Enables remote users to connect securely to private networks behind a vShield Edge gateway.
Load Balancing: Simple and dynamically configurable virtual IP addresses and server groups.
High Availability: Ensures an active vShield Edge on the network in case the primary vShield Edge virtual machine is unavailable.
vShield Edge supports syslog export for all services to remote servers.
vShield Installation and Upgrade Guide, VMware, Inc.