One of my readers wondered whether one still needs traditional firewalls in microsegmented environments like VMware NSX.
As always, it depends.
If your security policy requires full stateful inspection (including TCP segment reassembly) between application layers (not that it would make much sense), or application-level firewall or DPI between the web tier and the outside world, you have no other option but deploying a traditional firewall - you cannot implement either one of these requirements with NSX Distributed Firewall, or OpenStack or AWS security groups.
You could implement the standalone classic firewall as a hardware appliance or deploy it in VM format – yet again, depending on what your security policy says about that.
I would go with a VM-based firewall between the microsegmented NSX segment and the outside world, YMMW. Alternatively, you could use Palo Alto firewall integrated with NSX, but do keep in mind that you need a Palo Alto VM (and a separate license for it) for every ESXi host (at least within one vSphere cluster, listen to the Episode 18 of Software Gone Wild for more details).
Finally, there’s usually a load balancer between the web tier and the outside world (or even between tiers) and load balancers tend to be pretty good firewalls when configured properly.
I wrote about a very similar challenge in early 2014, and wrote two case studies addressing firewalls and packet filters in data center environments: Combine physical and virtual appliances in a private cloud and Replacing the central firewall.