Should I Use a Traditional Firewall in Microsegmented Environment?

One of my readers wondered whether one still needs traditional firewalls in microsegmented environments like VMware NSX.

As always, it depends.

If your security policy requires full stateful inspection (including TCP segment reassembly) between application layers (not that it would make much sense), or application-level firewall or DPI between the web tier and the outside world, you have no other option but deploying a traditional firewall - you cannot implement either one of these requirements with NSX Distributed Firewall, or OpenStack or AWS security groups.

You could implement the standalone classic firewall as a hardware appliance or deploy it in VM format – yet again, depending on what your security policy says about that.

I would go with a VM-based firewall between the microsegmented NSX segment and the outside world, YMMW. Alternatively, you could use Palo Alto firewall integrated with NSX, but do keep in mind that you need a Palo Alto VM (and a separate license for it) for every ESXi host (at least within one vSphere cluster, listen to the Episode 18 of Software Gone Wild for more details).

Finally, there’s usually a load balancer between the web tier and the outside world (or even between tiers) and load balancers tend to be pretty good firewalls when configured properly.

More information?

I wrote about a very similar challenge in early 2014, and wrote two case studies addressing firewalls and packet filters in data center environments: Combine physical and virtual appliances in a private cloud and Replacing the central firewall.

To learn more about various virtual firewall implementations, watch the Virtual Firewalls webinar.


  1. I agree. And you will still need a physical firewall for any VM that wants to send North/South traffic. --- Christer
  2. Yes Load Balancer is a default-deny device and by forcing the administrator to specially, methodically, and with some effort, intentionally open pathways at layers 2 through 7 truly does resemble a firewall very closely, except in name. By forcing the thought process to think about what is going through it, the security comes naturally -Brett Wolmarans
  3. There's a good talk by Spike Curtis from CoreOSFest on this topic:
Add comment