Advanced Distributed Security for VMware Cloud on AWS workloads

Ensure workloads are secure and compliance goals are met. NSX Advanced Firewall provides VMware Cloud on AWS customers with Layer 7 distributed security that scales linearly with VMs and leaves no blind spots in network traffic inspection.

Distributed IDS/IPS

Distributed traffic inspection that scales seamlessly, with context-based threat prevention.

Distributed Firewall with Active Directory-based User ID

Per-user and per-session application access control with an Identity Firewall.

Distributed Firewall with Layer 7 Application ID

Deep Packet Inspection built into the hypervisor, with built-in profiles for common enterprise applications.

Distributed Firewall with FQDN Filtering

Permit or deny communication to specific destinations on the Internet.

Frequently Asked Questions

The Advanced Firewall Add-On is a new set of capabilities enhancing the security offerings for VMware Cloud on AWS. It features Layer 7 Distributed firewalling, Fully Qualified Domain Name (FQDN) Filter List, Distributed Intrusion Detection/Prevention Services (D-IDS/IPS), and Active Directory Based Identity Firewalling.

The Advanced Firewall Add-On requires an SDDC with VMC release M15 or higher.

The Advanced Firewall Add-On is an additional service that needs to be enabled per SDDC before the additional features can be used. Pricing and billing information can be found on the VMware Cloud on AWS pricing page or the product page.

Yes, the Advanced Firewall Add-On is enabled at the hypervisor level on all hosts in the SDDC. It applies to all VMs. 

Yes, the Advanced Firewall Add-On protects both East-West and North-South traffic based on the user configured policy. 

Yes, the Distributed IDS/IPS feature can protect against malware whose traffic matches the configured curated signatures.

The Advanced Firewall Add-On is available in all AWS commercial regions where VMC is available.

Please refer to VMC ConfigMax for current scale attributes.

The Distributed IDS/IPS is enabled or disabled on a per vCenter cluster basis.

Updated signatures for the Distributed IDS/IPS are obtained from the NSX Threat Intelligence Cloud (NTIC) service. This can be configured for automatic updates to streamline administration and ensure the most current signatures are in place.

NSX Threat Intelligence Cloud service is a VMware-managed repository of IDS/IPS signatures. It is a cloud-based offering hosted in multiple regions across the globe.

The signatures for Distributed IDS/IPS are downloaded initially to NSX Manager inside the SDDC, then automatically placed on each host in a cluster that is configured to use Distributed IDS/IPS.

Yes, when a policy is configured for the Distributed IDS/IPS it can be configured for detect only (IDS) or detect and prevent (IPS) actions.

The primary use case for IDFW is granular, per-user, session-based firewall policy in Virtual Desktop Infrastructure (VDI) environments.

The IDFW supports both VDI and RDSH methods for remote access.

The IDFW is enabled or disabled on a per vCenter cluster basis.

Guest Introspection is used by the IDFW feature. 

VMware Cloud on AWS uses a kernel-based Guest Introspection engine that does not require a dedicated VM to operate.

The IDFW feature requires VMTools 11.x or higher to be installed on the guest VMs. 

The common use case for Layer 7 Firewalling is granular inspection of the traffic carried inside a given port or protocol. It is frequently used to detect and prevent unauthorized traffic from riding on commonly allowed ports and protocols. It is also used to ensure that specific encryption protocols are used for traffic that must be secured.

The Layer 7 Firewalling feature ships with more than 70 pre-configured application definitions based on commonly used enterprise applications, enabling fast deployment of the feature.

The Layer 7 Firewall uses Context Profiles to define applications; custom profiles can also be added.
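The following is an added example, not NSX code: a small Python model of what a Context Profile check does when attached to a rule on a TLS port. It identifies the application actually present in the first client bytes of a flow (a real TLS ClientHello versus plain HTTP sent to the TLS port) and enforces a minimum encryption protocol version, which is the "ensure specific encryption protocols are used" use case above. The `ContextProfile` class, the version parsing and all byte strings are constructed for the demo; the ClientHello layout follows the TLS record format, including the `supported_versions` extension that TLS 1.3 clients use.

```python
"""Layer 7 application identification on a port, plus a Context Profile check.

Added example, not VMware/NSX code. All byte strings are constructed.
"""
import struct
from dataclasses import dataclass

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SUPPORTED_VERSIONS = 0x002B
VERSION_NAMES = {0x0300: "SSLv3", 0x0301: "TLS1.0", 0x0302: "TLS1.1",
                 0x0303: "TLS1.2", 0x0304: "TLS1.3"}


def _parse_client_hello(hello: bytes) -> set:
    """Return the set of known TLS versions a ClientHello body offers."""
    versions = {struct.unpack(">H", hello[0:2])[0]}       # legacy_version
    pos = 34                                               # version(2) + random(32)
    pos += 1 + hello[pos]                                  # session id
    pos += 2 + struct.unpack(">H", hello[pos:pos + 2])[0]  # cipher suites
    pos += 1 + hello[pos]                                  # compression methods
    if pos + 2 <= len(hello):                              # extensions are optional
        end = pos + 2 + struct.unpack(">H", hello[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack(">HH", hello[pos:pos + 4])
            data = hello[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == EXT_SUPPORTED_VERSIONS and data:
                # TLS 1.3 lists its real versions here; legacy_version stays 0x0303
                for i in range(1, 1 + data[0], 2):
                    versions.add(struct.unpack(">H", data[i:i + 2])[0])
    return {v for v in versions if v in VERSION_NAMES}     # drop GREASE/unknown codes


def classify(payload: bytes):
    """Identify the application in the first client bytes of a flow.

    Returns ("TLS", highest_offered_version), ("HTTP", None) or ("UNKNOWN", None).
    """
    if payload[:4] in (b"GET ", b"POST", b"HEAD", b"PUT "):
        return "HTTP", None
    try:
        if payload[0] != TLS_HANDSHAKE:
            return "UNKNOWN", None
        rec_len = struct.unpack(">H", payload[3:5])[0]
        body = payload[5:5 + rec_len]
        if body[0] != CLIENT_HELLO:
            return "UNKNOWN", None
        hello = body[4:4 + int.from_bytes(body[1:4], "big")]
        versions = _parse_client_hello(hello)
    except (struct.error, IndexError):
        return "UNKNOWN", None       # truncated or malformed record
    if not versions:
        return "UNKNOWN", None
    return "TLS", max(versions)


@dataclass
class ContextProfile:
    """Constructed stand-in for a Context Profile attached to a DFW rule."""
    app: str            # application expected on this port, e.g. "TLS"
    min_tls: int = 0    # lowest acceptable TLS version code; 0 means any


def enforce(profile: ContextProfile, payload: bytes):
    """Return (action, reason) for the flow's first client payload."""
    app, version = classify(payload)
    if app != profile.app:
        return "DENY", f"expected {profile.app} on this port, saw {app}"
    if app == "TLS" and version < profile.min_tls:
        return "DENY", f"{VERSION_NAMES[version]} below minimum {VERSION_NAMES[profile.min_tls]}"
    return "ALLOW", f"{app} {VERSION_NAMES.get(version, '')}".strip()


def build_client_hello(legacy_version: int, supported_versions=None) -> bytes:
    """Constructed minimal ClientHello record for the demo (not captured traffic)."""
    hello = struct.pack(">H", legacy_version) + bytes(32)     # version + random
    hello += b"\x00"                                           # empty session id
    hello += struct.pack(">H", 2) + b"\x13\x01"                # one cipher suite
    hello += b"\x01\x00"                                       # null compression only
    if supported_versions:
        vs = b"".join(struct.pack(">H", v) for v in supported_versions)
        ext = struct.pack(">HH", EXT_SUPPORTED_VERSIONS, 1 + len(vs)) + bytes([len(vs)]) + vs
        hello += struct.pack(">H", len(ext)) + ext
    handshake = bytes([CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack(">H", len(handshake)) + handshake


def demo():
    """Apply a 'TLS, 1.2 or newer' profile to three constructed flows on port 443."""
    profile = ContextProfile(app="TLS", min_tls=0x0303)
    flows = {
        "tls13": build_client_hello(0x0303, [0x0304, 0x0303]),
        "tls10": build_client_hello(0x0301),
        "http_on_443": b"GET / HTTP/1.1\r\nHost: intranet.example\r\n\r\n",
    }
    return {name: enforce(profile, payload) for name, payload in flows.items()}


if __name__ == "__main__":
    for name, (action, reason) in demo().items():
        print(f"{name:12} {action:5} {reason}")
```

The point to take from the model is that a port-based rule alone would have allowed all three flows; only looking inside the port distinguishes the TLS 1.3 session from the downgraded TLS 1.0 client and from plain HTTP that merely uses the TLS port.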

The common use cases for FQDN filtering include restricting access to unauthorized URLs or, conversely, restricting access to only specific authorized URLs.

The FQDN Filtering feature uses DNS Snooping on the Distributed Firewall (DFW) to observe and track the DNS requests from guests.
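As an added illustration (not VMware's implementation), the Python below models how DNS snooping turns FQDN rules into something a packet filter can enforce: the firewall records the IP addresses returned in DNS answers observed on each guest's vNIC, keeps them for the answer's TTL, and matches later connections to those addresses against FQDN rules. The class and rule names, the addresses and the TTLs are constructed. The demo also covers the two cases a practitioner should expect: a connection to an address the guest never resolved through observed DNS, and a binding whose TTL has expired, both of which cannot be matched to any FQDN and fall through to the default action.

```python
"""Model of FQDN filtering driven by DNS snooping on a distributed firewall.

Added example, not VMware/NSX code. Names, addresses and TTLs are constructed.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatch


@dataclass
class Binding:
    fqdn: str
    expires_at: float          # absolute time at which the DNS TTL runs out


@dataclass
class DnsSnoopCache:
    """Per-VM (vm, ip) -> FQDN learned only from DNS answers the VM received."""
    bindings: dict = field(default_factory=dict)

    def observe_answer(self, vm, fqdn, addresses, ttl, now):
        name = fqdn.rstrip(".").lower()            # normalise trailing dot and case
        for ip in addresses:
            self.bindings[(vm, ip)] = Binding(name, now + ttl)

    def lookup(self, vm, ip, now):
        binding = self.bindings.get((vm, ip))
        if binding is None:
            return None
        if now > binding.expires_at:                # TTL expired: forget the binding
            del self.bindings[(vm, ip)]
            return None
        return binding.fqdn


@dataclass
class FqdnRule:
    pattern: str     # exact name or shell-style wildcard such as "*.updates.example.com"
    action: str      # "ALLOW" or "DENY"


def evaluate(cache, rules, default_action, vm, dst_ip, now):
    """Return (action, reason) for a new connection from vm to dst_ip."""
    fqdn = cache.lookup(vm, dst_ip, now)
    if fqdn is None:
        # No observed DNS answer maps this address, so no FQDN rule can apply.
        return default_action, "no-snooped-fqdn"
    for rule in rules:
        # fnmatch: "*.updates.example.com" matches subdomains, not the apex name
        if fnmatch(fqdn, rule.pattern):
            return rule.action, f"matched {rule.pattern} via {fqdn}"
    return default_action, f"no rule for {fqdn}"


def demo():
    """Allow-list posture for a VDI desktop: default DENY, two FQDN rules."""
    cache = DnsSnoopCache()
    rules = [
        FqdnRule("*.updates.example.com", "ALLOW"),
        FqdnRule("tracker.example.net", "DENY"),
    ]
    vm = "vdi-desktop-01"
    # Constructed DNS answers as the DFW would observe them on the VM's vNIC.
    cache.observe_answer(vm, "pkg.updates.example.com.", ["203.0.113.10"], ttl=300, now=0)
    cache.observe_answer(vm, "tracker.example.net", ["198.51.100.7"], ttl=60, now=0)
    return {
        "allowed_update": evaluate(cache, rules, "DENY", vm, "203.0.113.10", now=10),
        "denied_tracker": evaluate(cache, rules, "DENY", vm, "198.51.100.7", now=10),
        "never_resolved": evaluate(cache, rules, "DENY", vm, "192.0.2.44", now=10),
        "stale_binding": evaluate(cache, rules, "DENY", vm, "198.51.100.7", now=120),
    }


if __name__ == "__main__":
    for name, (action, reason) in demo().items():
        print(f"{name:15} {action:5} {reason}")
```

Because the cache is keyed per VM and filled only from answers the guest actually received, a VM that connects to an address it never resolved, or whose resolution has aged out, gets the default action rather than an FQDN match; that is why FQDN rules are paired with a deliberate default rule rather than relied on alone.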

The Advanced Firewall Add-On can be enabled or disabled by the user at any time.

If the Advanced Firewall Add-On is disabled, additional policy for Distributed IDS/IPS, FQDN Filtering, IDFW or Layer 7 firewalling cannot be added and existing policy cannot be edited. Previously configured policy will still be enforced and is retained until deleted by the administrator.

If the Advanced Firewall Add-On is re-enabled, existing policy becomes configurable again.
