{"id":1502,"date":"2025-09-18T10:38:41","date_gmt":"2025-09-18T08:38:41","guid":{"rendered":"https:\/\/hentati.org\/?p=1502"},"modified":"2026-02-02T23:42:17","modified_gmt":"2026-02-02T22:42:17","slug":"designing-secure-east-west-traffic-with-nsx","status":"publish","type":"post","link":"https:\/\/hentati.org\/index.php\/2025\/09\/18\/designing-secure-east-west-traffic-with-nsx\/","title":{"rendered":"Designing secure east-west traffic with NSX"},"content":{"rendered":"<p data-start=\"320\" data-end=\"727\"><span style=\"color: #000000;\">In traditional data center architectures, security has long focused on protecting north-south traffic, which flows between internal systems and external networks. However, modern threats increasingly exploit <strong data-start=\"528\" data-end=\"549\">east-west traffic<\/strong>, the communication occurring between workloads inside the data center. Designing secure east-west traffic is therefore a critical requirement for modern enterprise environments.<\/span><\/p>\n<p data-start=\"729\" data-end=\"965\"><span style=\"color: #000000;\">VMware NSX provides native capabilities to control, inspect, and secure east-west traffic at the workload level. This article explains the purpose, benefits, and architectural principles behind secure east-west traffic design using NSX.<\/span><\/p>\n<hr data-start=\"967\" data-end=\"970\" \/>\n<h3 data-start=\"972\" data-end=\"1007\"><span style=\"color: #000000;\">Understanding East-West Traffic<\/span><\/h3>\n<p data-start=\"1009\" data-end=\"1037\"><span style=\"color: #000000;\">East-west traffic refers to:<\/span><\/p>\n<ul data-start=\"1038\" data-end=\"1172\">\n<li data-start=\"1038\" data-end=\"1078\">\n<p data-start=\"1040\" data-end=\"1078\"><span style=\"color: #000000;\">Communication between virtual machines<\/span><\/p>\n<\/li>\n<li data-start=\"1079\" data-end=\"1114\">\n<p data-start=\"1081\" data-end=\"1114\"><span style=\"color: #000000;\">Traffic between application tiers<\/span><\/p>\n<\/li>\n<li data-start=\"1115\" data-end=\"1172\">\n<p data-start=\"1117\" data-end=\"1172\"><span style=\"color: #000000;\">Service-to-service communication inside the data center<\/span><\/p>\n<\/li>\n<\/ul>\n<p data-start=\"1174\" data-end=\"1313\"><span style=\"color: #000000;\">Unlike north-south traffic, east-west flows often bypass traditional perimeter firewalls, making them a primary vector for lateral attacks.<\/span><\/p>\n<hr data-start=\"1315\" data-end=\"1318\" \/>\n<h3 data-start=\"1320\" data-end=\"1354\"><span style=\"color: #000000;\">Why East-West Security Matters<\/span><\/h3>\n<p data-start=\"1356\" data-end=\"1380\"><span style=\"color: #000000;\">Modern applications are:<\/span><\/p>\n<ul data-start=\"1381\" data-end=\"1483\">\n<li data-start=\"1381\" data-end=\"1401\">\n<p data-start=\"1383\" data-end=\"1401\"><span style=\"color: #000000;\">Highly distributed<\/span><\/p>\n<\/li>\n<li data-start=\"1402\" data-end=\"1447\">\n<p data-start=\"1404\" data-end=\"1447\"><span style=\"color: #000000;\">Composed of multiple tiers or microservices<\/span><\/p>\n<\/li>\n<li data-start=\"1448\" data-end=\"1483\">\n<p data-start=\"1450\" data-end=\"1483\"><span style=\"color: #000000;\">Deployed on shared infrastructure<\/span><\/p>\n<\/li>\n<\/ul>\n<p data-start=\"1485\" data-end=\"1707\"><span style=\"color: #000000;\">Once an attacker gains initial access, unrestricted east-west traffic allows rapid lateral movement. Securing these internal flows significantly reduces the attack surface and limits the blast radius of security incidents.<\/span><\/p>\n<hr data-start=\"1709\" data-end=\"1712\" \/>\n<h3 data-start=\"1714\" data-end=\"1755\"><span style=\"color: #000000;\">NSX as an East-West Security Platform<\/span><\/h3>\n<p data-start=\"1757\" data-end=\"1823\"><span style=\"color: #000000;\">VMware NSX embeds security directly into the hypervisor, enabling:<\/span><\/p>\n<ul data-start=\"1824\" data-end=\"1926\">\n<li data-start=\"1824\" data-end=\"1849\">\n<p data-start=\"1826\" data-end=\"1849\"><span style=\"color: #000000;\">Distributed enforcement<\/span><\/p>\n<\/li>\n<li data-start=\"1850\" data-end=\"1873\">\n<p data-start=\"1852\" data-end=\"1873\"><span style=\"color: #000000;\">Line-rate performance<\/span><\/p>\n<\/li>\n<li data-start=\"1874\" data-end=\"1926\">\n<p data-start=\"1876\" data-end=\"1926\"><span style=\"color: #000000;\">Policy consistency regardless of workload location<\/span><\/p>\n<\/li>\n<\/ul>\n<p data-start=\"1928\" data-end=\"2014\"><span style=\"color: #000000;\">Security policies are enforced <strong data-start=\"1959\" data-end=\"1980\">at the vNIC level<\/strong>, not at centralized choke points.<\/span><\/p>\n<hr data-start=\"2016\" data-end=\"2019\" \/>\n<h3 data-start=\"2021\" data-end=\"2066\"><span style=\"color: #000000;\">Key NSX Components for East-West Security<\/span><\/h3>\n<ul data-start=\"2068\" data-end=\"2216\">\n<li data-start=\"2068\" data-end=\"2100\">\n<p data-start=\"2070\" data-end=\"2100\"><span style=\"color: #000000;\">NSX Distributed Firewall (DFW)<\/span><\/p>\n<\/li>\n<li data-start=\"2101\" data-end=\"2126\">\n<p data-start=\"2103\" data-end=\"2126\"><span style=\"color: #000000;\">Dynamic security groups<\/span><\/p>\n<\/li>\n<li data-start=\"2127\" data-end=\"2152\">\n<p data-start=\"2129\" data-end=\"2152\"><span style=\"color: #000000;\">Application-aware rules<\/span><\/p>\n<\/li>\n<li data-start=\"2153\" data-end=\"2184\">\n<p data-start=\"2155\" data-end=\"2184\"><span style=\"color: #000000;\">Layer 4 to Layer 7 inspection<\/span><\/p>\n<\/li>\n<li data-start=\"2185\" data-end=\"2216\">\n<p data-start=\"2187\" data-end=\"2216\"><span style=\"color: #000000;\">Centralized policy management<\/span><\/p>\n<\/li>\n<\/ul>\n<hr data-start=\"2218\" data-end=\"2221\" \/>\n<h3 data-start=\"2223\" data-end=\"2251\"><span style=\"color: #000000;\">Architectural Principles<\/span><\/h3>\n<h4 data-start=\"2253\" data-end=\"2276\"><span style=\"color: #000000;\">Default Deny Model<\/span><\/h4>\n<p data-start=\"2277\" data-end=\"2437\"><span style=\"color: #000000;\">NSX allows organizations to implement a <strong data-start=\"2317\" data-end=\"2333\">default deny<\/strong> posture, where only explicitly authorized traffic is permitted. This aligns with Zero Trust principles.<\/span><\/p>\n<h4 data-start=\"2439\" data-end=\"2466\"><span style=\"color: #000000;\">Least Privilege Access<\/span><\/h4>\n<p data-start=\"2467\" data-end=\"2569\"><span style=\"color: #000000;\">Each workload communicates only with the services it strictly requires, reducing unnecessary exposure.<\/span><\/p>\n<h4 data-start=\"2571\" data-end=\"2612\"><span style=\"color: #000000;\">Policy Decoupling from IP Addressing<\/span><\/h4>\n<p data-start=\"2613\" data-end=\"2714\"><span style=\"color: #000000;\">Policies are based on workload identity, tags, or groups rather than IP addresses, improving agility.<\/span><\/p>\n<hr data-start=\"2716\" data-end=\"2719\" \/>\n<h3 data-start=\"2721\" data-end=\"2759\"><span style=\"color: #000000;\">Designing Secure East-West Traffic<\/span><\/h3>\n<ol data-start=\"2761\" data-end=\"3186\">\n<li data-start=\"2761\" data-end=\"2874\">\n<p data-start=\"2764\" data-end=\"2874\"><span style=\"color: #000000;\"><strong data-start=\"2764\" data-end=\"2787\">Application Mapping<\/strong><\/span><br data-start=\"2787\" data-end=\"2790\" \/><span style=\"color: #000000;\">Identify communication flows between application tiers before enforcing policies.<\/span><\/p>\n<\/li>\n<li data-start=\"2876\" data-end=\"2983\">\n<p data-start=\"2879\" data-end=\"2983\"><span style=\"color: #000000;\"><strong data-start=\"2879\" data-end=\"2903\">Segmentation by Role<\/strong><\/span><br data-start=\"2903\" data-end=\"2906\" \/><span style=\"color: #000000;\">Group workloads by function (web, app, database) using dynamic membership.<\/span><\/p>\n<\/li>\n<li data-start=\"2985\" data-end=\"3091\">\n<p data-start=\"2988\" data-end=\"3091\"><span style=\"color: #000000;\"><strong data-start=\"2988\" data-end=\"3019\">Policy Enforcement at Scale<\/strong><\/span><br data-start=\"3019\" data-end=\"3022\" \/><span style=\"color: #000000;\">Use hierarchical NSX policies to maintain clarity and scalability.<\/span><\/p>\n<\/li>\n<li data-start=\"3093\" data-end=\"3186\">\n<p data-start=\"3096\" data-end=\"3186\"><span style=\"color: #000000;\"><strong data-start=\"3096\" data-end=\"3123\">Progressive Enforcement<\/strong><\/span><br data-start=\"3123\" data-end=\"3126\" \/><span style=\"color: #000000;\">Start in monitor mode, then gradually enforce deny rules.<\/span><\/p>\n<\/li>\n<\/ol>\n<hr data-start=\"3188\" data-end=\"3191\" \/>\n<h3 data-start=\"3193\" data-end=\"3216\"><span style=\"color: #000000;\">Real-World Benefits<\/span><\/h3>\n<ul data-start=\"3218\" data-end=\"3364\">\n<li data-start=\"3218\" data-end=\"3257\">\n<p data-start=\"3220\" data-end=\"3257\"><span style=\"color: #000000;\">Containment of malware and ransomware<\/span><\/p>\n<\/li>\n<li data-start=\"3258\" data-end=\"3293\">\n<p data-start=\"3260\" data-end=\"3293\"><span style=\"color: #000000;\">Reduced impact of insider threats<\/span><\/p>\n<\/li>\n<li data-start=\"3294\" data-end=\"3320\">\n<p data-start=\"3296\" data-end=\"3320\"><span style=\"color: #000000;\">Faster compliance audits<\/span><\/p>\n<\/li>\n<li data-start=\"3321\" data-end=\"3364\">\n<p data-start=\"3323\" data-end=\"3364\"><span style=\"color: #000000;\">Improved visibility into internal traffic<\/span><\/p>\n<\/li>\n<\/ul>\n<hr data-start=\"3366\" data-end=\"3369\" \/>\n<h3 data-start=\"3371\" data-end=\"3397\"><span style=\"color: #000000;\">Operational Advantages<\/span><\/h3>\n<ul data-start=\"3399\" data-end=\"3567\">\n<li data-start=\"3399\" data-end=\"3444\">\n<p data-start=\"3401\" data-end=\"3444\"><span style=\"color: #000000;\">No reliance on physical firewall appliances<\/span><\/p>\n<\/li>\n<li data-start=\"3445\" data-end=\"3473\">\n<p data-start=\"3447\" data-end=\"3473\"><span style=\"color: #000000;\">Simplified rule management<\/span><\/p>\n<\/li>\n<li data-start=\"3474\" data-end=\"3538\">\n<p data-start=\"3476\" data-end=\"3538\"><span style=\"color: #000000;\">Consistent security across hybrid and multi-cloud environments<\/span><\/p>\n<\/li>\n<li data-start=\"3539\" data-end=\"3567\">\n<p data-start=\"3541\" data-end=\"3567\"><span style=\"color: #000000;\">Minimal performance impact<\/span><\/p>\n<\/li>\n<\/ul>\n<hr data-start=\"3569\" data-end=\"3572\" \/>\n<h3 data-start=\"3574\" data-end=\"3600\"><span style=\"color: #000000;\">Common Design Mistakes<\/span><\/h3>\n<ul data-start=\"3602\" data-end=\"3778\">\n<li data-start=\"3602\" data-end=\"3640\">\n<p data-start=\"3604\" data-end=\"3640\"><span style=\"color: #000000;\">Relying solely on perimeter security<\/span><\/p>\n<\/li>\n<li data-start=\"3641\" data-end=\"3670\">\n<p data-start=\"3643\" data-end=\"3670\"><span style=\"color: #000000;\">Using static IP-based rules<\/span><\/p>\n<\/li>\n<li data-start=\"3671\" data-end=\"3718\">\n<p data-start=\"3673\" data-end=\"3718\"><span style=\"color: #000000;\">Enforcing policies without traffic visibility<\/span><\/p>\n<\/li>\n<li data-start=\"3719\" data-end=\"3778\">\n<p data-start=\"3721\" data-end=\"3778\"><span style=\"color: #000000;\">Mixing security and network teams without clear ownership<\/span><\/p>\n<\/li>\n<\/ul>\n<hr data-start=\"3780\" data-end=\"3783\" \/>\n<h3 data-start=\"3785\" data-end=\"3803\"><span style=\"color: #000000;\">Business Value<\/span><\/h3>\n<p data-start=\"3805\" data-end=\"3859\"><span style=\"color: #000000;\">By securing east-west traffic with NSX, organizations:<\/span><\/p>\n<ul data-start=\"3860\" data-end=\"4014\">\n<li data-start=\"3860\" data-end=\"3881\">\n<p data-start=\"3862\" data-end=\"3881\"><span style=\"color: #000000;\">Reduce breach costs<\/span><\/p>\n<\/li>\n<li data-start=\"3882\" data-end=\"3908\">\n<p data-start=\"3884\" data-end=\"3908\"><span style=\"color: #000000;\">Improve cyber-resilience<\/span><\/p>\n<\/li>\n<li data-start=\"3909\" data-end=\"3945\">\n<p data-start=\"3911\" data-end=\"3945\"><span style=\"color: #000000;\">Support cloud-native architectures<\/span><\/p>\n<\/li>\n<li data-start=\"3946\" data-end=\"4014\">\n<p data-start=\"3948\" data-end=\"4014\"><span style=\"color: #000000;\">Enable faster application deployment without compromising security<\/span><\/p>\n<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<h2 data-start=\"328\" data-end=\"417\"><span style=\"color: #000000;\">Concrete Example: Securing East-West Traffic with NSX in a Real Enterprise Application<\/span><\/h2>\n<h3 data-start=\"419\" data-end=\"439\"><span style=\"color: #000000;\">Business Context<\/span><\/h3>\n<p data-start=\"441\" data-end=\"672\"><span style=\"color: #000000;\">A medium-sized e-commerce company runs its core online sales platform in a <strong data-start=\"516\" data-end=\"549\">VMware Cloud Foundation (VCF)<\/strong> environment.<\/span><br data-start=\"562\" data-end=\"565\" \/><span style=\"color: #000000;\">The application is business-critical and must remain available 24\/7 while handling sensitive customer data.<\/span><\/p>\n<p data-start=\"674\" data-end=\"689\"><span style=\"color: #000000;\">Key challenges:<\/span><\/p>\n<ul data-start=\"690\" data-end=\"860\">\n<li data-start=\"690\" data-end=\"721\">\n<p data-start=\"692\" data-end=\"721\"><span style=\"color: #000000;\">Increasing ransomware attacks<\/span><\/p>\n<\/li>\n<li data-start=\"722\" data-end=\"757\">\n<p data-start=\"724\" data-end=\"757\"><span style=\"color: #000000;\">Regulatory requirements (PCI-DSS)<\/span><\/p>\n<\/li>\n<li data-start=\"758\" data-end=\"804\">\n<p data-start=\"760\" data-end=\"804\"><span style=\"color: #000000;\">Flat internal network with little visibility<\/span><\/p>\n<\/li>\n<li data-start=\"805\" data-end=\"860\">\n<p data-start=\"807\" data-end=\"860\"><span style=\"color: #000000;\">Security controls focused only on north-south traffic<\/span><\/p>\n<\/li>\n<\/ul>\n<hr data-start=\"862\" data-end=\"865\" \/>\n<h3 data-start=\"867\" data-end=\"917\"><span style=\"color: #000000;\">Application Architecture (Before NSX Security)<\/span><\/h3>\n<p data-start=\"919\" data-end=\"972\"><span style=\"color: #000000;\">The platform is a classic <strong data-start=\"945\" data-end=\"971\">three-tier application<\/strong>:<\/span><\/p>\n<ul data-start=\"974\" data-end=\"1183\">\n<li data-start=\"974\" data-end=\"1057\">\n<p data-start=\"976\" data-end=\"988\"><span style=\"color: #000000;\"><strong data-start=\"976\" data-end=\"988\">Web Tier<\/strong><\/span><\/p>\n<ul data-start=\"991\" data-end=\"1057\">\n<li data-start=\"991\" data-end=\"1018\">\n<p data-start=\"993\" data-end=\"1018\"><span style=\"color: #000000;\">Public-facing web servers<\/span><\/p>\n<\/li>\n<li data-start=\"1021\" data-end=\"1057\">\n<p data-start=\"1023\" data-end=\"1057\"><span style=\"color: #000000;\">Receives traffic from the internet<\/span><\/p>\n<\/li>\n<\/ul>\n<\/li>\n<li data-start=\"1058\" data-end=\"1122\">\n<p data-start=\"1060\" data-end=\"1080\"><span style=\"color: #000000;\"><strong data-start=\"1060\" data-end=\"1080\">Application Tier<\/strong><\/span><\/p>\n<ul data-start=\"1083\" data-end=\"1122\">\n<li data-start=\"1083\" data-end=\"1122\">\n<p data-start=\"1085\" data-end=\"1122\"><span style=\"color: #000000;\">Business logic and payment processing<\/span><\/p>\n<\/li>\n<\/ul>\n<\/li>\n<li data-start=\"1123\" data-end=\"1183\">\n<p data-start=\"1125\" data-end=\"1142\"><span style=\"color: #000000;\"><strong data-start=\"1125\" data-end=\"1142\">Database Tier<\/strong><\/span><\/p>\n<ul data-start=\"1145\" data-end=\"1183\">\n<li data-start=\"1145\" data-end=\"1183\">\n<p data-start=\"1147\" data-end=\"1183\"><span style=\"color: #000000;\">Stores customer and transaction data<\/span><\/p>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p data-start=\"1185\" data-end=\"1304\"><span style=\"color: #000000;\">All VMs are connected to the same internal network.<\/span><br data-start=\"1236\" data-end=\"1239\" \/><span style=\"color: #000000;\">Once inside the data center, <strong data-start=\"1268\" data-end=\"1303\">any VM can talk to any other VM<\/strong>.<\/span><\/p>\n<hr data-start=\"1306\" data-end=\"1309\" \/>\n<h3 data-start=\"1311\" data-end=\"1355\"><span style=\"color: #000000;\">Risk Scenario Without East-West Security<\/span><\/h3>\n<p data-start=\"1357\" data-end=\"1410\"><span style=\"color: #000000;\">An attacker exploits a vulnerability in a web server:<\/span><\/p>\n<ul data-start=\"1411\" data-end=\"1550\">\n<li data-start=\"1411\" data-end=\"1441\">\n<p data-start=\"1413\" data-end=\"1441\"><span style=\"color: #000000;\">Gains access to the Web Tier<\/span><\/p>\n<\/li>\n<li data-start=\"1442\" data-end=\"1470\">\n<p data-start=\"1444\" data-end=\"1470\"><span style=\"color: #000000;\">Scans the internal network<\/span><\/p>\n<\/li>\n<li data-start=\"1471\" data-end=\"1522\">\n<p data-start=\"1473\" data-end=\"1522\"><span style=\"color: #000000;\">Moves laterally to Application and Database tiers<\/span><\/p>\n<\/li>\n<li data-start=\"1523\" data-end=\"1550\">\n<p data-start=\"1525\" data-end=\"1550\"><span style=\"color: #000000;\">Exfiltrates customer data<\/span><\/p>\n<\/li>\n<\/ul>\n<p data-start=\"1552\" data-end=\"1647\"><span style=\"color: #000000;\">Traditional firewalls do not detect this movement because traffic stays inside the data center.<\/span><\/p>\n<hr data-start=\"1649\" data-end=\"1652\" \/>\n<h3 data-start=\"1654\" data-end=\"1686\"><span style=\"color: #000000;\">Target Architecture with NSX<\/span><\/h3>\n<p data-start=\"1688\" data-end=\"1785\"><span style=\"color: #000000;\">The company deploys <strong data-start=\"1708\" data-end=\"1743\">VMware NSX Distributed Firewall<\/strong> and redesigns east-west traffic security.<\/span><\/p>\n<p data-start=\"1787\" data-end=\"1809\"><span style=\"color: #000000;\">Key design principles:<\/span><\/p>\n<ul data-start=\"1810\" data-end=\"1929\">\n<li data-start=\"1810\" data-end=\"1845\">\n<p data-start=\"1812\" data-end=\"1845\"><span style=\"color: #000000;\">Zero Trust inside the data center<\/span><\/p>\n<\/li>\n<li data-start=\"1846\" data-end=\"1882\">\n<p data-start=\"1848\" data-end=\"1882\"><span style=\"color: #000000;\">Default deny for east-west traffic<\/span><\/p>\n<\/li>\n<li data-start=\"1883\" data-end=\"1929\">\n<p data-start=\"1885\" data-end=\"1929\"><span style=\"color: #000000;\">Policies based on workload identity, not IPs<\/span><\/p>\n<\/li>\n<\/ul>\n<hr data-start=\"1931\" data-end=\"1934\" \/>\n<h3 data-start=\"1936\" data-end=\"1967\"><span style=\"color: #000000;\">Step 1: Application Mapping<\/span><\/h3>\n<p data-start=\"1969\" data-end=\"1996\"><span style=\"color: #000000;\">Using NSX visibility tools:<\/span><\/p>\n<ul data-start=\"1997\" data-end=\"2103\">\n<li data-start=\"1997\" data-end=\"2026\">\n<p data-start=\"1999\" data-end=\"2026\"><span style=\"color: #000000;\">Web \u2192 App: HTTPS (TCP 8443)<\/span><\/p>\n<\/li>\n<li data-start=\"2027\" data-end=\"2059\">\n<p data-start=\"2029\" data-end=\"2059\"><span style=\"color: #000000;\">App \u2192 Database: SQL (TCP 1521)<\/span><\/p>\n<\/li>\n<li data-start=\"2060\" data-end=\"2103\">\n<p data-start=\"2062\" data-end=\"2103\"><span style=\"color: #000000;\">No other east-west communication required<\/span><\/p>\n<\/li>\n<\/ul>\n<p data-start=\"2105\" data-end=\"2158\"><span style=\"color: #000000;\">This creates a clear and documented traffic baseline.<\/span><\/p>\n<hr data-start=\"2160\" data-end=\"2163\" \/>\n<h3 data-start=\"2165\" data-end=\"2197\"><span style=\"color: #000000;\">Step 2: Logical Segmentation<\/span><\/h3>\n<p data-start=\"2199\" data-end=\"2235\"><span style=\"color: #000000;\">Dynamic security groups are created:<\/span><\/p>\n<ul data-start=\"2237\" data-end=\"2360\">\n<li data-start=\"2237\" data-end=\"2278\">\n<p data-start=\"2239\" data-end=\"2249\"><span style=\"color: #000000;\"><strong data-start=\"2239\" data-end=\"2249\">SG-Web<\/strong><\/span><\/p>\n<ul data-start=\"2252\" data-end=\"2278\">\n<li data-start=\"2252\" data-end=\"2278\">\n<p data-start=\"2254\" data-end=\"2278\"><span style=\"color: #000000;\">VMs tagged as <code data-start=\"2268\" data-end=\"2278\">role:web<\/code><\/span><\/p>\n<\/li>\n<\/ul>\n<\/li>\n<li data-start=\"2279\" data-end=\"2320\">\n<p data-start=\"2281\" data-end=\"2291\"><span style=\"color: #000000;\"><strong data-start=\"2281\" data-end=\"2291\">SG-App<\/strong><\/span><\/p>\n<ul data-start=\"2294\" data-end=\"2320\">\n<li data-start=\"2294\" data-end=\"2320\">\n<p data-start=\"2296\" data-end=\"2320\"><span style=\"color: #000000;\">VMs tagged as <code data-start=\"2310\" data-end=\"2320\">role:app<\/code><\/span><\/p>\n<\/li>\n<\/ul>\n<\/li>\n<li data-start=\"2321\" data-end=\"2360\">\n<p data-start=\"2323\" data-end=\"2332\"><span style=\"color: #000000;\"><strong data-start=\"2323\" data-end=\"2332\">SG-DB<\/strong><\/span><\/p>\n<ul data-start=\"2335\" data-end=\"2360\">\n<li data-start=\"2335\" data-end=\"2360\">\n<p data-start=\"2337\" data-end=\"2360\"><span style=\"color: #000000;\">VMs tagged as <code data-start=\"2351\" data-end=\"2360\">role:db<\/code><\/span><\/p>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p data-start=\"2362\" data-end=\"2427\"><span style=\"color: #000000;\">Group membership updates automatically when new VMs are deployed.<\/span><\/p>\n<hr data-start=\"2429\" data-end=\"2432\" \/>\n<h3 data-start=\"2434\" data-end=\"2478\"><span style=\"color: #000000;\">Step 3: Micro-Segmentation Policy Design<\/span><\/h3>\n<p data-start=\"2480\" data-end=\"2511\"><span style=\"color: #000000;\">NSX Distributed Firewall rules:<\/span><\/p>\n<ol data-start=\"2513\" data-end=\"2615\">\n<li data-start=\"2513\" data-end=\"2545\">\n<p data-start=\"2516\" data-end=\"2545\"><span style=\"color: #000000;\">Allow Web \u2192 App on TCP 8443<\/span><\/p>\n<\/li>\n<li data-start=\"2546\" data-end=\"2577\">\n<p data-start=\"2549\" data-end=\"2577\"><span style=\"color: #000000;\">Allow App \u2192 DB on TCP 1521<\/span><\/p>\n<\/li>\n<li data-start=\"2578\" data-end=\"2615\">\n<p data-start=\"2581\" data-end=\"2615\"><span style=\"color: #000000;\">Deny all other east-west traffic<\/span><\/p>\n<\/li>\n<\/ol>\n<p data-start=\"2617\" data-end=\"2667\"><span style=\"color: #000000;\">Rules are enforced at the vNIC level for every VM.<\/span><\/p>\n<hr data-start=\"2669\" data-end=\"2672\" \/>\n<h3 data-start=\"2674\" data-end=\"2712\"><span style=\"color: #000000;\">Step 4: Enforcement and Operations<\/span><\/h3>\n<ul data-start=\"2714\" data-end=\"2884\">\n<li data-start=\"2714\" data-end=\"2763\">\n<p data-start=\"2716\" data-end=\"2763\"><span style=\"color: #000000;\">Policies are first deployed in <strong data-start=\"2747\" data-end=\"2763\">monitor mode<\/strong><\/span><\/p>\n<\/li>\n<li data-start=\"2764\" data-end=\"2800\">\n<p data-start=\"2766\" data-end=\"2800\"><span style=\"color: #000000;\">No application disruption observed<\/span><\/p>\n<\/li>\n<li data-start=\"2801\" data-end=\"2841\">\n<p data-start=\"2803\" data-end=\"2841\"><span style=\"color: #000000;\">Policies switched to <strong data-start=\"2824\" data-end=\"2841\">enforced mode<\/strong><\/span><\/p>\n<\/li>\n<li data-start=\"2842\" data-end=\"2884\">\n<p data-start=\"2844\" data-end=\"2884\"><span style=\"color: #000000;\">Logging enabled for audit and monitoring<\/span><\/p>\n<\/li>\n<\/ul>\n<p data-start=\"2886\" data-end=\"2944\"><span style=\"color: #000000;\">No changes to IP addressing, routing, or application code.<\/span><\/p>\n<hr data-start=\"2946\" data-end=\"2949\" \/>\n<h3 data-start=\"2951\" data-end=\"2993\"><span style=\"color: #000000;\">Security Incident After Implementation<\/span><\/h3>\n<p data-start=\"2995\" data-end=\"3029\"><span style=\"color: #000000;\">A web server is compromised again:<\/span><\/p>\n<ul data-start=\"3030\" data-end=\"3194\">\n<li data-start=\"3030\" data-end=\"3066\">\n<p data-start=\"3032\" data-end=\"3066\"><span style=\"color: #000000;\">Attacker attempts lateral movement<\/span><\/p>\n<\/li>\n<li data-start=\"3067\" data-end=\"3125\">\n<p data-start=\"3069\" data-end=\"3125\"><span style=\"color: #000000;\">Traffic to App Tier is blocked unless explicitly allowed<\/span><\/p>\n<\/li>\n<li data-start=\"3126\" data-end=\"3157\">\n<p data-start=\"3128\" data-end=\"3157\"><span style=\"color: #000000;\">Database access is impossible<\/span><\/p>\n<\/li>\n<li data-start=\"3158\" data-end=\"3194\">\n<p data-start=\"3160\" data-end=\"3194\"><span style=\"color: #000000;\">Attack is contained to a single VM<\/span><\/p>\n<\/li>\n<\/ul>\n<p data-start=\"3196\" data-end=\"3276\"><span style=\"color: #000000;\">The incident impact is reduced from a major breach to a minor operational event.<\/span><\/p>\n<hr data-start=\"3278\" data-end=\"3281\" \/>\n<h3 data-start=\"3283\" data-end=\"3318\"><span style=\"color: #000000;\">Business and Technical Outcomes<\/span><\/h3>\n<ul data-start=\"3320\" data-end=\"3520\">\n<li data-start=\"3320\" data-end=\"3358\">\n<p data-start=\"3322\" data-end=\"3358\"><span style=\"color: #000000;\">Lateral movement effectively blocked<\/span><\/p>\n<\/li>\n<li data-start=\"3359\" data-end=\"3388\">\n<p data-start=\"3361\" data-end=\"3388\"><span style=\"color: #000000;\">PCI-DSS audit scope reduced<\/span><\/p>\n<\/li>\n<li data-start=\"3389\" data-end=\"3428\">\n<p data-start=\"3391\" data-end=\"3428\"><span style=\"color: #000000;\">Incident response time reduced by 70%<\/span><\/p>\n<\/li>\n<li data-start=\"3429\" data-end=\"3457\">\n<p data-start=\"3431\" data-end=\"3457\"><span style=\"color: #000000;\">No performance degradation<\/span><\/p>\n<\/li>\n<li data-start=\"3458\" data-end=\"3520\">\n<p data-start=\"3460\" data-end=\"3520\"><span style=\"color: #000000;\">Security policies remain consistent across on-prem and cloud<\/span><\/p>\n<\/li>\n<\/ul>\n<hr data-start=\"3522\" data-end=\"3525\" \/>\n<h3 data-start=\"3527\" data-end=\"3561\"><span style=\"color: #000000;\">Why This Configuration Matters<\/span><\/h3>\n<p data-start=\"3563\" data-end=\"3627\"><span style=\"color: #000000;\">This example shows that <strong data-start=\"3587\" data-end=\"3626\">securing east-west traffic with NSX<\/strong>:<\/span><\/p>\n<ul data-start=\"3628\" data-end=\"3846\">\n<li data-start=\"3628\" data-end=\"3681\">\n<p data-start=\"3630\" data-end=\"3681\"><span style=\"color: #000000;\">Turns the data center into a Zero Trust environment<\/span><\/p>\n<\/li>\n<li data-start=\"3682\" data-end=\"3736\">\n<p data-start=\"3684\" data-end=\"3736\"><span style=\"color: #000000;\">Protects critical assets even after perimeter breach<\/span><\/p>\n<\/li>\n<li data-start=\"3737\" data-end=\"3783\">\n<p data-start=\"3739\" data-end=\"3783\"><span style=\"color: #000000;\">Enables security without sacrificing agility<\/span><\/p>\n<\/li>\n<li data-start=\"3784\" data-end=\"3846\">\n<p data-start=\"3786\" data-end=\"3846\"><span style=\"color: #000000;\">Aligns security design with modern application architectures<\/span><\/p>\n<\/li>\n<\/ul>\n<hr data-start=\"3848\" data-end=\"3851\" \/>\n<h3 data-start=\"3853\" data-end=\"3869\"><span style=\"color: #000000;\">Key Takeaway<\/span><\/h3>\n<p data-start=\"3871\" data-end=\"4116\"><span style=\"color: #000000;\">East-west security with NSX is not about adding more firewalls.<\/span><br data-start=\"3934\" data-end=\"3937\" \/><span style=\"color: #000000;\">It is about <strong data-start=\"3949\" data-end=\"3980\">changing the security model<\/strong>\u2014from perimeter defense to workload-level protection\u2014making security intrinsic to the infrastructure rather than an external constraint.<\/span><\/p>\n<hr data-start=\"4016\" data-end=\"4019\" \/>\n<h3 data-start=\"4021\" data-end=\"4035\"><span style=\"color: #000000;\">Conclusion<\/span><\/h3>\n<p data-start=\"4037\" data-end=\"4444\"><span style=\"color: #000000;\">Designing secure east-west traffic with VMware NSX is no longer optional\u2014it is a foundational requirement for modern data centers. By shifting security enforcement closer to the workload and adopting a Zero Trust mindset, enterprises can significantly improve their security posture while maintaining operational agility. NSX transforms east-west security from a network constraint into a strategic enabler.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In traditional data center architectures, security has long focused on protecting north-south traffic, which flows between internal systems and external networks. However, modern threats increasingly exploit east-west traffic, the communication &#8230;<\/p>\n","protected":false},"author":1,"featured_media":1525,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[6,15,10],"tags":[],"_links":{"self":[{"href":"https:\/\/hentati.org\/index.php\/wp-json\/wp\/v2\/posts\/1502"}],"collection":[{"href":"https:\/\/hentati.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/hentati.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/hentati.org\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/hentati.org\/index.php\/wp-json\/wp\/v2\/comments?post=1502"}],"version-history":[{"count":4,"href":"https:\/\/hentati.org\/index.php\/wp-json\/wp\/v2\/posts\/1502\/revisions"}],"predecessor-version":[{"id":1533,"href":"https:\/\/hentati.org\/index.php\/wp-json\/wp\/v2\/posts\/1502\/revisions\/1533"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/hentati.org\/index.php\/wp-json\/wp\/v2\/media\/1525"}],"wp:attachment":[{"href":"https:\/\/hentati.org\/index.php\/wp-json\/wp\/v2\/media?parent=1502"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/hentati.org\/index.php\/wp-json\/wp\/v2\/categories?post=1502"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/hentati.org\/index.php\/wp-json\/wp\/v2\/tags?post=1502"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}