VCF 9 – NSX VPC Part 3 – Security

Daniel Krieger
18. August 2025
Reading time: 2 min

How VMware NSX 9 and VCF 9 strengthen VPC security through isolation, flexible firewalling, and advanced protection

In his latest blog post, Daniel Krieger from evoila takes a practical look at how NSX 9’s VPC features can be used to build a solid security foundation.

He starts with NSX Projects (tenants), which are an easy way to keep traffic between different environments fully isolated. From there, Distributed Firewall (DFW) rules can be configured so that external access is blocked by default while internal communication still flows — ideally set up right when the project is created. For traffic entering or leaving the VPC (north-south), you can add a Gateway Firewall, though this does require Edge Nodes.

Daniel also walks through the role-based model, which includes Enterprise Admin, Project Admin and VPC Admin, and explains why the order of firewall rules and their categories (Environment, Application, etc.) matter for enforcement across both distributed and gateway firewalls.

One of the most interesting parts of his post is the look at TCP Strict. This feature validates the TCP three-way handshake more rigorously, so packets that do not belong to a properly established connection are dropped instead of being matched against an allow rule. Using hping3 flood tests, he shows that with the default policies (no TCP Strict), VMs can quickly become overwhelmed, whereas enabling TCP Strict in custom rules stops unsolicited ACK floods in their tracks.
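To make the difference concrete, here is an added Python simulation (not code from Daniel's post or from NSX) of a single "allow TCP to server" rule under lenient connection tracking versus handshake-strict tracking; the IP addresses, flood size and the simplified state machine are constructed assumptions, not NSX internals.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str          # source IP (constructed sample value)
    dst: str          # destination IP (constructed sample value)
    flags: frozenset  # TCP flags present on the packet

def pkt(src, dst, *flags):
    return Packet(src, dst, frozenset(flags))

class Tracker:
    """Minimal stateful inspection for one 'allow TCP to server' rule."""
    def __init__(self, strict):
        self.strict = strict   # True models TCP Strict: require a real handshake
        self.flows = {}        # flow key -> handshake state

    def inspect(self, p):
        key = frozenset((p.src, p.dst))      # both directions share one entry
        st = self.flows.get(key)
        if p.flags == {"SYN"}:                               # client opens
            self.flows[key] = "SYN_SENT"
            return "ALLOW"
        if p.flags == {"SYN", "ACK"} and st == "SYN_SENT":   # server answers
            self.flows[key] = "SYN_RECV"
            return "ALLOW"
        if p.flags == {"ACK"} and st == "SYN_RECV":          # handshake completes
            self.flows[key] = "ESTABLISHED"
            return "ALLOW"
        if st == "ESTABLISHED":                              # normal traffic on a known flow
            return "ALLOW"
        if self.strict:                                      # no valid handshake: drop
            return "DROP"
        self.flows[key] = "ESTABLISHED"                      # lenient: pick flow up mid-stream
        return "ALLOW"

def build_trace(flood_size=200):
    """Constructed trace: one legitimate handshake, then unsolicited ACKs from spoofed sources."""
    client, server = "10.0.1.10", "10.0.2.20"
    trace = [pkt(client, server, "SYN"),
             pkt(server, client, "SYN", "ACK"),
             pkt(client, server, "ACK")]
    trace += [pkt(f"203.0.113.{i}", server, "ACK") for i in range(flood_size)]
    return trace

def replay(strict, flood_size=200):
    """Return (allowed, dropped, tracked_flows) after replaying the trace."""
    t = Tracker(strict)
    verdicts = [t.inspect(p) for p in build_trace(flood_size)]
    return verdicts.count("ALLOW"), verdicts.count("DROP"), len(t.flows)

if __name__ == "__main__":
    for strict in (False, True):
        print(f"TCP strict={strict}: allowed/dropped/flows = {replay(strict)}")
```

Without strict checking every flood packet is accepted and creates state, which is the resource exhaustion the btop output in the post illustrates; with it, only the three handshake packets pass and the flow table stays at one entry.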

Throughout the post, he includes plenty of hands-on examples:

  • Screenshots of default DFW rules and security group setups
  • CLI listings (vsipioctl getrules) showing rule priorities
  • hping3 test runs and btop output to visualize CPU and network load
  • Side-by-side comparisons of firewall behavior with and without TCP Strict

His takeaway is clear: the default rule set gives you a decent baseline for isolating VPCs, but true protection comes from tailored policies, smart use of Apply To scoping, possibly adding perimeter firewalls and, most importantly, regular testing. That includes running your own pen-tests so you know exactly how your environment holds up under real-world pressure.

👉 Read the full blog post here