Software-defined Layer 7 micro-segmentation firewall built directly into the vSphere hypervisor. Inspect and control east-west traffic between every workload in your data center without network changes, traffic hairpinning, or dedicated firewall appliances.
VMware vDefend Distributed Firewall — Add-on to VMware Cloud Foundation
What is VMware vDefend Distributed Firewall?
VMware vDefend Distributed Firewall is a software-defined Layer 7 stateful firewall built into the vSphere hypervisor. It inspects east-west traffic between workloads inside the data center and enforces per-workload micro-segmentation policies. No network changes, no traffic hairpinning through external appliances, and no agents inside VMs. It is an add-on subscription to VMware Cloud Foundation.
Traditional perimeter firewalls inspect north-south traffic at the network edge. Once an attacker is past the perimeter, they can move freely between workloads, and lateral movement is a common stage of breaches. Yet the majority of data center traffic flows east-west between workloads, server to server and VM to VM, and most organizations have no visibility into, or controls on, that internal traffic.
The Distributed Firewall inspects every packet between workloads at the hypervisor level, providing full visibility into internal traffic patterns.
Organizations that try to segment internal traffic with physical or virtual firewall appliances face appliance sprawl, complex routing, and traffic hairpinning through chokepoints. This adds latency, increases cost, and creates bottlenecks.
The Distributed Firewall runs in the hypervisor kernel — no appliances to deploy, no traffic rerouting, and it scales automatically with your workloads.
VLAN-based segmentation and manual firewall rules do not scale. As environments grow, maintaining thousands of IP-based rules becomes error-prone and creates policy drift. Compliance audits become a recurring burden.
vDefend uses object-based policies tied to workload attributes — not IP addresses. Policies follow VMs when they move and are enforced automatically when new workloads are provisioned.
Organizations deploying VMware vDefend Distributed Firewall report improvements in security posture, deployment speed, and infrastructure cost compared to traditional firewall approaches. The vendor-cited benefits fall into three areas:
Fewer breaches on average with micro-segmentation
Faster security policy deployment
CapEx reduction vs. traditional firewall appliances
vDefend Distributed Firewall is the right fit for organizations that need east-west security controls at the workload level. These are the most common deployment scenarios.
Organizations implementing zero-trust security need to segment every workload individually. Traditional approaches require network redesign, VLAN changes, and physical firewall appliances at every segment boundary.
The Distributed Firewall micro-segments every VM and container at the hypervisor level. No network changes required. Policies are enforced at the virtual NIC of each workload.
Typical scenario: A healthcare organization needs to isolate patient record systems from general office workloads. Instead of rebuilding network VLANs, they deploy Distributed Firewall policies that isolate the EMR application tier at the VM level — completed in hours, not weeks.
Ransomware and advanced threats exploit the flat internal network to spread between VMs after an initial compromise. Perimeter firewalls cannot stop this lateral movement because the traffic never crosses the network edge.
vDefend Distributed Firewall creates a firewall boundary around every workload. If one VM is compromised, the attacker can reach other workloads only over the flows that policy explicitly permits, because every connection is inspected and controlled independently; with a default-deny rule between tiers, everything else is blocked. The control is only as tight as the allow list, so permitted flows should be scoped to the application's real dependencies.
Typical scenario: A financial services firm experiences a compromised web server. With Distributed Firewall in place, the attacker cannot pivot from the web tier to the database tier over management or file-sharing protocols, because east-west traffic is filtered at Layer 7 and only the application's own database connection is permitted. The blast radius is limited to the compromised workload and whatever that single permitted flow exposes.
PCI-DSS, HIPAA, and other compliance frameworks require network segmentation of sensitive data environments. VLAN-based segmentation satisfies the requirement but is difficult to maintain and audit at scale.
vDefend provides workload-level segmentation that is more granular than VLANs, defined as code, and auditable through a central policy console. Policies are consistent and enforceable across the entire environment.
Typical scenario: A retail organization needs PCI-DSS cardholder data environment segmentation. They define policies for the payment processing VMs using workload tags — not IP addresses. When VMs are added or moved, the policies follow automatically. Audit evidence is exported directly from the policy console.
Organizations with multiple sites often deploy separate firewall appliances at each location. This creates inconsistent policies, version drift, and high operational overhead for firewall management across dozens or hundreds of locations.
The Distributed Firewall runs in every hypervisor, so security policy is consistent everywhere VCF is deployed. One policy set covers all sites — no per-location appliances required.
Typical scenario: A manufacturing company with 40 plant locations deploys VCF with Distributed Firewall at each site. Security policies are defined centrally and enforced consistently across all locations — eliminating 40 separate firewall appliances and their individual management overhead.
Traditional perimeter firewalls sit at the network edge and inspect traffic entering or leaving the data center. The Distributed Firewall operates inside the hypervisor at each workload, providing security where the traffic actually flows.
These are the capabilities that differentiate vDefend Distributed Firewall from traditional firewall approaches. Each addresses a specific limitation of perimeter-only security.
Per-workload stateful Layer 7 firewall built into the hypervisor kernel. Every VM and container gets its own firewall boundary enforced at the virtual NIC — before traffic reaches the network.
API-driven, object-based policy model. Define firewall policies using workload attributes and tags instead of IP addresses. Integrate with CI/CD pipelines and automate policy deployment alongside application releases.
Pre-create security policies before workloads are deployed. When a new VM is provisioned, the correct policies are enforced immediately. When a VM moves via vMotion, its firewall policies follow automatically.
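The object-based policy model described above (tags instead of IP addresses, policy that follows a VM when it moves or is newly provisioned), the compromised-web-server scenario and the PCI tagging scenario can all be seen in one small model. The following is an added example, not VMware's code or API: the Group and Rule object shapes are modelled on the NSX Policy API that vDefend DFW is built on, but the inventory, tags, group and rule contents, the evaluator and the as_api_json helper are constructed for illustration, and field names should be verified against your NSX version before anything is sent to a real endpoint.

```python
"""Tag-based micro-segmentation policy, modelled and evaluated offline.

Added example, not VMware's code. Object shapes (Group with a tag Condition,
SecurityPolicy with ordered Rules) are modelled on the NSX Policy API, but the
inventory, groups, rules and evaluator are constructed for illustration.
"""
from dataclasses import dataclass, field
import json


@dataclass
class VM:
    name: str
    ip: str                      # incidental: changes on re-IP/vMotion, never referenced by policy
    tags: set = field(default_factory=set)


# Constructed inventory. Tags use NSX's "scope|tag" form.
INVENTORY = {
    "web-01": VM("web-01", "10.1.1.10", {"tier|web", "env|pci"}),
    "web-02": VM("web-02", "10.1.1.11", {"tier|web", "env|pci"}),
    "db-01": VM("db-01", "10.1.2.20", {"tier|db", "env|pci"}),
    "office-01": VM("office-01", "10.9.0.5", {"tier|office"}),
}


def tag_group(gid, tag):
    """Group whose membership is a tag condition on VirtualMachine objects, not an IP list."""
    return {"resource_type": "Group", "id": gid, "display_name": gid,
            "expression": [{"resource_type": "Condition", "member_type": "VirtualMachine",
                            "key": "Tag", "operator": "EQUALS", "value": tag}]}


GROUPS = {g["id"]: g for g in (
    tag_group("pci-web", "tier|web"),
    tag_group("pci-db", "tier|db"),
    tag_group("pci-cde", "env|pci"),
)}


def rule(name, seq, src, dst, tcp_ports, action):
    """Ordered rule. src/dst are group ids or "ANY"; tcp_ports is a list or "ANY".
    (Real rules reference Service paths rather than raw ports; ports are used here for brevity.)"""
    return {"resource_type": "Rule", "display_name": name, "sequence_number": seq,
            "source_groups": [src], "destination_groups": [dst],
            "services": tcp_ports, "action": action}


POLICY = {"resource_type": "SecurityPolicy", "id": "pci-app", "category": "Application",
          "rules": [rule("web-to-db", 10, "pci-web", "pci-db", [3306], "ALLOW"),
                    rule("cde-default-deny", 20, "ANY", "pci-cde", "ANY", "DROP")]}

# NSX ships with its Default Layer3 Rule set to ALLOW; production micro-segmentation
# flips it to DROP once the allow list is complete. This model assumes that has been done.
DEFAULT_ACTION = "DROP"


def members(gid, inventory):
    """Resolve effective membership from current tags; nothing here depends on IPs."""
    want = GROUPS[gid]["expression"][0]["value"]
    return {vm.name for vm in inventory.values() if want in vm.tags}


def _matches(refs, vm_name, inventory):
    return refs == ["ANY"] or any(vm_name in members(g, inventory) for g in refs)


def evaluate(src_vm, dst_vm, port, inventory=INVENTORY, policy=POLICY):
    """First matching rule wins, as within a DFW policy section. Returns (rule name, action)."""
    for r in sorted(policy["rules"], key=lambda r: r["sequence_number"]):
        if (_matches(r["source_groups"], src_vm, inventory)
                and _matches(r["destination_groups"], dst_vm, inventory)
                and (r["services"] == "ANY" or port in r["services"])):
            return r["display_name"], r["action"]
    return "default", DEFAULT_ACTION


def provision(inventory, name, ip, tags):
    """A new VM is covered by existing policy the moment it carries the right tags."""
    inventory[name] = VM(name, ip, set(tags))


def as_api_json():
    """Objects in the shape they would be sent to the Policy API (an assumption; verify first)."""
    return json.dumps({"groups": list(GROUPS.values()), "policy": POLICY}, indent=2)


if __name__ == "__main__":
    print(evaluate("web-01", "db-01", 3306))   # ('web-to-db', 'ALLOW'): the app's own DB flow
    print(evaluate("web-01", "db-01", 22))     # ('cde-default-deny', 'DROP'): no SSH pivot from web to db
    INVENTORY["db-01"].ip = "10.1.3.20"        # re-IP or vMotion: decision unchanged
    print(evaluate("web-01", "db-01", 3306))   # ('web-to-db', 'ALLOW')
    provision(INVENTORY, "db-02", "10.1.2.21", {"tier|db", "env|pci"})
    print(evaluate("web-01", "db-02", 3306))   # ('web-to-db', 'ALLOW'): new VM covered immediately
```

Run it and note three things: changing db-01's IP does not change any decision, db-02 is covered the moment it carries the tier|db and env|pci tags, and a compromised web-01 can still reach db-01 on 3306. The firewall narrows lateral movement to the permitted flow; it does not remove it.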
Full-stack access control from Layer 2 through Layer 7. Application identity, user identity, and URL filtering capabilities. Inspect application-level traffic without dedicated appliances or traffic redirection.
Traffic analysis that maps application dependencies and recommends firewall policies automatically. See which workloads communicate, identify unexpected connections, and generate policies based on observed traffic patterns.
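The flow-analysis capability above turns observed traffic into recommended rules. As an added example, not VMware's flow-analysis feature, the following shows the core idea in Python: aggregate flow records by source tier, destination tier and service, promote steady flows to allow-rule candidates, and hold rare flows back for review rather than allow-listing them. The flow records, the IP-to-tier map and the packet threshold are constructed for the example.

```python
"""Deriving recommended rules from observed east-west flows.

Added example, not VMware's flow-analysis feature. Flow records, tier map and
threshold are constructed; the logic shows the idea: aggregate by (source tier,
destination tier, service), allow-list steady flows, flag rare ones for review.
"""
from collections import defaultdict

# Constructed IP-to-tier map (in practice derived from NSX tags and groups).
TIER = {"10.1.1.10": "web", "10.1.1.11": "web", "10.1.2.20": "db", "10.9.0.5": "office"}

# Constructed flow records: (src_ip, dst_ip, proto, dst_port, packets).
FLOWS = [
    ("10.1.1.10", "10.1.2.20", "tcp", 3306, 5400),
    ("10.1.1.11", "10.1.2.20", "tcp", 3306, 5100),
    ("10.9.0.5", "10.1.1.10", "tcp", 443, 820),
    ("10.9.0.5", "10.1.1.11", "tcp", 443, 790),
    ("10.1.1.10", "10.1.2.20", "tcp", 22, 3),      # one-off SSH from web to db: suspicious
    ("10.1.1.10", "10.1.1.11", "tcp", 445, 2),     # SMB between web nodes: suspicious
]


def aggregate(flows, tier_of):
    """Collapse per-IP flows into (src_tier, dst_tier, proto, port) -> (flow_count, packets)."""
    agg = defaultdict(lambda: [0, 0])
    for src, dst, proto, port, pkts in flows:
        key = (tier_of.get(src, "unknown"), tier_of.get(dst, "unknown"), proto, port)
        agg[key][0] += 1
        agg[key][1] += pkts
    return {k: tuple(v) for k, v in agg.items()}


def recommend(flows, tier_of, min_packets=100):
    """Split aggregated flows into allow-rule candidates and flows needing human review.
    The packet threshold is a constructed stand-in; real tooling also weighs time windows
    and how many distinct peers exhibit the flow."""
    allow, review = [], []
    for (s, d, proto, port), (n, pkts) in sorted(aggregate(flows, tier_of).items()):
        entry = {"source": s, "destination": d, "service": f"{proto}/{port}",
                 "flows": n, "packets": pkts}
        (allow if pkts >= min_packets else review).append(entry)
    return allow, review


def to_rules(allow, seq_start=10):
    """Render candidates as ordered allow rules followed by an explicit default deny."""
    rules = [{"display_name": f"{a['source']}-to-{a['destination']}-{a['service']}",
              "sequence_number": seq_start + 10 * i,
              "source_groups": [a["source"]], "destination_groups": [a["destination"]],
              "services": [a["service"]], "action": "ALLOW"}
             for i, a in enumerate(allow)]
    rules.append({"display_name": "default-deny",
                  "sequence_number": seq_start + 10 * len(allow),
                  "source_groups": ["ANY"], "destination_groups": ["ANY"],
                  "services": ["ANY"], "action": "DROP"})
    return rules


if __name__ == "__main__":
    allow, review = recommend(FLOWS, TIER)
    for r in to_rules(allow):
        print(r["sequence_number"], r["display_name"], r["action"])
    for r in review:
        print("REVIEW:", r)   # web->db tcp/22 and web->web tcp/445 are not allow-listed
```

The two low-volume flows (SSH from a web node to the database, SMB between web nodes) are exactly the ones an automated "allow what we observed" pass must not codify; review them before the default deny at the end of the generated policy goes live.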
Works with VMs and containers. Firewall capacity grows as you add hosts, because every hypervisor in the cluster contributes processing for its own workloads; there is no separate throughput planning for a firewall appliance.
VMware vDefend includes three security products. Each addresses a different layer of data center security. Organizations typically start with Distributed Firewall for east-west micro-segmentation and add Gateway Firewall or ATP based on their threat model.
All vDefend products require VMware Cloud Foundation as the base platform. Distributed Firewall and Gateway Firewall can be deployed independently. ATP adds threat detection capabilities on top of either firewall product.
VMware vDefend Distributed Firewall is a software-defined Layer 7 micro-segmentation firewall built directly into the vSphere hypervisor. Unlike traditional perimeter firewalls that only inspect north-south traffic at the network edge, the Distributed Firewall inspects east-west traffic between workloads inside the data center.
It enforces per-workload stateful firewall policies without requiring network changes, traffic hairpinning, or dedicated firewall appliances. Policies are defined using workload attributes and tags — not IP addresses — so they follow VMs automatically when they move.
VMware Cloud Foundation includes NSX with a basic distributed firewall for L2-L4 filtering. This provides basic network-level access control between workloads.
vDefend Distributed Firewall extends this with Layer 7 application identity, user identity-based access control, URL filtering, intelligent flow visualization, and automated policy recommendations. It is designed for organizations that need advanced micro-segmentation and zero-trust capabilities beyond basic network filtering.
No network changes are required. The Distributed Firewall is built into the hypervisor kernel and enforces policy at the virtual NIC of each workload. There are no network topology changes, no traffic hairpinning through external appliances, and no agents to install inside VMs.
Policies are applied automatically when workloads are provisioned and follow VMs when they move via vMotion. This is one of the primary advantages over traditional firewall approaches that require routing changes or traffic steering to direct traffic through appliances.
vDefend Distributed Firewall is sold as an add-on subscription to VMware Cloud Foundation. VCF is the base platform requirement — you cannot purchase vDefend Distributed Firewall as a standalone product.
The Gateway Firewall component is available separately for organizations that only need north-south perimeter firewall capabilities. Advanced Threat Prevention (ATP) adds sandboxing and network traffic analysis on top of either firewall product.
Contact an authorized VMware reseller like VirtualizationWorks for pricing based on your core count and security requirements.
Yes, it can be used for PCI-DSS segmentation. PCI-DSS requires network segmentation of cardholder data environments. The Distributed Firewall provides micro-segmentation at the workload level, more granular than the VLAN-based segmentation most organizations use today.
Policies are defined as code, auditable, and enforced consistently across the environment. Organizations use it to meet segmentation requirements for PCI-DSS, HIPAA, and other compliance frameworks without deploying additional firewall appliances or managing complex VLAN architectures.
VirtualizationWorks is an authorized VMware reseller. We help IT and security teams evaluate vDefend Distributed Firewall, size deployments, compare licensing options, and plan micro-segmentation strategies for their environment.