Enhancing Firewall Flexibility in VMware Cloud Director 10.6.1

With VMware Cloud Director 10.6.1, service providers gain greater flexibility and control over firewall configurations, ensuring compliance with licensing entitlements while delivering scalable, high-value security services. This update aligns with VMware Cloud Foundation (VCF) networking licensing, enabling providers to selectively offer the VMware Advanced Networking & Security (ANS) Add-On to customers based on their needs and cost agreements.

Impact of VMware NSX Licensing Changes

Recent changes to VMware’s NSX licensing model have significantly altered how firewall features are provisioned. Under the new structure:

  • Stateless Firewall is included in VMware Cloud Foundation (VCF)
  • Stateful Firewall now requires an additional, separate license (documented here)

This change impacts how service providers manage network security within VMware Cloud Director environments. To address these shifts, Cloud Director 10.6.1 introduces new controls that give providers flexibility in defining which firewall type—stateless or stateful—is available to their tenants. This ensures security policies align with business needs while optimizing costs associated with VMware licensing.

VMware Cloud Director with NSX supports both stateful and stateless firewalls, each serving different security needs:

What is a Stateless Firewall?

A stateless firewall inspects traffic on a per-packet basis without maintaining the state of active connections. Unlike stateful firewalls, which track the context of traffic flow, stateless firewalls apply predefined rules to each packet independently.

💡 Key Benefits:
✔ Faster packet processing for high-performance workloads.
✔ Ideal for perimeter protection and edge security use cases.
✔ Lower resource consumption compared to stateful firewalls.

Stateful vs. Stateless Firewalls in Cloud Director

| Feature | Stateful Firewall | Stateless Firewall |
|---|---|---|
| Connection Tracking | ✅ Maintains connection state | ❌ No connection awareness |
| Security Context | ✅ Applies rules based on traffic flow | ❌ Evaluates each packet independently |
| Performance | Higher resource usage | Lightweight, optimized for speed |
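
To make the per-packet versus connection-tracking difference concrete, here is an added example (not from the original post and not VMware or NSX code) that runs the same constructed traffic through a toy stateless filter and a toy stateful filter. The rule format, function names, and addresses are hypothetical and exist only for this illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

@dataclass(frozen=True)
class Rule:
    src: object    # "any" or an exact address
    sport: object  # "any" or an exact port
    dst: object
    dport: object

    def matches(self, p):
        pairs = ((self.src, p.src), (self.sport, p.sport),
                 (self.dst, p.dst), (self.dport, p.dport))
        return all(want == "any" or want == got for want, got in pairs)

def stateless_filter(rules, packets):
    """Judge every packet alone against the rule list (default deny)."""
    return [any(r.matches(p) for r in rules) for p in packets]

def stateful_filter(rules, packets):
    """Rules admit new flows; later packets are matched to tracked flows."""
    flows, verdicts = set(), []
    for p in packets:
        key = (p.src, p.sport, p.dst, p.dport)
        reverse = (p.dst, p.dport, p.src, p.sport)
        if key in flows or reverse in flows:
            verdicts.append(True)        # belongs to an allowed connection
        elif any(r.matches(p) for r in rules):
            flows.add(key)               # remember the new connection
            verdicts.append(True)
        else:
            verdicts.append(False)
    return verdicts

# Constructed sample traffic using documentation addresses (RFC 5737).
VM, WEB = "192.0.2.10", "198.51.100.20"
TRAFFIC = [
    Packet(VM, 50000, WEB, 443),   # outbound request from the workload
    Packet(WEB, 443, VM, 50000),   # reply to that request
    Packet(WEB, 443, VM, 3389),    # unsolicited packet with source port 443
]
EGRESS = [Rule(VM, "any", WEB, 443)]
RETURN = Rule(WEB, 443, VM, "any")  # extra rule a stateless policy needs for replies

if __name__ == "__main__":
    print("stateful          ", stateful_filter(EGRESS, TRAFFIC))
    print("stateless         ", stateless_filter(EGRESS, TRAFFIC))
    print("stateless + return", stateless_filter(EGRESS + [RETURN], TRAFFIC))
```

In this model the egress rule alone is enough for the stateful filter, while the stateless filter drops the reply until a return rule is added, and that return rule also admits the unsolicited third packet. Rule sets intended for stateless enforcement are worth reviewing for how return traffic is matched.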

Configuring in Cloud Director

This feature is designed to help cloud service providers who wish to control which tenants can access Stateless/Stateful Firewall services. The goal is to enforce better governance over the consumption of advanced network services, such as Stateful Firewall and Distributed Firewall.

The license selection is made at the Edge Cluster level in VCD. The service provider determines which type of firewall can be applied to a specific Edge Cluster. Consequently, all Provider/Organization and vApp Edge Gateways utilizing that cluster will have firewall rules configured as either stateful or stateless, depending on the selection.

This results in corresponding changes in NSX, while the firewall rule configuration remains the same in VCD. Below is the VMware Cloud Director (VCD) view of the Org VDC Edge Gateway firewall configuration deployed on an Edge Cluster designated with the stateless firewall option inside NSX Manager.

NOTE: Changing an Edge Cluster from Stateful to Stateless or vice versa will not impact existing deployed Gateways.

Gateway Firewall Enforcement Control in VCD

One key use case is when a service provider or tenant is using an appliance-based third-party firewall instead of the NSX-integrated firewall in Cloud Director. In such cases, they may not require NSX-based firewall enforcement and prefer to manage security through their own solution. This feature allows them to disable the NSX firewall, ensuring flexibility in security architecture without unnecessary conflicts.

With this release, both service providers and tenants can disable or enable the firewall at the Provider or Org Gateway level without removing existing firewall rules. A new “Active” switch has been introduced in the Firewall UI (top right corner), allowing users to toggle firewall enforcement as needed while preserving the configured rules.

Conclusion

The new firewall flexibility in Cloud Director 10.6.1 ensures that service providers can:

  • Optimize licensing costs by choosing stateless or stateful firewall options.
  • Align security offerings with customer needs.
  • Enhance governance and compliance around advanced network security services.
  • Seamlessly integrate third-party firewall solutions into their cloud environments.

By leveraging these new capabilities, Cloud Director providers can deliver scalable, efficient, and cost-effective security solutions while adapting to the evolving VMware NSX licensing model.

Cloud Director 10.6.1 Release Notes Published Here
