• Mike Ghazaleh

How to write NSX-T firewall rules with IP Addresses

One of the most common things I hear from my students when they're learning to configure the NSX-T Distributed Firewall, is: "How can I configure a firewall rule to a specific IP address in NSX?"

Technically, this was possible in all versions of NSX-T, but you had to create a group, and make the individual IP a member of that group. Ouch. Kinda painful.

In NSX-T 3.2 however, this is no longer an issue. In this article, I'm going to show you exactly how to accomplish this.

Why do we need to do this?

For all of your VMs, NSX can easily firewall, and writing rules for those VMs is something covered extensively in my courses here @ Most datacenters, however, aren't 100% virtualized. As a result, you likely have a few legacy servers that can't be prepped for NSX-T. If you want to control communication between your VMs and these servers, this is a great solution.

VM to Bare Metal Lab Setup

In the diagram below, we have a single VM (, and a legacy server ( Our objective is to block communication between these two. Note that we do not need to prep the legacy server, or install anything on it. The VM, however, must be on an NSX-T-prepped host, and must be connected to a Distributed Port Group which is configured for NSX-T.

VM to Bare Metal Lab Setup

Our first step is to create a new policy, and a new rule under that policy. Easy enough! To do this, we can simply hit "Add Policy", then click the three little dots next to our new policy, and select "Add Rule". The screenshot below is what you should have after these steps.

Configuring firewall rules in NSX-T screenshot
Creating our Policy ("VM->Bare Metal Policy")

Next, we need to specify our source in our firewall rule. To do that, we'll just click the pencil icon next to "Any" under Source. Then, we select our group that contains our Source VM:

Selecting a Source Group in NSX-T
Selecting our Source Group

NOTE: In the step above, we selected a group that contained our VM. We could have alternately simply selected the "IP Addresses (0)" menu item in the above screenshot, and put the source IP of the VM. Both are valid options.

At this point, your rule should look like this:

For our next step, we'll configure the destination for the firewall rule. This is the same process as we did for the source, but one major change - instead of selecting a Group, we're going to select "IP Addresses" and input the IP address in CIDR format for our Legacy Server.

Setting firewall rule with IP address in NSX-T
Be sure to select "IP Addresses" when choosing your Destination

Next, we just input our IP address (or even an entire subnet). Make sure it's in CIDR format like below. To make the configuration stick, you'll want to hit "tab" or enter:

That's it! For the final step, make sure you change "Action" to either Drop or Reject. Once you've done that, you should have a similar result to the screenshot below:


That's really all there is to it! At this point, we're now blocking all traffic (note that we didn't specify a specific TCP or UDP port- that would be done under "Services" in the above screenshot) between our VM, and the Legacy Server.

While you're here, if you haven't checked out our VMware On-Demand Video training, you should absolutely do that before you leave! We're releasing new video courses which are packed full of hands-on demonstrations and actual video (with yours truly!). You can check out our current courses here.


Recent Posts

See All