- \n
- “Web talks to backend on 443”
instead of<\/li>\n<\/ul>\n\n\n\n- \n
- “10.10.10.0\/24 talks to 10.10.20.0\/24 on 443”<\/li>\n<\/ul>\n\n\n\n
Example: You add a new backend VM. With IP rules, you update firewall policy. With tags, you simply apply app=backend<\/strong>. Policy follows automatically.<\/p>\n\n\n\n
![\"\"](\"\/wp-content\/uploads\/2025\/12\/image-1.png\")
<\/figure>\n\n\n\nPros<\/strong><\/p>\n\n\n\n
- \n
- Policies scale naturally (no rule edits on scale-out)<\/li>\n<\/ul>\n\n\n\n
- \n
- Clearer security intent for audits and reviews<\/li>\n<\/ul>\n\n\n\n
- \n
- Works perfectly with IaC (Terraform\/Ansible\/GitOps)<\/li>\n<\/ul>\n\n\n\n
Cons<\/strong><\/p>\n\n\n\n
- \n
- Tag governance is mandatory (or you get outages)<\/li>\n<\/ul>\n\n\n\n
- \n
- Mistagging can open access or block production<\/li>\n<\/ul>\n\n\n\n
- \n
- Requires naming standards and ownership rules<\/li>\n<\/ul>\n\n\n\n
<\/p>\n\n\n\n
DFW is only as good as your tagging discipline. If tags are treated like a first-class asset (enforced, audited, standardized), NSX-T security becomes clean and resilient. If tags are ad hoc, you end up debugging policy more than traffic.<\/p>\n","protected":false},"excerpt":{"rendered":"
Distributed Firewall (DFW) is powerful, but it becomes truly scalable only when you stop thinking in IPs. IP-based rules still work, but they don’t age well in dynamic environments: VMs move, IPs change, autoscaling expands, and suddenly your policy becomes fragile. The NSX-T mindset is intent-based security: Example: You add a new backend VM. With […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"_links":{"self":[{"href":"https:\/\/bogdanburuiana.com\/index.php\/wp-json\/wp\/v2\/posts\/1447"}],"collection":[{"href":"https:\/\/bogdanburuiana.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/bogdanburuiana.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/bogdanburuiana.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/bogdanburuiana.com\/index.php\/wp-json\/wp\/v2\/comments?post=1447"}],"version-history":[{"count":1,"href":"https:\/\/bogdanburuiana.com\/index.php\/wp-json\/wp\/v2\/posts\/1447\/revisions"}],"predecessor-version":[{"id":1449,"href":"https:\/\/bogdanburuiana.com\/index.php\/wp-json\/wp\/v2\/posts\/1447\/revisions\/1449"}],"wp:attachment":[{"href":"https:\/\/bogdanburuiana.com\/index.php\/wp-json\/wp\/v2\/media?parent=1447"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/bogdanburuiana.com\/index.php\/wp-json\/wp\/v2\/categories?post=1447"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/bogdanburuiana.com\/index.php\/wp-json\/wp\/v2\/tags?post=1447"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
- Requires naming standards and ownership rules<\/li>\n<\/ul>\n\n\n\n
- Mistagging can open access or block production<\/li>\n<\/ul>\n\n\n\n
- Tag governance is mandatory (or you get outages)<\/li>\n<\/ul>\n\n\n\n
- Works perfectly with IaC (Terraform\/Ansible\/GitOps)<\/li>\n<\/ul>\n\n\n\n
- Clearer security intent for audits and reviews<\/li>\n<\/ul>\n\n\n\n
- Policies scale naturally (no rule edits on scale-out)<\/li>\n<\/ul>\n\n\n\n
- “10.10.10.0\/24 talks to 10.10.20.0\/24 on 443”<\/li>\n<\/ul>\n\n\n\n