[VMC] Third-Party Firewalls deployed within VMC on AWS SDDCs



Article ID: 422610


Products

VMware Cloud on AWS

Issue/Introduction

Supportability of third-party firewalls as inline SDDC security components within VMware Cloud on AWS


Resolution

VMware Cloud on AWS does not support third-party firewalls as inline SDDC security components.

While customers may deploy third-party software within the SDDC, VMware by Broadcom does not validate, integrate, or support firewall appliances that modify or override the NSX-managed routing and security services.

VMC relies on the NSX Distributed Firewall (east-west) and the NSX Gateway Firewall (north-south) as the supported enforcement mechanisms. Routing and packet flow inside the SDDC are managed exclusively by NSX-T.

Running third-party firewall VMs in the traffic path inside the SDDC places them in a role that VMware does not support, that the AWS/VMware architecture guides do not recommend, and that NSX-T routing does not natively accommodate. This can lead to operational issues that cannot be resolved within the VMC support boundaries.

Third-party firewall VMs can cause instability and unexpected behavior

Firewall VMs placed in the traffic path inside the SDDC can conflict with:

  • NSX-T routing
  • Distributed Firewall rules
  • Edge Gateway policies
  • VMC’s managed networking lifecycle

This can result in packet drops, asymmetric routing, failover problems, performance issues, and connectivity failures that VMware Support cannot remediate.

AWS and VMware recommend placing third-party NGFW appliances in a dedicated Security or Transit VPC, NOT inside the SDDC

Official design guidance from both AWS and VMware advises deploying next-generation firewalls outside the SDDC and integrating them via VMware Transit Connect or a Transit/Security VPC.

AWS Partner Blog: Integrating Third-Party Firewall Appliances with VMware Cloud on AWS Using VMware Transit Connect

This model provides:

  • Supported routing behavior
  • Scalable traffic inspection
  • High availability
  • Clean separation between managed NSX components and third-party firewalls

Recommended and Supported Solutions

To maintain a stable, supportable environment while still achieving the required inspection and security capabilities, VMware and AWS recommend:

  1. Deploy third-party firewalls in a dedicated Security/Transit VPC

    Connect them to the SDDC using:

    - VMware Transit Connect
    - AWS Transit Gateway routing
    - Appropriate inspection VPC architectures

  2. Use NSX Distributed Firewall and Gateway Firewall for intra-SDDC security

    These components are fully managed and supported as part of the VMC service.
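The "asymmetric routing" symptom described above, and the Security/Transit VPC design recommended in steps 1 and 2, both come down to the AWS Transit Gateway route tables: every spoke (the SDDC attachment reached via VMware Transit Connect, and each native workload VPC) must send traffic to the inspection VPC, and the inspection VPC's route table must know the real destination of each prefix, so that both directions of a flow cross the same stateful firewall exactly once. The following is an added example, not code from the KB article, VMware, or AWS: it models TGW route tables with longest-prefix matching over constructed data (attachment names, route-table names and CIDRs are hypothetical) and traces a flow in both directions, flagging the common mistake of a more-specific route on the workload VPC side that bypasses the firewall. In a real account the tables would come from `ec2 search-transit-gateway-routes` rather than from the inline dictionaries.

```python
"""
Check that traffic between a VMC SDDC (on Transit Connect / AWS Transit Gateway)
and a native workload VPC is inspected symmetrically by a firewall in a dedicated
Security/Inspection VPC.

Added example; route tables, attachment names and CIDRs are constructed and
hypothetical, chosen to illustrate the KB article's design guidance.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

Route = Tuple[str, str]  # (destination CIDR, next-hop attachment)

# Route table each TGW attachment is associated with (hypothetical names).
ASSOCIATION = {
    "att-sddc": "rt-sddc",
    "att-workload-vpc": "rt-workload",
    "att-inspection-vpc": "rt-inspection",
}

# Attachment behind which each prefix actually lives (hypothetical CIDRs).
PREFIX_OWNER = {
    "10.10.0.0/16": "att-sddc",          # SDDC workload segments
    "10.20.0.0/16": "att-workload-vpc",  # native AWS workload VPC
}

# Recommended design: each spoke defaults to the inspection VPC; the inspection
# route table holds the specific routes back to the real destinations.
GOOD_TABLES: Dict[str, List[Route]] = {
    "rt-sddc":       [("0.0.0.0/0", "att-inspection-vpc")],
    "rt-workload":   [("0.0.0.0/0", "att-inspection-vpc")],
    "rt-inspection": [("10.10.0.0/16", "att-sddc"),
                      ("10.20.0.0/16", "att-workload-vpc")],
}

# Broken design: the workload VPC also has a more specific route straight to the
# SDDC, so return traffic skips the firewall (asymmetric routing); a stateful
# firewall that never saw the return half of the flow will drop the session.
BAD_TABLES: Dict[str, List[Route]] = {
    "rt-sddc":       [("0.0.0.0/0", "att-inspection-vpc")],
    "rt-workload":   [("0.0.0.0/0", "att-inspection-vpc"),
                      ("10.10.0.0/16", "att-sddc")],
    "rt-inspection": [("10.10.0.0/16", "att-sddc"),
                      ("10.20.0.0/16", "att-workload-vpc")],
}


def lookup(table: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix match: next-hop attachment for dst, or None (blackhole)."""
    ip = ipaddress.ip_address(dst)
    best: Optional[Tuple[int, str]] = None
    for cidr, hop in table:
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, hop)
    return best[1] if best else None


def owner_of(dst: str) -> Optional[str]:
    """Attachment that owns the prefix containing dst."""
    ip = ipaddress.ip_address(dst)
    for cidr, att in PREFIX_OWNER.items():
        if ip in ipaddress.ip_network(cidr):
            return att
    return None


def trace(tables: Dict[str, List[Route]], src_att: str, dst: str,
          max_hops: int = 8) -> List[str]:
    """Follow TGW lookups from src_att toward dst. Each attachment in the path
    hands the packet back to the TGW, which consults that attachment's table;
    the trace ends at the owning attachment, at a blackhole, or on a loop."""
    path = [src_att]
    owner = owner_of(dst)
    cur = src_att
    for _ in range(max_hops):
        if cur == owner:
            return path
        nxt = lookup(tables[ASSOCIATION[cur]], dst)
        if nxt is None or nxt in path:
            return path
        path.append(nxt)
        cur = nxt
    return path


def check_symmetric_inspection(tables: Dict[str, List[Route]],
                               a_att: str, a_ip: str, b_att: str, b_ip: str,
                               fw_att: str = "att-inspection-vpc"
                               ) -> Tuple[bool, List[str], List[str]]:
    """True only if both directions reach their destination and pass through
    the inspection attachment exactly once."""
    fwd = trace(tables, a_att, b_ip)
    rev = trace(tables, b_att, a_ip)

    def inspected(path: List[str], dst_att: str) -> bool:
        return path[-1] == dst_att and path.count(fw_att) == 1

    return inspected(fwd, b_att) and inspected(rev, a_att), fwd, rev


if __name__ == "__main__":
    for name, tables in (("good", GOOD_TABLES), ("bad", BAD_TABLES)):
        ok, fwd, rev = check_symmetric_inspection(
            tables, "att-sddc", "10.10.0.5", "att-workload-vpc", "10.20.0.5")
        print(f"{name}: inspected symmetrically={ok}")
        print("  SDDC -> VPC:", " -> ".join(fwd))
        print("  VPC -> SDDC:", " -> ".join(rev))
```

The check deliberately requires the firewall attachment to appear exactly once per direction: zero means a bypass (the `BAD_TABLES` case), more than once would indicate a routing loop through the inspection VPC. Note that nothing in this model places a firewall inside the SDDC; the SDDC's own NSX Distributed Firewall and Gateway Firewall remain the enforcement points for intra-SDDC and SDDC-edge traffic, and the third-party appliance only ever sees traffic after it has left the SDDC through Transit Connect.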