
Here we go. This is another big chunk of VMware technology. I should have started this article a long time ago, but I always got carried away. I have decided to discuss this topic over a couple of posts (it’s big, isn’t it?). Since there is not much information around, I will do my best to explain what I have learned and understood. If I have made mistakes, please let me know. Thanks.

Why do we need vShield?

Before we explain how and what, we need to understand why VMware makes this product. It’s all about vCloud. VMware’s ambition is to hold multiple companies’ infrastructures in one virtual datacenter. In other words, a vDC needs to hold different companies’ private clouds and hybrid clouds. Hence, VMware needs a product to isolate vClouds, acting both as an internal firewall (isolation) and as a gateway between the datacenter and the enterprise private cloud, plus a neutral anti-virus system that scans the VMs without causing performance problems or leaking confidential information. That’s why vShield is must-have software with vCloud Director.

Family members of VMware vShield

VMware vShield has different parts for different purposes. Let’s take a look.


At first glance, vEdge, vZone, vApp, vEndpoint and even the Manager look very similar. That’s where you start to get a headache. VMware’s strategy is clear: VMware gives you different appliances (OVA files), and you install them into your VMware platform and run them as normal Linux VMs. Each Linux VM then installs components into the ESX hosts and changes VM configuration files so that the modules running on the host take effect.

VMware vShield Manager:

Why do I introduce this part first? Because it is the backbone of the whole vShield product line. It installs a new tab into your vSphere Client and allows you to manage the entire vShield family. It’s based on Linux and supports SSH, a web console, the vSphere Client and a REST API. Most importantly, it generates the other vShield components for installation. If you go to the VMware website, you can download this OVA file.

This Open Virtualization Archive (OVA) file includes vShield Manager, vShield Edge, vShield App and vShield Endpoint. The vShield App, Endpoint, and Edge components are managed by vShield Manager. The minimum requirements for vShield products are vSphere 4.0 U1 (Essentials Plus and above), vCenter 4.0 and vSphere Client 4.1. Only vShield Endpoint requires vSphere 4.1.

Please be aware: vSphere Manager VM is vMotionable.

VMware vShield Zones:


This is the basic firewall product; vShield App is the upgraded version of Zones. The vShield Manager generates a customized OVA file (according to your answers in the wizard) and installs it on the host where you want vZones. It is loaded onto each ESX/ESXi host as part of a kernel module, and it creates its own vSwitch to filter the traffic. Please be aware that each host will have its own Linux VM running as the VMware Zones VM, and it can’t be vMotioned! You may have to power it off manually if you want to enter maintenance mode.


Notice: As you see from the picture, each host will have its own vZone VM.


The error I got when I tried to vMotion the vZone VM.


Well, it is a firewall after all. It has the same infrastructure as vShield App, but it can’t do App’s work because of licensing. According to the VMware site:

Get basic firewalling of traffic between virtual machines with vShield Zones, allowing for connections to be filtered and grouped based on the 5-tuple – source IP address, destination IP address, source port, destination port, protocol. Depending on how services are virtualized, this may be sufficient for security policies that do not require much granularity.

So what doesn’t it do? Let’s check out vShield App.

VMware vShield App:


Here it is: the advanced version of the firewall, for internal protection. It not only does what vZone does, it also understands traffic at the application level.

vShield works with logical concepts to group VMs. You can therefore group VMs by function, department or organizational need instead of just by IP or VLAN, which is what vShield tries to avoid relying on. In a traditional infrastructure, an internal firewall can only use VLANs to isolate VMs in the cluster. Now you have many more options and much more power.
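To make the difference concrete, here is a small model that evaluates the same "web may reach the database" policy once as a 5-tuple rule and once as a logical-group rule. It is an added illustration, not vShield's rule format or API; the `Flow`, `Rule`, `decide_by_*` and `compare` names, the addresses and the group inventory are all constructed for the example, and group membership is assumed to be looked up by the VM's current IP.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Flow:                      # the 5-tuple of one connection
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str

@dataclass(frozen=True)
class Rule:                      # source port is left as "any" in this model
    src: str                     # CIDR (tuple mode) or group name (group mode)
    dst: str
    dst_port: Optional[int]      # None = any port
    proto: str
    action: str

def _port_proto_ok(rule, flow):
    return rule.proto == flow.proto and rule.dst_port in (None, flow.dst_port)

def decide_by_tuple(rules, flow, default="deny"):
    """First match wins; addresses are compared against CIDR ranges."""
    for r in rules:
        if (_port_proto_ok(r, flow)
                and ip_address(flow.src_ip) in ip_network(r.src)
                and ip_address(flow.dst_ip) in ip_network(r.dst)):
            return r.action
    return default

def decide_by_group(rules, flow, groups, default="deny"):
    """First match wins; `groups` maps a VM's current IP to its logical group."""
    for r in rules:
        if (_port_proto_ok(r, flow)
                and groups.get(flow.src_ip) == r.src
                and groups.get(flow.dst_ip) == r.dst):
            return r.action
    return default

# Constructed sample inventory and policy (hypothetical, not from a real deployment).
GROUPS = {"10.0.1.10": "web", "10.0.5.7": "web", "10.0.1.99": "hr", "10.0.2.20": "db"}
TUPLE_RULES = [Rule("10.0.1.0/24", "10.0.2.20/32", 3306, "tcp", "allow")]
GROUP_RULES = [Rule("web", "db", 3306, "tcp", "allow")]

def compare(src_ip):
    """Return (5-tuple verdict, group verdict) for a MySQL connection to the db VM."""
    flow = Flow(src_ip, "10.0.2.20", 49152, 3306, "tcp")
    return decide_by_tuple(TUPLE_RULES, flow), decide_by_group(GROUP_RULES, flow, GROUPS)
```

A web VM placed outside the original subnet (`10.0.5.7`) is denied by the 5-tuple rule but allowed by the group rule, while an unrelated VM that happens to sit in the web subnet (`10.0.1.99`) is allowed by the 5-tuple rule and denied by the group rule.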


VMware vShield Edge:


This is designed purely for a vDC that holds different private clouds on its platform. If we consider vShield App the internal firewall, then vEdge is the external firewall.

Get essential security capabilities including port group isolation, network security gateway services and web load balancing for performance and availability. vShield Edge is deployed as a virtual appliance to provide firewall, VPN, Web load balancer, NAT, and DHCP services. Eliminate the need for VLANs by creating a barrier between the virtual machines protected by vShield Edge and the external network for port group isolation.

VMware vShield Endpoint:


This is VMware’s cloud-based anti-virus solution. It’s designed for cloud and VDI environments. There are lots of details and pictures I would like to show you, but let’s start with a brief overview of what it can do.


Offload key antivirus and anti-malware functions to a hardened, tamperproof security virtual machine, eliminating agent footprint. The robust and secure hypervisor introspection capabilities in vSphere prevent compromise of the antivirus and anti-malware service. vShield Endpoint plugs directly into vSphere and consists of hardened security virtual machine (delivered by VMware partners), a driver for virtual machines to offload file events, and the VMware Endpoint security (EPSEC) loadable kernel module (LKM) to link the first two components at the hypervisor layer.


As I mentioned at the beginning, it’s a big topic. In the next post, I will break vShield down into small pieces. Let’s see how it goes.







  1. Great post dude! At least I can ask my junior now to start learning vShield from here.

  2. During the install of vshield apps it says not to install on the same cluster as vshield manager or it could cause issues? Your thoughts? I was hoping to have vShield Manager and Vshield apps all running on my esx hosts in my dmz to keep them isolated??
