The web application in this example relies on three virtual servers:

  • A web server,
  • An application server, and
  • A database server.


Each server is connected to its own virtual network.

The Distributed Logical Router (Distributed-Router) interconnects these three virtual networks, while the perimeter router (Perimeter-Gateway) connects the physical network to these three virtual networks through a virtual transit network (Transit-Network).

The perimeter router also performs address translation:

  • Source NAT to allow servers to communicate with the Internet,
  • Destination NAT to redirect requests from a public address to the web server.

In this architecture, the rules of the distributed firewall integrated into NSX (perimeter router) resemble the following: