Recently, I’ve been asked about the additional revenue opportunities that can be unlocked with VMware vDefend, beyond its core Distributed Firewall (micro-segmentation) capabilities. This inspired me to explore the advanced features and value-added services that vDefend offers, and how Cloud Service Providers (CSPs) can leverage these to expand their cloud security portfolio and drive new monetization models.
VMware vDefend Core Base Capability
- The fundamental offering is the Distributed Firewall (DFW) — east–west plus north–south firewalling at a software/hypervisor layer.
- It supports Layer 2-7 stateful firewalling, identity- and application-aware policies, dynamic grouping of workloads, etc.
- It’s tightly integrated with VMware Cloud Foundation (VCF).
New Revenue Streams with VMware vDefend Advanced Capabilities:
These are the additional features/capabilities beyond basic micro-segmentation to consider adding to the security services offering portfolio:
- Gateway Firewall
  - In addition to DFW, vDefend includes a “gateway” component for perimeter or segmented-zone control (L2/3/4 firewalling at edge points).
  - Useful for CSPs when offering tenant isolation, controlling ingress/egress traffic, etc.
- Advanced Threat Prevention (ATP) / IDS/IPS / NDR / Sandbox / Traffic Analysis
  - The “vDefend Firewall’s Advanced Threat Prevention” tier adds IDS/IPS, network traffic analysis (NTA), sandboxing, and network detection & response (NDR) capabilities.
  - This is a key value-add for CSPs: it offers not just segmentation but threat detection, prevention, and response.
- Security Intelligence / Segmentation Assessment / Analytics
  - Features like the “Security Segmentation Report” analyze flows to identify segmentation gaps, generate a segmentation score, and provide rule recommendations.
  - The “Security Services Platform (SSP)” is a scale-out architecture for security intelligence and visibility across large environments.
  - Particularly useful for CSPs with multi-tenant, large-scale, possibly complex workloads, offering visibility dashboards and analytics as part of the service.
- Container / Multi-workload Support
  - vDefend supports workloads beyond VMs, including containers, bare metal, etc.
  - Important for CSPs supporting Kubernetes/containers and hybrid or multi-cloud workloads for customers.
- Multi-tenant / Delegated Administration Capabilities
  - Recent enhancements allow for “VPC-Aware Lateral Security”: the ability to apply per-tenant or per-VPC policies, with delegated management for tenants/app owners.
  - Self-Service Micro-segmentation: app owners can define fine-grained policies inside zones defined at the infrastructure level.
  - Vital for CSPs offering tenants self-service while maintaining central control/oversight.
- Geo-IP / Edge Controls
  - Example: Geo-IP filtering at the gateway firewall (allow/block by country) for traffic flows.
  - Useful for compliance/regulatory or global CSP scenarios.
- Air-gapped / Isolated Environment Support
  - The NDR capability now supports environments that do not connect to the public internet for threat intelligence updates (important for regulated/private CSPs).
What This Means for CSP Offerings
If you are a CSP evaluating capability and considering vDefend as part of your security stack/service offering, consider:
- Which tier to offer: basic segmentation (DFW) vs full threat prevention (ATP/IDS/IPS/NDR).
- Tenant / multi-tenant needs: per-tenant segmentation, delegated admin, self-service, etc., all of which vDefend supports.
- Scale & visibility: The analytics & intelligence modules are key for large scale operations.
- Workload types: VMs, containers, bare metal — if you support them, you’ll need the broader features.
- Compliance/regulatory: Policies like geo-IP, offline threat intelligence updates, fully isolated operations.
- Automation/DevOps integration: micro-segmentation as code, API-driven policy creation, integration into CI/CD pipelines, etc.
- Gateway/Edge controls: If offering ingress/egress firewall or edge segmentation for customers, ensure that the gateway firewall capability is included.
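As an added illustration of the “micro-segmentation as code” item above (this is not VMware’s code; it assumes vDefend exposes the NSX Policy API under /policy/api/v1 and that tenant VMs carry one NSX tag per application tier, while the tenant name, group ids and service paths are constructed values), the following Python renders a tenant’s allowed flows into an allow-list policy that closes with a logged default-deny rule, plus the ordered API calls a pipeline job would issue:

```python
from __future__ import annotations
import json

API = "/policy/api/v1"                # assumed NSX Policy API prefix exposed by vDefend
DOMAIN = "/infra/domains/default"     # default policy domain; tenant ids below are constructed

def tier_group(tenant: str, tier: str) -> dict:
    """Dynamic group: any VM carrying the tag '<tenant>-<tier>' becomes a member."""
    return {
        "resource_type": "Group", "id": f"{tenant}-{tier}",
        "expression": [{"resource_type": "Condition", "member_type": "VirtualMachine",
                        "key": "Tag", "operator": "EQUALS", "value": f"{tenant}-{tier}"}],
    }

def build_policy(tenant: str, flows: list[tuple[str, str, str]]) -> dict:
    """flows are (source tier, destination tier, service path) tuples; only these
    are allowed, applied on the destination tier's vNICs, and a closing tenant-wide
    DROP blocks (and logs) anything not declared in code, exposing policy drift."""
    grp = lambda t: f"{DOMAIN}/groups/{tenant}-{t}"
    tiers = sorted({t for src, dst, _ in flows for t in (src, dst)})
    rules = [{"resource_type": "Rule", "id": f"allow-{src}-to-{dst}",
              "sequence_number": 10 * n, "direction": "IN", "action": "ALLOW",
              "source_groups": [grp(src)], "destination_groups": [grp(dst)],
              "services": [svc], "scope": [grp(dst)], "logged": True}
             for n, (src, dst, svc) in enumerate(flows, start=1)]
    rules.append({"resource_type": "Rule", "id": "default-deny",
                  "sequence_number": 10 * (len(flows) + 1), "direction": "IN_OUT",
                  "action": "DROP", "source_groups": ["ANY"], "destination_groups": ["ANY"],
                  "services": ["ANY"], "scope": [grp(t) for t in tiers], "logged": True})
    return {"resource_type": "SecurityPolicy", "id": f"{tenant}-app",
            "category": "Application", "rules": rules}

def api_calls(tenant: str, flows: list[tuple[str, str, str]]) -> list[tuple[str, str, str]]:
    """Ordered (method, path, body) calls for a CI/CD job: groups first, since
    the policy references their paths, then the policy itself (PATCH is idempotent)."""
    tiers = sorted({t for src, dst, _ in flows for t in (src, dst)})
    calls = [("PATCH", f"{API}{DOMAIN}/groups/{tenant}-{t}",
              json.dumps(tier_group(tenant, t))) for t in tiers]
    calls.append(("PATCH", f"{API}{DOMAIN}/security-policies/{tenant}-app",
                  json.dumps(build_policy(tenant, flows))))
    return calls

# Constructed sample: a three-tier tenant app; the service paths are NSX built-ins (assumed).
EXAMPLE_FLOWS = [("web", "app", "/infra/services/HTTPS"), ("app", "db", "/infra/services/MySQL")]

if __name__ == "__main__":
    for method, path, body in api_calls("acme", EXAMPLE_FLOWS):
        print(method, path, body)
```

Because the rendered document is plain JSON, it can be reviewed in a pull request and diffed against what the API returns to detect out-of-band rule changes.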
Key Licensing Considerations
- VMware vDefend single SKU is sold as an add-on to VMware Cloud Foundation (VCF) and includes all features.
Summary
To maximize revenue, a CSP should package these advanced capabilities into differentiated service bundles and sell business outcomes for the security of the environment as part of a more integrated cloud operating model, moving beyond IaaS into managed security services.