VMware Security Blog, September 29, 10:48
vDefend 9.0 enhancements: improving private cloud security and efficiency

VMware vDefend 9.0 delivers a set of significant updates for VMware Cloud Foundation (VCF) 9.0, aimed at accelerating lateral security protection and threat response in enterprise private cloud environments. New capabilities include VPC-aware lateral security, which provides fine-grained control and isolation in multi-tenant environments; self-service micro-segmentation, which lets application owners configure their own security rules within a centralized policy framework and supports DevOps pipeline automation; and a simplified path for migrating vDefend into VCF that preserves existing policies and lowers migration cost. In addition, global centralized IDS/IPS policy management and a real-time IDS/IPS signature lookup portal significantly improve threat detection and response, while Geo-IP filtering provides fine-grained control over global traffic. Together these build a stronger, more manageable zero-trust security architecture.

🔒 **VPC-aware lateral security:** One of the biggest highlights of this update is VPC-aware lateral security. vDefend security policy can now be deployed at the virtual private cloud (VPC) level, giving each tenant independent, isolated security management. This greatly strengthens isolation in multi-tenant environments and supports finer-grained delegated administration: each VPC administrator can manage only the configuration of their own VPC, improving both security and efficiency.

🛠️ **Self-service micro-segmentation and DevOps integration:** vDefend 9.0 gives application owners more flexibility, letting them configure fine-grained micro-segmentation rules themselves within the centralized security policy framework created by the infrastructure team. These policies can also be automated through APIs in DevOps CI/CD pipelines, greatly accelerating application deployment and policy rollout and building security into the development lifecycle.

🔄 **Simplified vDefend migration to VCF:** For users with existing vDefend deployments, the new release offers a seamless migration path. Existing vDefend deployments can be imported into a VCF 9.0 environment with all policy configuration preserved, which greatly reduces the complexity and cost of migration and lets users move to the full VCF platform faster and more efficiently.

🚨 **Enhanced centralized threat detection and response:** Global centralized IDS/IPS policy management ensures consistent policy enforcement across distributed VCF deployments and supports assigning specific signature bundles to different environments. The new IDS/IPS signature lookup portal lets users research signature updates in real time without logging in to the vDefend console, which greatly improves security analysts' efficiency and strengthens threat coverage awareness and incident response. Geo-IP filtering allows traffic to be allowed or blocked by geographic location directly at the gateway firewall, giving more precise traffic control.

🌐 **Unified security management across multi-instance VCF environments:** For large enterprises with multiple VCF instances, vDefend 9.0 provides unified IDS/IPS policy management across instances, and signature bundles can be delivered even in air-gapped environments. All IDS/IPS events are shown in a single management console, greatly simplifying security operations at scale.

New enhancements include VPC-Aware Lateral Security, Self-Service Micro-segmentation, Streamlined vDefend Migration to VCF, and Global Centralized IDS/IPS Policy Management for Accelerated Threat Response and Enforcement 

The modern enterprise is rapidly adopting a private cloud strategy for its environments. A recent research study involving 1,800 senior leaders revealed that their organizations are prioritizing private cloud to address challenges stemming from cost concerns, the need for predictability, AI workload requirements, lateral security, and compliance. 

With digital enterprises doubling down on private cloud strategies, IT and security teams face the challenge of securing workloads as quickly and efficiently as possible. With most ransomware breaches involving lateral propagation of threats to hunt for high-value assets, security strategies are evolving to protect both critical and non-critical workloads across all private cloud deployments. vDefend is a leading software-defined, hypervisor-integrated, lateral security solution purpose-built to comprehensively protect every VMware Cloud Foundation (VCF) workload. vDefend brings robust, integrated network security controls directly into the VCF fabric. The solution enables micro-segmentation and threat defense to be rapidly adopted, managed, and scaled, ultimately accelerating an organization’s zero-trust implementation strategies. 

We are excited to announce new vDefend innovations for VCF 9.0:

vDefend implementation with VCF 9.0 makes advanced security easier to adopt, tenant-aware, and centrally managed, turning security from a barrier into a built-in capability.

VPC-Aware Lateral Security

Multi-tenancy is foundational for enterprises, but achieving complete isolation across both the data and control planes has been a persistent challenge. The introduction of VPCs brought significant improvements by enabling both data and control plane separation for networking and security, allowing for more granular application-level isolation, often managed by the DevOps team. 

With the VMware Cloud Foundation (VCF) 9.0 release, vDefend extends lateral security capabilities to deliver true per-VPC network isolation with microsegmentation, allowing only trusted application traffic. This enhancement enables delegated administration, ensuring that each VPC admin can only view and manage configurations within their own VPC. Teams can now work in parallel with full self-service and complete isolation, making secure multi-tenancy in private clouds a reality.

Self-Service Micro-segmentation

vDefend Firewall empowers both infrastructure administrators and VPC owners. Infrastructure administrators can establish secure Virtual Private Clouds (VPCs), minimizing east-west communication. Simultaneously, VPC owners gain the flexibility to configure detailed rules for their applications, ensuring functionality without compromising central security policies. This approach promotes security self-service for end-users while upholding the organization’s overall security posture.
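The two ideas in the last two sections (delegated administration that confines each VPC admin to their own VPC, and tenant rules that live inside a central policy framework without loosening it) can be made concrete with a small policy model. The following is an added example written for this page; it is not vDefend code and uses no vDefend or NSX API. Every workload name, VPC id and rule name in it is constructed sample data, and the evaluation order (infrastructure rules first and final, tenant rules only for flows inside one VPC, default deny) is the example's own assumption about how such a two-tier model behaves.

```python
"""Two-tier micro-segmentation policy model: an added, illustrative example.

Not vDefend code and not any vDefend/NSX API. It models the behaviour described
above: infrastructure administrators set organization-wide rules and VPC
boundaries, VPC owners may add rules only for workloads inside their own VPC,
and a tenant rule can never widen what the infrastructure tier permits.
All workloads, VPC ids and rule names are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Workload:
    name: str
    vpc: str


@dataclass(frozen=True)
class Rule:
    name: str
    src: str                 # workload name, "vpc:<id>" or "any"
    dst: str
    port: Optional[int]      # None matches any destination port
    action: str              # "allow" or "deny"
    scope: str               # "infra" or the VPC id the rule belongs to


class PolicyError(Exception):
    """Raised when a delegated admin submits a rule outside their VPC."""


class Policy:
    def __init__(self, workloads: List[Workload]):
        self.workloads: Dict[str, Workload] = {w.name: w for w in workloads}
        self.infra_rules: List[Rule] = []
        self.tenant_rules: Dict[str, List[Rule]] = {}

    def add_infra_rule(self, rule: Rule) -> None:
        if rule.scope != "infra":
            raise PolicyError("infrastructure tier accepts only scope='infra'")
        self.infra_rules.append(rule)

    def add_tenant_rule(self, admin_vpc: str, rule: Rule) -> None:
        """Delegated administration: the admin of admin_vpc may only author rules
        scoped to that VPC, and those rules may only reference workloads in it."""
        if rule.scope != admin_vpc:
            raise PolicyError(f"admin of {admin_vpc} cannot write rules scoped to {rule.scope}")
        for endpoint in (rule.src, rule.dst):
            if not self._inside_vpc(endpoint, admin_vpc):
                raise PolicyError(f"{endpoint!r} is outside {admin_vpc}")
        self.tenant_rules.setdefault(admin_vpc, []).append(rule)

    def _inside_vpc(self, endpoint: str, vpc: str) -> bool:
        if endpoint == "any" or endpoint == f"vpc:{vpc}":
            return True  # "any" in a tenant rule means "any workload in my VPC"
        w = self.workloads.get(endpoint)
        return w is not None and w.vpc == vpc

    @staticmethod
    def _endpoint_matches(pattern: str, w: Workload) -> bool:
        return pattern in ("any", f"vpc:{w.vpc}", w.name)

    def _matches(self, r: Rule, s: Workload, d: Workload, port: int) -> bool:
        return (self._endpoint_matches(r.src, s) and self._endpoint_matches(r.dst, d)
                and (r.port is None or r.port == port))

    def evaluate(self, src: str, dst: str, port: int) -> Tuple[str, str]:
        """Return (action, deciding rule). Infrastructure rules are consulted first
        and are final; tenant rules apply only to flows inside one VPC; anything
        unmatched is denied (zero-trust default)."""
        s, d = self.workloads[src], self.workloads[dst]
        for r in self.infra_rules:
            if self._matches(r, s, d, port):
                return r.action, r.name
        if s.vpc != d.vpc:
            # Only the infrastructure tier can open a cross-VPC path.
            return "deny", "implicit-cross-vpc-deny"
        for r in self.tenant_rules.get(s.vpc, []):
            if self._matches(r, s, d, port):
                return r.action, r.name
        return "deny", "default-deny"


def build_sample_policy() -> Policy:
    """Constructed sample: two tenant VPCs plus a shared-services VPC."""
    p = Policy([Workload("web1", "vpc-a"), Workload("db1", "vpc-a"),
                Workload("app2", "vpc-b"), Workload("dns", "vpc-shared")])
    # Infrastructure tier: everyone may reach shared DNS; nothing else crosses VPCs.
    p.add_infra_rule(Rule("shared-dns", "any", "dns", 53, "allow", "infra"))
    # Tenant tier: the vpc-a owner opens only the path their application needs.
    p.add_tenant_rule("vpc-a", Rule("a-web-to-db", "web1", "db1", 5432, "allow", "vpc-a"))
    return p


if __name__ == "__main__":
    p = build_sample_policy()
    for flow in [("web1", "db1", 5432), ("db1", "web1", 5432),
                 ("web1", "app2", 443), ("app2", "dns", 53)]:
        print(flow, "->", p.evaluate(*flow))
    try:  # a vpc-a admin trying to reach into vpc-b is rejected at authoring time
        p.add_tenant_rule("vpc-a", Rule("bad", "web1", "app2", 443, "allow", "vpc-a"))
    except PolicyError as e:
        print("rejected:", e)
```

The point of the model is where the guardrail sits: a tenant's rule is rejected when it is written, not silently ignored at enforcement time, and cross-VPC reachability exists only if an infrastructure-tier rule created it.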

Seamless Migration with VCF Import

Existing vDefend deployments outside of VCF can be imported into the VCF 9.0 environment with their current vDefend Firewall policies intact. This streamlined migration process lets customers move to a full-stack VCF platform efficiently, reducing transition overhead and eliminating the need to start from scratch.

Simplified, Centralized IDS/IPS Policy Management Across Multi-instance VCF with Air-Gap support 

Large, multi-instance (federated) VCF environments require a consistent, organization-wide IDS/IPS security policy and signature management that is efficient and easy to operate. Customers can now deliver global IDS/IPS security policies across distributed VCF deployments with centralized policy management capabilities.

In addition, multiple IDS/IPS signature bundle assignments let users apply specific signature bundles where they are needed across their VCF deployments. For air-gapped environments, delivery of IDS/IPS signature bundles to Local Managers is supported even where internet connectivity is restricted for compliance reasons.

Together, these capabilities offer consistent, centralized threat prevention policy management across multi-instance VCF deployments. All IDS/IPS events are visible within a single management console.

Real-Time Visibility With New IDS/IPS Signature Portal

Keeping security defenses current is non-negotiable; enterprises rely on frequent signature updates to stay ahead of emerging threats. While vDefend already makes it easy to download and review the latest IDS/IPS signature bundles through the vDefend console, security analysts often need deeper insight, such as identifying what’s new in each bundle, tracking version history, searching for coverage against specific CVEs (Common Vulnerabilities and Exposures), or looking for coverage against specific attack patterns such as Command and Control communications. 

With the new IDS/IPS Signature Portal, we’re introducing a powerful tool that allows operators to research signature updates in real time, without needing to log into the vDefend console. With easy web-based access, the portal lets teams research signatures, search for specific threat coverage, compare versions, and export signature lists. This capability not only streamlines initial planning and deployment but also facilitates easier collaboration and quicker action among teams, ultimately enhancing threat coverage awareness and incident response across the organization.
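The questions the two paragraphs above list (what is new in a bundle, how a signature's revision history looks, which signatures cover a given CVE or an attack class such as command and control) are the same questions an analyst can answer locally over a downloaded bundle. The script below is an added example written for this page, not the portal and not any vDefend or NSX API. It assumes a bundle is a text file of Suricata-style rules (an assumption; the post does not state the bundle format), and every rule, sid and CVE identifier in it is a constructed placeholder.

```python
"""Signature-bundle research helpers: an added example, not the vDefend portal
and not any vDefend/NSX API. Assumes (not stated on the page) a bundle is a text
file of Suricata-style rules. All rules, sids and CVE ids are constructed placeholders.
"""
import csv
import io
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Signature:
    sid: int
    rev: int
    msg: str
    classtype: str
    cves: FrozenSet[str]


def _split_options(opts: str) -> List[str]:
    """Split 'key:value; key:value;' on ';' while honouring double-quoted msg text."""
    out, cur, in_quotes = [], [], False
    for ch in opts:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ";" and not in_quotes:
            out.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    if "".join(cur).strip():
        out.append("".join(cur).strip())
    return out


def parse_rule(line: str) -> Optional[Signature]:
    """Extract sid, rev, msg, classtype and CVE references from one rule line."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    body = line[line.index("(") + 1:line.rindex(")")]  # options live in the parentheses
    sid = rev = None
    msg = classtype = ""
    cves = set()
    for opt in _split_options(body):
        key, _, val = opt.partition(":")
        key, val = key.strip(), val.strip()
        if key == "sid":
            sid = int(val)
        elif key == "rev":
            rev = int(val)
        elif key == "msg":
            msg = val.strip('"')
        elif key == "classtype":
            classtype = val
        elif key == "reference":
            kind, _, ident = val.partition(",")
            if kind.strip().lower() == "cve":
                ident = ident.strip().upper()
                cves.add(ident if ident.startswith("CVE-") else "CVE-" + ident)
    if sid is None:
        raise ValueError(f"rule without sid: {line[:60]}")
    return Signature(sid, rev or 1, msg, classtype, frozenset(cves))


def parse_bundle(text: str) -> Dict[int, Signature]:
    return {s.sid: s for s in map(parse_rule, text.splitlines()) if s}


def diff_bundles(old: Dict[int, Signature], new: Dict[int, Signature]) -> Dict[str, List[int]]:
    """What changed: sids only in new, sids only in old, and sids whose rev went up."""
    return {
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        "updated": sorted(s for s in old.keys() & new.keys() if new[s].rev > old[s].rev),
    }


def find_coverage(bundle: Dict[int, Signature], cve: str = None,
                  classtype: str = None, keyword: str = None) -> List[int]:
    """Sids matching every filter given: a CVE id, a classtype, or a word in msg."""
    hits = []
    for s in bundle.values():
        if cve and cve.upper() not in s.cves:
            continue
        if classtype and s.classtype != classtype:
            continue
        if keyword and keyword.lower() not in s.msg.lower():
            continue
        hits.append(s.sid)
    return sorted(hits)


def export_csv(bundle: Dict[int, Signature]) -> str:
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["sid", "rev", "classtype", "cves", "msg"])
    for s in sorted(bundle.values(), key=lambda s: s.sid):
        w.writerow([s.sid, s.rev, s.classtype, " ".join(sorted(s.cves)), s.msg])
    return buf.getvalue()


# Constructed sample bundles (placeholder sids 90000xx and placeholder CVE ids).
BUNDLE_V1 = """# constructed sample bundle, version 1
alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"SAMPLE WEB placeholder exploit attempt"; flow:to_server,established; reference:cve,0000-0001; classtype:web-application-attack; sid:9000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"SAMPLE MALWARE placeholder beacon check-in"; flow:to_server,established; classtype:command-and-control; sid:9000002; rev:2;)
alert udp $HOME_NET any -> any 53 (msg:"SAMPLE DNS placeholder suspicious TXT query"; classtype:trojan-activity; sid:9000003; rev:1;)
"""
BUNDLE_V2 = """# constructed sample bundle, version 2: 9000001 revised, 9000003 retired, 9000004 new
alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"SAMPLE WEB placeholder exploit attempt"; flow:to_server,established; reference:cve,0000-0001; reference:cve,0000-0002; classtype:web-application-attack; sid:9000001; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"SAMPLE MALWARE placeholder beacon check-in"; flow:to_server,established; classtype:command-and-control; sid:9000002; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 8443 (msg:"SAMPLE MALWARE placeholder C2 heartbeat"; classtype:command-and-control; sid:9000004; rev:1;)
"""

if __name__ == "__main__":
    v1, v2 = parse_bundle(BUNDLE_V1), parse_bundle(BUNDLE_V2)
    print("changes:", diff_bundles(v1, v2))
    print("CVE-0000-0002 coverage:", find_coverage(v2, cve="CVE-0000-0002"))
    print("C2 coverage:", find_coverage(v2, classtype="command-and-control"))
    print(export_csv(v2))
```

Running the same diff against two consecutive bundle versions is the offline equivalent of the portal's "what's new" view; keeping the CSV exports per version gives a local revision history that can be attached to a change ticket before a bundle is assigned to an environment.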


Precision Control of Traffic Flows with Country-based Geo-fencing of Traffic

Infrastructure administrators can now allow or block incoming and outgoing traffic based on specific geographic locations in vDefend Gateway Firewall. This new capability provides precise, targeted control of traffic, enhancing security posture and ensuring compliance.


Join Us at VMware Explore 2025 

Mark your calendars for August 25-28, 2025! We will be sharing all the details of these new innovations at VMware Explore 2025 in Las Vegas. You can find all the exciting event details, including new registration pricing packages here.

The post VMware vDefend Integrations with VMware Cloud Foundation 9.0: Accelerating Lateral Security for All VCF Applications appeared first on VMware Security Blog.
