Recently, I’ve been asked several times about what additional revenue opportunities can be unlocked with VMware vDefend, beyond its well-known and well adopted core Distributed Firewall (micro-segmentation) capabilities. This inspired me to write this blog — to explore the advanced features and value-added services that vDefend offers, and how these can be leveraged by Cloud Service Providers (CSPs) to expand their cloud security portfolio and drive new monetization models.
VMware vDefend Core base Capability
- The fundamental offering is the Distributed Firewall (DFW) (sometimes also “Gateway Firewall”) — i.e. east–west plus north–south firewalling at a software/hypervisor layer.
- It supports Layer 2-7 stateful firewalling, identity- and application-aware policies, dynamic grouping of workloads, etc.
- It’s tightly integrated with VMware Cloud Foundation (VCF).
New Revenue Streams with VMware vDefend Advanced Capabilities:
These are the additional features/capabilities beyond basic micro-segmentation that you should look at to add to the security services offering portfolio:
- Gateway Firewall
- In addition to DFW, there’s a “gateway” component for perimeter or segmented zone control (L2/3/4 firewalling at edge points) as part of vDefend
- Useful for CSPs when you’re offering tenant isolation, controlling ingress/egress traffic, etc.
- Advanced Threat Prevention (ATP) / IDS/IPS / NDR / Sandbox / Traffic Analysis
- The “vDefend Firewall’s Advanced Threat Prevention” tier adds: IDS/IPS, network traffic analysis (NTA), sandboxing, network detection & response (NDR) capabilities.
- This is a key value add for CSPs – you can offer more than just segmentation, you’re offering threat detection, prevention and response.
- Security Intelligence / Segmentation Assessment / Analytics
- Features like the “Security Segmentation Report” that analyze flows to identify segmentation gaps, generate a segmentation score, provide rule recommendations.
- The “Security Services Platform (SSP)” – scale-out architecture for security intelligence and visibility across large environments.
- This is particularly useful for CSPs since you have multi-tenant, large scale, possibly complex workloads and want to offer visibility dashboards and analytics as part of the service.
- Container / Multi-workload Support
- vDefend supports workloads not just VMs, but containers, bare metal, etc.
- For CSPs this is important if you’re supporting Kubernetes/containers, hybrid or multi-cloud workloads for customers.
- Multi-tenant / Delegated Administration Capabilities
- Recent enhancements allow for “VPC-Aware Lateral Security” — ability to apply per-tenant or per-VPC policies, with delegated management for tenants/app owners.
- Self-Service Micro-segmentation: app owners can define fine-grained policies inside zones defined by infra.
- For a CSP this is vital: you want to offer tenants self-service while maintaining central control/oversight.
- Geo-IP / Edge Controls
- Example: Geo-IP filtering at the gateway firewall (allow/block by country) for traffic flows
- Useful for compliance/regulatory or global CSP scenarios.
- Air-gapped / isolated environment support
- The NDR capability now supports environments that don’t connect to public internet for threat intelligence updates (important for regulated/private CSPs).
What this means for a CSP Offerings
If you are a CSP & evaluating capability and considering vDefend as part of your security stack/service offering, you should think about:
- Which tier you want to offer basic segmentation (DFW) vs full threat prevention (ATP/IDS/IPS/NDR).
- Tenant / multi-tenant needs: Do you need per-tenant segmentation, delegated admin, self-service, etc. vDefend supports that.
- Scale & visibility: The analytics & intelligence modules are key for large scale operations.
- Workload types: VMs, containers, bare metal — if you support them, you’ll need the broader features.
- Compliance/regulatory: Policies like geo-IP, offline threat intelligence updates, fully isolated operations.
- Automation/DevOps integration: Micro-segmentation as code, API-driven policy creation, integrate into CI/CD etc.
- Gateway/Edge controls: If you’re offering ingress/egress firewall or edge segmentation for customers, ensure that the gateway firewall capability is included.
Key Licensing Considerations
- VMware vDefend single SKU, is sold as an add-on to VMware Cloud Foundation (VCF) & includes all features.
Summary
To maximize revenue, a CSP should focus on packaging these advanced capabilities into differentiated service bundles & focus on selling business outcomes when it comes to security of the environment with more intgrated cloud operating model, beyond IaaS into managed security services.