← Back to Engineering Blog
πŸ—“οΈ Dec 5, 2022 ⏱️ 1 min read

Day-0 Firewall Rules: Automating Security Baseline Insertion

How we automated the injection of Day-0 compliance firewall rules into newly provisioned NSX-T logical segments.

πŸŽ™οΈ Listen to Article READY
AI Audio Synthesis Narrator
Share Post:

β€œSecurity cannot be an afterthought added after infrastructure is deployed. Security rules must be injected automatically on Day 0.”

At NTT Data, we created automated Day-0 Firewall Rule Injection pipelines using the NSX-T Policy API.


Day-0 Compliance Injection

Whenever a new segment is created by an automated pipeline, an automated hook applies mandatory security baseline rules:

  • Block Inbound SSH from Untrusted Subnets.
  • Allow Internal Monitoring & Log Ingestion Telemetry.
  • Restrict Cross-Tenant Inter-VLAN Routing.
// # NSX-T Policy API Day-0 Rule Payload
{
  "display_name": "Day-0-Default-Sec-Baseline",
  "sequence_number": 10,
  "rules": [
    {
      "display_name": "Allow-NTP-Telemetry",
      "action": "ALLOW",
      "services": ["/infra/services/NTP"]
    }
  ]
}

The Verdict

Key Takeaway

Inject Security Baselines at Provisioning Time.

Ensure newly provisioned logical networks automatically inherit Day-0 Security Rules at instantiation to guarantee continuous compliance.

SKS

Sachin Kumar Sharma

Associate Director (Infrastructure & Cloud Architecture Strategy) | 20+ Yrs Exp

Architecting resilient multi-cloud enterprise landing zones, SDN overlay fabrics, DevSecFinOps automation pipelines, and autonomous Agentic AI platforms.