Day-0 Firewall Rules: Automating Security Baseline Insertion
How we automated the injection of Day-0 compliance firewall rules into newly provisioned NSX-T logical segments.
βSecurity cannot be an afterthought added after infrastructure is deployed. Security rules must be injected automatically on Day 0.β
At NTT Data, we created automated Day-0 Firewall Rule Injection pipelines using the NSX-T Policy API.
Day-0 Compliance Injection
Whenever a new segment is created by an automated pipeline, an automated hook applies mandatory security baseline rules:
- Block Inbound SSH from Untrusted Subnets.
- Allow Internal Monitoring & Log Ingestion Telemetry.
- Restrict Cross-Tenant Inter-VLAN Routing.
// # NSX-T Policy API Day-0 Rule Payload
{
"display_name": "Day-0-Default-Sec-Baseline",
"sequence_number": 10,
"rules": [
{
"display_name": "Allow-NTP-Telemetry",
"action": "ALLOW",
"services": ["/infra/services/NTP"]
}
]
}
The Verdict
Key Takeaway
Inject Security Baselines at Provisioning Time.
Ensure newly provisioned logical networks automatically inherit Day-0 Security Rules at instantiation to guarantee continuous compliance.
Sachin Kumar Sharma
Associate Director (Infrastructure & Cloud Architecture Strategy) | 20+ Yrs Exp
Architecting resilient multi-cloud enterprise landing zones, SDN overlay fabrics, DevSecFinOps automation pipelines, and autonomous Agentic AI platforms.