We can deploy logical firewall at every vNIC by decoupling network and security. Firewall instances at every vNIC to any kind of vSwitch embedded in the hypervisor as close as possible to the guest VM but not part of the guest VM. We won't move the traffic from the source to an inspection point, but instead move the inspection point to the source of the traffic with network infrastructure irrelevant to the granular protection of servers.

Distributed Firewall at vNIC is the right spot, and fully integrated to apply policies most effectively. Integrated means that it doesn't matter where we are or where we go—even if we are off the track or change direction—it still works because it is built into hypervisor. Integrated also means that it is not our responsibility as a driver or passenger to put on our protection, we can't forget or avoid it because it is built into hypervisor. Integrated also means it is physically and functionally integrated with some sensors and will set off the air-bags at the right time. NSX DFW define automation with Service Composer by abstracting and automating based on vCenter/active directory rulesets.