Tigera: NSX DFW to Calico: Migrating Security Policy Without Starting Over
When organisations move VMs off vSphere and onto Kubernetes, one of the roadblocks is security. Security teams have spent years building NSX DFW policy. They look at a Kubernetes cluster with its flat network and worry that they will not be able to configure the same workload isolation and access control outcomes.
Fortunately, NSX DFW and Calico network policy are built on the same core principles: distributed enforcement at the workload interface, policy that travels with the workload rather than staying tied to a network location, a tiered model that separates infrastructure rules from application rules, and attribute-based identity that doesn’t depend on IP addresses. The concepts transfer. Only the language changes.
In this session we walk through the NSX DFW model in detail and map each of its properties to the Calico equivalent, then demonstrate what a policy migration looks like in practice: expressing NSX rules as Calico network policy, and showing how this can be done incrementally, without a big-bang cutover.
You will learn:

How NSX DFW Maps to Calico Network Policy: Walk through the four core properties of the NSX distributed firewall: kernel-level enforcement at every workload interface, policy that travels with the VM, tiered rule precedence, and tag-based dynamic grouping. See exactly how each one is expressed in Calico. The enforcement model, the governance structure, and the dynamic membership behavior all have direct equivalents.

From NSX Tags and Security Groups to Kubernetes Labels: Understand why the tag-based security model that many NSX teams already rely on is the closest thing to Kubernetes-native policy that exists in the VMware world. See how security group membership defined by tags maps to Calico policy selectors, and how IP-based DFW rules for external endpoints translate to NetworkSets rather than disappearing entirely.

Replicating the Tier Model and Locking It Down: Configure a tiered policy structure in Calico that mirrors NSX’s category-based governance: security team rules at the top that application teams cannot modify, platform-level defaults in the middle, and namespace-level policies that developers manage themselves. See how Kubernetes-native RBAC enforces tier boundaries so that access controls are structural rather than procedural.

Migrating Policy Without a Cutover Event: See how Calico flow logs can be used to observe actual east-west traffic before writing a single policy rule, and walk through a staged approach to retiring NSX DFW rules incrementally as Calico equivalents are validated on the security team’s timeline, not the migration project’s.

Join us to see how much of your existing NSX security posture is already expressible in Calico, and what a migration looks like when it’s treated as a translation project rather than a rebuild.
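The following is an added example, not material from the session or Tigera's own code, of what the mapping above looks like as Calico resources: two Calico Tiers standing in for NSX categories, a GlobalNetworkSet standing in for an IP-based DFW rule, a GlobalNetworkPolicy whose selectors replace a tag-defined security group, and a ClusterRole that makes the tier boundary a structural RBAC control. All names, labels, namespaces and CIDRs are assumed; the `tier.globalnetworkpolicies` / `<tier>.*` resource form follows Calico's tiered-policy RBAC documentation, and tiered and staged policy are features of Calico Enterprise and Calico Cloud and of recent open-source Calico releases, so check the release you run.

```yaml
# Added example (not from the Tigera session). All names, labels and
# CIDRs below are assumptions chosen for illustration.

# 1. Tier precedence plays the role of NSX categories: lower order is
#    evaluated first, so the security team's tier always wins.
apiVersion: projectcalico.org/v3
kind: Tier
metadata:
  name: security
spec:
  order: 100
---
apiVersion: projectcalico.org/v3
kind: Tier
metadata:
  name: platform
spec:
  order: 200
---
# 2. An IP-based DFW rule for an external endpoint becomes a labelled
#    GlobalNetworkSet, so policies reference the label, not the CIDR.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkSet
metadata:
  name: partner-payment-gateway
  labels:
    role: partner-gateway
spec:
  nets:
    - 203.0.113.0/24   # documentation range standing in for the partner CIDR
---
# 3. The NSX security group "tier = db" becomes a label selector.
#    The policy name carries its tier as a prefix. Rules are evaluated in
#    order; the closing Pass rule hands unmatched traffic to the next tier.
#    Without it, an endpoint this policy selects is denied at the end of
#    the tier, which would silently override application-tier policy.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: security.protect-db
spec:
  tier: security
  order: 10
  selector: tier == "db"
  types:
    - Ingress
    - Egress
  ingress:
    - action: Allow
      protocol: TCP
      source:
        selector: tier == "app"
        namespaceSelector: env == "prod"
      destination:
        ports: [5432]
    - action: Deny
      source:
        selector: tier == "web"   # web may never reach the database directly
    - action: Pass
  egress:
    - action: Allow
      protocol: TCP
      destination:
        selector: role == "partner-gateway"   # matches the GlobalNetworkSet label
        ports: [443]
    - action: Pass
---
# 4. RBAC makes the tier boundary structural: this role can read the
#    security tier but can only create or change policies in the
#    platform tier, so no procedural control is needed.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: platform-policy-editor
rules:
  - apiGroups: ["projectcalico.org"]
    resources: ["tiers"]
    resourceNames: ["security", "platform"]
    verbs: ["get"]
  - apiGroups: ["projectcalico.org"]
    resources: ["tier.globalnetworkpolicies"]
    resourceNames: ["security.*"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["projectcalico.org"]
    resources: ["tier.globalnetworkpolicies"]
    resourceNames: ["platform.*"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
```

Two points a practitioner should check before applying this. First, a label selector in a GlobalNetworkPolicy rule matches any endpoint carrying that label, including pods and host endpoints, not only the GlobalNetworkSet, so keep the labels used for network sets out of the namespace where application teams can set pod labels. Second, the Pass rules are what make the tier model cooperative rather than a hidden default-deny; for the incremental migration described above, the same policy can first be applied as a StagedGlobalNetworkPolicy, which is evaluated and reported in flow logs but not enforced, and promoted to an enforced policy only after the observed verdicts match what the NSX DFW rule allowed.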