
How VMware vShield Zones aids VM security, monitoring

VMware's vShield Zones allows you to secure virtual machines, monitor network traffic and ensure regulatory compliance by segmenting VMs and data into policy-driven 'zones.'

What is vShield Zones?

With VMware's vShield Zones, you can monitor network traffic in a virtualized environment and ensure regulatory compliance by segmenting users and sensitive data on a network. vShield Zones is VMware's virtualization security offering, based on technology that VMware bought from Blue Lane Technologies in October 2008.

Just as many companies need to create demilitarized zones (DMZs) for their physical servers, vShield Zones lets them create security zones for virtual servers. An added benefit of vShield Zones is that companies get a tremendous amount of network traffic flow monitoring, analysis and reporting.

How vShield Zones works
vShield performs Stateful Packet Inspection (SPI) and tracks dynamic connections such as FTP. Better yet, vShield understands your virtual infrastructure and works with vCenter to track traffic between virtual machines and even VMotion-associated traffic.


With vShield, you can create various levels of administrative permission and assign them to your hierarchy of network and VMware administrators.

vShield Zones works by having a single virtual machine (VM) act as the vShield management station. vShield monitoring VMs are then deployed to monitor each virtual switch (vSwitch) on each ESX Server. To do so, each vSwitch to be monitored is cloned, and the vShield monitor is connected between the cloned vSwitch (with the VMs) and the original vSwitch. The data collected is sent back to the vShield management station, where it is logged and analyzed. You can create policies on the management station to police your virtual infrastructure network traffic and report on both allowed and denied network traffic.
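To make the stateful inspection of dynamic connections such as FTP concrete, the following is an added example, not VMware's code and not taken from the original article. It is a simplified sketch of how a stateful filter can read the FTP control channel and admit only the data connection that channel announced; the class name, verdict strings and addresses are constructed for illustration.

```python
import re
# FTP control-channel messages that announce the data connection's endpoint.
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", re.I)

def endpoint(match):
    """Decode h1,h2,h3,h4,p1,p2 into (ip, port); (None, None) if invalid."""
    nums = [int(g) for g in match.groups()]
    if any(n > 255 for n in nums):
        return None, None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

class StatefulFilter:
    """Hypothetical stateful filter; static policy allows only FTP control."""
    def __init__(self, allowed_ports=(21,)):
        self.allowed_ports = set(allowed_ports)
        self.established = set()  # (src, sport, dst, dport)
        self.expected = set()     # one-shot pinholes: (src, dst, dport)

    def new_connection(self, src, sport, dst, dport):
        key = (src, dst, dport)
        if key in self.expected:
            self.expected.discard(key)      # a pinhole admits one connection
            verdict = "ALLOW (related)"
        elif dport in self.allowed_ports:
            verdict = "ALLOW (policy)"
        else:
            return "DENY"
        self.established.add((src, sport, dst, dport))
        return verdict

    def control_line(self, client, cport, server, line, from_server):
        """Inspect one line seen on an established FTP control session."""
        if (client, cport, server, 21) not in self.established:
            return
        m = (PASV_RE if from_server else PORT_RE).match(line)
        ip, port = endpoint(m) if m else (None, None)
        # Only honour an endpoint that belongs to the announcing host.
        if from_server and ip == server:          # passive mode
            self.expected.add((client, server, port))
        elif not from_server and ip == client:    # active mode
            self.expected.add((server, client, port))

def demo():
    fw, c, s = StatefulFilter(), "10.0.1.5", "10.0.2.9"  # constructed hosts
    before = fw.new_connection(c, 40000, s, 21), fw.new_connection(c, 40001, s, 50000)
    fw.control_line(c, 40000, s, "227 Entering Passive Mode (10,0,2,9,195,80)", True)
    after = fw.new_connection(c, 40001, s, 50000), fw.new_connection(c, 40002, s, 50000)
    return [*before, *after]
```

The same data port is denied before the control channel announces it and again after the one-shot pinhole has been used, which is the difference between stateful tracking and a static port rule.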

VMware's vShield Zones is offered in three of the six vSphere Editions: Advanced, Enterprise and Enterprise Plus. Additionally, VMware's vCenter is required. And check out this writeup on vShield Zones on

For more information, read all about DPM at VMware's vShield Zones product page and the vShield Zones 1.0 FAQ.


About the author
David Davis is the director of infrastructure at -- the global leader in video training for IT pros. He has several certifications including vExpert, VMware Certified Professional (or VCP), CISSP, and CCIE #9369. Additionally, Davis has authored hundreds of articles and six video training courses at Train Signal, where one of the most popular courses is the VMware vSphere 4 video training course. His website is You can follow Davis on Twitter or connect with him on LinkedIn.
