Job Description
Insight Global is seeking an expert‑level VMware NSX‑T Distributed Firewall Engineer to support and extend our client's enterprise micro segmentation program. This role will work both on our backlog of new application micro segmentation efforts and on supporting and enhancing existing NSX‑T DFW policies already deployed in their environment. The engineer will collaborate directly with application owners, IT engineering, and security teams to drive dependency discovery, rule refinement, validation, and safe enforcement of east/west controls.
• Micro segmentation Delivery
o Execute micro segmentation for existing and new applications using NSX‑T DFW
o Perform dependency analysis and flow validation using NSX tools (Traceflow, flow logs, Intelligence/vRNI if present)
o Build, refine, and enforce east/west traffic policies following our internal segmentation patterns
o Coordinate with application owners to gather requirements, review flows, validate connectivity, and schedule cutovers
• Support for Existing Segmentation
o Troubleshoot and resolve issues related to existing DFW policies, group membership, rule order, or Applied‑To scopes
o Review and optimize legacy segmentation rules to align with current standards
o Investigate reported application connectivity issues and perform root cause analysis related to the DFW
o Maintain and update supporting documentation, runbooks, and operational procedures
• Policy Implementation & Validation
o Develop and implement new DFW sections, groups, rules, and services using Policy API or Manager UI
o Validate policies before and after enforcement; ensure successful migration from “discover” to “enforce” mode
o Implement blocking/default deny rules as appropriate after validation
o Ensure changes follow approved change control processes with rollback plans
We are a company committed to creating diverse and inclusive environments where people can bring their full, authentic selves to work every day. We are an equal opportunity/affirmative action employer that believes everyone matters. Qualified candidates will receive consideration for employment regardless of their race, color, ethnicity, religion, sex (including pregnancy), sexual orientation, gender identity and expression, marital status, national origin, ancestry, genetic factors, age, disability, protected veteran status, military or uniformed service member status, or any other status or characteristic protected by applicable laws, regulations, and ordinances. If you need assistance and/or a reasonable accommodation due to a disability during the application or recruiting process, please send a request to HR@insightglobal.com. To learn more about how we collect, keep, and process your private information, please review Insight Global's Workforce Privacy Policy: https://insightglobal.com/workforce-privacy-policy/.
Required Skills & Experience
• 5+ years of hands‑on VMware NSX‑T experience, with a heavy emphasis on Distributed Firewall architecture and real‑world implementation at scale
• Full understanding of:
o DFW sections, Applied‑To models, rule ordering
o Dynamic groups, membership criteria, tags (tagging strategy is already defined)
o Services, context profiles, L7 capabilities
o Traceflow, port mirroring, IPFIX, and distributed flow logging
• Proven ability to build least‑privilege east/west segmentation policies across complex applications
• vSphere & Infrastructure Knowledge
o Strong knowledge of vCenter, ESXi, VM lifecycle, and how NSX‑T DFW integrates with hypervisor kernels
o Competent in interpreting logs and packet-level troubleshooting
• Comfortable working directly with app owners and non‑network teams to gather requirements and validate segmentation policies
• Strong documentation discipline (change plans, validation results, rollback procedures)
Nice to Have Skills & Experience
○ Familiarity with NSX‑T Policy API, PowerCLI, or Python for network automation and policy export/import
○ Experience with Aria for reporting and visibility
○ Experience with vRealize Network Insight (vRNI) for traffic analysis, specifically identifying legitimate application and network traffic patterns
Benefit packages for this role will start on the 1st day of employment and include medical, dental, and vision insurance, as well as HSA, FSA, and DCFSA account options, and 401k retirement account access with employer matching. Employees in this role are also entitled to paid sick leave and/or other paid time off as provided by applicable law.