VMware vShield Zones firewall blocks traffic between VM and vSwitch

Posted on 7:18 PM by Bharathvn

I configured a vShield Zones firewall rule to block traffic between virtual machines on the same vSwitch, but the traffic is not being blocked.

Details

vShield Zones blocks traffic according to trust zones. A trust zone is a set of two or more networks that are separated by a Layer 3 or Layer 4 device. For vShield Zones to block traffic, the traffic must be routed between two separate networks. If the traffic is between two virtual machines on the same vSwitch, the vShield agent protecting the vSwitch detects the traffic but cannot block it, because the traffic never leaves the vSwitch and so never passes through the agent's enforcement point.

Solution

To block traffic between virtual machines on the same vSwitch, you can separate the virtual machines by using different subnets, such as different VLANs. When VLANs are used, the traffic must exit the vSwitch to the network device that handles the VLAN identification. After VLAN identification is complete, the traffic is routed back to the vSwitch, and can then be blocked by the vShield agent.
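The following is an added example, not code from the original post or from VMware: a small model of where the vShield agent sits (inline between a vSwitch and its uplink) that audits whether a block rule between two VMs can be enforced, before and after moving one VM to a separate VLAN. All VM names, vSwitch names, VLAN IDs and rules are constructed for illustration.

```python
"""Audit vShield Zones block rules against the forwarding path of each VM pair.

Model (an assumption of this example): the agent is inline between a vSwitch
and its physical uplink, so it only sees frames that leave the vSwitch.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class VM:
    name: str
    vswitch: str  # vSwitch the vNIC is attached to
    vlan: int     # VLAN ID of its port group (0 = no VLAN tag)


def path_crosses_agent(src: VM, dst: VM) -> bool:
    """True if a frame from src to dst must exit the vSwitch (and so hits the agent)."""
    if src.vswitch != dst.vswitch:
        return True            # reaching another vSwitch needs the uplink
    # Same vSwitch: same VLAN is switched locally (never inspected); different
    # VLANs force the frame out to the external L3 device and back through the agent.
    return src.vlan != dst.vlan


def audit_rules(vms: dict, rules: list) -> list:
    """Return (src, dst, enforceable) for every 'block src -> dst' rule."""
    return [(s, d, path_crosses_agent(vms[s], vms[d])) for s, d in rules]


def unenforceable(vms: dict, rules: list) -> list:
    """Rules whose traffic never reaches the agent: these silently have no effect."""
    return [(s, d) for s, d, ok in audit_rules(vms, rules) if not ok]


# Constructed sample: the situation from the post, then the VLAN-separated fix.
BEFORE = {"web01": VM("web01", "vSwitch1", 10), "db01": VM("db01", "vSwitch1", 10)}
AFTER = {"web01": VM("web01", "vSwitch1", 10), "db01": VM("db01", "vSwitch1", 20)}
RULES = [("web01", "db01")]

if __name__ == "__main__":
    print("before:", unenforceable(BEFORE, RULES))  # the rule cannot take effect
    print("after: ", unenforceable(AFTER, RULES))   # empty: traffic now exits the vSwitch
```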