NSX is designed to address the emerging application frameworks and architectures that have heterogeneous endpoints and technology stacks. In addition to vSphere, these environments may also include other hypervisors, containers, bare metal, and public clouds.

VMware Aria Operations for Networks supports NSX deployments where the VMs are managed by VMware vCenter.

Considerations

  • VMware Aria Operations for Networks supports only the NSX-T setups in which VMware vCenter manages the ESXi hosts.
  • VMware Aria Operations for Networks supports NSGroups, NSX-T Firewall Rules, IPSets, NSX-T Logical Ports, NSX-T Logical Switches, NSX-T distributed firewall IPFIX flows, Segment, Group, and Policy Based VPN.
  • VMware Aria Operations for Networks supports both NSX-V and NSX-T deployments. When you use NSX in your queries, the results include both NSX-V and NSX-T entities. NSX Manager lists both NSX-V and NSX-T Managers. NSX Security Groups list both NSX-T and NSX-V security groups. If NSX-V or NSX-T is used instead of NSX, then only those entities are displayed. The same logic applies to the entities such as firewall rules, IPSets, and logical switches.
  • With NSX-T 2.4 release, VMware Aria Operations for Networks supports NSX Declarative Policy Management which simplifies and automate network and security configurations through outcome-driven policy statements.
    Note: Micro-segmentation for Security Group is done based on NSX Policy data. But in case there is no corresponding NSX Policy Group, the standalone NS Group is included in the Micro-segmentation analysis. For more details on NS Group, see NSX-T product documentation.
  • Ensure to add only local users in an NSX-T Federation setup.

Prerequisites

Here are the prerequisites for adding an NSX-T Manager as a data source:
  • You must have at least the Read only privilege.
  • You must add all the VMware vCenter associated with NSX-T Manager as data sources in VMware Aria Operations for Networks.
    Note: If you add the NSX-T Manager before adding VMware vCenter, then VMware Aria Operations for Networks takes around four hours to stabilize.
  • Ensure that there are no logical switches in the exclusion list in the Distributed Firewall (DFW). If there are any logical switches in this list, then the flows are not reported for any VMs attached to these logical switches.

Procedure

  1. Go to Settings > Accounts and Data Sources > Add Source.
  2. Under VMware Manager, select VMware NSX-T Manager.
  3. Provide the user credentials.
    Option Action
    Collector VM Select a collector VM from the drop-down menu.
    IP Address/FQDN Enter the IPv4 management address or the FQDN details.
    Note: Currently, VMware Aria Operations for Networks does not support IPv6 NSX-T management addresses.
    Authentication Method Select the authentication method from the drop-down menu.
    Username/Password Enter the user name and the password.
    Certificate (Principal Identity)
    • Certificate: Click Browse and upload the principal identity certificate.
    • Private Key: Click Browse and upload the principal identity private key.
      Note: VMware Aria Operations for Networks does not support encrypted principal identity private key.
    Note:
    • If you have more than one management node in a single NSX-T deployment, you must add only one node as a data source in VMware Aria Operations for Networks or use Virtual IP (VIP) (of those nodes). If you add more than one management node, then VMware Aria Operations for Networks might not function properly.
    • Ensure that you use VIP when you add NSX-T as a data source. If you add a management node IP instead of a VIP, and later if you want to add a VIP or another management node IP, then you have to delete the existing data source to add the new VIP or the Management IP.
    • Ensure that each management node in the cluster is reachable from the collector.
    • If IPFIX is not required, the user must be a local user with audit level permissions. But if IPFIX is required, the user must have one of the following permissions: enterprise_admin, network_engineer, or security_engineer.
    Note: You must add the data source using either IP address or FQDN. Do not add the data source using both IP address and FQDN.
  4. Click Validate.
  5. (Optional) Select Enable DFW IPFIX to update the IPFIX settings on NSX-T. By selecting this option, VMware Aria Operations for Networks receives DFW IPFIX flows from NSX-T. For more information on enabling IPFIX, see Enable VMware NSX-T DFW IPFIX.
    Note:
    • DFW IPFIX is not supported in the Standard Edition of NSX-T.
    • VMware Aria Operations for Networks does not support NSX-T Switch IPFIX flows.
  6. (Optional) If you want to collect latency metrics data, select Enable latency metric collection check box. If you select this option, VMware Aria Operations for Networks receives latency metrics such as VTEP - VTEP, vNIC - pNIC, pNIC - vNIC, vNIC - vNIC from NSX-T. For more information about network latency, see Network Latency Statistics.
    Note:
    • This option is available only for NSX-T 2.5 and later.
      • VTEP - VTEP is available from NSX-T 2.5 and later.
      • vNIC - pNIC, pNIC - vNIC, vNIC - vNIC are available from NSX-T 3.0.2 and later.
    • To enable latency metric collection, you must have enterprise_admin permission.
    • Ensure that the port 1991 is open on the collector to receive the latency data from the ESXi node.
  7. (Optional) To enable the flow collection from NSX Intelligence, select the Enable NSX Intelligence check box.

    NSX Intelligence provides deep packet inspection with the application layer visibility. After receiving flows from NSX Intelligence, you can see L7 (application layer) information such as App-Id.

    Note: To enable NSX Intelligence in VMware Aria Operations for Networks, you must deploy the NSX Intelligence appliance. VMware Aria Operations for Networks supports NSX Intelligence 1.2 with NSX 3.1 and later.

    NSX Intelligence takes at least 12 minutes to process and send the flow information to VMware Aria Operations for Networks.

    Note: To enable the flow collection from NSX Intelligence, you must select the Enable DFW IPFIX check box as VMware Aria Operations for Networks uses the DFW IPFIX as a primary source of flows.

    L7 information is not available for dropped flows as it is not supported by NSX Intelligence.

  8. In the Tags (Optional) key-value pair text box, enter a key and a value.

    Key-value pair could be any text. For example, you can use Layer Access as key-value pair where layer is the key and access is the value.

    • To apply the tag in all the associated entities, click the Apply above tag operations to all associated entities check box. For more details about the associated entities, see Working with Local Tags.

      If you clear the Apply above tag operations to all associated entities check box, the assigned tag is removed from all the associated entities.

  9. In the Nickname text box, enter a nickname.
  10. In the Notes (Optional) text box, add a note if necessary.
  11. Click Submit.
    Note: For NSX-T version 4.x and later, VMware Aria Operations for Networks doesn’t support VM-VM path for federation deployment and VMware Aria Operations for Networks Assurance and Verification.

Examples for Queries

Here are some examples for queries related to NSX-T:

Table 1. Queries for NSX-T
Queries Search Results
NSX-T Manager where VC Manager=10.197.53.214 NSX-T Manager where this particular VC Manager has been added as the compute manager.
NSX-T Logical Switch Lists all the NSX-T Logical switches present in the instance of VMware Aria Operations for Networks. including the details on whether it is a system-created or a user-created switch.
NSX-T Logical Ports where NSX-T Logical Switch = 'DB-Switch' Lists the NSX-T logical ports belonging to that particular NSX-T logical switch, DB-Switch.
VMs where NSX-T Security Group = 'Application-Group'

Or

VMs where NSGroup = ‘Application-Group’
Lists all the VMs in that particular security group, Application-Group.
NSX-T Firewall Rule where Action='ALLOW' Lists all the NSX-T Firewall Rules which have their action set as ALLOW.
NSX-T Firewall Rule where Destination Security Group = ‘CRM-Group’ Lists the firewall rules where the CRM-Group is the Destination Security Group. The results include both Direct Destination Security Groups and Indirect Destination Security Groups.
NSX-T Firewall Rule where Direct Destination Security Group = ‘CRM-Group’ Lists the firewall rules where the CRM-Group is the Destination Security Group. The results include only the Direct Destination Security Groups.
VMs where NSX-T Logical Port = ‘App_Port-Id-1’ Lists all the VMs which have that particular NSX-T Logical Port.
NSX-T Transport Zone Lists the VLAN and the overlay transport zone and the respective details associated with it including the type of the transport node.
Note: VMware Aria Operations for Networks does not support KVM as a data source.
NSX-T Router Lists the TIER 1 and TIER 0 routers. Click the router shown in the results to view more details associated with it including the NSX-T Edge Cluster and the HA mode.
Table 2. Queries for NSX Policy
NSX Policy Segment Lists all the NSX Policy Segments present in the instance of VMware Aria Operations for Networks.
NSX Policy Manager Lists all the NSX Policy Manages present in the instance of VMware Aria Operations for Networks.
NSX Policy Group Lists all the NSX Policy Groups present in the instance of VMware Aria Operations for Networks.
NSX Policy Firewall Lists all the NSX Policy Firewalls present in the instance of VMware Aria Operations for Networks.
NSX Policy Firewall Rule Lists all the NSX Policy Firewall Rules present in the instance of VMware Aria Operations for Networks.
NSX Policy Firewall Rule where Action = 'ALLOW' Lists all the NSX Policy Firewall Rules which have their action set as ALLOW.
NSX Policy Based VPN Lists all the NSX Policy Based VPNs present in the instance of VMware Aria Operations for Networks.
Note: If NSX-T 2.4 and VMware Cloud (VMC) are added as data sources in your VMware Aria Operations for Networks, then to get the NSX entities, you must add SDDC type = ONPREM filter in your query. For example, NSX Policy Based VPN where Tier0 = ‘’ and SDDC Type = ‘ONPREM’.

Support for NSX-T Metrics

The following table displays the VMware Aria Operations for Networks entities that support the NSX-T metrics currently and the widgets that display these metrics on the corresponding entity dashboards.
Entities Widgets on the Entity Dashboard Supported NSX-T Metrics
Logical Switch

Logical Switch Packet Metrics

Logical Switch Byte Metrics

Multicast and Broadcast Rx

Multicast and Broadcast Tx

Unicast Rx

Unicast Tx

Dropped Rx

Dropped Tx

Rx Packets (Total)

Tx Packets (Total)

Logical Port

Logical Port Packet Metrics

Logical Port Byte Metrics

Multicast and Broadcast Rx

Multicast and Broadcast Tx

Unicast Rx

Unicast Tx

Rx Packets (Total)

Tx Packets (Total)

Router Interface

Router Interface Metrics

Rx Packets

Tx Packets

Dropped Rx Packets

Dropped Tx Packets

Rx Bytes

Tx Bytes

Firewall Rule

Firewall Rule Metrics

Hit Count

Flow Bytes

Flow Packets

Here are some sample queries for NSX Metrics:
  • nsx-t logical switch where Rx Packet Drops > 0

    This query lists all the logical switches where the count of the dropped received packets is greater than 0.

  • nsx-t logical port where Tx Packet Drops > 0

    This query lists all the logical ports where the count of the dropped transmitted packets is greater than 0.

  • top 10 nsx-t firewall rules order by Connection count

    This query lists the top 10 firewall rules based on the connection count(Hit Count).

Security Planning for NSX-T

To plan security for the NSX-T network, you can select the scope as NSXT Layer2 Network and use the following query:
plan NSX-T Layer2 Network ‘<NAME_OF_NSX_T_LOGICAL_SEGMENT>’
You can also obtain the same result by performing the following steps:
  1. Select Plan & Assess > Security Planning from the left navigation from.
  2. Select either NSX-T L2 Network or NSX Policy Segment as the scope from the drop-down menu.
Note: NSX related entities such as NSX-T L2 Network and NSX Policy Segment are available in the scope. You can use these NSX related entities for security planning.