The NSX Intelligence Recommendations feature can provide you with recommendations to help you micro-segment your applications.

An NSX Intelligence recommendation proposes security policies, policy security groups, and services for an application. The recommendations are derived from the observed traffic pattern of communication between virtual machines (VMs) and physical servers in your NSX-T Data Center.

You can generate a recommendation by selecting, as input entities, up to one group, up to 100 VMs and physical servers, or a combination of one group plus VMs and physical servers. The total number of directly selected VMs and physical servers cannot exceed 100. When the input includes a group, the total number of effective VMs and physical servers (the group's compute members plus the directly selected VMs and physical servers) cannot exceed 250.

For example, if you select 50 VMs and 50 physical servers as part of your recommendation input entities, you can only select a group with no more than 150 compute members.

Important: You can only generate a new recommendation for a security group that was created in Policy mode. The security group must have at least one of the supported member types in order for NSX Intelligence to begin a recommendation analysis for that security group. The supported member types include virtual machines, physical servers, virtual network interfaces (VIFs), logical ports, and logical switches. If at least one supported member type is present in the security group, the recommendation analysis can proceed, but unsupported member types are not considered during the recommendation analysis.
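The input limits and the supported-member-type rule above can be checked before a recommendation is started, so that an over-sized or unsupported scope is caught up front rather than after a failed analysis. The following pre-check is an added illustration, not NSX Intelligence code: the member type names, the data layout, and the assumption that only VM and physical-server members count toward the 250 effective compute limit (and that an entity selected both directly and through the group is counted once) are assumptions made for this example. It reproduces the worked example in the text (50 VMs + 50 physical servers leave room for a group of 150 compute members).

```python
"""Pre-check for an NSX Intelligence recommendation input scope.

Added example, not NSX Intelligence code. Models the limits stated in the
documentation: at most one group, at most 100 directly selected VMs and
physical servers, at most 250 effective compute entities, and a group must
contain at least one supported member type. Member type names are assumed.
"""
from dataclasses import dataclass, field

# Member types the recommendation analysis considers (from the text).
SUPPORTED_MEMBER_TYPES = {
    "VirtualMachine", "PhysicalServer", "VIF", "LogicalPort", "LogicalSwitch",
}
# Assumption: only VMs and physical servers count toward the 250 limit,
# since the text speaks of "effective VMs and physical servers".
COMPUTE_MEMBER_TYPES = {"VirtualMachine", "PhysicalServer"}

MAX_GROUPS = 1
MAX_DIRECT_COMPUTES = 100
MAX_EFFECTIVE_COMPUTES = 250


@dataclass
class Group:
    name: str
    members: list = field(default_factory=list)  # (member_id, member_type) pairs


@dataclass
class ScopeCheck:
    ok: bool
    effective_computes: int
    ignored_members: list   # group members the analysis would not consider
    errors: list            # human-readable limit violations


def check_scope(groups, vms, physical_servers):
    """Validate a proposed scope against the documented limits."""
    errors, ignored = [], []

    if len(groups) > MAX_GROUPS:
        errors.append(f"at most {MAX_GROUPS} group may be selected, got {len(groups)}")

    direct = len(set(vms)) + len(set(physical_servers))
    if direct > MAX_DIRECT_COMPUTES:
        errors.append(f"at most {MAX_DIRECT_COMPUTES} VMs and physical servers may be "
                      f"selected directly, got {direct}")

    # Assumption: an entity selected directly and via the group counts once.
    effective_ids = set(vms) | set(physical_servers)
    for g in groups:
        supported = [m for m in g.members if m[1] in SUPPORTED_MEMBER_TYPES]
        if not supported:
            errors.append(f"group {g.name!r} has no supported member type; "
                          "recommendation analysis cannot start")
        ignored.extend(m for m in g.members if m[1] not in SUPPORTED_MEMBER_TYPES)
        effective_ids |= {mid for mid, mtype in supported if mtype in COMPUTE_MEMBER_TYPES}

    effective = len(effective_ids)
    if effective > MAX_EFFECTIVE_COMPUTES:
        errors.append(f"effective compute entities {effective} exceed {MAX_EFFECTIVE_COMPUTES}")

    return ScopeCheck(not errors, effective, ignored, errors)


def build_sample_scope(group_size, n_vms, n_servers, extra_unsupported=0):
    """Constructed sample input mirroring the worked example in the text."""
    vms = [f"vm-{i}" for i in range(n_vms)]
    servers = [f"ps-{i}" for i in range(n_servers)]
    members = [(f"grp-vm-{i}", "VirtualMachine") for i in range(group_size)]
    # "IPSet" is an assumed name for a member type the analysis ignores.
    members += [(f"ipset-{i}", "IPSet") for i in range(extra_unsupported)]
    return [Group("app-tier", members)], vms, servers


if __name__ == "__main__":
    # 50 VMs + 50 physical servers + a 150-member group: exactly at the limit.
    print(check_scope(*build_sample_scope(150, 50, 50, extra_unsupported=2)))
    # One more compute member in the group pushes the scope over 250.
    print(check_scope(*build_sample_scope(151, 50, 50)).errors)
```

Running the module prints a passing check for the 50/50/150 case (with the two unsupported members listed as ignored) and a limit violation for the 151-member group.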

There are multiple ways to generate a recommendation using the NSX Intelligence user interface. The following procedure describes the available methods to use.

Prerequisites

  • Install NSX Intelligence. See the Installing and Upgrading VMware NSX Intelligence document.
  • Ensure you have the required privileges to generate recommendations. See Role-Based Access Control in NSX Intelligence for more information.

Procedure

  1. From your browser, log in with the required privileges to an NSX Manager at https://<nsx-manager-ip-address>.
  2. Initiate the generation of a new recommendation using one of the following methods.
     Where to start: Select Plan & Troubleshoot > Recommendations.
     Next step: Click Start New Recommendation.

     Where to start (recommendations for a group): Select Plan & Troubleshoot > Discover & Take Action.
     Next steps:
       1. Verify the Groups view is selected in the Security view selection area.
       2. Right-click the node for the group on which you want to generate a recommendation.
       3. Select Start Recommendation from the drop-down menu.

     Where to start (recommendations for VMs or physical servers): Select Plan & Troubleshoot > Discover & Take Action. Select at least one VM or physical server, or a combination of both.
     Next steps:
       1. In the Security view selection area, click the down arrow next to Groups and select Computes.
       2. Click Show All Types and select VMs or Physical Servers. Alternatively, from the Available Items list, select specific VMs or physical servers.
       3. Click Apply.
       4. Click the recommendation wand icon on the left side of the Flows bar.
       5. Select Start Recommendations for the Filtered Computes.
  3. In the Start New Recommendation wizard, change the default value for the Recommendation Name text box.
    Give a name that reflects the application for which the segmentation is being done. The name is used as the prefix for the names of all the recommended groups and rules created during the recommendation analysis.
  4. Change the default value for the Description text box to make it easier to recall the information about the recommendation.
  5. Define or modify the VMs or physical servers that are to be used as the boundary for the security policy recommendation.
    1. In Selected Entities in Scope, click Select Entities. If you already selected the group, VMs, or physical servers, click the link to the number of groups, VMs, or physical servers to modify your current selection.
    2. In the Select Entities dialog box, click Groups to select up to one group, if you want to include one. To select the VMs or physical servers that you want to use as the boundary for the analysis, click the VMs tab or the Physical Servers tab, and make your selection.
      You can select up to one group and up to 100 VMs or physical servers, but no more than 250 effective compute entities to use for the recommendation boundary. Deselect the ones you do not want included. You can also click Filter and select the attributes to use to filter the group, VMs, or physical servers that you want selected.
    3. Click Save.
      You are taken back to the Start New Recommendation wizard. The number of selected groups, VMs, physical servers, or a combination of those entities is indicated in Selected Entities in Scope.
  6. Back in the Start New Recommendation wizard, from the Traffic Considered drop-down menu, select the type of traffic flows to consider in the recommendation analysis. The default is All Traffic.
    • All Traffic - All outbound, inbound, and intra-application traffic flow types are considered.
    • Incoming and Outgoing - All inbound and outbound traffic flows that cross your application boundary are considered.
    • Incoming Traffic - Only traffic flows that originate outside of your application boundary are considered.
  7. From the Connectivity Strategy drop-down menu, select the connectivity strategy to use to create the default rule for the security policy.
    • Allowlist - Creates a default drop rule.
    • Denylist - Creates a default allow rule.
    • None - No default rule is created.
  8. Expand Advanced Options and change the default value for the Recommendation Output, if necessary.
    The default output mode used is Object Based, which means the DFW policy recommendation that is generated contains groups whose members are VMs, physical server entities, or both. If the IP Based recommendation output mode is selected, the DFW policy recommendation that is generated contains groups whose members are IPset objects. An IP-based recommendation is not tightly bound to a VM. If a VM is deleted and its IP address is assigned to a new VM, the new VM gets assigned to the same group. The DFW policies for the group are applied to the new VM also.
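The difference between the two output modes matters operationally: an object-based group follows the VM's identity, while an IP-based group follows the address, so a reused address silently brings an unrelated new VM under the old policy. The following simulation is an added example, not NSX code: the VM inventory, the identity field, the group classes and the IP-reuse scenario are all constructed for this illustration.

```python
"""Object Based vs IP Based recommendation output, illustrated.

Added example, not NSX code. Two toy group types model how a recommended
DFW group can identify its members, and a constructed scenario shows what
happens when a VM is deleted and its IP address is reassigned to a new VM.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class VM:
    vm_id: str   # assumed stable inventory identity (e.g. an instance UUID)
    ip: str


class ObjectBasedGroup:
    """Members are VM objects; membership follows the VM identity."""

    def __init__(self, vm_ids):
        self.vm_ids = set(vm_ids)

    def matches(self, vm):
        return vm.vm_id in self.vm_ids


class IPBasedGroup:
    """Members are an IP set; membership follows the address, not the VM."""

    def __init__(self, cidrs):
        self.nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]

    def matches(self, vm):
        addr = ipaddress.ip_address(vm.ip)
        return any(addr in net for net in self.nets)


def policy_applies(group, inventory):
    """Return the ids of inventory VMs to which the group's DFW rules apply."""
    return sorted(vm.vm_id for vm in inventory if group.matches(vm))


def simulate_ip_reuse():
    """Constructed scenario: web-1 is deleted and an unrelated VM receives its IP."""
    web1 = VM("vm-1001", "10.0.1.10")
    web2 = VM("vm-1002", "10.0.1.11")
    obj_group = ObjectBasedGroup([web1.vm_id, web2.vm_id])
    ip_group = IPBasedGroup(["10.0.1.10/32", "10.0.1.11/32"])

    before = [web1, web2]
    newcomer = VM("vm-2001", "10.0.1.10")   # reuses web1's address
    after = [web2, newcomer]

    return {
        "object_before": policy_applies(obj_group, before),
        "object_after": policy_applies(obj_group, after),   # newcomer excluded
        "ip_before": policy_applies(ip_group, before),
        "ip_after": policy_applies(ip_group, after),        # newcomer included
    }


if __name__ == "__main__":
    for key, members in simulate_ip_reuse().items():
        print(f"{key}: {members}")
```

After the IP reuse, the object-based group's rules apply only to vm-1002, whereas the IP-based group's rules also apply to vm-2001; that inheritance is the behaviour the text describes and the reason an IP-based recommendation needs periodic review of which workloads actually hold the addresses.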
  9. If necessary, change the value for Recommendation Service Type.
    The default type is L4 Services, which is composed of the respective Layer 4 port and protocol. Alternatively, you can select L7 Context Profiles.
  10. If you want, change the current Time Range value to use to generate the recommendation.
    The default time range value is Last 1 Month. The network traffic flows that occurred during that time range between the selected VMs, physical servers, or group members are used in the recommendation analysis. Other values to select from are Last 12 hours, Last 24 hours, Last 1 week, or Last 1 month.
  11. To begin the recommendation analysis, click Start Discovery.
    Recommendations are processed serially. On average, each recommendation takes 3 to 4 minutes to finish, depending on whether other recommendations are waiting to be processed. If a large number of traffic flows between VMs and physical servers must be analyzed, generating a recommendation can take 10 to 15 minutes.
    The recommendations that are initiated are listed in the Recommendations table, similar to what is shown in the following screenshot.

    • The statuses of the recommendation analysis can be tracked in the Status column of the Recommendations table. The status progresses from Waiting, to Discovery In Progress, and to Ready to Publish. If no recommendation was generated, the Status value is set to No Recommendations Available. If the recommendation analysis failed for some reason, the Failed status is displayed.
    • The Input Entities column lists the entities that were used to generate the recommendation. Clicking the linked text in this column displays the Selected Entities dialog box in read-only mode.
    • The Recommended Entities column lists the links to the security policy rules, policy security groups, and services recommended based on the network traffic flows and input boundary.
    • The Monitoring column indicates whether changes are being monitored for the original input entities used to generate the recommendation. This feature is available for recommendations with a status of Ready to Publish, No Recommendations Available, or Failed. You can toggle the Monitoring button on or off. When the toggle is on, changes in the scope of the input entities are checked every hour.
    • If any changes occurred with any of the input entities used, the change detected icon appears next to the Ready to Publish, No Recommendations Available, or Failed status. You can review the changes and rerun the recommendation. See Rerun NSX Intelligence Recommendations for more information.
    • When you click the canvas icon on the rightmost side of the recommendation row, the visualization of the selected entities is displayed in the graphical canvas under the Plan & Troubleshoot > Discover & Take Action user interface.
  12. When the Status value is Ready to Publish, review the generated recommendation and decide whether to publish it. See Review and Publish Generated NSX Intelligence Recommendations.