Based on the traffic scope that you selected at the time you start a recommendation analysis, the NSX Intelligence Recommendation service job selects unmicrosegmented ingress (inbound), egress (outbound), or intra-application traffic flows from and between the compute entities of the specified recommendation boundary.

The NSX Intelligence Recommendation service aggregates the flows by the service (port or protocol) on which these traffic flows are communicating. The Recommendation service groups together the sources and destinations for each of the flows for a particular service. While creating the grouping, the NSX Intelligence Recommendation service uses the user-specified threshold for matching ratio and attempts to reuse groups that exist in the NSX inventory, including those groups that fall within an existing IP set range of a group.

If the NSX Intelligence Recommendation service does not find an existing group that can satisfy the set grouping threshold, it creates a group to recommend.

Based on the value that you set for the Create Rules for option, the NSX Intelligence Recommendation service only considers the traffic flows in a specific direction when generating a recommendation rule. If the scope of the traffic flow was all traffic, incoming and outgoing, or incoming and intra-application, then the NSX Intelligence Recommendation service aggregates the traffic flows in those directions together to form the rule, based on the service.

Take the following flows, for example.

• Boundary is set using VM1 and VM2

• Groups: CG with VM1 and VM2 as members

• Groups: G3 with VM3 and VM4 as members

• Assuming Match threshold : 50%

The unsegmented traffic flows are as follows.

• VM3 to VM1 using SSH

• VM1 to VM2 using SSH

The following is the resulting microsegmentation recommendation, which is a single rule for SSH.

Source Group	Destination Group	Service	Applied-to Group
G3 + CG (existing groups reused)	CG with VM1, VM2 as members	SSH	Group CG with VM1 and VM2 as members

If the traffic flows are originating from outside the configured mask of private IP addresses, then the flows from and to such IP addresses that are not included in the private IP prefix list will be marked as “ANY”.

Consider the following unsegmented flows.

• ANY flows to VM1 using SSH

• Flows from VM1 to VM3 using SSH

• Boundary is set using VM1 and VM2

• Group defined is CG with VM1 and VM2 as members

In this case, when the ingress and egress flows are aggregated, they become ANY flows from VM1 to VM2 and VM3, using SSH.

This in turn results in the following microsegmentation rule.

Source	Destination	Service	Applied To
ANY	[VM1] in CG, [VM3] in G3	SSH	CG [VM1, VM2]