Based on the traffic scope that you selected at the time you start a recommendation analysis, the NSX Intelligence Recommendation service job selects unmicrosegmented ingress (inbound), egress (outbound), or intra-application traffic flows from and between the compute entities of the specified recommendation boundary.
The NSX Intelligence Recommendation service aggregates the flows by the service (port or protocol) on which these traffic flows are communicating. The Recommendation service groups together the sources and destinations for each of the flows for a particular service. While creating the grouping, the NSX Intelligence Recommendation service uses the user-specified threshold for matching ratio and attempts to reuse groups that exist in the NSX inventory, including those groups that fall within an existing IP set range of a group.
If the NSX Intelligence Recommendation service does not find an existing group that can satisfy the set grouping threshold, it creates a group to recommend.
Based on the value that you set for the Create Rules for option, the NSX Intelligence Recommendation service only considers the traffic flows in a specific direction when generating a recommendation rule. If the scope of the traffic flow was all traffic, incoming and outgoing, or incoming and intra-application, then the NSX Intelligence Recommendation service aggregates the traffic flows in those directions together to form the rule, based on the service.
Take the following flows, for example.
Boundary is set using VM1 and VM2
Groups: CG with VM1 and VM2 as members
Groups: G3 with VM3 and VM4 as members
Assuming Match threshold : 50%
The unsegmented traffic flows are as follows.
VM3 to VM1 using SSH
VM1 to VM2 using SSH
The following is the resulting microsegmentation recommendation, which is a single rule for SSH.
Source Group |
Destination Group |
Service |
Applied-to Group |
---|---|---|---|
G3 + CG (existing groups reused) |
CG with VM1, VM2 as members |
SSH |
Group CG with VM1 and VM2 as members |
If the traffic flows are originating from outside the configured mask of private IP addresses, then the flows from and to such IP addresses that are not included in the private IP prefix list will be marked as “ANY”.
Consider the following unsegmented flows.
ANY flows to VM1 using SSH
Flows from VM1 to VM3 using SSH
Boundary is set using VM1 and VM2
Group defined is CG with VM1 and VM2 as members
In this case, when the ingress and egress flows are aggregated, they become ANY flows from VM1 to VM2 and VM3, using SSH.
This in turn results in the following microsegmentation rule.
Source |
Destination |
Service |
Applied To |
---|---|---|---|
ANY |
[VM1] in CG, [VM3] in G3 |
SSH |
CG [VM1, VM2] |
All the rules are always applied only to the members of the recommendation boundary that you had specified before generating the recommendation. The reason aggregation is used is to reduce the number of rules that would result based on the service.