The NSX Intelligence Recommendations feature can provide you with recommendations to help you microsegment your applications.

Generating an NSX Intelligence recommendation involves recommendations of security policies, policy security groups, and services for the application. NSX Intelligence makes the policy recommendations based on the traffic pattern of communication between virtual machines (VMs) and physical servers in your NSX environment.

You can generate an NSX Intelligence recommendation by selecting as input entities one or more groups, up to 100 VMs and physical servers, a combination of groups, VMs, and physical servers, or existing security policies. The total number of VMs and physical servers that you select directly as input cannot exceed 100. When the input includes groups, the total number of effective VMs and physical servers (the directly selected ones plus the compute members of the selected groups) cannot exceed 250.

For example, if you select 50 VMs and 50 physical servers as part of your recommendation input entities, you can only select groups with no more than 150 compute members combined.

Important:

You can only generate a new recommendation for security groups that were created in Policy mode. The security groups must have at least one of the supported member types in order for the NSX Intelligence feature to begin a recommendation analysis for those security groups. The supported member types include virtual machines, physical servers, virtual network interfaces (VIFs), logical ports, and logical switches. If at least one supported member type is present in the security group, the recommendation analysis can proceed, but unsupported member types are not considered during the recommendation analysis.

There are multiple ways to generate a recommendation using the NSX Intelligence user interface. The following procedure describes the available methods to use.

Prerequisites

  • Activate NSX Intelligence 3.2 or later on the NSX Application Platform 3.2 or later. See the Activating and Upgrading VMware NSX Intelligence 3.2 or later document.

  • Ensure that you have the required privileges to generate recommendations. See Role-Based Access Control in NSX Intelligence for more information.

Procedure

  1. From your web browser, log in with the required privileges to an NSX Manager at https://<nsx-manager-ip-address>.
  2. Initiate the generation of a new recommendation using one of the following methods.

    Where to start: Select Plan & Troubleshoot > Recommendations.

    Next step: Click Start New Recommendation.

    Where to start: Select Plan & Troubleshoot > Discover & Take Action.

    Next steps:

    1. Click the recommendation icon located on the left side of the Flows bar.
    2. Select Start Recommendations.

    Where to start: For a recommendation for one or more groups, select Plan & Troubleshoot > Discover & Take Action.

    Next steps:

    1. Verify that the Groups view is selected in the Security view selection area.

    2. Right-click the node for the group on which you want to generate a recommendation. Alternatively, select one or more group nodes using the select icon.

    3. Right-click one of the nodes in your selection and select Start Recommendation from the drop-down menu.

      Alternatively, if you used the select icon to make your selection, click the recommendation icon in the Selected panel.

    Where to start: For recommendations for VMs or physical servers, select Plan & Troubleshoot > Discover & Take Action.

    Next steps: Select at least one VM or physical server, or a combination of both.

    1. In the Security view selection area, click the down arrow next to Groups and select Computes.

    2. Click All and select specific VMs or physical servers, or a combination of both, from the Available items list. Alternatively, click All > Show All Types and select VMs or Physical Servers from the drop-down menu.

    3. Click Apply.

    4. Click the recommendation icon located on the left side of the Flows bar.

    5. Select Start Recommendations for the Filtered Computes.

      Alternatively, if you selected the compute entity nodes using the select icon, click the recommendation icon in the Selected panel.

  3. In the Start New Recommendation dialog box, change the default value for the Recommendation Name text box.

    Give a name that reflects the application for which the segmentation is being done. This name is used when creating the names of the recommended groups and rules created during the recommendation analysis.

  4. Change the default value for the Description text box to make it easier to recall the information about the recommendation.
  5. Define or modify the VMs or physical servers that are to be used as the boundary for the security policy recommendation.
    1. In the Selected Entities in Scope section, click Select Entities. If you already selected the groups, VMs, or physical servers, click the link showing the number of selected entities to modify your current selection.
    2. In the Select Entities dialog box, click Groups to select one or more groups, if you want to include them. To select the VMs or physical servers that you want to use as the boundary for the analysis, click the VMs tab or the Physical Servers tab, and make your selection.

      You can select groups and up to 100 VMs or physical servers, but no more than 250 effective compute entities to use for the recommendation boundary. Deselect the ones you do not want to include. You can also click Filter and select the attributes you want to use to filter the groups, VMs, or physical servers that you want selected. To deselect any currently selected entities, click Clear Selection.

    3. Click Save.
    4. (Optional) If the system found that there is an existing distributed firewall (DFW) section associated with the groups you selected in the previous step, in the Select Distributed FW Section dialog box, select whether you want to use the existing distributed firewall (DFW) section or create a new one. Click Save.

      The system updates the Selected Entities in Scope text box with links that indicate the number of entities that you selected. To modify your selections, click the number links.

      If you chose to use an existing DFW section during the recommendation analysis, the system indicates that under the Selected Entities in Scope text box.

  6. In the Time Range text box, optionally change the default value shown.

    The default time range value is Last 1 Month. The network traffic flows that occurred between the selected VMs or physical servers, or groups of VMs or physical servers are used during the recommendation analysis. Other values to select from are Last 1 hour, Last 12 hours, Last 24 hours, Last 1 week, or Last 2 weeks.

  7. Expand the Advanced Options section and modify the assigned default values, if necessary.

    If you are not using an existing DFW section, you can modify the default assigned values. If you chose to use an existing DFW section, the values shown in this section are obtained from that existing DFW section.

    1. In the Create Rules For drop-down menu, select the type of traffic flows to consider in the recommendation analysis. The default is All Traffic.
      • Incoming and Outgoing Traffic - Traffic flows that originate inside the application boundary and go outside it, and traffic flows that originate outside the application boundary and go inside it, are considered.

      • Incoming Traffic - Only traffic flows that originate outside of your application boundary are considered.

      • All Traffic - All outbound, inbound, and intra-application traffic flow types are considered.

      • Incoming and Intra-application Traffic - All traffic flow types that originate from outside of your application boundary and intra-application traffic are considered.

    2. From the Default Rule drop-down menu, select a connectivity strategy to use to create the default rule for the security policy. An appropriate action is set on the rule based on the value of the connectivity strategy. The default is None.
      • Denylist - Creates a default allow rule.

      • Allowlist - Creates a default drop rule.

      • None - No default rule is created.

    3. Change the default value for the Recommendation Output, if necessary.
      • Compute-Based is the default output mode used. This mode means the DFW policy recommendation that the recommendation engine generated contains groups whose members are VMs, physical servers, or both.

      • If the IP-Based recommendation output mode is selected, the generated DFW policy recommendation contains groups whose members are IPSet objects with a static list of IP addresses. An IP-based recommendation is not tightly bound to a VM. If a VM gets deleted and its IP address gets assigned to a new VM, the new VM gets assigned to the same group. NSX Intelligence also applies the existing DFW policies for the group to the new VM.

    4. Change the default value for the Group Reuse Threshold as you see fit to use when generating the rule recommendation.

      You can set the threshold percentage value from 10 through 100. The value specifies how strictly the system reuses existing compute-based groups (non-IP Set groups) to cover the detected flows that are not micro-segmented. Use this value to control whether existing groups should be reused or new groups created. The group reuse feature is applicable for any recommendation job with existing security policy or new security policy.

      Setting this value to 100 means that only compute-based groups with exactly and only the same members as the compute entities the system is seeking to group can be picked as additional rule sources or destinations. Using a very high value can result in creating more new groups, however, as existing groups are less likely to be reused in rules being modified.

      Setting this value to lower values, like 10 or 20, means that even compute-based groups with extraneous members, other than the compute entities the system is seeking to group, can be picked as additional rule sources or destinations. Using a lower value can result in an aggressive group reuse and hence fewer new groups will be recommended.

    5. If necessary, change the value for Recommendation Service Type.

      The default type is L4 Services, which is composed of the respective Layer 4 port and protocol. Alternatively, you can select L7 Context Profiles for Layer 7 context profiles.

    6. In the Exclude Flows text box, select the types of traffic flows that you want to exclude during the recommendation analysis. Click the drop-down arrow and select Multicast flows or Broadcast flows, or both flow types. The default is to exclude both flow types.
    7. To exclude the infrastructure compute entities from being included in the new recommendation analysis, toggle Exclude Infrastructure Workloads to Activated.

      When you activate this toggle, the Recommendation engine excludes all infrastructure compute entities, and the traffic flows that occurred with them, from the recommendation analysis. The Recommendation engine does not reuse groups that contain infrastructure entities. The context input does not change even if it contains infrastructure compute entities. However, the Recommendation engine does not recommend any firewall rule that has an infrastructure compute entity in the rule source or destination.

      See Managing Compute Entity Classifications in NSX Intelligence for more information.
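      The Advanced Options above describe how the recommendation engine narrows the flows it analyzes and decides whether existing groups are reused. The following Python script is an added illustration, not code from the NSX Intelligence product or from this document: it shows how a Create Rules For mode and the Exclude Flows setting filter a constructed set of flows relative to an application boundary, what default rule action each connectivity strategy implies, and how a Group Reuse Threshold of 100 versus 20 changes which existing groups qualify. The Flow record, the sample flows and groups, and the reuse metric (the percentage of a candidate group's members that belong to the target set, which the group must also fully contain) are assumptions made for this example; the page does not publish the engine's actual algorithm.

```python
import ipaddress
from dataclasses import dataclass


# Constructed flow record for this example. It is not an NSX Intelligence
# data structure; real flow records carry far more fields.
@dataclass(frozen=True)
class Flow:
    src: str      # name of the source compute entity or an external endpoint label
    dst: str      # name of the destination compute entity or an external endpoint label
    dst_ip: str   # destination IP address, used only to detect multicast/broadcast
    port: int


# "Create Rules For" options from the page, mapped to the flow directions
# (relative to the application boundary) that each option keeps.
CREATE_RULES_FOR = {
    "All Traffic": {"inbound", "outbound", "intra"},
    "Incoming Traffic": {"inbound"},
    "Incoming and Outgoing Traffic": {"inbound", "outbound"},
    "Incoming and Intra-application Traffic": {"inbound", "intra"},
}

# "Default Rule" connectivity strategies and the action of the default rule
# each one creates (Denylist -> allow, Allowlist -> drop, None -> no rule).
DEFAULT_RULE_ACTION = {"Denylist": "ALLOW", "Allowlist": "DROP", "None": None}


def classify(flow: Flow, boundary: set[str]) -> str:
    """Direction of a flow relative to the application boundary."""
    src_in, dst_in = flow.src in boundary, flow.dst in boundary
    if src_in and dst_in:
        return "intra"
    if dst_in:
        return "inbound"
    if src_in:
        return "outbound"
    return "external"   # touches no boundary entity, so never part of the analysis


def flow_kind(flow: Flow) -> str:
    """Multicast, Broadcast or Unicast, judged from the destination address."""
    ip = ipaddress.ip_address(flow.dst_ip)
    if ip.is_multicast:
        return "Multicast"
    if ip == ipaddress.ip_address("255.255.255.255"):   # limited broadcast (assumed check)
        return "Broadcast"
    return "Unicast"


def select_flows(flows, boundary, mode="All Traffic", exclude=("Multicast", "Broadcast")):
    """Flows the analysis would consider for the given Create Rules For mode and
    Exclude Flows selection (defaults are the page's defaults: All Traffic,
    multicast and broadcast excluded)."""
    keep = CREATE_RULES_FOR[mode]
    return [f for f in flows
            if classify(f, boundary) in keep and flow_kind(f) not in exclude]


def reusable_groups(existing_groups: dict[str, set[str]], target: set[str],
                    threshold: int) -> list[str]:
    """Existing compute-based groups eligible for reuse as a rule source or
    destination for `target`, under an ASSUMED metric: the group must contain
    every target member, and the percentage of its members that are targets
    must reach the Group Reuse Threshold. 100 therefore demands an exact
    membership match; lower values tolerate extraneous members."""
    if not 10 <= threshold <= 100:
        raise ValueError("Group Reuse Threshold must be between 10 and 100")
    picks = []
    for name, members in existing_groups.items():
        if members and target <= members:
            coverage = 100 * len(target) / len(members)
            if coverage >= threshold:
                picks.append(name)
    return picks


# Constructed sample data: a three-tier application boundary and some flows.
BOUNDARY = {"web-01", "app-01", "db-01"}
FLOWS = [
    Flow("client-lan", "web-01", "10.0.1.10", 443),      # inbound
    Flow("web-01", "app-01", "10.0.2.10", 8080),         # intra-application
    Flow("app-01", "db-01", "10.0.3.10", 5432),          # intra-application
    Flow("app-01", "ntp-server", "10.0.9.5", 123),       # outbound
    Flow("web-01", "mdns-group", "224.0.0.251", 5353),   # multicast
    Flow("db-01", "lan-bcast", "255.255.255.255", 137),  # broadcast
    Flow("mgmt-01", "ntp-server", "10.0.9.5", 123),      # outside the boundary
]
EXISTING_GROUPS = {
    "app-tier": {"app-01"},
    "three-tier-app": {"web-01", "app-01", "db-01"},
    "all-prod": {"web-01", "app-01", "db-01", "app-02", "db-02"},
}

if __name__ == "__main__":
    for mode in CREATE_RULES_FOR:
        print(f"{mode}: {len(select_flows(FLOWS, BOUNDARY, mode))} flows considered")
    for strategy, action in DEFAULT_RULE_ACTION.items():
        print(f"Default Rule {strategy}: {action}")
    for threshold in (100, 70, 20):
        print(f"Group Reuse Threshold {threshold}: {reusable_groups(EXISTING_GROUPS, BOUNDARY, threshold)}")
```

Running the script shows the effect the page describes: at a threshold of 100 only the group whose membership exactly matches the boundary is reused, while at 20 the larger production group with two extraneous members also qualifies, so fewer new groups would be created.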

  8. To begin the recommendation analysis, click Start Discovery.

    NSX Intelligence processes recommendation jobs serially. On average, each recommendation analysis takes three to four minutes to finish, depending on whether other recommendations are waiting to be processed. If NSX Intelligence must analyze many traffic flows, generating a recommendation can take 10 to 15 minutes.

    The Recommendations table displays the status of the recommendation jobs. The following sample screenshot shows a recommendation that is ready to publish and another that has been published.


    Screenshot of the Recommendations pane with one of the newly generated recommendations expanded to show the details.
    • You can track the status of the recommendation analysis job in the Status column of the Recommendations table. The status progresses from Waiting, to Discovery in Progress, to Ready to Publish, and Published. If the system does not generate a recommendation, the Status value gets set to No Recommendations Available. If the recommendation analysis failed for some reason, the displayed status is Failed.

      Recommendation jobs that have the Waiting status or the Discovery in Progress status can be canceled. Click the Actions menu icon and select Cancel Discovery.

      Canceling a recommendation job removes the job from the recommendation queue and its status is changed to Discovery Canceled. After a recommendation discovery is canceled, you can select Review and Rerun in the Actions menu, make any modifications to your previous input selections, and resubmit the recommendation analysis job.

      You can also select Delete from the Actions menu if a recommendation job is in the Waiting or Discovery in Progress or Discovery Canceled state. Deleting a recommendation job removes all information about the selections you made before initiating the recommendation analysis.

    • The Input Entities column lists the entities that were used to generate the recommendation. Clicking the linked text in this column displays the Selected Entities dialog box in read-only mode, where you can review the groups and their members, and any VMs that were included in the recommendation analysis.

    • The Monitoring column indicates whether changes are being monitored for the original input entities used to generate the recommendation. This feature is available for recommendations with a status of Ready to Publish, No Recommendations Available, or Failed. You can toggle the Monitoring button to On or Off. When the toggle is on, changes in the scope of the input entities or connectivity strategy are checked every hour.

    • If any changes occurred with any of the input entities used, the change-detected icon appears next to the Ready to Publish, No Recommendations Available, or Failed status. You can review the changes and rerun the recommendation. See Rerun NSX Intelligence Recommendations for more information.

    • When you click the canvas icon on the rightmost side of the recommendation row, the visualization of the selected entities is displayed in the graphical canvas under the Plan & Troubleshoot > Discover and Take Action user interface. If the recommendation status displayed is Published, when you click the canvas icon, recommended groups are displayed in the Discover and Take Action graphical canvas.

  9. When the Status value is Ready to Publish, review the generated recommendation and decide whether to publish it. See Review and Publish Generated NSX Intelligence Recommendations.