The NSX Manager provides a web-based user interface where you can manage the NSX-T environment. It also hosts the API server that processes API calls.

The NSX Manager web interface provides two methods of configuring resources.

  • The Policy interface: the Networking, Security, Inventory, and Plan & Troubleshoot tabs.
  • The Advanced interface: the Advanced Networking & Security tab.

When to Use Policy or Advanced Interfaces

Be consistent about which user interface you use. There are a few reasons to use one user interface over another.

  • If you are deploying a new environment with NSX-T Data Center 2.4 or later, using the new policy-based user interface to create and manage your environment is the best choice in most situations.
    • Some features are not available in the policy-based user interface. If you need these features, use the Advanced user interface for all configurations.
  • If you are upgrading to NSX-T Data Center 2.4 or later, continue to make configuration changes using the Advanced Networking & Security user interface.
Table 1. When to Use Policy or Advanced Interfaces
Policy Interface Advanced Interface
Most new deployments should use the policy-based interface. Deployments which were created using the advanced interface, for example, upgrades from versions before the policy-based interface was present.
NSX Cloud deployments Deployments which integrate with other plugins. For example, NSX Container Plug-in, Openstack, and other cloud management platforms.
Networking features available in the Policy interface only:
  • DNS Services and DNS Zones
  • VPN
  • Forwarding policies for NSX Cloud
Networking features available in the Advanced interface only:
  • Layer 3 forwarding for IPv4 and IPv6
  • Forwarding up timer
  • Change internal transit network IP
  • VIP HA support on Tier-0
  • Standby relocation
  • Route advertisement filtering based on list of prefixes on Tier-1
  • Loopback creation
  • BGP multihop
  • BGP source addresses
  • Static routes with BFD and interface as next-hop
  • Metadata proxy
  • DHCP server attached to an isolated segment and static binding
Security features available in the Policy interface only:
  • Endpoint Protection
  • Network Introspection (East-West Service Insertion)
  • Context Profiles
    • L7 applications
    • FQDN
  • New Distributed Firewall and Gateway Firewall Layout
    • Categories
    • Auto service rules
Security features available in the Advanced interface only:
  • Ability to enable or disable Distributed Firewall, Identity Firewall, and Gateway Firewall
  • Distributed Firewall session timers
  • Exclusion lists
  • CPU and memory thresholds
  • Sections for stateless rules
  • Bridge Firewall
  • Section Locking
  • Distributed Firewall rule IDs
  • Distributed Firewall rules based on IPs in source and destination

Using the Policy Interface

If you decide to use the policy interface, use it to create all objects. Do not use the advanced interface to create objects.

You can use the advanced interface to modify objects that have been created in the policy interface. The settings for a policy-created object might include a link for Advanced Configuration. This link takes you to the advanced interface where you can fine-tune the configuration. You can also view policy-created objects in the advanced interface directly. Settings that are managed by policy but are visible in the advanced interface have this icon next to them: . You cannot modify them from the advanced user interface.

Where to Find the Policy Interfaces and Advanced Interfaces

The policy-based and advanced interfaces appear in different parts of the NSX Manager user interface, and use different API URIs.

Table 2. Policy Interfaces and Advanced Interfaces
Policy Interface Advanced Interface
  • Networking tab
  • Security tab
  • Inventory tab
  • Plan & Troubleshoot tab
Advanced Networking & Security tab
API URIs that begin with /policy/api API URIs that begin with /api
Note: The System tab is used for all environments. If you modify Edge nodes, Edge clusters, or transport zones, it can take up to 5 minutes for those changes to be visible on the policy-based user interface. You can synchronize immediately using POST /policy/api/v1/infra/sites/default/enforcement-points/default?action=reload.

For more information about using the policy API, see the NSX-T Policy API Getting Started Guide.

Names for Objects Created in the Policy and Advanced Interfaces

The objects you create have different names depending on which interface was used to create them.

Table 3. Object Names
Objects Created Using the Policy Interface Objects Created Using the Advanced Interface
Segment Logical switch
Tier-1 gateway Tier-1 logical router
Tier-0 gateway Tier-0 logical router
Group NSGroup, IP Sets, MAC Sets
Security Policy Firewall section
Rule Firewall rule
Gateway firewall Edge firewall