You must set up a default redirection rule as part of the initial setup for service insertion.

After the initial setup is completed, you can create and edit redirection rules as necessary for rerouting different types of traffic for your NSX-managed workload VMs through the service appliance.

These are the two types of redirection rules:
  1. As part of the initial service insertion setup, you must create a catch-all rule that prevents redirection of traffic on the VTI interface of the VPN tunnel between the PCG and the service appliance. This rule must have the lowest possible priority and must be created for both service insertion use cases.
  2. The second rule redirects specific traffic to the service appliance. You can adjust this rule and add others as necessary.

Procedure

  1. To add the default catch-all rule to complete the one-time setup, follow these steps:
    1. Navigate to Security > North South Firewall > Network Introspection (N-S).
    2. Click Add Policy and set the following options:
      Name: Provide a descriptive name, for example, Default_No-Redirect-Policy.
      Redirect To: Select the name of the Virtual Endpoint you created for this service appliance when registering the service.
      Apply To: Select the PCG's tier-0 gateway.
    3. Select the new policy and click Add Rule. Note the following values specific to service insertion:
      Sources: Any
      Destinations: Any
      Applied To: Select the VTI interface between the PCG and the service appliance.
      Action: Select Do Not Redirect.
    Important: This rule must have the lowest possible priority.
  2. For the second rule, follow these steps:
    1. Navigate to Security > North South Firewall > Network Introspection (N-S).
    2. Click Add Policy and set the following options:
      Name: Provide a descriptive name for the policy, for example, On-Prem Service Insertion for AWS VMs or North-south Service Insertion for Azure VMs.
      Redirect To: Select the name of the Virtual Endpoint you created for this service appliance when registering the service.
      Apply To: Select the PCG's tier-0 gateway.
    3. Select the new policy and click Add Rule. Note the following values specific to service insertion:
      Sources: Select a group of subnets whose traffic must be redirected, for example, a group of your NSX-managed workload VMs.
      Destinations: Select a list of destination IP addresses or services, such as YouTube, that you want to route through the service appliance.
      Applied To:
      • If you are using north-south service insertion with the service appliance in the public cloud: select the uplink port of the active and standby PCG.
      • If you are using VPN traffic to on-prem: select the VTI interface of the active and standby PCG to the on-prem service appliance.
      Action: Select Redirect.
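The ordering constraint above (the Any/Any Do Not Redirect rule on the VTI must sit below every redirect rule) is easy to get wrong when rules are added later. The following added example, which is not part of the NSX documentation or product, checks a rule set for that constraint; the RedirectionRule fields and the "VTI" / "PCG_UPLINK" labels are a constructed, simplified representation, not the NSX Policy API schema.

```python
from dataclasses import dataclass

ANY = "ANY"  # constructed label for "Any" in the Sources/Destinations fields


@dataclass(frozen=True)
class RedirectionRule:
    """Simplified, constructed view of one Network Introspection (N-S) rule."""
    name: str
    sources: str        # ANY or the name of a group of workload subnets
    destinations: str   # ANY or a destination IP group / service name
    applied_to: str     # "VTI" (tunnel to the appliance) or "PCG_UPLINK"
    action: str         # "REDIRECT" or "DO_NOT_REDIRECT"
    sequence: int       # evaluation order: lower number = higher priority


def is_catch_all(rule: RedirectionRule) -> bool:
    """The mandatory one-time rule: Any/Any on the VTI, Do Not Redirect."""
    return (rule.sources == ANY and rule.destinations == ANY
            and rule.applied_to == "VTI" and rule.action == "DO_NOT_REDIRECT")


def validate_rules(rules: list[RedirectionRule]) -> list[str]:
    """Return the problems found; an empty list means the rule set satisfies
    the constraints of the procedure above."""
    problems = []
    catch_alls = [r for r in rules if is_catch_all(r)]
    if len(catch_alls) != 1:
        problems.append(
            f"expected exactly one catch-all VTI rule, found {len(catch_alls)}")
        return problems
    catch_all = catch_alls[0]
    for r in rules:
        if r is catch_all:
            continue
        # The catch-all must have the lowest priority, i.e. the highest
        # sequence number, so every other rule is evaluated before it.
        if r.sequence >= catch_all.sequence:
            problems.append(f"rule {r.name!r} is not above the catch-all rule")
        # Redirect rules are applied either to the PCG uplink (public-cloud
        # appliance) or to the VTI (on-prem appliance over VPN).
        if r.action == "REDIRECT" and r.applied_to not in ("VTI", "PCG_UPLINK"):
            problems.append(f"rule {r.name!r} is applied to an unexpected interface")
    return problems
```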