NSX Cloud supports the use of third-party services in your public cloud for NSX-managed workload VMs in the NSX Enforced Mode.

NSX Cloud supports Service Insertion for the following:
  • North-south traffic from workload VMs via a service appliance hosted in a Transit VPC/VNet..
  • VPN traffic from the PCG to an on-prem edge or gateway. This traffic can be routed via a service appliance in a Transit VPC/VNet as well.

Here is an overview of the configurations to allow service insertion for your NSX-managed workload VMs.

Table 1. Overview of configurations required for service insertion for NSX-managed workload VMs in the NSX Enforced Mode.
Frequency Task Instructions
Follow these instructions for the initial setup if you want to set up service insertion for north-south traffic. Set up the service appliance in your public cloud preferably in a Transit VPC or VNet (where you have deployed the PCG. See instructions specific to the third-party service appliance and the public cloud.
Register the third-party service in NSX-T Data Center. See Create the Service Definition and a Corresponding Virtual Endpoint
Create a virtual instance endpoint of the service using a /32 Virtual Service IP address (VSIP) to be used only for service insertion by the service appliance. The VSIP should not conflict with the CIDR range of VPCs or VNets. This VSIP is advertised over BGP to the PCG. See Create the Service Definition and a Corresponding Virtual Endpoint
Create an IPSec VPN tunnel between the service appliance and the PCG. See Set up an IPSec VPN Session
Configure BGP between the PCG and the service appliance and advertise the VSIP from the service appliance and the default route (0.0.0.0/0) from the PCG. See Configure BGP and Route Redistribution
Follow these instructions for the initial setup for VPN traffic from the public cloud to on-prem. Create a VPN tunnel between the PCG and the on-prem edge or gateway. See Set up VPN in the NSX Enforced Mode.
Follow these instructions for both types of service insertion as part of the initial setup. Create a lowest priority default catch-all rule with the action set to Do Not Redirect. This ensures that no packets are redirected on the VTI interface of the PCG and the Service Appliance. See Set up Redirection Rules.
Follow these instructions as and when necessary for each type of service insertion use case.

After the one-time configurations are complete, set up redirection rules to reroute selective traffic from NSX-managed workload VMs to the VSIP. These rules are applied to the uplink port of the PCG for north-south service insertion and to the VTI interface of the PCG for traffic to on-prem.

See Set up Redirection Rules.