Set up redirection rules to send traffic to third-party services inserted at a Tier-0 or Tier-1 router.


  • Register and deploy third-party services on NSX-T.
  • Configure Tier-0 or Tier-1 router.


  1. With admin privileges, log in to NSX Manager.
  2. Select Security > North South Security > Network Introspection (N-S) > Add Policy.
    A policy section is similar to a firewall section where you define rules that determine how traffics flows.
  3. Set Redirection To field for a service instance or a service chain to a Tier-0 or Tier-1 logical router to perform network introspection of traffic flowing between source and destination entities.
  4. To add a policy, click Publish.
  5. Click the vertical ellipsis on a section and click Add Rule.
  6. Edit the Source field to add a group by defining membership criteria, static members, IP/MAC addresses, or active directory groups. Membership criteria can be defined from one of these types: Virtual Machine, Logical Switch, Logical Port, IP Set. You can select static members from one of these categories: Group, Segment, Segment Port, Virtual Network Interface, or Virtual Machine.
  7. Click Save.
  8. To add a destination group, edit the Destination field.
  9. In the Applied To field, you can do one of the following:
    • For a service inserted at Tier-0 logical router, select the uplink of Tier-0 router.
    • For a service inserted at Tier-1 logical router, you do not need to select any uplinks.
  10. Each rule can be enabled individually. After you enable a rule, it is applied to the traffic that matches the rule.
  11. Click Advanced Settings to configure the traffic direction and to enable logging.
  12. In the Action field, select Redirect to redirect traffic along the service instance or Do Not Redirect not to apply network introspection on the traffic.
  13. Click Publish.
  14. To revert a published rule, select a rule and click Revert.
  15. To add a policy, click + Add Policy.
  16. To clone a policy or a rule, select the policy or rule and click Clone.
  17. To enable a rule, enable the Enable/Disable icon or select the rule and from the menu click Enable > Enable Rule.
  18. After enabling or deactivating a rule, to enforce the rule, click Publish.


Based on the actions set, NSX-T redirects north-south traffic to the service instance for network introspection.

Traffic on NSX Edge nodes is redirected to a service path for traffic introspection. After the service path introspects traffic, packets are sent to their original destination.

Starting in NSX-T 3.2, north-south traffic redirected to a service chain can use multiple service paths for load balancing. NSX-T selects one of the optimal service paths currently available to serve each new traffic flow. Each flow is pinned to a single path. Different flows can use different paths based on round robin policy. North-South service chaining can use a maximum number of 16 service paths.