Traffic flowing between guest VMs in an on-premises data center is protected by third-party services provided by partners. The following concepts aid your understanding of the workflow.
- Service: Partners register services with NSX-T Data Center. A service represents the security functionality offered by the partner, together with service deployment details such as the OVF URL of the service VMs, the point at which the service is attached, and the state of the service. When a notification is generated for a service, NSX-T Data Center notifies the partner after a time interval of 30 seconds.
- Vendor Template: Consists of the functionality that a service can perform on network traffic. Partners define vendor templates. For example, a vendor template can provide a network operation service such as tunneling with IPSec.
- Service Profile: An instance of a vendor template. An NSX-T Data Center administrator can create a service profile to be consumed by service VMs.
- Guest VM: A source or destination of traffic in the network. Its incoming or outgoing traffic is introspected by the service chain defined for a rule that runs east-west network services.
- Service VM: A VM that runs the OVA or OVF appliance specified by a service. It is connected over the service plane to receive redirected traffic.
- Service Instance: Created when a service is deployed on a host. Each service instance has a corresponding service VM.
- Service Segment: A segment of the service plane that is associated with a transport zone. Each service attachment is separated from other service attachments and from the regular L2 or L3 network segments provided by NSX-T Data Center. The service plane manages service attachments.
- Service Manager: The partner's service manager, which points to a set of services.
- Service Chain: A logical sequence of service profiles defined by an administrator. Service profiles introspect network traffic in the order defined in the service chain; for example, the first service profile is a firewall, the second is a monitor, and so on. A service chain can specify a different sequence of service profiles for each direction of traffic (egress/ingress).
- Redirection Policy: Ensures that traffic classified for a specific service chain is redirected to that service chain. It is based on traffic patterns that match an NSX-T Data Center security group and a service chain. All traffic matching the pattern is redirected along the service chain.
- Service Path: A sequence of service VMs that implement the service profiles of a service chain. An administrator defines the service chain, which consists of a pre-defined order of service profiles. NSX-T Data Center generates multiple service paths from a service chain based on the number and locations of guest VMs and service VMs, and selects the optimum service path for the traffic flow to be introspected. Each service path is identified by a Service Path Index (SPI), and each hop along a path has a unique Service Index (SI).
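The relationship between a redirection policy, a per-direction service chain, the service paths generated from it and the SPI/SI numbering is easier to see in a small model. The following is an added illustrative example, not NSX-T Data Center code; the inventory, the security group and chain names, and the "fewest host crossings" selection rule are constructed assumptions, since the page does not state how NSX-T ranks candidate paths.

```python
from itertools import product

# Constructed sample inventory (hypothetical names, not real NSX-T objects):
# service VMs per service profile and the host each one runs on.
SERVICE_VMS = {
    "firewall": {"svm-fw-1": "host-A", "svm-fw-2": "host-B"},
    "monitor": {"svm-mon-1": "host-B"},
}
# A service chain may order its profiles differently per direction.
SERVICE_CHAINS = {
    "chain-1": {"egress": ["firewall", "monitor"], "ingress": ["monitor", "firewall"]},
}
# Redirection policy: traffic from a security group is sent down one chain.
REDIRECTION_POLICIES = [{"group": "web-tier", "chain": "chain-1"}]

def service_paths(profiles, service_vms=SERVICE_VMS):
    """Enumerate every service path for an ordered list of profiles: one service VM
    per profile. Each path gets a Service Path Index (SPI), each hop a Service Index (SI)."""
    choices = [sorted(service_vms[p].items()) for p in profiles]
    paths = []
    for spi, combo in enumerate(product(*choices), start=1):
        hops = [{"si": si, "profile": p, "svm": svm, "host": host}
                for si, (p, (svm, host)) in enumerate(zip(profiles, combo), start=1)]
        paths.append({"spi": spi, "hops": hops})
    return paths

def host_crossings(path, guest_host):
    """Assumed locality cost: number of hops at which traffic must leave its current host."""
    current, crossings = guest_host, 0
    for hop in path["hops"]:
        if hop["host"] != current:
            crossings += 1
            current = hop["host"]
    return crossings

def select_path(profiles, guest_host, service_vms=SERVICE_VMS):
    """Pick the path with the fewest host crossings; the lowest SPI breaks ties."""
    return min(service_paths(profiles, service_vms),
               key=lambda p: (host_crossings(p, guest_host), p["spi"]))

def redirect(group, direction, guest_host):
    """Apply the redirection policy for a security group; return the chosen path or None."""
    for policy in REDIRECTION_POLICIES:
        if policy["group"] == group:
            profiles = SERVICE_CHAINS[policy["chain"]][direction]
            return select_path(profiles, guest_host)
    return None  # no policy matches: traffic is not redirected
```

With the sample inventory, a guest VM on host-B gets a fully local path in both directions, while one on host-A must cross hosts at least once, which is exactly why NSX-T computes paths per guest VM location rather than once per chain.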