In NSX-V, traffic redirection to partner services is at a rule level, and not at the section level. That is, a single section in NSX-V can have rules redirecting the network traffic to multiple service profiles of a single partner service or multiple partner services.

However, in NSX-T, redirection is at a policy level. Therefore, if a single firewall section in NSX-V has rules redirecting to multiple service profiles, multiple NSX-T policies will be created.

Read the scenarios in this topic for examples about rule ordering in NSX-T.

This topic uses the following acronyms:
  • SP: Service Profile
  • SG: Security Group
  • SC: Service Chain

Scenario 1: Single Partner Service, Single Service Profile

A single network introspection partner service is running. This partner service contains a single service profile.

Rule configuration in NSX-V is as follows:
  • SP-1 is bound to SG-1 and SG-2.
  • Network traffic from SG-A to SG-B is redirected to SP-1.
  • Network traffic from SG-P to SG-Q is redirected to SP-1.
Migrated rule configuration in NSX-T is as follows:
  • SC-1 contains SP-1 in the forward and reverse path of the traffic.
  • Network traffic from SG-A to SG-B is redirected to SC-1. This rule is applied on SG-1 and SG-2.
  • Network traffic from SG-P to SG-Q is redirected to SC-1. This rule is applied on SG-1 and SG-2.
NSX-V:

Section 1

  • Rule 1: SG-A to SG-B, Redirect to SP-1
  • Rule 2: SG-P to SG-Q, Redirect to SP-1

NSX-T:

Policy 1 (Redirect to SC-1)

  • Rule 1: SG-A to SG-B, Redirect to SC-1
  • Rule 2: SG-P to SG-Q, Redirect to SC-1

Scenario 2: Single Partner Service, Multiple Service Profiles

A partner service has two service profiles SP-1 and SP-2.

Case 2A: SP-1 has higher priority than SP-2

In NSX-V, SP-1 is bound to SG-1, and SP-2 is bound to SG-2.

In NSX-T, SC-1 contains SP-1, and SC-2 contains SP-2 in the forward and reverse path of the traffic.

In this case, rules redirecting to SC-1 are placed first in the NSX-T rule table.

NSX-V:

Section 1
  • Rule 1: SG-A to SG-B, Redirect to SP-1
  • Rule 2: SG-P to SG-Q, Redirect to SP-2

NSX-T:

Policy 1 (Redirect to SC-1)
  • Rule 1: SG-A to SG-B, Redirect to SC-1
Policy 2 (Redirect to SC-2)
  • Rule 2: SG-P to SG-Q, Redirect to SC-2

Case 2B: SP-2 has higher priority than SP-1

In NSX-V, SP-1 is bound to SG-1, and SP-2 is bound to SG-2 and SG-3.

In NSX-T, SC-1 contains SP-1, and SC-2 contains SP-2 in the forward and reverse path of the traffic.

In this case, rules redirecting to SC-2 are placed first in the NSX-T rule table.

NSX-V:

Section 1
  • Rule 1: SG-A to SG-B, Redirect to SP-1
  • Rule 2: SG-P to SG-Q, Redirect to SP-2
Section 2
  • Rule 3: SG-P to SG-Q, Redirect to SP-1

NSX-T:

Policy 1 (Redirect to SC-2)
  • Rule 2: SG-P to SG-Q, Redirect to SC-2
Policy 2 (Redirect to SC-1)
  • Rule 1: SG-A to SG-B, Redirect to SC-1
Policy 3 (Redirect to SC-1)
  • Rule 3: SG-P to SG-Q, Redirect to SC-1

Scenario 3: Two Partner Services, One Service Profile Per Partner

Service-1 from partner 1 has higher precedence than Service-2 from partner 2. Service-1 contains SP-1 and Service-2 contains SP-2. In NSX-V, SP-1 is bound to SG-1, and SP-2 is bound to SG-2 and SG-3.

NSX-V:

Section 1
  • Rule 1: SG-A to SG-B, Redirect to SP-1
  • Rule 2: SG-A to SG-C, Redirect to SP-1
  • Rule 3: SG-P to SG-Q, Redirect to SP-2
  • Rule 4: SG-A to SG-D, Redirect to SP-1
Section 2
  • Rule 5: SG-P to SG-Q, Redirect to SP-1

NSX-T:

Policy 1 (Redirect to SC-1)
  • Rule 1: SG-A to SG-B, Redirect to SC-1
  • Rule 2: SG-A to SG-C, Redirect to SC-1
  • Rule 4: SG-A to SG-D, Redirect to SC-1
Policy 2 (Redirect to SC-1)
  • Rule 5: SG-P to SG-Q, Redirect to SC-1
Policy 3 (Redirect to SC-2)
  • Rule 3: SG-P to SG-Q, Redirect to SC-2
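
The following added example is not part of the original topic and is not VMware's migration code. It reproduces the policy order shown in Case 2B and Scenario 3 and lists the rule pairs whose relative position changed, so they can be reviewed after migration. The ordering rule (profile priority first, then NSX-V section order, one policy per section and profile) is inferred from the scenarios above; the function names and the SP-n to SC-n naming are assumptions.

```python
from itertools import combinations

# Constructed from the tables above: (section, [(rule id, source, destination, profile)])
SCENARIO_3 = [
    ("Section 1", [(1, "SG-A", "SG-B", "SP-1"), (2, "SG-A", "SG-C", "SP-1"),
                   (3, "SG-P", "SG-Q", "SP-2"), (4, "SG-A", "SG-D", "SP-1")]),
    ("Section 2", [(5, "SG-P", "SG-Q", "SP-1")]),
]
CASE_2B = [
    ("Section 1", [(1, "SG-A", "SG-B", "SP-1"), (2, "SG-P", "SG-Q", "SP-2")]),
    ("Section 2", [(3, "SG-P", "SG-Q", "SP-1")]),
]


def migrate(sections, sp_priority):
    """Return NSX-T policies as [(service chain, [rule ids])].

    sp_priority lists service profiles, highest priority first.
    Ordering rule inferred from the page's scenarios (assumption).
    """
    policies = []
    for sp in sp_priority:                    # higher-priority profile first
        sc = sp.replace("SP-", "SC-")         # assumption: SC-n contains SP-n
        for _name, rules in sections:         # then NSX-V section order
            ids = [r[0] for r in rules if r[3] == sp]
            if ids:                           # one policy per (section, profile)
                policies.append((sc, ids))
    return policies


def reordered_pairs(sections, policies):
    """Rule pairs (a, b) where a preceded b in NSX-V but follows it in NSX-T."""
    before = [r[0] for _name, rules in sections for r in rules]
    after = [rid for _sc, ids in policies for rid in ids]
    pos = {rid: i for i, rid in enumerate(after)}
    return [(a, b) for a, b in combinations(before, 2) if pos[a] > pos[b]]


if __name__ == "__main__":
    cases = (("Case 2B", CASE_2B, ["SP-2", "SP-1"]),
             ("Scenario 3", SCENARIO_3, ["SP-1", "SP-2"]))
    for title, sections, priority in cases:
        policies = migrate(sections, priority)
        print(title)
        for n, (sc, ids) in enumerate(policies, 1):
            print(f"  Policy {n} (Redirect to {sc}): rules {ids}")
        print("  position changed:", reordered_pairs(sections, policies))
```

The pairs returned describe table position only; whether a changed position matters depends on whether the two rules can match the same traffic.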