Distributed Network Encryption (DNE) authenticates and encrypts intra-data center traffic between two endpoints such as VMs, VIFs, or security groups within data centers managed by the same NSX Manager. DNE is an optional feature in NSX-T.
About Distributed Network Encryption
Distributed Network Encryption (DNE) encrypts network traffic in the hypervisor based on a group-keying concept in which VMs with common features or requirements defined by the administrator share a single key. The NSX Manager provides a consumption model that supports granular, rule-based group key management.

How DNE Processes Network Packets
Before you configure DNE, it is important to understand how DNE processes network packets that are transmitted between two endpoints in an NSX-T deployment.

Manage DNE Settings
By default, DNE is disabled, and port mirroring for DNE-encrypted packets is also disabled. You can enable both from the NSX Manager GUI.

Add, Edit, and Delete an Encryption Rule Section
Encryption rule sections are used to organize a set of encryption rules, manage them independently, and apply them as a group. Sections are used for multi-tenancy, such as defining specific rules for sales and engineering departments in separate sections.

Enable and Disable All Encryption Rules in a Section
You can enable or disable all encryption rules in a section. If disabled, all encryption rules in that section are ignored during rule processing.

Enable and Disable All Encryption Logs in a Section
To record information about packet processing, you can enable logs for all encryption rules in a section. Encryption logs record information about the packets and traffic matching the rules in the section.

About Encryption Rules
Encryption rules define what data flow (source and destination) to protect, the action to perform if a packet matches the rule criteria, and the policy enforcement points.

Add, Clone, and Delete an Encryption Rule
Encryption rules are added at the NSX Manager scope. Using the Applied To field, you can then narrow down the scope at which you want to apply the rule. You can add multiple objects at the source and destination levels for each rule, which helps reduce the total number of encryption rules to be added.

Edit Encryption Rule Settings
After adding or cloning a rule, you can edit the rule settings.
Enable and Disable an Encryption Rule
You can enable or disable an encryption rule. An encryption rule is enabled by default. An enabled rule is enforced, while a disabled rule is ignored.
Enable and Disable Encryption Rule Logging
Enable logging for an encryption rule to record information about the packets it processes. All sessions matching the rule will be logged.

Change the Processing Order of an Encryption Rule
For any traffic attempting to pass through the endpoints, the packet information is subjected to the rules. Within a section, rules are processed in sequential order, starting from the top of the list and proceeding to the bottom. The first rule in the list has the highest priority.

Filter Encryption Rules
When you navigate to the encryption section, initially all the rules are displayed. You can apply a filter to control what is displayed so that you see only a subset of the rules. This can make it easier to manage the rules.

About Key Policies
When a rule requires a key, a key policy is used to determine which key instance to use for a network packet.

Add, Edit, and Delete a Key Policy
You can add or edit key policies. You can delete policies that you added, but not the two pre-defined system default policies.

Rotate a Key Policy
Key rotation is the process of obtaining new keys from the DNE Key Manager. Rotation occurs automatically based on frequency or expiration settings. You can also manually rotate the key.
Revoke a Key Policy
Key revocation is the process of invalidating a key and keeping it from being used. Revocation is typically triggered when one or more keys become untrusted for some reason, for example, a data breach. Revocation stops the use of the key and initiates a request for a new key from the DNE Key Manager. Revocation affects traffic, as some packets could be dropped while hosts await the new key.