For East-West Network Introspection, create a service segment and an overlay transport zone. However, you can back all other segments or logical switches on a VLAN transport zone.

East-West Network Introspection is applied to an entire NSX deployment. You can deploy the service at a cluster-level or on a per-host basis.

Multiple deployment methods are supported. One of them is host-based deployment. The type of deployment decides where service VMs run for a particular service. However, irrespective of the type of deployment, service VMs can be accessed by all East-West Network Introspection workloads. For example, a workload running on cluster A can use a service VM running on cluster B if there is no better alternative. So, picking a cluster-based deployment does not limit East-West Network Introspection to that cluster.

Even if you plan a deployment using only VLAN-backed segments, East-West traffic passes through overlay transport zones and overlay-backed segments. East-West Network Introspection is applied to all segments in the topology, whether they are backed by overlay or VLAN transport zones.

Requirements for East-West Network Introspection

  • Ensure the transport nodes that host guest VMs and service VMs are configured with an overlay transport zone. An overlay transport zone is a requirement to use East-West Network Introspection on all the transport nodes in the system.
  • Create an overlay-backed service segment that will be used by East-West Network Introspection service.

  • All the segments must be backed by the same host switch on each host.

  • If a guest VM running on an ESXi host is connected to a VLAN segment but that ESXi host is not configured to an overlay transport zone, then traffic destined to a service VM is disrupted. Such a configuration can also cause traffic to be routed to a black hole.

vMotion of Guest VMs

During a vMotion, the guest VM can be successfully migrated to another host only if the destination host is configured with an overlay transport zone and there is a single host switch. However, if there is no overlay transport zone where the service segment is created or if there are multiple host switches configured, then the virtual NIC of the guest VM goes into disconnected state even after vMotion.

Unsupported environments

  • A few transport nodes are configured for VLAN transport zone, while the remaining hosts are configured for VLAN and GENEVE (overlay) transport zones. Ensure all transport nodes are configured for both VLAN and GENEVE (overlay) transport zones.
  • Traffic exiting out of a guest VM virtual NIC carries .1q VLAN tag.
  • Trunk port (which can carry multiple VLANs from guest VM) backed guest VMs.
  • Any topology involving multiple host switches does not support east-west network introspection.

An overlay-backed (GENEVE-backed) segment is provisioned for internal use by East-West Network Introspection. On the NSX Manager UI, go to Security → Network Introspection Settings → Service Segment.