In a multi-tenant NSX environment, you can configure a subset of NSX features under projects.
This gives tenants flexibility while allowing the Enterprise Admin and other administrators of the default space to control the overall system life cycle and connectivity.
| NSX Feature | Available Under Projects | Notes |
|---|---|---|
| System | | |
| Edge Clusters | Assigned during project creation | During project creation, the Enterprise Admin assigns an edge cluster from the default space to a project. |
| System Life Cycle | Managed by the Enterprise Admin | Platform-wide operations such as install, upgrade, and backup are managed by the Enterprise Admin. |
| Certificates | Yes | Certificate management tasks are available under projects only for service certificates. |
| Networking | | |
| Tier-0 or Tier-0 VRF Gateway | Assigned during project creation | During project creation, the Enterprise Admin assigns a tier-0 gateway or a tier-0 VRF gateway from the default space to a project. The services on the tier-0 gateway are managed by the Enterprise Admin from the default space. |
| Dynamic Routing (BGP/OSPF) | Managed by the Enterprise Admin | Dynamic routing is configured on the tier-0 gateway or tier-0 VRF gateway by the Enterprise Admin. |
| EVPN | Managed by the Enterprise Admin | EVPN is configured on the tier-0 gateway or tier-0 VRF gateway by the Enterprise Admin. |
| Tier-1 Gateway | Yes | |
| Static Routing | Yes | Static routing on the tier-1 gateway is configured by the Project Admin. |
| Overlay Segments | Yes | |
| VLAN Segments | No | |
| Segment Profiles | Yes | |
| L2 Bridge | No | |
| L2 VPN | Yes | On each tier-1 gateway of the project, you can configure only one L2 VPN service. |
| IPSec VPN (L3 VPN) | Yes | On each tier-1 gateway of the project, you can configure only one IPSec service. For route-based IPSec VPN, static routes are supported. Dynamic routing over a virtual tunnel interface (VTI) using BGP is not supported on the tier-1 gateway of the project. |
| NAT | Yes | |
| Load Balancer | No | |
| DNS Forwarder | Yes | |
| IP Address Pools/IP Address Blocks | Yes | |
| IPv6 Profiles (DAD/ND) | Yes | |
| Gateway QoS Profiles | Yes | |
| DHCP and DHCP Relay | Yes | |
| Security | | |
| Distributed Firewall | Yes | Only for VMs that are connected to segments in a project. Firewall rules that are managed by the Enterprise Admin in the default space have the highest precedence, followed by the project policies. DFW policies with Antrea groups in the Sources, Destinations, or Applied To of the firewall rules are not supported under projects. |
| Exclusion List | Managed by the Enterprise Admin | The exclusion list excludes a VM from all firewall rule enforcement. |
| Gateway Firewall | Yes | The Enterprise Admin and Project Admin can manage the gateway firewall rules on the tier-1 gateways of the project only within the context of a project. The Project Admin can delete or modify the gateway firewall rules in the project that are created by the Enterprise Admin. |
| Identity Firewall | No | Identity firewall is not available under projects. Identity firewall rules can be configured only in the default space, and these rules can be applied to VMs inside projects. |
| Distributed IDS/IPS | Yes (starting in NSX 4.1.1); No (in NSX 4.1) | |
| Gateway IDS/IPS | No | |
| Malware Prevention | No | |
| TLS Decryption | No | |
| TLS Inspection | No | |
| FQDN Filtering | Yes | The FQDN Analysis dashboard is not exposed to the Project Admin. It is available only to the Enterprise Admin. |
| URL Filtering | Yes | |
| Firewall Profiles | Yes | |
| Inventory | | |
| Services | Yes | |
| Groups (static and dynamic memberships) | Yes | Kubernetes member types are not available under a project for creating dynamic membership criteria. |
| Antrea Groups | No | |
| Context Profiles/L7 Access Profiles | Yes | |
| Tags | Yes | |
| Virtual Machines (visibility/tagging) | Yes | Only for VMs that are connected to segments in a project. |
| Container Clusters | No | Kubernetes resources in Antrea Kubernetes clusters that are registered to NSX are not exposed to the project inventory. |
| Plan and Troubleshoot | | |
| Traceflow | Yes | Traceflow can only use VMs and ports that are part of the project. If the destination is an IP that routes to another project, those details are hidden in the Traceflow output. |
| Antrea Traceflow | No | |
| Live Traffic Analysis | No | |
| IPFIX | Managed by the Enterprise Admin | IPFIX is managed centrally by the Enterprise Admin in the default space. |
| Port Mirroring | Managed by the Enterprise Admin | Port mirroring is configured centrally by the Enterprise Admin in the default space. |
| Security Intelligence | No | Security Intelligence features are not exposed to the Project Admin. Only the NSX Enterprise Admin has full access to all the Security Intelligence features. The Security Intelligence features (network flow visualization, micro-segmentation recommendations, and suspicious traffic analysis) are not project-aware. These features work with all the network traffic flow data within your entire on-premises NSX environment. If multi-tenancy is used, that is, if projects are defined in your NSX environment, Security Intelligence displays all the NSX objects that are in the default space and all the NSX objects from all the projects, whether you are using the Default view or the All Projects view. |