The endpoint protection workflow needs partners to register their services with NSX and an administrator to consume these services. There are a few concepts that aid your understanding of the workflow.

  • Endpoint Protection Policy: A policy is a collection of rules. When you have multiple policies, arrange them in the order to run them. The same applies for rules defined within a policy. For example, policy A has three rules, and policy B has four rules, and they are arranged in a sequence such that policy A precedes policy B. When guest introspection begins running policies, rules from policy A are run first before rules from policy B.

  • Endpoint Protection Rule: As an NSX administrator, you can create rules that specify the virtual machine groups that are to be protected, and choose the protection level for those groups by specifying the Service Profile for each rule.

  • Service Instance: It refers to the service VM on a host. The service VMs are treated as special VMs by vCenter and they are started before any of the guest VMs are powered on and stopped after all the guest VMs are powered off. There is one service instance per service per host.
    Important: Number of service instances is equal to the number of hosts on which the service is running host. For example, if you have eight hosts per cluster, and the partner service was deployed on two clusters, the total number of service instances running are 16 SVMs.

  • Service Deployment: As an admin you deploy partner Service VMs through NSX on a per cluster basis. Deployments are managed at a cluster level, so that when any host is added to the cluster, EAM automatically deploys the service VM on them.

    Automatically deploying the SVM is important because if the Distributed Resource Scheduler (DRS) service is configured on a vCenter Cluster, then vCenter can rebalance or distribute existing VMs to any new host that got added to the cluster after the SVM is deployed and started on the new host. Since partner Service VMs need NSX platform to provide security to guest VMs, the host must be prepared as a transport node.

    Important: One service deployment refers to one cluster on the VMware vCenter that is managed for deploying and configuring one partner service.
  • If you power off an SVM on an ESXi host, EAM will automatically migrate all guest VMs from that host using the DRS service.