NSX-T Data Center isolates and secures the traffic paths across workloads, the tenant switching layer, and the routing fabric. Distributed firewall policies and rules are additionally enforced at the VM boundary (the vNIC), so traffic that a tenant should not see is dropped in the hypervisor before it enters the fabric, independently of the routing topology.

NSX-T Data Center uses a two-tiered routing architecture to keep the provider and tenant routing domains separate:

  • Logical Tier-0 router defines and isolates the provider tier.

  • Logical Tier-1 router defines and isolates the tenant tiers.

The provider routing tier (Tier-0) connects to the physical network and carries north-south traffic. Each tenant routing context (Tier-1) connects to the provider Tier-0 and handles east-west communication within that tenant. The Tier-0 router is also the termination point towards the cloud physical gateways and the existing CSP underlay networks, which is the path inter-cloud traffic takes into and out of the fabric.

Each tenant vDC has a single Tier-1 distributed router that routes traffic within the tenant. The same Tier-1 can also be enabled for stateful services such as the gateway firewall, NAT, and load balancing. Note that stateful services are not distributed: enabling them instantiates a service router component on an NSX Edge cluster, so a Tier-1 that needs them must have an Edge cluster assigned. VMs belonging to Tenant A can be connected to multiple logical interfaces (segments) of that Tier-1 router for layer 2 and layer 3 connectivity.

With VMware Integrated OpenStack as the IaaS layer, OpenStack user profiles and RBAC policies restrict each tenant's access to the networking fabric to its own Tier-1 level: tenant users create and change only objects behind their Tier-1, while the provider Tier-0 stays under provider control.

Two-tiered routing architecture for network management isolation
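The tenancy model described above (one provider Tier-0, one Tier-1 per tenant vDC, stateful services only where an Edge cluster backs them, tenant objects confined to their own Tier-1) is easy to state and easy to drift from in a large deployment. The following added example, which is not VMware code and not part of the original page, models such a topology as plain dicts that borrow a few NSX-T Policy API field names (tier0_path, connectivity_path, edge_cluster_path, route_advertisement_types) and checks the isolation invariants over it. The "tenant" tag, all object IDs, the Edge cluster path and the constructed topology are assumptions made for the example; the tier1_payload helper shows the shape of the Tier-1 object the same model maps to.

```python
"""Isolation checks for a two-tier NSX-T routing model (added example, not VMware code)."""
import json

PROVIDER_T0 = "/infra/tier-0s/provider-t0"  # assumed Tier-0 ID
EDGE_CLUSTER = "/infra/sites/default/enforcement-points/default/edge-clusters/ec-1"  # assumed

# Constructed topology. tenant-c's Tier-1 and two of tenant-b's segments are
# deliberately wrong so that the checker has something to report.
TIER1S = {
    "/infra/tier-1s/tenant-a-t1": {
        "tenant": "tenant-a", "tier0_path": PROVIDER_T0,
        "stateful_services": ["NAT", "GatewayFirewall"], "edge_cluster_path": EDGE_CLUSTER,
    },
    "/infra/tier-1s/tenant-b-t1": {
        "tenant": "tenant-b", "tier0_path": PROVIDER_T0,
        "stateful_services": [], "edge_cluster_path": None,
    },
    # Wrong: asks for NAT but has no Edge cluster to host the service router.
    "/infra/tier-1s/tenant-c-t1": {
        "tenant": "tenant-c", "tier0_path": PROVIDER_T0,
        "stateful_services": ["NAT"], "edge_cluster_path": None,
    },
}

SEGMENTS = {
    "/infra/segments/tenant-a-web": {"tenant": "tenant-a", "connectivity_path": "/infra/tier-1s/tenant-a-t1"},
    "/infra/segments/tenant-a-db": {"tenant": "tenant-a", "connectivity_path": "/infra/tier-1s/tenant-a-t1"},
    "/infra/segments/tenant-b-app": {"tenant": "tenant-b", "connectivity_path": "/infra/tier-1s/tenant-b-t1"},
    # Wrong: a tenant-b segment behind tenant-a's Tier-1 gives tenant-b workloads
    # a routed path into tenant-a that never crosses the provider Tier-0.
    "/infra/segments/tenant-b-mgmt": {"tenant": "tenant-b", "connectivity_path": "/infra/tier-1s/tenant-a-t1"},
    # Wrong: attaching a tenant segment straight to the Tier-0 bypasses the
    # tenant tier and any stateful services configured on it.
    "/infra/segments/tenant-b-dmz": {"tenant": "tenant-b", "connectivity_path": PROVIDER_T0},
}


def check_topology(tier0_path, tier1s, segments):
    """Return a list of findings; an empty list means the tenancy model holds."""
    findings = []
    for t1_path, t1 in tier1s.items():
        if t1["tier0_path"] != tier0_path:
            findings.append(f"{t1_path}: linked to {t1['tier0_path']} instead of the provider Tier-0")
        # Stateful services are not distributed: they need a service router on an Edge node.
        if t1["stateful_services"] and not t1["edge_cluster_path"]:
            findings.append(f"{t1_path}: stateful services {t1['stateful_services']} require an Edge cluster")
    for seg_path, seg in segments.items():
        parent = tier1s.get(seg["connectivity_path"])
        if parent is None:
            findings.append(f"{seg_path}: attached to {seg['connectivity_path']}, which is not a tenant Tier-1")
        elif parent["tenant"] != seg["tenant"]:
            findings.append(f"{seg_path}: {seg['tenant']} segment attached to {parent['tenant']}'s Tier-1")
    return findings


def tier1_payload(t1_id, t1):
    """Body for PATCH /policy/api/v1/infra/tier-1s/{t1_id} derived from the model above.

    Connected prefixes are always advertised to the Tier-0 so the provider can
    route to the tenant; NAT prefixes are advertised only when NAT is in use.
    """
    adv = ["TIER1_CONNECTED"]
    if "NAT" in t1["stateful_services"]:
        adv.append("TIER1_NAT")
    return {
        "resource_type": "Tier1",
        "id": t1_id,
        "tier0_path": t1["tier0_path"],
        "route_advertisement_types": adv,
        "tags": [{"scope": "tenant", "tag": t1["tenant"]}],  # assumed tagging scheme
    }


if __name__ == "__main__":
    for finding in check_topology(PROVIDER_T0, TIER1S, SEGMENTS):
        print("FINDING:", finding)
    print(json.dumps(tier1_payload("tenant-a-t1", TIER1S["/infra/tier-1s/tenant-a-t1"]), indent=2))
```

Run against the constructed topology, the checker reports three findings: the Tier-1 that wants NAT without an Edge cluster, the tenant-b segment hanging off tenant-a's Tier-1, and the tenant-b segment attached directly to the Tier-0. In a real deployment the same checks would be fed from GET /policy/api/v1/infra/tier-1s and /policy/api/v1/infra/segments, with the tenant of each object derived from tags or from the VIO project that owns it.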