Network virtualization services include logical switches, logical routers, logical firewalls, and other components of NSX for vSphere. 

Logical Switches

NSX logical switches create logically abstracted segments to which tenant virtual machines can connect. A single logical switch is mapped to a unique VXLAN segment ID and is distributed across the ESXi hypervisors within a transport zone. This logical switch configuration provides support for line-rate switching in the hypervisor without creating constraints of VLAN sprawl or spanning tree issues.

Universal Distributed Logical Router

Universal distributed logical router (UDLR) in NSX for vSphere performs routing operations in the virtualized space (between VMs, on VXLAN- or VLAN-backed port groups). UDLR has the following features:

  • High performance, low overhead first hop routing

  • Scaling the number of hosts

  • Support for up to 1,000 logical interfaces (LIFs) on each distributed logical router

A UDLR is installed in the kernel of every ESXi host, as such it requires a VM for the control plane. The Control VM of a UDLR is the control plane component of the routing process, providing communication between NSX Manager and NSX Controller cluster through the User World Agent. NSX Manager sends logical interface information to the Control VM and NSX Controller cluster, and the Control VM sends routing updates to the NSX Controller cluster.

Figure 1. Universal Distributed Logical Routing by Using NSX for vSphere

In each region, the logical routing in the SDDC is configured for BGP and cross vCenter Server. It takes places between the top of rack switches and the ECMP NSX Edge devices for North-South routing, and between the management components of the SDDC. BGP is also used between the UDLR Control VM in Region A and Region B ECMP NSX Edge devices.

Designated Instance

The designated instance is responsible for resolving ARP on a VLAN LIF. There is one designated instance per VLAN LIF. The selection of an ESXi host as a designated instance is performed automatically by the NSX Controller cluster and that information is pushed to all other ESXi hosts. Any ARP requests sent by the distributed logical router on the same subnet are handled by the same ESXi host. In case of an ESXi host failure, the controller selects a new ESXi host as the designated instance and makes that information available to the other ESXi hosts.

User World Agent

User World Agent (UWA) is a TCP and SSL client that enables communication between the ESXi hosts and NSX Controller nodes, and the retrieval of information from NSX Manager through interaction with the message bus agent.

Edge Services Gateway

While the UDLR provides VM-to-VM or east-west routing, the NSX Edge services gateway provides north-south connectivity, by peering with upstream layer 3 devices, thereby enabling tenants to access public networks.

Logical Firewall

NSX Logical Firewall provides security mechanisms for dynamic virtual data centers.

  • The Distributed Firewall allows you to segment virtual data center entities like virtual machines. Segmentation can be based on VM names and attributes, user identity, vCenter Server objects like data centers, and ESXi hosts, or can be based on traditional networking attributes like IP addresses, port groups, and so on. 

  • The Edge Firewall component helps you meet important perimeter security requirements, such as building DMZs based on IP/VLAN constructs, tenant-to-tenant isolation in multi-tenant virtual data centers, Network Address Translation (NAT), partner (extranet) VPNs, and user-based SSL VPNs.

The Flow Monitoring feature displays network activity between virtual machines at the application protocol level. You can use this information to audit network traffic, define and refine firewall policies, and identify threats to your network.

Logical Virtual Private Networks (VPNs)

SSL VPN-Plus allows remote users to access private corporate applications. IPSec VPN offers site-to-site connectivity between an NSX Edge instance and remote sites. L2 VPN allows you to extend your datacenter by allowing virtual machines to retain network connectivity across geographical boundaries.

Logical Load Balancer

The NSX Edge load balancer enables network traffic to follow multiple paths to a specific destination. It distributes incoming service requests evenly among multiple servers in such a way that the load distribution is transparent to users. Load balancing thus helps in achieving optimal resource utilization, improving throughput, reducing response time, and avoiding overload. NSX Edge provides load balancing up to Layer 7.

Service Composer

Service Composer helps you provision and assign network and security services to applications in a virtual infrastructure. You map these services to a security group, and the services are applied to the virtual machines in the security group.

NSX Extensibility

VMware partners integrate their solutions with the NSX for vSphere platform to enable an integrated experience across the entire SDDC. Data center operators can provision complex, multi-tier virtual networks in seconds, independent of the underlying network topology or components.