The micro-segmentation planning topology shows all the flows that are present in your environment by dividing the flows into segments.

In vRealize Network Insight, a flow is a 4-tuple. It includes:

  • source IP

  • destination IP

  • destination port

  • protocol

You can analyze the flows by selecting a scope and segmenting them accordingly based on entities such as VLAN/VXLAN, Security Groups, Application, Tier, Folder, Subnet, Cluster, VM, Port, Security Tag, Security Group, and IPSet. The blue lines denote the outgoing flows, the green lines denote the incoming flows, and the yellow lines denote the flows that are bidirectional. You can click any of the segments to view its details.

The VMs that are outside the selected scope are grouped as Other Entities in the micro-segmentation planning topology.

You can also analyze the flows by creating subgroups according to the Physical, Other Virtual, and Internet categories.

Each group is expanded into a wedge. In the following topology, the wedge for the Physical group is shown.

There is also a Traffic Distribution pin that shows the amount of traffic that is flowing in different parts of your data center.

The Flows pin shows the flows for different time intervals, segregated by port. You can either view all the flows or view the flows between two entities. You can filter the flows by Allowed and Blocked flows. Flows can be viewed either by Total Bytes or by Allowed Session Count. For the flows that are protected by a firewall, a Protected by Firewall sign denotes that the flows on that port are protected by a firewall.

Application-Centric Micro-Segmentation

An application is a collection of tiers. Each tier in an application is a collection of VMs based on the user-defined filter criteria. Applications allow you to create a hierarchical group of VMs and visualize traffic/flows between the tiers of the same application. Traffic/flows can also be visualized between applications.

To add an application:

  1. In the Search box, type application, and press Enter.

  2. Click Add Application.

  3. On the Add Application page, in the Application Name box, type a name for the application that you want to create.

  4. In the Tier section, type a name for the tier that you want to create under the application (parent level). You can create a tier for VMs or physical machines as required.

  5. In the Virtual Machines/IP Addresses box, select the appropriate VMs by any of the following conditions:

    • VM PROPERTIES

      • VM Names - Names of the VMs that you want to group in the tier you are creating

      • IP Addresses - IP addresses of the VMs or physical machines that you want to group in the tier you are creating. The count of the IP addresses is shown at the right side of the field.

      • VMs with Service Ports - Service ports of the VMs that you want to group in the tier you are creating

      • Custom Search - An open-ended search

    • VMs IN

      • Application - Select this option if the VMs are located in any previously created application

      • Cluster - Select this option if the VMs are located in any cluster

      • Folders - Select this option if the VMs are located in any folder

      • VXLAN - Select this option if the VMs are located in any VXLAN

      • VLAN - Select this option if the VMs are located in any VLAN

    Note:

    To enter multiple values, separate the individual values with commas.

    Optional: If you want to create multiple tiers under one application, click Add Tier.

  6. Select Analyze Flows to view the flows before you finally add the application. You can see the tiers based on VMs or physical addresses accordingly.

  7. Click Save to create the application.
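To make the scope, segment and tier concepts above concrete, here is an added Python example (not vRealize Network Insight code) that classifies constructed 4-tuple flows against an application with three tiers, groups endpoints outside the scope as Other Entities (Physical, Other Virtual, Internet), and labels each peer segment as outgoing, incoming or bidirectional the way the planning topology colours its lines. The application, flow records, VM inventory and data-center address ranges are all constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample flows, each a 4-tuple: (source IP, destination IP, destination port, protocol).
FLOWS = [
    ("10.0.1.10", "10.0.2.20", 8080, "TCP"),   # web tier -> app tier
    ("10.0.2.20", "10.0.3.30", 3306, "TCP"),   # app tier -> db tier
    ("10.0.3.30", "10.0.2.20", 9000, "TCP"),   # db tier -> app tier (app<->db becomes bidirectional)
    ("203.0.113.5", "10.0.1.10", 443, "TCP"),  # Internet -> web tier
    ("10.0.1.10", "10.0.9.53", 53, "UDP"),     # web tier -> physical DNS box (not in VM inventory)
    ("10.0.7.70", "10.0.3.30", 3306, "TCP"),   # VM outside the application -> db tier
]
# Constructed application: tier name -> member IP addresses (the IP Addresses tier criterion).
APPLICATION = {"web": {"10.0.1.10"}, "app": {"10.0.2.20"}, "db": {"10.0.3.30"}}
# Assumptions: which IPs belong to VMs, and which ranges count as the data center.
KNOWN_VM_IPS = {"10.0.1.10", "10.0.2.20", "10.0.3.30", "10.0.7.70"}
DATA_CENTER_RANGES = [ip_network("10.0.0.0/8")]


def segment_of(ip, tiers=APPLICATION):
    """Map an endpoint to its tier, or to an Other Entities subgroup when outside the scope."""
    for tier, members in tiers.items():
        if ip in members:
            return tier
    if not any(ip_address(ip) in net for net in DATA_CENTER_RANGES):
        return "Other Entities/Internet"
    if ip in KNOWN_VM_IPS:
        return "Other Entities/Other Virtual"
    return "Other Entities/Physical"


def segment_edges(flows=FLOWS):
    """Collapse flows into directed (source segment, destination segment) edges with their (port, protocol) pairs."""
    edges = defaultdict(set)
    for src, dst, port, proto in flows:
        edges[(segment_of(src), segment_of(dst))].add((port, proto))
    return dict(edges)


def flows_for_segment(segment, flows=FLOWS):
    """Label each peer of the selected segment as outgoing (blue), incoming (green) or bidirectional (yellow)."""
    edges = segment_edges(flows)
    peers = {d for s, d in edges if s == segment} | {s for s, d in edges if d == segment}
    result = {}
    for peer in peers:
        out, inc = (segment, peer) in edges, (peer, segment) in edges
        result[peer] = "bidirectional" if out and inc else "outgoing" if out else "incoming"
    return result
```

Running flows_for_segment("app") on the constructed data reports the web tier as incoming and the db tier as bidirectional, which is what the wedge for the app tier would show.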

Exporting Rules

You can export rules as XML for the entire topology. You can find this option on the Micro-Segmentation Planning page.

You can also export rules related to the underlying security groups belonging to multiple NSX managers. You can then import these rules directly into NSX.