NSX provides a full set of logical network elements, boundary protocols, and security services to organize and manage your virtual networks. Installing an NSX plug-in on the vCenter Server gives you centralized control to create and manage NSX components and services throughout your data center.

See the NSX Administration Guide for descriptions of features and capabilities.

VMware NSX Edge

Provides centralized north-south routing between the logical networks deployed in NSX domains and the external physical network infrastructure. NSX Edge supports dynamic routing protocols such as Open Shortest Path First (OSPF), internal Border Gateway Protocol (iBGP), and external Border Gateway Protocol (eBGP), and can use static routing. The routing capability supports active-standby stateful services and equal-cost multipath routing (ECMP). NSX Edge also provides standard edge services such as network address translation (NAT), load balancing, virtual private network (VPN), and firewall services.

Logical Switching

NSX logical switches provide L2 logical networks enforcing isolation between workloads on different logical networks. Virtual distributed switches can span multiple ESXi hosts in a cluster over an L3 fabric by using VXLAN technology, adding the advantage of centralized management. You can control the scope of isolation by creating transport zones by using vCenter Server and assigning logical switches to the transport zones as needed.

Distributed Routing

Distributed routing is provided by a logical element called Distributed Logical Router (DLR). The DLR is a router with directly connected interfaces to all hosts where VM connectivity is required. Logical switches are connected to logical routers to provide L3 connectivity. The supervisory function, the control plane to control forwarding, is imported from a control VM.

Logical Firewalling

The NSX platform supports the following critical functions for securing multi-tier workloads.

  • Native support for logical firewalling capability, which provides stateful protection of multi-tier workloads.
  • Support for multivendor security services and service insertion, for example, antivirus scanning, for application workload protection.

The NSX platform includes a centralized firewall service offered by the NSX Edge services gateway (ESG), and a distributed firewall (DFW) enabled in the kernel as a VIB package on all the ESXi hosts that are part of a given NSX domain. The DFW provides firewalling with near-line rate performance, virtualization, identity awareness, activity monitoring, logging, and other network security features native to network virtualization. You configure these firewalls to filter traffic at the vNIC level of each VM. This flexibility is essential for creating isolated virtual networks, even for individual VMs if that level of detail is needed.

Use vCenter Server to manage firewall rules. The rules table is organized as sections with each section constituting a specific security policy that can be applied to specific workloads.

Security Groups

NSX provides grouping mechanism criteria that can include any of the following items.

  • vCenter Server objects such as virtual machines, distributed switches, and clusters
  • Virtual machine properties such as vNICs, virtual machine names, and virtual machine operating systems
  • NSX objects including logical switches, security tags, and logical routers

Grouping mechanisms can be either static or dynamic, and a security group can be any combination of objects, including any combination of vCenter objects, NSX Objects, VM Properties, or Identity Manager objects such as AD Groups. A security group in NSX is based on all static and dynamic criteria along with static exclusion criteria defined by a user. Dynamic groups grow and shrink as members enter and leave the group. For example, a dynamic group might contain all VMs that begin with the name web_. Security groups have several useful characteristics.

  • You can assign multiple security policies to a security group.
  • An object can belong to multiple security groups at the same time.
  • Security groups can contain other security groups.

Use NSX Service Composer to create security groups and apply policies. NSX Service Composer provisions and assigns firewall policies and security services to applications in real time. Policies are applied to new virtual machines as they are added to the group.

Security Tags

You can apply security tags to any virtual machine, adding context about the workload as needed. You can base security groups on security tags. Security tags indicate several common classifications.

  • Security state. For example, vulnerability identified.
  • Classification by department.
  • Data-type classification. For example, PCI Data.
  • Type of environment. For example, production or devops.
  • VM geography or location.

Security Policies

Security Policies group rules are security controls that are applied to a security group created in the data center. With NSX you can create sections in a firewall rule table. Sections allow better management and grouping of firewall rules. A single security policy is a section in a firewall rule table. This policy maintains synchronization between rules in a firewall rule table and rules written through the security policy, ensuring consistent implementation. As security policies are written for specific applications or workloads, these rules are organized into specific sections in a firewall rule table. You can apply multiple security policies to a single application. The order of the sections when you apply multiple security policies determines the precedence of rule application.

Virtual Private Network Services

NSX provides VPN services named L2 VPN and L3 VPN. Create an L2 VPN tunnel between a pair of NSX Edge devices deployed in separate datacenter sites. Create an L3 VPN to provide secure L3 connectivity to the data center network from remote locations.

Role Based Access Control

NSX has built-in user roles that regulate access to computer or network resources within an enterprise. Users can only have one role.

Table 1. NSX Manager User Roles
Role Permissions
Enterprise Administrator NSX operations and security.
NSX Administrator NSX operations only. For example, install virtual appliances, configure port groups.
Security Administrator NSX security only. For example, define data security policies, create port groups, create reports for NSX modules.
Auditor Read only.

Partner Integration

Services from VMware technology partners are integrated with the NSX platform in the management, control, and data functions to provide a unified user experience and seamless integration with any cloud management platform. See more at: https://www.vmware.com/products/nsx/technology-partners#security.