IT Virtualization Blog


by lmarzke last modified Oct 26, 2017 06:51 PM

Intro to NSX


What is NSX?

VMware ESX is the versatile hypervisor from VMware that virtualizes 'compute' workloads. There is no question that virtual workloads have many advantages over the old physical one-server-per-host model. It is so much easier to snapshot, clone, and recover a VM than a physical server. Disaster recovery is made easier as well.

NSX is VMware's answer to controlling networking features in the modern data center. Just as ESX is the hypervisor for 'compute' workloads, NSX is the 'hypervisor' (really a set of services) that virtualizes networking. This means we gain the ability to snapshot, clone and recover entire networks, which makes disaster recovery of the network much easier.

But what does virtualizing the network actually mean? It means, for instance, that all the internal networks of a 3-tier application, their properties, and their firewall configurations can be snapshotted, cloned, and recovered. So an entire 3-tier application can be treated as a single entity.

Of course there is much more to NSX than that. NSX has performance advantages because routing and firewalling are performed on the ESXi host. In the case of two VMs on the same host, a non-NSX environment would require all inter-VM traffic to exit the host and the top-of-rack switch to reach the firewall/router, while in NSX the traffic never leaves the host.



From a high level, NSX together with vSAN attempts to virtualize the data center instead of the server. This means it becomes possible to replicate or replace any VMware data center in the cloud with minimal changes. Think of it as VMware moving up the stack from controlling the VM to controlling the DC.

For those thinking of a hybrid-cloud solution, having a cloud environment that is exactly the same as the in-house one makes a lot of sense, as workloads can be moved back and forth to the cloud without any changes. Even live vMotion is supported in many cases.

However, there are more items that NSX addresses beyond what we covered above.

  • Supports massive East/West (E/W) connectivity, as is typical in the modern DC.
    • The E/W firewall rules are applied by the host kernel, so VMs on the same host can talk directly to each other without hair-pinning traffic out through the physical network to a physical firewall.
    • E/W rules can be written in high-level terms (such as by VM name, folder name, or tag). Rules written in such terms automatically apply to new VMs matching the VM-name regex, folder, or tag. So in essence firewall rules are automatically written and removed as VMs are added to or removed from the infrastructure. No more stale firewall rules from years ago that are left behind.
  • North/South traffic uses VM appliances supporting DHCP, NAT, firewall, routing, VPN, etc.
  • All of the above is controlled by a new menu tab (Networking & Security) inside the vCenter web client.


Use cases

The top use cases for deploying NSX then are:

  1. Security - Enable micro-segmentation (also called zero trust)
    Every NIC connection to/from a VM is inspected against the firewall rules.
    This means, for instance, that the web tier can only talk to the db tier on ONE port, to one VM.
    Since the hypervisor enforces this, no hair-pinning results.
    Firewall rules are generated automatically for new VMs according to a template.

  2. Disaster Recovery - The DR location is identical to the source
    This means that IPs do not need to change, and all load balancers, firewalls, etc. are the same on both ends.
    Optionally, cross-vCenter NSX can keep the main site and the DR site in sync.

  3. Automation - Automatically deploy entire 3-tier applications together with their networks, load balancers, etc.
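The two ideas above that matter most for security, rules written against VM name / folder / tag that follow VMs as they come and go (from the E/W bullet earlier), and a web tier that may only reach one DB VM on one port (use case 1), are easier to see in a small model. The following is an added example, not NSX code or any VMware API: it models dynamic security groups, a first-match rule list with an implicit default deny (the zero-trust behaviour the text describes), and an `expand` view that shows which concrete VM-to-VM rules exist at any moment. The group names, tag, folder paths and VM names are constructed for the example.

```python
"""Toy model of NSX-style distributed-firewall rule evaluation (added example).

Groups are defined by VM-name regex, folder or tag; rules reference groups;
a flow is decided by the first matching rule, and nothing matching means deny.
"""
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class VM:
    name: str
    folder: str
    tags: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class SecurityGroup:
    """Dynamic group: a VM is a member for as long as it matches any criterion."""
    name: str
    name_regex: Optional[str] = None
    folder: Optional[str] = None
    tag: Optional[str] = None

    def contains(self, vm: VM) -> bool:
        return bool(
            (self.name_regex and re.search(self.name_regex, vm.name))
            or (self.folder and vm.folder == self.folder)
            or (self.tag and self.tag in vm.tags)
        )


@dataclass(frozen=True)
class Rule:
    src_group: str
    dst_group: str
    dst_port: Optional[int]  # None means any destination port
    action: str              # "allow" or "deny"


class DistributedFirewall:
    def __init__(self, groups: List[SecurityGroup], rules: List[Rule]):
        self.groups = {g.name: g for g in groups}
        self.rules = list(rules)

    def members(self, inventory: List[VM], group_name: str) -> List[str]:
        """Current membership, recomputed from the live inventory every time."""
        group = self.groups[group_name]
        return sorted(vm.name for vm in inventory if group.contains(vm))

    def expand(self, inventory: List[VM]) -> List[Tuple[str, str, Optional[int], str]]:
        """Concrete per-VM-pair rules that would be enforced right now.

        Adding or removing a VM changes this list without any rule edits,
        which is why there are no stale rules left behind."""
        out = []
        for r in self.rules:
            for s in self.members(inventory, r.src_group):
                for d in self.members(inventory, r.dst_group):
                    if s != d:
                        out.append((s, d, r.dst_port, r.action))
        return out

    def evaluate(self, inventory: List[VM], src_name: str, dst_name: str, port: int) -> str:
        """First matching rule wins; no match means deny (zero trust)."""
        by_name = {v.name: v for v in inventory}
        src, dst = by_name[src_name], by_name[dst_name]
        for r in self.rules:
            if (self.groups[r.src_group].contains(src)
                    and self.groups[r.dst_group].contains(dst)
                    and (r.dst_port is None or r.dst_port == port)):
                return r.action
        return "deny"


# Constructed sample policy: web tier may reach only the tagged primary DB on 3306.
GROUPS = [
    SecurityGroup("web-tier", name_regex=r"^web-\d+$"),
    SecurityGroup("db-tier", folder="Prod/DB"),
    SecurityGroup("db-primary", tag="db-primary"),
]
RULES = [
    Rule("web-tier", "db-primary", 3306, "allow"),
    Rule("web-tier", "db-tier", None, "deny"),   # everything else web -> db
]
INVENTORY = [
    VM("web-01", "Prod/Web"),
    VM("web-02", "Prod/Web"),
    VM("db-01", "Prod/DB", frozenset({"db-primary"})),
    VM("db-02", "Prod/DB"),
]
DFW = DistributedFirewall(GROUPS, RULES)


if __name__ == "__main__":
    print("web-01 -> db-01:3306", DFW.evaluate(INVENTORY, "web-01", "db-01", 3306))
    print("web-01 -> db-01:22  ", DFW.evaluate(INVENTORY, "web-01", "db-01", 22))
    print("web-01 -> db-02:3306", DFW.evaluate(INVENTORY, "web-01", "db-02", 3306))
    grown = INVENTORY + [VM("web-03", "Prod/Web")]   # new VM, no rule edit needed
    print("web-03 -> db-01:3306", DFW.evaluate(grown, "web-03", "db-01", 3306))
    shrunk = [v for v in INVENTORY if v.name != "db-01"]
    print("rules after db-01 removed:", DFW.expand(shrunk))
```

The `expand` view is the useful one when reviewing a policy: it is the list a reader would otherwise have to reconstruct by hand, and comparing it before and after an inventory change shows exactly which permitted paths appeared or vanished.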


