VMware NSX
VMware NSX is a virtual networking and security software product family created from VMware's vCloud Networking and Security (vCNS) and Nicira's Network Virtualization Platform (NVP) intellectual property.
NSX software-defined networking (SDN) is part of VMware's software-defined data center (SDDC) concept, which offers cloud computing on VMware virtualization technologies. VMware's stated goal with NSX is to provision virtual networking environments without a command-line interface (CLI) or other direct administrator intervention. Network virtualization abstracts network operations from the underlying hardware onto a distributed virtualization layer, much like server virtualization does for processing power and operating systems (OSes). VMware vCNS virtualizes Layer 4-7 (L4-L7) of the network. Nicira's NVP virtualizes the network fabric, Layer 2 (L2) and Layer 3 (L3).
NSX exposes logical firewalls, switches, routers, ports and other networking elements to enable virtual networking among vendor-agnostic hypervisors, cloud management systems and associated network hardware. It also supports external networking and security ecosystem services.
Important features of NSX
- Switching: NSX logical switches use unique Virtual Extensible LAN (VXLAN) network identifiers to create a logical overlay extension for the L2 network, to which applications and tenant virtual machines (VMs) can then be logically wired. These logical broadcast domains enable greater flexibility and faster deployment, all while providing the characteristics of a virtual LAN (VLAN) without the risk of sprawl.
- Routing: NSX performs routing with both logical distributed routers, which create routes between virtual networks at the hypervisor kernel, and physical routers for scale-out routing with active-active failover.
- Distributed firewalling: The NSX distributed firewall is a hypervisor kernel-embedded firewall that spreads out over the ESXi host. A network administrator can create custom firewall policies, which are enforced at the virtual network interface card (vNIC) level, to provide stateful firewall services for VMs and increase visibility and control for virtualized networks and workloads.
- Load balancing: NSX offers a L4-L7 load balancer that intercepts, translates and manipulates network traffic to improve enterprise application availability and scalability. The NSX load balancer includes support for Secure Sockets Layer (SSL) offload for pass-through and server health checks. The L4 load balancer offers packet-based load balancing, which sends the packet to a specific server after it's manipulated; the L7 load balancer offers socket-based load balancing, which establishes client- and server-facing connections for a single request.
- Virtual private network (VPN): NSX includes site-to-site and remote access VPN capabilities and unmanaged VPN for cloud gateway services.
- NSX Edge gateway: The NSX Edge gateway is a VM that behaves like an appliance to perform L3 routing, firewalling, site-to-site virtual private networking, load balancing and more. This feature also offers support for VXLAN to VLAN bridging for seamless connection to physical workloads.
- Application programming interface (API): NSX uses a representational state transfer (REST)-based API to simplify third-party product and service integration and to integrate NSX with cloud management for additional automation capabilities.
- Operations: Native operations capabilities include central CLI, Switch Port Analyzer (SPAN), IP Flow Information Export (IPFIX), Application Rule Manager (ARM), Endpoint Monitoring and integration with VMware vRealize Suite for proactive monitoring, analytics and troubleshooting.
- Dynamic security policy: NSX Service Composer enables the network administrator to provision and assign network and security services to applications. The administrator can also use Service Composer to create dynamic security groups with custom filters, such as VMware vCenter objects and tags, OS type and Active Directory (AD) roles.
- Cloud management: NSX natively integrates with vRealize Automation and OpenStack for cloud management.
- Cross-vCenter Networking and Security (Cross-VC NSX): This capability scales NSX vSphere across vCenter and data center boundaries. This enables the network administrator to address capacity pooling across vCenters, simplify data center migration, perform long-distance vMotions and perform disaster recovery (DR).
- Log management: NSX integrates with vRealize Log Insight, which receives log entries from ESXi hosts, uses content packs to process the information each log entry contains and identifies issues within the NSX deployment.
NSX use cases
According to VMware, the top three use cases driving NSX adoption are microsegmentation, IT automation and DR. These use cases aim to resolve issues commonly associated with network virtualization, such as poor traffic performance and insufficient security.
The first of these use cases, microsegmentation, addresses network security. Microsegmentation takes the common networking practice of segmentation and applies it at a granular level. This enables the network administrator to establish a zero-trust security perimeter around a specific set of resources -- typically workloads or network segments -- and add east-west firewall functionality to the data center. NSX also enables the administrator to create additional security policies for specific workloads, regardless of where they sit in the network topology.
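The following is an added illustration, not VMware code and not the NSX API: a small Python model of the idea described above and in the dynamic security policy feature, where group membership is computed from VM attributes (tags, OS type) and any east-west flow without an explicit allow rule is dropped. All class, group, tag and VM names are hypothetical, and the inventory is constructed sample data.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class VM:
    name: str
    ip: str                      # topology detail; never consulted by the policy
    os_type: str
    tags: frozenset = frozenset()

@dataclass(frozen=True)
class Group:
    """Dynamic security group: membership is computed from VM attributes."""
    name: str
    required_tags: frozenset = frozenset()
    os_type: Optional[str] = None

    def contains(self, vm: VM) -> bool:
        return self.required_tags <= vm.tags and self.os_type in (None, vm.os_type)

@dataclass(frozen=True)
class Rule:
    src: Group
    dst: Group
    port: int

def evaluate(rules, src: VM, dst: VM, port: int) -> str:
    """Any matching allow rule permits the flow; everything else is dropped."""
    for r in rules:
        if r.src.contains(src) and r.dst.contains(dst) and r.port == port:
            return "ALLOW"
    return "DROP"

# Constructed inventory: all three VMs sit on the same subnet.
WEB = Group("web-tier", frozenset({"app:shop", "tier:web"}))
DB = Group("db-tier", frozenset({"app:shop", "tier:db"}), os_type="linux")
RULES = [Rule(WEB, DB, 5432)]
web1 = VM("web-01", "10.0.0.11", "linux", frozenset({"app:shop", "tier:web"}))
db1 = VM("db-01", "10.0.0.21", "linux", frozenset({"app:shop", "tier:db"}))
test1 = VM("test-01", "10.0.0.31", "linux", frozenset({"app:lab"}))

def demo():
    moved_db = VM("db-01", "172.16.5.9", "linux", db1.tags)  # re-addressed after a move
    return {
        "web->db:5432": evaluate(RULES, web1, db1, 5432),
        "web->db:22": evaluate(RULES, web1, db1, 22),
        "test->db:5432": evaluate(RULES, test1, db1, 5432),  # same subnet, still dropped
        "web->moved_db:5432": evaluate(RULES, web1, moved_db, 5432),
    }

if __name__ == "__main__":
    for flow, verdict in demo().items():
        print(f"{flow:20} {verdict}")
```

The test VM shares a subnet with the database yet is dropped, while the re-addressed database keeps its policy because membership follows its tags rather than its IP address.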
NSX uses data center automation for fast and flexible network provisioning. The network administrator can rapidly provision a new network or network segment with workloads, resources and security policies already attached to it. This eliminates bottlenecks and makes NSX ideal for application testing and working with erratic workloads, which NSX can keep logically isolated on the same physical network.
Automation is also essential to DR. NSX integrates with orchestration tools, such as vSphere Site Recovery Manager (SRM), which automates failover and DR. When paired with NSX, SRM can be used for storage replication and to manage and test recovery plans. SRM also integrates with Cross-VC NSX. Introduced in NSX 6.2, Cross-VC NSX enables logical networking and security across multiple vCenters, which makes it easier to enforce consistent security policies without the need for manual intervention. When used in conjunction with Cross-VC NSX, SRM automatically maps universal networks across protected and recovery sites.
NSX licensing and versions
In May 2016, VMware updated its NSX licensing scheme, introducing two new licenses -- Standard and Advanced -- to complement the full Enterprise product license.
According to VMware, the NSX Standard license is intended for organizations that require network agility and automation and includes features such as distributed switching, distributed routing and integration with the vRealize Suite and OpenStack. The mid-range license, NSX Advanced, offers the same capabilities as the Standard license, as well as microsegmentation for a more secure data center and features such as NSX Edge load balancing and distributed firewalling. The highest-tier license, NSX Enterprise, includes the same capabilities as the Advanced license, as well as networking and security across multiple domains through features such as Cross-VC NSX.
VMware updated the NSX licensing scheme once again in May 2017 -- this time, introducing an edition of NSX for Remote and Branch Offices (ROBO).
In addition to these NSX licenses, VMware customers have the option of purchasing NSX-T and NSX Cloud. Released in February 2017, NSX-T offers networking and security management for non-vSphere application frameworks, multiple Kernel-based Virtual Machine (KVM) distributions and OpenStack environments. NSX-T also supports Photon Platform, VMware's cloud-native infrastructure software for containers. NSX Cloud takes NSX-T components and integrates them with the public cloud. NSX Cloud customers have access to a multi-tenant dashboard, which is integrated with VMware Cloud Services, and can develop and test applications with the same network and security profiles used in the production environment.
Certification and training
VMware offers five certifications for NSX at varying levels. VMware's entry-level NSX certification, VMware Certified Professional 6 - Network Virtualization (VCP6-NV), demonstrates the candidate's ability to install, configure and administer NSX virtual networking implementations.
VMware's mid-level NSX certification, VMware Certified Advanced Professional 6 - Network Virtualization (VCAP6-NV), demonstrates the candidate's ability to deploy an NSX-based data center networking infrastructure.
At present, there is only one option for VCAP6-NV certification -- VCAP6-NV Deploy -- but VMware has plans to add a Design track as well. Any candidate who earns VCAP6-NV Design certification is eligible for VMware Certified Implementation Expert 6 - Network Virtualization (VCIX6-NV) certification. Once VMware releases the VCAP6-NV Design certification, candidates who achieve both VCAP6-NV Deploy and Design certifications will automatically earn VCIX6-NV status.
The highest level of NSX certification, VMware Certified Design Expert 6 - Network Virtualization (VCDX6-NV), demonstrates the candidate's familiarity with vSphere and NSX and the ability to design an NSX-based data center networking infrastructure.
VMware provides a number of resources for NSX certification training, including instructor-led courses, self-paced courses, cloud-based lab environments and learning subscriptions. NSX certification candidates are also encouraged to review the official exam blueprint, take an online practice exam and find or join a study group.
Cloud & Infrastructure at CCR S.A.
6 years ago
Excellent article Robin, helped me understand how the NSX works and other components of the solution. I had a hard time understanding how networks would work with NSX. Thanks for sharing.