VMware NSX-T 2.5 New Features with NSX Intelligence

VMware NSX-T 2.4 was certainly a game changer in the world of VMware software-defined networking. With the release of NSX-T 2.4, VMware was certainly putting the writing on the wall that NSX-T is the way forward from 2.4 onward. However, at VMworld 2019, VMware has announced NSX-T 2.5. In this post we will take a look at VMware NSX-T 2.5 new features with NSX Intelligence and see how VMware is continuing to push the envelope of software-defined networking with NSX-T.

VMware NSX-T 2.5 New Features with NSX Intelligence

There are three key areas of new functionality included with NSX-T 2.5. The key improvements can be found in:

  • NSX Cloud
  • Expanded Security Features
  • NSX-T Analytics
Key themes for NSX-T 2.5

Let’s look at the improvements in each of these areas and see what functionality is brought to the table with NSX-T 2.5.

Improved NSX-V to NSX-T Migration

New with NSX-T 2.5 is improvements made to the V2T pre-migration checks including adding vSAN health checks. Additionally, the downtime for E/W traffic has been reduced. It also supports LACP and migration of powered off VMs in maintenance mode.

NSX Cloud

There are some key features that have been introduced in the realm of NSX Cloud. These include:

  • Agent-less micro-segmentation based on native cloud security controls
  • Service Endpoint Discovery and Policy Enforcement

NSX-T 2.5 Cloud Enforced Mode

The new agent-less micro-segmentation based on native cloud security controls is introduced with a new Native Cloud Enforced Mode. What are the features of this new Cloud Enforced Mode? This features the ability to define security policies in NSX based on VM attributes, tags, and NSX groups. It also translates NSX Policies to Native Cloud Security policies. This leads to many benefits to the NSX customer. This includes:

The ability for NSX customers to have a choice when installing NSX on their VMs in the public cloud. This also provides a large competitive advantage over ACI Anywhere, Illumio, and other NSX competitors.

New NSX-T 2.5 Cloud enforced mode

Expanded Security Features

There are many expanded security features to mention with NSX-T 2.5. These include the following:

  • Extended L7 App-ID to gateway features
  • Automated Drafts & Rollbacks
  • Enhanced partner integration
  • FIPS 140-2 compliance

New to NSX-T 2.5, there is now Layer-7 APP-ID support on the gateway firewall. Previously this was L3-L4 GW FW. as of NSX-T 2.5, APP-ID based policies are supported on T1 GW FW. This includes:

  • Used in rules via Context Profiles
  • Same Context-Profiles/APP-IDs as for distributed firewall
  • Sub-attributes (version/Cipher suite) supported
  • Used in rules via Context Profiles
  • FQDN whitelisting not supported on GW FW
  • Requires medium or large edge node
  • Not supported on T0 GW
Expanded NSX-T 2.5 Layer 7 App-ID

FQDN Filtering Enhancements

There are a couple of very welcomed enhancements to the FQDN filtering functionality including:

  • FQDN whitelisting support for KVM
  • FQDN blacklisting support for ESXi

With the new features especially in ESXi, this allows customers to explicitly allow/deny access to specific URLs/domains

Let’s now take a look at the expanded analytics in NSX-T 2.5 by way of NSX Intelligence.

NSX Intelligence – What is it?

NSX Intelligence is a distributed analytics engine, that leverages context in NSX, to deliver security policy management, analytics and compliance with data-center wide visibility. What are the capabilities of NSX Intelligence in the v1.0 release?

What is NSX Ingelligence
  • NSX Intelligence builds on the unique NSX context and data as the hypervisor is in the middle of all these network communications
  • NSX Intelligence is VMware’s introduction into the emerging networking and security analytics market
  • NSX Intelligence has a strong vision leveraging our VMware portfolio and partner ecosystem to build
  • Version 1.0 provides the foundation for further innovation and differentiation
  • Intelligence Visualizations
  • Security Policy Recommendations

NSX Intelligence – Benefits

NSX Intelligence allows for the distribution of Analytics which results in teh following benefits:

Native Security:

  • Built-in to the hypervisor on top of the NSX Platform
  • Simplified deployment and lightweight footprint
  • SEcurity recommendations are enforced through proven scalable NSX platform

Distributed Analytics to Each Host:

  • Architecture enables scalable inline analytics, with reduced overhead
  • Reduces size and complexity of NSX Intelligence appliance
  • Eliminates traffic duplication, network degradation, or need for parellel analytics network

Comprehensive Analysis:

  • Instpect every packet from every workload
  • No sampling of data, full visibility into traffic flow
  • Context and analysis extending to Layer 7

Features of the NSX Intelligence User Interface

The NSX Intelligence User Interface features a clean, modern UI that seamlessly integrates with VMware NSX. It provides a centralized view of analyzed data across the NSX domain.

Currently supported objects are groups and VMs. The group view will show the flow information between objects at all levels. Information within and without the NSX domain is available including VMs, external IPs, and public IPs.

You can filter communication map to VM level, view correlated VM and network context, show related groups, and display flow details.

NSX Intelligence UI in NSX-T 2.5

NSX Intelligence Recommendations Engine

The NSX Intelligence recommendations engine provides analyzed recommendations for security rules, groups and services. It also generates new DFW policy sections and inventory groups or services. It initially supports recommendations for up to 100 VMs per session. The time range is based on data retention.

NSX Intelligence Data Platform

The NSX Intelligence Data Platform receives streams from NSX manager and transport nodes. Flow and Guest information is distributed and optimized directly at the source. Flows are sent at 5-minute intervals. As data is directly sourced from NSX components there is no dependency on copying traffic IPFIX or log data.

How is NSX Intelligence Deployed?

The NSX-T NSX Intelligence is delivered in a virtual form factor. The NSX Intelligence appliance is a separate download and is deployed from within the NSX Manager.

Summary of all New NSX-T 2.5 Enhancements

Summary of all new NSX-T 2.5 enhancements

Wrapping Up

VMware has continued to make NSX-T the defacto standard for new greenfield deployments of NSX technology. The much improved V2T mechanism makes it easier to migrate from NSX-V to NSX-T as NSX-T is the way forward for NSX.

Perhaps the standout new feature with this release of NSX-T however is NSX Intelligence. The distributed analytics with NSX-T 2.5 NSX Intelligence is going to be a game changer in how NSX analytics are captured. Stay tuned for more NSX-T 2.5 information and posts as details are released and we can get hands on the release.

Subscribe to VirtualizationHowto via Email 🔔

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Brandon Lee

Brandon Lee is the Senior Writer, Engineer and owner at Virtualizationhowto.com and has over two decades of experience in Information Technology. Having worked for numerous Fortune 500 companies as well as in various industries, Brandon has extensive experience in various IT segments and is a strong advocate for open source technologies. Brandon holds many industry certifications, loves the outdoors and spending time with family.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.