VMware NSX-T 2.4 was a game changer in the world of VMware software-defined networking. With the release of NSX-T 2.4, VMware made it clear that NSX-T is the way forward from 2.4 onward. Then, at VMworld 2019, VMware announced NSX-T 2.5. In this post we will take a look at the new features in VMware NSX-T 2.5, including NSX Intelligence, and see how VMware is continuing to push the envelope of software-defined networking with NSX-T.
VMware NSX-T 2.5 New Features with NSX Intelligence
There are three key areas of new functionality included with NSX-T 2.5. The key improvements can be found in:
- NSX Cloud
- Expanded Security Features
- NSX-T Analytics
Let’s look at the improvements in each of these areas and see what functionality is brought to the table with NSX-T 2.5.
Improved NSX-V to NSX-T Migration
New with NSX-T 2.5 are improvements to the V2T pre-migration checks, including the addition of vSAN health checks. Additionally, the downtime for E/W traffic during migration has been reduced. The migration process also supports LACP and the migration of powered-off VMs in maintenance mode.
There are some key features that have been introduced in the realm of NSX Cloud. These include:
- Agent-less micro-segmentation based on native cloud security controls
- Service Endpoint Discovery and Policy Enforcement
NSX-T 2.5 Cloud Enforced Mode
The new agent-less micro-segmentation based on native cloud security controls is introduced with a new Native Cloud Enforced Mode. What are the features of this new Cloud Enforced Mode? It provides the ability to define security policies in NSX based on VM attributes, tags, and NSX groups, and it translates those NSX policies into native cloud security policies. This brings several benefits to the NSX customer:
NSX customers now have a choice of whether or not to install an NSX agent on their VMs in the public cloud. VMware also positions this as a competitive advantage over ACI Anywhere, Illumio, and other NSX competitors.
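The translation step is the interesting part of enforced mode: policy is written once against groups whose membership is a tag expression, and the rendered native rules change as VMs are tagged or re-tagged. The following is an added example of that idea and is not VMware's code. It assumes the native construct is an allow-list security group whose entries follow the AWS-style IpPermissions shape (IpProtocol, FromPort, ToPort, IpRanges); the VM inventory, group names and rules are constructed for the demo.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CloudVM:
    """A public-cloud instance as NSX Cloud sees it (constructed data)."""
    name: str
    private_ip: str
    tags: dict


@dataclass(frozen=True)
class NsxGroup:
    """NSX group whose membership is a tag expression (every pair must match)."""
    name: str
    tag_criteria: dict

    def members(self, inventory):
        return [vm for vm in inventory
                if all(vm.tags.get(k) == v for k, v in self.tag_criteria.items())]


@dataclass(frozen=True)
class NsxRule:
    """A firewall rule expressed on NSX groups, never on addresses."""
    name: str
    src_group: str
    dst_group: str
    protocol: str   # "tcp" or "udp"
    port: int
    action: str = "ALLOW"


def render_native_rules(rules, groups, inventory):
    """Translate group-based NSX rules into per-VM native ingress permissions.

    Returns (permissions, unsupported). permissions maps a destination VM name
    to a list of ingress entries in the assumed AWS-style IpPermissions shape.
    unsupported lists rules the native construct cannot express: a security
    group is an allow-list, so an explicit DROP has no native equivalent and
    must be reported rather than silently discarded.
    """
    group_by_name = {g.name: g for g in groups}
    permissions = {}
    unsupported = []
    for rule in rules:
        if rule.action != "ALLOW":
            unsupported.append(rule.name)
            continue
        sources = group_by_name[rule.src_group].members(inventory)
        targets = group_by_name[rule.dst_group].members(inventory)
        for vm in targets:
            permissions.setdefault(vm.name, []).append({
                "IpProtocol": rule.protocol,
                "FromPort": rule.port,
                "ToPort": rule.port,
                # Membership is resolved at render time: re-tagging a VM changes
                # the rendered rule set without any edit to the NSX policy.
                "IpRanges": [{"CidrIp": f"{s.private_ip}/32",
                              "Description": f"nsx:{rule.name}"} for s in sources],
            })
    return permissions, unsupported


# Constructed inventory and policy used by demo().
INVENTORY = [
    CloudVM("web-1", "10.0.1.10", {"tier": "web", "env": "prod"}),
    CloudVM("web-2", "10.0.1.11", {"tier": "web", "env": "prod"}),
    CloudVM("app-1", "10.0.2.10", {"tier": "app", "env": "prod"}),
    CloudVM("db-1", "10.0.3.10", {"tier": "db", "env": "prod"}),
    CloudVM("web-dev", "10.0.9.10", {"tier": "web", "env": "dev"}),
]
GROUPS = [
    NsxGroup("prod-web", {"tier": "web", "env": "prod"}),
    NsxGroup("prod-app", {"tier": "app", "env": "prod"}),
    NsxGroup("prod-db", {"tier": "db", "env": "prod"}),
]
RULES = [
    NsxRule("web-to-app", "prod-web", "prod-app", "tcp", 8443),
    NsxRule("app-to-db", "prod-app", "prod-db", "tcp", 5432),
    NsxRule("block-web-to-db", "prod-web", "prod-db", "tcp", 5432, action="DROP"),
]


def demo():
    return render_native_rules(RULES, GROUPS, INVENTORY)


if __name__ == "__main__":
    perms, unsupported = demo()
    for vm_name, entries in perms.items():
        print(vm_name, entries)
    print("cannot express natively:", unsupported)
```

Note that web-dev never appears in any rendered rule because its env tag excludes it from prod-web, and that the DROP rule surfaces in the unsupported list: when a native allow-list is the enforcement point, "deny" only exists as the absence of an allow, which is worth checking in any translated policy before relying on it.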
Expanded Security Features
There are many expanded security features to mention with NSX-T 2.5. These include the following:
- Extended L7 App-ID to gateway features
- Automated Drafts & Rollbacks
- Enhanced partner integration
- FIPS 140-2 compliance
New to NSX-T 2.5, there is now Layer-7 APP-ID support on the gateway firewall. Previously the gateway firewall was L3-L4 only. As of NSX-T 2.5, APP-ID based policies are supported on the T1 gateway firewall. This includes:
- Used in rules via Context Profiles
- Same Context Profiles/APP-IDs as for the distributed firewall
- Sub-attributes (version/cipher suite) supported
- FQDN whitelisting not supported on the gateway firewall
- Requires a medium or large edge node
- Not supported on the T0 gateway
FQDN Filtering Enhancements
There are a couple of very welcome enhancements to the FQDN filtering functionality, including:
- FQDN whitelisting support for KVM
- FQDN blacklisting support for ESXi
With these new features, especially on ESXi, customers can explicitly allow or deny access to specific URLs/domains.
Let’s now take a look at the expanded analytics in NSX-T 2.5 by way of NSX Intelligence.
NSX Intelligence – What is it?
NSX Intelligence is a distributed analytics engine, that leverages context in NSX, to deliver security policy management, analytics and compliance with data-center wide visibility. What are the capabilities of NSX Intelligence in the v1.0 release?
- NSX Intelligence builds on the unique NSX context and data, since the hypervisor sits in the middle of all of this network communication
- NSX Intelligence is VMware's entry into the emerging networking and security analytics market
- NSX Intelligence has a strong vision leveraging the VMware portfolio and partner ecosystem to build on
- Version 1.0 provides the foundation for further innovation and differentiation
- Intelligence Visualizations
- Security Policy Recommendations
NSX Intelligence – Benefits
NSX Intelligence distributes the analytics work across the hosts, which results in the following benefits:
- Built into the hypervisor on top of the NSX platform
- Simplified deployment and lightweight footprint
- Security recommendations are enforced through the proven, scalable NSX platform
Distributed Analytics to Each Host:
- Architecture enables scalable inline analytics, with reduced overhead
- Reduces size and complexity of NSX Intelligence appliance
- Eliminates traffic duplication, network degradation, or the need for a parallel analytics network
- Inspects every packet from every workload
- No sampling of data, full visibility into traffic flow
- Context and analysis extending to Layer 7
Features of the NSX Intelligence User Interface
The NSX Intelligence User Interface features a clean, modern UI that seamlessly integrates with VMware NSX. It provides a centralized view of analyzed data across the NSX domain.
Currently supported objects are groups and VMs. The group view shows the flow information between objects at all levels. Information both inside and outside the NSX domain is available, including VMs, external IPs, and public IPs.
You can filter the communication map down to the VM level, view correlated VM and network context, show related groups, and display flow details.
NSX Intelligence Recommendations Engine
The NSX Intelligence recommendations engine provides analyzed recommendations for security rules, groups and services. It also generates new DFW policy sections and inventory groups or services. It initially supports recommendations for up to 100 VMs per session. The time range is based on data retention.
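The following is an added example of what a flow-based recommendation engine does in principle; it is not NSX Intelligence's code and the grouping heuristic is my own. It takes aggregated flow records (constructed here, in the shape a collector would summarise per interval), infers groups from each endpoint's role (what it serves, what it consumes), derives the service list, and emits an allow-list ruleset that ends in a default deny. A min_observations threshold is included because a learned policy codifies whatever was seen in the window, including a single port probe or an attacker's lateral movement, so one-off flows should not become rules without review.

```python
from collections import defaultdict

# Constructed aggregated flow records: (src, dst, protocol, dst_port, observations).
FLOWS = [
    ("web-1", "app-1", "tcp", 8443, 40),
    ("web-2", "app-1", "tcp", 8443, 35),
    ("web-1", "app-2", "tcp", 8443, 38),
    ("app-1", "db-1", "tcp", 5432, 120),
    ("app-2", "db-1", "tcp", 5432, 98),
    ("203.0.113.7", "web-1", "tcp", 443, 500),
    ("203.0.113.9", "web-2", "tcp", 443, 410),
    ("web-1", "db-1", "tcp", 5432, 1),   # single hit: a port probe, not an app dependency
]
# VMs selected for this recommendation session (the engine caps this at 100 per session).
SCOPE = {"web-1", "web-2", "app-1", "app-2", "db-1"}


def service_name(proto, port):
    return f"{proto}-{port}"


def recommend(flows, scope, min_observations=2):
    """Derive groups, services and an allow-list ruleset from observed flows.

    Returns a dict with 'groups' {group_name: sorted members}, 'services'
    (sorted names) and 'rules', a list of (src_group, dst_group, service, action)
    tuples that always ends with a default DROP.
    """
    served = defaultdict(set)     # endpoint -> services it accepts connections on
    consumed = defaultdict(set)   # endpoint -> services it initiates connections to
    kept = []
    for src, dst, proto, port, n in flows:
        if n < min_observations:
            continue                      # do not codify one-off traffic
        if src not in scope and dst not in scope:
            continue                      # entirely outside the session scope
        svc = service_name(proto, port)
        served[dst].add(svc)
        consumed[src].add(svc)
        kept.append((src, dst, svc))

    # Role signature: endpoints that serve the same services share a group;
    # pure clients are grouped by what they consume. Endpoints NSX does not
    # manage (external IPs) become IP-set groups, marked with an ext- prefix.
    group_of = {}
    groups = defaultdict(list)
    for ep in set(served) | set(consumed):
        sig_served = tuple(sorted(served[ep]))
        sig_consumed = tuple(sorted(consumed[ep]))
        name = ("serves-" + "+".join(sig_served)) if sig_served \
            else ("consumes-" + "+".join(sig_consumed))
        if ep not in scope:
            name = "ext-" + name
        group_of[ep] = name
        groups[name].append(ep)

    # One ALLOW rule per distinct (source group, destination group, service),
    # in first-observed order, followed by the default deny.
    rules, seen = [], set()
    for src, dst, svc in kept:
        key = (group_of[src], group_of[dst], svc)
        if key not in seen:
            seen.add(key)
            rules.append(key + ("ALLOW",))
    rules.append(("ANY", "ANY", "ANY", "DROP"))

    return {
        "groups": {k: sorted(v) for k, v in groups.items()},
        "services": sorted({svc for _, _, svc in kept}),
        "rules": rules,
    }


if __name__ == "__main__":
    rec = recommend(FLOWS, SCOPE)
    for name, members in sorted(rec["groups"].items()):
        print(f"group {name}: {members}")
    print("services:", rec["services"])
    for rule in rec["rules"]:
        print("rule:", rule)
```

Running it with the default threshold yields three groups of VMs, one external IP-set group, three services and four rules; lowering min_observations to 1 adds a web-to-database rule on tcp-5432 that exists only because of the single probe, which is exactly the kind of recommendation to reject before publishing a section to the DFW.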
NSX Intelligence Data Platform
The NSX Intelligence Data Platform receives streams from NSX Manager and the transport nodes. Flow and guest information is distributed and optimized directly at the source. Flows are sent at 5-minute intervals. As data is sourced directly from NSX components, there is no dependency on copying traffic, IPFIX, or log data.
How is NSX Intelligence Deployed?
NSX Intelligence is delivered in a virtual appliance form factor. The NSX Intelligence appliance is a separate download and is deployed from within NSX Manager.
Summary of all New NSX-T 2.5 Enhancements
VMware has continued to make NSX-T the de facto standard for greenfield deployments of NSX technology. The much improved V2T mechanism makes it easier to migrate from NSX-V to NSX-T, as NSX-T is the way forward for NSX.
Perhaps the standout new feature of this release of NSX-T, however, is NSX Intelligence. The distributed analytics in NSX-T 2.5 with NSX Intelligence is going to be a game changer in how NSX analytics are captured. Stay tuned for more NSX-T 2.5 information and posts as details are released and we can get hands-on with the release.