This is a very specific feature of NSX-T, and I needed to study it for a client project which involved integrating their NSX-T with 3rd party services. One reason clients opt to do this is that they already have a large footprint of Palo Alto or Check Point firewalls and feel comfortable managing them. Another is that the client feels some of these 3rd party services offer features which NSX-T does not provide.
Service Insertion Basics
- Allows NSX-T to integrate 3rd party services
  - Must be on the supported list
  - e.g. IDS, IPS, Next-Gen FW, URL filtering
  - e.g. Agentless antivirus
- Can be applied to East-West traffic and to North-South traffic
  - Not all partner services are supported for both use cases
- Checking for supported partner services
  - Under 'What are you looking for:', select 'Networking and Security Services for NSX-T'
  - Select version, partner name, API integration, solution category (Edge service insertion refers to N-S insertion)
Service Virtual Machine (SVM)
- A 3rd party VM that provides services to NSX-T traffic
- North-South Service Insertion:
  - Deployed on/near edge nodes, and attached to a T0/T1
- East-West Service Insertion (2 modes):
  - Deployed on each ESXi host (traffic need not leave the host, but this is not resource-efficient)
  - or deployed in a separate service cluster (traffic needs to leave the host and come back, even if the target VM sits on the same ESXi host)
- Routing to the SVM is based on policy
  - Redirection policy: which traffic is (or is not) redirected
  - Service chain: 'chains' multiple SVMs together, i.e. specifies inspection by multiple SVMs in the forwarding path
  - E.g. use a redirection policy that uses a service chain directing traffic to Check Point for Next-Gen FW services first. If it passes, forward to Palo Alto for URL filtering. If it passes that too, the traffic is allowed to proceed.
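As an added illustration (my own example, not code from NSX-T or either vendor), here is a small Python model of how a redirection policy decides which flows are redirected and how an ordered service chain then short-circuits on the first block. The SVM verdict functions, IP addresses and group membership are constructed placeholders, and the handling of an unreachable SVM is my assumption about how a chain's allow/block failure policy behaves.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int

# Each SVM returns "ALLOW" or "BLOCK", or None when it is unreachable.
Inspector = Callable[[Flow], Optional[str]]

@dataclass
class RedirectionRule:
    sources: set                 # hypothetical source group, as a set of IPs
    chain: List[str]             # ordered SVM names; first entry inspects first

    def matches(self, f: Flow) -> bool:
        return f.src in self.sources

def run_service_chain(flow: Flow, chain: List[str], svms: Dict[str, Inspector],
                      failure_policy: str = "BLOCK") -> Tuple[str, Optional[str]]:
    """Walk the chain in order: the first BLOCK ends inspection; an unreachable
    SVM is handled by the chain's failure policy (BLOCK = fail closed)."""
    for name in chain:
        verdict = svms[name](flow)
        if verdict is None and failure_policy == "BLOCK":
            return "BLOCK", name
        if verdict == "BLOCK":
            return "BLOCK", name
    return "ALLOW", None

def evaluate(flow: Flow, policy: List[RedirectionRule], svms: Dict[str, Inspector],
             failure_policy: str = "BLOCK") -> Tuple[str, Optional[str]]:
    """First matching redirection rule wins; unmatched flows are never
    redirected, so no SVM in the chain ever sees them."""
    for rule in policy:
        if rule.matches(flow):
            return run_service_chain(flow, rule.chain, svms, failure_policy)
    return "ALLOW", "not-redirected"

# Constructed sample SVMs and policy (placeholders, not a real deployment).
def checkpoint_ngfw(f: Flow) -> str:   # NGFW stage: blocks cleartext telnet
    return "BLOCK" if f.dport == 23 else "ALLOW"
def paloalto_urlf(f: Flow) -> str:     # URL-filtering stage: blocks one denied web host
    return "BLOCK" if f.dport == 443 and f.dst == "203.0.113.9" else "ALLOW"

SVMS: Dict[str, Inspector] = {"checkpoint-ngfw": checkpoint_ngfw, "paloalto-urlf": paloalto_urlf}
POLICY = [RedirectionRule(sources={"10.0.1.10", "10.0.1.11"},
                          chain=["checkpoint-ngfw", "paloalto-urlf"])]
```

Note that a flow which fails the first SVM never reaches the second, so only the verdicts of SVMs that actually inspected the flow appear in the result.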
Service Insertion Deployment
1. Service Registration
   - From the 3rd party service's management console (or API/CLI), make a call to register the service with NSX-T.
   - This makes the 3rd party service available for deployment in NSX-T (Catalog).
2. Service Deployment
   - Deployment of SVMs (specify datastore, networks, etc.)
   - An SVM can only connect to a single gateway (T0/T1)
   - The SVM sits on the host where the edge sits
   - The host on which the SVM sits must be prepped for NSX-T (i.e. be a transport node), because overlay networking is used to send traffic to the SVM. Without service insertion, the edge host itself does not actually need to be prepped for NSX-T.
3. Service Consumption
   - Creation of the service profile and service chain
   - Set up redirection policies
"What do you think?"
Let me know if you think there are any important/useful details I have missed in the above write-up.