My Path to a Cloud Project Manager

Marcus Yeo

NSX-T Service Insertion

This is a very specific feature of NSX-T, and I needed to study this as I was doing a client's project which involved integrating their NSX-T with 3rd party services. One reason clients opt to do this is that they already have a large footprint of Palo Alto or Check Point firewalls and feel comfortable managing them. Another is that the client feels some of these 3rd party services provide features which NSX-T does not.

Service Insertion Basics

  • Allows NSX-T to integrate 3rd party services

  • Must be on the supported list

  • Network Introspection
      • i.e. IDS, IPS, Next Gen FW, URL filtering

  • Endpoint Protection
      • i.e. Agentless Antivirus

  • Can be applied to East-West traffic, and North-South

  • Not all partner services are supported for both use cases

Checking for supported partner services


Service Virtual Machine (SVM)

  • A 3rd party VM that provides services to NSX-T traffic

  • North-South Service Insertion:
      • Deployed on/near edge nodes, and attached to T0/T1

  • East-West Service Insertion (2 modes):
      1. Deployed on each ESXi host (traffic need not leave the host, but this is not resource-efficient)
      2. Deployed in a separate service cluster (traffic must leave the host and come back, even if the source and target VMs sit on the same ESXi host)

  • Routing to the SVM is based on policy
      • Redirection policy (which traffic is / is not redirected)

  • Service Chains
      • To 'chain' multiple SVMs together
      • To specify inspection by multiple SVMs in the forwarding path
      • E.g. a redirection policy that uses a Service Chain directing traffic to Check Point for Next-Gen FW services first. If it passes, the traffic is forwarded to Palo Alto for URL filtering. If that passes too, the traffic is allowed to proceed.

Service Insertion Deployment

1. Service Registration

  • From the 3rd party service's management console (or API/CLI), make a call to register the service with NSX-T.

  • This makes the 3rd party service available for deployment in NSX-T (Catalog)

2. Service Deployment

  • Deployment of SVMs (specify datastore, networks, etc.)

  • For North-South:
      • The SVM can only connect to a single gateway (T0/T1)
      • The SVM sits on the host where the edge sits
      • The host on which the SVM sits must be prepared for NSX-T (as a transport node), because overlay networking is used to send traffic to the SVM. Without an SVM, an edge host does not actually need to be prepared for NSX-T.

3. Service Consumption

  • Creation of service profile, service chain

  • Set up redirection policies
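To make the step-3 objects and the chain example above concrete, here is an added Python model of how a redirection policy and a service chain decide a flow's fate. It is my own constructed illustration, not code from this post and not the NSX-T Policy API: the object and field names (`RedirectionPolicy`, `ServiceChain`, `failure_policy`, and so on) are assumptions chosen for readability, CIDRs stand in for NSX-T groups, and the SVM verdicts are constructed sample behaviour. It goes slightly beyond the post by also showing what happens when an SVM in the chain is unreachable.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Optional, Tuple

# Constructed in-memory model of service insertion objects. Names and fields are
# illustrative assumptions, not the NSX-T Policy API schema.

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int

@dataclass(frozen=True)
class ServiceProfile:
    # One registered partner service (an SVM) selected for use in a chain.
    name: str
    vendor: str
    function: str  # e.g. "NGFW", "URL_FILTER"

@dataclass
class ServiceChain:
    # Ordered SVMs the packet traverses. failure_policy (assumed name) decides
    # what happens when an SVM in the chain is unreachable: fail-open or fail-closed.
    name: str
    forward_path: List[ServiceProfile]
    failure_policy: str = "BLOCK"  # "ALLOW" or "BLOCK"

@dataclass
class RedirectionRule:
    name: str
    src_groups: List[str]  # CIDRs stand in for NSX-T groups
    dst_groups: List[str]
    dports: Optional[List[int]]  # None = any port
    action: str  # "REDIRECT" or "DO_NOT_REDIRECT"

@dataclass
class RedirectionPolicy:
    name: str
    chain: ServiceChain
    rules: List[RedirectionRule]

# An SVM verdict: True = pass, False = drop, None = SVM unreachable.
Verdict = Callable[[Flow], Optional[bool]]

def _in_groups(addr: str, cidrs: List[str]) -> bool:
    ip = ip_address(addr)
    return any(ip in ip_network(c) for c in cidrs)

def match_rule(policy: RedirectionPolicy, flow: Flow) -> Optional[RedirectionRule]:
    """First matching rule wins, as in a firewall section."""
    for r in policy.rules:
        if (_in_groups(flow.src, r.src_groups)
                and _in_groups(flow.dst, r.dst_groups)
                and (r.dports is None or flow.dport in r.dports)):
            return r
    return None

def run_chain(chain: ServiceChain, flow: Flow,
              verdicts: Dict[str, Verdict]) -> Tuple[bool, list]:
    """Pass the flow through each SVM in order; a drop stops the chain."""
    path = []
    for profile in chain.forward_path:
        v = verdicts[profile.name](flow)
        path.append((profile.name, v))
        if v is None:  # SVM down: apply the chain's failure policy
            return chain.failure_policy == "ALLOW", path
        if v is False:  # dropped here; later SVMs never see the packet
            return False, path
    return True, path

def evaluate(policy: RedirectionPolicy, flow: Flow,
             verdicts: Dict[str, Verdict]) -> dict:
    """Decide whether the flow is redirected and, if so, whether it survives the chain."""
    rule = match_rule(policy, flow)
    if rule is None or rule.action == "DO_NOT_REDIRECT":
        return {"rule": rule.name if rule else None, "redirected": False,
                "allowed": True, "path": []}
    allowed, path = run_chain(policy.chain, flow, verdicts)
    return {"rule": rule.name, "redirected": True, "allowed": allowed, "path": path}

# Constructed sample configuration mirroring the post's chain example.
NGFW = ServiceProfile("cp-ngfw", "Check Point", "NGFW")
URLF = ServiceProfile("pan-urlf", "Palo Alto", "URL_FILTER")
CHAIN = ServiceChain("ngfw-then-urlfilter", [NGFW, URLF], failure_policy="BLOCK")
POLICY = RedirectionPolicy("web-to-app-ew", CHAIN, [
    RedirectionRule("skip-backup", ["10.0.1.0/24"], ["10.0.9.0/24"], None, "DO_NOT_REDIRECT"),
    RedirectionRule("web-to-app", ["10.0.1.0/24"], ["10.0.2.0/24"], [80, 443, 8080], "REDIRECT"),
])
# Constructed SVM behaviour: the NGFW blocks 8080, the URL filter blocks one host.
VERDICTS: Dict[str, Verdict] = {
    "cp-ngfw": lambda f: f.dport != 8080,
    "pan-urlf": lambda f: f.dst != "10.0.2.66",
}

if __name__ == "__main__":
    for flow in (Flow("10.0.1.10", "10.0.2.20", 443),
                 Flow("10.0.1.10", "10.0.2.20", 8080),
                 Flow("10.0.1.10", "10.0.2.66", 443),
                 Flow("10.0.1.10", "10.0.9.5", 443)):
        print(flow, evaluate(POLICY, flow, VERDICTS))
```

Two points the model makes visible: the order of profiles in the chain matters, because a flow dropped by the first SVM is never seen by the second, and a chain that defaults to fail-closed (`BLOCK`) turns an unreachable SVM into an outage for the redirected traffic rather than an unguarded bypass, which is the trade-off to settle before going live.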

"What do you think?"


Let me know if you think there are any important/useful details I have missed in the above write-up.
