Mike Ghazaleh

5 Things about NSX-T you probably didn't know

Updated: Apr 6

NOTE: If you're finding this page from google, be sure to check out our VMware training courses! We have a TON currently in production, and our courses are absolutely better than anything out there. You can check our current courses out here.

While VMware NSX-T has been around a while, it's still a fairly complicated product, and it's one that I continue to learn new and interesting things about. In today's post - which should be a fun one - I want to share 5 things that I'm betting you probably don't know about NSX! These aren't secrets, of course, just things that I think are lesser-known in the VMware community. So let's jump right into it!

Thing #1: You can configure time-based rules in the Distributed FW

This one is pretty cool actually. In NSX, you can specify a time window for each distributed firewall policy. One of my favorite uses for this is for contractors leveraging VDI. Here's a quick snapshot of my NSX-T Manager as I set up a basic time-based rule. One thing worth keeping in mind - you need to configure an NTP server on your transport nodes if you expect the rule to work!

[Screenshot: NSX-T Manager, configuring a time-based distributed firewall rule]
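To make the time-window behaviour (and the NTP caveat) concrete, here is an added example that is not code from the original post or from VMware. It builds a schedule in the shape I understand the NSX-T Policy API's PolicyFirewallScheduler object to have, then evaluates the window offline the way a transport node would. The field names (`days`, `time_interval`, `time_zone`, `recurring`), the `/infra/firewall-schedulers/<id>` path and the `scheduler_path` key on the security policy are assumptions about the API; the schedule, the fixed-offset time zone table and the clock-skew scenario are constructed for the example.

```python
# Added example, not code from the original post or from VMware.
# Builds a time-based DFW schedule in the assumed shape of the NSX-T Policy
# API PolicyFirewallScheduler object and evaluates the window offline, so you
# can see why an unsynchronised transport-node clock changes the outcome.
import json
from datetime import datetime, time, timedelta, timezone

DAY_NAMES = ["MONDAY", "TUESDAY", "WEDNESDAY", "THURSDAY", "FRIDAY",
             "SATURDAY", "SUNDAY"]

# Constructed lookup: standard-time offsets only, no DST handling, so the
# example runs without system tz data. NSX resolves the IANA zone itself.
TZ_OFFSETS = {"US/Eastern": timedelta(hours=-5)}

# Constructed schedule: contractor VDI pool may reach the app tier
# Mon-Fri, 08:00-18:00 US/Eastern, every week.
CONTRACTOR_SCHEDULE = {
    "resource_type": "PolicyFirewallScheduler",   # assumed resource name
    "display_name": "contractor-business-hours",
    "days": DAY_NAMES[:5],
    "time_interval": [{"start_time": "08:00", "end_time": "18:00"}],
    "time_zone": "US/Eastern",
    "recurring": True,
}


def scheduler_payload(schedule: dict) -> str:
    """JSON body for PUT /policy/api/v1/infra/firewall-schedulers/<id>
    (path and body shape are assumptions about the NSX-T Policy API)."""
    return json.dumps(schedule, indent=2)


def policy_reference(schedule: dict) -> dict:
    """Fragment of a SecurityPolicy that binds it to the schedule; the
    'scheduler_path' key is an assumption about the Policy API."""
    return {"scheduler_path":
            f"/infra/firewall-schedulers/{schedule['display_name']}"}


def rule_active(schedule: dict, when: datetime) -> bool:
    """True if the tz-aware instant 'when' falls inside the schedule window,
    evaluated in the schedule's own time zone. Start is inclusive and end is
    exclusive, so 18:00:00 is already outside an 08:00-18:00 window."""
    local = when.astimezone(timezone(TZ_OFFSETS[schedule["time_zone"]]))
    if DAY_NAMES[local.weekday()] not in schedule["days"]:
        return False
    return any(
        time.fromisoformat(iv["start_time"]) <= local.time()
        < time.fromisoformat(iv["end_time"])
        for iv in schedule["time_interval"]
    )


def rule_active_on_node(schedule: dict, real_now: datetime,
                        clock_skew: timedelta) -> bool:
    """What a transport node decides when its clock is off by 'clock_skew'.
    The node enforces on its own idea of the time, which is why NTP on the
    transport nodes is a prerequisite for time-based rules."""
    return rule_active(schedule, real_now + clock_skew)


if __name__ == "__main__":
    print(scheduler_payload(CONTRACTOR_SCHEDULE))
    print(policy_reference(CONTRACTOR_SCHEDULE))
    east = timezone(TZ_OFFSETS["US/Eastern"])
    t = datetime(2024, 3, 5, 17, 30, tzinfo=east)   # Tuesday 17:30 Eastern
    print("manager view  :", rule_active(CONTRACTOR_SCHEDULE, t))
    print("node +45 min  :", rule_active_on_node(CONTRACTOR_SCHEDULE, t,
                                                  timedelta(minutes=45)))
```

The last two lines of the demo are the point: at 17:30 the Manager shows the rule as active, but a transport node whose clock runs 45 minutes fast is already past 18:00 and stops matching the rule, so the contractor session is dropped early (and a slow clock would have the opposite effect, keeping access open after hours). Checking that every transport node is synchronised to the same NTP source is the first thing to verify when a time-based rule behaves unexpectedly.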

Thing #2: You can deploy NSX-T natively in Azure

A lot of people know that you can deploy NSX-T on-prem, and use it to firewall your native Azure workloads, as well as AWS for that matter. What most people don't know, is that starting in NSX-T 3.1.1, you can actually deploy ALL components of NSX inside of Azure, including your Managers.

This is done using Terraform scripts (link to docs), but there is a documented process for deploying NSX-T Manager and CSM manually as well which you can find here.

Thing #3: NSX Advanced Threat Prevention requires Kubernetes

In NSX-T 3.2, VMware fully integrated (ok, almost) their previous LastLine acquisition - introducing Advanced Threat Prevention components directly into NSX-T. These components include things like Malware prevention, Network Traffic Analysis, and Network Detection & Response capabilities, in addition to the already-existing NSX Intelligence feature.

The downside to all of this cool stuff? It requires that you already have a Kubernetes environment deployed, because all of it sits on top of a new component called NSX Application Platform. In a nutshell, NSX Application Platform, also known as NAPP, allows NSX to run these security components as containers on top of Kubernetes.

Thing #4: NSX-T supports TLS Decryption (sort of) in 3.2

I'm not going to lie, this one is probably the biggest deal out of what we're talking about today! The ability to take encrypted traffic, decrypt it, inspect it with IDS/IPS, and re-encrypt it is awesome. It's also something people have been asking about for a long time. Previously this encrypted traffic was sort of a black box to NSX - in other words, it had no visibility into those flows.

On the technical side, this feature is implemented directly on T1 Gateways, but it is in tech preview currently, meaning it's not supported for production workloads. The nice thing, though, is you can configure this today in 3.2 if you're just wanting to play around with it.

Thing #5: NSX-T includes licensing for VDS, and vRealize Log Insight

One of the biggest things I've heard from customers is often "but I'm on standard switch! I can't use NSX!" Well, a special license that entitles you to use the vSphere Distributed Switch, even if your current vSphere license doesn't include it, comes with NSX-T. In addition to that, you get vRealize Log Insight licenses for any nodes where your NSX-T workload VMs sit. This mapping is 1:1 and only covers NSX-T assets, so you can't use vRLI to collect logs from anything else without additional licensing.

It's probably also worth mentioning that licensing changes often, so the above could change, but as of this writing it is true. You can check out the NSX datasheet here, where it mentions that vRLI is included with NSX. In addition, the official vRLI datasheet discusses the feature differences between the standard vRLI license and the NSX-included one.


That's it for today! I hope you learned something new - and have some homework to do! As always, I'll likely be digging into these components more in subsequent blog posts and/or on the official NRDY Tech YouTube channel.

