What is NSX Intelligence?
With NSX-T 2.5 VMware has announced NSX Intelligence. What is it and what are the use cases behind it?
NSX Intelligence is a native distributed analytics engine that aims to converge security visibility, granular policy management, analytics and compliance across the datacenter by leveraging deep workload and network context within NSX. Intelligence is feeded from the NSX-T Manager and from the ESXi Hosts, other different sources are also planned, like VMware Carbon Black Cloud.
NSX Intelligence is only available for NSX-T, there is no comparable feature in NSX-V.
VMware has included NSX-T Intelligence version 1.0 within the NSX-T 2.5 version. This feature is available with the NSX Enterprise Plus license. With the initial NSX Intelligence solution you get the capabilities for visualization and policy planning. For future versions VMware is planning to have bundles for security analytics for anomaly analysis of network behaviour and threat detection.
How the current feature set looks like?
As mentioned Visualization and Policy Planning is included in NSX Intelligence Version 1.0. NSX Intelligence provides a user interface via a single management plane within the NSX Manager, and provides the following features:
Close to real-time flow information for workloads in your environment.
NSX Intelligence correlates live or historic flows, user configurations, and workload inventory.
Ability to view past information about flows, user configurations, and workload inventory.
Automated micro-segmentation planning by recommending firewall rules, groups, and services.
What is NSX Intelligence built for?
Many companies do not have Netflow solution in place because it is expensive, needs high operation efforts and is complex to implement. Thus NSX Intelligence is a easy way to get connection flow visiblity without much costs, plannings and operation efforts.
Another use case is the security planning. Especially when security administrator wants to deploy Micro-segmentation rules they need information about every connection stream. It is very difficult to get this information from the application owners because software engineers have other priorities and the application ports are changing from time to time. NSX Intelligence provides security rule and security grouping recommendations (see picture 1). This recommendations are shown directly within the NSX-T manager GUI and can be modified and published from there.
Picture 1: Screenshot from NSX Intelligence security planning view
How does this work?
The NSX Intelligence Data Platform gets the stream from the NSX-T Manager and from the ESXi Hosts which are prepared as NSX-T Transport Nodes. Flows are send with a 5-minute interval. This means that flow and guest information is distributed and optimized directly from the source, no agent is necessary. The NSX Intelligence appliance will be deployed from the NSX-T Manager GUI and is also managed monitored from there.
The Architecture converged security visibility and analytics (see picture 2 below).
Picture 2: NSX Intelligence Architecture
What is the difference between NSX Intelligence and vRealize Network Insight?
vRealize Network Insight should be used for end-to-end network visibility and Day 2 Operations for SD-WAN, cloud, 3rd party, physical and virtual infrastructure. The application modeling micro-segmentation is also a good use case. This means when you start with micro-segmentation and you have no idea how your application is structured, then you get inputs to start with security group and policy planning. The Networking Operations team is the main user group for vRealize Network Insight.
NSX Intelligence is used from the Networking and Application Security team. The core use case is simplify rule recommendation and deployment into NSX.
Summary
From my point of view NSX Intelligence is a game changer because you get all flows directly from the ESXi Host and the NSX-T Manager (and more sources are planned) and it is possible to publish directly the security policy. If you need more information for this topic I can recommend to watch two YouTube Videos from the VMware Technical Product Manager Ray Budavari who has been presented during “Networking Field Day 22”.
