Runtime Zero
ESC
Browse by topic
VMware9 AI/ML2 Platform Engineering3 Tech Trends2 vSphere6 Kubernetes11 DevOps3 Cloud Native8 Networking4 Tanzu3 Observability1 NSX2 Security2 vSAN2 Storage1
Articles  /  NSX
NSX VMware Networking Security

NSX-T 4.1 Micro-Segmentation in Practice

Micro-segmentation promises to contain lateral movement in your datacenter. This guide walks through a real NSX-T 4.1 implementation, the pitfalls we hit, and the policy model that actually works at scale.

ER
Jun 05 2024 · 2 min read

The pitch for micro-segmentation is straightforward: if an attacker compromises one VM, distributed firewall rules prevent them from moving to any other VM. The reality of implementing this at scale is considerably messier. Here's what a phased NSX-T 4.1 rollout across 800 VMs taught us.

Phase 1: Discovery Mode First

Never write deny rules before you understand your traffic. NSX's Live Traffic Analysis and the flow visualiser in the NSX Manager are invaluable here. We ran in monitoring-only mode for three weeks, capturing all east-west flows.

The surprises were immediate:

  • An "isolated" finance application was making LDAP calls to three different domain controllers, not one.
  • A legacy Oracle RAC cluster had undocumented interconnects to a middleware tier.
  • Several backup agents were connecting to VMs across security zones.

Without this discovery phase, blocking rules would have caused outages on day one.

The Policy Model That Scales

NSX's Policy API (as opposed to the older Manager API) uses a hierarchical model: Domains → Security Policies → Rules. The hierarchy matters because evaluation order is explicit and auditable.

Domain: Production
├── Policy: Baseline-Deny (priority 10000)
│   └── Rule: ANY → ANY | DROP | Log
├── Policy: Infrastructure (priority 100)
│   ├── Rule: Backup-Agents → ANY | TCP 443 | ALLOW
│   └── Rule: Monitoring → ANY | ICMP | ALLOW
└── Policy: App-Payments (priority 500)
    ├── Rule: Web-Tier → App-Tier | TCP 8080 | ALLOW
    └── Rule: App-Tier → DB-Tier | TCP 5432 | ALLOW

The key insight: tag VMs, not IPs. NSX Security Tags (env:prod, tier:web, app:payments) apply rules dynamically. When you vMotion or clone a VM, its tags travel with it — no manual rule updates.

Applied Tagging Strategy

We automated tag assignment via vCenter custom attributes synced to NSX through a Python script using the NSX-T Policy API. Any VM with a custom attribute nsx-tier=web gets the tier:web security tag automatically within 60 seconds of provisioning.

nsx_client.tags.update(vm_external_id, [
    {"scope": "env", "tag": environment},
    {"scope": "tier", "tag": tier},
    {"scope": "app", "tag": app_name}
])

Operational Gotchas

  • Log volume: Enabling logging on deny rules in a busy datacenter generates enormous syslog volume. Route NSX flow logs to a dedicated log pipeline, not your general SIEM. We use a Kafka topic with a 24-hour TTL for operational review and a separate path for security alerting.
  • vSAN traffic: Ensure your vSAN VMkernel adapters are excluded from DFW processing — NSX applies DFW to VMkernel traffic by default in some versions and you do not want storage I/O going through firewall evaluation.
  • Change management: Micro-segmentation rules are infrastructure-as-code from day one. Store policy JSON in git, review changes via PR, apply with a pipeline. Manual NSX Manager edits at scale become unauditable fast.
← ALL ARTICLES