golden gate bridge san francisco california

Extending Overlay Segments to VLAN via the VMware NSX Edge Bridge

Reading Time: 8 minutes

I’ve worked with many customers over the years who are new to VMware NSX. This generally means a full design and deployment of NSX, but to be honest, a) that’s the easy bit and b) it doesn’t give the customer much in the way of immediate value. After all, all we’ve done is deploy a software-defined networking platform and generally peered it with the physical environment.

The value begins once the Customer’s workload is actually housed on an NSX Segment. This is where we begin discussing workload migrations from physical VLANs/VDS port groups to NSX Overlay Segments. ‘Easy’ you say, ‘just migrate the virtual machines and re-IP, right’? That’s one option, however, what if the Customer has thousands of VMs? What if these VMs host mission-critical applications or applications which are prone to issues following re-IPing? Sometimes this option just isn’t feasible.

The best solution for this Customer might be to migrate workloads and retain IP addressing. We can achieve this by migrating the entire physical network into VMware NSX, however, we can also achieve this by creating a VMware NSX Edge Bridge, which effectively creates a layer-2 extension between a physical VLAN and an NSX Overlay Segment.

In this article, we will detail a number of migration scenarios before detailing the process of deploying and configuring a layer 2 extension via NSX Edge Bridge.

Continue reading → Extending Overlay Segments to VLAN via the VMware NSX Edge Bridge

photo of woman looking through camera

VMware NSX Distributed Firewall (DFW) FQDN Filtering

Reading Time: 4 minutes

I recently had a great VMware NSX discussion with a contact on Twitter. They had reached out to me wondering if there was a way of restricting a VM’s connectivity to the internet by limiting its access to a set of wildcard addresses, e.g. * The specific ask was to restrict access to Microsoft Windows Server Update Services, as the vast list of underlying IP addresses for *, *, etc., changes regularly. In this scenario, utilising wildcards within the VMware NSX DFW rules would be hugely advantageous.

FQDN filtering within VMware NSX has been available for some time and is a quick and easy task to configure, either to allow or restrict traffic. In this article, we look at the process of implementing FQDN filtering and validate post-implementation.

Continue reading → VMware NSX Distributed Firewall (DFW) FQDN Filtering

VMware Explore Europe 2022

Reading Time: 5 minutes

VMware Explore Europe took place once again last week (Mon 7th Nov to Thu 10th Nov) in Barcelona’s Fira Gran Via following a two-year hiatus due to Covid-19. I’ve not attended since 2018 and despite the venue being a little more compact this time around following two years of Covid and the worry that attendance would be lower than usual, not only did numbers far exceed expectations (word on the street is they mirror, if not beat, the San Francisco event), but the session content and the ability to finally meet up with customers, partners and friends within the community in person, was absolutely fantastic.

Continue reading → VMware Explore Europe 2022

flock of birds flying

VMware NSX for vSphere to NSX-T Migration – End-to-End User Defined Topology

Reading Time: 11 minutes

In my previous post, I covered the end-to-end migration of VMware NSX for vSphere to NSX-T Data Center (VMware NSX from v4.0.0.1) via the Fixed Topology Option, however, in real life I don’t see this option utilised very often due to the limited number of supported topologies.

How then can we achieve the same in-place, end-to-end migration of unsupported topologies? This is where the User Defined Topology option comes into play, and it offers much greater flexibility by enabling customers to define/map their own logical routing topologies. This, of course, will require a design and, like the message I tried to impart in my previous post, this must be planned ahead of your proposed change/maintenance/migration window.

Continue reading → VMware NSX for vSphere to NSX-T Migration – End-to-End User Defined Topology

flock of white birds against a black background

VMware NSX for vSphere to NSX-T Migration – End-to-End Fixed Topology

Reading Time: 9 minutes

In a previous post, we discussed the value of pre-migration validation checks, identifying whether a customer environment is aligned to the supported fixed topologies and the process of creating and viewing the JSON output following the successful import of NSX for vSphere configuration.

In this post, we continue on the same theme and will use the NSX-T (VMware NSX from v4.0.0.1) Migration Coordinator to migrate an NSX for vSphere environment, end-to-end, to NSX-T via the Fixed Topology option.

Continue reading → VMware NSX for vSphere to NSX-T Migration – End-to-End Fixed Topology

magnifying glass on top of document

VMware NSX-T Migration Coordinator Report Export for Fixed Topology Migration

Reading Time: 4 minutes

With VMware NSX for vSphere (NSX-V) having gone end of general support on January 16th 2022, there are numerous customers now busily working on migrating to VMware NSX-T Data Center (VMware NSX as of v4.0.0.1).

In future posts, I will detail the end-to-end migration process for both Fixed and User Defined Topologies utilising the NSX-T Migration Coordinator, however, before we jump in, let us look at a rather handy report which is often helpful in validating customer readiness and environmental health for those looking to migrate via the Fixed Topology option.

Continue reading → VMware NSX-T Migration Coordinator Report Export for Fixed Topology Migration

VMware NSX Micro-Segmentation Only Deployment

Reading Time: 7 minutes

When we talk about VMware NSX (formerly VMware NSX-T Data Center), most of us think about abstracting management of the network away from the physical fabric thanks to NSX’s magic sauce and overlay networking capability via Geneve encapsulation. However, overlay networking isn’t always the primary use case, with a high volume of customers opting for micro-segmentation only.

Some customers, for example, are happy to allow the network’s management and physical gateways to remain within the physical fabric. Perhaps their organisation already has an alternative software-defined networking product, or they simply don’t make that many changes within their network. So, how can customers use micro-segmentation via the NSX Distributed Firewall (DFW)? Simply put, by utilising currently existing vSphere environments and VDSs in conjunction with the NSX DFW.

Continue reading → VMware NSX Micro-Segmentation Only Deployment

VMware NSX-T Data Center One-Arm Load Balancer for VLAN-Backed Workloads

Reading Time: 4 minutes

Scenario – Let us say I have a Customer who has a load balancing requirement, however, they do not utilise Overlay networking and, as a result, no Tier-0 or Tier-1 Gateways exist to form a software-defined routing architecture. As such, an Inline load balancer topology will not be possible. However, VLAN-backed NSX-T Segments are in place, as the customer currently utilises distributed firewalling.

This article looks at how we can deploy a Tier-1 Gateway for one-arm load balancing to backend virtual machines housed on VLAN-backed NSX-T Segments. Should we wish, we could expand the server pool by adding physical devices as well.

Continue reading → VMware NSX-T Data Center One-Arm Load Balancer for VLAN-Backed Workloads

Securing Physical Workloads via the VMware NSX-T Gateway Firewall and Service Interface

Reading Time: 5 minutes

Where the NSX-T Distributed Firewall (DFW) provides stateful protection to workloads at the vNIC level from within for micro-segmentation of east-west traffic, the Gateway Firewall (GFW) provides centralised stateful protection of north-south traffic for perimeter firewalling. Depending on the use case, the GFW might secure traffic between physical and virtual servers, physical to physical servers, and within multi-tenant environments, DMZ’s or could be utilised for, for example, PCI compliance.

The GFW can be implemented per Gateway and is supported on both Tier-0 and Tier-1 Gateways. The GFW is also independent of the NSX-T DFW as it holds its own configuration and enforcement policies. Excitingly, we can also leverage the GFW to secure physical workloads housed on VLAN-backed networks via the Service Interface. This is particularly useful where customers are unable to utilise the VMware NSX-T Kernel Agent (think proprietary appliances/servers).

In this article, we take a look at the process of securing physical server workloads housed on VLAN-backed networks.

Continue reading → Securing Physical Workloads via the VMware NSX-T Gateway Firewall and Service Interface

VMware NSX-T Micro-Segmentation via vRealize Log Insight

Reading Time: 6 minutes

I work with a lot of customers to design and deploy secure, zero-trust environments utilising VMware NSX-T Data Center and, specifically, by using its Distributed Firewall (DFW). I’ve also spoken at several VMUGs where I’ve discussed the realities of micro-segmentation using both NSX for vSphere (NSX-v) and NSX-T and the tools that can be utilised to aid in the identification of application dependencies, traffic flows, services, etc.

I also understand that not all customers are able to utilise some of the more advanced VMware toolings such as NSX Intelligence and vRealize Network Insight, however, there is another tool that we can use to identify our application dependencies and, best of all, if you’re a licensed NSX-T customer, you’re also licensed for…vRealize Log Insight (vRLI).

In this article, we explore how we can utilise vRLI to identify and visualise application traffic flows so that we can more effectively secure our applications.

Continue reading → VMware NSX-T Micro-Segmentation via vRealize Log Insight