
VMware NSX Network Virtualization

by Hatem Naguib,
Vice President
Networking & Security
*Co-Authored by Brad Hedlund

Networking is stuck in the past

It wasn’t that long ago when provisioning server resources for an application was manual, time consuming, hardware dependent, error prone, and grossly inefficient.  As with many computer science problems, the solution to this inefficiency was automation through software abstraction – enabled by server virtualization.  The release of VMware ESX paved the way for enterprises to rapidly deploy any application on any server, non-disruptively, by enabling the fundamental abstraction of servers from hardware – creating the virtual machine.  Through server virtualization software, application servers are encapsulated into virtual machines and programmatically deployed with APIs on top of generalized pools of CPU and memory resources.  This was the first important step toward the software defined data center.

Meanwhile, through all of the advances in server virtualization and cloud computing, networking has remained stuck in the past.  Still today, provisioning network and security for an application is a manual effort, requiring a human, a keyboard, and a CLI.  Each manual configuration must be carefully engineered across numerous devices, resulting in time consuming and error prone deployments.  And coupling the network’s capabilities to hardware limits choice, creates choke points, and restricts workload placement – creating an unnecessary drag on the overall efficiency of everything in the infrastructure (servers and storage) attached to the traditional networking paradigms conceived in the 20th century.

It’s time to virtualize Networking

To realize the full potential of the software defined data center, networking and security must move forward into the 21st century with a similar software abstraction layer that transformed computing – network virtualization.  VMware NSX paves the way for enterprises to rapidly deploy networking and security for any application, on any general purpose hardware, non-disruptively, by enabling the fundamental abstraction of networks from networking hardware – creating the virtual network.

Through network virtualization, more simplified logical networking devices and services can be abstracted away from the complexities of physical network engineering, exposed as logical networking objects across a fully distributed virtualization layer, and consumable through northbound APIs.  In this process, the network virtualization layer leaves behind a more simplified physical network layer.  VMware NSX exposes these simplified logical networking devices and services as logical ports, logical switches, logical routers, distributed virtual firewalls, virtual load balancers, and more, with monitoring, QoS, and security; backed by VMware NSX edge virtualization software or partner appliances.

These logical network abstractions are similar in principle to how server virtualization abstracts and exposes simplified elements of virtual CPU, virtual memory, and virtual storage – assembled in any combination to create a virtual machine.  And like server virtualization, any combination of logical network device and security policy can be assembled together into any topology – creating a virtual network – deployed programmatically through APIs.  A complete and feature rich virtual network can be defined at liberty from any constraints in physical switching infrastructure features, topologies or resources.

With network virtualization, each application’s virtual network and security topology is equally mobile and in lock-step with the fluid virtual compute layer, automated with APIs, and decoupled from custom/proprietary hardware.

VMware NSX: a platform for Network Virtualization

VMware NSX will be the world’s leading network and security virtualization platform providing a full-service, programmatic, and mobile virtual network for virtual machines, deployed on top of any general purpose IP network hardware.  The VMware NSX platform brings together the best of Nicira NVP and VMware vCloud Network and Security (vCNS) into one unified platform.  VMware NSX exposes a complete suite of simplified logical networking elements and services including logical switches, routers, firewalls, load balancers, VPN, QoS, monitoring, and security; arranged in any topology with isolation and multi-tenancy through programmable APIs – deployed on top of any physical IP network fabric, resident with any compute hypervisor, connecting to any external network, and consumed by any cloud management platform (e.g. vCloud, OpenStack, CloudStack).

The VMware NSX platform is assembled with five basic components: Controller Cluster, Hypervisor vSwitches, Gateways, Ecosystem partners, and NSX Manager.

Controller Cluster

The VMware NSX controller cluster is the highly available scale-out distributed system of x86 machines responsible for the programmatic deployment of virtual networks across the entire architecture.  The controller cluster accepts API requests from northbound management platforms (e.g. vCloud, OpenStack), calculates the virtual network topology, and proactively programs the hypervisor vswitches and Gateways with the appropriate real-time configuration and forwarding state.  As the computing environment dynamically changes, the controller cluster updates the necessary components to keep the virtual network state in lock-step with the virtual computing state.

The NSX controller cluster provides a logically centralized, yet physically distributed control layer.  Each x86 machine in the cluster shares an equal portion of all the work required, and provides immediate backup capacity for any lost cluster nodes.  Additional nodes can be added to the cluster as needed when the virtual networks under management need to scale.

The NSX controller cluster has visibility to all virtual machines and network services provisioned with NSX.  With this authoritative knowledge, the NSX controller cluster can preemptively program all NSX components with the virtual network topology.  The NSX controller cluster is completely out-of-band, and never handles a data packet.

Hypervisor vSwitch

Each hypervisor has a high performance in-kernel vSwitch with a programmable L2-L4 data plane and configuration database.  The controller cluster programs each hypervisor vSwitch with a real-time configuration and forwarding state, to match the desired virtual network topology to which the virtual machines are attached.  As any given virtual network spans multiple hypervisors, the controller dynamically programs IP encapsulation tunnels (STT and VXLAN) between hypervisors, decoupling the VM address space and virtual networks from the physical network fabric – similar to the encapsulation and decoupling of virtual machines from physical machines.

The combination of API interfaces, intelligent scale-out controller, scale-out in-kernel L2-L4 software data plane, and tunneling, form the basic building block exposing simplified L2-L4 virtual network elements arranged in any arbitrary topology, for any application.

Beyond simple network topology virtualization, VMware NSX enables new and previously unthinkable paradigms in network security virtualization, such as decoupling network security from IP addressing.  This is enabled by a high performance, fully distributed, in-kernel stateful firewall attached directly to virtual machines, capable of triggering on a rich set of high level objects and context – far beyond basic TCP/IP header inspection.
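The idea of a firewall keyed on VM objects rather than IP addresses, as an added example that is not NSX code: a small Python model of a per-vNIC stateful firewall whose rules name VM tags, resolve those tags to the VM's current address only at evaluation time, and admit reply traffic for flows already allowed. The VM names, tags, addresses and rules are constructed sample values, and the Inventory, VnicFirewall and Rule names are assumptions of this example, not NSX APIs.

```python
"""Added example: a vNIC-level stateful firewall whose rules name VM attributes, not IPs.

Not NSX code; a minimal Python model of the idea in the post. VM names, tags,
addresses and rules are constructed sample values.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

Flow = Tuple[str, str, int, int, str]   # (src_ip, dst_ip, src_port, dst_port, proto)


@dataclass
class VM:
    name: str
    ip: str
    tags: FrozenSet[str]


@dataclass
class Rule:
    src_tag: str        # tag the source VM must carry; "*" matches anything, VM or not
    dst_tag: str
    dst_port: int       # 0 matches any destination port
    action: str         # "allow" or "deny"


class Inventory:
    """The controller's authoritative VM view: resolves an IP to the VM object behind it."""
    def __init__(self, vms: List[VM]):
        self.by_name: Dict[str, VM] = {vm.name: vm for vm in vms}

    def lookup(self, ip: str) -> Optional[VM]:
        return next((vm for vm in self.by_name.values() if vm.ip == ip), None)

    def readdress(self, name: str, new_ip: str) -> None:
        """A VM changes IP (re-addressing, migration): no rule needs editing."""
        self.by_name[name].ip = new_ip


class VnicFirewall:
    """Enforcement point attached to a VM's vNIC, evaluated in the hypervisor."""
    def __init__(self, rules: List[Rule], inventory: Inventory):
        self.rules = rules
        self.inventory = inventory
        self.established: Set[Flow] = set()

    @staticmethod
    def _has_tag(vm: Optional[VM], tag: str) -> bool:
        return tag == "*" or (vm is not None and tag in vm.tags)

    def evaluate(self, src_ip, dst_ip, src_port, dst_port, proto="tcp") -> str:
        flow: Flow = (src_ip, dst_ip, src_port, dst_port, proto)
        # Stateful: a reply matching a flow we already allowed passes without a rule lookup.
        if (dst_ip, src_ip, dst_port, src_port, proto) in self.established:
            return "allow"
        src_vm = self.inventory.lookup(src_ip)
        dst_vm = self.inventory.lookup(dst_ip)
        for rule in self.rules:          # first match wins, top to bottom
            if (self._has_tag(src_vm, rule.src_tag)
                    and self._has_tag(dst_vm, rule.dst_tag)
                    and rule.dst_port in (0, dst_port)):
                if rule.action == "allow":
                    self.established.add(flow)
                return rule.action
        return "deny"                    # implicit default deny


def demo() -> Dict[str, str]:
    """Constructed three-tier scenario; returns the verdict for each probe."""
    inv = Inventory([
        VM("web-01", "10.1.1.10", frozenset({"web"})),
        VM("app-01", "10.1.1.15", frozenset({"app"})),
        VM("db-01", "10.1.1.20", frozenset({"db"})),
    ])
    fw = VnicFirewall([
        Rule("web", "db", 3306, "allow"),
        Rule("*", "db", 0, "deny"),      # nothing else reaches the database tier
        Rule("*", "*", 0, "allow"),
    ], inv)
    results = {}
    results["web_to_db"] = fw.evaluate("10.1.1.10", "10.1.1.20", 51000, 3306)
    results["db_reply"] = fw.evaluate("10.1.1.20", "10.1.1.10", 3306, 51000)
    results["app_to_db"] = fw.evaluate("10.1.1.15", "10.1.1.20", 51001, 3306)
    # Re-address the web VM: the "web -> db" rule still holds with no change to policy.
    inv.readdress("web-01", "192.168.9.10")
    results["web_readdressed_to_db"] = fw.evaluate("192.168.9.10", "10.1.1.20", 51003, 3306)
    # An unknown host now using the web VM's old address carries no tag and is denied,
    # where an IP-keyed rule would have kept admitting it.
    results["unknown_host_old_ip_to_db"] = fw.evaluate("10.1.1.10", "10.1.1.20", 51004, 3306)
    return results


if __name__ == "__main__":
    print(demo())
```

The point to take from the last two probes is the one the paragraph makes: policy identity follows the VM object, so re-addressing or migrating the VM changes nothing in the rule set, and an address alone earns no privilege.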


Gateways

VMware NSX provides scale-out Gateway services that connect virtual networks within VMware NSX to non-virtual hosts, remote sites, and external networks.  Gateway nodes provide a Gateway service, implementing the same programmable vSwitch as hypervisors, and managed by the controller cluster.

VMware NSX Gateway services provide a secure path into and out of the software defined data center. NSX Gateway nodes can be deployed in active/active HA pairs, and offer IP routing, MPLS, NAT, Firewall, VPN, and Load Balancing services for securing and controlling traffic at the north/south edge of one or more NSX virtual networks.

Some applications within NSX might need to connect to services on non-virtual hosts within the data center, such as IP storage.  For this requirement, NSX offers L2 Gateway services where HA pairs of dedicated L2 Gateway nodes, or partner Top of Rack switches, can bridge between NSX virtual networks and VLANs on a physical network.  L2 Gateway services can also be placed at remote sites, bridging a remote VLAN to an NSX virtual network, for migrating workloads to and from the cloud data center.

The cloud management platform defines any necessary L2 or L3 Gateway services via API requests to the controller cluster, which calculates the topology and programs Gateway nodes with the necessary tunnels (VXLAN, STT) and forwarding state, thereby attaching the NSX virtual networks to the appropriate Gateway service.

Note: VMware NSX provides intelligent replication (over tunnels) for broadcast, multicast, and unknown unicast frames – providing logical switches within NSX a familiar L2 service model over any standard IP routed network, with or without IP multicast.  VMware NSX can also offload IPSec encryption for NSX virtual networks and tunnels that extend to remote sites.
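The tunnel encapsulation described for the hypervisor vSwitch above, together with the replication of broadcast, multicast and unknown-unicast frames in the note, as an added example that is not NSX code: a Python model that builds and parses the 8-byte VXLAN header from RFC 7348, keeps traffic separated by VNI on receipt, and head-end replicates BUM frames as unicast copies to the VTEP list a controller would push, so no IP multicast is needed in the underlay. VTEP addresses, VNIs and MACs are constructed sample values; LogicalSwitch, forward and receive are names assumed for this example, not NSX APIs.

```python
"""Added example: VXLAN encapsulation, VNI isolation and head-end replication.

Not NSX code; a minimal Python model of what the post describes. VTEP addresses,
VNIs and MACs below are constructed sample values.
"""
import struct

VXLAN_UDP_PORT = 4789        # IANA-assigned VXLAN UDP port (RFC 7348)
VXLAN_FLAG_VNI_VALID = 0x08  # "I" flag: the VNI field is valid
BROADCAST_MAC = b"\xff" * 6


def vxlan_encap(vni: int, inner_frame: bytes) -> bytes:
    """Prepend the VXLAN header: flags(1) reserved(3) VNI(3) reserved(1), network order."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    header = struct.pack("!B3xI", VXLAN_FLAG_VNI_VALID, vni << 8)
    return header + inner_frame


def vxlan_decap(packet: bytes):
    """Return (vni, inner_frame); refuse malformed headers rather than guessing."""
    if len(packet) < 8:
        raise ValueError("truncated VXLAN header")
    flags, vni_field = struct.unpack("!B3xI", packet[:8])
    if not flags & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VNI-valid flag not set")
    return vni_field >> 8, packet[8:]


def ethernet_frame(dst_mac: bytes, src_mac: bytes, ethertype: int, payload: bytes) -> bytes:
    return dst_mac + src_mac + struct.pack("!H", ethertype) + payload


class LogicalSwitch:
    """State the controller pushes to one hypervisor for one logical switch."""
    def __init__(self, vni: int, vteps):
        self.vni = vni
        self.vteps = set(vteps)   # every hypervisor hosting a VM on this switch
        self.mac_to_vtep = {}     # MAC -> VTEP IP, programmed by the controller


def forward(switch: LogicalSwitch, local_vtep: str, frame: bytes):
    """Encapsulate one frame from a local VM and pick the VTEPs that receive it.

    Returns a list of (dst_vtep, udp_port, vxlan_packet). Broadcast, multicast
    and unknown-unicast frames are head-end replicated: one unicast tunnel copy
    per remote VTEP, so the underlay needs no IP multicast.
    """
    dst_mac = frame[0:6]
    packet = vxlan_encap(switch.vni, frame)
    is_bum = bool(dst_mac[0] & 0x01) or dst_mac not in switch.mac_to_vtep
    targets = sorted(switch.vteps - {local_vtep}) if is_bum else [switch.mac_to_vtep[dst_mac]]
    return [(vtep, VXLAN_UDP_PORT, packet) for vtep in targets if vtep != local_vtep]


def receive(packet: bytes, switches_by_vni):
    """Decapsulate on the receiving hypervisor; hand the frame only to that VNI's switch."""
    vni, inner = vxlan_decap(packet)
    if vni not in switches_by_vni:
        return None          # VNI not provisioned here: drop, never bridge across tenants
    return vni, inner


def demo():
    """Constructed scenario: two tenants sharing inner MAC/IP space on different VNIs."""
    tenant_a = LogicalSwitch(5001, ["10.0.0.1", "10.0.0.2", "10.0.0.3"])
    tenant_a.mac_to_vtep[b"\x02\x00\x00\x00\x00\x02"] = "10.0.0.3"
    src = b"\x02\x00\x00\x00\x00\x01"
    arp = ethernet_frame(BROADCAST_MAC, src, 0x0806, b"who-has 192.168.1.2")
    bcast_copies = forward(tenant_a, "10.0.0.1", arp)
    unicast = ethernet_frame(b"\x02\x00\x00\x00\x00\x02", src, 0x0800, b"data")
    unicast_copies = forward(tenant_a, "10.0.0.1", unicast)
    # Hypervisor 10.0.0.3 hosts only tenant A; a tenant B packet landing there is dropped.
    delivered = receive(bcast_copies[0][2], {5001: tenant_a})
    leaked = receive(vxlan_encap(5002, arp), {5001: tenant_a})
    return {
        "bcast_targets": [t for t, _, _ in bcast_copies],
        "unicast_targets": [t for t, _, _ in unicast_copies],
        "delivered_vni": delivered[0],
        "leaked": leaked,
    }


if __name__ == "__main__":
    print(demo())
```

The decapsulation check on the receiving side is the one worth keeping in mind: the VNI is the only thing separating tenants whose inner addresses overlap, so a frame whose VNI is not provisioned on the host is dropped rather than forwarded to the nearest matching MAC.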

Ecosystem Partners

At the heart of VMware NSX is an extensible platform that enables partners to register their services with the VMware NSX controller, and seamlessly insert the respective capabilities into virtual networks.  The use of open interfaces and open protocols allows an ecosystem of partners to easily integrate with VMware NSX using well known interfaces based on widely used open source software. More on this topic is available in this blog.  Likewise, partners can attach L4-L7 service appliances to VMware NSX to be exposed as services available to virtual networks.

NSX Manager

VMware NSX Manager provides a web-based GUI management dashboard for user friendly human interaction with the VMware NSX controller cluster API, for system setup, administration and troubleshooting.  The system administrator can view logs and connectivity status of all VMware NSX components and virtual network elements (logical switches, logical routers, gateways, etc.).  Powerful troubleshooting tools facilitate an easy mapping between virtual network topologies and the physical underlying IP network.

Like a virtual machine, VMware NSX Manager can take snapshots of the entire state of the virtual network for backup, restores, introspection, and archival.

Bringing it all together

VMware NSX is the unified platform for network and security virtualization, accelerating the capabilities of networking into the 21st century through the very same software-driven abstractions that enabled virtualized computing.  In doing so, VMware NSX brings with it the same desirable properties of server virtualization to networking and security; rapid programmatic provisioning, non-disruptive deployment, supporting legacy and new applications simultaneously on any general purpose IP networking hardware, and decoupling networking services from rigid hardware into flexible and scalable software.

VMware NSX reproduces the useful properties of a traditional physical network into a more simplified logical network abstraction layer, with high fidelity, delivering flexible network topologies, features, and security for both enterprise applications and web scale cloud computing workloads.

Expected to launch in the second half of 2013, VMware NSX represents the full potential of network virtualization by working across VMware and non-VMware hypervisors and cloud management systems, as well as any underlying networking hardware.  Customers already leveraging vCloud Networking and Security and the Nicira Virtualization Platform (NVP) to virtualize networking will have a simple path to migrate to VMware NSX.

Editor's Note: To stay up to date with the latest on Network Virtualization follow the VMware Network Virtualization Blog


29 thoughts on “VMware NSX Network Virtualization”

  1. Darren

    What is VMware doing to make fault-tolerant, high-performance storage more affordable? This is where the problem lies for 95 percent of your customers.

  2. chad.sakac@emc.com

    Disclosure, EMCer here...

    Hatem - great post, and NSX is a big deal. Looking fwd to seeing the shipping capability and core dvSwitch support.

    @ Darren - VMware is developing their own native capability (vSAN), augmenting it with data services (Virsto and other projects). They are doing it at the same time that the storage folks (including, but not limited to EMC) are also tackling it and working to become more invisible (automation) and efficient.

  3. Vincent JARDIN

    I do not understand how it helps to bring performance. It solves some management issues, but what about the IOs/throughput issues? For instance, how to sustain 10s of Million of frame per second of traffic loads?

    1. relsethagen

      If the network services, FW, IPS, LB etc.. are performed in the hypervisor the traffic is not forced through traditional appliances that have always been a bottleneck in the Datacenter. While there will be increased overhead in the hypervisor this overhead is now distributed. The network teams have always hated traffic engineering their networks through these appliances or performing these functions on their core routing/switching devices. Moving these functions to the Host will make traditional datacenter networking much simpler.

      1. Peter Phaal

        I would agree that virtualizing and distributing FW, IPS, LB functions helps eliminate an important class of performance problem.

        However, the architecture is built on a shared physical infrastructure and visibility into this infrastructure is essential if the orchestration layer is to optimally place services and the tunnels connecting them in order to reduce congestion and delay. Without visibility into the network, performance problems can easily propagate and result in system wide failures.

        Bruce Davie's article was referenced, http://cto.vmware.com/open-source-open-interfaces-and-open-networking/. He says, "Another area of focus for an open networking ecosystem should be defining a framework for common storage and query of real time and historical performance data and statistics gathered from all devices and functional blocks participating in the network. This is an area that doesn’t exist today." I would argue that standard instrumentation is embedded within the devices and functional blocks participating in the network and that these metrics need to be integrated into the orchestration framework so that it is aware of the physical infrastructure and can deliver performance guarantees, http://blog.sflow.com/2012/05/tunnels.html

        Nicira's Open vSwitch includes scaleable real-time performance monitoring - I hope this technology is making it into the NSX platform, http://blog.sflow.com/2013/01/rapidly-detecting-large-flows-sflow-vs.html

        Traffic engineering is difficult, particularly in large scale cloud deployments, but I think the way forward is to automate the process, rather than hide it under the virtual network rug.

  4. Pingback: So Non Fiction VMware targets rival “bookseller” Amazon with its own public cloud – Ars Technica | So Non Fiction

  5. Pingback: VMware to virtualize networks with software incorporating Nicira’s capabilities ← techtings

  6. Pingback: VMware announces Network Virtualization platform NSX | Go Que

  7. Pingback: VMware Outlines Corporate Strategy, Innovations Across Software-Defined Data Center, Hybrid Cloud and End-User Computing : VMblog.com - Virtualization News and Information for Everyone

  8. Mr. Darren P. Green

    As a Student at ITT Technical Institute this is a real breakthrough especially with everyone just had a reality check finding out Jay-z, Hillary Clinton, Michelle Obama recently had all their personal information posted on a Russian website. I really can not wait to see all the new improvements because utilizing, VMware to bring my Linux and Microsoft Windows Servers up and running your added security will be a great selling point to all Local Businesses and Corporate Structures alike. This should be used as a great selling tool especially with all the, Companies which lost not only consumer confidence our own United States Government who seems to be powerless on stopping these Cyber Attacks.

    1. Alpha DEV

      Wow! This has got to be the most senseless post. Bar none....never knew you could use that many words to mean exactly NOTHING!

  9. Pingback: VIRTUAL-BLOG.COM - VMware NSX Network Virtualization announced - My take - VIRTUAL-BLOG.COM

  10. Pingback: VMware to launch public cloud to fight Amazon & Nicira-based software-defined data centers | CrowdBacon – The Startup Blog

  11. Pingback: VMware to launch public cloud to fight Amazon & Nicira-based software-defined data centers | TechKudos

  12. Pingback: The Capitals™ – Capitalists' Magazine | 資本家札記 | VMware to launch public cloud to fight Amazon & Nicira-based software-defined data centers

  13. steinweo

    Great, but really looks like network virtualization available in OpenSolaris / Solaris 11 for years.

    1. Mr B

      I don't think so. Network provisioning via CLI is so 1990s. Where's the API in Cisco Nexus 1000V? Where's the L3? When will the Nexus 1000V be able to run on more than just 64 servers?

  14. Nur Aabideen

    Finally! This is a great news!
    Was wondering why it was not already done.
    This will make life so easy.

  15. Jay Reynolds

    I have been looking into securing my network but I am unsure where to start. I was told to set up a small business firewall, as well as get some software to monitor traffic. Has anyone used this software to successfully secure their servers?


    Nicira controller initially worked with open vswitch only.
    Does this mean ESXi will incorporate open vswitch, or ESXi SS or vDS have become compatible with Nicira Controller?

  17. Art Cummings

    Not a networking guy but the question for me is how can the virtual software environment be faster than hardware that is designed and optimized to handle the network traffic? The management seems cool, having the ability to do smart monitoring with traffic beyond just looking at packet data is also cool, just wondering about performance, similar to Vincent Jardin's query.


    1. jjardina

      The hardware is still running the packets. From what I am reading this is more of a management front end with a spiffy title. The hardware ASICs are still going to be passing the traffic, vmware is putting the layer of the management, which is traditionally done by a network engineer at the cli, to a gui interface. The one thing that is different about this than just a regular gui to a switch, is that the abstraction layer talks to all switches and configures them for end to end QoS and bandwidth at the application layer. There are several companies doing this now, Cisco just bought a company that does it in the "cloud" called Meraki (http://www.meraki.com/). Where this has the advantage, is that it can tie into your vmware cluster, so you have true end to end managed networking from the hypervisor, to the desktop.

      As more and more of the network layer gets abstracted, standards develop and network vendors take hold, this will become the norm. There may or may not still be access to a cli on the actual equipment, it all depends on the vendor. As usual today, the marketing folks are trying to sell you gold, when in fact it's just diet coke. This is the natural progression of the network and plenty of vendors are out there working on this and have been for several years. These guys want you to think it's the second coming of Christ.

  18. Eiad Al-Aqqad

    I guess between NSX & vSAN we are getting much closer to a fully virtualized Datacenter. The Software Defined Datacenter is approaching fast, so a new knowledge brushing will be required soon :).

  19. Sanders

    Looks like a cool product. Does this mean that a virtual network can eliminate the need for advanced hardware provisioning software that would help me expand a physical server system?
