NSX Service InsertionWelcome to part 4 in the Micro-Segmentation Defined– NSX Securing “Anywhere”  blog series. Today we will cover the role of NSX as a foundational security platform through NSX Micro-segmentation with Service Insertion. Previous topics covered in this series includes

This blog covers the following topics:

  1. Defining Service Insertion
  2. The Role of Service Insertion in Micro-segmentation
  3. Network and Guest Introspection
  4. NSX Service Insertion

Defining Service Insertion

In modern datacenters, network and compute services either have been or are being decoupled from the physical appliances on which they have traditionally run. In the past, a datacenter service required traffic to be steered through a series of such appliances in order to be serviced appropriately, through services such as firewalls, intrusion detection and prevention, and load balancing services. As infrastructure services transition from physical appliances to software functions, it becomes possible to deploy these services with greater granularity by inserting them into a specific forwarding path. Combining multiple functions in this manner is generally referred to as a service chain or service graph.

service insertion-Picture1aFigure 1: Two distinct service chains utilizing different functions

Once infrastructure services are defined and instantiated in software, they can be created, configured, inserted, and deleted dynamically between any two endpoints in the infrastructure. This allows the deployment and configuration of these services to be automated and orchestrated as part of a Software Defined Data Center (SDDC).

The Role of Service Insertion in Micro-segmentation

Micro-segmentation allows for application-centric topology agnostic segmentation. For additional detail on the definition of Micro-segmentation, please see the first blog post in this series. Service insertion in this context allows granular security policies to be driven at the unit or application level rather than at the network or subnet level. This enables the creation and management of functional groupings of workloads and applications within the datacenter, regardless of the underlying physical network topology.

service insertion-Picture2Figure 2: Logical functional groupings of workloads and applications

This capability dramatically shortens the amount of time required to deploy an end-to-end service for a customer or internal use, as segmentation and servicing can be defined and deployed using centralized automation and orchestration tools. From a capacity perspective, this approach does not require allocating a share of the servicing capacities of a set of hardware appliances and allows for unit level service granularity. Additionally, services can be dynamically added or removed from the servicing chain without a service outage for the involved, or adjacent, functional groupings. In this way, datacenter infrastructure can more effectively conform to business and technical requirements, rather than imposing burdensome restrictions upon applications and their users. Other operational benefits of micro-segmentation are discussed in the third entry in this blog series.

Network and Guest Introspection

There are two families of infrastructure services that can be inserted into an existing topology; network services and guest services.

In order to insert a network service, network traffic is dynamically steered through a series of software functions. For this reason, network services may be referred to as “data in motion”. Network functions inspect, and potentially act on the information stream based on its network attributes. These attributes could include the traffic source, destination, protocol, port information, or a combination of parameters. Typical examples of network services include firewall, IDS/IPS, and load balancing services.

Guest services act on the endpoints, or compute constructs, in the data center infrastructure. These functions are concerned with “data at rest”. As such, guest introspection pertains to compute and storage attributes. Agentless anti-virus, event logging, data security, and file integrity monitoring are examples of guest services.

service insertion-pic3Figure 3: Network and guest services within the hypervisor

NSX Service Insertion

As a hypervisor integrated software platform, NSX provides a unique workload-centric insertion point of data center infrastructure services. Service insertion methodologies generally rely upon network traffic steering to a set of software functions via the physical or logical network control plane. This approach requires an increasing amount of element management and control plane steering as the number of software services scales over time.

The NSX approach involves steering specified traffic via the NSX Distributed Firewall (DFW) through one or more service virtual machines (SVMs). These service virtual machines do not receive network traffic through the typical network stack, they instead are passed traffic directly via a messaging channel in the hypervisor layer itself. Network traffic designated for redirection to a third party service is defined in the same manner as NSX Distributed Firewall Rules from the general rule set. The traffic steering rules are based on layer 3 (IP) and layer 4 (transport) objects, however, they redirect traffic to a specific SVM rather than taking an allow, block, or reject action.

service insertion-pic4Figure 4: The NSX Distributed Firewall Partner Security Services tab

This framework for traffic redirection is known as VMware Network Extensibility or NetX. The NetX program features a variety of technology partners across the application delivery, security, operations, and inter-domain feature sets. Additional partners will continue to be added to this ecosystem. At the time of this post, the NetX framework contains slots for up to eight different NetX services to utilized in a single NSX domain.

service insertion-pic5Figure 5: The NSX Partner Ecosystem


Service Insertion allows additional services to be dynamically added, modified, or removed from the physically independent topologies which micro-segmentation enables in a Software Defined Datacenter. In addition to the granularity with which these services can now be applied, the ability to leverage these capabilities through automation and  orchestration offer the potential for operational benefits as well.

VMware NSX offers a hypervisor based implementation of service chaining through the NetX framework. NetX allows up to eight 3rd party services to be utilized within an NSX domain. The steering of desired traffic to these services is accomplished via the Partner Security Services area of the NSX Distributed Firewall using a comparable format to the filtering rules. As micro-segmentation deployments continue to mature, additional services and capabilities will continue to become generally available.