We’re excited to announce the general availability of VMware NSX-T 3.2, one of the largest NSX releases so far. NSX-T 3.2 includes key innovations across multi-cloud security, scale-out networking for containers, VMs, and physical workloads. It also delivers simplified operations that help enterprises achieve a one-click, public cloud experience wherever their workloads are deployed. 

Strong Multi-Cloud Security 

NSX-T 3.2 provides strong, multi-cloud, easy-to-operationalize network defenses that secure application traffic within and across clouds. NSX-T 3.2 goes a step further in making it easy to enable Zero Trust application access across multi-cloud environments — enabling customers to secure traffic across applications and individual workloads with security controls that are consistent, automated, attached to the workload, and elastic in scale. 

Tapless Network Traffic Analysis (NTA)

Network traffic analysis (NTA) and sandboxing solutions are integrated directly into the NSX Distributed Firewall (DFW). NSX eliminates traffic hairpins by distributing NTA as a service within the hypervisor. Combined with distributed IDS/IPS capabilities, security teams can now virtualize the entire security stack and eliminate blind spots while allowing security policies and controls to follow workflows throughout their lifecycle, regardless of the underlying infrastructure. 

Gateway Firewall

The enhanced gateway firewall serves as a software-based gateway with L2-L7 controls — including URL filtering and advanced threat prevention with malware analysis and sandboxing. This extends centralized security controls to physical workloads, the data center perimeter, and the public cloud edge — ensuring consistent security controls across both east-west and north-south application traffic that are all managed centrally from NSX Intelligence.

Integrated NDR with NSX Intelligence

Integrating the NSX Network Detection and Response (NDR) solution into our centralized management platform, NSX Intelligence, allows the NDR solution to correlate signals from IDS/IPS, NTA, and the sandbox to identify true intrusions. NSX Intelligence now offers scale-out performance, as well as improvements to firewall rule recommendations, to further simplify and automate the task of network segmentation across application traffic. 

Switch-agnostic distributed security

The NSX Distributed Firewall now supports workloads deployed on Distributed Port Groups on VDS switches. This allows customers to deploy the NSX firewall without changes to the vSphere Distributed Switch. Customers can leverage Distributed Firewall capabilities for VDS-based VLAN networks without having to convert the switchport to N-VDS or deploy network overlays, thereby further simplifying the security architecture. 

Networking and Policy Enhancements 

Scaling up and managing a cloud environment — whether public or private — requires simplified network configuration and management, visibility and control, and the ability to rapidly add new capabilities into an existing environment. 

Container Networking and Security with NSX-T and Antrea

With NSX-T 3.2, network administrators can now define Antrea networking and security policies for containers from the NSX-T Manager user interface. Policies are applied on K8s clusters running Antrea 1.3.1-1.2.2 using the interworking controller. Kubernetes objects such as pods, namespaces, and services are collected in NSX-T inventory and tagged so that they can be selected in Distributed Firewall policies. Additionally, the NSX-T user interface can manage Antrea Traceflow and also collect log bundles from Kubernetes clusters using Antrea. 

Enhanced Migration Coordinator

The NSX Migration Coordinator has been enhanced to support customer-defined NSX topologies, larger scale, and several other features and environments not previously supported, including VMware Integrated OpenStack (VIO), fixed topologies with OSPF, guest introspection for partners that support Migration Coordinator, and identity-based firewall (IDFW/RDSH) configurations.

NSX Federation

NSX Federation, first introduced in NSX-T 3.0, helps deliver a public cloud-like operating model, enabling an operator to manage a multi-site network as a single entity while keeping configuration and operational state synchronized across multiple locations. NSX Federation is enhanced in NSX-T 3.2 to support VM tag replication between local managers so that VMs replicated and restarted during a Disaster Recovery (DR) event retain the necessary security policies. NSX-T 3.2 also implements enhanced health monitoring for communication channels between global and local managers. 

Streamlined Network Provisioning and Operations 

Simplified NSX deployment with use case-driven prescriptive provisioning

With NSX-T 3.2, admins can now deploy NSX-T Manager and networking and security use cases directly from vSphere clients — greatly simplifying NSX-T deployment in vSphere environments. Guided workflows simplify the deployment of NSX Manager as well as networking and security policies.

Simplified provisioning for NSX Advanced Load Balancer 

Installing and configuring the NSX Advanced Load Balancer (ALB) is further simplified through tighter integration with NSX Manager. You can use the NSX Manager UI to install and configure NSX Advanced Load Balancer controllers and cross-launch the VMware NSX ALB UI for advanced features. Furthermore, NSX customers interested in Advanced Load Balancer features can migrate their load balancing solution from NSX for vSphere to the VMware NSX Advanced Load Balancer using the Migration Coordinator. See the Advanced Load Balancer migration page for more details.

vRealize Network Insight Support for NSX-T Federation and Firewall

Tight integration between vRealize Network Insight 6.4 and NSX-T Federation delivers comprehensive network visibility across multiple NSX-T data centers at the global, regional, and local site level. New capabilities to optimize application performance and traffic flows are available with simplified views into inter-site VM-to-VM paths and intra-site VM-to-VM paths in a Federation topology. vRealize Network Insight 6.4 now supports NSX-T Distributed Firewall (DFW) on Distributed Port Groups (DVPG), which gives security admins enhanced visibility into unprotected traffic flows, security features such as Name Space (NS) groups, and distributed firewall rules on existing vSphere VLAN DVPGs in a topology. New 1-year and 3-year vRealize Network Insight term licenses are now available with NSX-T Advanced Threat Prevention. 

Network monitoring and troubleshooting enhancements 

Newly introduced Edge and L3 time-series monitoring implements a time-series view of Edge and L3 metrics such as CPU, memory, disk usage, packets per second, bytes per second, packet drop rate, and more in NSX Manager. This will make it easier for network operators to monitor key performance indicators, perform before and after analysis, and access historical context that is helpful in troubleshooting. Furthermore, Live Traffic Analysis in NSX Manager provides unified troubleshooting and diagnosis across data centers by combining Traceflow and packet captures. NSX-T 3.2 also implements several new events and alarms for enhanced troubleshooting across cluster health, management plane, Federation, health of the transport node, distributed firewall, Edge, VPN, NAT, Load Balancing, and the NSX Application Platform. 


The NSX-T 3.2 release expands the breadth and depth of NSX-T use cases across multi-cloud security, scale-out networking for containers, VMs, bare metal workloads, and simplified operations. The release is generally available along with detailed Release Notes covering all the features and capabilities delivered.

Follow us on Twitter @vmwarensx and LinkedIn for updates, and stay tuned for a series of deep-dive blogs on the key capabilities delivered in NSX-T 3.2.
