Getting Started with NSX Application Platform (NAPP)

Introducing the platform

The NSX Application Platform (NAPP) is a high-performance security analytics platform that hosts microservices-based applications (Figure 1.1).

The following NSX Advanced Threat Prevention (ATP) security applications run on NAPP:

Why NAPP?

NAPP is a microservices application platform that collects and analyzes large data sets. The correlation of network and security events is accomplished using resource-intensive analytics and machine learning.

Figure 1.1 – NAPP Platform

TIP: By choosing an automated NAPP installation, the customer does not need to be concerned with the installation and maintenance of the individual NAPP platform components including TKGs (Kubernetes).

Two ways to install NAPP

1. MANUAL INSTALL

    • Bespoke installations where the customer takes ownership of installation and ongoing maintenance of all dependencies and subcomponents of the NAPP platform.
    • Manual installations are complex and generally not necessary or recommended unless there are compelling reasons.

2. AUTOMATED INSTALL with NAPP AUTOMATION APPLIANCE (RECOMMENDED)

    • Can be compared to a scaled-out virtual appliance that includes a self-contained microservices platform (at the time of writing this is based on the Tanzu Kubernetes Grid Service (TKGs) integrated with vSphere 7.0+).
    • The key benefit of the automated NAPP deployment is that the customer need not be concerned with the deployment and management of the individual dependencies (the NAPP Automation Appliance (.OVA) takes care of all this).

TIP: Since the automated install (Figure 1.2) is the best fit for most scenarios, we will consider the automated NAPP install method for the remainder of this post.

Figure 1.2 – NAPP Automation Appliance Automates Installation of Components

Preparing for your automated deployment (three networks and two DNS records – Figure 1.3)

Figure 1.3 – NAPP Network & DNS

It is highly recommended to use the NAPP IPAM PLANNER spreadsheet below (Figure 1.4) to plan the IP address allocations for your deployment (link). NOTE: Please contact your VMware SE for assistance with these links.

Figure 1.4 – NAPP IPAM Planner Spreadsheet

Automated installation in a nutshell (process as of NAPP 3.2.x):

  1. Review NAPP prerequisites (link) and resource requirements (link)
    • NOTE: This document assumes that prerequisites are already in place
      (Example: vCSA, NSX Manager, hosts and clusters prepped for NSX, ESXi Hosts, etc)
  2. Download and follow the NSX NAPP Automation guide (link)
    • NOTE: Please contact your VMware SE for assistance with these links
  3. Define storage policies, verify MTU settings, and deploy the NAPP Automation Appliance (.OVA)
  4. Create any required networks, VLANs, subnets, DNS records per Figures 1.3 and 1.4 above
    • TIP: The installer will prompt for a “Service IP Range,” but what this means is a smaller subnet within the larger load-balancer frontend supernet (see Figure 1.4 – NAPP IPAM PLANNER)
    • Example: Load-balancer supernet 10.1.x.0/24, HA proxy subnet “range” 10.1.x.240/28
  5. Download the NSX NAPP Automation Appliance installer (link)
    • NOTE: Please contact your VMware SE for assistance with these links
  6. Start the automated installation process and assign IP addressing info using the IPAM spreadsheet (Figure 1.4) (link)
    • NOTE: Please contact your VMware SE for assistance with these links
    • TIP: If the NAPP installation process fails, click to start the installer again. Generally, this is a timing issue; in most cases, restarting the process will resume where it left off. This process may need to be repeated multiple times.
  7. Follow the on-screen instructions to continue the installation of NAPP
    • TIP: Most of the installation process is conducted from the web GUI which runs on the NAPP Automation Appliance. However, towards the end of the installation process, it is possible to log in to the NSX Manager GUI and go to System > NSX Application Platform to track the progress.
  8. Activate the microservices-based apps which run on NAPP (NSX Intelligence, etc.)
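
The addressing rule from step 4 can be checked before the installer is started. The following is an added example, not part of the original post or of VMware's tooling: it verifies that the planned networks do not overlap and that the "Service IP Range" is a valid, smaller subnet inside the load-balancer supernet. The network labels and the 10.1.10–30.x addresses are constructed sample values; substitute the ones from your IPAM planner.

```python
import ipaddress
from itertools import combinations

# Constructed sample plan; labels and addresses are assumptions for illustration.
PLAN = {
    "management": "10.1.10.0/24",
    "workload": "10.1.20.0/24",
    "frontend": "10.1.30.0/24",   # load-balancer frontend supernet
}
SERVICE_RANGE = "10.1.30.240/28"  # smaller subnet inside the frontend supernet


def _parse(label, cidr, problems):
    """Parse a CIDR strictly; host bits set (e.g. .240/27) is reported as an error."""
    try:
        return ipaddress.ip_network(cidr, strict=True)
    except ValueError as exc:
        problems.append(f"{label}: {exc}")
        return None


def check_ipam_plan(networks, lb_name, service_range):
    """Return a list of problems found in the planned address allocation."""
    problems = []
    parsed = {name: _parse(name, cidr, problems) for name, cidr in networks.items()}
    parsed = {name: net for name, net in parsed.items() if net is not None}

    # The planned networks must not overlap each other.
    for (a, net_a), (b, net_b) in combinations(parsed.items(), 2):
        if net_a.overlaps(net_b):
            problems.append(f"{a} {net_a} overlaps {b} {net_b}")

    # The service range must sit inside the load-balancer supernet and be smaller.
    svc = _parse("service range", service_range, problems)
    lb = parsed.get(lb_name)
    if svc is not None and lb is not None:
        if svc.version != lb.version or not svc.subnet_of(lb):
            problems.append(f"service range {svc} is not inside {lb_name} {lb}")
        elif svc == lb:
            problems.append(f"service range {svc} must be smaller than {lb_name} {lb}")
    return problems


if __name__ == "__main__":
    issues = check_ipam_plan(PLAN, "frontend", SERVICE_RANGE)
    print("\n".join(issues) if issues else "IPAM plan is consistent")
```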

Final notes and recommendations

For NSX Intelligence to receive data from the ESXi hosts, the clusters/hosts must be prepped for NSX. This is because the NSX Data Exporter enables ESXi hosts to send telemetry data to the apps running on NAPP (NSX Intelligence, NTA, NDR, etc).

Thanks to the VMware Security CoE and VCN team members who contributed to this post!