VMware NSX, formerly known as Nicira NVP (Network Virtualization Platform), is essentially what we have been doing to servers for years: abstracting the physical layer from the logical one, or in other words, virtualizing the network in such a way that all you end up with is software running on top of hypervisors which can be dynamically configured and updated.

The most important features of NSX are:

  • Logical L2 switching - extending the traditional L2 layer
  • Distributed routing - routing between subnets without traffic going out (north) to the physical network
  • Distributed firewall - enforcing security rules at either the kernel or vNIC level
  • Logical load balancing - supporting L4 through L7 load balancing, including SSL termination
  • SSL VPN services - creating L2 virtual private networks

NSX Structure

VMware NSX is built upon three different planes (pictured below), each having little to no effect on the functions of the planes below it.

[Figure nsx1-2: the NSX planes]

We are going to go through each and every layer one by one starting with…

Data Plane

A classic distributed switch (vDS) works solely at L2, and virtual machines need to be on the same L2 subnet to communicate with each other. NSX adds new functionality by installing three VIB modules at the kernel level so that the hypervisor is capable of the following:

  • VXLAN encapsulation
  • Distributed logical routing
  • Distributed logical firewalling

After these three VIBs are added to the distributed switch, it is then referred to as a VMware NSX Virtual Switch.

The L2 boundary mentioned above is no longer a problem, as NSX leverages VXLAN encapsulation.
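To make the "L2 over L3" idea concrete, here is an added example (not code from the page or from VMware) that encapsulates a constructed Ethernet frame in a VXLAN header, a UDP header and an IPv4 header between two VTEP addresses, then decapsulates it on the receiving side while validating every outer layer. The VTEP addresses, the VNI and the inner frame are constructed sample values; the header layout follows RFC 7348.

```python
"""
VXLAN encapsulation and decapsulation of an Ethernet frame, following the
header layout in RFC 7348. Added example: not code from the page or from
VMware. VTEP addresses, the VNI and the inner frame are constructed samples.
"""
import struct
from socket import inet_aton
from typing import Tuple

VXLAN_UDP_PORT = 4789        # IANA-assigned VXLAN port (RFC 7348)
VXLAN_FLAG_VNI_VALID = 0x08  # "I" flag: the VNI field carries a valid value
IP_PROTO_UDP = 17


def build_vxlan_header(vni: int) -> bytes:
    """8-byte VXLAN header: flags(1) | reserved(3) | VNI(3) | reserved(1)."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!B3sI", VXLAN_FLAG_VNI_VALID, b"\x00\x00\x00", vni << 8)


def parse_vxlan_header(data: bytes) -> int:
    """Return the VNI from a VXLAN header, rejecting malformed headers."""
    if len(data) < 8:
        raise ValueError("truncated VXLAN header")
    flags, _reserved, vni_field = struct.unpack("!B3sI", data[:8])
    if not flags & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VNI-valid flag not set")
    if vni_field & 0xFF:
        raise ValueError("reserved byte after the VNI must be zero")
    return vni_field >> 8


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header (0 when verifying a good header)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def encapsulate(inner_frame: bytes, vni: int, src_vtep: str, dst_vtep: str) -> bytes:
    """Wrap an inner Ethernet frame in VXLAN / UDP / IPv4 between two VTEPs.

    The outer Ethernet header that the physical NIC would add is omitted, so the
    overhead here is 20 (IPv4) + 8 (UDP) + 8 (VXLAN) = 36 bytes.
    """
    vxlan = build_vxlan_header(vni) + inner_frame
    udp_len = 8 + len(vxlan)
    # UDP checksum is optional over IPv4 and is commonly zero for VXLAN.
    udp = struct.pack("!HHHH", 49152, VXLAN_UDP_PORT, udp_len, 0) + vxlan
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0x4000,
                         64, IP_PROTO_UDP, 0, inet_aton(src_vtep), inet_aton(dst_vtep))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ipv4_checksum(ip_hdr)) + ip_hdr[12:]
    return ip_hdr + udp


def decapsulate(packet: bytes) -> Tuple[int, bytes]:
    """Validate each outer layer and return (vni, inner_frame)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    if packet[9] != IP_PROTO_UDP:
        raise ValueError("outer protocol is not UDP")
    udp = packet[ihl:]
    if len(udp) < 8:
        raise ValueError("truncated UDP header")
    _sport, dport, udp_len, _csum = struct.unpack("!HHHH", udp[:8])
    if dport != VXLAN_UDP_PORT:
        raise ValueError("UDP destination port is not VXLAN")
    if udp_len != len(udp):
        raise ValueError("UDP length does not match packet length")
    vni = parse_vxlan_header(udp[8:16])
    return vni, udp[16:]


def sample_inner_frame() -> bytes:
    """Constructed Ethernet frame: dst MAC | src MAC | EtherType | payload."""
    dst_mac = bytes.fromhex("005056aabbcc")
    src_mac = bytes.fromhex("005056ddeeff")
    return dst_mac + src_mac + struct.pack("!H", 0x0800) + b"constructed-ip-payload"


def roundtrip_demo() -> dict:
    """Encapsulate the sample frame on VNI 5001 and recover it on the far VTEP."""
    inner = sample_inner_frame()
    packet = encapsulate(inner, 5001, "192.168.10.11", "192.168.10.12")
    vni, recovered = decapsulate(packet)
    return {"vni": vni, "intact": recovered == inner, "overhead": len(packet) - len(inner)}


if __name__ == "__main__":
    print(roundtrip_demo())
```

The receiving side checks the IPv4 checksum, the protocol number, the UDP port and length, and the VXLAN flag and reserved bits before trusting the VNI, which is the minimum a VTEP should do before handing the inner frame to a logical switch. The 36-byte figure excludes the outer Ethernet header a physical NIC adds; that is why the usual MTU guidance for VXLAN transport networks is larger than this number.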

Control Plane

This plane manages logical networks and runtime state, and it controls the data path where I/O actually happens.

  • NSX Controller - the central control point for all logical switches within a network; it maintains the MAC, ARP and VTEP table information.
  • Logical Router Control VM - a virtual machine that is instantiated to handle routing table information and pass it to the NSX Manager (remember the Linux router from 2017? This one is quite similar)
  • UWA (User World Agent) - the ntcapd and vsfwd daemons running on the ESXi host, responsible for proxying the communication between NSX Manager and NSX Controller

[Figure nsx2-1: control plane components]

NSX Controllers are deployed from NSX Manager as VMs (either 3, 5, 7 or more; the number of them is always odd). This is because the algorithm behind the scenes is Apache ZooKeeper - a distributed coordination service for distributed systems - and it requires an odd number of nodes to avoid a "split brain" scenario.

Each NSX controller can act as one of the following 5 managers (servers):

  • Logical Manager - computing policies and network topologies
  • Switch Manager - pushing settings to ESXi hosts
  • Directory Server - managing VXLAN and DLR (Distributed Logical Routing) databases
  • API Provider - providing web-services API consumed by NSX Manager
  • Persistence Server - supervising data preservation across nodes for critical data

Management Plane

NSX Manager communicates with a vCenter Server system and is responsible for all the APIs required for third-party integrations. The NSX Manager is installed as a virtual appliance on any ESX host in the vCenter environment.

Consumption Plane

The consumption of NSX can be driven directly through the NSX Manager UI (the Web Client); however, NSX also provides rich integration into virtually any CMP (Cloud Management Platform) through REST APIs.

Out-of-the-box integration is also available through vRA (vRealize Automation), vCD (vCloud Director) and OpenStack with the Neutron plug-in for NSX.
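Two points above are worth seeing in working code: the ZooKeeper-style majority quorum that is the reason for the odd controller count, and the REST API through which a CMP or an operator's script consumes NSX state. The following added example (not code from the page, from VMware, or from any CMP) computes quorum arithmetic for a cluster of n nodes and then evaluates a controller inventory. The inventory XML is a constructed sample whose element names are assumptions chosen for illustration, not a verified NSX schema; a real check would fetch the inventory from NSX Manager over HTTPS and feed the response body into the same parser.

```python
"""
Controller quorum check: ZooKeeper-style majority arithmetic plus a parser for
a constructed controller-inventory XML document. Added example; not NSX code.
The XML element names are assumptions for illustration.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List


def quorum_size(n: int) -> int:
    """Majority needed for a ZooKeeper-style ensemble of n voting nodes."""
    if n < 1:
        raise ValueError("cluster must have at least one node")
    return n // 2 + 1


def tolerated_failures(n: int) -> int:
    """Nodes that may fail while the remainder still forms a majority.

    3 nodes tolerate 1 failure and 4 nodes also tolerate only 1, which is why
    an even count buys no extra resilience and can split 2/2 with no majority.
    """
    return n - quorum_size(n)


# Constructed sample response. Element names are assumptions for illustration
# (they mimic the shape of an XML controller inventory), not a verified NSX schema.
SAMPLE_CONTROLLER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<controllers>
  <controller><id>controller-1</id><ipAddress>192.168.110.201</ipAddress><status>RUNNING</status></controller>
  <controller><id>controller-2</id><ipAddress>192.168.110.202</ipAddress><status>RUNNING</status></controller>
  <controller><id>controller-3</id><ipAddress>192.168.110.203</ipAddress><status>STOPPED</status></controller>
</controllers>
"""


def parse_controllers(xml_text: str) -> List[Dict[str, str]]:
    """Extract id / ipAddress / status for each <controller> element."""
    # The sample is trusted; feed live API responses through a hardened XML parser.
    root = ET.fromstring(xml_text)
    if root.tag != "controllers":
        raise ValueError("unexpected root element %r" % root.tag)
    result = []
    for node in root.findall("controller"):
        entry = {field: (node.findtext(field) or "").strip()
                 for field in ("id", "ipAddress", "status")}
        if not entry["id"]:
            raise ValueError("controller element without an id")
        result.append(entry)
    return result


def assess_cluster(controllers: List[Dict[str, str]]) -> Dict[str, object]:
    """Report whether the running controllers still hold a majority quorum."""
    total = len(controllers)
    if total == 0:
        raise ValueError("no controllers in inventory")
    running = sum(1 for c in controllers if c["status"] == "RUNNING")
    need = quorum_size(total)
    warnings = []
    if total % 2 == 0:
        warnings.append("even node count: no extra fault tolerance over %d nodes" % (total - 1))
    if running < need:
        warnings.append("quorum lost: %d of %d running, need %d" % (running, total, need))
    return {
        "total": total,
        "running": running,
        "quorum": need,
        "tolerated_failures": tolerated_failures(total),
        "has_quorum": running >= need,
        "warnings": warnings,
    }


if __name__ == "__main__":
    for n in (3, 4, 5, 7):
        print("%d nodes: quorum %d, tolerates %d failures" % (n, quorum_size(n), tolerated_failures(n)))
    print(assess_cluster(parse_controllers(SAMPLE_CONTROLLER_XML)))
```

With the sample inventory, two of three controllers are running, which still meets the quorum of two, so the report shows `has_quorum` true with no warnings; one more controller loss would drop the cluster below majority, and the same report would then flag it. The even-count warning is the practical consequence of the odd-number rule stated above.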