By Muhamed Ahmovic on 16.05.2023, IT Security

NSX Intelligence

What is NSX Intelligence?

NSX Intelligence is an analytics engine that examines the type of traffic that runs through NSX and makes recommendations for the firewall rules to be implemented.

Essentially, it looks at traffic and is able to create a set of recommended firewall rules based on the traffic detected. It is able to monitor suspicious traffic and compare that traffic with a known baseline in the application platform as well as with a set of sensors called “detectors”. These are based on the MITRE ATT&CK framework to enable intelligent traffic analysis.
NSX Intelligence collects network traffic data on all standalone and clustered hosts in the NSX environment and builds a detailed visualization of it. This gives a comprehensive understanding of the communication between workloads and applications. As an analytics and network traffic monitor, the Intelligence Application Platform can therefore establish a baseline traffic behaviour for all NSX Data Center workloads.

NSX Intelligence eases policy discovery challenges by combining the following key steps:

  1. Analysis of current applications and associated communication flows
  2. Creating a comprehensive “Apps & Flows” map
  3. Generating recommendations for security policies
  4. 1-click push of policies to distributed service-defined firewall nodes
  5. A colour-coded visual indication of actual compliance with micro-segmentation

Requirements for the NSX Intelligence Installation

The NSX Application Platform (NAPP), which runs on Kubernetes, is the foundation (from NSX v3.2.0.1 onwards) for the following NSX features:

  • Intelligence
  • Network Detection and Response
  • Malware Prevention
  • Metrics

NAPP System requirements per NSX environment

  • Supervisor Control Plane: 3 Supervisor Control VMs: 12 vCPU, 48 GB RAM, 96 GB storage
  • TKG: 1 control node and 3 worker nodes
  • Control node: 4 vCPU, 16 GB RAM, 1 TB storage, 64 GB ephemeral storage (etcd)
  • Per worker node: 16 vCPU, 64 GB RAM, 1 TB storage, 64 GB ephemeral storage (containerd)
  • Total (Supervisor Control Plane VMs and NAPP TKG nodes): 64 vCPU, 256 GB RAM, 4.4 TB storage

In a TKG environment, all four NSX features (Intelligence, Network Detection and Response, Malware Prevention and Metrics) can be enabled, but do not have to be. NSX Intelligence needs these system requirements to be met.

NAPP and Intelligence Scaling

Components and their maximum sizes:

  • NAPP K8s nodes: 8
  • ESXi hosts: 250
  • VMs: 5,000
  • VMs per recommendation (micro-segmentation): 100
  • VM members in an NSX group: 100
  • Flows per 5-minute interval: 500,000 with 3 nodes, 1,000,000 with 8 nodes
  • Retention period: 3 months
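As an added example (not from the original post or from VMware), the sizing and scaling figures above expressed as a small Python planning check: it totals the NAPP footprint from the per-node figures and flags which of the documented maximums a planned environment would exceed. Assumptions: 1 TB counts as 1000 GB, the supervisor figures cover all three VMs together, and a node count between the two documented flow tiers is held to the lower tier.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class NodeSpec:
    name: str
    count: int
    vcpu: int
    ram_gb: int
    storage_gb: int
    ephemeral_gb: int = 0  # etcd / containerd scratch space

# Per-VM sizing from the post, with 1 TB taken as 1000 GB. Assumption: the
# supervisor figures (12 vCPU / 48 GB / 96 GB) cover all three VMs together.
NAPP_NODES = (
    NodeSpec("supervisor control VM", 3, 4, 16, 32),
    NodeSpec("TKG control node", 1, 4, 16, 1000, 64),
    NodeSpec("TKG worker node", 3, 16, 64, 1000, 64),
)
# Maximum sizes listed under "NAPP and Intelligence Scaling".
SCALE_LIMITS = {"napp_k8s_nodes": 8, "esxi_hosts": 250, "vms": 5000,
                "vms_per_recommendation": 100, "vm_members_per_group": 100}
FLOWS_PER_5MIN = {3: 500_000, 8: 1_000_000}  # only the documented node tiers

def napp_totals(nodes=NAPP_NODES):
    """Aggregate vCPU, RAM and storage (GB) the NAPP footprint reserves."""
    return {
        "vcpu": sum(n.count * n.vcpu for n in nodes),
        "ram_gb": sum(n.count * n.ram_gb for n in nodes),
        "storage_gb": sum(n.count * (n.storage_gb + n.ephemeral_gb) for n in nodes),
    }

def flow_limit(k8s_nodes):
    """Flow budget per 5-minute interval; a node count between documented
    tiers is held to the lower tier (assumption, conservative)."""
    tiers = [n for n in FLOWS_PER_5MIN if n <= k8s_nodes]
    return FLOWS_PER_5MIN[max(tiers)] if tiers else None

def check_environment(env):
    """Return the limits a planned environment (dict of counts) would exceed."""
    findings = [f"{k}={env[k]} exceeds maximum {v}"
                for k, v in SCALE_LIMITS.items() if env.get(k, 0) > v]
    budget = flow_limit(env.get("napp_k8s_nodes", 0))
    if budget is None:
        findings.append("fewer than 3 NAPP K8s nodes: no documented flow budget")
    elif env.get("flows_per_5min", 0) > budget:
        findings.append(f"flows_per_5min={env['flows_per_5min']} exceeds {budget}")
    return findings

# Constructed plan: 3 K8s nodes but 600,000 flows every 5 minutes.
PLAN = {"napp_k8s_nodes": 3, "esxi_hosts": 120, "vms": 2500, "flows_per_5min": 600_000}
```

`napp_totals()` reproduces the post's 64 vCPU / 256 GB / 4.4 TB total, and `check_environment(PLAN)` reports that the constructed plan needs more than the 3-node flow budget.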

NAPP Infrastructure requirements

In order to install NAPP, the following requirements must be met:

  • NSX Data Center from v3.2.0.1
  • One of these load balancers: NSX Embedded LB, HAProxy appliance or ALB
  • vSphere v7.0U3c
  • TKG – vSphere with Tanzu (v1.17.17 to v1.21.6; v1.20.7 or newer is recommended because of important fixes and enhancements)
  • Access to the Docker registry (public/VMware or private)
  • Access to the Helm repository (public/VMware or private)
  • From NSX v3.2.0.1 onwards, Intelligence can only be installed on NAPP. Before NSX v3.2.0.1, Intelligence could be deployed as an OVA.

NAPP Deployment Options

Once the infrastructure requirements are met, we have the following deployment options:

  • vSphere with Tanzu and NSX Embedded LB
  • vSphere with Tanzu and VDS, with the HAProxy appliance as LB
  • vSphere with Tanzu and NSX with ALB (the ALB Essentials Edition is sufficient, L4 LB)
  • Upstream K8s or Tanzu Community Edition (not officially supported by VMware)

With options 2 and 3, NAPP can be installed using the NAPP Automation Appliance.

Architecture overview for different NSX intelligence scenarios

Figure: architecture of the NSX Manager with internet access.
Figure: architecture of the NSX Manager with internet access in VCF.

Muhamed Ahmovic

Technical Presales

Muhamed is responsible for the design, planning and implementation of IT solutions with a focus on VMware, storage and Microsoft. If you have any questions about encryption technologies, you’ve come to the right place.
