NSX provides all the Layer 2 to Layer 7 services that are required to build virtualized networks in the software layer for modern user applications. The following sections describe these different services, and the functions they provide.
The segment, previously known as logical switch, is a Layer 2 construct similar to a VLAN backed network except that it is decoupled from the physical network infrastructure. Segments can be created in a VLAN transport zone or an overlay transport zone. Segments that are created in an overlay transport zone have a Virtual Network Identifier (VNI) associated with the segment. VNIs can scale far beyond the limits of VLAN IDs.
A logical router, also known as a gateway, consists of two components: distributed router (DR) and services router (SR).
A DR is essentially a router with logical interfaces (LIFs) connected to multiple subnets. It runs as a kernel module and is distributed in hypervisors across all transport nodes, including Edge Nodes. The DR provides east-west routing capabilities for the NSX domain.
An SR, also referred to as a services component, is instantiated when a service is enabled that cannot be distributed on a logical router. These services include connectivity to the external physical network or north-south routing, stateful NAT, Edge firewall.
A gateway always has a DR. A gateway has SRs when it is a Tier-0 gateway, or when it is a Tier-1 gateway and has configured services such as NAT or DHCP.
Transport zones define the span of a virtual network (segment) across hosts or clusters. Transport zones dictate which ESXi hosts and which virtual machines can participate in the use of a particular network.
Each hypervisor that is prepared for NSX and has an NDVS component installed is an NSX transport node that is equipped with a tunnel endpoint (TEP). The TEPs are configured with IP addresses, and the physical network infrastructure provides IP connectivity either over Layer 2 or Layer 3. An NSX Edge node can also be a transport node that is used to provide routing services. When an Edge Node or ESXi host contains an N-DVS component, it is considered a transport node.
Edge Nodes are service appliances with pools of capacity, dedicated to running network services that cannot be distributed to the hypervisors. Edge Nodes can be viewed as empty containers when they are first deployed. Centralized services such as north-south routing or Stateful NAT require the SR component of logical routers to run on the Edge Node. The Edge Node is also a transport node just like compute nodes in NSX. Similar to a compute node, it can connect to more than one transport zone. The Edge Node typically connects to one for overlay and other for north-south peering with external devices.
An Edge cluster is a group of Edge transport nodes that provides scale out, redundant, and high-throughput gateway functionality for logical networks. An NSX Edge cluster does not have a one-to-one relationship with a VxRail cluster. NSX Edge clusters can be distributed across multiple VxRail clusters.
The NSX firewall is delivered as part of a distributed platform that offers ubiquitous enforcement, scalability, line rate performance, multi-hypervisor support, and API-driven orchestration. NSX distributed firewall provides stateful protection of the workload at the vNIC level. DFW enforcement occurs in the hypervisor kernel, helping to deliver microsegmentation. Uniform security policy model for on-premises and cloud deployment supports multi-hypervisor (that is, ESXi and KVM) and multi-workload, with a level of granularity down to VM and container attributes.