Components of NSX

VMware NSX is a software-defined networking (SDN) and security platform that virtualizes networking infrastructure and enables network virtualization in data centers and cloud environments. It decouples networking and security functions from physical hardware, allowing them to be provisioned and managed programmatically.

As of NSX 4.x (formerly NSX-T Data Center), the architecture is composed of several key components, each serving a specific role in networking, security, and management.


🔧 Core Components of VMware NSX (NSX 4.x)

1. NSX Manager

  • Role: Centralized management, configuration, and monitoring of the NSX environment.
  • Provides a web-based UI and REST API for administration.
  • Handles configuration of logical networks, security policies, and integration with vCenter and other systems.
  • Can run as a VM appliance (OVA) or in a clustered configuration for high availability.

2. NSX Control Plane (CP)

  • Role: Manages control plane functions such as routing, path computation, and state distribution.
  • In NSX 4.x, this is based on a centralized control plane (using Management Plane Cluster and Control Plane Cluster).
  • Uses PAXOS-based consensus for high availability.
  • Communicates with hypervisor hosts (ESXi or KVM) and edge nodes to distribute configurations.

🔹 Control Plane Nodes are internal services (not user-deployed VMs) that run in the NSX Manager cluster or as part of the fabric.

3. NSX Data Plane (Forwarding Plane)

  • Role: Handles actual packet forwarding and enforcement of policies.
  • Runs on:
    • ESXi hosts (via VIBs – NSX kernel modules)
    • KVM hosts
    • NSX Edge nodes
  • Uses Geneve (Generic Network Virtualization Encapsulation) as the overlay protocol.

4. Transport Nodes

  • Role: Any host or appliance that participates in NSX data plane forwarding.
  • Includes:
    • Hypervisor hosts (ESXi, KVM) with NSX VIBs installed.
    • NSX Edge nodes (for routing and services).
  • Must be added to a Transport Zone to participate in overlay or VLAN networks.

5. Transport Zones

  • Defines the scope of data plane communication.
  • Two types:
    • Overlay Transport Zone: For Geneve-based logical switches (spanning multiple hosts).
    • VLAN Transport Zone: For physical network segments (used for uplinks or bare-metal workloads).

6. Logical Switching

  • Role: Provides virtual Layer 2 segments (logical switches) across the data center.
  • Implemented using distributed logical switches (DLS).
  • Each logical switch is associated with a Segment in NSX 4.x (modern UI terminology).
  • Supports VLAN and overlay (Geneve) backings.

7. Logical Routing

  • Tier-0 Gateway:
    • Connects NSX to the physical network (often used for north-south routing).
    • Can run in active-active or active-standby mode.
    • Supports BGP, OSPF, and static routing.
    • Can be hosted on Edge nodes.
  • Tier-1 Gateway:
    • Connects to Tier-0 for external access.
    • Attaches to one or more Segments (logical switches).
    • Used for east-west traffic and tenant isolation.
    • Typically deployed in active-standby mode.

8. NSX Edge Nodes

  • Role: Provide gateway services (routing, NAT, load balancing, firewall, etc.) and act as the uplink to the physical network.
  • Deployed as VMs (in vSphere) or on bare metal.
  • Must be part of an Edge Cluster.
  • Support active-active or active-standby high availability.

9. Fabric

  • Role: The underlying physical and virtual infrastructure managed by NSX.
  • Includes:
    • Nodes: Transport Nodes (ESXi hosts, Edge nodes).
    • Profiles: Host switch, uplink, and transport node profiles.
    • Inventory: List of all managed nodes and their status.

10. NSX Intelligence

  • Role: AI-driven network traffic learning and security policy recommendations.
  • Analyzes traffic flows to suggest firewall rules.
  • Helps in micro-segmentation planning.

11. NSX Distributed Firewall (DFW)

  • Role: Enforces security policies at the vNIC level (kernel level).
  • Runs distributed on each hypervisor host (no hair-pinning to gateway).
  • Policies are based on security groups and applied as rules.
  • Supports Layer 3–7 filtering (with L7 application context via Guest Introspection).

12. Gateway Firewall (Tier-0/Tier-1)

  • Role: Enforces north-south traffic rules at the gateway level.
  • Applied to Tier-0 or Tier-1 gateways.
  • Complements the distributed firewall.

13. Network Detection and Response (NDR)

  • Role: Threat detection using behavioral analytics and machine learning.
  • Monitors east-west traffic for anomalies.
  • Formerly known as VMware NSX IDS/IPS.
  • Can be integrated with VMware Aria Operations for Logs or third-party SIEMs.

14. Load Balancing

  • Role: L4–L7 load balancing (HTTP, HTTPS, TCP, UDP).
  • Runs on NSX Edge nodes.
  • Supports SSL offloading, content switching, and health monitoring.

15. VPN Services

  • Supports:
    • IPsec VPN (site-to-site)
    • L2 VPN (bridge-based extension of Layer 2 networks)
    • OpenVPN (client-based SSL VPN – limited in current versions)

16. DHCP & DNS Services

  • NSX DHCP Server:
    • Supports relay and local server modes.
    • Can be deployed as a service on Tier-1 gateways.
  • NSX DNS Forwarder:
    • Provides DNS services within the virtual network.

17. Multi-Tenancy & RBAC

  • Supports role-based access control (RBAC) and multi-tenancy via:
    • Domains (security policy containers)
    • Groups and Security Tags
    • Integration with LDAP/AD

18. Automation & APIs

  • Full REST API support.
  • Integration with:
    • Terraform
    • Ansible
    • vRealize Automation
    • Kubernetes (via NSX Container Plugin)
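As an added example (not code from this page or from VMware), the following Python builds the kind of distributed firewall objects described in section 11 in the JSON shape the NSX Policy REST API from section 18 accepts, and runs two offline checks a reviewer would want before pushing it: no ALLOW rule that is ANY/ANY/ANY, and an explicit terminal DROP. The domain path, the tag-based Group expression and the system service path /infra/services/HTTPS are assumptions to verify against the API reference for your release.

```python
import json

# Constructed example of NSX Policy API (NSX 4.x) distributed firewall objects.
# Object shapes follow the public Policy API; the path /infra/services/HTTPS is
# assumed to be a system-defined service. Verify both against your release.
DOMAIN = "/infra/domains/default"


def tag_group(group_id, tag):
    """Dynamic group: every VM carrying the given NSX tag becomes a member."""
    return {"resource_type": "Group", "id": group_id, "display_name": group_id,
            "expression": [{"resource_type": "Condition",
                            "member_type": "VirtualMachine", "key": "Tag",
                            "operator": "EQUALS", "value": tag}]}


def rule(rule_id, sources, destinations, services, action):
    """One DFW rule; non-ALLOW rules are logged so denied east-west flows reach the SIEM."""
    return {"resource_type": "Rule", "id": rule_id, "display_name": rule_id,
            "source_groups": sources, "destination_groups": destinations,
            "services": services, "action": action, "scope": ["ANY"],
            "logged": action != "ALLOW"}


def build_policy():
    """Web tier may reach the app tier on HTTPS only; all other traffic to app is dropped."""
    web, app = f"{DOMAIN}/groups/web", f"{DOMAIN}/groups/app"
    return {"resource_type": "SecurityPolicy", "id": "three-tier-app",
            "display_name": "three-tier-app", "category": "Application",
            "rules": [rule("web-to-app", [web], [app], ["/infra/services/HTTPS"], "ALLOW"),
                      rule("deny-app-ingress", ["ANY"], [app], ["ANY"], "DROP")]}


def risky_rules(policy):
    """Ids of ALLOW rules whose source, destination and service are all ANY."""
    return [r["id"] for r in policy["rules"]
            if r["action"] == "ALLOW" and all(r[k] == ["ANY"] for k in
            ("source_groups", "destination_groups", "services"))]


def ends_with_deny(policy):
    """A policy should close with an explicit DROP/REJECT instead of relying on the default rule."""
    return bool(policy["rules"]) and policy["rules"][-1]["action"] in ("DROP", "REJECT")


if __name__ == "__main__":
    # Bodies for PATCH /policy/api/v1/infra/domains/default/groups/<id> and
    # PATCH /policy/api/v1/infra/domains/default/security-policies/three-tier-app
    print(json.dumps([tag_group("web", "web"), tag_group("app", "app")], indent=2))
    policy = build_policy()
    print(json.dumps(policy, indent=2))
    print("risky:", risky_rules(policy), "terminal deny:", ends_with_deny(policy))
```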

📦 Deployment Topology Example

[Physical Network]

[NSX Edge Nodes] ← BGP/OSPF

↑ (Tier-0 Gateway)

[Tier-1 Gateways]

[Logical Switches (Segments)] → Connected to VMs

[ESXi Transport Nodes] → Running VMs with DFW enforcement

Summary Table

Component                 Purpose
NSX Manager               Central management and UI
Control Plane             Routing control, state distribution
Data Plane                Packet forwarding (on hosts/edges)
Transport Nodes           ESXi/Edge nodes running NSX data plane
Logical Switching         Virtual Layer 2 networks
Tier-0/Tier-1 Gateways    North-south and east-west routing
Edge Nodes                Gateway and service functions
Distributed Firewall      Micro-segmentation at kernel level
NSX Intelligence          Traffic learning and policy suggestions
NDR / IDS/IPS             Threat detection
Load Balancer             L4–L7 load distribution
VPN                       Secure site-to-site or client connectivity
