
VMware Partner Exchange 2015 Recap and NSX Introduction

After a long week of pre-conference boot camp training, the “Big Game,” and plenty of sessions and meetings, as well as a visit (and escape!) to Alcatraz, I’ve returned from VMware Partner Exchange (PEX) in San Francisco. VMware certainly made some exciting announcements, including the much-anticipated introduction of vSphere 6.0. You can learn about all of the details of vSphere 6 in this whitepaper and this video. Other significant announcements during the week of PEX included EMC’s introduction of their EVO:RAIL device, VSPEX BLUE; VMware VSAN 6 and Virtual Volumes; and the VMware acquisition of Immidio and its user environment management software.

Instead of rehashing all of the announcements that you can read all about in the preceding links, I’m going to focus on VMware NSX. I participated in the Advanced NSX Boot Camp in the days prior to PEX. NSX is often dubbed a “network hypervisor” for virtualized networks, but let’s dissect what that really means. It means taking concepts and features traditionally available only in physical network devices such as routers, switches, firewalls and load balancers and bringing them into the virtual world. 

You no longer need separate physical devices for many of these functions (aside from switching), each with their own, often complex, management interface or command line interface. Everything in NSX is managed via the vSphere Web Client, with command line interfaces only needed for things like packet capture and advanced troubleshooting. Just like with server virtualization versus physical servers, network virtualization provides capabilities and features that are simply not possible in a traditional physical networking environment. 

To demonstrate the power of NSX, I’ll walk through a real-world example of how it can be used. VMware Horizon (with View) offers a wide array of capabilities for end-user computing, but often relies on the configuration of underlying networking features to implement various security measures. With NSX, we can provide a secure demilitarized zone (DMZ) network for View security servers, load balancing between View connection and security servers, and firewalling between desktops and servers (or between desktops and other desktops).

Creating a DMZ network often requires a physical firewall device as well as network switch configuration to support its deployment. With NSX, we start by defining a new logical switch to support our new DMZ network: 

NSX logical switches use Virtual Extensible LAN (VXLAN) technology to create secure isolated networks without requiring configuration changes to the underlying physical switches. The logical switch is automatically made available as a port group on the VMware vSphere Distributed Switch for use with virtual machines. We then create an Edge Gateway to handle routing into and out of the DMZ network:

NSX Edge Gateway

The Edge Gateway interface IP addresses are used for routing as well as network address translation (NAT) to allow traffic selectively into and out of the DMZ network. NAT rules are then added to configure which ports and IP addresses are routed: 

NSX NAT rules

Source NAT (SNAT) rules allow the traffic from the DMZ to route to the rest of the network, and Destination NAT (DNAT) rules allow traffic into the DMZ to specific destinations. Firewall rules then control which systems can communicate with each other, and on which ports: 

NSX firewall rules

It is important to note that these firewall rules are not required to be based on traditional networking concepts such as IP addresses or subnets, but can also be based on vCenter objects and NSX security groups. In this example, we used NSX security tags assigned to View security server and connection server virtual machines in the vSphere Web Client to identify which NSX security group(s) each VM should belong to. This essentially teaches NSX what the servers actually are, so it can firewall accordingly.

We’ve also defined firewall rules between the security servers group and the View Desktops resource pool object. Different types of desktops can be placed in different resource pools, allowing you to have different sets of firewall rules for each desktop type. The ports allowed through the firewall rules are defined using services or service groups, many of which are pre-defined in NSX for View and other common application services.

Once the firewall rules are defined, it’s possible to pair the security servers inside the DMZ with the connection servers and to allow users to connect through the security servers, while preventing them from any access to the internal network except for the systems and ports they are allowed to communicate with. 
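To make the group-based rule logic above concrete, here is an added example (not from the original post and not NSX code) that models tag- and resource-pool-based group membership and checks what a DMZ security server can reach. The VM names, tag names, group names and port numbers are constructed sample values, and the first-match ordering with a block for unmatched traffic is an assumption of this model.

```python
from dataclasses import dataclass

# Constructed inventory: VM name -> security tags and resource pool (all hypothetical).
INVENTORY = {
    "view-ss-01": {"tags": {"View.SecurityServer"}, "pool": "DMZ"},
    "view-cs-01": {"tags": {"View.ConnectionServer"}, "pool": "Infra"},
    "desktop-017": {"tags": set(), "pool": "View Desktops"},
    "fileserver-01": {"tags": set(), "pool": "Infra"},
}

# Group membership is derived from a tag or a resource pool, never from an IP address.
GROUPS = {
    "SG-SecurityServers": lambda vm: "View.SecurityServer" in vm["tags"],
    "SG-ConnectionServers": lambda vm: "View.ConnectionServer" in vm["tags"],
    "RP-ViewDesktops": lambda vm: vm["pool"] == "View Desktops",
    "any": lambda vm: True,
}

@dataclass(frozen=True)
class Rule:
    name: str
    src: str
    dst: str
    ports: frozenset  # (protocol, port) pairs; an empty set means any service
    action: str

# Ports are assumed sample values standing in for the predefined View services.
RULES = [
    Rule("ss-to-cs", "SG-SecurityServers", "SG-ConnectionServers",
         frozenset({("tcp", 8009), ("tcp", 4001)}), "allow"),
    Rule("ss-to-desktops", "SG-SecurityServers", "RP-ViewDesktops",
         frozenset({("tcp", 4172), ("udp", 4172), ("tcp", 3389)}), "allow"),
    Rule("dmz-default", "SG-SecurityServers", "any", frozenset(), "block"),
]

def members(group, inventory=INVENTORY):
    """Resolve a group name to the set of VM names currently matching it."""
    return {name for name, vm in inventory.items() if GROUPS[group](vm)}

def evaluate(src_vm, dst_vm, proto, port, inventory=INVENTORY):
    """First matching rule wins; in this model unmatched traffic is blocked."""
    for r in RULES:
        if (src_vm in members(r.src, inventory)
                and dst_vm in members(r.dst, inventory)
                and (not r.ports or (proto, port) in r.ports)):
            return r.action, r.name
    return "block", "implicit-default"
```

Because membership is resolved at evaluation time, adding a second security server to the inventory with the same tag picks up the existing rules without any rule change.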

This sample from our demo lab environment is just a basic example that only scratches the surface of the full power of NSX network virtualization. Any application, not just View, can benefit from these capabilities. Other advanced features such as micro-segmentation and automated network security deployed via vRealize Automation can truly unleash the full power of VMware’s Software Defined Datacenter (SDDC) in your own environment. 

Contact an Arraya representative to learn more and be sure to follow us on Twitter @ArrayaSolutions.
