How we deliver on the vision of the Virtual Cloud Network is with a complete virtual network infrastructure delivered in software with the VMware NSX portfolio essentially creating an easy button for connecting and protecting workloads for the business, developers, and so on.

It can deliver more operational speed and agility, simplified compliance, increased competitiveness, and increased revenue. This can only be done in software – providing consistent networking from end to end.  Because the network is all delivered in software, it brings together programmability, agility, and adaptability that enables organizations to move faster based on applications that they are deploying and managing.​

Security is built in as opposed to being bolted on. This is key, as the old rule of perimeter security evolved from building a perimeter around a data center to one that is application and data centric. It’s about building consistency in the network and security policy for data and applications regardless of where they are running. In this way, security follows the application, rather than the other way round.

Lets us check how the VMware vRealize Network Insight architecture works.

  1. First is How Does NSX Assessment Work?

•Captures IP Fix data (Netflow) from vSphere/VDS switches
•Uniquely configures port groups within hosts from vRNI UI for filtered views.
•Five tuple packet data is processed and analyzed based on traffic patterns, application ports, top talkers, and security groups.
•Analyzed data is represented within modern day topology user interface as well as best practice network/NSX design recommendations

•Brick model with layered and zero-coupling architecture, each layer encapsulated and horizontally stretchable independently
•Asynchronous event driven DAG computing at large scale – containers grid with DAG of analytical programs with no coupling
•Time as fundamental dimension of every data and program – anything Now is also possible at time T
•Richer the context, richer the analytics – full connected graph across pillars, vendors and layers, largely vendor agnostic
•Efficient technique to apply/consume analytics is semantic slice/dice on top of models/API – semantics aware search engine


Analytics grid
•Store data from proxy VMs
•Processes in real time, batch
•VXLANs graphs, paths, MTU events

​Storage and search engine
•Stores configurations, changes, performance stats
•Indexes configurations, events
•Supports data retention policy ​

UI, REST API, search engine
•UI on top of REST API (private)
•Search engine –SDDC models awareness –Combines configuration, flows, performance data
•Flow analytics components (high performance) –Access flows at large scale –Analyze flows, rules, micro-segmentation graphs

PLATFORM VMaka the Collector

Collects data from data sources using appropriate protocol(s).
Receives IPFIX (NetFlow) data from ESX on port UDP:2055
Securely pairs with platform before uploading data or getting instructions
Reduces / batches data significantly before upload

Collector process
Only way to upload data, receive instructions from platform
Platform not available? Store in offline message store
Has specific adapters for data sources, get data messages from them
Receives data from Flow Processor
Adapters may use Postgres to keep some state

Offline message store
Stores latest data here temporarily if platform is unavailable
Restricted to % of disk space
Good for few hours to days of data depending on size of environment

Flow processor (high performance)
Processes raw flow records files (nfcapd), generates 5-tuples, 4-tuples, and aggregate statistics
Apply algorithms, heuristics to stitch records, dedups, avoid negative scenarios (port scan, …)
Supports up to 600K unique 4-tuples at any point of time. Good for all deployments so far
Flows of servers with millions of clients on internet are collapsed to smaller number of 4-tuples
Postgres, mainly keep state for functioning of components on proxy VM, not for data center data

Platform to Proxy VM Relationship

​Proxy talks to platform over HTTPS:443
•Uploads data to platform
•Long polls for instructions (add / stop data source, and so on)
•Platform is not available?
–Latest data is stored locally on proxy per disk space limit
–Stored data is uploaded to platform once available ​

Platform does not connect to proxy (one-way) ​
Platform buffers data from proxy, then processes it
•Latest data is stored in buffer, per disk space limit
•Platform is too busy to take data? –Proxy slows down the upload ​

UI shows the proxy status, its last heartbeat (notification)
•Proxy fails?
–No failover of its data sources to a new proxy
–UI status reflects its last heartbeat

Platform to Proxy VM Relationship

Proxy owns the data source credentials (encry)
​One data source can feed exactly one proxy
•For example, cannot split a VMware vCenter Server across multiple proxies ​

Multiple data sources can feed one proxy VM ​Proxy fails?
•No failover of data sources to a new proxy
•Delete/add data source to new proxy in UI ​

Proxy cannot connect to the data source?
•Data source status (UI) reflects the error

Proxy too busy?
•Slows the data fetch and upload
•Data source status (UI) reflects the lag in some cases