NSX

Complement your VDI environment with NSX

Introspection Services

Posted by Chris Noon on Sun, Feb 28, 2021

Unfortunately, this post will be more of a theoretical one. I don’t have access to any introspection service providers. That said, I think it is something that should be discussed as it adds huge benefits.

If any partner out there is reading this and wants to give me a trial of their product, I’m happy to write a Part 4.5 of this series.

Introspection Services Concepts.

Introspection services come in two (2) flavours: File and Network introspection services.

File introspection services are focused on Anti-Virus and Malware detection/removal. This allows an Anti-Virus partner to install and configure a management appliance, similar to an NSX Manager. This appliance will then be linked to the vCenter and NSX Managers. It allows service VMs to be pushed to each ESXi host requiring the consumption of this service. Distributing the service VM workloads across the ESXi hosts provides horizontal scaling and no single point of failure. An additional benefit is that the Anti-Virus processing is now removed from the VM (VDI/RDSH) and moved onto a dedicated service VM, allowing for better use of VDI/RDSH resources without compromising on protection.

Network introspection services are similar to file introspection. The key difference is that instead of offloading Anti-Virus and Malware to a service VM, it offloads Layer 4-7 Network services. An example of this would be leveraging IDS/IPS services from an NSX partner. Wait a minute, or we could use NSX’s native IDS/IPS, which is the next blog in the series. There are many other use cases for Network introspection services. The key here is that these L4-L7 services are now run in a distributed manner which allows for horizontal scaling and no single point of failure, much like the File introspection.

Both these services are set up and linked to the NSX Manager. However, consumption of them varies. File introspection is configured from the partner management appliance, whereas Network introspection services are configured on both the NSX Manager and the partner management appliance. When applying either File or Network introspection services, double-check the installation and admin guides.

Below is a diagram that shows how those Partner Managers and Service VMs are plumbed into NSX and vCenter/ESXi.

Logical Diagram

https://www.vmware.com/resources/compatibility/search.php?deviceCategory=nsxt&details=1&releases=538&page=1&display_interval=10&sortColumn=Partner&sortOrder=Asc

There is great VMware documentation on Introspection Services and if you are interested in deploying Introspection Services, definitely check it out:

https://docs.vmware.com/en/VMware-NSX-T-Data-Center/3.1/administration/GUID-CDFE1F13-7D9A-4C3E-B567-C4A34A98AD8C.html