
NSX-T Modern Architecture Deep Dive

  • markjramos
  • Apr 24
  • 3 min read

NSX-T has matured enormously since it replaced NSX-v as VMware's primary network virtualization platform. The architecture has been simplified, performance has improved, and the operational model has shifted in ways that matter for day-to-day administration. This post covers the core architectural components of modern NSX-T and how they fit together in a VCF or standalone deployment.

Why NSX-T Replaced NSX-v

NSX-v was tightly coupled to vSphere and the vCenter Server architecture, which made it powerful in pure VMware environments but inflexible everywhere else. NSX-T was designed from the ground up to support heterogeneous environments including bare metal workloads, containers, and multiple hypervisors. The control plane was decoupled from vCenter, which means NSX-T can be managed independently and supports a broader range of workloads including Kubernetes via the NSX Container Plugin (NCP).

Transport Zones and Segments

Transport zones define the scope of network connectivity in NSX-T. An overlay transport zone uses GENEVE encapsulation to create logical networks that span physical boundaries. A VLAN transport zone bridges logical and physical networks for external connectivity. Segments are the logical equivalent of port groups in vSphere — workloads attach to segments, which are backed by either an overlay or VLAN transport zone. In most production deployments, you will have at least one overlay transport zone for east-west workload traffic and one VLAN transport zone for uplink connectivity to the physical network.

Tier-0 and Tier-1 Gateways

NSX-T uses a two-tier gateway model for routing. The Tier-0 (T0) gateway handles north-south traffic between the NSX overlay and the physical network. It peers with physical routers using BGP or static routes and runs on Edge nodes. The Tier-1 (T1) gateway sits between the T0 and your workload segments, handling internal routing between segments. Most architectures use a single T0 per site with multiple T1 gateways per tenant or application tier. T1 gateways can run in either a centralized service router mode on Edge nodes or in a distributed router mode on transport nodes for optimal east-west performance.

Edge Nodes and Edge Clusters

Edge nodes are dedicated NSX-T appliances (available as VMs or bare metal) that run services requiring centralized processing: T0 gateways, load balancers, NAT, and VPN. Edge clusters group two or more Edge nodes for high availability and load distribution. In a VCF deployment, the Edge cluster is deployed automatically as part of the workload domain provisioning process. For production environments, a minimum of two Edge nodes per cluster is required, and sizing them appropriately for your north-south throughput requirements is critical.

Distributed Firewall (DFW)

The NSX Distributed Firewall is one of NSX-T's most powerful capabilities. Unlike traditional perimeter firewalls, the DFW enforces policies at the vNIC level of every protected workload. This means east-west traffic between two VMs on the same host is inspected without ever leaving the hypervisor. DFW policies are defined using Groups, which can be based on VM tags, IP addresses, segments, or AD group membership for identity-based policies. This micro-segmentation capability dramatically reduces the blast radius of a potential breach and is a key component of a zero-trust architecture.
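To make the Groups-and-rules model concrete, here is an added example (not from this post or from VMware) that builds a tag-based three-tier micro-segmentation policy as an NSX-T Policy API hierarchical payload: one Group per tier selected by VM tag, explicit allow rules, and a default DROP scoped to the application so other workloads are untouched. The manager hostname and credentials, the `tier` tag scope, and the predefined service paths `/infra/services/HTTPS` and `/infra/services/MySQL` are assumptions about the target environment.

```python
import base64
import json
from urllib import request

DOMAIN = "/infra/domains/default"  # the default policy domain DFW objects live under

def paths(groups):
    """Turn tier names into group paths; an empty list means ANY."""
    return [f"{DOMAIN}/groups/{g}" for g in groups] or ["ANY"]

def tag_group(tier, scope="tier"):
    """Group whose members are the VMs carrying the tag '<scope>|<tier>', e.g. tier|web."""
    return {"resource_type": "Group", "id": tier, "display_name": tier,
            "expression": [{"resource_type": "Condition", "member_type": "VirtualMachine",
                            "key": "Tag", "operator": "EQUALS", "value": f"{scope}|{tier}"}]}

def rule(rule_id, seq, src, dst, services, action, applied_to):
    """One DFW rule; applied_to (the rule's scope) limits which vNICs enforce it."""
    return {"resource_type": "Rule", "id": rule_id, "display_name": rule_id,
            "sequence_number": seq, "action": action, "services": services,
            "source_groups": paths(src), "destination_groups": paths(dst), "scope": applied_to}

def build_policy(app, tiers, allowed):
    """Hierarchical API payload: a tag group per tier, the explicit allows from
    `allowed` (src_tier, dst_tier, [service paths]), then a default DROP scoped to the app."""
    applied_to = paths(tiers)
    rules = [rule(f"{s}-to-{d}", i * 10, [s], [d], svc, "ALLOW", applied_to)
             for i, (s, d, svc) in enumerate(allowed, 1)]
    rules.append(rule(f"{app}-default-drop", (len(allowed) + 1) * 10,
                      [], [], ["ANY"], "DROP", applied_to))
    children = [{"resource_type": "ChildGroup", "Group": tag_group(t)} for t in tiers]
    children.append({"resource_type": "ChildSecurityPolicy", "SecurityPolicy": {
        "resource_type": "SecurityPolicy", "id": f"{app}-microseg",
        "category": "Application", "rules": rules}})
    return {"resource_type": "Infra", "children": [{"resource_type": "ChildDomain",
            "Domain": {"resource_type": "Domain", "id": "default", "children": children}}]}

def submit(manager, user, password, payload, ssl_context=None):
    """PATCH the whole payload to the Policy API in one idempotent call (not run at import)."""
    auth = base64.b64encode(f"{user}:{password}".encode()).decode()
    hdrs = {"Content-Type": "application/json", "Authorization": f"Basic {auth}"}
    req = request.Request(f"https://{manager}/policy/api/v1/infra", method="PATCH",
                          data=json.dumps(payload).encode(), headers=hdrs)
    with request.urlopen(req, context=ssl_context) as resp:
        return resp.status

# Constructed three-tier example: web -> app over HTTPS, app -> db over MySQL, all else dropped.
SHOP_POLICY = build_policy("shop", ["web", "app", "db"], [
    ("web", "app", ["/infra/services/HTTPS"]), ("app", "db", ["/infra/services/MySQL"])])
```

Because the whole policy goes up as a single PATCH to /policy/api/v1/infra, re-running it is idempotent, and the scoped DROP at the end is what turns the allow list into an actual east-west boundary for the tagged VMs.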

NSX Intelligence and Advanced Threat Prevention

NSX Intelligence provides traffic flow visualization and automated security policy recommendations based on observed traffic patterns. This is invaluable when you are trying to build a micro-segmentation policy for an existing application where network flows are not well-documented. NSX Advanced Threat Prevention (ATP) adds IDS/IPS capabilities to the DFW and gateway firewall, bringing deep packet inspection to east-west and north-south traffic. Both features require additional licensing beyond the base NSX entitlement included in VCF.

Understanding the NSX-T architecture is foundational for anyone managing a modern VMware environment. The platform has a learning curve, but once the transport zone, gateway, and firewall models click, the operational benefits are significant. Future posts will go deeper on specific topics including BGP configuration on T0 gateways and building a practical DFW micro-segmentation policy from scratch.

©2022 by virtualtechblog.