NSX-T provides context-aware micro-segmentation for Horizon VDI workloads: granular Layer 2 through Layer 7 firewalling between
workload VMs, plus user identity as a rule context for VDI and Remote Desktop Session Host (RDSH) workloads.
• Edge and Partner Services
NSX-T provides software implementations of Equal Cost Multipath (ECMP) routing, NAT, SSL offloading, DHCP relay, gateway firewalling
and routing, and load balancing for the Horizon infrastructure and for the workloads Horizon manages and deploys. NSX-T also provides
the Guest and Network Introspection platform through which third-party partners insert their services, such as IDS/IPS, agentless
anti-virus/anti-malware, and next-generation firewalling.
• Network Virtualization
NSX-T provides core networking services in software (for example, switching and routing) that can be provisioned automatically to
create various topologies. This allows new desktop pools to be spun up elastically, or existing pools to be expanded, without changes
to the physical network. Network virtualization is also a key tenet of micro-segmentation, because it enables the rapid provisioning
of isolated network segments.
5. NSX-T Features for Horizon
NSX-T provides network virtualization using industry-standard GENEVE-encapsulated overlay networks. This section examines design
considerations for a logical topology that deploys Horizon on an overlay network. It covers connecting both the Horizon infrastructure
components and the Horizon desktop pools to overlays created by NSX-T. Network virtualization requires a basic understanding of how
switching and routing are done in NSX-T. The components associated with NSX-T network virtualization, and how they fit together in a
Horizon design, are described below.
• NSX-T Logical Routing
NSX-T interconnects physical and virtual workloads that sit in different logical Layer 2 networks. It does this by creating the routing
constructs in software and embedding them in the hypervisor layer, abstracted from the physical hardware. Because these network
elements are logical entities, multiple logical routers can be created in an automated and agile fashion. NSX-T instantiates routing
for East/West traffic flows in a distributed manner within each hypervisor, and routing for North/South traffic flows in a centralized
manner on the NSX-T Edge Nodes.
• NSX-T Two-Tier Routing
In addition to the optimized distributed and centralized routing functions, NSX-T supports a multi-tiered routing model with logical
separation between the provider routing function and the tenant routing function; multi-tenancy is built into the routing model. The
top-tier logical router is referred to as tier-0 and the bottom-tier logical router as tier-1. This structure gives both provider and
tenant administrators complete control over their own services and policies: the provider administrator controls and configures
tier-0 routing and services, while tenant administrators control and configure tier-1. Two-tier routing is not mandatory; NSX-T
Segments can be attached directly to a Tier-0 Gateway just as they can to a Tier-1 Gateway.
• NSX-T Segment
An NSX-T Segment is a virtual Layer 2 broadcast domain. Segments are created in, and attached to, a Transport Zone, and the span of a
Segment is defined by that Transport Zone. A Segment is of type Overlay or VLAN, inheriting the type from the Transport Zone to which
it is attached. An Overlay Segment can be associated with a network subnet, and its default gateway is typically the tier-0 or tier-1
NSX-T logical router. A VLAN Segment represents a software extension of a physical Layer 2 broadcast domain into the virtualized
environment: the subnet of the underlying physical network is associated with the VLAN Segment, and the default gateway is typically
the physical router that already serves as the gateway in the underlay network.
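The two-tier routing and Segment descriptions above translate directly into NSX-T Policy API objects. The following added example (not VMware's code, and not taken from this document) composes the hierarchical-API request body for a Horizon pod: a tenant tier-1 gateway uplinked to a provider tier-0, with overlay Segments for the Connection Servers and for each desktop pool attached to the tier-1. It also runs the offline checks a practitioner wants before sending the request, namely that every Segment's gateway is a usable host address, that its connectivity_path points at a gateway defined in the same request, and that no two Segment subnets overlap. The request envelope and field names follow the NSX-T Policy API (PATCH /policy/api/v1/infra); every identifier, path, subnet and the transport zone UUID are assumed, hypothetical values to be replaced with those of your own deployment.

```python
"""Compose and sanity-check a two-tier NSX-T Policy API topology for Horizon.

Added example, not VMware's code. The request shape follows the NSX-T Policy
hierarchical API: PATCH https://<nsx-manager>/policy/api/v1/infra with an
Infra object whose children are Tier1 / Segment objects. All IDs, paths,
subnets and the transport zone below are assumed, hypothetical values.
"""
import ipaddress
import json

# Assumed identifiers; replace with the values from your own NSX-T deployment.
TIER0_ID = "t0-horizon-provider"  # provider-managed tier-0, assumed to exist already
TIER1_ID = "t1-horizon-tenant"    # tenant tier-1 for the Horizon pod
OVERLAY_TZ_PATH = ("/infra/sites/default/enforcement-points/default/"
                   "transport-zones/11111111-2222-3333-4444-555555555555")  # hypothetical UUID


def tier1_gateway(t1_id: str, tier0_id: str) -> dict:
    """Tier-1 gateway uplinked to the provider tier-0, advertising its connected segments."""
    return {
        "resource_type": "Tier1",
        "id": t1_id,
        "display_name": t1_id,
        "tier0_path": f"/infra/tier-0s/{tier0_id}",
        "route_advertisement_types": ["TIER1_CONNECTED"],
    }


def overlay_segment(seg_id: str, gateway_cidr: str, t1_id: str,
                    tz_path: str = OVERLAY_TZ_PATH) -> dict:
    """Overlay segment whose default gateway is a downlink on the tier-1 gateway.

    gateway_cidr is the gateway's own address with the subnet prefix, e.g. '10.10.1.1/24'.
    """
    iface = ipaddress.ip_interface(gateway_cidr)
    if iface.ip in (iface.network.network_address, iface.network.broadcast_address):
        raise ValueError(f"{seg_id}: gateway {iface.ip} is not a usable host in {iface.network}")
    return {
        "resource_type": "Segment",
        "id": seg_id,
        "display_name": seg_id,
        "transport_zone_path": tz_path,                   # span of the segment = the transport zone
        "connectivity_path": f"/infra/tier-1s/{t1_id}",   # attach to tier-1 (a tier-0 path also works)
        "subnets": [{"gateway_address": str(iface)}],
    }


def build_infra(t1: dict, segments: list) -> dict:
    """Wrap the objects in the hierarchical-API envelope accepted by PATCH /policy/api/v1/infra."""
    children = [{"resource_type": "ChildTier1", "Tier1": t1}]
    children += [{"resource_type": "ChildSegment", "Segment": s} for s in segments]
    return {"resource_type": "Infra", "children": children}


def validate(infra: dict) -> list:
    """Offline checks before the call: dangling gateway references and overlapping subnets."""
    problems = []
    t1_paths = {f"/infra/tier-1s/{c['Tier1']['id']}"
                for c in infra["children"] if c["resource_type"] == "ChildTier1"}
    segs = [c["Segment"] for c in infra["children"] if c["resource_type"] == "ChildSegment"]
    nets = []
    for seg in segs:
        conn = seg.get("connectivity_path", "")
        if conn.startswith("/infra/tier-1s/") and conn not in t1_paths:
            problems.append(f"{seg['id']}: connectivity_path {conn} is not defined in this request")
        for sub in seg.get("subnets", []):
            nets.append((seg["id"], ipaddress.ip_interface(sub["gateway_address"]).network))
    for i, (a_id, a_net) in enumerate(nets):
        for b_id, b_net in nets[i + 1:]:
            if a_net.overlaps(b_net):
                problems.append(f"{a_id} ({a_net}) overlaps {b_id} ({b_net})")
    return problems


def horizon_topology() -> dict:
    """Constructed sample: one tier-1, a segment for Connection Servers and one per desktop pool."""
    t1 = tier1_gateway(TIER1_ID, TIER0_ID)
    segments = [
        overlay_segment("seg-horizon-mgmt", "10.10.1.1/24", TIER1_ID),   # Connection Servers
        overlay_segment("seg-pool-finance", "10.10.2.1/24", TIER1_ID),   # desktop pool 1
        overlay_segment("seg-pool-eng", "10.10.4.1/23", TIER1_ID),       # desktop pool 2
    ]
    return build_infra(t1, segments)


if __name__ == "__main__":
    body = horizon_topology()
    print(json.dumps(body, indent=2))
    print("validation:", validate(body) or "ok")
```

Keeping the topology as a single hierarchical request means the tier-1 and its Segments are created or updated atomically in one PATCH, and the validator catches the two mistakes that otherwise surface only as a rejected call or, worse, as a silently unreachable desktop pool: a Segment pointing at a gateway that does not exist, and two pools sharing address space.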