NSX-T | Policy or Advanced Interface

Hi Guys,

While working on NSX-T, I noticed that a component (like a Tier-0, a Tier-1, or any logical switch) which I created using the interface shown below (Advanced Networking & Security) doesn't come up in the "Networking" tab.

(Screenshot: Advanced Networking & Security interface)

(Screenshot: Policy interface)

But a component which I created in the "Networking" tab does show up in the "Advanced Networking & Security" tab with the icon ⊜, which means that it is a protected object: it is read-only and cannot be configured through the "Advanced Networking & Security" tab.

After a little bit of study, I found that both interfaces do the same work. The only differences are:

- If you are deploying a new environment with NSX-T 2.4 or later, the policy-based interface is the best way to proceed.
- Some features (detailed below) are not available in the policy-based interface, so to use those features you can use the Advanced interface.
- If you are upgrading to NSX-T 2.4 or later, continue to use the Advanced Networking & Security interface.

Below is the detail of when to use the policy-based interface and when to use the Advanced interface for configuration in NSX-T.

| Policy Interface | Advanced Interface |
|---|---|
| Most new deployments should use the policy-based interface. | Deployments which were created using the Advanced interface, for example, upgrades from versions before the policy-based interface was present. |
| NSX Cloud deployments | Deployments that integrate with other plugins, for example NSX Container Plug-in, OpenStack, and other cloud management platforms. |

| Networking features available in the Policy interface | Networking features available in the Advanced interface |
|---|---|
| DNS Services and DNS Zones | Layer 3 forwarding for IPv4 and IPv6 |
| VPN | Forwarding up timer |
| Forwarding policies for NSX Cloud | Change internal transit network IP |
| | VIP HA support on Tier-0 |
| | Standby relocation |
| | Route advertisement filtering based on the list of prefixes on Tier-1 |
| | Loopback creation |
| | BGP multihop |
| | BGP source addresses |
| | Static routes with BFD and interface as next-hop |
| | Metadata proxy |
| | DHCP server attached to an isolated segment and static binding |

| Security features available in the Policy interface only | Security features available in the Advanced interface only |
|---|---|
| Endpoint Protection | Ability to enable or disable Distributed Firewall, Identity Firewall, and Gateway Firewall |
| Network Introspection (East-West Service Insertion) | Distributed Firewall session timers |
| Context Profiles (L7 applications, FQDN) | Exclusion lists |
| New Distributed Firewall and Gateway Firewall layout (categories, auto service rules) | CPU and memory thresholds |
| | Sections for stateless rules |
| | Bridge Firewall |
| | Section locking |
| | Distributed Firewall rule IDs |
| | Distributed Firewall rules based on IPs in source and destination |

Note that if you are using the "Advanced Networking & Security" interface, then use only that interface, and if you are using the "Policy Interface", then use only that one. Do not use both interfaces to create objects. Objects which you create in the "Policy Interface" are visible in "Advanced Networking & Security", but the reverse is not true.

There is a difference in names as well. Refer to the table below, and remember that both do the same thing; only the name differs between the two interfaces.

| Objects created using the Policy interface | Objects created using the Advanced interface |
|---|---|
| Segment | Logical switch |
| Tier-1 gateway | Tier-1 logical router |
| Tier-0 gateway | Tier-0 logical router |
| Group | NSGroup, IP Sets, MAC Sets |
| Security Policy | Firewall section |
| Rule | Firewall rule |
| Gateway firewall | Edge firewall |
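A practical check for the "do not mix interfaces" advice above, together with the name mapping in the table, is to look at an inventory pulled from the Advanced (Manager) side and sort objects by which interface owns them. The following is an added example written for this post, not code from the post or from VMware. It assumes that each object carries a `_protection` field, that objects created through the Policy interface show `REQUIRE_OVERRIDE` there (which is why they appear read-only with the ⊜ icon in the Advanced UI), and that objects created directly in the Advanced interface show `NOT_PROTECTED`; the `object_type` field and the inventory itself are constructed sample data, not output from a real NSX-T manager.

```python
# Added example (not from the original post or VMware): classify objects seen
# from the Advanced Networking & Security side by the interface that created
# them, and warn when an environment mixes Policy and Advanced objects.
#
# Assumptions: each object has a `_protection` field; "REQUIRE_OVERRIDE" (or
# "PROTECTED") marks a Policy-created, read-only object; "NOT_PROTECTED" marks
# an object created directly in the Advanced interface. The `object_type`
# values and SAMPLE_INVENTORY are constructed for this example.

from collections import defaultdict

# Policy-interface name -> Advanced-interface name, as listed in the post's table.
POLICY_TO_ADVANCED = {
    "Segment": "Logical switch",
    "Tier-1 gateway": "Tier-1 logical router",
    "Tier-0 gateway": "Tier-0 logical router",
    "Group": "NSGroup",
    "Security Policy": "Firewall section",
    "Rule": "Firewall rule",
    "Gateway firewall": "Edge firewall",
}
ADVANCED_TO_POLICY = {adv: pol for pol, adv in POLICY_TO_ADVANCED.items()}

# Protection values (assumed) that mean "owned by the Policy interface".
POLICY_OWNED = {"REQUIRE_OVERRIDE", "PROTECTED"}

# Constructed sample: two objects made in the Policy UI, two in the Advanced UI.
SAMPLE_INVENTORY = [
    {"object_type": "Logical switch", "display_name": "web-seg", "_protection": "REQUIRE_OVERRIDE"},
    {"object_type": "Tier-1 logical router", "display_name": "t1-app", "_protection": "REQUIRE_OVERRIDE"},
    {"object_type": "Logical switch", "display_name": "legacy-ls", "_protection": "NOT_PROTECTED"},
    {"object_type": "Firewall section", "display_name": "old-dfw-section", "_protection": "NOT_PROTECTED"},
]


def origin_of(obj):
    """'policy' for objects the Policy interface owns (read-only in Advanced), else 'advanced'."""
    return "policy" if obj.get("_protection") in POLICY_OWNED else "advanced"


def classify(inventory):
    """Group objects by creating interface; keys are 'policy' and/or 'advanced'."""
    groups = defaultdict(list)
    for obj in inventory:
        groups[origin_of(obj)].append(obj)
    return dict(groups)


def mixed_usage(inventory):
    """True when both interfaces have been used to create objects, which the post advises against."""
    groups = classify(inventory)
    return bool(groups.get("policy")) and bool(groups.get("advanced"))


def policy_name(advanced_type):
    """Translate an Advanced-interface object type into its Policy-interface name."""
    return ADVANCED_TO_POLICY.get(advanced_type, advanced_type)


def report(inventory):
    """One human-readable line per object: both names plus the owning interface."""
    lines = []
    for obj in inventory:
        adv = obj["object_type"]
        lines.append(
            f"{obj['display_name']}: {adv} (Policy name: {policy_name(adv)}) "
            f"created via {origin_of(obj)} interface"
        )
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_INVENTORY):
        print(line)
    if mixed_usage(SAMPLE_INVENTORY):
        print("WARNING: objects exist from both interfaces; pick one interface for new objects.")
```

With the constructed inventory the script lists all four objects with both names and reports mixed usage, because `legacy-ls` and `old-dfw-section` were created in the Advanced interface while the other two came from the Policy interface. On a real deployment the inventory would be replaced by the objects read from the Advanced side, and the warning is the signal that the environment has drifted from the single-interface rule.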

I learned all this from https://docs.vmware.com/en/VMware-NSX-T-Data-Center/2.4/nsxt_24_admin.pdf, from page 12 onwards.

I hope you find this information useful. Stay tuned for more.

Thank you,

