NSX-T
NSX-T is a network virtualization and security platform that automates the implementation of network policies, network objects, network isolation, and micro segmentation.

NSX-T network virtualization for Kubernetes
L2 & L3 segregation
NSX-T creates a separate L2 switch (Virtual Distributed Switch, VDS) and a separate L3 distributed logical router (DLR) for every namespace. The namespace-level router is called the T1 router. All the T1 routers are connected to the T0 router, which acts as the edge gateway to the IBM® Cloud Private cluster, as well as the edge firewall and load balancer. Because of the separate L2 switch, all broadcast traffic is confined to the namespace, and because of the separate L3 router, each namespace can host its own pod IP subnet.
Micro segmentation
NSX-T provides a distributed firewall (DFW) for managing east-west traffic. The Kubernetes network policies are converted into NSX-T DFW rules. With L2 segmentation, dedicated L3 subnets for namespaces, and Kubernetes network policies, you can achieve micro segmentation within and across namespaces.
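The following manifest is an added illustration, not taken from the IBM or VMware documentation, of the kind of Kubernetes network policies that act as the input for DFW rules: a default-deny policy for one namespace, plus one policy that allows a source within the namespace and a source from another namespace. The namespace name `payments`, the labels, and the port are assumptions.

```yaml
# Constructed example: the namespace "payments" and all labels are assumptions.
# 1) Isolate every pod in the namespace: no ingress is allowed by default.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: payments
spec:
  podSelector: {}                  # empty selector = all pods in the namespace
  policyTypes:
    - Ingress
---
# 2) Within the namespace: "worker" pods may reach "api" pods on TCP 8443.
# 3) Across namespaces: "web" pods in namespaces labelled team=frontend may too.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-api-ingress
  namespace: payments
spec:
  podSelector:
    matchLabels:
      app: api
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:             # same-namespace source
            matchLabels:
              app: worker
        - namespaceSelector:       # cross-namespace source; both selectors in
            matchLabels:           # this one list item must match (logical AND)
              team: frontend
          podSelector:
            matchLabels:
              app: web
      ports:
        - protocol: TCP
          port: 8443
```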
NAT pools
The edge appliance is an important component of the NSX-T management cluster. It offers routing, firewall, load-balancing, and network address translation, among other features. By creating pods on the NSX-T pod network (and not relying on the host network), all traffic can be made to traverse the edge appliance, where its firewall, load-balancing, and network address translation capabilities apply. The edge appliance assigns SNAT IPs to outbound traffic and DNAT IPs to inbound traffic from the NAT pool (created as part of the NSX-T deployment). Because of the network address translation, the cluster node IPs are not exposed on outbound traffic.
References for network considerations with NSX-T
For more information about integrating NSX-T with IBM Cloud Private, see Integrating VMware NSX-T 2.4 with IBM Cloud Private.