s0x IT Services Cloud Top 50 VMware NSX Interview Questions & Answers

Top 50 VMware NSX Interview Questions & Answers

Top 50 VMware NSX Interview Questions & Answers post thumbnail image

VMware acquired NSX from Nicira in July 2012 which was primarily being used for network virtualization in a Xen-based hypervisor. NSX abstracts the physical layer (virtualize the network) in such a way that software runs on the top of the hypervisor which is dynamically configured and updated. Currently, NSX has two versions: NSX-T (designed for multi-hypervisors and cloud-native applications) and NSX-V (designed for vSphere environments only).

NSX is the future of modern IT infrastructures that offers rich capabilities to manage and secure your virtual infrastructure. 82% of the fortune 100 has adopted VMware NSX. By rapidly adopting VMware NSX, an experienced workforce is always in high demand for the businesses. For this purpose, I’ve prepared some interview questions with explanatory answers and I hope that these questions will not only help job seekers who are interested in making their career in NSX, but also for the professionals who want to become certified in network virtualization.

If you’re interested in learning VMware NSX, Coursera is offering an interactive course title as Networking and Security Architecture with VMware NSX.


These interview questions are categorized into the following technical areas:

  • Basic concepts
  • NSX Core Components
  • NSX Functional Services
  • Edge Services Gateway
  • Service Composer
  • Monitoring
  • Managing NSX
  1. What is decoupling?

An important concept of network virtualization is the decoupling of software and the networking hardware. The software works independently of the networking hardware that physically interconnects the infrastructure. Any networking hardware that can inter-op with the software is always going to enhance the functionality, but it is not necessary. Remember that your throughput on the wire will be always limited by your network hardware performance.

  1. What is Control Plane?

The decoupling of software and networking hardware allows you to control your network better because all the logic resides in the software. This control aspect of your network is called the control plane. The control plane provides the means to configure, monitor, troubleshoot, and also allow automation against the network.

  1. What is Data Plane?

The networking hardware forms the data plane where all the data is forwarded from source to destination. The management of data resides in the control plane; however, the data plane consists of all the networking hardware whose primary function is to forward traffic over the wire from source to destination.

  1. What is the Management Plane?

The management plane primarily consists of the NSX manager. The NSX manager is a centralized network management component and primarily allows for a single management point. It also provides the REST API that a user can use to perform all NSX functions and actions. During the deployment phase, the management plane is established when the NSX appliance is deployed and configured. This management plane directly interacts with the control plane and also the data plane.

  1. What is Logical Switching?

NSX allows the ability to create L2 and L3 logical switching that enables workload isolation and separation of IP address space between logical networks. NSX can create logical broadcast domains in the virtual space that prevent the need to create any logical networks on the physical switches. This means you are no longer limited to 4096 physical broadcast domains (VLANs).

  1. What is NSX Gateway Services?

The Edge gateway services interconnect your logical networks with your physical networks. This means a virtual machine connected to a logical network can send and receive traffic directly to your physical network through the gateway.

  1. What is Logical Routing?

Multiple virtual broadcast domains (logical networks) can be created using NSX. As multiple virtual machines subscribe to these domains, it becomes important to be able to route traffic from one logical switch to another.

  1. What is East-West Traffic in Logical Routing?

East-west traffic is traffic between virtual machines within a data center. In the current context, this typically will be traffic between logical switches in a VMware environment.

  1. What is North-South Traffic?

North-south traffic is traffic moving in and out of your datacenter. This is any traffic that either enters your datacenter or leaves your datacenter.

  1. What is a Logical Firewall?

Logical firewalls are of two types: distributed firewall and Edge firewall. A distributed firewall is ideally deployed to protect any east-west traffic, while an Edge firewall protects any north-south traffic. A distributed logical firewall allows you to build rules based on attributes that include not just IP addresses and VLANs, but also virtual machine names and vCenter objects. The Edge gateway features a firewall service that can be used to impose security and access restrictions on north-south traffic.

  1. What is a Load Balancer?

The logical load balancer distributes incoming requests among multiple servers to allow for load distribution while abstracting this functionality from end-users. The logical load balancer can also be used as a high availability (HA) mechanism to ensure your application has the most uptime. An Edge services gateway instance must be deployed in order to enable the load balancer service.

  1. What is Service Composer?

The service composer allows you to allocate network and multiple security services to security groups. Virtual machines that are part of these security groups are automatically allocated the services.

  1. What is Data Security?

NSX data security provides visibility into sensitive data, ensures data protection, and reports back on any compliance violations. A data security scan on designated virtual machines allows NSX to analyze and report back on any violations based on the security policy that applies to these virtual machines.

  1. Configuration Maximum of NSX 6.2
Description Limit
vCenters 1
NSX Managers 1
DRS Clusters 12
NSX Controllers 3
Hosts per Cluster 32
Hosts per Transport Zone 256
Logical Switches 10,000
Logical Switch Ports 50,000
DLRs per Host 1,000
DLR per NSX 1,200
Edge service gateways per NSX Manager 2,000

NSX Core Components

  1. Define NSX Manager?

The NSX manager allows us to create, configure, and manage NSX components in an environment. The NSX manager provides a graphical user interface and also the REST APIs that allow you to interact with various NSX components. NSX Manager is a virtual machine that you can download as an OVA and deploy it on any ESX host managed by vCenter.

  1. Define NSX Controller Cluster?

NSX controller provides a control plane functionality to distribute logical routing and VXLAN network information to the underlying hypervisor. Controllers are deployed as virtual appliances and should be deployed in the same vCenter NSX manager is connected to. In a production environment, it is recommended to deploy a minimum of three controllers. For better availability and scalability, we need to ensure DRS ant-affinity rules are configured to deploy controllers on a separate ESXi host.

  1. What is VXLAN?

VXLAN is a layer 2 over layer 3 tunneling protocol that allows for logical network segments to extend on routable networks. This is achieved by encapsulating the Ethernet frame with additional UPD, IP, and VXLAN headers. Consequently, this increases the size of the packet by 50 bytes. Hence, VMware recommends increasing the MTU size to a minimum of 1,600 bytes for all interfaces in the physical infrastructure and any associated vSwitches.

  1. What is VTEP?

When a virtual machine generates traffic meant for another virtual machine on the same virtual network, the hosts these source and destination virtual machines run on are called VXLAN tunnel endpoints (VTEP). VTEPs are configured as separate VMKernel interfaces on the hosts. The outer IP header block in the VXLAN frame contains the source and the destination IP addresses that contain the source hypervisor and the destination hypervisor. When a packet leaves the source virtual machine, it is encapsulated at the source hypervisor and sent to the target hypervisor. The target hypervisor, upon receiving this packet, decapsulates the Ethernet frame and forwards it to the destination virtual machine.

Once the ESXi host is prepared from the NSX Manager we need to configure VTEP. NSX supports multiple VXLAN vmknics per host for uplink load balancing features. In addition to this, Guest VLAN tagging is also supported.

  1. Describe Transport Zone?

A transport zone defines the extension of a logical switch across multiple ESXi clusters that span across multiple virtual distributed switches. A transport zone enables a logical switch to extend across multiple virtual distributed switches and any ESXi hosts that are part of this transport zone can have virtual machines as part of that logical network. A logical switch is always created as part of a transport zone and ESXi hosts can participate in them.

  1. What is Universal Transport Zone?

A universal transport zone allows a logical switch to span multiple hosts across multiple vCenters. A universal transport zone is always created by the primary NSX server and is synchronized with the secondary NSX managers.

  1. What is NSX Edge Services Gateway?

The NSX Edge Services Gateway (ESG) offers a feature-rich set of services that include NAT, routing, firewall, load balancing, L2/L3 VPN, and DHCP/DNS relay. NSX API allows each of these services to be deployed, configured and consumed on-demand. You can install the NSX Edge as an ESG or as a DLR. The number of Edge appliances including ESGs and DLRs is limited to 250 on a host. The Edge Services Gateway is deployed as a virtual machine from the NSX manager, which is accessed using the vSphere web client.

Note: Only the enterprise administrator role, which allows for NSX operations and security management, can deploy an Edge services gateway:

  1. Describe Distributed Firewall in NSX?

NSX provides L2-L4 stateful firewall services by means of a distributed firewall that runs in the ESXi hypervisor kernel. Because the firewall is a function of the ESXi kernel it provides massive throughput and performs at near line rate. When the ESXi host is initially prepared by NSX, the distributed firewall service is installed in the kernel by deploying the kernel VIB—VMware internetworking service insertion platform (VSIP). VSIP is responsible for monitoring and enforcing security policies on all the traffic flowing through the data plane. The distributed firewall (DFW) throughput and performance scales horizontally as more ESXi hosts are added.

  1. What is Cross-vCenter NSX?

Beginning from NSX 6.2, you can manage multiple vCenter NSX environments using the cross-vCenter functionality. This allows you to manage multiple vCenter NSX environments from a single primary NSX manager. In a cross-vCenter deployment, multiple vCenters are all paired with their own NSX Manager per vCenter. One NSX Manager is assigned the primary while other NSX managers become secondary. This primary NSX manager can now deploy a universal controller cluster that provides the control plane. Unlike a standalone vCenter-NSX deployment, secondary NSX managers do not deploy their own controller clusters.

  1. What is a VPN?

Virtual private networks (VPNs) allow you to securely connect a remote device or a remote site to your corporate infrastructure. NSX Edge supports three types of VPN connectivity. SSL VPN-Plus, IP-SEC VPN, and L2 VPN.

  1. What is SSL VPN-Plus?

SSL VPN-Plus allows remote users to securely access applications and servers in a private network. There are two modes in which SSL VPN-Plus can be configured: network access mode and web access mode. In the network access mode, a remote user can access the internal private network securely. This is done by virtue of a VPN client that the remote user downloads and installs on their operating system. In web access mode, the remote user is able to access the private networks without any VPN client software.

  1. What is IPSec VPN?

The NSX Edge service gateway supports site-to-site IPSEC VPN that allows you to connect an NSX Edge services gateway-backed network to another device at the remote site. NSX Edge can establish secure tunnels with remote sites to allow secure traffic flow between sites. The number of tunnels an Edge gateway can establish depends on the size of the edge gateway deployed. Before configuring IPsec VPN, ensure that dynamic routing is disabled on the Edge uplink to allow specific routes defined for any VPN traffic.

Note: Self-signed certificates cannot be used with an IPSEC VPN.

  1. What is L2 VPN

An L2 VPN allows you to stretch multiple logical networks across multiple sites. The networks can be both traditional VLANs and VXLANs. In such a deployment, a virtual machine can move between sites without a change in its IP address. An L2 VPN is deployed as a client and server where the destination Edge is the server and the source Edge is the client. Both the client and the server learn the MAC addresses of both local and remote sites. For any sites that are not backed by an NSX environment, a standalone NSX Edge gateway can be deployed.

NSX Functional Services

  1. How many can NSX managers be installed and configured in a cross-vCenter NSX environment?

There can only be one primary NSX manager and up to seven secondary NSX managers. You can select one primary NSX manager, following which you can start creating universal objects and deploying universal controller clusters as well. The universal controller cluster will provide the control plane for the cross-vCenter NSX environment. Remember that in a cross-vCenter environment, the secondary NSX managers do not have their own controller


  1. What is the Segment ID pool and how to assign it?

Each VXLAN tunnel has a segment ID (VNI), and you must specify a segment ID pool for each NSX Manager. All traffic will be bound to its segment ID, which allows for isolation.

  1. What is L2 Bridge?

A logical switch can be connected to a physical switch VLAN by means of an L2 bridge. This allows you to extend your virtual logical networks to access existing physical networks by bridging the logical VXLAN with the physical VLAN. This L2 bridging is accomplished by means of an NSX Edge logical router that maps to a single physical VLAN on the physical network. However, L2 bridges should not be used to connect two different physical VLANs or two different logical switches. You also cannot use a universal logical router to configure bridging, and a bridge cannot be added to a universal logical switch. This means that in a multi-vCenter NSX environment you cannot extend a logical switch to a physical VLAN at another data center by means of L2 bridging.

Edge Services Gateway

  1. What is Equal Cost Multi-Path (ECMP) Routing?

ECMP allows the next-hop packet to be forwarded to a single destination over multiple best paths that can be added statically or dynamically using routing protocols such as OSPF and BGP. These multiple paths are added as comma-separated-values when defining the static routes.

  1. What are the default ranges for directly connected, static, external BGP etc?

The value ranges from 1 to 255 and default ranges are: Connected (0), Static (1), External BGP (20), OSPF intra-area (30), OSPF inter-area (110), and Internal BGP (200).

Note: any of the above values will be entered in “Admin Distance” by editing the Default Gateway configuration in Routing Configuration.

  1. What is Open Shortest Path First (OSPF)?

OSPF is a routing protocol that uses a link-state routing algorithm and operates within a single autonomous system.

  1. What is Graceful Restart in OSPF?

Graceful Restart allows for non-stop packet forwarding even if the OSPF process is being restarted. This helps in non-disruptive packet routing.

  1. What is Not-So-Stubby Area (NSSA) in OSPF?

NSSA prevents the flooding of an external autonomous system link state advertisements by relying on the default routes to external destinations. NSSAs are typically placed at the Edge of an OSPF routing domain.

  1. What is BGP?

The BGP is an exterior gateway protocol designed to exchange routing information among autonomous systems (AS) on the internet. BGP is relevant to network administrators of large organizations that connect to two or more ISPs, as well as to internet service providers who connect to other network providers. If you are the administrator of a small corporate network or an end-user, then you probably don’t need to know about BGP.

  1. What is Route Distribution?

In an environment where there are multiple routing protocols being used, route redistribution enables cross-protocol route sharing.

  1. What is Layer 4 Load balancer?

Layer 4 load balancer takes routing decisions based on IPs and TCP or UDP ports. It has a packet view of the traffic exchanged between the client and a server and takes decisions packet by packet. The layer 4 connection is established between a client and a server.

  1. What is Layer 7 load balancer?

A layer 7 load balancer takes routing decisions based on IPs, TCP, or UDP ports or other information it can get from the application protocol (mainly HTTP). The layer 7 load balancer acts as a proxy and maintains two TCP connections: one with the client and one with the server.

  1. What is Application Profile in configuring Load Balancer?

Before we create a virtual server to map to the pool, we have to define an application profile that defines the behavior of a particular type of network traffic. When traffic is received, the virtual server processes the traffic based on the values defined in the profile. This allows for greater control over managing your network traffic:

  1. What is the sub-interface?

A sub-interface, or an internal interface, is a logical interface that is created and mapped to the physical interface. Sub-interfaces are simply a division of a physical interface into multiple logical interfaces. This logical interface uses the parent physical interface to move data. Remember that you cannot use sub-interfaces for HA because a heartbeat needs to traverse a physical port from one hypervisor to another between the Edge appliances.

  1. Why Force Sync NSX Edge is necessary for your environment?

Force sync is a feature that synchronizes the Edge configuration from the NSX Manager to all of its components in an environment. A synchronization action is initiated from the NSX Manager to the NSX Edge that refreshes and reloads the Edge configuration.

  1. Why a remote Syslog server is necessary to configure in your virtual environment?

VMware recommends configuring Syslog servers to avoid log flooding on the Edge appliances. When logging is enabled, logs are stored locally on the Edge appliance and consume space. If left unchecked, this can have a performance impact on the Edge appliance and can also result in the Edge appliance stopping due to a lack of disk space.

Service Composer

  1. What are Security Policies?

Security policies are sets of rules that apply to a virtual machine, network, or firewall services. Security policies are reusable rulesets that can be applied to security groups. Security policies express three types of rulesets:

  • Endpoint Services: Guest-based services such as anti-virus solutions and vulnerability management
  • Firewall rules: Distributed Firewall policies
  • Network introspection services: Network services such as intrusion detection systems and encryption

These rules are applied to all objects and virtual machines that are part of a security group to which this policy is associated.


  1. What is Endpoint Monitoring in NSX?

Endpoint Monitor provides insight and visibility into applications running within an operating system to ensure that security policies are being enforced correctly. Endpoint Monitoring requires guest introspection to be installed. On virtual machines, you will need to install guest introspection driver, which is part of the VMware tools installation.

  1. What is Flow Monitoring?

NSX Flow monitoring is a feature that allows detailed traffic monitoring to and from protected virtual machines. Flow monitoring can uniquely identify different machines and different services that are exchanging data and when enabled can identify which machines are exchanging data over specific applications. Flow monitoring also allows live monitoring of TCP and UDP connections and can be used as an effective forensic tool.

Note: Flow monitoring can only be turned on for NSX deployments where a firewall is enabled.

  1. What is Traceflow?

Traceflow is an interesting tool and was built to allow administrators to seamlessly troubleshoot their virtual network environment by tracing a packet flow, in a similar way to the legacy Packet Tracer application. Traceflow allows you to inject a packet into the network and monitor its flow across the network. This flow allows you to monitor your network and identify issues such as bottlenecks or disruptions.

Managing NSX

  1. How the Syslog server works in NSX?

Configuring NSX Manager with a remote Syslog server enables you to collect, view, and save all log files to a central location. This enables you to store logs for compliance purposes; when you are using a tool such as VMware vRealize Log insight, it enables you to create alarms and use the built-in search engine to review logs.

  1. How backup and restore works in NSX?

Backups are critical for an NSX environment that allows you to restore them appropriately during a system failure. Apart from vCenter, you can also perform backup operations on the NSX Manager, controller clusters, NSX Edge, firewall rules, and Service Composer. All these can be backed up and restored individually.

  1. What is the SNMP trap?

Simple network management protocol (SNMP) traps are alert messages sent from a remote SNMP-enabled device to a collector. You can configure the SNMP agent to forward SNMP traps.

By default, the SNMP trap mechanism is disabled. When the SNMP trap is enabled, only critical and high severity notifications are sent to the SNMP manager.

I hope you have enjoyed reading this post. Thanks for reading! Be social and share it to social media if you feel worth sharing it.

Resources: Learning VMware NSX 2nd Edition


Author: Nisar Ahmad

Systems Engineer, vExpert 2017-19, owner of My Virtual Journey, with experience in managing a Datacenter environment using VMware and Microsoft Technologies. This blog mainly covers virtualization and cloud technologies but also covers some other technologies such as Cyber Security, Quantum Computing etc.

Related Post

Google Cloud to open new region in MelbourneGoogle Cloud to open new region in Melbourne

<div class="teaser-image"> <a href="/cloud-essentials/public-cloud/9185/google-cloud-to-open-new-region-in-melbourne"><img src="http://s0x.org/wp-content/uploads/2021/08/google-cloud-to-open-new-region-in-melbourne-1.jpg" alt="Google Cloud HQ" title="Google Cloud HQ" /></a> </div> <span class="field field-name-field-article-type field-type-taxonomy-term-reference field-label-hidden"> <span class="field-item even"><a href="/news">News</a></span> </span><div class="field field-name-field-published-date field-type-datetime field-label-hidden"> <div class="field-items"> <div

Mozilla to end support for Firefox Lockwise password managerMozilla to end support for Firefox Lockwise password manager

<div class="teaser-image"> <a href="/it-infrastructure/security/9330/mozilla-to-end-support-for-firefox-lockwise-password-manager"><img src="http://s0x.org/wp-content/uploads/2021/12/mozilla-to-end-support-for-firefox-lockwise-password-manager-1.jpg" /></a> </div> <span class="field field-name-field-article-type field-type-taxonomy-term-reference field-label-hidden"> <span class="field-item even"><a href="/news">News</a></span> </span><div class="field field-name-field-published-date field-type-datetime field-label-hidden"> <div class="field-items"> <div class="field-item even"><span class="date-display-single">24 Nov, 2021</span></div> </div></div><span