Objective 1.5 – Understand VMware NSX Integration with vRealize Automation (vRA)


  • Understand integration with vRealize Automation
  • Demonstrate NSX deployment capabilities built into vRealize Automation
  • Compare and contrast Network Profiles available in vRealize Automation
  • Understand NSX preparation tasks for attaching a network profile to a blueprint
  • Discern vRealize Automation preparation tasks for deploying a machine with on-demand network services


  • VMware-NSX-And-vRealize-Automation-Solution-Overview.pdf
  • vrealize-automation-62-iaas-configuration-for-virtual-platforms.pdf
  • vrealize-automation-62-iaas-integration-for-multi-machine-services.pdf


vRealize and NSX Integration

Understand Integration with vRealize Automation

vRealize Automation delivers application-centric network and security services by leveraging the automation and flexible provisioning capabilities of NSX. In addition to VM provisioning, applications need the following items correctly configured:

  • Connectivity
    • Automated placement of workloads meets connectivity requirements through:
      • Resource Reservations
      • Service Blueprints
      • Network Profiles
    • Business Groups can be configured with specific, reserved connectivity.
  • Security
    • On-demand network security through application of NSX Security Policies including:
      • Firewall Rules
      • Intrusion Detection
      • Agentless Anti-Virus
    • Intra-Datacentre firewall policy enforcement aka “East-West” Firewall policies
    • Dynamic Security Groups (through matching criteria such as VM Tags, Name etc.) ensure policies are portable, i.e. they are not tied to a specific VM location. If the VM moves, the policy moves with it.
  • Availability
    • On-demand Load Balancer deployment as part of blueprint
    • Shared or dedicated load balancer pools
  • Scale and Performance
    • Built-in governance policies and automated provisioning balance application load across the infrastructure
    • Distributed Routing and Firewall minimise cross-host communication

vRA automates multi-tiered application provisioning by deploying Logical Switches and Routers and applying the appropriate set of Security Policies and Load Balancers to improve Availability, Scale and Performance.

Automation improves provisioning by standardising configurations and minimising manual tasks, thereby accelerating delivery in a repeatable, error-free manner.

Compare and contrast Network Profiles available in vRealize Automation

Network Profiles are required for connecting VMs to Logical Switches and Routers that are pre-defined by administrators. There are four types of Network Profile:

  • External
  • Routed
  • NAT
  • Private

Network Profiles in vRA are distinguished from Network Paths in that they do not specify where a VM is to be placed but how the logical network is to be configured.


External Network Profiles are used simply to allocate IP addresses to workload VMs and specify a default gateway. This configuration requires that the network path or Logical Switch is pre-created in NSX, along with the appropriate gateway for that network, which can be an NSX Edge, DLR or other upstream Layer 3 device.

Note: External Network Profiles also form part of NAT and Routed profiles.


Routed Network Profiles are used where multi-machine blueprints are to be utilised. In this configuration, the network profile allows a single segment to be sub-netted into smaller networks for separate application deployments e.g. Web Servers or Database Servers. The resulting networks are routed through an existing DLR with the appropriate routing configuration applied by vRA. The DLR configuration can either be Static Routes for each subnet or Dynamic Routing where OSPF or BGP is already in effect on the DLR.

For example, a network may be split along a /29 subnet mask, resulting in the following subnets. Each subnet has 4 usable IP addresses, meaning a blueprint using this profile can deploy up to 3 VMs per network (1 IP is used by the DLR).

Example:,, …..


NAT Network Profiles use an on-demand Edge Services Gateway to provide NAT services to VM workloads. An External network profile is associated with each NAT profile and determines the IP addresses the NSX Edge Services Gateway will expose.

In the diagram above, the network to the right of the NAT Gateway is known as a “Transit Network” in the NAT network profile. In One-to-Many NAT configurations, a single IP address configured on the External network is mapped to multiple VMs on a given backend NAT network, e.g. Web. Conversely, when using a One-to-One mapping, an IP address is allocated for each VM behind the NAT Gateway.


Private Network Profiles are self-contained and not connected to any external network. Therefore, VMs provisioned with Private network profiles are only able to communicate with one another. VMs can be accessed through a vRA Remote Console.

Understand NSX preparation tasks for attaching a network profile to a blueprint

Discern vRealize Automation preparation tasks for deploying a machine with on-demand network services