Nutanix Flow

Nutanix Tech Note

Version 1.1 • May 2018 • TN-2094

 Nutanix Flow

Copyright
Copyright 2018 Nutanix, Inc.
Nutanix, Inc.
1740 Technology Drive, Suite 150
San Jose, CA 95110
All rights reserved. This product is protected by U.S. and international copyright and intellectual
property laws.
Nutanix is a trademark of Nutanix, Inc. in the United States and/or other jurisdictions. All other
marks and names mentioned herein may be trademarks of their respective companies.

Copyright | 2
 Nutanix Flow

Contents

1. Executive Summary................................................................................ 4

2. Introduction..............................................................................................5
2.1. Audience........................................................................................................................ 5
2.2. Purpose..........................................................................................................................5

3. Nutanix Enterprise Cloud Overview...................................................... 6

3.1. Nutanix Acropolis Architecture...................................................................................... 7

4. Nutanix Flow............................................................................................ 8
4.1. Architecture.................................................................................................................... 8
4.2. Enabling Flow Microsegmentation and Visualization.................................................... 9
4.3. Categories....................................................................................................................11
4.4. Security Policies.......................................................................................................... 14
4.5. Using Quarantine Policies........................................................................................... 16
4.6. Using Isolation Policies................................................................................................19
4.7. Using Application Policies........................................................................................... 23

5. Conclusion............................................................................................. 36

Appendix......................................................................................................................... 37
References.......................................................................................................................... 37
About Nutanix......................................................................................................................37

List of Figures................................................................................................................38

List of Tables................................................................................................................. 40

3
 Nutanix Flow

1. Executive Summary
Flow is a software-defined networking product tightly integrated into Nutanix AHV and
Prism. Flow provides rich visualization, automation, and security for VMs running on AHV.
Microsegmentation is a component of Flow networking that simplifies policy management. Using
multiple Prism Central categories (logical groups), you can create a powerful distributed firewall
that gives administrators an application-centric policy management tool for securing VM traffic.
Categories enable flexible, attribute-based grouping of VMs to define security policies. By
using logical categories, you no longer need to base policy definitions on network addresses
or manually update policies to handle network changes. Your security policy can automatically
apply to a VM independent of its network configuration. With Flow, administrators can visualize
traffic between groups of VMs to create plain-language policies based on application behavior,
rather than defining allowed traffic in the language of IP addresses and subnets.
With Flow, Nutanix extends Prism Central’s consumer-grade simplicity and ease of use beyond
virtualization and storage infrastructure management to the world of network security.

1. Executive Summary | 4
 Nutanix Flow

2. Introduction

2.1. Audience
This tech note is part of the Nutanix Solutions Library. It is intended for architects and
administrators who are responsible for VM networking and security. Readers of this document
should already be familiar with Nutanix AHV and Prism Central.

2.2. Purpose
In this document, we cover the following topics:
• Nutanix Flow.
• Flow microsegmentation.
• Flow visualization.
• Creating and managing categories.
• Creating and managing security policies.

Table 1: Document Version History

Version
Published Notes
Number
1.0 April 2018 Original publication.
1.1 May 2018 Added Service Chain KB article.

2. Introduction | 5
 Nutanix Flow

3. Nutanix Enterprise Cloud Overview

Nutanix delivers a web-scale, hyperconverged infrastructure solution purpose-built for
virtualization and cloud environments. This solution brings the scale, resilience, and economic
benefits of web-scale architecture to the enterprise through the Nutanix Enterprise Cloud
Platform, which combines three product families—Nutanix Acropolis, Nutanix Prism, and Nutanix
Calm.
Attributes of this Enterprise Cloud OS include:
• Optimized for storage and compute resources.
• Machine learning to plan for and adapt to changing conditions automatically.
• Self-healing to tolerate and adjust to component failures.
• API-based automation and rich analytics.
• Simplified one-click upgrade.
• Native file services for user and application data.
• Native backup and disaster recovery solutions.
• Powerful and feature-rich virtualization.
• Flexible software-defined networking for visualization, automation, and security.
• Cloud automation and life cycle management.
Nutanix Acropolis provides data services and can be broken down into three foundational
components: the Distributed Storage Fabric (DSF), the App Mobility Fabric (AMF), and AHV.
Prism furnishes one-click infrastructure management for virtual environments running on
Acropolis. Acropolis is hypervisor agnostic, supporting three third-party hypervisors—ESXi,
Hyper-V, and XenServer—in addition to the native Nutanix hypervisor, AHV.

Figure 1: Nutanix Enterprise Cloud

3. Nutanix Enterprise Cloud Overview | 6

 Nutanix Flow

3.1. Nutanix Acropolis Architecture

Acropolis does not rely on traditional SAN or NAS storage or expensive storage network
interconnects. It combines highly dense storage and server compute (CPU and RAM) into a
single platform building block. Each building block delivers a unified, scale-out, shared-nothing
architecture with no single points of failure.
The Nutanix solution requires no SAN constructs, such as LUNs, RAID groups, or expensive
storage switches. All storage management is VM-centric, and I/O is optimized at the VM virtual
disk level. The software solution runs on nodes from a variety of manufacturers that are either
all-flash for optimal performance, or a hybrid combination of SSD and HDD that provides a
combination of performance and additional capacity. The DSF automatically tiers data across the
cluster to different classes of storage devices using intelligent data placement algorithms. For
best performance, algorithms make sure the most frequently used data is available in memory or
in flash on the node local to the VM.
To learn more about the Nutanix Enterprise Cloud, please visit the Nutanix Bible and
Nutanix.com.

3. Nutanix Enterprise Cloud Overview | 7

 Nutanix Flow

4. Nutanix Flow
Nutanix Flow delivers advanced networking and security services, providing visibility into the
virtual network, application-centric protection from network threats, and automation of common
networking operations.
Fully integrated into Nutanix AHV virtualization and the Nutanix Enterprise Cloud OS, Flow allows
organizations to deploy software-defined virtual networking without the complexity of installing
and managing additional products that have separate management and independent software
maintenance requirements.
Flow provides application-centric policies that enable complete visibility and traffic control. This
policy model allows administrators to implement fine-grained rules regarding traffic sources and
destinations, or microsegmentation. These same policies make it possible to visualize traffic
flowing within and between application VMs. This granular level of control is an important part of
a defense-in-depth strategy against modern datacenter threats.
Nutanix Flow protects against new threats that are designed to spread laterally from one system
to another within the same protected datacenter. Because perimeter-based firewalls traditionally
only protect the environment from external threats, it can be difficult to repurpose them to
protect internal traffic. Flow applies security rules between all applications and VMs within the
datacenter, thus adding internal protection behind your perimeter firewall.

4.1. Architecture
The Nutanix management plane, Prism Central, provides policy administration for Nutanix Flow.
Prism Central and the registered Nutanix clusters combine to form the control plane for Flow. The
data plane is the Nutanix AHV host Open vSwitch, which processes VM network traffic.

4. Nutanix Flow | 8
 Nutanix Flow

Figure 2: Flow Microsegmentation Architecture

4.2. Enabling Flow Microsegmentation and Visualization

Nutanix Flow is disabled by default. To enable Flow in Prism Central, click the question mark,
select New, and then click Microsegmentation. Refer to the requirements section in the Policies

4. Nutanix Flow | 9
 Nutanix Flow

Management documentation before enabling Flow. Flow is a licensed feature, but Nutanix offers
customers a free 60-day trial period.

Figure 3: Enable Microsegmentation

4. Nutanix Flow | 10
 Nutanix Flow

4.3. Categories
Categories allow you to group entities such as VMs together logically. When creating a category,
you can assign it multiple potential values. The administrator selects from this list of potential
values when adding the category to an entity. For example, the Environment key could have
several values, such as Production, Development, Staging, or Test. When assigned to a VM,
each category consists of a text-based key-value pair—for example, Environment: Production,
with a key of Environment and a value of Production.
Categories are extremely flexible, and you can create new high-level key-value pairs to group
VMs based on application requirements. Categories are the building blocks of security policies,
so think carefully about what groups you may need to segment network traffic along existing
logical boundaries. For example, production may be isolated from development, or a perimeter
network may have special access from the Internet.
There are a number of system categories built into Prism Central that have a special meaning
when used in Nutanix Flow. Start with the existing categories and add your own if needed. The
following sections describe several important system categories that Flow requires for building
policies.

AppType
The category AppType defines a group of VMs that belong to the same application. You can
use AppType: Exchange, for example, to define all of the entities that belong to the Exchange
application. Nutanix recommends creating new values inside the AppType category to match the
applications running in your AHV environment.

Figure 4: AppType Category List

When creating Application Security Policies, Nutanix Flow uses AppType categories to manage
traffic to and from an application, so be sure to define your applications with the appropriate
AppType values. Select AppType, then select Update to add your own custom application
names.

4. Nutanix Flow | 11
 Nutanix Flow

Figure 5: AppType Custom Application Name

AppTier
The category AppTier defines a set of entities that serve the same function within an application.
For example, AppTier: Exchange_Mailbox and AppTier: Exchange_Edge_Transport are two tiers
of VMs within the Exchange application, each serving a different function.

Figure 6: AppTier Categories

When creating application security policies, Nutanix Flow uses AppTier categories to secure
communication to, from, and between application tiers. Create custom tiers for your application
by selecting AppTier, then Update.

Creating Custom Categories

Nutanix recommends updating the existing system categories where possible and expanding
these with values that suit your needs. For example, expand the AppType and AppTier
categories by adding your own applications and tiers as values. You can create entirely new
categories as needed, but Nutanix recommends keeping things as simple as possible while still
achieving the desired result. Creating the smallest logical number of categories helps ensure that
policy creation remains quick and easy for the administrator.

4. Nutanix Flow | 12
 Nutanix Flow

The creation of branch office policies offers an example of the tradeoff between the number of
categories and the number of policies. Consider the categories and policies required based on
the two following approaches: one category per site type, and one category per site.

Figure 7: Approach 1: One Category per Site Type

Figure 8: Approach 2: One Category per Site

With the first approach, it’s easy to create a security policy as long as all branches have the
same relationship to the HQ application. The second approach gives more control per site, but
we must define the relationship between each site and HQ. If we have a large number of sites,
this definition process could be time consuming.

Quarantine
By default, Quarantine categories isolate a VM from all other network devices. In addition to the
standard Quarantine category—Default, which denies all traffic—a Forensic category allows
quarantined VMs access to and from a policy-defined set of destinations and sources to assist
in analyzing the quarantined VM. The Quarantine: Default and Quarantine: Forensic categories

4. Nutanix Flow | 13
 Nutanix Flow

cannot be modified, and you cannot manually apply them to a VM. Nutanix Flow uses these
categories when you select the quarantine action for a VM.

Applying Categories to VMs

To apply categories to VMs, navigate to Explore in Prism Central, then click VMs in the Entities
menu. Select the VMs you want, then click Manage Categories in the Actions drop-down menu.
You can apply more than one category to each VM, so it’s possible to apply both of the
approaches described in the Creating Custom Categories section above. With VM-level
categories, we could allow connectivity between branches based on one attribute (such as
Site: Branch-001), and connectivity from branches to HQ based on another attribute (such as
SiteType: Branch).

Figure 9: Site and SiteType Categories on a VM

With the Site category, you can define complex relationships between sites. For simpler policy
creation, you can use the SiteType category to define relationships between sites and HQ. This
flexibility demonstrates the power of categories and shows that thinking about the relationships in
an application can help you create more useful categories.

4.4. Security Policies

Security policies managed in Prism Central use categories to define the network traffic allowed
or denied between VMs. Different security policy types describe the relationships between
categories. In AOS 5.6, we offer the following policy types: quarantine, isolation, and application.
The quarantine policy has two available tiers: Strict and Forensic. Strict quarantine blocks all
traffic to and from VMs. Forensic quarantine allows specific predefined sources and destinations
for quarantined VMs. Use Strict quarantine to completely block all inbound and outbound traffic

4. Nutanix Flow | 14
 Nutanix Flow

to a VM. Use Forensic quarantine to allow a defined set of administrators to troubleshoot and
analyze a VM.
Isolation policies define specific categories of VMs that should be disallowed from communicating
with each other. For example, you could create an isolation policy to ensure that the development
environment can never communicate with the production environment.
Finally, application security policies allow you to define a multitiered application and control traffic
to and from as well as within the application tiers. For example, you could create an application
policy to define a mailbox and an edge tier inside the Exchange application. Furthermore, you
can then set this policy to allow sources such as Marketing and Sales access to the mailbox tier,
with both Exchange tiers allowed access to AD and Windows Update servers.
Nutanix Flow evaluates security policies in the order shown in the figure below to build traffic
rules. If traffic encounters a matching quarantine or isolation rule, Flow blocks it, and further
policy processing stops. If no quarantine or isolation rule blocks the traffic, then the application
rule evaluates it. If the traffic source or destination does not match any rules, Flow allows the
traffic.

Figure 10: Policy Evaluation Order

Combining Policies
Combine multiple policies and policy types to build a complete security solution for a set of
applications. First, use quarantine policies to temporarily isolate a specific VM from all other

4. Nutanix Flow | 15
 Nutanix Flow

VMs. Next, use isolation policies to define which groups of VMs must never be allowed to talk
with other groups. Finally, use application policies to control traffic allowed to, from, and within
applications. Application policies can allow traffic between two or more applications as well, but
remember to ensure that the policy of each application allows this traffic.

Policy Mode
The two selectable modes for security policies are Apply and Monitor. A policy in Monitor mode
allows traffic, even if the policy does not specifically define that traffic as allowed. In contrast,
Apply mode only allows specifically defined traffic.
Monitor mode is the default state for a newly created isolation or application policy. Use Monitor
mode in combination with flow visualization to track flows on a newly created policy, ensuring that
it contains the expected traffic.
Once you have confirmed policy accuracy, you can move policies from Monitor to Apply mode.
Use flow visualization in Apply mode to see blocked traffic.

4.5. Using Quarantine Policies

The option to place a VM into a quarantine category is in the VM action menu.

4. Nutanix Flow | 16
 Nutanix Flow

Figure 11: Quarantine VM Action

You can place VMs into either Strict or Forensic quarantine.

4. Nutanix Flow | 17
 Nutanix Flow

Figure 12: Quarantine Methods

Select Strict to place the VM into the default quarantine category, which restricts all traffic to and
from the VM. Select Forensic to place the VM into the forensic category, which allows a defined
set of sources and destinations.
The forensic quarantine policy controls which forensic tools have access to VMs in the forensic
category. Modify the quarantine policy to add your own tools as needed. In this example, the
security team is allowed access to the forensic quarantined VMs on specific ports. You can add
inbound sources and even outbound sources to the forensic category; however, you cannot add
any sources or destinations to the default strict category.

4. Nutanix Flow | 18
 Nutanix Flow

Figure 13: Quarantine Policy Definition

Quarantine Flow Visualization

Use the quarantine policy view to visualize the traffic to and from quarantined VMs. Traffic
blocked by the quarantine policy displays a red blocked symbol.

Figure 14: Quarantine Flow Visualization

4.6. Using Isolation Policies

Isolation policies prevent two defined groups of entities (VMs) from communicating with each
other. This kind of restriction is useful in instances with a limited number of groups, where these
groups require absolute isolation from other defined groups. Isolation policies still allow traffic to
undefined groups and traffic within a group. To restrict traffic to undefined groups and to control
traffic within the group, use application policies instead of isolation policies.
Environment isolation is a great example of how to use isolation policies, where VMs in category
Environment: Production should not communicate with VMs in Environment: Dev.

4. Nutanix Flow | 19
 Nutanix Flow

Create isolation policies by selecting Explore, then Security Policies. Click Create Security
Policy, then select Isolate Environments.

Figure 15: Isolation Policy Menu

Give the isolation policy a name and select the two categories that should be separated from
each other. You can use any two categories to create an isolation policy.

4. Nutanix Flow | 20
 Nutanix Flow

Figure 16: Isolation Policy Creation

If you have more than two groups that require separation (for example, Production, Dev,
Staging, and Testing), then create an isolation policy for each unique pair of groups. For a large
list of groups, this list of isolation policies can grow long, so you may find application policies to
be more effective than isolation policies if you have a large number of groups to isolate.
For example, to separate four groups, you would need the following six policies.

4. Nutanix Flow | 21
 Nutanix Flow

Figure 17: Isolation Policies for Four Categories

Adding one more group that required isolation, such as Environment: Backup, would require
four new isolation policies—one to isolate each of the previously existing groups from the new
group.

Isolation Flow Visualization

Use the flow visualization feature in an isolation policy to view connection attempts between
isolated VMs.

4. Nutanix Flow | 22
 Nutanix Flow

Figure 18: Isolation Flow Visualization

Isolate Within a Subset

In addition to simple isolation between two groups, Nutanix Flow also offers the option for
the isolation policy to function within only a subset of VMs in the matching pair. For example,
our previous isolation policy separated all Environment: Production from all Environment:
Development. If we only wanted to separate Production from Development when the VMs also
had the category businessUnit : payroll applied, we would add businessUnit : payroll as a
subset to the isolation policy.

Figure 19: Isolate Within a Subset

4.7. Using Application Policies

Application policies are the most flexible type of security policy, defining both inbound traffic
sources and outbound destinations for a single- or multitiered application. An application policy
can also control traffic to, from, and within individual application tiers. An application policy
must be configured with a single AppType category that acts as the target group, because the
mapping between application policies and AppType categories is 1:1. For example, you can use
the category AppType: Exchange as the AppType in only one application security policy.
Use application policies whenever traffic must be allowed on specific ports and protocols
between sources and destinations. Application policies can also isolate one group of AppType
VMs from all other AppType VMs, without needing to use isolation policies. The key difference
between these two policy types is that application policies allow configurable sources and
destinations between apps, while isolation policies enforce strict separation with no exceptions.

4. Nutanix Flow | 23
 Nutanix Flow

The diagram below shows the allowed inbound sources on the left and outbound destinations on
the right, with a single-tiered application in the center. The central application is labeled Your App
in the diagram, but in some contexts Nutanix also calls it the target group.

Figure 20: Application Policy Source, Application, and Destination

To create application policies in Prism Central, navigate to Explore, select Security Policies,
click Create Security Policy, and then select Secure an Application.

Figure 21: Create Application Policy

4. Nutanix Flow | 24
 Nutanix Flow

Enter a name for the policy and a helpful text description. The application drop-down menu
shows a list of all available AppType categories.

Note: You can only use an AppType category to create an application policy.

Figure 22: Application Policy Creation

Sources and Destinations

After selecting the application, choose whether to allow or whitelist the sources and destinations
associated with it. With the Allow All option, all sources or destinations can communicate with
the application. To control which sources and destinations are allowed, use the Whitelist Only
option to allow explicit categories or IP subnets and block any unspecified traffic.

4. Nutanix Flow | 25
 Nutanix Flow

Figure 23: Allow All vs. Whitelist

Add sources on the left side of the application policy (refer to the Application Policy Source,
Application, and Destination figure above) by category and IP subnet. Select Category from the
drop-down menu and use the text box to search for and select the desired category.

4. Nutanix Flow | 26
 Nutanix Flow

Figure 24: Add Source by Category

Select Subnet/IP and enter the IPv4 network address in CIDR notation (IP/mask length). For
example, use a mask length of 24 to allow an entire Class C subnet, or a mask length of 32 to
allow only a single host IP address. Using IP subnets is helpful when the source or destination
you’re adding is external to the Nutanix cluster.

4. Nutanix Flow | 27
 Nutanix Flow

Figure 25: Add Source by Subnet/IP

After adding a source, click the plus sign to select the traffic’s destination, allowing traffic to a
specific tier within the application.

Figure 26: Connecting a Source to AppType

Add allowed protocols and ports such as TCP, UDP, and ICMP to the flow.

4. Nutanix Flow | 28
 Nutanix Flow

Figure 27: Allowed Flow Specification

Adding categories and IP subnets as destinations in an application policy works in a similar way,
but you would select the plus sign on the source tier of the application after adding a destination.

Application Tiers
Add tiers to an application that requires granular traffic control for the different VMs within the
application. In the previous example, we combined the Exchange AppType category with two
AppTier categories: Exchange_Mailbox and Exchange_Edge_Transport. To add these AppTier
categories in the application policy, select Set rules on App Tiers, instead to allow traffic to and
from individual tiers of the application.

4. Nutanix Flow | 29
 Nutanix Flow

Figure 28: Add Application Tiers

Now you can control sources and destinations at the individual tier level.

Figure 29: Source to AppTier

4. Nutanix Flow | 30
 Nutanix Flow

To control traffic between application tiers, click Set Rules within App at the top of the screen
and select the tiers from which traffic should be allowed. Use the plus signs that appear on the
other tiers to define the allowed traffic.

Figure 30: Set Rules Within App

To control traffic between VMs within a single application tier, select whether traffic is allowed
within the same tier. For Exchange, it is desirable to allow traffic between servers in the same
tier, but an administrator may want to disallow traffic between web VMs in the same front-end
web application tier for additional security.

Service Chain Insertion

Each defined flow in an application policy can be directed through a service chain when a
chain exists. Service chains define a set of network function VMs (NFVs) for advanced traffic
processing. For example, the service chain can direct network traffic on a specific port to a VM
for antivirus scanning, deep packet inspection, or packet capture. You can combine multiple
NFVs in a chain to apply multiple functions to guest VM traffic.

4. Nutanix Flow | 31
 Nutanix Flow

Figure 31: Network Function VM Chain

Follow the documentation for service chain creation in KB 5486. In Prism Central, create the
allowed inbound or outbound flow as usual, then select the desired service chain from the drop-
down menu.

4. Nutanix Flow | 32
 Nutanix Flow

Figure 32: Redirect Through a Service Chain

Flow Monitoring
Application policies provide flow visualization based on collected traffic statistics to monitor
blocked and allowed traffic flows. Nutanix AHV hosts collect traffic information and send it to
Prism Central, which builds a flow visualization view inside the application policy.

4. Nutanix Flow | 33
 Nutanix Flow

Figure 33: Flows Detected in Monitor Mode

When an application policy is in Monitor mode, traffic to the application that isn’t allowed in the
policy is shown in yellow. Hovering over the traffic flow shows a history of connection attempts
along with details about port and protocol. Hovering over the traffic inbound source or outbound
destination allows the administrator to add a specific flow to the policy. This flexibility helps create
an accurate policy, ensure that no traffic is missed, and see what activity is taking place.
When an application policy is in Apply mode, denied traffic displays with a red X, denoting
connection attempts that the policy blocked.

Figure 34: Flows Blocked in Apply Mode

4. Nutanix Flow | 34
 Nutanix Flow

Application Policies Filter

During application policy creation, you can also select a specific subset of categories where
this application rule applies. Using the AppType: Exchange example and selecting a filter of
Environment: Production, the application policy would only apply to AppType: Exchange VMs
that also shared the category Environment: Production.
To avoid ambiguity, when the AppType policy uses the Environment filter, all sources and
destinations must have an Environment category explicitly defined.

Figure 35: Application Policies Within a Subset

4. Nutanix Flow | 35
 Nutanix Flow

5. Conclusion
Nutanix Flow is a software-defined networking solution for AHV that provides visualization,
automation, and security. As part of Flow, microsegmentation uses Prism Central categories
and security policies to protect VMs. By using categories to create flexible groups of VMs, Flow
simplifies security policy definition. With security policies, administrators can protect or isolate
applications or environments and quarantine infected or rogue VMs.
Through policy- and application-centric traffic monitoring, flow visualization answers the vital
question of what VM traffic is actually sent and received in the virtual system.
The ease of creating and applying categories and policies opens the door for automation.
Security is no longer tied directly to VMs or IP addresses, and administrators can respond quickly
to datacenter changes.
Because Nutanix Flow is built into Prism Central and works natively in AHV, there are no
additional components to install or manage. Network security is now just one click away.
For feedback or questions, please contact us using the Nutanix NEXT Community forums.

5. Conclusion | 36
 Nutanix Flow

Appendix

References
1. Creating Service Chains with REST KB 5486
2. Nutanix AHV Administration Guide: Integration with Network Functions
3. Nutanix Prism Central Guide: Category Management
4. Nutanix Prism Central Guide: Policies Management

About Nutanix
Nutanix makes infrastructure invisible, elevating IT to focus on the applications and services that
power their business. The Nutanix Enterprise Cloud OS leverages web-scale engineering and
consumer-grade design to natively converge compute, virtualization, and storage into a resilient,
software-defined solution with rich machine intelligence. The result is predictable performance,
cloud-like infrastructure consumption, robust security, and seamless application mobility for a
broad range of enterprise applications. Learn more at www.nutanix.com or follow us on Twitter
@nutanix.

Appendix | 37
 Nutanix Flow

List of Figures
Figure 1: Nutanix Enterprise Cloud................................................................................... 6

Figure 2: Flow Microsegmentation Architecture................................................................ 9

Figure 3: Enable Microsegmentation...............................................................................10

Figure 4: AppType Category List.................................................................................... 11

Figure 5: AppType Custom Application Name................................................................ 12

Figure 6: AppTier Categories.......................................................................................... 12

Figure 7: Approach 1: One Category per Site Type....................................................... 13

Figure 8: Approach 2: One Category per Site................................................................ 13

Figure 9: Site and SiteType Categories on a VM........................................................... 14

Figure 10: Policy Evaluation Order................................................................................. 15

Figure 11: Quarantine VM Action....................................................................................17

Figure 12: Quarantine Methods.......................................................................................18

Figure 13: Quarantine Policy Definition...........................................................................19

Figure 14: Quarantine Flow Visualization........................................................................19

Figure 15: Isolation Policy Menu..................................................................................... 20

Figure 16: Isolation Policy Creation................................................................................ 21

Figure 17: Isolation Policies for Four Categories............................................................ 22

Figure 18: Isolation Flow Visualization............................................................................ 23

Figure 19: Isolate Within a Subset.................................................................................. 23

Figure 20: Application Policy Source, Application, and Destination................................ 24

Figure 21: Create Application Policy............................................................................... 24

38
 Nutanix Flow

Figure 22: Application Policy Creation............................................................................ 25

Figure 23: Allow All vs. Whitelist..................................................................................... 26

Figure 24: Add Source by Category................................................................................27

Figure 25: Add Source by Subnet/IP.............................................................................. 28

Figure 26: Connecting a Source to AppType..................................................................28

Figure 27: Allowed Flow Specification.............................................................................29

Figure 28: Add Application Tiers..................................................................................... 30

Figure 29: Source to AppTier.......................................................................................... 30

Figure 30: Set Rules Within App.....................................................................................31

Figure 31: Network Function VM Chain.......................................................................... 32

Figure 32: Redirect Through a Service Chain.................................................................33

Figure 33: Flows Detected in Monitor Mode................................................................... 34

Figure 34: Flows Blocked in Apply Mode........................................................................34

Figure 35: Application Policies Within a Subset..............................................................35

39
 Nutanix Flow

List of Tables
Table 1: Document Version History.................................................................................. 5

40