Book of Network Services

Flow (Microsegmentation)

Flow is a distributed stateful firewall that enables granular network monitoring and enforcement between entities running on the AHV platform as well as external things they communicate with.

Supported Configurations

The solution is applicable to the configurations below (list may be incomplete, refer to documentation for a fully supported list):

Core Use Case(s):

Management interfaces(s):

Supported Environment(s):


Compatible Features:

The configuration is done via Prism Central by defining policies and assigning to categories. This allows the configuration to be done in a central place and pushed to many Nutanix clusters. Each AHV host implements the rules using OpenFlow.

Implementation Constructs

Within Nutanix Flow, there are a few key constructs:


Categories are used to define groups of entities which policies and enforcement are applied to. They typically apply, but are not limited to: environment, application type, application tier, etc.

For example, a VM providing production database services may have the following assigned categories:

These categories can then be leveraged by policies to determine what rules / actions to apply (also leveraged outside of the Flow context).

Security Rule

Security rule(s) are the defined rules and determine what is allowed between defined categories.

Flow - Microsegmentation - Rules Flow - Microsegmentation - Rules

There are a few types of security rules:

The following shows an example utilizing Flow - Microsegmentation to control traffic in a sample application:

Flow - Microsegmentation - Example Application Flow - Microsegmentation - Example Application


Enforcement determines what action is taken when a rule is matched. With AHV Flow - Microsegmentation there are two types of enforcement:

Flow - Microsegmentation rules are the first applied to a packet once it leaves the UVM. This occurs in the microsegmentation bridge (br.microseg):

Flow - Microsegmentation - Flow Flow - Microsegmentation - Flow