(This blog post is written by my colleague Johan Blom, who is also a senior NSX architect/specialist.)

I recently did a customer engagement where Service Insertion with CloudGuard from Check Point was in scope. To be able to do service insertion, an overlay network is required to send the traffic that should be inspected to the Service Insertion appliance. The thing was that the customer had several clusters running N-VDS VLAN-backed switches only. Naturally we added an overlay Transport Zone to the cluster that was supposed to utilize Service Insertion, but we did not add any overlay Transport Zone to the other clusters.

When adding a Partner Service for Service Insertion you configure it on the NSX-T manager level and not per cluster.

Rules are created in the ruleset:

The problem that occurred was that the clusters that were not added to any overlay Transport Zone would not connect their VMs to the network again after vMotion or a reboot, nor would they connect newly created VMs.

The solution to this is to make sure all your clusters get an overlay Transport Zone. This will hopefully soon be documented in the official VMware documentation.
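One way to check for this condition before enabling a Partner Service, as an added example that is not part of the original post: the script below flags hosts, grouped by cluster, that have no overlay Transport Zone attached. The JSON is constructed sample data shaped like NSX-T Manager API responses (`/api/v1/transport-zones`, `/api/v1/transport-nodes`); the field names are assumptions to verify against your NSX-T version, and the host-to-cluster map and host names are hypothetical.

```python
import json

# Constructed sample data shaped like NSX-T Manager API responses
# (GET /api/v1/transport-zones, GET /api/v1/transport-nodes).
# Field names are assumptions; check them against your NSX-T version.
ZONES = json.loads("""{"results": [
  {"id": "tz-ov", "display_name": "TZ-Overlay", "transport_type": "OVERLAY"},
  {"id": "tz-vl", "display_name": "TZ-VLAN", "transport_type": "VLAN"}]}""")

def _node(name, *tz_ids):
    """Build a constructed transport-node record with one host switch."""
    eps = [{"transport_zone_id": t} for t in tz_ids]
    return {"display_name": name,
            "host_switch_spec": {"host_switches": [{"transport_zone_endpoints": eps}]}}

NODES = {"results": [_node("esx-a1", "tz-vl", "tz-ov"), _node("esx-a2", "tz-vl", "tz-ov"),
                     _node("esx-b1", "tz-vl"), _node("esx-b2", "tz-vl", "tz-ov")]}

# Hypothetical host-to-cluster map, e.g. exported from vCenter.
HOST_CLUSTER = {"esx-a1": "cluster-a", "esx-a2": "cluster-a",
                "esx-b1": "cluster-b", "esx-b2": "cluster-b", "esx-c1": "cluster-c"}

def overlay_zone_ids(zones):
    """IDs of all transport zones whose type is OVERLAY."""
    return {z["id"] for z in zones["results"] if z.get("transport_type") == "OVERLAY"}

def node_zone_ids(node):
    """All transport zone IDs attached to any host switch of a node."""
    spec = node.get("host_switch_spec") or {}
    return {ep["transport_zone_id"]
            for hs in spec.get("host_switches", [])
            for ep in hs.get("transport_zone_endpoints", [])}

def hosts_missing_overlay(zones, nodes, host_cluster):
    """Return {cluster: [hosts]} for hosts with no overlay transport zone."""
    overlay = overlay_zone_ids(zones)
    attached = {n["display_name"]: node_zone_ids(n) for n in nodes["results"]}
    missing = {}
    for host, cluster in host_cluster.items():
        # A host absent from the transport-node list has no zones at all.
        if not attached.get(host, set()) & overlay:
            missing.setdefault(cluster, []).append(host)
    return {c: sorted(h) for c, h in sorted(missing.items())}

if __name__ == "__main__":
    for cluster, hosts in hosts_missing_overlay(ZONES, NODES, HOST_CLUSTER).items():
        print(f"{cluster}: no overlay transport zone on {', '.join(hosts)}")
```

Hosts that appear in the cluster map but not in the transport-node list are reported too, since they have no Transport Zone of any kind.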