Securing Your Hybrid Cloud with Nutanix Security Central and Flow Network Security

It's 2:47 AM. A finance VM in your datacenter starts beaconing out to an IP in Eastern Europe. By the time your Security Operations Center sees the alert, the attacker has already pivoted to three other VMs on the same VLAN — a domain controller, a backup server, and a database holding customer PII.

The perimeter firewall didn't stop it. It couldn't. The traffic never crossed the perimeter. It moved east-west — VM to VM, inside the trusted zone — and your traditional security stack was never built to see it, let alone stop it. This is the reality security teams live with today. Workloads don't sit still. VMs spin up and down hourly. Applications sprawl across on-prem clusters, AWS, and Azure. IPs change. Perimeters blur. And every lateral hop an attacker makes inside your network is a hop your firewall never sees.

The old castle-and-moat model is broken. What you need is a way to see every flow, understand every conversation between VMs, and enforce policy inside the hypervisor — without agents, appliances, or re-architecting your network. That's the problem Nutanix Security Central and Flow Network Security (FNS) were built to solve.

What is Nutanix Security Central?

Nutanix Security Central is a SaaS-based security operations platform — a single pane of glass that unifies security posture, compliance, and microsegmentation planning across your entire hybrid cloud.

Think of it as the brain. It collects IPFIX metadata from on-prem AHV clusters through a lightweight Flow Security Central (FSC) VM, ingests inventory and posture data from AWS and Azure, and pushes everything into a cloud-hosted dashboard where ML models turn raw traffic into actionable policy recommendations.

What makes it different from a traditional SIEM or CSPM tool:

  • Unified posture across AWS, Azure, and Nutanix in one view
  • Continuous compliance against CIS, STIG, PCI-DSS, HIPAA, and NIST CSF
  • VM-to-VM traffic visualization across categories, VLANs, and clusters
  • ML-based policy recommendations built from real observed traffic — not guesses
  • Anomaly detection at both the network and user level

And critically — Security Central doesn't stop at telling you what's wrong. It pairs with Flow Network Security to actually do something about it. One architectural note: an FSC VM is needed for each Prism Central deployment, regardless of how many clusters that PC manages. IPFIX logs are transmitted in 15-minute batches over HTTPS/TLS, which keeps bandwidth requirements reasonable.

Nutanix Security Central and Flow Network Security Architecture

A Real-World Scenario

Let's ground this. Meet Acme Financial — a mid-sized bank running 800 VMs across three Nutanix clusters, plus workloads in AWS for dev/test. Their security team has three problems keeping them up at night:

  • Problem 1: They don't know what talks to what. The core banking app has 40 VMs. Nobody's entirely sure which tiers talk to which, which services need internet access, and which are legacy VMs nobody owns anymore but still somehow receive traffic.
  • Problem 2: Their auditor wants PCI-DSS evidence — monthly. Right now, compliance reporting is a spreadsheet exercise. Two engineers lose a week every month.
  • Problem 3: They had a scare last quarter. A contractor's laptop got infected, connected to the VPN, and started scanning internal subnets. Nothing bad happened — but the incident response team needed four hours to isolate the affected workload, because it required a firewall change request, a change advisory board approval, and a manual VLAN move.

Here's how Security Central + FNS changes that story:

  • Within 24 hours of deploying the FSC VM, the team has a complete map of every flow in their environment. The 40-VM banking app reveals itself as five clear tiers. Three "mystery VMs" turn out to be decommissioned — but still running.
  • Within a week, Security Central's ML has recommended App Policies for the banking stack, automatically grouping VMs by observed behavior. The team reviews, tweaks, and deploys them in Monitor mode first to confirm nothing breaks.
  • PCI-DSS compliance becomes a live dashboard, not a spreadsheet. The auditor gets read-only access.
  • And next time a VM is compromised? Two clicks in Prism Central — right-click → Quarantine → Forensic mode. The VM is isolated in seconds, but forensic tools can still reach it for investigation. No firewall ticket. No CAB meeting. No four-hour MTTR.

That's not hypothetical — that's the out-of-the-box workflow.

Walkthrough: From Zero to Enforced

Deploying Security Central

Security Central deploys into both brownfield and greenfield environments — no cluster rebuild needed. The onboarding flow is:

  • Download the FSC (Flow Security Central) qcow2 image.
  • Deploy a VM using the FSC image on any AHV cluster and power it on.
  • Browse to the FSVM IP, ignore the self-signed cert warning, and log in with default credentials.
  • Enter Prism Central details (username, password, IP, port) and validate.
  • Enable network log collection for security planning and traffic visualization.
  • Generate a token for each Prism Central you want to onboard.
  • In Flow Security Central, pick Nutanix (alongside AWS and Azure options) on the onboarding page.
  • Enter the Prism Central name and token, select the clusters, and click verify & save.

Within a few minutes, real traffic flow data starts populating the dashboard.

The Dashboard: Your Mission Control

Once onboarded, the dashboard gives an at-a-glance overview of network traffic across your clusters — unprotected flows, blocked flows, and active security policies. The VM Security Status widget surfaces how many VMs are currently running without policies or categories, a critical number to drive down.

Security Central Dashboard

From the dashboard you typically work through three feature areas: Investigate, Security Planning, and ongoing Dashboard monitoring.

Investigate

The Investigate feature lets you run customized queries against your network logs and get near-real-time results.

The Query Library ships with prebuilt queries — packets exchanged between two VMs, microsegmentation policy status, VMs communicating with the public internet — and you can author your own for things like cross-environment Dev-Prod traffic.
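To make the Investigate queries concrete, here is an added Python example (not Security Central's code or its query language) that runs the three prebuilt-style queries from the paragraph above over a handful of constructed flow records. The `Flow` field layout, the VM names, the addresses and the packet counts are assumptions for this example; the RFC 1918 test stands in for the product's notion of "public internet".

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed record layout, loosely modelled on IPFIX-derived VM flow logs.
# dst_vm/dst_env are "" when the peer is outside the VM inventory.
@dataclass(frozen=True)
class Flow:
    src_vm: str
    src_env: str      # category of the source VM, e.g. "Prod" or "Dev"
    src_ip: str
    dst_vm: str
    dst_env: str
    dst_ip: str
    dst_port: int
    proto: str
    packets: int

# Constructed sample window. 203.0.113.0/24 and 198.51.100.0/24 are documentation
# ranges used here to represent internet destinations.
FLOWS = [
    Flow("web-01", "Prod", "10.10.1.11", "app-01", "Prod", "10.10.2.21", 8443, "tcp", 1200),
    Flow("app-01", "Prod", "10.10.2.21", "web-01", "Prod", "10.10.1.11", 51022, "tcp", 950),
    Flow("app-01", "Prod", "10.10.2.21", "db-01", "Prod", "10.10.3.31", 5432, "tcp", 4000),
    Flow("dev-build-01", "Dev", "10.20.1.5", "db-01", "Prod", "10.10.3.31", 5432, "tcp", 60),
    Flow("web-01", "Prod", "10.10.1.11", "", "", "203.0.113.40", 443, "tcp", 300),
    Flow("legacy-07", "Prod", "10.10.9.7", "", "", "198.51.100.9", 25, "tcp", 12),
    Flow("app-01", "Prod", "10.10.2.21", "", "", "10.10.0.53", 53, "udp", 80),
]

PRIVATE_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internet(ip):
    """Anything outside RFC 1918 space is treated as the public internet here."""
    addr = ip_address(ip)
    return not any(addr in net for net in PRIVATE_NETS)

def packets_between(flows, vm_a, vm_b):
    """Query 1: packets exchanged between two VMs, counted in both directions."""
    pair = {vm_a, vm_b}
    return sum(f.packets for f in flows if {f.src_vm, f.dst_vm} == pair)

def vms_talking_to_internet(flows):
    """Query 2: VMs with at least one flow to a non-private destination."""
    return sorted({f.src_vm for f in flows if is_internet(f.dst_ip)})

def cross_environment_flows(flows, env_a, env_b):
    """Query 3: conversations that cross between two environments, either way."""
    return [(f.src_vm, f.dst_vm, f.proto, f.dst_port)
            for f in flows if {f.src_env, f.dst_env} == {env_a, env_b}]

if __name__ == "__main__":
    print("web-01 <-> app-01 packets:", packets_between(FLOWS, "web-01", "app-01"))
    print("internet talkers:", vms_talking_to_internet(FLOWS))
    print("Dev <-> Prod flows:", cross_environment_flows(FLOWS, "Dev", "Prod"))
```

The third query is the interesting one operationally: the Dev build server reaching a Prod database on 5432 is exactly the kind of flow the Acme scenario's Isolation Policy exists to stop, and a query like this is how you find it before the policy is written.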

Investigate View with Query Editor

Security Planning (Visualize → Analyze → Review → Apply → Enforce)

This is where Security Central earns its keep. It visualizes every VM in your network and uses ML to categorize them based on observed traffic patterns.

Within each stage you can:

  • Visualize networks across VMs, grouped by categories, VLANs, or clusters, with up to two levels of grouping (e.g., Level 1 = AppType, Level 2 = VM)
  • Drill down to VM groups or individual VMs
  • View traffic flows classified as allowed, dropped, or unprotected

Security Planning Workflow

Security Central then recommends groupings and policies based on the actual network logs, not on how someone thinks the application behaves.
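The recommendation step is easier to reason about once you see the shape of it. The following added Python example (not Security Central's ML, which is not published here) applies the simplest possible version of "group by observed behaviour, then write rules from observed conversations" to a constructed observation window: VMs that serve and consume the same ports land in one tier, every observed tier-to-tier conversation becomes a candidate allow rule, and VMs with no traffic at all are surfaced as decommission candidates, which is how the "mystery VMs" in the Acme scenario would show up. The record layout, VM names and tier labels are assumptions for this example.

```python
from collections import defaultdict

# Constructed observation window: (src_vm, dst_vm, proto, dst_port), one record per
# distinct conversation; "" marks a peer outside the VM inventory.
OBSERVED = [
    ("web-01", "app-01", "tcp", 8443), ("web-02", "app-01", "tcp", 8443),
    ("web-01", "app-02", "tcp", 8443), ("web-02", "app-02", "tcp", 8443),
    ("app-01", "db-01", "tcp", 5432), ("app-02", "db-01", "tcp", 5432),
    ("", "web-01", "tcp", 443), ("", "web-02", "tcp", 443),
    ("app-01", "", "udp", 53), ("app-02", "", "udp", 53),
]
INVENTORY = ["web-01", "web-02", "app-01", "app-02", "db-01", "legacy-07"]

def behaviour_signature(vm, flows):
    """What a VM serves (ports it accepts on) and consumes (ports it connects to)."""
    served = frozenset((p, port) for s, d, p, port in flows if d == vm)
    consumed = frozenset((p, port) for s, d, p, port in flows if s == vm)
    return served, consumed

def tier_label(served, consumed):
    """Name a tier after the ports it serves. Two groups that serve the same ports
    but consume different ones would share a label; a reviewer splits those by hand."""
    if not served and not consumed:
        return "unobserved"            # no traffic in the window: decommission candidate
    if not served:
        return "client-only"
    return "tier-" + "-".join(f"{p}{port}" for p, port in sorted(served))

def recommend_tiers(inventory, flows):
    """Group VMs with identical behaviour signatures into one tier; returns {vm: tier}."""
    groups = defaultdict(list)
    for vm in inventory:
        groups[behaviour_signature(vm, flows)].append(vm)
    return {vm: tier_label(*sig) for sig, members in groups.items() for vm in members}

def recommend_rules(tiers, flows):
    """Candidate allow rules (src_tier, dst_tier, proto, port) derived only from
    conversations that were actually observed; unknown peers become "external"."""
    rules = set()
    for s, d, p, port in flows:
        rules.add((tiers.get(s, "external"), tiers.get(d, "external"), p, port))
    return sorted(rules)

def unobserved_vms(tiers):
    """VMs that sent and received nothing during the window."""
    return sorted(vm for vm, tier in tiers.items() if tier == "unobserved")

if __name__ == "__main__":
    tiers = recommend_tiers(INVENTORY, OBSERVED)
    for rule in recommend_rules(tiers, OBSERVED):
        print("allow", *rule)
    print("unobserved:", unobserved_vms(tiers))
```

The output is a starting point for review, not a finished policy: a rule only appears because the conversation happened, so anything the window did not capture (a quarterly batch job, a DR failover path) is missing, which is the reason the walkthrough insists on deploying in Monitor mode first.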

Security Planning — Network View with Recommendations

Findings, Alerts, and Compliance

Beyond planning, Security Central continuously surfaces misconfigurations, threat indicators, and compliance gaps.

Findings are grouped by audit category (Access Security, Network Security, Data Security, etc.), and many common issues — AWS IAM Users without Group, EC2 without Instance Profile Role — have a One-Click Fix that remediates the issue without leaving the console. Compliance cards track pass/fail trends against HIPAA, PCI-DSS, CIS, and NIST CSF continuously.

Findings and Alerts by Audit Category

Compliance Overview

PCI Regulatory Compliance

Flow Network Security: Where Enforcement Happens

Security Central is the brain. FNS is the muscle — a distributed, stateful firewall built directly into AHV. No in-guest agents, no extra appliances. Policies are defined in Prism Central and enforced on every AHV host.

Packets leaving a user VM hit the microsegmentation bridge (br.microseg) before reaching any other VM. FNS evaluates categories, matches rules, programs them into br.microseg on every host where protected VMs run — and the policy follows the workload. Migrate the VM, change its IP, nothing breaks.

Four policy types cover most use cases:

  • App Policy — segment an AppType into AppTiers (Web → App → DB)
  • Isolation Policy — prevent two groups from communicating (e.g., Dev vs. Prod)
  • VDI Policy — identity-aware rules for virtual desktops, tied to AD groups
  • Quarantine Policy — incident response, with Strict (total isolation) or Forensic (isolated except from forensic tools) modes

Creating an Isolation Policy (Prod ↔ Dev)

  • Name the policy
  • Select Prod category in "Isolate this category"
  • Select Dev category in "From this category"
  • Click Create
  • Choose Monitor mode first — always

Monitor mode allows all flows but flags packets that would have been dropped. Once you've confirmed nothing critical is caught in the crossfire, flip to Enforce.

Create Isolation Policy Dialog

Quarantine in Two Clicks

When a VM is compromised: right-click in Prism Central → Quarantine VMs → Strict or Forensic. Effective in seconds. No physical network change. No firewall ticket. No reboot.
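The enforcement behaviour described in this section (category-keyed rules evaluated on the host, Monitor versus Enforce mode, Prod/Dev isolation, and Strict versus Forensic quarantine) is easiest to understand as a small model. The Python below is an added example, not FNS code and not a description of how br.microseg is programmed; the `Segmenter` class, the policy dictionary layout, the `Forensics: Tools` category and the VM names, IPs and categories are all assumptions for this example. The point it demonstrates is that rules never mention an IP: the packet's address is resolved to a VM and its categories at evaluation time, so changing a VM's IP changes nothing about which rules apply.

```python
from dataclasses import dataclass, field

@dataclass
class VM:
    name: str
    ip: str
    categories: dict     # e.g. {"AppType": "Banking", "AppTier": "Web", "Environment": "Prod"}

@dataclass
class Verdict:
    action: str                                  # "allow" or "drop"
    flagged: list = field(default_factory=list)  # policies that dropped (Enforce) or would have (Monitor)

def matches(vm, selector):
    """A category selector matches when every key/value it names is present on the VM."""
    return vm is not None and all(vm.categories.get(k) == v for k, v in selector.items())

class Segmenter:
    """Toy stand-in for per-host rule evaluation: rules reference categories only,
    and a packet's IP is resolved to a VM at the moment the packet is evaluated."""

    def __init__(self, vms):
        self.vms = {vm.name: vm for vm in vms}
        self.policies = []                       # evaluated in order; first enforced drop wins

    def by_ip(self, ip):
        return next((vm for vm in self.vms.values() if vm.ip == ip), None)

    def evaluate(self, src_ip, dst_ip, proto, port):
        src, dst = self.by_ip(src_ip), self.by_ip(dst_ip)
        verdict = Verdict("allow")
        for pol in self.policies:
            if not self._would_drop(pol, src, dst, proto, port):
                continue
            if pol["mode"] == "enforce":
                return Verdict("drop", verdict.flagged + [pol["name"]])
            verdict.flagged.append(pol["name"])  # Monitor: let it through, but record it
        return verdict

    def _would_drop(self, pol, src, dst, proto, port):
        names = {vm.name for vm in (src, dst) if vm is not None}
        if pol["type"] == "quarantine":
            if not names & pol["vms"]:
                return False
            if pol["forensic"]:                  # Forensic: only forensic tools may reach it
                peer = dst if src is not None and src.name in pol["vms"] else src
                return not matches(peer, pol["forensic_tools"])
            return True                          # Strict: nothing in, nothing out
        if pol["type"] == "isolation":
            a, b = pol["a"], pol["b"]
            return (matches(src, a) and matches(dst, b)) or (matches(src, b) and matches(dst, a))
        if pol["type"] == "app":                 # simplified: governs traffic into the app only
            if not matches(dst, pol["target"]):
                return False
            return not any(matches(src, s) and matches(dst, d) and (p, pt) == (proto, port)
                           for s, d, p, pt in pol["allow"])
        raise ValueError(pol["type"])

def quarantine(seg, vm_name, forensic):
    """Quarantine takes precedence over every other policy, so it is inserted first."""
    seg.policies.insert(0, {"name": f"quarantine-{vm_name}", "type": "quarantine",
                            "mode": "enforce", "vms": {vm_name}, "forensic": forensic,
                            "forensic_tools": {"Forensics": "Tools"}})

def build_demo():
    """Constructed inventory and policies: an enforced Prod/Dev isolation policy and a
    banking App Policy still in Monitor mode."""
    seg = Segmenter([
        VM("web-01", "10.10.1.11", {"AppType": "Banking", "AppTier": "Web", "Environment": "Prod"}),
        VM("app-01", "10.10.2.21", {"AppType": "Banking", "AppTier": "App", "Environment": "Prod"}),
        VM("db-01", "10.10.3.31", {"AppType": "Banking", "AppTier": "DB", "Environment": "Prod"}),
        VM("dev-01", "10.20.1.5", {"Environment": "Dev"}),
        VM("ir-01", "10.30.0.9", {"Forensics": "Tools"}),
    ])
    seg.policies.append({"name": "isolate-prod-dev", "type": "isolation", "mode": "enforce",
                         "a": {"Environment": "Prod"}, "b": {"Environment": "Dev"}})
    seg.policies.append({"name": "banking-app", "type": "app", "mode": "monitor",
                         "target": {"AppType": "Banking"},
                         "allow": [({"AppTier": "Web"}, {"AppTier": "App"}, "tcp", 8443),
                                   ({"AppTier": "App"}, {"AppTier": "DB"}, "tcp", 5432)]})
    return seg

if __name__ == "__main__":
    seg = build_demo()
    print("dev -> db:", seg.evaluate("10.20.1.5", "10.10.3.31", "tcp", 5432))
    print("web -> db (monitor):", seg.evaluate("10.10.1.11", "10.10.3.31", "tcp", 5432))
    quarantine(seg, "app-01", forensic=True)
    print("web -> quarantined app:", seg.evaluate("10.10.1.11", "10.10.2.21", "tcp", 8443))
```

Two things to read off the model: in Monitor mode the web-to-database flow is allowed but shows up in `flagged`, which is the "what would have dropped" signal you review before flipping to Enforce; and after the forensic quarantine, the incident-response VM can still reach the quarantined host while its former peers cannot.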

Quarantine VMs from Prism Central

Key Benefits

  • See before you enforce. ML-driven recommendations from real traffic mean you're not guessing at policy — you're codifying what's already happening, minus the bad flows.
  • No agents. No appliances. FNS lives in AHV. Policies are distributed via OVS and OpenFlow to every host. Nothing to install inside the guest OS.
  • Policies follow the workload. Categories drive rules; IPs are just enforcement handles. VM migration and IP changes never break policy.
  • Compliance becomes continuous. HIPAA, PCI-DSS, CIS, and NIST CSF reporting shifts from a monthly spreadsheet to a live dashboard with pass/fail trending.
  • Incident response in seconds, not hours. Quarantine (especially Forensic mode) collapses MTTR from "change ticket + CAB" to two clicks.
  • Monitor-first workflow. Every policy rolls out safely — you see what would have dropped before you drop anything.
  • One pane of glass for hybrid. AWS + Azure + Nutanix posture in one portal, with One-Click Fix for common misconfigurations (IAM users without groups, EC2 without instance profiles, etc.).

Competitive Positioning

  • vs. VMware NSX — NSX is powerful but heavy: separate managers, edge nodes, and a steep licensing uplift. FNS is built into AHV — no extra controller, no edge tier, no second product to learn.
  • vs. Illumio — Best-in-class visibility, but agent-based on every workload. Security Central gets you there via hypervisor IPFIX — no agents, no OS matrix, no patch cycle.
  • vs. Cisco Secure Workload — Capable but operationally expensive, with its own agents and analytics cluster. FNS + Security Central delivers the 80% use case at a fraction of the weight.
  • vs. AWS/Azure native controls — Cloud-only. Nutanix gives you one policy model across on-prem and cloud, in a single dashboard.

The Nutanix bet: if you're already on AHV, microsegmentation should be a feature of the platform, not a product bolted on top.

Conclusion

The perimeter is dead. Your datacenter is no longer a castle with a moat — it's a city, and every workload is a building that needs its own locks.

Nutanix Security Central and Flow Network Security give you those locks without handing you a second platform to operate. Security Central sees every flow, learns what normal looks like, and tells you what policies to build. FNS drops the bad packets at the hypervisor, in br.microseg, before they can reach another VM. Together they close the loop: observe → plan → apply → enforce → monitor → repeat.

If you're already on AHV, the cost of turning this on is a lightweight FSC VM and a few hours of onboarding. The cost of not turning it on is measured in the four hours it takes to isolate the next compromised VM — or in the audit finding you'll explain to your board next quarter.

Zero trust isn't a product you buy. It's a posture you build. Nutanix just happens to give you the shortest path there.