introduction to vmware nsx and network …...introduction to vmware nsx and network virtualization...

1Confidential │ ©2019 VMware, Inc.

Tuan Nguyen, Sr Technical Product Manager

Susan Wu, Sr Product Marketing Manager

Varun Santosh, Sr Product Marketing Manager

Introduction to VMware NSX and Network Virtualization

08/2019

Confidential │ ©2019 VMware, Inc.

Agenda

2

SDN 101- What is Network VirtualizationOptional subtitle

NSX-T Use CasesOptional subtitle

Customer Case – IHS MarkitOptional subtitle

NSX-T ArchitectureProblem definition, components, services, and demo

SummaryResources, Q&A

Confidential │ ©2019 VMware, Inc. 3

host3

host2

host1

VDS

VDS

VDS

host6

host5

host4

VDS

VDS

VDS

rack1 rack2

Network Virtualization

Host virtualization

• Several VMs per host– Snapshot, backup

• vMotion

vMotion across racks?

• Stretch Subnet A to the whole data center?

The case for network overlays

VM1 VM2

Subnet A Subnet B

VM1

Logical View

VM2

Subnet A

Subnet A

Subnet A Subnet B


host3

host2

host1

VDS

VDS

VDS

host6

host5

host4

VDS

VDS

VDS

rack1 rack2

Network Virtualization

How do you:

• Provision physical services

The case for network overlays

VM1

Subnet A

VM1 VM2

Logical View

Subnet A

?

VM2VM1

VM2

VM1 VM2

Subnet A

• Add a new subnet? Delete them?

• Steer traffic through the appliance?

• Overlapping subnets and IP addresses in the same environment?


N-VDS

N-VDS

N-VDS

N-VDS

N-VDS

N-VDS

rack1 rack2

The Overlay ModelIntroducing the segment (a Virtual L2 Broadcast Domain)

Subnet A Subnet B

VM1

VM2

VM1 VM2

Logical View

IP N.1 IP N.2

VM (vNIC) Location

Mac VM1 TEP A.1

Mac VM2

Segment

TEP: Tunnel End Point

TEP A.1

TEP A.2

TEP A.3

TEP B.1

TEP B.2

TEP B.3TEP A.3 TEP B.3

Segments are instantiated on the hypervisors

N-VDS: NSX Virtual Distributed Switch (NSX data plane)

Segments are extended between hypervisors using IP tunnels

NSX maps the virtual elements to the physical network

What if the workload moves


NSX Controller

NSX Manager

Private Cloud

NSX-T componentsNSX Architecture

ESXi host

N-VDS

KVM host

N-VDS

NSX EdgeBare MetalServer

NSX

LinuxVM

NSX

WindowsVM

NSX

NSXCloudGW NAT

VMs Containers

VM Cluster (scale out + redundancy)

NSX Manager Appliance

NSX Manager Appliance

NSX Manager Appliance Cloud Service Manager

NSX Container Plugin

vCenter(s)

CMP, Automation

Public Cloud

VMware Cloud on AWS

DataPlane

Transport Nodes:

• Host workloads (VMs, containers) and services

• Switch data plane traffic

ControlPlane

• Maintain and propagate dynamic state within the system

ManagementPlane

• UI/API entry point, Store desired configuration

• Interact with other management components


NSX Terminology

Transport Node (TN)

Data plane node prepared for NSX and participating in traffic forwarding. Ex: Hypervisor, Edge Node, bare metal server with NSX Agent

NSX Virtual Distributed Switch (N-VDS)

NSX software component that performs switching on a Transport Node (N-VDS typically owns several physical NICs on the Transport Node)

Transport Zone (TZ)

Defines the boundary for logical networks over the physical infrastructure. (N-VDS on the transport nodes binds to specified Transport Zone)

Logical Segment (LS)

A virtual Layer 2 broad-cast domain created within a Transport Zone

N-VDS N-VDS N-VDS

host host hostNSX Edge

Transport Zone “TZ1”Overlay LS1

Overlay LS2LS not extended to this TN as it is not attached to TZ1


Register compute manager and create transport zone to deploy N-VDSNSX-T Switching

Screen Capture on the NSX-T Manager UI

NSX Manager

vCenter

web1 web2 app1

OVERLAY_TZ1


Create logical segments and attach the VMsNSX-T Switching

NSX Manager

vCenter

web1 web2 app1

LS-T1-WEB LS-T1-APP


OVERLAY_TZ1


The routing function:• is distributed on the transport nodes• is performed in kernel space of the transport node• is not a VM

NSX-T Logical RoutingInstantiated on every transport node

Transport Node

web1 app1

app1web1

Logical View

segment1 segment2

segment1segment2

Overlay Tunnel

Transport Node 1 Transport Node 2

Physical Implementation

web1 app1

segment1

segment2

Physical Implementation


NSX-T Logical RoutingCreate logical router and connect the segments


NSX Manager

vCenter

web1 web2 app1

LS-T1-WEB LS-T1-APP

T1-WEB

OVERLAY_TZ1

T1-APP

DFW-T0


Switching

NSX-T Network ServicesNSX goes beyond Layer 2

VM1 VM2

Logical View

VM5 VM6

VM3 VM4

VM1 VM2

VM3 VM4

Internet

VM5 VM6

Routing Load Balancing

VPN Firewalling Connect to physical

NAT DHCP Meta Data Proxy

N-VDS

N-VDS

N-VDS

N-VDS

N-VDS

N-VDS

rack1 rack2

TEP A.1

TEP A.2

TEP A.3

TEP B.1

TEP B.2

TEP B.3

Subnet A Subnet B

Proxy


NSX Cross Cloud SecurityConsistent networking and security for applications

Private Cloud AWS/Azure

web1 web2

Web

db1

DB

web3 web4

Web

AD NTP

Services

DNS

• Consistent security policy across clouds– Granular control over E-W traffic

• Consistent operations control across clouds– Consistent tooling on-prem and in

public clouds

• Visibility across clouds– Network flow and packet visibility

for identifying and troubleshooting issues quickly

• Efficient control over cloud networking– Simplified VPN, dual-homed

tunnels for resiliency

Defines security policiesIT

Cloud Service Manager | NSX Manager


NSX Cross Cloud SecurityOn-prem security and load balancing


NSX Manager

web1 web2 db

Web DB

Cloud Service Manager

DFWWP_LB1

DFW_T1_WORDPRESS

DC


web

Web

AWS/Azure

NSX Cross Cloud SecurityCross cloud security and load balancing


NSX Manager Cloud Service Manager

DC

web

Web


Network Automation

Cloud Management

NSX REST API

NSX Manager(s)

vRealize AutomationvRealize Orchestrator

PivotalApplication

Service

Programming Languages Configuration Management


All companies aresoftware companies

(but most are not operating like it.)


ESX

NSX Evolution

BRANCH

DC

EDGE/IOT

PUBLIC CLOUD

PRIVATE CLOUDvSphere


vSphere

BRANCH

BRANCH

EDGE/IOT

TELCO/NFV

BRANCH

BRANCHDCDC

DC

EDGE/IOT

Virtual Cloud NetworkNSX Evolution

Tied Together.Everywhere.

vRNI

CLEAR VISIBILITY

Virtual Machines | Containers | Bare Metal

VCN


NSX – A Powerful Enabler

Service-Defined Firewall

Multi-Cloud Networking

Network Automation

Cloud-Native Networking





Network Automation



Bringing it togetherVMware Service-Defined Firewall

Learnthe app at a computeand network level

Lockboth network and compute

Adaptsegments as the application changes

Human Expertise[ Knowledge ]

Machine Learning[ scale ]

PROCESS

PROCESS

PROCESS

OS

PROCESS

PROCESS

PROCESS

OS

svc

svc

Modern App

Distributed Firewall | AppDefenseNSX

NSX INTELLIGENCECLOUD


Service Defined FirewallSteps to the solution

Understand the complete application

Dynamic, object-based policy

model

Comprehensive threat detection and

intelligence

Distributed policy enforcement

Visibility and Troubleshooting


SDDC turbo charge Porsche’s infrastructure

Porsche Informatik

“As leading automotive retail group, we are the target of criminal hackers. That’s why the innovative firewall concept part of VMware NSX was so important to us.”

Intrinsic Security : How VMW Infra can turn the tide on Cybersecurity

SEC3412KU | Tues, Aug 27 at 5:30 PM

— Lisa SiegesleitnerSecurity Specialist, Porsche Informatik






Network Automation



Virtualization Layer

NSX Data Center

DATA CENTER

NSX Platform

vSwitch

Workloads


Seamlessly extend to multiple locationsData Center Extension

Data Center Extension

Compute

Storage

Network

Private Cloud Remote Data Center Public Cloud

NSX Data Center

NSXCloud

NSX Data Center

Benefits• Consistent

networking and security

• Improved application resiliency

• Hardware independence

• End-to-end visibility

Disaster Avoidance and Recovery

Workload Mobility


DATA CENTER

vSwitch

CLOUD

Native Clouds

VMware Clouds

NSX Data Center


“With NSX micro-segmentation on VMware Cloud on AWS and the ability to easily and securely interconnect from our legacy systems to VMware Cloud on AWS, we have made a big leap in our digital transformation journey.”

— Néstor RodríguezIT & Change Director, Provident Mexico

VMware helped Provident Mexico with Digital Transformation

Provident MexicoNSX Cloud: Consistently Extend NSX to AWS and Azure

CNET1600BU | Mon, Aug 26 at 3:30 PM






Network Automation



Service Catalog

Cloud Management Platform

Cloud ResourcesNetwork profile

Endpoint Management

Blueprint

Cloud Automation with NSX-T Data CenterDynamically configure NSX-T logical services

NSX-T Services

vRealize Automation –Cloud Automation Services

On Demand Application and Network Delivery

NAT

DHCP

Routing

Distributed Firewall

+ VM VM

VM

VM VM VM

Web

App

Db


How do you automate infrastructure in an application rollout?Network Infrastructure as Code: API Simplicity

Traditional Network Automation

Config…VLAN (multiple switches)IP subnet (Router)Security Policy (Firewall)NAT service (Router)Load Balancing (ADC)

Standardized API ONE JSON File

POST/GET Logical Switch(~12) POST/GET Tier-1 Router(~2)POST/GET NSGroups(~3)POST DFW-Section(~2)POST EDGE Firewall (~2)POST NAT (~2)POST LB Config (~10)

Automation with NSX

PATCH https://<ip>/policy/api/v1/infrra

{

desired outcomehuman-readable JSON

}

…Taken to a New Level

Scripting


Network automation use case

IHS MarkitNetwork Automation with NSX-T and vRealize Automation

CNET2588BU | Wed, Aug 28 at 8:30 AM

“When we bring up an application, it’s automatically tagged and associated with the security polices that we’ve created.”

- Andrew HrycajSenior Network Operations Specialist IHS Markit

Confidential │ ©2019 VMware, Inc.





Network Automation



InfrastructureOperator

Kubernetes is a Critical Piece of a Container-as-a-Service Stack

Image Registry

Framework Lifecycle Management

Security and Networking

Storage Persistence

Virtual Infrastructure

Physical Infrastructure

Monitoring, Logging, Analytics

Cluster Health Monitoring, Healing and Lifecycle Management

Developer

Scheduling, Orchestration, Service Creation

APPS

Scheduling, Orchestration, Service Creation


End-to-end, Troubleshooting, Configuration, Metrics

Unified Separate tools

Networking for Containers: Simple, Lightweight, Portable

Patchwork Do-It-Yourself

Single NSX Stack

Layer 4(Sec Policy)

Layer 7

Layer 3

Layer 2


5.1 million prices changes daily running on Kubernetes + VMs

William Hill Introduction to Container Networking

CNET2604BU | Monday, Aug 26 at 2:30 PM


“With Kubernetes and VMware NSX-T Data Center on-premises, we can scale out easily for major events like the Grand National, where we see five or six times more load than we would do on a normal Saturday.”— Ben Fairclough

Infrastructure Architect, William HIll


Driving Value with our NSX Partner Ecosystem

Cloud

Orchestration and Management Operations and Visibility

The picture can't be displayed.

Networking and Security Services

Network Infrastructure


VMware Networking Customer and Partner Momentum

10,000+ NSX customers

100+ Service Providers Platform for Telco

Networking Community13,000+ certifications issued 31,000+ VMUG-NV members


Software Defined Networking EverywhereSummary

Multi-VendorMultiple vendors

and multiple generations

Any TopologyL2 end-to-end, Spine/Leaf, L3

aggregation etc.

Heterogenous End-points

VMs, containers, bare metal servers

Cross Hypervisor

ESXi, KVM

Multiple CloudsPrivate, public,

hybrid, and edge clouds

41Confidential │ ©2019 VMware, Inc.

Book Signings at the VMware Booth

VMware Cloud on AWS: Networking and SecurityTuesday, August 27 at 11:30 AM

Network Virtualization for DummiesTuesday, August 27 at 5:00 PM

New Book Launch!


How to get startedResources

LEARN TRY

nsx.techzone.vmware.com

CONNECT

TRY

@VMwareNSX#runNSX

Learn ConnectTry

Design Guides Demos

Take a Hands-on Lab

Join VMUG, VMware Communities (VMTN)

introduction to vmware nsx and network …...introduction to vmware nsx and network virtualization...

Documents