NEDG2600BU Achieving a Best-of-Breed SD-WAN
TRANSCRIPT
Achieving a Best-of-Breed SD-WAN Technology Ecosystem
Tony Banuelos, VMware, Inc.
#vmworld #NEDG2600BU
NEDG2600BU
VMworld 2019 Content: Not for publication or distribution
©2019 VMware, Inc.
Forward Looking Statements
Disclaimer
• This presentation may contain product features or functionality that are currently under development.
• This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.
• Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.
• Technical feasibility and market demand will affect final delivery.
• Pricing and packaging for any new features/functionality/technology discussed or presented, have not been determined.
The information in this presentation is for informational purposes only and may not be incorporated into any contract. There is no commitment or obligation to deliver any items presented herein.
Virtual Cloud Network (VCN)
Tied Together. Everywhere.
[Diagram labels: vSphere; Branch; DC; Edge/IoT; Telco/NFV; vRNI: Clear Visibility; Containers | Virtual Machines | Bare Metal]
Emerging Trends for WAN Edge
• Hyperscale
• Client to Cloud to Container
• Multi- & Hybrid Cloud
• Native Advanced Security
• Advanced Analytics
• Self-healing Networks
SD-WAN enables all enterprises to reach any cloud - private, public, mid-mile, security, application, IoT - securely at scale.
Agenda
VMware SD-WAN Overview
VMware SD-WAN as a Security Platform
VMware SD-WAN as a Network Monitoring Platform
VMware SD-WAN as a Multi-Cloud Platform
Summary
VMware SD-WAN by VeloCloud Overview
Cloud-Delivered Network for Today’s Cloud Era
The Cloud is the... Data Center | Application | Storage | Network
VMware SD-WAN by VeloCloud Benefits
Simplified WAN Management
• Zero-touch deployments, simplified operations, one-click service insertion
Assured Application Performance
• Transport independent performance for the most demanding apps, leverages economical bandwidth
Managed On-ramp to the Cloud
• Direct cloud access with performance, reliability and security
[Diagram labels: Software Defined WAN Overlay; Branch Edges; Datacenter Edges; SaaS / IaaS; SD-WAN Overlay; Private / MPLS; 3G/4G LTE; Internet Broadband; VMware SD-WAN Orchestrator; Cloud Gateways]
Multi-Tenant All-In-One Orchestration
Multi-tenant managed IT portal * Enterprise wide * Site drill down: link and usage discovery
• Zero-touch provisioning
• Group business-level policies
• Automatic link profiling
CLI
VMware SD-WAN “Zero Touch Provisioning” (ZTP): Unique Flexibility of Two Options
• No IT required on-site nor online
• No pre-staging required
• No security risk if box lost
• No site by site link profile needed
Pull Activation
• Handles static IP / No serial number tracking
Push Activation
• No activation code to installer
Interchangeable approaches:
• Can install (Push) then still follow up with activation code
• Can Pull but use staging profile, then Push final profile
[Diagram labels: Step 1, Step 2 (for each option); Orchestrator; Activation code; Pull config; Staging Profile; Call home; Push config; Logical Edge Profile; Physical install only]
Assured Application Performance over Any Type of Link
VMware SD-WAN DMPO - MEASURE, STEER, REMEDIATE
Continuous Link Monitoring
• Drives automation and optimization
Dynamic Per Packet Steering
• Sub-second steering without session drops
• Aggregated bandwidth for single flows
On Demand Remediation
• Protects against concurrent degradation
• Enables single link performance
End-user Experience
Video conference over a WAN link with 2% packet loss
[Figure: side-by-side comparison, Without VMware SD-WAN | With VMware SD-WAN]
• O365 on a Single Link (Brownout condition) from Branch in Thailand to Gateway in Singapore
VMware SD-WAN
Non-SDWAN
Optimized Performance for Cloud Apps – Office 365
Cloud Infrastructure
Cloud Scale Redundancy
SSAE16 Type II Audited Data Centers
99.99% Reliability SLA
Regions
30
Orchestrators
60+
Gateways
1000+
VMware SD-WAN as a Security Platform
Admin access security
VMware SD-WAN by VeloCloud Orchestrator Single Sign-On
VeloCloud Orchestrator Admin authentication performed by IdP
VCO redirects login to IdP
1. Admin clicks Sign In with provider option button
2. Enters assigned Enterprise domain
3. VCO redirects to IdP sign-in page
4. Admin successfully signs in with IdP and is redirected to VCO management landing page
Manage SD-WAN Network
Network Security
Why VMware SD-WAN: Simple Control and Management To Secure WAN Traffic
Per-Application Business Policies
• Utilizing Deep Application Recognition and Business Policies, VMware SD-WAN allows enterprises to selectively backhaul Internet traffic to DCs and simplify Cloud Migration without compromising user traffic filtering
Cloud Web Security (CWS) Integration
• Architecture to integrate with the major Cloud Web Security (CWS) services in a secure and scalable manner
VNF Integration
• Leverage Firewall VNFs to build a strong security ecosystem for branch of the future
Segmentation
• Further Segregation of trusted and untrusted user traffic at the branch
Distributed Services Insertion
• VMware SD-WAN by VeloCloud Dynamic Multipath Optimization delivers application performance and reliability to cloud
• Automated tunneling eliminates site by site configurations
• Single-click Application-Aware Policies for granular service insertion
[Diagram labels: Branch Site; VMware SD-WAN Edge by VeloCloud; VNF or Native Security; VMware SD-WAN Edge Hub; VMware SD-WAN Gateway by VeloCloud; Dynamic Multi-Path Optimization; Internet / web; Datacenter; On-premises Security, Corporate / Regional; Cloud Security Service; Intelligent Backhaul Security]
VMware SD-WAN Security for OnPrem Branch Deployments
Partner NGFW
• Delivery Model: Partner Virtual Network Function
• Management: Simple service insertion from VCO; Multi-vendor management (VMware SD-WAN Orchestrator and Partner VNF Orchestrator)
• Target Enterprise Market Segments: Security First Enterprises
VMware Stateful Firewall*
• Delivery Model: Native Integration
• Management: Single Orchestrator for SD-WAN and Security (VMware SD-WAN Orchestrator)
• Target Enterprise Market Segments: All Market Segments (SMB-Large)
Partner CWS
• Delivery Model: Partner Cloud Security
• Management: Simple service insertion from VCO; Multi-vendor management (VMware SD-WAN Orchestrator and Partner VNF Orchestrator)
• Target Enterprise Market Segments: All Market Segments (SMB-Large)
* Coming Q4CY2019
Cloud Web Security (CWS) Integration Options
• Simplify tunnel configuration to Cloud Web Security
• VCGs are in close proximity to the partner Cloud Web Security PoP. Leverage DMPO for performance.
• Per-app service insertion when connecting through VCG or direct from Edge
[Diagram labels: IPSec; Direct tunnel from Edge; DMPO tunnel to VCG, VCG to CWS]
Cloud Web Security Service Insertion
Simple insertion of security services
Cloud Security via VMware SD-WAN Gateway
• Untrusted mission-critical internet traffic uses DMPO up to CWS via VCG
Cloud Security Direct from Branch
• Untrusted non-mission critical web traffic goes direct to internet via CWS
[Diagram labels: Internet; MPLS; Web bound traffic needing inspection]
New Internet Backhaul Option for CSS
New capability
Provide option for CSS when it is configured.
• Creates a business policy rule for internet backhaul via CSS.
• Backhaul is achieved just like GW, create a backhaul business policy rule for direct.
VMware SD-WAN Virtual Services Platform
3rd-party Firewall VNF on Edge
Virtual Ready Edges
ETA: Oct CY 19
(Edge 520v, Edge 840)
Available NOW
Leverage best-of-breed VNF with SD-WAN
Simple, one-click service insertion
Automate VM lifecycle and registration
VMware SD-WAN Edge
On-Prem Security Services Partner VNF
Single Box solution with best of breed network services
VMware SD-WAN Edge OS
VMware SD-WAN Native Security
Security Service: Stateful Firewall
• Delivery Mode: Native Integration
• Management: Single Orchestrator for SD-WAN and Security (VMware SD-WAN Orchestrator)
• Market Segments: Target Enterprise Market Segments
• Target Release: Q4CY2019
Security Service: URL Filtering
• Delivery Mode: Native Integration
• Management: Single Orchestrator for SD-WAN and Security (VMware SD-WAN Orchestrator)
• Market Segments: Security First Enterprises
• Target Release: Q1CY2019
VMware SD-WAN as a Network Monitoring Platform
VMware SD-WAN Network Visibility
Open Interfaces for monitoring
• SD-WAN platform provides system level events, device and link status, traffic flow details and network topology details
• Protocols supported: Netflow IPFIX, RESTful API, SNMP* v2 and v3, Syslog*
• Partners will obtain SDK documentation, Netflow template definitions, list of system events and alerts and SNMP MIB definitions
• External open interfaces provide the platform necessary to perform advanced network monitoring and analytics
[Diagram labels: Netflow Collector; Internet; MPLS; VCO; VMware SD-WAN Hub Edge; VMware SD-WAN Edge; VCG; Netflow IPFIX; SNMP*; Syslog*; API]
*Coming Q4CY2019
External monitoring integrations (vRNI and Plixer)
vRNI: Most Comprehensive Network & Security Visibility Solution
Agent-less, Vendor-neutral, End-to-End, Scale-out Software Solution
• VMC, Public Clouds (VMC, AWS, Azure, etc.)
• Containers (K8s, PKS, OpenShift)
• Virtual (NSX V & T, PACE, vSphere)
• Physical Network (Switches/Routers)
• FW and LBs
• SD-WAN Edges
In-band Telemetry
vRNI: App-Centric workflows
[Diagram labels: Flows; Blueprints/Templates (CAS); Compute Managers, PACE; SNOW (CMDB); Tags; Packet Signatures/DPI; Endpoint Process; APM/Sec tool; User Config; VM Names; Future]
Automated App Reconciliation, Mapping
App-Centric Network Operations
• Application network topology, APM and troubleshooting
App-Centric Security Visibility/Planning
• Assessment, Planning business level policy
• Detect unprotected apps
App-Centric Predictive Analytics based on Collective Intelligence
• Outlier, Threshold, Behavior Analysis
VMware SD-WAN Network Visibility
End-to-end Visibility and Analytics across Branch, WAN, SDDC, Cloud for NSX/non-NSX customers
Use-Cases: Assessment | Visibility & Analytics | Troubleshooting | Capacity Planning | Security*
• Analyze existing WAN Infra; B/W analysis, type of traffic, Infra/App QOE; Cost Optimization Recommendation
• Dashboards, Site/App/Flow Analysis; Top Performance Dashboards Analytics; Path visibility and hotspots (SDDC to branch to SAAS apps)
• Predictive based on ML; Current capacity based on analytics.
• Unprotected Apps; Business Policy recommendation; Audit & Compliance
*Future
[Diagram labels: VCO; Edges/Hubs; Config, Runtime; IPFIX, SNMP*]
Plixer Scrutinizer SD-WAN view
Application Policies
Application Priority
Application Route Type
VMware SD-WAN as a Cloud Platform
SD-WAN On-Ramp to IaaS
Flexible Hybrid and Multi-Cloud support
On-Ramp via SD-WAN Cloud Gateways
• Aggregate multiple Internet links
• Reduce Management Cycles
• Extend SD-WAN to IaaS Door Step
On-Ramp via SD-WAN virtual Edge
• Simplify Hybrid Connection
• Enable End to End SD-WAN
• Launch Virtual Edge from Marketplace
[Diagram labels: VMware SD-WAN Cloud Gateways; IPSec; VMware SD-WAN Edge; VMware SD-WAN Virtual Edge; SD-WAN; CY2H2019]
Seamless Service Insertion for On-Prem and Cloud Deployments
Flexible Hybrid and Multi-Cloud Support
[Diagram labels: Public Internet; Private Data Center Edges; Provider Edge; Internet; MPLS; Private Circuit; Orchestrator; Branch; IPSec; VMC/NSX Cloud; Azure vWAN; AliCloud; CY 2H 2019]
VMware SD-WAN + Azure virtual WAN: Simplify deployment with automation
Azure Virtual WAN
• High scale and throughput VPN headend
• Low latency, optimal routing within Azure
• Single tunnel to reach multiple Azure workload
Integration with VMware SD-WAN
• Simplified and aggregated secure connectivity vs NxN manual tunnel configuration
• Optimized last mile access vs best effort
[Diagram labels: VMware SD-WAN Edge; VMware SD-WAN Cloud Gateway; SD-WAN; IPSec; Azure Virtual Hub]
VMware SD-WAN + AWS: Leveraging AWS native Transit GW solution
• Enterprise Option 1: Available Today
• Enterprise Option 2: (Q4 2019)
• MSP Option: Available w/ Static Route
[Diagram labels: VMware SD-WAN Edge; VMware SD-WAN Gateway; AWS Transit Gateway; IPSec; MSP hosted Multi-tenant GW]
VMware SD-WAN + Google Cloud
Automate access to Google Services
Challenges for Enterprise accessing GCP
• Complex firewall configuration due to multiple IP entry points into Google Services in GCP
• Need to allow Cloud Web Security Service bypass for Google Cloud services
With VMware SD-WAN
• Simplified IP entry points into Google Services via cloud gateways
• Built in outcome driven policies to automate and simplify configuration
[Diagram labels: 1000s Branches; 10s Data Centers; MPLS; Internet; VMware SD-WAN Orchestrator; BigQuery; Cloud VPN; Non-Google Traffic; Google Traffic]
Summary
• SD-WAN is not just WAN networking
• VMware SD-WAN platform enables the delivery of best in class security, cloud and monitoring services
• VMware SD-WAN will provide the most secure and optimal path to your end users applications