vmware nsx - all in the loop operations –summary of ... arkin confidential 31 virtual: vmware...

VMware NSXThe Platform for Network and Security Virtualization

Frederick [email protected], Sr. Specialist Systems Engineer,Networking & Security

What VMware does best…

2

…

…

App

VM

Server Virtualization

x86

Server Virtualisation

Create + Snapshot+ Store+ Move+ Delete+ Restore------------------------------------------------------= Automated and Programmatical Model

Physical Network

App

VM

App

VM

Physical Network has not evolved.

Static Services remain unchanged last decade(s)

Operational Overhead:- to link the Automated with Static- to secure the Automated with Static- to extend the Automated with Static

The foundation remains unchanged;Everything needed for end-to-end, secure communications is static and not programmable

DHCP

L2L3

FW

VPN

IPS

LB

“ANY”

“MANY”

What VMware does best… applied to network services

3

…

…

App

VM

Network and Server

Virtualization

x86

Physical Network

App

VM

App

VM

L2 L3 FW

VPNIPS LB

“ANY”

“MANY”

Pooled compute and network capacity

Vendor and topology independent

Simplified configuration & Management

Intelligence in the Virtualization Layer

!! …No longer tied to a box…!!

An SDN platform to enable true SDDC

Network Virtualisation

Create + Snapshot+ Store+ Move+ Delete+ Restore------------------------------------------------------= Automated and Programmatical Network

VMware NSX: Virtualize the Network

LogicalSwitching

LogicalRouting

LoadBalancing

Physicalto Virtual

Firewalling& Security

Layer 2 over Layer 3, decoupled from the physical network

Routing between virtual and physical networks

Application Load Balancing for VMs or entire networks

Bridging physical workloads with virtual ones(VXLAN <> VLAN)

Distributed Firewall, Kernel Integrated, High Performance, 3rd Party integration

VPNDistributed Firewall, Kernel Integrated, High Performance, 3rd Party integration

APIRESTful API for integration and consumption from any Cloud Management Platform

Virtual Networks – Like Virtual Machines for the Network

Internet

Creating Sophisticated Application Topologies

Web-Tier

App-Tier

DB-Tier

VMs Connect to Virtual Networks

Virtual Networks Connect tonon-virtualized Workloads

Security Enforcement atvnic level

With Physical ServicesIntegration

NSX Components

Cloud Consumption • Self Service Portal

• vCloud Automation Center, OpenStack,

Custom CMP

Data Plane

NSX Edge

ESXi Hypervisor Kernel Modules

Distributed Services

• High – Performance Data Plane

• Scale-out Distributed Forwarding Model

Management Plane

NSX Manager

• Single configuration portal

• REST API entry-point

Control Plane

NSX Controller

• Manages Logical networks

• Control-Plane Protocol

• Separation of Control and Data Plane

Distributed

Firewall

Distributed

Router

Logical

Switch

Lo

gic

al N

etw

ork

Ph

ys

ica

l

Ne

two

rk

…

…

Backplane

From the POV of a switch

8

RE / Control Plane

B

L

A

D

E

B

L

A

D

E

B

L

A

D

E

B

L

A

D

E

B

L

A

D

E

B

L

A

D

E

Management NSX Manager vCenter1:1

ESXi

(vSwitch)

NSX ControllerNSX Controller

NSX Controller

ESXi

(vSwitch)

ESXi

(vSwitch)

ESXi

(vSwitch)

ESXi

(vSwitch)

IP NETWORK

USE CASES

Ground-breaking use cases

10

Enterprises can often justify the cost of NSX through a single use case

Micro segmentation

DMZ anywhere

Secure end user

Security

IT automating IT

Multi-tenant infrastructure

Developer cloud

IT automation

Disaster recovery

Metro pooling

Hybrid cloud networking

Application continuity IT optimization

Server asset utilization

Price | performance

Hardware lifecycle

$

Breaches still occur in data centers with a secure perimeter

1 2 3

4 5 6

Today’s data centers are protected by strong perimeter defense…

But threats and exploits still infect servers. Low-priority systems are often the target, and SSL is no guarantee of protection.

Threats can lie dormant, waiting for the right moment to strike.

Attacks spread inside the data center, where internal controls are often weak. Critical systems are targeted.

Server-server traffic growth has outpaced client-server traffic. The attack spreads and goes unnoticed.

Possibly after months of reconnaissance, the infiltration relays secret data to the attacker.

11

Targeted system

Critical system

The solution is Micro-SegmentationAssume everything is a threat and act accordingly.

SegmentationIsolation Advanced services

Controlled communication path within

a single network

Advanced services: addition of 3rd

party security, as needed by policy

No communication path between

unrelated networks

12

Central Policies, Distributed Enforcement, Move with VMs

Internet

Security PolicySecurity Policy

- Reduce Choke Point Security

- Centrally Define Policies, Distribute Rule Enforcement for Segmentation

- Security Policies Move with VMs

- Changes to central policies automatically

distributed to affected VMs

Service Insertion – Example: Palo Alto Networks Next Gen Firewall

Internet

Security Policy

Security Admin

TrafficSteering

Standard Desktop VM Policy

Anti-Virus – Scan

Quarantined VM Policy

Firewall – Block all except security tools

Anti-Virus – Scan and remediate

Automated Security in a Software Defined Data CenterQuarantine Vulnerable Systemsuntil Remediated

15

Security Group = Quarantine Zone

Members = {Tag = ‘ANTI_VIRUS.VirusFound’, L2 Isolated Network}

Security Group = Desktop VMs

Policy Definition

16

A ubiquitous software layer means security is

everywhere

Visibility Policy

Service Insertion

Context

Ubiquitous software layer


17


Micro segmentation

DMZ anywhere

Secure end user

Security

IT automating IT


Developer cloud

IT automation

Disaster recovery

Metro pooling




Price | performance

Hardware lifecycle

$

Why can’t IT move as fast as the business today?

The business

wants their

applications

now! Physical Network Complexities

Manual Config& Processes

3

More for Less

slow restrictive riskyinconsistent

Application with on-demand networking & securityDeployed and managed in the application context

19

Logical Switch

Logical Router

NSX

Logical Firewalling

Logical Load Balancer

On-Demand Application Delivery

Web

App

Database

vRealize Automation

Network Profiles

Security Policies Security Groups

Multi-Machine Blueprint

Service Catalog

API

APIs

Support for multi-tier apps on multiple

networks or single flat network

Automating app updates and changes App blueprints can be updated and changes automatically pushed out

Standardize configurations

Avoid configuration drift

Centrally update policiesChanges made to blueprintblueprint

20

Accelerate workload deployment Avoid risk from human errors Compliance and auditability


21


Micro segmentation

DMZ anywhere

Secure end user

Security

IT automating IT


Developer cloud

IT automation

Disaster recovery

Metro pooling




Price | performance

Hardware lifecycle

$

NSX Logical Networking and Security (6.1 and earlier)

CONFIDENTIAL

Single NSX Domain can spanmore than one site

vC with NSX Manager

vC with NSX Manager

vC with NSX Manager

Logical Switch

Local VC Inventory Local VC Inventory Local VC Inventory

vCenter A vCenter B vCenter C

NSX ControllerCluster



Distributed Logical RouterDistributed Logical Router Distributed Logical Router

Logical Switch

Logical Switch

22

Distributed Logical Router

Cross-VC NSX Logical Networking and Security

CONFIDENTIAL 23

vC with NSX Manager

vC with NSX Manager

vC with NSX Manager

Logical Switch

Local VC Inventory Local VC Inventory Local VC Inventory

vCenter A vCenter B vCenter C


Logical Switch



Distributed Logical Router

Logical Switch

Distributed Logical Router Distributed Logical Router

LogicalSwitches

Beyond the

Datacenter

Public

CloudInternet/

WAN

VM VM VM APP

CONTINUITY

BURSTING

AUTOMATION

Monitoring and Troubleshooting

NSX Operations – Summary of Capabilities

NSX for vSphere

Logical Network HealthUI: NSX Manager

CLI: Central NSX Controller, NSX Edge

VM to VM connectivity (Logical) NSX Controller Central CLI, Host level CLI

Traffic Flow visibilityIPFIX (VDS)

NSX Edge – Flow Monitoring

Traffic Analysis per VMRSPAN/ERSPAN (VM Traffic)

UW Packet Capture (Overlay)

Network Inventory, Fault Management NSX Manager, SNMP (MIBS for ports, Switch etc)

Multi-level logging, Event tracking & Auditing Syslog Export (NSX controller, NSX Manager, NSX Edge etc.)

Transport (Overlay) HealthNSX Manager Connectivity Check

NSX Controller Central CLI, Per host CLI

Upgrade Management NSX Manager (Automated VIB and Controller upgrades)

API visibility NSX Manager API

External Tools vROPs, Log Insight

DFW Dashboard - Overview

27

DFW Dashboard - Traffic

28

DFW Dashboard - Hypervisor

29

Big Data applied onphysical and virtual networks

Platform Overview

Arkin Confidential 31

VIRTUAL:

VMware vSphere, VMware NSX

(Edge, Controller, LDR), Palo Alto

Virtual Firewalls

PHYSICAL:

Cisco, Juniper, Arista, Brocade,

Dell, HP, VCE, Palo Alto, ..

HYBRID CLOUD:

IBM Softlayer, AWS

ARKIN SDDC MODELS, SEARCH & ANALYTICS

APPLICATION

CONNECTIVITY ACROSS

OVERLAY & UNDERLAY

VXLAN MANAGEMENT

AND ANALYTICS

MICRO-SEGMENTATION

MODELING & DFW

OPERATIONS

Application Visibility Across Overlay And Underlay


Connectivity Graphs

VM to VM, VM to Physical, VM to

Internet

Hop-by-Hop Path across Overlay

(LDRs, Edge Gateways) and Underlay

(Physical VDCs & VRFs). See V-To-P

Boundary

Correlated Problems And Performance

Metrics Across Virtual and Physical

See Effective Firewall Rules and

Security Policies in Distributed

Environment

Confidential 33

Security Planning: Flow Analysis & NSX Micro-Segmentation


Breakdown of Data Center Traffic by

East-West, VM-to-VM, VM-to-Physical,

Switched, Routed, etc.

Risk Analysis and SDDC Benefits

Compilation

NSX Micro-Segmentation Examples

(Security Groups and Firewall Rules)

Confidential 35

Confidential 36

SummaryVMware NSX is The Platform for Network Virtualization

Reliability: Built for high availability and business continuity. No single point of failure. Distributed architecture

Security: Native multi-tenancy capabilities. Secure workload separation and segregation. Compliance

Scalability: Unmatched oversubscription ratios and performance. Thousands of logical entities

Flexibility: VMware NSX operates on anyone’s Ethernet/IP fabric. No changes in fabric and/or compute topology required

Visibility: Sophisticated tools for troubleshooting, traffic pattern characterization and traffic statistics

37

Reducing the friction from before

Faster time to market and time

to value

OpEx savings and productivity

gains

Increased competitive advantage

23

IT as leader and innovator

speed agility securitystandardization

Questions ?

TitleArtificial Intelligence

Visit our partners

11:30 – 12:00

15:30 – 16:00

17:30 – 18:00

Leader in virtualization Solutions for DataCenters

vmware nsx - all in the loop operations –summary of ... arkin confidential 31 virtual: vmware...

Documents