NSX for vSphere, intro and use cases Oct 2014

Ángel Villar Garea avillargarea@vmware.com @AVillarGarea

DISCLAIMER

2

This is NOT VMware’s official documentation. It is just my understanding of technology and products. Any inaccuracy or error you may

find it is only my responsibility and not VMware’s.

3

The biggest industry transformation since mainframe to client server computing?

What customers demand

Business/IT Execs Speed and Agility Secure Infrastructure Time-to-Market Competitive Advantage

4

IT Operations Efficiency of change

IT Infrastructure & Security Data Center Micro-segmentation Scale-out DMZ Network hardware choice Compute capacity utilization

Data Center Virtualization Layer

Intelligence in Software Operational Model of VM for Data Center Automated Configuration & Management

The Software Defined Data Center (SDDC)

Software

Hardware Compute, Network and Storage Capacity Pooled, Vendor Independent, Best Price/Performance Infrastructure Simplified Configuration & Management

5

Compute Virtualization Abstraction Layer

The Network Is a Barrier to Software Defined Data Center!!

Physical Infrastructure

Software Defined Data Center

•  Provisioning is slow •  Placement is limited •  Mobility is limited •  Hardware dependent •  Operationally intensive

6

Physical Infrastructure

•  Provisioning is slow •  Placement is limited •  Mobility is limited •  Hardware dependent •  Operationally intensive

Introducing VMware NSX

Network Virtualization with NSX

L2 Switch Firewall

Operational model of a VM

Sofare

•  Programmatic provisioning •  Place any workload anywhere •  Move any workload anywhere •  Decoupled from hardware •  Operationally efficient Load Balancer L3 Router

7

Virtual Network – A Complete Network in Software

Internet

8

VMware NSX – Networking & Security Capabilities

Any Application (without modification)

Virtual Networks

VMware NSX Network Virtualization Platform

Logical L2

Any Network Hardware

Any Cloud Management Platform

Logical Firewall

Logical Load Balancer

Logical L3

Logical VPN

Any Hypervisor

Logical Switching– Layer 2 over Layer 3, decoupled from the physical network Logical Routing– Routing between virtual networks without exiting the software container Logical Firewall – Distributed Firewall, Kernel Integrated, High Performance Logical Load Balancer – Application Load Balancing in software Logical VPN – Site-to-Site & Remote Access VPN in software NSX API – RESTful API for integration into any Cloud Management Platform Partner Eco-System

9

VMware NSX Transforms the Operational Model of the Network

Network provisioning time reduced from days to seconds

Reduce network provisioning time from days to

seconds

Cost Savings

Reduce operational costs up to 80% Increase compute asset utilization up to 90% Reduce hardware costs by 40-50%

Operational Automation Simplified IP hardware

Choice

Any Hypervisor: vSphere, KVM, Xen, Hyper-V Any CMP: vCAC, OpenStack Any Network Hardware Broad Partner Ecosystem

Any hypervisor Any CMP

with Partner

10

Gartner Data Center Networking Magic Quadrant 2014

11

“The  NSX  solu-on  should  be  considered  by  exis-ng  VMware  customers  as  a  way  of  providing  network  agility  and  reducing  network  opera3onal  challenges  within  the  data  center.”    

Gartner  Data  Center  Networking  Magic  Quadrant,  April  24,  2014

12

Use cases

Rack N’ Roll!!

13

Web

App

Database

VM VM

VM VM VM

VM

Deploy Applications from CMP VMs, Logical Networks and Security

Add Capacity on Demand

Virtual Networks are isolated from each other (Overlapping IP Addresses)

Virtual Networks are isolated from underlying physical network (IPv6 over IPv4)

Multitenancy – Complete Isolation

14

Problem – Data Center Network Security Perimeter-centric network security has proven insufficient, and micro-segmentation is operationally infeasible

Little or no lateral controls

inside perimeter

Internet Internet

Insufficient Operationally Infeasible

15

CONFIDENTIAL 16

Solution – Micro-segmentation with NSX

CONFIDENTIAL

Control Plane NSX Manager

Physical workloads and VLANS

Data Plane Distributed switching, routing, firewall

REST API

Management Plane vCenter

Unit-level trust

§  Each hypervisor has its own firewalling with flexible granularity: entire data center down to the vNIC

§  Security is shrink-wrapped around each workload

§  Faults and threats are contained with micro-granularity

CONFIDENTIAL 17

Control Plane NSX Manager

Physical workloads and VLANS

Data Plane Distributed switching, routing, firewall

REST API

Management Plane vCenter

Central Management / Distributed Control

§  Security policies are coordinated and centralized

§  Security actions are orchestrated centrally

§  Firewall policies are provisioned, moved, and retired with their associated workloads

Solution – Micro-segmentation with NSX

Segmentation with NSX

18

DMZ/Web VLAN

App VLAN

HR

Finance

Services/Management VLAN

DB VLAN

HR Finance

Services Mgmt

Finance HR

Perimeter firewall

Inside firewall

Perimeter firewall

DMZ/Web

App

DB

HR Group

App

DMZ/Web

DB

Finance Group

Services Mgmt

Services/Management Group

Traditional Data Center NSX Data Center

§ Each VM can now be its own perimeter § Policies align with logical groups

§ Control communication within a single VLAN

NSX segmentation simplifies network security

Service Insertion Example – Palo Alto Networks Next Gen Firewall

Internet

Security Policy

Security Admin

Traffic Steering

19

Automated Security in a Software Defined Data Center Quarantine Vulnerable Systems until Remediated

Security Group = Quarantine Zone!Members = {Tag = ‘ANTI_VIRUS.VirusFound’, L2 Isolated Network} !

Security Group = Web Tier!Policy Definition Standard Desktop VM Policy þ Anti-Virus – Scan Quarantined VM Policy þ Firewall – Block all except security tools þ Anti-Virus – Scan and remediate

20

NSX Controller

NSX API

Partner Extensions Network

Security Platform

Network Gateway Services

Application Delivery Services

Security Services

+

Cloud Mgmt Platforms

NSX Extensibility – Partner Integration

21

More on NSX Technology Partners: http://www.vmware.com/products/nsx/resources.html

Questions

22

More information

23

Description Link

VMware NSX web site http://www.vmware.com/products/nsx/

NSX and SDDC dedicated web site http://virtualizeyournetwork.com/

VMware NSX Twitter https://twitter.com/vmwarensx

Hands-on-Labs Networking http://labs.hol.vmware.com/HOL/catalogs/catalog/130

VMware NSX customer case – WestJet http://www.youtube.com/watch?v=3OsXGuZjxxY

VMware NSX customer case – Colt http://blogs.vmware.com/networkvirtualization/2014/08/vmware-nsx-customer-story-colt-decreases-data-center-networking-complexity.html

VMware NSX customer case – NTT http://www.vmware.com/company/news/releases/vmw-ntt-netvirt-061013

Brad Hedlund on end-to-end visibility in VMware NSX http://www.youtube.com/watch?v=wRL47AmFAUU

VMware NSX and Splunk - Operational Visibility Across Virtual and Physical Domains http://www.youtube.com/watch?v=PzMvQFeojCk

Thank you