vRA + NSX Technical Deep-Dive

Upload: vmug-it

Posted on 14-Jan-2017


Page 1: vRA + NSX Technical Deep-Dive

© 2015 VMware Inc. All rights reserved.

vRealize Automation 7.0

vRA + NSX Deep-Dive

Jad El-Zein

Principal Architect, CMBU

@virtualjad | virtualjad.com

#VMUGIT

Page 2: vRA + NSX Technical Deep-Dive

Agenda

1 About me

2 NSX + vRA Use Cases

3 Unified Service Delivery in CBP

4 Extensibility

5 Q&A

Page 3: vRA + NSX Technical Deep-Dive

About me…


Washington, DC

Napoli, IT

Page 4: vRA + NSX Technical Deep-Dive

My time in Napoli….


Page 5: vRA + NSX Technical Deep-Dive

My time in Napoli (so far)….


Page 6: vRA + NSX Technical Deep-Dive

Simplified Application Centric Network and Security

[Diagram: Web, App and Database tiers, each a group of VMs on its own NSX network and security segment]

• Applications configured with dedicated or shared virtual switches and routers depending on needs

• Application level micro-segmentation security

• Dynamic configuration of application specific load balancers without expensive physical hardware

• Networks configured to meet unique performance needs of each application

Dynamically configure NSX network and micro-segmentation unique for each application

Page 7: vRA + NSX Technical Deep-Dive

Application Deployment with On-Demand Networking & Security

• Logical switches and routers are created on demand by NSX when the user creates an application

• Single machine, single-tier or multi-tier topologies

• Supports NAT and routed topologies

• Automated IP addressing of both VMs and subnets

• On-demand security groups built per app and per tier with VMs placed into groups

• App isolation option

• Security policies applied to dynamically created groups

• Load-balancer configuration dynamically deployed and dedicated to application

[Diagram: Web/App tier and Database tier VMs on on-demand networks]

Page 8: vRA + NSX Technical Deep-Dive

Application Deployment with On-Demand Micro-Segmentation

• Networking is pre-created by NSX admin

• VMs placed on pre-created logical switches

• On-demand security groups created when application is deployed

• Security policies applied to dynamically created groups

• Micro-segmentation on larger L2 networks

• Load-balancer configuration dynamically deployed

• VMs and security groups removed when app destroyed but networking remains

[Diagram: Web/App tier and Database tier VMs on pre-created logical switches]

Page 9: vRA + NSX Technical Deep-Dive

Application Deployment into Existing Network and Security Services

• Pre-created logical switches and routers defined by the NSX admin - VMs are wired to pre-created switches

• Security Groups pre-defined to match security tags for each tier of application

• When a cloud user selects a catalog item VMs are wired to NSX switches and tagged with appropriate security tags

• Enforcement is based on combining the tag with the rules in the security group

• Applications can be single tier or multi-tier – typically routed topologies

[Diagram: Web/App tier and Database tier VMs wired to pre-created NSX switches]

Page 10: vRA + NSX Technical Deep-Dive

Application-Centric Service Design

NSX and the Converged Blueprint Designer

Page 11: vRA + NSX Technical Deep-Dive

Unified Service Delivery – Converged Blueprint Designer

• Micro-segmentation for application stack via automated security policy enforcement

• NSX on-demand and existing security groups and tags

• Automated connectivity to existing or on-demand dynamically created NSX networks

• On-demand dedicated NSX load balancer for application

Page 12: vRA + NSX Technical Deep-Dive

App-Centric Service Design


Page 13: vRA + NSX Technical Deep-Dive

Infrastructure as Code

• Ability to read and create blueprints with a text editor of choice

• Save them in source control (e.g. Git)

• Machine blueprint in YAML format

• Application & Software blueprints currently in JSON format (for beta), moving to YAML by GA

• Import/Export in same or multiple vRA instances

• Complete Blueprint is exported into a zip compressed format similar to the current ASD export

Import / Export Complete Blueprints as YAML

Page 14: vRA + NSX Technical Deep-Dive

LifeCycle Extensibility – Centralized Policy Management

• Enable OTB extensibility for IaaS and Application Services dynamically by leveraging the Event Broker Service (EBS)

• Invoke NSX-specific workflows based on a policy-based trigger configured for a specific event

“Invoke vRO Workflow to build a custom NSX service based on the NAME of a blueprint, Custom Property Value, Requestor ID, or machine and platform type….GO!”

Page 15: vRA + NSX Technical Deep-Dive

NSX and vRA Extensibility

• The NSX vRealize Orchestrator Plugin covers many common networking & security operations

• vRO also includes an HTTP-REST Plugin which allows the NSX vSphere API to be directly consumed

  – Allows creation of custom workflows to perform advanced NSX operations, e.g.:

    • Enable Edge HA

    • Modify Edge sizing

    • Configure additional LB features

    • Create NSX Security Groups, Policies or Tags

• vRA 7.0 LifeCycle Extensibility and the Event Broker provide a centralized, policy-driven method of invoking workflows based on any number of trigger events.

• Event Broker allows additional NSX operations to be inserted transparently within the requests

Page 16: vRA + NSX Technical Deep-Dive

Networking-as-a-Service | XaaS Designer

• vRealize Automation XaaS Designer (previously ASD) can be leveraged to quickly deliver standalone workflows, Day 2 operations, and other complex services as-a-service.

• This provides a method of leveraging vRO workflows and plugins via the vRA Self-Service Portal

• XaaS components can also be dragged and dropped directly onto a Blueprint Canvas!

Page 17: vRA + NSX Technical Deep-Dive

Networking-as-a-Service | XaaS Designer


Page 18: vRA + NSX Technical Deep-Dive

vRA on NSX

HA Deployment Architecture with NSX

Page 19: vRA + NSX Technical Deep-Dive

vRA HA Deployment on NSX

NSX Load Balancing Policies

[Diagram: NSX Edge Services Gateway (ESG) hosting the LB VIPs in front of an NSX Distributed Logical Router (DLR); vRA nodes on the App Network, external systems on the Mgmt Network]

vRA VA (OVA) nodes:

vrava01 – Core Services, vPostgres (A), vIDM, vRO

vrava02 – Core Services, vPostgres (P), vIDM, vRO

vRA IaaS (Windows) nodes:

vraiaas01 – Web Service (A), DEM01

vraiaas02 – Web Service (A), DEM02

vraiaas03 – Manager Service (A), vCenter Agent

vraiaas04 – Manager Service (P), vCenter Agent

External systems: AD/DNS, MSSQL, vCenter, NSX Mgr

Networks: App Network 10.10.50.0/24 (addresses shown: 10.10.50.1, 10.10.50.20, 10.10.50.21, 10.10.50.22); Mgmt Network 192.168.1.0/24 (addresses shown: 192.168.1.1, 192.168.1.30)

Legend: (A) Active Node, (P) Passive Node

Load balancer pools:

Pool ID               vraiaasweb-443
DNS CNAME             vraiaasweb.elzein.local
Virtual Server (VIP)  vraiaasweb-vip
Algorithm             Round-Robin
Session Persistence   Source IP
Health                /wapi/api/status/web = "registered"

Pool ID               vraiaasmgr-443
DNS CNAME             vraiaasmgr.elzein.local
Virtual Server (VIP)  vraiaasmgr-vip
Algorithm             NONE
Session Persistence   NONE
Health                /VMPSProvision – "ProvisionService"

Pool ID               vrava-443, vrava-8444 (console)
DNS CNAME             vra.elzein.local
Virtual Server (VIP)  vrava-vip
Algorithm             Round-Robin
Session Persistence   Source IP
Health                /vcac/services/api/health = 200 or 204

Last updated 03/31/16 by Jad El-Zein
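The three health monitors on this slide decide which pool members the NSX load balancer keeps in rotation. As an added example (not part of the deck), the following Python models those rules and evaluates them offline against constructed responses; the requirement of an HTTP 200 on the two body-match monitors is an assumption, since the slide only names the expected body text.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

@dataclass(frozen=True)
class HealthMonitor:
    pool_id: str
    path: str                        # URL path the NSX monitor requests
    ok_status: FrozenSet[int]        # HTTP status codes accepted as healthy
    body_must_contain: Optional[str] = None  # substring the body must carry

# Health rules from the slide. The 200 requirement on the two body-match
# monitors is an assumption; the slide only names the expected body text.
MONITORS = {
    "vraiaasweb-443": HealthMonitor("vraiaasweb-443", "/wapi/api/status/web",
                                    frozenset({200}), "registered"),
    "vraiaasmgr-443": HealthMonitor("vraiaasmgr-443", "/VMPSProvision",
                                    frozenset({200}), "ProvisionService"),
    "vrava-443": HealthMonitor("vrava-443", "/vcac/services/api/health",
                               frozenset({200, 204})),
}

def member_is_healthy(monitor: HealthMonitor, status: int, body: str) -> bool:
    """Apply one monitor's rule to a member's (status, body) response."""
    if status not in monitor.ok_status:
        return False
    if monitor.body_must_contain and monitor.body_must_contain not in body:
        return False
    return True

def pool_state(pool_id: str, responses: dict) -> tuple:
    """responses maps member name -> (status, body). Returns
    (sorted healthy members, pool has at least one healthy member)."""
    mon = MONITORS[pool_id]
    healthy = sorted(m for m, (s, b) in responses.items()
                     if member_is_healthy(mon, s, b))
    return healthy, bool(healthy)

# Constructed sample responses, not captured from a real deployment.
SAMPLE = {
    "vraiaasweb-443": {"vraiaas01": (200, "registered"),
                       "vraiaas02": (200, "initializing")},
    "vraiaasmgr-443": {"vraiaas03": (200, "<html>ProvisionService</html>"),
                       "vraiaas04": (503, "")},  # passive node, service stopped
    "vrava-443": {"vrava01": (204, ""), "vrava02": (500, "error")},
}

def report() -> dict:
    return {pid: pool_state(pid, members) for pid, members in SAMPLE.items()}
```

Calling report() yields one (healthy members, pool up) pair per pool; a pool whose list is empty is exactly the case where the VIP would stop answering even though the Edge itself is up.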

Page 20: vRA + NSX Technical Deep-Dive

vRA 7.0.1 and NSX Integration - Product Compatibility Matrix

Product                  Version
vRealize Automation      7.0.x
vRealize Orchestrator    7.0.x
NSX-vRO Plugin           1.0.3
NSX for vSphere          6.2.2

vRealize Orchestrator is a required component for the vRA & NSX Integration:

• The vRO server embedded with vRA VA includes the NSX vRO plugin by default

• The NSX vRO Plugin is available from the My VMware support portal with NSX under Drivers & Tools

NSX 6.0.x not supported with vRA 6.2 or later

Page 21: vRA + NSX Technical Deep-Dive

vRA-NSX Extensibility Kit (6.x)

https://communities.vmware.com/docs/DOC-30791

• For the initial release the documentation is in draft format, and assumes you have experience with vRA extensibility (WF stubs and ASD).

• An updated installation guide will be available shortly with more detail

• Additional functionality to the extensibility kit will be added over time

• In addition we are also planning a TOI/Webinar that covers NSX and vRA Extensibility and guidelines for use of the kit.


Page 22: vRA + NSX Technical Deep-Dive

Thank You

Q & A

Jad El-Zein

Principal Architect, CMBU

@virtualjad | virtualjad.com