MMC1532BU
Using VMware NSX Cloud for AWS Native Workloads: Part 2
Percy Wadia, Amol Tipnis
#VMworld #MMC1532BU
VMworld 2017 Content: Not for publication or distribution
Disclaimer
• This presentation may contain product features that are currently under development.
• This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.
• Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.
• Technical feasibility and market demand will affect final delivery.
• Pricing and packaging for any new technologies or features discussed or presented have not been determined.
#MMC1532BU CONFIDENTIAL
Agenda
1. VMware Cloud Services
2. Quick recap of Session 1
3. Solution Architecture And Components
4. Deployment Topology
5. End User Flow
VMware Cloud Services
[Diagram: VMware Cross-Cloud Architecture. Existing apps and cloud native apps (virtualized apps, containers, SaaS, PaaS, microservices) running on Cloud Foundation, VMware Cloud on AWS, cloud providers and public cloud IaaS, with Cloud Management for VMware. Service pillars: visibility, operations, automation, security, governance. Services: Discovery, Network Insight, NSX Cloud, AppDefense, Wavefront, Cost Insight, Workspace ONE, Log Insight.]
Run, manage, connect, secure any app on any cloud to any device
VMware Cloud Services
[Diagram: apps spread across on-premises data centers and public clouds, managed, secured and governed by Discovery, Cost Insight, Network Insight, NSX Cloud, AppDefense and Wavefront.]
➔ Built from the ground up to deliver unbiased solutions for all Public and Private clouds
➔ Delivered as a set of SaaS services
➔ Seamless usage through integrated access, billing and support
➔ Manage, govern and secure cloud native and existing apps
VMware Cloud Services: Manage, Govern and Secure Public and Private Cloud Infrastructure and Applications
Discovery: Visibility into apps and the resources they consume. Analyze usage and utilization across clouds.
Cost Insight: Accounting and cost optimization for multiple clouds. Track and analyze your costs and trends.
NSX Cloud: Consistent networking and security for applications running natively in public clouds.
Network Insight: Operational visibility, control, and compliance across clouds. Optimize performance, health, and availability.
AppDefense: Governance for running workloads.
Wavefront: Metrics-driven monitoring and real-time analytics.
VMware NSX Cloud
Consistent networking and security for applications running natively in public clouds
[Diagram: Web, App and DB tiers deployed in AWS VPCs and a VNET, with NSX Cloud providing consistency, visibility, security and networking across them.]
• Visibility across clouds
• Unified security policy
• Network Portability
• Consistent Operations
VMware NSX Cloud – Under the Covers Architecture
[Diagram: Customer AWS Account: the Cloud Gateway (control plane) and the data plane (Linux VM, Windows VM) on public cloud infrastructure with hypervisor (ex: AWS). VMware AWS Account: the management plane (NSX Manager, Cloud Service Manager, NSX Controller Cluster) and the NSX Cloud Dashboard.]
NSX Cloud Service Customer Dashboard
[Screenshot: the dashboard as seen by Cloud IT.]
Cloud Service Manager
• Key Purpose:
- Provide Unified View between NSX and Public Cloud (AWS) Inventory
- Onboard new VPCs by Automating the Cloud Gateway Deployment
- Configure Default Quarantine policy
• Footprint:
- Deployed One per NSX Cloud deployment, alongside NSX Manager
NSX Cloud Gateway
• Key Purpose:
- A Local NSX Control Plane within each VPC
- An Edge Gateway for North-South traffic
- Inventory Discovery within VPC (enables Always-on security)
- Enforces Default Quarantine Policy
• Footprint:
- Appliance footprint, deployed One (logical) per Managed VPC
- Deployed in each Managed VPC
- Supports HA (Active-Standby) deployment for higher resiliency
NSX Public Cloud Agent
• Key Purpose:
- Distributed Data-path running inside each NSX managed instance
- Enforces NSX Cloud Distributed Firewall
- Performs Logical Switching/Routing on NSX Cloud overlay network
- A zero-trust security architectural approach at time of VM onboarding
• Footprint:
- Required on each NSX Cloud managed instance
- Embedded in your Cloud templates for zero-touch deployment
- Based on Open vSwitch (OVS) with Linux and Windows OS support
A Dedicated NSX instance for your Cloud Environment
[Diagram: Customer 1 and Customer 2 each have their own NSX Manager and Cloud Service Manager (Customer NSX Managers, behind the NSX Cloud Dashboard), and each of their Customer Compute VPCs (VPC-1 ... VPC-N) runs its own NSX cloud gateway.]
NSX Cloud Gateway Not in Datapath for Micro-segmentation
• NSX Cloud Gateway acts as Local Control Plane, is not in Datapath
• Micro-segmentation and Application Isolation
• Dynamic Policy enforcement based on Instance Attributes
• All other networking services consumed from AWS natively
[Diagram: Compute VPC-1 with Downlink Subnet, Mgmt Subnet and igw; instance-to-instance traffic is filtered by the agents, and the gateway is crossed out of that path.]
NSX Cloud Gateway controls North / South traffic for Overlays
• NSX Agent performs
– Stateful Distributed Firewall enforcement
– Logical Switching "Encap-Decap"
– Distributed Logical Routing
• Cloud Gateway provides Edge Gateway services
– Between Overlay and Underlay (VPC)
– DNAT / SNAT service
– DHCP service on Logical Switches
[Diagram: Compute VPC-1 with Downlink Subnet (Transport), Mgmt Subnet, Uplink Subnet and igw; GENEVE-encapsulated traffic flows between the agents and the gateway, which provides NAT/DHCP toward the uplink.]
User Flow - Cloud Admin
1. Subscribe To Service And Request Deployment (performed once per Organization)
2. Add AWS Accounts (performed per AWS account)
3. Prepare VPC (performed per VPC)
4. Deploy Public Cloud Gateway (performed per VPC)
5. Build Application Instance And Automation Templates (performed per Application)
User Flow - App Developer/DevOps
1. Develop and Deploy Applications (performed once per Application)
Subscribe To VMware NSX Cloud
Performed once per Organization
• Request Access via VMware Cloud Services Portal: cloud.vmware.com/nsx-cloud
• Once Approved, select your AWS region for NSX Cloud
– N. Virginia (us-east-1)
– Ohio (us-east-2)
– N. California (us-west-1)
– Oregon (us-west-2)
• Access NSX Cloud Dashboard once deployment is ready
Configure AWS ARN details
Performed once per AWS Account
• Create AWS Cross-Account Role ARN and NSX Cloud Gateway Role.
– Generated using Cloud Formation template (from Dashboard)
• Provide the ARN and role details to Cloud Service Manager
[Diagram: AWS CloudFormation creates the roles in AWS IAM; the resulting ARN and role details are entered into NSX CSM.]
IAM Roles: Cloud Service Manager and Cloud Gateway (Reference)
Cloud Service Manager
• Role Name: nsx_csm_external
• Role Type: AWS Cross-Account Access
• Permissions:
– EC2 Describe
– EC2 Create/Run/Start/Delete Instance (For Public Cloud Gateway)
– EC2 Assign Public IP (Assigned to Gateway for SNAT/DNAT/Mgmt)
– EC2 Create/Delete Security Groups (NSX defined security groups for Gateway/Quarantine/Overlay/Underlay)
– Route53 Create/Delete Private Zone (vmware.local)
Public Cloud Gateway
• Role Name: nsx_pcg_service
• Role Type: Instance Service Role
• Permissions:
– EC2 Describe
– EC2 Modify Instance Network Attributes (Enforce Quarantine)
– EC2 Modify/Release IP Assignment (SNAT/DNAT secondary IPs, Elastic IP association)
– Route53 Add/Change Resource Record Sets (nsx-gw.vmware.local entry)
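The cross-account role above is what hands a third party (the NSX Cloud service) a foothold in the customer account, so the thing to review before pasting its ARN into the Cloud Service Manager is that it grants exactly the listed permissions and can only be assumed by the intended account. The following Python is an added example, not VMware's CloudFormation template or any NSX Cloud code: the IAM action names are this example's own mapping of the slide's permission categories ("EC2 Describe", "Route53 Create/Delete Private Zone", and so on) onto real AWS actions and may differ from what the generated template uses; the account ID and ExternalId are placeholders; and the ExternalId condition is standard AWS practice for third-party cross-account roles rather than something the slide states.

```python
"""Least-privilege review of the nsx_csm_external and nsx_pcg_service roles.

Added example (not VMware's template). The action sets are an assumed
mapping of the slide's permission bullets onto AWS IAM action names.
"""
import fnmatch

VMWARE_ACCOUNT_ID = "111111111111"                       # placeholder: NSX Cloud service account
EXTERNAL_ID = "REPLACE-WITH-EXTERNAL-ID-FROM-DASHBOARD"  # placeholder

# nsx_csm_external: what the slide says the Cloud Service Manager needs.
CSM_EXPECTED = {
    "ec2:Describe*",                                               # EC2 Describe
    "ec2:RunInstances", "ec2:StartInstances", "ec2:TerminateInstances",  # gateway lifecycle
    "ec2:AllocateAddress", "ec2:AssociateAddress",                 # public IP for gateway
    "ec2:CreateSecurityGroup", "ec2:DeleteSecurityGroup",          # NSX-defined security groups
    "ec2:AuthorizeSecurityGroupIngress", "ec2:AuthorizeSecurityGroupEgress",
    "route53:CreateHostedZone", "route53:DeleteHostedZone",        # private zone vmware.local
}
# nsx_pcg_service: what the slide says the gateway instance role needs.
PCG_EXPECTED = {
    "ec2:Describe*",
    "ec2:ModifyInstanceAttribute", "ec2:ModifyNetworkInterfaceAttribute",  # enforce quarantine
    "ec2:AssignPrivateIpAddresses", "ec2:UnassignPrivateIpAddresses",      # SNAT/DNAT secondary IPs
    "ec2:AssociateAddress", "ec2:DisassociateAddress", "ec2:ReleaseAddress",
    "route53:ChangeResourceRecordSets",                                     # nsx-gw.vmware.local record
}


def cross_account_trust_policy(vmware_account_id, external_id):
    """Trust policy letting only the NSX Cloud account assume the role, with an ExternalId."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{vmware_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def permissions_policy(actions):
    """Identity policy allowing exactly the given actions (EC2 Describe needs Resource '*')."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": sorted(actions), "Resource": "*"}]}


def _statements(policy):
    stmts = policy["Statement"]
    return stmts if isinstance(stmts, list) else [stmts]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def excess_actions(policy, expected):
    """Actions allowed by `policy` that the expected set does not justify.

    A wildcard in `expected` (ec2:Describe*) covers the actions it matches.
    A wildcard in the *policy* (ec2:*, *) is reported unless the expected set
    holds the identical pattern, since it cannot be shown to be least privilege.
    """
    excess = set()
    for stmt in _statements(policy):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action in expected:
                continue
            if "*" in action or not any(fnmatch.fnmatchcase(action, pat) for pat in expected):
                excess.add(action)
    return sorted(excess)


def trust_policy_findings(policy, vmware_account_id):
    """Problems with a cross-account trust policy: open principal or missing ExternalId."""
    findings = []
    for stmt in _statements(policy):
        principal = stmt.get("Principal", {})
        principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        for p in principals:
            if p == "*" or f":{vmware_account_id}:" not in p:
                findings.append(f"trust principal not limited to the NSX Cloud account: {p}")
        if "sts:ExternalId" not in stmt.get("Condition", {}).get("StringEquals", {}):
            findings.append("no sts:ExternalId condition on sts:AssumeRole")
    return findings


if __name__ == "__main__":
    csm = permissions_policy(CSM_EXPECTED)
    print("CSM excess:", excess_actions(csm, CSM_EXPECTED))
    print("trust findings:", trust_policy_findings(
        cross_account_trust_policy(VMWARE_ACCOUNT_ID, EXTERNAL_ID), VMWARE_ACCOUNT_ID))
```

Run `excess_actions` against the policy document the generated CloudFormation stack actually created (it can be fetched with the IAM console or `aws iam get-role-policy`) rather than against the policy this script builds; the value of the check is in the diff between what the slide promises and what was provisioned.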
Prepare VPC for NSX Cloud Onboarding
Performed once per Managed VPC
• Three VPC Subnets (need six for HA)
• Deploy IGW and Default Route for Management and Uplink Subnets
• Add Default Route for Downlink subnet for non-overlay deployments - if the VMs are to be reached directly from Internet.
[Diagram: Production VPC-1 with an igw; AZ-2a holds Downlink Subnet prd1_dn_snet_2a, Mgmt Subnet prd1_mgmt_snet_2a and Uplink Subnet prd1_up_snet_2a, and AZ-2b holds prd1_dn_snet_2b, prd1_mgmt_snet_2b and prd1_up_snet_2b; 0.0.0.0/0 routes point at the igw.]
Deploy Public Cloud Gateway
Performed once per Managed VPC
• Deployed in each "Managed" VPC
• Deployed in HA across Availability Zones
• Provisioned using Cloud Service Manager
• VPC Quarantine Policy set during Public Cloud Gateway deployment
[Diagram: Production VPC-1 with an igw; the Primary gateway sits in AZ-2a (Downlink Subnet prd1_dn_snet_2a, Mgmt Subnet prd1_mgmt_snet_2a, Uplink Subnet prd1_up_snet_2a) and the Secondary gateway in AZ-2b (prd1_dn_snet_2b, prd1_mgmt_snet_2b, prd1_up_snet_2b).]
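The two steps above (prepare the VPC, then deploy the gateway in HA) each carry layout rules that are easy to get subtly wrong: a downlink default route that is only meant for non-overlay deployments, a missing subnet in the second AZ, or both gateways landing in the same AZ. The following Python is an added pre-flight check for those rules, not part of NSX Cloud or the Cloud Service Manager; the VPC description format, the subnet roles and the gateway records are constructed for this example and are not the output of any AWS API. The sample VPC mirrors the Production VPC-1 diagram.

```python
"""Pre-flight check of a VPC against the NSX Cloud onboarding layout.

Added example; the dict layout below is constructed for this script.
"""
from collections import Counter

ROLES = ("mgmt", "uplink", "downlink")

# Constructed description of Production VPC-1: three subnets per AZ in two
# AZs (HA), one IGW, and the default route each subnet's route table carries.
PRD1_VPC = {
    "vpc_id": "vpc-prd1",
    "igw": "igw-prd1",
    "subnets": [
        {"name": "prd1_mgmt_snet_2a", "role": "mgmt",     "az": "us-west-2a", "default_route": "igw-prd1"},
        {"name": "prd1_up_snet_2a",   "role": "uplink",   "az": "us-west-2a", "default_route": "igw-prd1"},
        {"name": "prd1_dn_snet_2a",   "role": "downlink", "az": "us-west-2a", "default_route": None},
        {"name": "prd1_mgmt_snet_2b", "role": "mgmt",     "az": "us-west-2b", "default_route": "igw-prd1"},
        {"name": "prd1_up_snet_2b",   "role": "uplink",   "az": "us-west-2b", "default_route": "igw-prd1"},
        {"name": "prd1_dn_snet_2b",   "role": "downlink", "az": "us-west-2b", "default_route": None},
    ],
    "gateways": [
        {"name": "pcg-primary", "az": "us-west-2a"},
        {"name": "pcg-secondary", "az": "us-west-2b"},
    ],
}


def check_vpc_prep(vpc, ha=True, overlay=True, internet_reachable_vms=False):
    """Return a list of findings; an empty list means the VPC matches the slide's rules."""
    findings = []
    subnets = vpc["subnets"]
    igw = vpc.get("igw")
    if not igw:
        findings.append("no Internet Gateway attached to the VPC")

    # Three subnets per AZ; HA needs the full set in two AZs (six subnets).
    azs = sorted({s["az"] for s in subnets})
    if ha and len(azs) < 2:
        findings.append(f"HA needs subnets in 2 AZs, found {len(azs)}")
    for az in azs:
        roles = Counter(s["role"] for s in subnets if s["az"] == az)
        for role in ROLES:
            if roles[role] != 1:
                findings.append(f"{az}: expected one {role} subnet, found {roles[role]}")

    # Default routes: mandatory for mgmt and uplink; downlink only in the non-overlay case.
    for s in subnets:
        via_igw = igw is not None and s.get("default_route") == igw
        if s["role"] in ("mgmt", "uplink") and not via_igw:
            findings.append(f"{s['name']}: {s['role']} subnet needs 0.0.0.0/0 via the IGW")
        if s["role"] == "downlink":
            if overlay and via_igw:
                findings.append(f"{s['name']}: downlink default route to the IGW is only called for "
                                "in non-overlay deployments; it makes instances directly reachable")
            if not overlay and internet_reachable_vms and not via_igw:
                findings.append(f"{s['name']}: non-overlay VMs reached from the Internet need a "
                                "downlink default route via the IGW")
    return findings


def check_gateway_placement(vpc, ha=True):
    """HA gateways must be two instances in different AZs that actually have prepared subnets."""
    findings = []
    gateways = vpc.get("gateways", [])
    prepared_azs = {s["az"] for s in vpc["subnets"]}
    want = 2 if ha else 1
    if len(gateways) != want:
        findings.append(f"expected {want} gateway(s), found {len(gateways)}")
    if ha and len({g["az"] for g in gateways}) < 2:
        findings.append("HA gateways are not spread across Availability Zones")
    for g in gateways:
        if g["az"] not in prepared_azs:
            findings.append(f"{g['name']}: AZ {g['az']} has no prepared subnets")
    return findings


if __name__ == "__main__":
    print("VPC prep:", check_vpc_prep(PRD1_VPC) or "ok")
    print("gateway placement:", check_gateway_placement(PRD1_VPC) or "ok")
```

Feeding this from a live account means translating `DescribeSubnets` and `DescribeRouteTables` output into the same dict shape; the checks themselves stay identical.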
Create Network and Security Policies in NSX Cloud
Ongoing as needed
Micro-segmentation
• Create NSX Security Groups based on
– AWS Instance Attributes (Names, VPC-ID, AZ)
– NSX tags
– IP Sets
• Create Firewall Policy using NSX Security Groups
Overlay
• Create Logical Topology using
– New Logical Switches
– New Logical Routers
– Attaching Logical Switches to Logical Router
• Configure DHCP for Logical Switches
[Diagram: WEB-TIER, APP-TIER and DB-TIER groups on the WEB-LS, APP-LS and DB-LS logical switches, attached to a Tier-0 LR with DHCP and an uplink VPC subnet; HTTP is permitted from the web tier to the app tier and MySQL from the app tier to the DB tier, and the crossed-out paths are blocked.]
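The slide above defines groups from instance attributes, NSX tags and IP sets and then writes firewall rules between the groups; the slides that follow have DevOps apply those NSX tags from their existing automation. The following Python is an added example that evaluates such a tag-driven policy against a constructed inventory; it is not NSX Cloud code. The tag key `nsx.tier`, the group criteria format, the rule format and the instances are this example's own, ports 80 and 3306 are the standard HTTP and MySQL ports assumed for the diagram's HTTP and MYSQL arrows, and treating an instance with no NSX tag as quarantined is this example's model of the default quarantine policy, not a statement of how the product decides membership.

```python
"""Tag-driven micro-segmentation policy evaluated over a constructed inventory.

Added example, not NSX Cloud code; tag key, criteria and rule formats are assumed.
"""

# Constructed AWS inventory: instance attributes the slide lists (name, VPC, AZ)
# plus the NSX tags DevOps applies. "legacy-mon" was launched without any NSX tag.
INSTANCES = {
    "i-web-1":  {"name": "prd1-web-1", "vpc": "vpc-prd1", "az": "us-west-2a", "ip": "10.1.3.10", "tags": {"nsx.tier": "web"}},
    "i-app-1":  {"name": "prd1-app-1", "vpc": "vpc-prd1", "az": "us-west-2b", "ip": "10.1.3.20", "tags": {"nsx.tier": "app"}},
    "i-db-1":   {"name": "prd1-db-1",  "vpc": "vpc-prd1", "az": "us-west-2a", "ip": "10.1.3.30", "tags": {"nsx.tier": "db"}},
    "i-legacy": {"name": "legacy-mon", "vpc": "vpc-prd1", "az": "us-west-2a", "ip": "10.1.3.99", "tags": {}},
}

# Security groups: every criterion in a definition must hold (AND semantics).
GROUPS = {
    "WEB-TIER": {"tag": ("nsx.tier", "web")},
    "APP-TIER": {"tag": ("nsx.tier", "app")},
    "DB-TIER":  {"tag": ("nsx.tier", "db")},
    "PRD1-VPC": {"vpc": "vpc-prd1"},                    # instance attribute: VPC-ID
    "PRD1-WEB-NAMED": {"name_prefix": "prd1-web"},       # instance attribute: Name
    "MON-HOSTS": {"ip_set": {"10.1.3.99"}},              # IP set
}

# Ordered firewall rules between groups; nothing else is allowed.
RULES = [
    {"src": "WEB-TIER", "dst": "APP-TIER", "proto": "tcp", "port": 80,   "action": "allow"},  # HTTP
    {"src": "APP-TIER", "dst": "DB-TIER",  "proto": "tcp", "port": 3306, "action": "allow"},  # MySQL
]
DEFAULT_ACTION = "deny"


def member_of(instance, criteria):
    """True if the instance satisfies every criterion in a group definition."""
    for kind, want in criteria.items():
        if kind == "tag":
            key, value = want
            if instance["tags"].get(key) != value:
                return False
        elif kind == "vpc" and instance["vpc"] != want:
            return False
        elif kind == "az" and instance["az"] != want:
            return False
        elif kind == "name_prefix" and not instance["name"].startswith(want):
            return False
        elif kind == "ip_set" and instance["ip"] not in want:
            return False
        elif kind not in ("tag", "vpc", "az", "name_prefix", "ip_set"):
            raise ValueError(f"unknown group criterion: {kind}")
    return True


def groups_of(instance):
    """All security groups the instance currently belongs to (recomputed on every change)."""
    return {name for name, crit in GROUPS.items() if member_of(instance, crit)}


def is_managed(instance):
    """Model of the default quarantine policy: no NSX tag at onboarding means quarantined."""
    return any(key.startswith("nsx.") for key in instance["tags"])


def evaluate(src_id, dst_id, proto, port):
    """Verdict for one flow: 'quarantine', a rule's action, or the default deny."""
    src, dst = INSTANCES[src_id], INSTANCES[dst_id]
    if not (is_managed(src) and is_managed(dst)):
        return "quarantine"
    src_groups, dst_groups = groups_of(src), groups_of(dst)
    for rule in RULES:                      # first match wins
        if (rule["src"] in src_groups and rule["dst"] in dst_groups
                and rule["proto"] in (proto, "any") and rule["port"] in (port, None)):
            return rule["action"]
    return DEFAULT_ACTION


if __name__ == "__main__":
    for flow in [("i-web-1", "i-app-1", "tcp", 80), ("i-web-1", "i-db-1", "tcp", 3306),
                 ("i-app-1", "i-db-1", "tcp", 3306), ("i-legacy", "i-db-1", "tcp", 3306)]:
        print(flow, "->", evaluate(*flow))
```

Because membership is recomputed from attributes and tags, a mis-tagged instance silently changes tier; the useful operational check is to diff `groups_of` over the whole inventory after each deployment run, rather than to trust the tags the automation intended to set.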
Embed NSX Cloud Agent into Cloud Templates
Performed once per Template VM
• Agent hosted inside NSX Public Cloud Gateway
• Download and Install
• Create Golden Template (AMI) from running instance using AWS EC2 menu
[Diagram: Staging VPC with Downlink Subnet, Mgmt Subnet, Uplink Subnet and igw, where the template instance is prepared.]
Dev-Ops Continues to use existing deployment tools
Ongoing as New Apps Are deployed
• Deploy App Instances using existing Automation framework
• Apply NSX tags to AWS Instances using existing tools.
– Very little changes to your existing automation script
• Can be deployed with AWS Elastic Load-balancing and Auto Scaling Groups
[Screenshot: excerpt of a CloudFormation template defining an Auto Scaling group.]
Summary
Cloud Network Admin: Defines Network Topology And IP Addressing
Cloud Security Admin: Mandates Security Policies and Ensures Compliance
DevOps / Developer: Focuses on App Development and Deployment
Decoupling maintains Agility; Control Cloud Networking & Security
Request Access @ cloud.vmware.com
Sessions, Booth and Theatre Presentations for VMware Cloud Services
MMC1464QU How to Use Cloud Formations in vRealize Automation to Build Hybrid Applications That Span and Reside On-Premises & on VMware Cloud on AWS and AWS Cloud Quick Talk Vijay Raghavan, Manu Prasanna
MMC1532BU Using VMware NSX for Enhanced Networking and Security for AWS Native Workloads: Part 2 Breakout Session Amol Tipnis, Percy Wadia
MMC2046BU Using VMware NSX for Enhanced Networking and Security for AWS Native Workloads: Part 1 Breakout Session Amol Tipnis, Percy Wadia
MMC2210BU Best Practices: How the City of New York Has Configured AWS for the Best vRealize Automation Integration Breakout Session Stefan Andrieux
MMC2256BU Watching the Clouds: Challenges with Monitoring Hybrid Cloud Environments Breakout Session Craig Lee, John Dias
MMC2455BU On-Demand Disaster Recovery for Enterprise Applications with the VMware Cloud on AWS Breakout Session GS Khalsa, Mohan Potheri, Potheri Mohan
MMC2623BU Integrated Multicloud Management for Automating Standardized Security and Governance in Federal Agencies Breakout Session Kris Ostergard, Sean VanDruff, Douglas Bourgeois
MMC2820BU Deploying Applications into AWS EC2 with VMware Cross-Cloud Services Breakout Session Bahubali Shetti, Bill shetti
MMC2877BU Deep Dive into Cost Insight: Understand, Analyze, and Optimize Your Cloud Expenses (Cross-Cloud Service) Breakout Session Kumar Gaurav, Kameswaran Subramanian
MMC2884GU Manage Cross-Cloud Applications Using vRealize Operations Insight Group Discussion Karl Fultz, Manish Bhaskar
MMC2888GU How We've Accelerated Innovation While Keeping Our Cloud Spending in Check Group Discussion Burt Toma
MMC3062BU How Customer XYZ Secures and Monitors On-Premises Software-Defined Data Center Virtual and Physical Networks Using Network Insight SaaS Breakout Session Sean O'Dell, Manish Bhaskar
MMC3066BU How Do You Use Network Insights' SaaS to Secure Multitier Hybrid Apps Running on vSphere, VMware Cloud on AWS, and AWS Native? Breakout Session Sean O'Dell, Anuj Jaiswal
MMC3074BU 3 ways to use VMware's new Cross-Cloud SaaS Services to efficiently run workloads across AWS, Azure and vSphere: VMware and Customer technical session Breakout Session Jason Walker, Burt Toma
MMC3110PU How IT Can Enable Development Teams to Build Apps on AWS, Azure, and VMware Without Compromising on Costs and Security Panel Discussion Mark Leake, Ben Mitchell
MMC3112BU Customer Story: Monitoring Costs and Rightsizing Workloads in AWS, Azure, and VMware-Based Clouds Breakout Session Nikhil Girdhar
MMC3164BU How Data Science is Transforming Operations: The Wavefront Story Breakout Session Dev Nag
MMC3165BU Becoming a DevOps Superhero: Introduction to Wavefront for Optimizing Cloud-Native Applications Breakout Session Stela Udovicic, Demetri Mouratis
MMC3321BUS Move, Manage, Use: The New Hybrid IT Breakout Session Donald Foster, Don Foster, Deepak Verma
MMC3406BUS Cloudy Days Ahead!! Leverage F5 to provide application continuity and consistent security policy provisioning and enforcement in an intercloud world. Breakout Session Kent Munson
MMC3424SU VMware Cloud Services and how you can leverage SaaS for your vSphere data center or the public cloud. Spotlight Session Guido Appenzeller