Percy Wadia, Amol Tipnis

MMC1532BU

Using VMware NSX Cloud for AWS Native Workloads: Part 2

#VMworld #MMC1532BU

VMworld 2017 Content: Not for publication or distribution

Disclaimer

• This presentation may contain product features that are currently under development.

• This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.

• Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.

• Technical feasibility and market demand will affect final delivery.

• Pricing and packaging for any new technologies or features discussed or presented have not been determined.


Agenda

1 VMware Cloud Services

2 Quick recap of Session 1

3 Solution Architecture And Components

4 Deployment Topology

5 End User Flow


VMware Cross-Cloud Architecture (diagram)

Workloads: Existing Apps (Virtualized Apps, Containers); Cloud Native Apps (SaaS, PaaS, Microservices)

Platforms: VMware Cloud (Cloud Foundation, VMware Cloud on AWS, Cloud Providers for VMware); Public Cloud IaaS (Cloud Providers)

Cloud Management / VMware Cloud Services: Discovery, Network Insight, NSX Cloud, AppDefense, Wavefront, Cost Insight, Workspace ONE, Log Insight

Pillars: Visibility, Operations, Automation, Security, Governance

Run, manage, connect, secure any app on any cloud to any device


VMware Cloud Services

(Diagram: on-premises data centers and public clouds, each running apps, managed, secured and governed through Discovery, Cost Insight, Network Insight, NSX Cloud, AppDefense and Wavefront)

➔ Built from the ground up to deliver unbiased solutions for all public and private clouds

➔ Delivered as a set of SaaS services

➔ Seamless usage through integrated access, billing and support

➔ Manage, govern and secure cloud native and existing apps


VMware Cloud Services: Manage, Govern and Secure Public and Private Cloud Infrastructure and Applications

Discovery: Visibility into apps and the resources they consume; analyze usage and utilization across clouds

Cost Insight: Accounting and cost optimization for multiple clouds; track and analyze your costs and trends

NSX Cloud: Consistent networking and security for applications running natively in public clouds

Network Insight: Operational visibility, control, and compliance across clouds; optimize performance, health, and availability

AppDefense: Governance for running workloads

Wavefront: Metrics-driven monitoring and real-time analytics


VMware NSX Cloud

Consistent networking and security for applications running natively in public clouds

(Diagram: Web, App and DB tiers running across AWS VPCs and an Azure VNET, with NSX Cloud providing Visibility, Security, Networking and Consistency)

• Visibility across clouds

• Unified security policy

• Network portability

• Consistent operations

Architecture Overview: Components

VMware NSX Cloud – Under the Covers Architecture

(Diagram labels)

Management plane: NSX Cloud Dashboard, NSX Manager, Cloud Service Manager

Control plane: NSX Controller Cluster

Cloud gateway: NSX Cloud Gateway

Data plane: Linux VM, Windows VM on public cloud infrastructure with hypervisor (ex: AWS)

Accounts shown: VMware AWS Account, Customer AWS Account

NSX Cloud Service Customer Dashboard (screenshot; Cloud IT view)

Cloud Service Manager

• Key Purpose:

- Provide a Unified View between NSX and Public Cloud (AWS) Inventory

- Onboard new VPCs by Automating the Cloud Gateway Deployment

- Configure the Default Quarantine policy

• Footprint:

- Deployed One per NSX Cloud deployment, alongside NSX Manager

NSX Cloud Gateway

• Key Purpose:

- A Local NSX Control Plane within each VPC

- An Edge Gateway for North-South traffic

- Inventory Discovery within the VPC (enables Always-on security)

- Enforces the Default Quarantine Policy

• Footprint:

- Appliance footprint, deployed One (logical) per Managed VPC

- Deployed in each Managed VPC

- Supports HA (Active-Standby) deployment for higher resiliency

NSX Public Cloud Agent

• Key Purpose:

- Distributed Data-path running inside each NSX managed instance

- Enforces NSX Cloud Distributed Firewall

- Performs Logical Switching/Routing on the NSX Cloud overlay network

- A zero-trust security architectural approach at time of VM onboarding

• Footprint:

- Required on each NSX Cloud managed instance

- Embedded in your Cloud templates for zero-touch deployment

- Based on Open vSwitch (OVS) with Linux and Windows OS support

Deployment Topology


A Dedicated NSX instance for your Cloud Environment

(Diagram: for each customer (Customer 1, Customer 2), a dedicated NSX Manager and Cloud Service Manager, reached through the NSX Cloud Dashboard, manage that customer's compute VPCs (VPC-1 ... VPC-N), each with its own NSX cloud gateway)

NSX Cloud Gateway Not in Datapath for Micro-segmentation

• NSX Cloud Gateway acts as Local Control Plane; it is not in the Datapath

• Micro-segmentation and Application Isolation

• Dynamic Policy enforcement based on Instance Attributes

• All other networking services are consumed natively from AWS

(Diagram: Compute VPC-1 with Downlink Subnet, Mgmt Subnet and igw; an X marks instance-to-instance traffic blocked by policy)

NSX Cloud Gateway controls North / South traffic for Overlays

• NSX Agent performs

– Stateful Distributed Firewall enforcement

– Logical Switching “Encap-Decap”

– Distributed Logical Routing

• Cloud Gateway provides Edge Gateway services

– Between Overlay and Underlay (VPC)

– DNAT / SNAT service

– DHCP service on Logical Switches

(Diagram: Compute VPC-1 with Downlink Subnet (Transport), Mgmt Subnet, Uplink Subnet and igw; GENEVE-encapsulated overlay traffic between instances, NAT/DHCP at the gateway)

End User Flow


User Flow - Cloud Admin

1 > Subscribe To Service And Request Deployment (Performed once per Organization)

2 > Add AWS Accounts (Performed per AWS account)

3 > Prepare VPC (Performed per VPC)

4 > Deploy Public Cloud Gateway (Performed per VPC)

5 > Build Application Instance And Automation Templates (Performed per Application)

User Flow - App Developer/DevOps

1 > Develop and Deploy Applications (Performed once per Application)

Subscribe To VMware NSX Cloud

• Request Access via VMware Cloud Services Portal:

cloud.vmware.com/nsx-cloud

• Once Approved, select your AWS region for NSX Cloud

– N. Virginia (us-east-1)

– Ohio (us-east-2)

– N. California (us-west-1)

– Oregon (us-west-2)

• Access NSX Cloud Dashboard once deployment is ready

Performed once per Organization


Configure AWS ARN details

• Create AWS Cross-Account Role ARN and NSX Cloud Gateway Role.

– Generated using a CloudFormation template (from Dashboard)

• Provide the ARN and role details to Cloud Service Manager

Performed once per AWS Account

(Diagram: AWS CloudFormation -> AWS IAM -> NSX CSM)

Demo: Adding AWS account


IAM Roles: Cloud Service Manager and Cloud Gateway

Cloud Service Manager

• Role Name: nsx_csm_external

• Role Type: AWS Cross-Account Access

• Permissions:

– EC2 Describe

– EC2 Create/Run/Start/Delete Instance (For Public Cloud Gateway)

– EC2 Assign Public IP (Assigned to Gateway for SNAT/DNAT/Mgmt)

– EC2 Create/Delete Security Groups (NSX defined security groups for Gateway/Quarantine/Overlay/Underlay)

– Route53 Create/Delete Private Zone (vmware.local)

Public Cloud Gateway

• Role Name: nsx_pcg_service

• Role Type: Instance Service Role

• Permissions:

– EC2 Describe

– EC2 Modify Instance Network Attributes (Enforce Quarantine)

– EC2 Modify/Release IP Assignment (SNAT/DNAT secondary IPs, Elastic IP association)

– Route53 Add/Change Resource Record Sets (nsx-gw.vmware.local entry)


Reference

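A least-privilege check for the two roles above, written for this page as an added example (not code from the deck or from VMware): it audits an IAM permissions policy against the actions the slide lists and checks the cross-account trust policy. The mapping from the slide's wording (for example "EC2 Assign Public IP") to concrete IAM action names, the role policy shapes and the `SAMPLE_CSM_POLICY` input are all assumptions constructed for the example.

```python
# Added example, not from the VMworld deck or from VMware: audit the IAM policies
# of the two NSX Cloud roles against the permissions the slide lists. Mapping the
# slide's wording to IAM action names is an assumption; check it against the
# CloudFormation template the dashboard generates before relying on it.
import fnmatch

EXPECTED_ACTIONS = {
    # Slide: EC2 Describe; Create/Run/Start/Delete Instance; Assign Public IP;
    # Create/Delete Security Groups; Route53 Create/Delete Private Zone.
    "nsx_csm_external": {
        "ec2:Describe*", "ec2:RunInstances", "ec2:StartInstances",
        "ec2:TerminateInstances", "ec2:AllocateAddress", "ec2:AssociateAddress",
        "ec2:CreateSecurityGroup", "ec2:DeleteSecurityGroup",
        "route53:CreateHostedZone", "route53:DeleteHostedZone",
    },
    # Slide: EC2 Describe; Modify Instance Network Attributes; Modify/Release IP
    # Assignment; Route53 Add/Change Resource Record Sets.
    "nsx_pcg_service": {
        "ec2:Describe*", "ec2:ModifyInstanceAttribute",
        "ec2:ModifyNetworkInterfaceAttribute", "ec2:AssignPrivateIpAddresses",
        "ec2:UnassignPrivateIpAddresses", "ec2:AssociateAddress",
        "ec2:DisassociateAddress", "route53:ChangeResourceRecordSets",
    },
}
# Constructed sample: a CSM policy whose second statement is over-broad.
SAMPLE_CSM_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["ec2:DescribeInstances", "ec2:RunInstances"], "Resource": "*"},
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}

def audit_permissions(role_name, policy_doc):
    """Findings for Allow statements granting more than the role's expected
    actions; an empty list means the policy stays within the slide's list."""
    allowed, findings = EXPECTED_ACTIONS[role_name], []
    for stmt in policy_doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        for action in [actions] if isinstance(actions, str) else actions:
            # ec2:Describe* in the expected set covers DescribeInstances etc.;
            # a policy wildcard such as ec2:* matches nothing and is flagged.
            if any(fnmatch.fnmatchcase(action, pat) for pat in allowed):
                continue
            kind = "over-broad wildcard" if "*" in action else "unexpected"
            findings.append(f"{kind} action {action}")
    return findings

def audit_trust(trust_doc, expected_account):
    """Trust policy pinned to the expected account with an sts:ExternalId
    condition (AWS guidance for cross-account roles; not on the slide)."""
    findings = []
    for stmt in trust_doc.get("Statement", []):
        principal = str(stmt.get("Principal", {}).get("AWS", ""))
        if principal == "*" or expected_account not in principal:
            findings.append("trust principal is not the expected account")
        if "sts:ExternalId" not in stmt.get("Condition", {}).get("StringEquals", {}):
            findings.append("missing sts:ExternalId condition")
    return findings
```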

Prepare VPC for NSX Cloud Onboarding

• Three VPC Subnets (need six for HA)

• Deploy IGW and Default Route for Management and Uplink Subnets

• Add Default Route for Downlink subnet for non-overlay deployments, if the VMs are to be reached directly from the Internet.

Performed once per Managed VPC

(Diagram: Production VPC-1 with igw; AZ-2a holds Downlink Subnet prd1_dn_snet_2a, Mgmt Subnet prd1_mgmt_snet_2a and Uplink Subnet prd1_up_snet_2a; AZ-2b holds prd1_dn_snet_2b, prd1_mgmt_snet_2b and prd1_up_snet_2b; default route 0.0.0.0/0 to igw)

Deploy Public Cloud Gateway

• Deployed in each “Managed” VPC

• Deployed in HA across Availability Zones

• Provisioned using Cloud Service Manager

• VPC Quarantine Policy set during Public Cloud Gateway deployment

Performed once per Managed VPC

(Diagram: Production VPC-1 with igw; Primary gateway in AZ-2a (prd1_dn_snet_2a, prd1_mgmt_snet_2a, prd1_up_snet_2a), Secondary gateway in AZ-2b (prd1_dn_snet_2b, prd1_mgmt_snet_2b, prd1_up_snet_2b))
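A readiness check for the VPC preparation and HA gateway deployment steps above, added here as an example (not code from the deck or from VMware): it verifies the subnet roles per Availability Zone, the two-AZ layout for HA, and which subnets carry a default route to the IGW. The VPC description format and the `sample_vpc()` layout are constructed for the example and are not an AWS API response shape.

```python
# Added example, not from the VMworld deck or from VMware: check that a VPC's
# subnet and route layout matches the onboarding rules on the "Prepare VPC" and
# "Deploy Public Cloud Gateway" slides: downlink/mgmt/uplink subnets per AZ, two
# AZs for HA, IGW default routes on mgmt and uplink only (downlink only when the
# VMs must be reachable directly from the Internet). The VPC description used
# here is a constructed shape for the example, not an AWS API response.
ROLES = ("downlink", "mgmt", "uplink")

def check_vpc(vpc, ha=True, downlink_internet_reachable=False):
    """Return a list of findings; an empty list means the VPC is ready."""
    findings = []
    if not vpc.get("igw_attached"):
        findings.append("no Internet gateway attached")
    by_az = {}
    for s in vpc["subnets"]:
        by_az.setdefault(s["az"], {})[s["role"]] = s
    if ha and len(by_az) < 2:
        findings.append("HA needs subnets in two Availability Zones")
    for az, roles in sorted(by_az.items()):
        for role in ROLES:
            if role not in roles:
                findings.append(f"{az}: missing {role} subnet")
                continue
            s = roles[role]
            has_default = s.get("routes", {}).get("0.0.0.0/0") == "igw"
            if role != "downlink" and not has_default:
                findings.append(f"{s['name']}: no 0.0.0.0/0 route to igw")
            # The downlink subnet stays private for overlay deployments.
            if role == "downlink" and has_default and not downlink_internet_reachable:
                findings.append(f"{s['name']}: downlink has a default route")
    return findings

def sample_vpc():
    """Constructed HA layout using the subnet names from the slide."""
    abbr = {"downlink": "dn", "mgmt": "mgmt", "uplink": "up"}
    subnets = []
    for az in ("us-west-2a", "us-west-2b"):
        for role in ROLES:
            routes = {"10.1.0.0/16": "local"}
            if role != "downlink":
                routes["0.0.0.0/0"] = "igw"
            subnets.append({"name": f"prd1_{abbr[role]}_snet_{az[-2:]}",
                            "role": role, "az": az, "routes": routes})
    return {"igw_attached": True, "subnets": subnets}
```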

Demo: Deploy Gateway


Create Network and Security Policies in NSX Cloud

Micro-segmentation

• Create NSX Security Groups based on

– AWS Instance Attributes (Names, VPC-ID, AZ)

– NSX tags

– IP Sets

• Create Firewall Policy using NSX Security Groups

Overlay

• Create Logical Topology using

– New Logical Switches

– New Logical Routers

– Attaching Logical Switches to Logical Router

• Configure DHCP for Logical Switches

Ongoing as needed

(Diagram: WEB-TIER, APP-TIER and DB-TIER security groups on the WEB-LS, APP-LS and DB-LS logical switches, attached to a Tier-0 LR with DHCP and an Uplink VPC Subnet; HTTP and MYSQL flows permitted between tiers, other paths marked X)
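A small model of the group-based firewall policy described above, added here as an example (not code from the deck or from VMware): groups are derived from NSX tags, instance attributes such as VPC-ID, or IP sets, rules are written between groups, and any flow no rule matches is dropped. The group criteria, rule set and endpoint dicts are constructed for the example, and the assumption that an instance in no group is isolated is this example's reading of the default quarantine policy.

```python
# Added example, not from the VMworld deck or from VMware: a small model of the
# three-tier micro-segmentation policy shown on the slide. Group membership is
# derived from AWS instance attributes, NSX tags or IP sets; firewall rules are
# written between groups; any flow no rule matches is dropped. Isolating an
# instance that lands in no group is this example's reading of the default
# quarantine policy, not a statement of NSX Cloud behaviour.
import ipaddress

# Group criteria (all listed criteria must match): NSX tags, instance attributes
# such as VPC-ID, or IP sets. Values are constructed for the example.
GROUPS = {
    "WEB-TIER": {"tag": {"tier": "web"}, "attrs": {"vpc_id": "vpc-prod1"}},
    "APP-TIER": {"tag": {"tier": "app"}, "attrs": {"vpc_id": "vpc-prod1"}},
    "DB-TIER": {"tag": {"tier": "db"}, "attrs": {"vpc_id": "vpc-prod1"}},
    "ADMIN-IPSET": {"ipset": ["10.200.0.0/24"]},
}
# Firewall policy between groups as (source, destination, protocol, port).
RULES = [
    ("WEB-TIER", "APP-TIER", "tcp", 80),      # HTTP, web tier to app tier
    ("APP-TIER", "DB-TIER", "tcp", 3306),     # MYSQL, app tier to db tier
    ("ADMIN-IPSET", "WEB-TIER", "tcp", 22),   # admin IP set to web tier
]

def groups_for(endpoint):
    """Groups an instance dict (or a bare {"ip": ...} endpoint) belongs to."""
    tags, member = endpoint.get("tags", {}), set()
    for name, crit in GROUPS.items():
        ok = all(tags.get(k) == v for k, v in crit.get("tag", {}).items())
        ok = ok and all(endpoint.get(k) == v for k, v in crit.get("attrs", {}).items())
        if "ipset" in crit:
            ip = ipaddress.ip_address(endpoint["ip"])
            ok = ok and any(ip in ipaddress.ip_network(n) for n in crit["ipset"])
        if ok:
            member.add(name)
    return member

def allowed(src, dst, proto, port):
    """Default deny: the flow passes only if some rule joins src and dst groups."""
    sg, dg = groups_for(src), groups_for(dst)
    return any(s in sg and d in dg and p == proto and pt == port
               for s, d, p, pt in RULES)
```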

Demo: Creating NSX Policies


Embed NSX Cloud Agent into Cloud Templates

• Agent hosted inside NSX Public Cloud Gateway

• Download and Install

• Create Golden Template (AMI) from running instance using AWS EC2 menu

Performed once per Template VM

(Diagram: Staging VPC with Downlink Subnet, Mgmt Subnet, Uplink Subnet and igw)

Dev-Ops Continues to use existing deployment tools

• Deploy App Instances using existing Automation framework

• Apply NSX tags to AWS Instances using existing tools.

– Very little change to your existing automation scripts

• Can be deployed with AWS Elastic Load-balancing and Auto Scaling Groups

Ongoing as New Apps Are deployed

Excerpt: CloudFormation Template (Auto Scaling)

Demo: Managing Instances with NSX Cloud


Summary

Cloud Network Admin: Defines Network Topology And IP Addressing

Cloud Security Admin: Mandates Security Policies and Ensures Compliance

DevOps / Developer: Focuses on App Development and Deployment

Decoupling maintains Agility; Control Cloud Networking & Security

Request Access @ cloud.vmware.com


MMC1464QU How to Use Cloud Formations in vRealize Automation to Build Hybrid Applications That Span and Reside On-Premises & on VMware Cloud on AWS and AWS Cloud Quick Talk Vijay Raghavan, Manu Prasanna

MMC1532BU Using VMware NSX for Enhanced Networking and Security for AWS Native Workloads: Part 2 Breakout Session Amol Tipnis, Percy Wadia

MMC2046BU Using VMware NSX for Enhanced Networking and Security for AWS Native Workloads: Part 1 Breakout Session Amol Tipnis, Percy Wadia

MMC2210BU Best Practices: How the City of New York Has Configured AWS for the Best vRealize Automation Integration Breakout Session Stefan Andrieux

MMC2256BU Watching the Clouds: Challenges with Monitoring Hybrid Cloud Environments Breakout Session Craig Lee, John Dias

MMC2455BU On-Demand Disaster Recovery for Enterprise Applications with the VMware Cloud on AWS Breakout Session GS Khalsa, Mohan Potheri, Potheri Mohan

MMC2623BU Integrated Multicloud Management for Automating Standardized Security and Governance in Federal Agencies Breakout Session Kris Ostergard, Sean VanDruff, Douglas Bourgeois

MMC2820BU Deploying Applications into AWS EC2 with VMware Cross-Cloud Services Breakout Session Bahubali Shetti, Bill shetti

MMC2877BU Deep Dive into Cost Insight: Understand, Analyze, and Optimize Your Cloud Expenses (Cross-Cloud Service) Breakout Session Kumar Gaurav, Kameswaran Subramanian

MMC2884GU Manage Cross-Cloud Applications Using vRealize Operations Insight Group Discussion Karl Fultz, Manish Bhaskar

MMC2888GU How We’ve Accelerated Innovation While Keeping Our Cloud Spending in Check Group Discussion Burt Toma

MMC3062BU How Customer XYZ Secures and Monitors On-Premises Software-Defined Data Center Virtual and Physical Networks Using Network Insight SaaS Breakout Session Sean O'Dell, Manish Bhaskar

MMC3066BU How Do You Use Network Insights' SaaS to Secure Multitier Hybrid Apps Running on vSphere, VMware Cloud on AWS, and AWS Native? Breakout Session Sean O'Dell, Anuj Jaiswal

MMC3074BU 3 ways to use VMware’s new Cross-Cloud SaaS Services to efficiently run workloads across AWS, Azure and vSphere: VMware and Customer technical session Breakout Session Jason Walker, Burt Toma

MMC3110PU How IT Can Enable Development Teams to Build Apps on AWS, Azure, and VMware Without Compromising on Costs and Security Panel Discussion Mark Leake, Ben Mitchell

MMC3112BU Customer Story: Monitoring Costs and Rightsizing Workloads in AWS, Azure, and VMware-Based Clouds Breakout Session Nikhil Girdhar

MMC3164BU How Data Science is Transforming Operations: The Wavefront Story Breakout Session Dev Nag

MMC3165BU Becoming a DevOps Superhero: Introduction to Wavefront for Optimizing Cloud-Native Applications Breakout Session Stela Udovicic, Demetri Mouratis

MMC3321BUS Move, Manage, Use: The New Hybrid IT Breakout Session Donald Foster, Don Foster, Deepak Verma

MMC3406BUS Cloudy Days Ahead!! Leverage F5 to provide application continuity and consistent security policy provisioning and enforcement in an intercloud world. Breakout Session Kent Munson

MMC3424SU VMware Cloud Services and how you can leverage SaaS for your vSphere data center or the public cloud. Spotlight Session Guido Appenzeller

Sessions, Booth and Theatre Presentations for VMware Cloud Services
