Transcript of MMC2046BU: Using VMware NSX Cloud for Enhanced Networking and Security for AWS Native Workloads: Part 1
Percy Wadia, Amol Tipnis
#VMworld #MMC2046BU
VMworld 2017 Content: Not for publication or distribution
Slide 2: Disclaimer
• This presentation may contain product features that are currently under development.
• This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.
• Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.
• Technical feasibility and market demand will affect final delivery.
• Pricing and packaging for any new technologies or features discussed or presented have not been determined.
Slide 3: Agenda
1 VMware Cloud Services
2 Introducing NSX Cloud
3 Key Customer Challenges
4 NSX Cloud Service Approach
5 Next Steps
Slide 4: VMware Cloud Services
VMware Cloud: Run, Manage, Connect, Secure Any App on Any Cloud to Any Device
• Existing Apps: Reduce Costs • Security • Reliability • Control
• Cloud Native Apps: Time to market • Innovation • Scale • Differentiation
• Workloads: Virtual Machines and Containers
• Consistent Infrastructure: VM Infrastructure • Container Infrastructure
• Consistent Operations: Management and Operations • Across Clouds
• Cloud Management: Visibility, Operations, Automation, Security, Governance
• Platforms: VMware Cloud Infrastructure (including VMware Cloud on AWS) • Public Cloud IaaS
Slide 5: VMware Cloud Services: Manage, Govern and Secure Public and Private Cloud Apps
Services spanning the on-premises data center and public clouds:
• Discovery: Visibility into apps and the resources they consume. Analyze usage and utilization across clouds.
• Cost Insight: Accounting and cost optimization for multiple clouds. Track and analyze your costs and trends.
• NSX Cloud: Secure networks with micro-segmentation. Create private networks within or across clouds.
• Network Insight: Operational visibility, control, and compliance across clouds. Optimize performance, health, and availability.
• AppDefense: Governance for running workloads.
• Wavefront: Metrics-driven monitoring and real-time analytics.
Slide 6: Key Challenges In Public Clouds
Roles around an AWS account: Cloud Network Admin, Cloud Security Admin, DevOps / Developer
• Extending the enterprise network to the cloud
• Lack of visibility into cloud traffic flows
• Remaining focused on application development and deployment
• Security policy consistency across the hybrid environment
• DevOps compliance with enterprise security policies
• Leveraging enterprise operational tools
Slide 7: VMware NSX Cloud
Consistent networking and security for applications running natively in public clouds: Web/App/DB tiers deployed in AWS VPCs and Azure VNETs.
• Visibility across clouds
• Unified security policy
• Network portability
• Consistent operations
Pillars: Consistency • Visibility • Security • Networking
Slide 8: Visibility into your cloud environment becomes challenging ...
AWS Account 1, a single VPC, DevOps team 1 and one Cloud Admin; Web/App/DB stacks multiply inside the VPC.
The Cloud Admin's question: How do I consistently know what I am managing and securing within my VPC?
Slide 9: ... With VPC Sprawl increasing the complexity ...
AWS Account 1 now holds VPC A, VPC B and VPC C, each full of Web/App/DB stacks, still owned by DevOps team 1 and one Cloud Admin.
The Cloud Admin's question: How do I consistently know what I am managing and securing across VPCs within an Account?
Slide 10: ... Adding multiple cloud accounts exacerbates the challenge
AWS Accounts 1, 2 and 3, each with VPC A, VPC B and VPC C full of Web/App/DB stacks, owned by DevOps teams 1, 2 and 3 respectively.
The Cloud Admin's question: How do I consistently know what I am managing and securing across multiple Accounts?
Slide 11: Demo: Visibility through VMware NSX Cloud Service Manager
Slide 12: 1: A Single Pane of Glass across all VPCs, all accounts ...
• Single inventory view across all accounts and all VPCs
• Operational network / security status of every VM enables rapid response
Slide 13: ... And eventually, across all clouds
FUTURES: Manage and monitor your cloud across AWS and Azure from a single, consolidated inventory view in NSX Cloud.
Slide 14: Cloud Security controls are different... with their own limitations
AWS Account 1: VPC 1, VPC 2 and VPC 3 each carry their own AWS security groups for their Web/App/DB stacks, all administered by one Cloud Admin.
• Multiple VPCs create multiple security touch-points
• Cloud security resource limits (quotas on security groups and rules) inhibit consolidation
• Static group membership and IP-address rules require coordination at deployment
• Cloud operational framework inconsistent with on-premises
Slide 15: 2: A Single Security Posture Across your hybrid cloud
One Security Policy, owned by the Cloud Admin, spans Security Groups 1, 2 and 3 across VPC 1, VPC 2 and VNET 1.
✓ Single security policy
✓ Rich set of abstractions
✓ Dynamic security group membership
✓ No cloud-resource limitations
Slide 16: 3: Real Time Operational Visibility Into Firewall Rule Invocations
Firewall logs from the Web/App/DB workloads in the VPC (AWS Account 1) are forwarded as SYSLOG.
• Route firewall logs to industry-standard syslog and leverage the SIEM tool of your choice
• Real-time operational visibility into your cloud security posture
• Operational consistency with your on-premises security environment
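Slide 16 says firewall rule invocations are shipped to syslog for a SIEM to consume, but shows no log. What follows is an added example, not code from the deck or from NSX Cloud: a small Python consumer that parses constructed syslog lines (RFC 5424 header with a key=value event body; the field names action, rule, src, dst, dport and proto are assumptions made for this example, not NSX's actual log format), counts how often each rule fires, and flags a source that keeps being dropped on one port, which is the kind of operational signal the slide promises.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample: RFC 5424 syslog headers carrying key=value firewall events.
# The message fields are an assumption for this example, not NSX's actual format.
SAMPLE_LOGS = """\
<134>1 2017-08-29T10:15:02Z nsx-cgw-vpc-a fw - - - action=PASS rule=1001 src=10.0.1.15 sport=43210 dst=10.0.2.20 dport=8080 proto=TCP
<134>1 2017-08-29T10:15:03Z nsx-cgw-vpc-a fw - - - action=DROP rule=1024 src=10.0.1.15 sport=43211 dst=10.0.3.20 dport=3306 proto=TCP
<134>1 2017-08-29T10:15:04Z nsx-cgw-vpc-a fw - - - action=DROP rule=1024 src=10.0.1.15 sport=43212 dst=10.0.3.20 dport=3306 proto=TCP
<134>1 2017-08-29T10:15:05Z nsx-cgw-vpc-b fw - - - action=DROP rule=1024 src=10.0.1.15 sport=43213 dst=10.0.3.21 dport=3306 proto=TCP
<134>1 2017-08-29T10:15:06Z nsx-cgw-vpc-b fw - - - action=PASS rule=1002 src=10.0.2.20 sport=50001 dst=10.0.3.20 dport=3306 proto=TCP
<134>1 2017-08-29T10:15:07Z nsx-cgw-vpc-b fw - - - action=DROP rule=9999 src=198.51.100.7 sport=40000 dst=10.0.2.20 dport=22 proto=TCP
this line is not a firewall event and must be skipped
"""

# <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
SYSLOG = re.compile(r"^<(?P<pri>\d+)>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) \S+ \S+ \S+ (?P<msg>.*)$")
KV = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class FwEvent:
    ts: str
    host: str      # the gateway that logged the event, i.e. which VPC it came from
    action: str
    rule: str
    src: str
    dst: str
    dport: int
    proto: str


def parse_line(line: str) -> Optional[FwEvent]:
    """Return a FwEvent for a firewall syslog line, or None for anything else."""
    m = SYSLOG.match(line.strip())
    if not m or m.group("app") != "fw":
        return None
    kv = dict(KV.findall(m.group("msg")))
    try:
        return FwEvent(m.group("ts"), m.group("host"), kv["action"], kv["rule"],
                       kv["src"], kv["dst"], int(kv["dport"]), kv["proto"])
    except (KeyError, ValueError):
        return None  # malformed event: skip it rather than crash the pipeline


def parse_logs(text: str) -> List[FwEvent]:
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


def hits_per_rule(events: Iterable[FwEvent]) -> Counter:
    """(rule, action) -> count: which rules actually fire, and which ones drop."""
    return Counter((e.rule, e.action) for e in events)


def repeated_drops(events: Iterable[FwEvent], threshold: int = 3) -> Dict[Tuple[str, int], int]:
    """Sources dropped at least `threshold` times on one destination port.

    A web VM hammering the DB port is either a missing rule, a misplaced tag,
    or lateral movement; all three deserve a SIEM alert rather than silence."""
    counts = Counter((e.src, e.dport) for e in events if e.action == "DROP")
    return {key: n for key, n in counts.items() if n >= threshold}


def drops_by_vpc(events: Iterable[FwEvent]) -> Counter:
    """Drop volume per logging gateway, i.e. per VPC."""
    return Counter(e.host for e in events if e.action == "DROP")


if __name__ == "__main__":
    evs = parse_logs(SAMPLE_LOGS)
    for (rule, action), n in sorted(hits_per_rule(evs).items()):
        print(f"rule {rule:>5} {action:<4} {n}")
    print("repeated drops:", repeated_drops(evs))
    print("drops by VPC:", dict(drops_by_vpc(evs)))
```

In a real deployment the same three functions sit behind whatever syslog receiver feeds the SIEM; the point is that the per-rule counters answer "is this rule ever hit?" and the repeated-drop view answers "who is being blocked and where?", both of which the slide lists as the operational visibility NSX Cloud provides.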
Slide 17: Demo: Decoupling Application Deployment and Security
Slide 18: 4: Defense in Depth through Default Quarantine
• Multi-layered security through NSX and AWS security groups managed by NSX
• Fully configurable per VPC, with exclusion lists
• Best of both worlds: greater agility for test and dev, higher structural integrity for production
Test and Dev VPC: NSX-managed and NSX-unmanaged VMs coexist.
Production VPC: NSX-managed VMs only; a VM that is not NSX-managed is quarantined (✘).
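Slides 15 and 18 describe two mechanisms, tag-driven dynamic security-group membership under one policy and per-VPC default quarantine with exclusion lists, without showing how they fit together. What follows is an added example, not code from the deck or NSX Cloud's implementation: it models a constructed multi-account inventory, derives group membership from tags at evaluation time, decides each VM's posture (managed, excluded, quarantined, unmanaged) from its VPC's settings, and evaluates one policy for a flow. The tag name nsx:managed, the group criteria, the policy rows and the inventory are all assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple

# Assumed tag marking a VM as running the NSX agent (an assumption for this
# example; the deck does not name the tag NSX Cloud actually uses).
MANAGED_TAG = "nsx:managed"


@dataclass(frozen=True)
class Instance:
    account: str
    vpc: str
    instance_id: str
    private_ip: str
    tags: Tuple[Tuple[str, str], ...]   # tuple of pairs so the record stays hashable

    def tag(self, key: str) -> Optional[str]:
        return dict(self.tags).get(key)


@dataclass(frozen=True)
class VpcSettings:
    managed: bool                              # VPC onboarded to NSX Cloud
    quarantine_default: bool                   # quarantine agent-less VMs by default
    exclusions: FrozenSet[str] = frozenset()   # instance IDs exempt from quarantine


# Dynamic groups: membership is a predicate over tags, evaluated at lookup time,
# so a newly launched VM joins the right group without anyone editing a rule.
GROUP_CRITERIA: Dict[str, Callable[[Instance], bool]] = {
    "web": lambda i: i.tag("tier") == "web",
    "app": lambda i: i.tag("tier") == "app",
    "db":  lambda i: i.tag("tier") == "db",
    "any": lambda i: True,
}

# One policy for every VPC and account: (source group, destination group, dport, action).
# First match wins; the last row is the explicit default deny.
POLICY: List[Tuple[str, str, Optional[int], str]] = [
    ("web", "app", 8080, "allow"),
    ("app", "db", 3306, "allow"),
    ("any", "any", None, "deny"),
]


def posture(inst: Instance, vpc: VpcSettings) -> str:
    """Effective state of a VM under its VPC's quarantine settings."""
    if not vpc.managed:
        return "unmanaged"            # VPC not onboarded: native AWS security groups only
    if inst.tag(MANAGED_TAG) == "true":
        return "managed"              # agent present, NSX policy enforced on the VM
    if inst.instance_id in vpc.exclusions:
        return "excluded"             # allow-listed agent-less VM (bastion, tooling, ...)
    return "quarantined" if vpc.quarantine_default else "unmanaged"


def groups_of(inst: Instance) -> FrozenSet[str]:
    return frozenset(name for name, pred in GROUP_CRITERIA.items() if pred(inst))


def quarantine_sg() -> Dict[str, list]:
    # The AWS security group a controller would attach to a quarantined VM:
    # no ingress and no egress rules, so the VM is isolated until it is onboarded.
    return {"ingress": [], "egress": []}


def allowed(src: Instance, dst: Instance, dport: int, vpcs: Dict[str, VpcSettings]) -> bool:
    """Evaluate the single policy for one flow; a quarantined endpoint never passes."""
    if "quarantined" in (posture(src, vpcs[src.vpc]), posture(dst, vpcs[dst.vpc])):
        return False
    src_groups, dst_groups = groups_of(src), groups_of(dst)
    for src_group, dst_group, port, action in POLICY:
        if src_group in src_groups and dst_group in dst_groups and (port is None or port == dport):
            return action == "allow"
    return False


def inventory_report(instances: List[Instance], vpcs: Dict[str, VpcSettings]) -> Dict[str, str]:
    """The single-pane view: every VM across every account and VPC with its posture."""
    return {i.instance_id: posture(i, vpcs[i.vpc]) for i in instances}


# Constructed inventory spanning three accounts; a production VPC with default
# quarantine and one excluded bastion, a dev VPC without quarantine, and a legacy
# VPC that was never onboarded.
VPCS: Dict[str, VpcSettings] = {
    "vpc-prod-a": VpcSettings(managed=True, quarantine_default=True, exclusions=frozenset({"i-bastion"})),
    "vpc-dev-b": VpcSettings(managed=True, quarantine_default=False),
    "vpc-legacy": VpcSettings(managed=False, quarantine_default=False),
}
INVENTORY: List[Instance] = [
    Instance("111111111111", "vpc-prod-a", "i-web1", "10.0.1.10", (("tier", "web"), (MANAGED_TAG, "true"))),
    Instance("111111111111", "vpc-prod-a", "i-app1", "10.0.2.10", (("tier", "app"), (MANAGED_TAG, "true"))),
    Instance("111111111111", "vpc-prod-a", "i-db1", "10.0.3.10", (("tier", "db"), (MANAGED_TAG, "true"))),
    Instance("111111111111", "vpc-prod-a", "i-rogue", "10.0.1.99", (("tier", "web"),)),   # launched without the agent
    Instance("111111111111", "vpc-prod-a", "i-bastion", "10.0.0.5", (("role", "bastion"),)),
    Instance("222222222222", "vpc-dev-b", "i-dev1", "10.1.1.10", (("tier", "web"),)),
    Instance("333333333333", "vpc-legacy", "i-old1", "10.9.1.10", (("tier", "db"),)),
]

if __name__ == "__main__":
    for vm_id, state in inventory_report(INVENTORY, VPCS).items():
        print(f"{vm_id:<10} {state}")
```

The two things to notice: the rogue web VM in production is isolated by posture alone, before any rule is consulted, while a properly tagged new web VM is allowed to the app tier on 8080 with no change to POLICY, because "web" is resolved from tags at evaluation time rather than pinned to IP addresses at deployment.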
Slide 19: Demo: Multi-layered Security through Default Quarantine
Slide 20: 5: Extend Enterprise Network Policy to Cloud
✓ Single network policy, deploy anywhere
✓ Full control of IP addresses
✓ Stretch subnets across public cloud availability zones
Static VPC network topology (VPC A ... VPC N) versus an NSX logical network topology carrying the Web/App/DB tiers across those VPCs.
Slide 21: 6: Network Trace and Visibility
✓ East-west traffic visibility within VPCs
✓ Troubleshooting ease in cloud environments
✓ Consistency with on-prem operational tools
Slide 22: Demo: Troubleshooting through NSX Traceflow
Slide 23: NSX on-premises and in the cloud

NSX on-premises                   | NSX Cloud
----------------------------------|-----------------------------------
We give you bits                  | Just log in and use
You install                       | No installation
You patch, upgrade                | We take care of patches / upgrades
Perpetual license (usually)       | Pay per use
On your servers / in your network | Runs in cloud
Features are (mostly) the same in both
Slide 24: A Dedicated NSX instance for your Cloud Environment
Each customer (Customer 1, Customer 2) gets its own NSX Manager and Cloud Service Manager (the customer's NSX managers), reached through the NSX Cloud Dashboard. Each of the customer's compute VPCs (VPC-1 ... VPC-N) runs an NSX cloud gateway.
Slide 25: VMware NSX Cloud: Under the Covers Architecture
• Management plane (VMware AWS account): NSX Manager and Cloud Service Manager, fronted by the NSX Cloud Dashboard
• Control plane (VMware AWS account): NSX Controller cluster
• Data plane (customer AWS account): the NSX Cloud Gateway in the VPC plus the customer's Linux and Windows VMs
• Underneath: public cloud infrastructure with its own hypervisor (e.g. AWS)
Slide 26: Operational Control Without Infrastructure Management

NSX Operations                    | VMware | Customer
----------------------------------|--------|---------
NSX Cloud deployment              |   ✓    |
Onboard compute VPCs              |        |    ✓
Manage security, network policies |        |    ✓
NSX maintenance / upgrades        |   ✓    |
Slide 27: Getting Started with VMware NSX Cloud is Easy
Request Access @ cloud.vmware.com
Slide 28: Related Sessions
MMC1464QU How to Use Cloud Formations in vRealize Automation to Build Hybrid Applications That Span and Reside On-Premises & on VMware Cloud on AWS and AWS Cloud Quick Talk Vijay Raghavan, Manu Prasanna
MMC1532BU Using VMware NSX for Enhanced Networking and Security for AWS Native Workloads: Part 2 Breakout Session Amol Tipnis, Percy Wadia
MMC2046BU Using VMware NSX for Enhanced Networking and Security for AWS Native Workloads: Part 1 Breakout Session Amol Tipnis, Percy Wadia
MMC2210BU Best Practices: How the City of New York Has Configured AWS for the Best vRealize Automation Integration Breakout Session Stefan Andrieux
MMC2256BU Watching the Clouds: Challenges with Monitoring Hybrid Cloud Environments Breakout Session Craig Lee, John Dias
MMC2455BU On-Demand Disaster Recovery for Enterprise Applications with the VMware Cloud on AWS Breakout Session GS Khalsa, Mohan Potheri, Potheri Mohan
MMC2623BU Integrated Multicloud Management for Automating Standardized Security and Governance in Federal Agencies Breakout Session Kris Ostergard, Sean VanDruff, Douglas Bourgeois
MMC2820BU Deploying Applications into AWS EC2 with VMware Cross-Cloud Services Breakout Session Bahubali Shetti, Bill shetti
MMC2877BU Deep Dive into Cost Insight: Understand, Analyze, and Optimize Your Cloud Expenses (Cross-Cloud Service) Breakout Session Kumar Gaurav, Kameswaran Subramanian
MMC2884GU Manage Cross-Cloud Applications Using vRealize Operations Insight Group Discussion Karl Fultz, Manish Bhaskar
MMC2888GU How We’ve Accelerated Innovation While Keeping Our Cloud Spending in Check Group Discussion Burt Toma
MMC3062BU How Customer XYZ Secures and Monitors On-Premises Software-Defined Data Center Virtual and Physical Networks Using Network Insight SaaS Breakout Session Sean O'Dell, Manish Bhaskar
MMC3066BU How Do You Use Network Insights' SaaS to Secure Multitier Hybrid Apps Running on vSphere, VMware Cloud on AWS, and AWS Native? Breakout Session Sean O'Dell, Anuj Jaiswal
MMC3074BU 3 ways to use VMware’s new Cross-Cloud SaaS Services to efficiently run workloads across AWS, Azure and vSphere: VMware and Customer technical session Breakout Session Jason Walker, Burt Toma
MMC3110PU How IT Can Enable Development Teams to Build Apps on AWS, Azure, and VMware Without Compromising on Costs and Security Panel Discussion Mark Leake, Ben Mitchell
MMC3112BU Customer Story: Monitoring Costs and Rightsizing Workloads in AWS, Azure, and VMware-Based Clouds Breakout Session Nikhil Girdhar
MMC3164BU How Data Science is Transforming Operations: The Wavefront Story Breakout Session Dev Nag
MMC3165BU Becoming a DevOps Superhero: Introduction to Wavefront for Optimizing Cloud-Native Applications Breakout Session Stela Udovicic, Demetri Mouratis
MMC3321BUS Move, Manage, Use: The New Hybrid IT Breakout Session Donald Foster, Don Foster, Deepak Verma
MMC3406BUS Cloudy Days Ahead!! Leverage F5 to provide application continuity and consistent security policy provisioning and enforcement in an intercloud world. Breakout Session Kent Munson
MMC3424SU VMware Cloud Services and how you can leverage SaaS for your vSphere data center or the public cloud. Spotlight Session Guido Appenzeller
Continue the NSX Cloud journey!
Learn more about NSX Cloud in Part 2, MMC1532BU tomorrow!
Tuesday 5.00pm, Oceanside G, Level 2
Learn more about VMware Cloud Services