NET1338BE VMware Integrated OpenStack and NSX Integration Deep Dive

Andrew Pearce - NSX Technology Practice
Gary Kotton - Lead Developer for Neutron

NET1338BE
#VMworld #NET1338BE

VMworld 2017 Content: Not for publication or distribution

Disclaimer

• This presentation may contain product features that are currently under development.

• This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.

• Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.

• Technical feasibility and market demand will affect final delivery.

• Pricing and packaging for any new technologies or features discussed or presented have not been determined.

#NET1338BE CONFIDENTIAL

Outline of presentation (TBC - Thursday @ 1:30pm)
What do we want to cover and what order do we want to do it in?

Session ID: NET1338BE

Title: VMware Integrated OpenStack and NSX Integration Deep Dive

Abstract: OpenStack offers a very comprehensive set of Network and Security workflows provided by a core project called Neutron. Neutron can leverage VMware NSX as a backend to bring advanced services to the applications owned by OpenStack. In this session we will cover the use cases for Neutron, and the various topologies available in OpenStack with NSX, with a focus on security. We will walk you through a number of design considerations leveraging Neutron Security Groups and the NSX Stateful Distributed Firewall Integration, along with Service Chaining in NSX for Next Generation Security Integration, all available today.

Content to include: NSXv Neutron support for policy, admin rules and better service isolation

Session Type: Breakout Session

Track: Modernize the Data Center

Subtrack: Networking and Security

Product and Topics: Integrated OpenStack, NSX, OpenStack, vCenter, vSphere

Market Segment: No Specific Segment

Session Audience: IT – Telecom

Speaker Info: Gary Kotton, VMware; Andrew Pearce, VMware


20 Min Review with Malery Lassen

Objectives for your session; what will the audience learn?

That NSX can integrate with VIO and other OpenStack distros

Content outline

What can be achieved through the Neutron integration:

Micro segmentation

Policy

Admin rules

FWaaS

Future work – policy engine…

Demos – how many? Which ones?

A pre-recorded video highlighting the OpenStack API being used to create network and security functions/features in NSX-V

Customer inclusion – do you have any customers? If not, are you looking for any (we can help ☺)?

No customer

We know that your time is valuable so we’re going to make these review sessions as impactful as possible. By joining you help ensure that messaging to customers at VMworld is cohesive across all sessions and that we are presenting the strongest message possible.


What is OpenStack?


Andrew

• You can use HOL 1820 – Tom Schwaller is doing the HOL


IaaS Options From VMware

[Figure: two IaaS options on a consistent virtual infrastructure (vSphere, NSX, VSAN). vRealize Automation side: Compliance & Governance, Service Catalog, Chargeback, Configuration and Change Management, App Lifecycle Management, Policies, Orchestration, External Cloud Connector (AWS, Google Cloud). OpenStack “Simple IaaS” side: Nova, Neutron, Cinder vendor-neutral APIs, “Restrictions with Quotas”, Basic IaaS & Virtual Infra Consumption, consumed by developer-owned toolsets or a 3rd-party tool.]

▪ vRealize Suite is a complete Cloud Management Platform

▪ OpenStack delivers APIs to consume infrastructure

▪ Additional CMP components needed for Governance


NSX OpenStack EcoSystem

The NSX Networking and Security Platform

[Figure: OpenStack distributions on the NSX platform – Open Source, VIO, HPE, Mirantis, Redhat, Suse – running on ESXi 6 / ESXi 6.5, RHEL 7.1 / RHEL 7.2, Ubuntu 14.04 / Ubuntu 16.04]


OpenStack + NSX - High Level Architecture

Cloud Consumption
▪ OpenStack Neutron

Data Plane – ESXi Hypervisor Kernel Modules, Distributed Services (Distributed Firewall, Distributed Logical Router, Logical Switch, Edge)
▪ High-performance data plane
▪ Scale-out distributed forwarding model
▪ Physical integration with NSX Edge and/or 3rd party ToR switch

Management Plane – NSX Manager
▪ Single configuration portal
▪ REST API entry-point
▪ Stateless

Control Plane – NSX Controller
▪ Manages logical networks
▪ Control-plane protocol
▪ Separation of control and data plane
▪ Stateful


VIO – VMware’s OpenStack Distro

[Figure: Simplify OpenStack Operations. VMware SDDC (vSphere, NSX, VSAN, vROps, LI…) provides battle-tested infrastructure & operations and differentiated features; OpenStack value: standard, production-ready & fully supported OpenStack]


What is Neutron

• OpenStack Networking (neutron) manages all networking facets for the Virtual Networking Infrastructure (VNI) and the access layer aspects of the Physical Networking Infrastructure (PNI) in your OpenStack environment. OpenStack Networking enables projects to create advanced virtual network topologies which may include services such as a firewall, a load balancer, and a virtual private network (VPN).

• Networking provides networks, subnets, and routers as object abstractions. Each abstraction has functionality that mimics its physical counterpart: networks contain subnets, and routers route traffic between different subnets and networks.


NSX Integrations With Neutron

NSX OpenStack Security Integrations

[Figure (animated slide): NSX OpenStack Security Integration]

Micro-segmentation

Admin Rules

Policy

FWaaS

Port Security / Spoof Guard

Scale out control plane

Scale out Edge Cluster

Virtual Machine and Container Hosts

Distributed L3 at scale

Scale decoupled from vCenter

Intel DPDK Edge

Line Rate Packet Performance

L2 and L3 Redundancy

Redundant control plane and data plane

ESXi & KVM (RHEL & Ubuntu)

Independent NSX GUI

Multi-vCenter

NSXv Micro Segmentation and OpenStack


What is NSX Microsegmentation?

[Figure: Web, App and DB tiers]

Alignment of Policy Controls: Security and networking policy that travels with the workload, independent of physical network topology

Granular Policy Enforcement: Enabling least privilege security with policy enforced at every workload

Microsegmentation with Provider Networks using NSX

▪ Traditionally, network security has been enforced at the network perimeter, where a layer 3 boundary exists (firewall, router):

  ▪ Perimeter firewall cannot protect what it cannot see

  ▪ Traffic must be steered to security appliance

  ▪ Firewall policy controlled by security admin

▪ Neutron Security Groups and Neutron Port Security provide vNIC-level security protection:

  ▪ No traffic steering required

  ▪ vNIC-level stateful FW protection

  ▪ If using NSX, global security policy is controlled by security admin (Neutron Admin Rules): https://review.openstack.org/#/c/200847

[Figure: Neutron Security Group 1, Neutron Security Group 2 and Neutron Security Group 3, each with a controlled path between its workloads]

NSXv Policy

“As a NSX Admin I want the ability to define security policy in NSX which is then consumed by the Cloud User so that the Cloud User can secure their application. However, I don’t want the Cloud User to be able to set their own security policy or security rules as it is my firm’s policy to have only administrative staff set security policy and security rules.”

User Story

• The NSX admin creates security policies (under NSX -> Service Composer -> Security Policies) with firewall rules, service insertion, etc. for each tenant (or group of tenants)

• The cloud admin defines one of those policies as the default for new tenants (in the nsx.ini file)

• In addition, the cloud admin can define some policies as mandatory for some tenants, and other policies as optional for some tenants

• New VMs of this tenant will belong to the default policy automatically, and also get all the mandatory policies

• Each policy can be used for multiple tenants, and also for multiple security groups of the same tenant

• In addition, there will be an option (disabled by default) to allow the tenants to add their own rules in their security groups (which will be evaluated after the policies)


Workflow

• The NSX admin user will create some NSX policies

• The cloud admin user updates the nsx.ini file to enable this feature, chooses one of the policies as the default, sets it in the nsx.ini file, and restarts neutron:

    [nsxv]
    use_nsx_policies = True
    default_policy_id = policy-6
    allow_tenant_rules_with_policy = True / False


Workflow cont.

• Now there will be 4 types of security groups for each tenant:

– Default security group using the policy id from nsx.ini (cloud admin can change it to another policy or multiple policies)

– Provider security group with a policy, added automatically to each compute port (the tenant cannot remove it from the port)

– Optional security group with a policy, added manually to each compute port (the tenant can choose which groups to use for each port)

– If allow_tenant_rules_with_policy is True, the tenant can also create regular security groups with rules, and attach them to ports in addition.

• The cloud admin user will use OpenStack (or VIO) to create/update the policy security groups per tenant, to use a specific policy:

    neutron security-group-create/update --policy=<nsx-policy-id> <neutron-sec-group-id>


Workflow cont.

• When this is done, the plugin will create an NSX security group to which this policy is applied, and save it in the DB security group mapping (like a regular security group). In vSphere you can see it on the Policy Security Groups tab:


Workflow cont.

• When a VM is booted, the default security group (which now uses the policy) or a specific security group will be used as usual. In addition, the provider security groups of this tenant will also be used [mandatory; cannot be removed]

• In the OpenStack API, the user can see that a specific VM port is assigned to security group(s), and can see that a specific security group is assigned to a policy
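To make the policy workflow on the preceding slides concrete, here is an added Python model (not the NSXv Neutron plugin's code) of which security groups land on a new compute port: the default group bound to the policy from nsx.ini, the mandatory provider groups, any optional policy groups the tenant asked for, and regular rule groups only when allow_tenant_rules_with_policy is set. The [nsxv] option names are the slide's; the group kinds, the SecurityGroup/NsxvConfig fields, PortSecurityError, the tenant groups and the policy ids are assumptions constructed for the example.

```python
"""Model of how security groups land on a new compute port once NSX policies
are enabled through the [nsxv] section of nsx.ini (workflow slides above).
Added example, not the NSXv Neutron plugin's code: group kinds, field names
and PortSecurityError are illustrative; the nsx.ini keys are the slide's."""
import configparser
from dataclasses import dataclass
from typing import List, Optional

# Constructed nsx.ini fragment with the slide's option names and sample values.
NSX_INI = """
[nsxv]
use_nsx_policies = True
default_policy_id = policy-6
allow_tenant_rules_with_policy = False
"""


@dataclass(frozen=True)
class NsxvConfig:
    use_nsx_policies: bool
    default_policy_id: str
    allow_tenant_rules_with_policy: bool


def load_nsxv_config(ini_text: str) -> NsxvConfig:
    """Read the three policy-related keys from the [nsxv] section."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    sec = cp["nsxv"]
    return NsxvConfig(
        use_nsx_policies=sec.getboolean("use_nsx_policies", fallback=False),
        default_policy_id=sec.get("default_policy_id", fallback=""),
        allow_tenant_rules_with_policy=sec.getboolean(
            "allow_tenant_rules_with_policy", fallback=False),
    )


@dataclass(frozen=True)
class SecurityGroup:
    name: str
    kind: str                        # "default" | "provider" | "optional" | "regular"
    policy_id: Optional[str] = None  # NSX policy bound to the group; None for regular


class PortSecurityError(ValueError):
    """A tenant request that the policy model does not permit."""


def groups_for_new_port(cfg: NsxvConfig, tenant_groups: List[SecurityGroup],
                        requested: List[str]) -> List[SecurityGroup]:
    """Ordered groups applied to a booting VM's port.

    An empty 'requested' list means 'use the default group'.  Provider groups
    are always added.  Regular rule groups are honoured only when
    allow_tenant_rules_with_policy is True (the plugin evaluates them after
    the policies).
    """
    if not cfg.use_nsx_policies:
        raise PortSecurityError("use_nsx_policies is False in nsx.ini")
    known = {g.name for g in tenant_groups}
    unknown = [n for n in requested if n not in known]
    if unknown:
        raise PortSecurityError(f"unknown security group(s): {unknown}")

    applied: List[SecurityGroup] = []
    for g in tenant_groups:
        if g.kind == "default" and (not requested or g.name in requested):
            applied.append(g)
        elif g.kind == "provider":           # mandatory, regardless of request
            applied.append(g)
        elif g.kind == "optional" and g.name in requested:
            applied.append(g)
        elif g.kind == "regular" and g.name in requested:
            if not cfg.allow_tenant_rules_with_policy:
                raise PortSecurityError(
                    f"tenant rule groups are not allowed with policies: {g.name}")
            applied.append(g)
    return applied


def remove_group_from_port(port_groups: List[SecurityGroup],
                           name: str) -> List[SecurityGroup]:
    """Tenant detaches a group from a port; provider groups cannot be removed."""
    for g in port_groups:
        if g.name == name:
            if g.kind == "provider":
                raise PortSecurityError(f"{name} is a provider group and is mandatory")
            return [x for x in port_groups if x.name != name]
    raise PortSecurityError(f"{name} is not attached to the port")


# Constructed tenant; the policy ids are sample values, not real NSX objects.
TENANT_GROUPS = [
    SecurityGroup("default", "default", "policy-6"),
    SecurityGroup("corp-baseline", "provider", "policy-7"),
    SecurityGroup("web-tier", "optional", "policy-8"),
    SecurityGroup("my-rules", "regular"),
]


def demo() -> List[List[str]]:
    """Group names on a port booted with no request, and with 'web-tier' requested."""
    cfg = load_nsxv_config(NSX_INI)
    plain = groups_for_new_port(cfg, TENANT_GROUPS, [])
    web = groups_for_new_port(cfg, TENANT_GROUPS, ["web-tier"])
    return [[g.name for g in plain], [g.name for g in web]]


if __name__ == "__main__":
    print(demo())
```

Running the module prints the two group lists; the provider group corp-baseline appears on both ports even though neither request named it, and a request for the regular group my-rules raises PortSecurityError until allow_tenant_rules_with_policy is switched to True.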


Admin Rules

“As a NSX Admin I want my tenants to configure their security groups but I want the ability to override their rules.”

VIO 3.1 NSX Admin Policy

[Figure: VM]

• NSX administrators define security policies

• OpenStack Cloud Admin enforces the policy with cloud users

• Enables enhanced security insertion

• Assurance all workloads are developed and deployed based on standard IT security policies.


User Story

• Use security groups to explicitly block unwanted traffic.

• Create a new security group where the action is ‘Deny’. By default in Neutron the action is ‘Allow’ (imagine a dark piece of paper in which the tenant pricks holes to let traffic in). The admin can now close unwanted holes.

• API is restricted to Admin
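The “dark piece of paper” model above is easy to get wrong in practice, so here is an added Python example (not Neutron or NSX plugin code) that evaluates one ingress flow against a port's security groups: tenant groups only punch ‘Allow’ holes in a default-deny sheet, a ‘Deny’ group can only be created by an admin, and deny rules are checked before any tenant allow rule so an admin can close a hole the tenant opened. The Rule and SecurityGroup fields, the is_admin flag, the function names and the sample addresses are assumptions constructed for the example.

```python
"""Evaluation model for the Admin Rules slide: tenant security groups only
punch 'allow' holes in a default-deny sheet; an admin-only group whose action
is 'deny' closes holes and is checked before any tenant allow rule.
Added example, not Neutron or NSX plugin code: Rule/SecurityGroup fields, the
is_admin flag, the function names and all addresses are illustrative."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    protocol: str                    # "tcp", "udp", "icmp" or "any"
    port_min: Optional[int] = None   # None: any port
    port_max: Optional[int] = None
    remote_cidr: str = "0.0.0.0/0"   # source prefix the rule applies to

    def matches(self, proto: str, port: int, src_ip: str) -> bool:
        if self.protocol != "any" and self.protocol != proto:
            return False
        if self.port_min is not None and not (self.port_min <= port <= self.port_max):
            return False
        return ip_address(src_ip) in ip_network(self.remote_cidr)


@dataclass
class SecurityGroup:
    name: str
    action: str                      # "allow" (Neutron default) or "deny" (admin only)
    rules: List[Rule] = field(default_factory=list)


def create_security_group(name: str, action: str, is_admin: bool) -> SecurityGroup:
    """Only an admin may create a group whose action is 'deny'."""
    if action not in ("allow", "deny"):
        raise ValueError(f"unknown action {action!r}")
    if action == "deny" and not is_admin:
        raise PermissionError("deny security groups are restricted to admin")
    return SecurityGroup(name, action)


def evaluate_ingress(groups: List[SecurityGroup], proto: str, port: int, src_ip: str) -> str:
    """Return 'allow' or 'deny' for one ingress flow arriving at a port."""
    # Admin deny groups first: a match closes the hole whatever the tenant allowed.
    for g in groups:
        if g.action == "deny" and any(r.matches(proto, port, src_ip) for r in g.rules):
            return "deny"
    # Then the tenant's allow rules; anything they did not open stays blocked.
    for g in groups:
        if g.action == "allow" and any(r.matches(proto, port, src_ip) for r in g.rules):
            return "allow"
    return "deny"


def build_sample_port() -> List[SecurityGroup]:
    """Constructed port: the tenant opened 443 and 22 to the world; the admin
    closes the 22 hole again with a deny group."""
    tenant = create_security_group("web", "allow", is_admin=False)
    tenant.rules += [Rule("tcp", 443, 443), Rule("tcp", 22, 22)]
    admin = create_security_group("no-ssh-from-anywhere", "deny", is_admin=True)
    admin.rules.append(Rule("tcp", 22, 22, "0.0.0.0/0"))
    return [tenant, admin]


def demo() -> Dict[str, str]:
    """Decisions for a few constructed flows from 203.0.113.5 (documentation range)."""
    groups = build_sample_port()
    src = "203.0.113.5"
    return {
        "tcp/443": evaluate_ingress(groups, "tcp", 443, src),   # tenant hole: allow
        "tcp/22": evaluate_ingress(groups, "tcp", 22, src),     # admin closed it: deny
        "tcp/80": evaluate_ingress(groups, "tcp", 80, src),     # never opened: deny
    }


if __name__ == "__main__":
    for flow, decision in demo().items():
        print(f"{flow}: {decision}")
```

The ordering in evaluate_ingress is the whole point: if tenant allow rules were consulted first, the admin's deny group could never override a hole the tenant had opened.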


FWaaS:

• Neutron extension that provides a firewall feature set

• Tenant can create and manage firewall policies and rules

• The NSX plugin will invoke these on the edge routers

• Currently only FWaaS v1 is supported


Port security / Spoof guard

• Port-level security

• Anti-spoofing

• NSX leverages SpoofGuard to implement and enforce this

• Allowed address pairs – enables us to register additional ports with the same IP/MAC pair
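As an added illustration of the anti-spoofing check described on this slide (example code, not NSX SpoofGuard or Neutron code), the following Python model lets a port source traffic only from its fixed IP/MAC or from an allowed address pair registered on it, and shows two ports sharing one VIP IP/MAC pair. The Port fields, function names, MACs and addresses are all constructed assumptions.

```python
"""Model of the vNIC-level anti-spoofing check on the Port security / Spoof
guard slide: a port may source traffic only from its fixed IP/MAC plus the
allowed address pairs registered on it (e.g. a VIP shared by two ports).
Added example, not NSX SpoofGuard or Neutron code; Port fields, names and
all addresses are constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Port:
    port_id: str
    fixed_ip: str
    mac: str
    port_security_enabled: bool = True
    # (ip or cidr, mac) pairs the port may additionally use as a source
    allowed_address_pairs: List[Tuple[str, str]] = field(default_factory=list)


def add_allowed_address_pair(port: Port, ip_or_cidr: str, mac: Optional[str] = None) -> None:
    """Register an extra source address for the port (defaults to its own MAC)."""
    ip_network(ip_or_cidr, strict=False)            # reject malformed input early
    port.allowed_address_pairs.append((ip_or_cidr, (mac or port.mac).lower()))


def spoofguard_permits(port: Port, src_ip: str, src_mac: str) -> bool:
    """True if a frame with this source IP/MAC may leave the port."""
    if not port.port_security_enabled:              # port security off: no check
        return True
    src_mac = src_mac.lower()
    if src_mac == port.mac.lower() and src_ip == port.fixed_ip:
        return True
    addr = ip_address(src_ip)
    return any(src_mac == mac and addr in ip_network(net, strict=False)
               for net, mac in port.allowed_address_pairs)


def filter_frames(port: Port, frames: List[Tuple[str, str]]):
    """Split constructed (src_ip, src_mac) frames into (forwarded, dropped)."""
    forwarded = [f for f in frames if spoofguard_permits(port, *f)]
    dropped = [f for f in frames if f not in forwarded]
    return forwarded, dropped


# Constructed two-node cluster sharing a VIP: both ports register the same
# IP/MAC pair, which is what allowed address pairs make possible.
VIP = "10.0.0.100"
VIP_MAC = "fa:16:3e:00:00:ff"
PORT_A = Port("port-a", "10.0.0.11", "fa:16:3e:aa:bb:01")
PORT_B = Port("port-b", "10.0.0.12", "fa:16:3e:aa:bb:02")
for _p in (PORT_A, PORT_B):
    add_allowed_address_pair(_p, VIP, VIP_MAC)

SAMPLE_FRAMES = [
    ("10.0.0.11", "fa:16:3e:aa:bb:01"),   # port A's own address: forwarded
    (VIP, VIP_MAC),                       # the shared VIP: forwarded
    ("10.0.0.12", "fa:16:3e:aa:bb:01"),   # port B's IP sent from port A: spoofed
    ("10.0.0.11", "fa:16:3e:aa:bb:02"),   # own IP with a foreign MAC: spoofed
]

if __name__ == "__main__":
    fwd, drop = filter_frames(PORT_A, SAMPLE_FRAMES)
    print("forwarded:", fwd)
    print("dropped:", drop)
```

The check is per port, so the same VIP pair has to be registered on every port that may legitimately answer for it; a port with port security disabled bypasses the check entirely, which is why that setting deserves review.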


EMEA Customer Momentum for VMware NSX

Enterprises, Service Providers & Public Sector Organizations