Networking Architecture
Confidential │ ©2021 VMware, Inc.
Networking Architecture
VMC on AWS
November 2021
Agenda
• VMC on AWS Networking Design
• NSX-T Overview
• VMC on AWS SDDC and NSX-T
• L3 & L2 in the SDDC
• Gateway Services
• Intrinsic Security in the SDDC
• Visibility & Troubleshooting
VMC on AWS Networking Design – Overview
Partition Placement Groups (PPG) Ensure Resiliency
• AWS provides PPGs to control physical host rack placement
• Clusters automatically use these underlying constructs
• Hosts from different clusters may reside in the same rack
• Supports the maximum cluster size (16 hosts)
Each physical host is placed in a separate PPG to reduce impact of rack failure
[Diagram: four racks, with the hosts of Cluster-1 and Cluster-2 spread across them]
How are the hosts connected?
VMC on AWS Physical Networking
With VMware Cloud on AWS, Amazon directly administers the physical network that each ESXi host connects to.
AWS network hardware is configured with a maximum transmission unit (MTU) of at least 1600 bytes and with VLAN trunks.
VMware and AWS engineers work together to optimize the network.
Host Adapters
VMC on AWS Physical Networking
Amazon provides each host with one Elastic Network Adapter (ENA), instead of the traditional NIC. Each ENA provides 25 or 100 Gbps of bandwidth through multiple physical network connections.
VMware Cloud on AWS Physical Networking (2) – Host Adapters
Amazon provides each host with one Elastic Network Adapter (ENA), instead of the traditional NIC. Each ENA provides 25 Gbps of bandwidth through multiple physical network connections.
Isolation
VMC on AWS VPC
When a VMware Cloud on AWS SDDC is created, an AWS Virtual Private Cloud (VPC) is created.
Managed by VMware, this VPC is not configurable by administrators.
The VPC enforces logical isolation between VMware Cloud on AWS SDDCs and other AWS resources managed by the administrator.
Reserved IP Ranges – VMC on AWS

| Reserved IPs | Description |
|---|---|
| 10.0.0.0/15, 172.31.0.0/16 | These ranges are reserved within the SDDC management subnet, but can be used in your on-premises networks or in SDDC compute network segments. |
| 100.64.0.0/16 | Reserved for carrier-grade NAT per RFC 6598. Avoid using addresses in this range in SDDC networks or elsewhere; they are not likely to be reachable within the SDDC or from outside it. See VMware Knowledge Base article 76022 for a detailed breakdown of how SDDC networks use this address range. |
| 169.254.0.0/19, 169.254.64.0/24, 169.254.101.0/30, 169.254.105.0/24, 169.254.106.0/24 | Per RFC 3927, all of 169.254.0.0/16 is a link-local range that cannot be routed beyond a single subnet. However, with the exception of these CIDR blocks, you can use 169.254.0.0/16 addresses for your virtual tunnel interfaces. |
| 192.168.1.0/24 | This is the default compute segment CIDR for a single-host starter SDDC and is not reserved in other configurations. |
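The reserved ranges above are easy to collide with when planning segments and VPN tunnel addresses. The following Python check is an added example, not part of this deck or any VMware tooling: it encodes the table with the standard `ipaddress` module and classifies a proposed compute-segment CIDR (hard conflict, warning for management-only ranges, or clear) and a candidate link-local VTI address. Treating 192.168.1.0/24 as a conflict only for a single-host starter SDDC is this example's own interpretation of the last table row.

```python
import ipaddress

# Ranges from the reserved-IP table. 10.0.0.0/15 and 172.31.0.0/16 are reserved only in the
# management subnet and may still be used for compute segments, so they yield a warning.
MANAGEMENT_ONLY = [ipaddress.ip_network(c) for c in ("10.0.0.0/15", "172.31.0.0/16")]
RESERVED = [ipaddress.ip_network("100.64.0.0/16")]           # carrier-grade NAT, RFC 6598
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")          # RFC 3927, never a routed segment
LINK_LOCAL_RESERVED = [ipaddress.ip_network(c) for c in (   # blocks not usable for VTIs
    "169.254.0.0/19", "169.254.64.0/24", "169.254.101.0/30",
    "169.254.105.0/24", "169.254.106.0/24")]
STARTER_DEFAULT = ipaddress.ip_network("192.168.1.0/24")     # default segment of a 1-host starter SDDC


def check_segment(cidr, single_host_starter=False):
    """Classify a proposed compute-segment CIDR.

    Returns (status, reason) with status one of "conflict", "warn" or "ok".
    single_host_starter: assumption of this example - in a single-host starter SDDC the
    default 192.168.1.0/24 segment already exists, so a new segment on it conflicts.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    for r in RESERVED:
        if net.overlaps(r):
            return "conflict", f"{net} overlaps {r} (carrier-grade NAT, RFC 6598)"
    if net.overlaps(LINK_LOCAL):
        return "conflict", f"{net} is link-local (169.254.0.0/16) and cannot be a routed segment"
    if single_host_starter and net.overlaps(STARTER_DEFAULT):
        return "conflict", f"{net} overlaps the starter SDDC default segment {STARTER_DEFAULT}"
    for r in MANAGEMENT_ONLY:
        if net.overlaps(r):
            return "warn", f"{net} overlaps {r}, which is reserved in the management subnet only"
    return "ok", f"{net} does not overlap any reserved range"


def check_vti_address(addr):
    """Check whether a link-local address may be used for a VPN virtual tunnel interface.

    The table allows 169.254.0.0/16 for VTIs except the listed CIDR blocks.
    """
    ip = ipaddress.ip_address(addr)
    if ip not in LINK_LOCAL:
        return False, f"{ip} is not in 169.254.0.0/16"
    for r in LINK_LOCAL_RESERVED:
        if ip in r:
            return False, f"{ip} falls in reserved block {r}"
    return True, f"{ip} is usable for a VTI"


if __name__ == "__main__":
    for cidr in ("172.16.10.0/24", "10.1.0.0/24", "100.64.10.0/24", "169.254.200.0/24"):
        print(cidr, *check_segment(cidr))
    for addr in ("169.254.200.1", "169.254.105.5", "169.254.10.1"):
        print(addr, *check_vti_address(addr))
```

`ipaddress.ip_network(..., strict=False)` accepts host addresses with a prefix (e.g. `172.16.10.1/24`), which is how segment addresses are usually typed into the console; `overlaps()` catches both a proposed segment that is a subnet of a reserved block and one that contains it.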
Local connectivity via ENI
Connected VPC
How does it work? High-bandwidth, low-latency ENI connection between VPC and SDDC
• Traffic flows between the VMware SDDC and the AWS VPC through the ENI
• There are firewalls on both ends of this connection
• By default, no traffic is allowed in either direction
• No egress charges across the ENI within the same AZ
Consuming Native AWS Services – Use case: using an AWS Application Load Balancer to load balance web server VMs
[Diagram: SDDC (Edge, CGW, MGW, NSX, HCX, vCenter) connected to the Connected VPC]
Consuming Native AWS Services – Economical and high-throughput service consumption
[Diagram: the same SDDC and Connected VPC topology, used here for native service consumption]
NSX-T – Overview
Networking Inside the SDDC – Powered by VMware NSX-T
▪ Key features from on-premises brought to the cloud
▪ Networking
▪ Security
▪ Scalable and easy to consume networking
▪ Simplified Interface
▪ API access available
▪ Multiple connectivity options
NSX-T Networking and Security Services – Complete networking and security services in software
• Connectivity to physical
• Switching
• Routing
• DHCP
• NAT
• Gateway Firewalling
• VPN
• URL Filtering
• L4 – L7 Firewall
• Distributed IDS/IPS
• User ID Firewall
NSX-T Data Center Architecture View (1)
NSX-T Data Center components provide internal networking to the VMware Cloud on AWS SDDC.
NSX-T Data Center Architecture View (2)
NSX-T Data Center uses a Tier-0 router to provide external networking to the VMware Cloud on AWS SDDC.
NSX-T Data Center Architecture View (3)
NSX-T Data Center uses a Tier-0 router to provide connectivity between the VMware Cloud on AWS SDDC and other AWS services through ENIs.
NSX-T Distributed Firewall
• Enforces FW rules for all VMC on AWS workloads
• Static & dynamic grouping based on compute object, tags and user
• Stateful enforcement based on 5-tuple
• Micro-segmentation for overlay-backed workloads
• Context-aware firewall
• User ID firewall policies
• FQDN filtering
• Stateful distributed L2-L7 services for all workloads
[Diagram: the Distributed Firewall enforced in the Virtual Distributed Switch on each ESXi host]
NSX-T Distributed Firewall
[Diagram: traditional perimeter and inside firewalls in front of App, DMZ, Services (AD, NTP, DHCP, DNS, CERT) and DB zones, and Finance, Engineering and HR groups]
Micro-segmentation Simplifies Network Security
• Zero Trust/Least Privilege model
• Each VM can now be its own perimeter
• Policies align with logical groups
• Prevents threats from spreading
• Network topology agnostic
VMC on AWS and NSX-T – Overview
Quick & Simple Connectivity
Default Network Logical Topology
Default Network & Security Topology for every SDDC
• 1x Edge Router (HA pair) – T0
• 1x Management Gateway (MGW) (HA pair) – T1
• 1x Compute Gateway (CGW) (HA pair) – T1
• Firewall policy is created automatically based on the default topology and blocks traffic to and from the outside world
• i.e. vCenter is accessible only after a firewall policy allowing it is created
[Diagram: SDDC (MGW, CGW, Edge, NSX, vCenter, default segment 192.168.1.0/24) with paths to the Connected VPC (S3 endpoint, RDS, EC2, FSx, ELB) and to the Internet]
Networking Inside the SDDC – A Closer Look
[Diagram: SDDC with MGW, CGW, Edge, NSX and vCenter]
Edge Router
• All connectivity to workloads flows through the Edge
• Configured for Active/Standby to provide High Availability (HA)
Management Gateway
• Management traffic for vCenter, NSX, ESXi hosts, etc.
Compute Gateway
• Workload traffic, including network to network
Programmatic route configuration
• No routing protocol overhead
Pervasive security
• Edge firewall
• Distributed firewall
NSX User Interface – Overview
Simplified, easy to use interface
No need to be a network guru
Segments Inside the SDDC – Overlay Networks
DHCP Server
Networking & Security – DHCP Server Profiles
DHCP Relay
Networking & Security – DHCP Server Profiles
Networking & Security – Segments - Set DHCP Config
Networking and Security – Segment Statistics
Gateway Services – Firewall
Management Gateway and Compute Gateway
Firewall – Predefined & User Defined Groups
Gateway Services
Firewall – vCenter Access Policy
Gateway Services
Quick & Simple Connectivity
Accessing vCenter
Gateway Services – Route-based IPsec VPN
Route-based is the recommended L3 VPN in VMC on AWS
Uses BGP (dynamic routing protocol)
We will discuss further in Module 4
Gateway Services – Policy-based IPsec VPN
Policy-Based IPsec is favored when BGP isn’t an option due to:
• Hardware
• Corporate policy
• Technical proficiency
• Etc…
We will discuss this further in Module 4
NAT
Gateway Services
Intrinsic Security – Gateway Firewall (N/S Security)
Multiple layers of native security within the SDDC
Two levels of firewalling
• Gateway (perimeter) firewalls
• One for management
• One for compute
• Distributed firewalling
Establishing a Security Baseline
Distributed Firewall Design Topology
[Diagram: Internet, Edge and CGW in front of the SDDC; Web, App and DB tiers with hosts 172.16.10.10 to 172.16.10.13, micro-segmented by the DFW]
Establishing a Security Baseline
Group Definition
Group Options
Establishing a Security Baseline
Dynamic Membership in Distributed Firewall
Where do tags come from?
Establishing a Security Baseline
Distributed Firewall Rule
[Diagram: Internet, Edge and CGW in front of the SDDC, with Development and Production groups separated by a DFW rule]
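The DFW slides above describe three ideas that are easier to see in code than on a diagram: groups whose membership is computed from tags rather than addresses, stateful enforcement on the 5-tuple so that only the first packet of a flow is matched against rules, and a default-deny baseline with a Development/Production isolation rule. The Python model below is an added example written for this page; it is not NSX-T code and does not call the NSX API. The VM inventory, tags, IPs (reusing the 172.16.10.x addresses from the topology slide), group criteria and rule names are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed inventory: VM name -> (IP address, tags). In VMC on AWS the tags would come
# from NSX/vCenter; they are hard-coded here so the example runs offline.
VMS = {
    "web-01": ("172.16.10.10", {"tier": "web", "env": "prod"}),
    "app-01": ("172.16.10.11", {"tier": "app", "env": "prod"}),
    "db-01":  ("172.16.10.12", {"tier": "db",  "env": "prod"}),
    "dev-01": ("172.16.10.13", {"tier": "app", "env": "dev"}),
}

# Groups are defined by tag criteria, not by IP. Membership is recomputed on every lookup,
# so retagging a VM moves it between groups without editing any rule.
GROUPS = {
    "Web-Tier":    {"tier": "web"},
    "App-Tier":    {"tier": "app"},
    "DB-Tier":     {"tier": "db"},
    "Production":  {"env": "prod"},
    "Development": {"env": "dev"},
}


def members(group):
    """Resolve a dynamic group to the set of member IPs from the current tags."""
    criteria = GROUPS[group]
    return {ip for _, (ip, tags) in VMS.items()
            if all(tags.get(k) == v for k, v in criteria.items())}


def retag(vm, **tags):
    """Change a VM's tags (e.g. promote dev-01 to prod); groups pick it up automatically."""
    ip, old = VMS[vm]
    VMS[vm] = (ip, {**old, **tags})


@dataclass
class Rule:
    name: str
    src: Optional[str]    # group name, or None for any source
    dst: Optional[str]    # group name, or None for any destination
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None matches any destination port
    action: str           # "allow" or "drop"


# First match wins, so the dev/prod isolation rule sits above the tier allow rules:
# dev-01 is also in App-Tier and would otherwise be let through by app-to-db.
RULES = [
    Rule("no-dev-to-prod", "Development", "Production", "any", None, "drop"),
    Rule("web-to-app",     "Web-Tier",    "App-Tier",   "tcp", 8443, "allow"),
    Rule("app-to-db",      "App-Tier",    "DB-Tier",    "tcp", 3306, "allow"),
    Rule("default-deny",   None,          None,         "any", None, "drop"),
]


def in_group(group, ip):
    return group is None or ip in members(group)


def match_rule(flow):
    """Return the first rule matching a 5-tuple (src, dst, proto, sport, dport)."""
    src, dst, proto, _sport, dport = flow
    for r in RULES:
        if (in_group(r.src, src) and in_group(r.dst, dst)
                and r.proto in ("any", proto)
                and (r.dport is None or r.dport == dport)):
            return r
    raise AssertionError("the default-deny rule must always match")


class StatefulDFW:
    """Stateful enforcement: the first packet of a flow is evaluated against the rules;
    return traffic of an allowed flow passes on the connection-table entry, while an
    unsolicited packet in the reverse direction is evaluated (and dropped) on its own."""

    def __init__(self):
        self.conntrack = set()

    def process(self, flow):
        src, dst, proto, sport, dport = flow
        if (dst, src, proto, dport, sport) in self.conntrack:
            return "allow", "established"
        rule = match_rule(flow)
        if rule.action == "allow":
            self.conntrack.add(flow)
        return rule.action, rule.name


if __name__ == "__main__":
    fw = StatefulDFW()
    for flow in (("172.16.10.10", "172.16.10.11", "tcp", 51000, 8443),
                 ("172.16.10.11", "172.16.10.10", "tcp", 8443, 51000),
                 ("172.16.10.13", "172.16.10.12", "tcp", 53000, 3306)):
        print(flow, "->", fw.process(flow))
```

The rule-ordering comment is the practical point: a VM can be a member of several groups at once (dev-01 is in both App-Tier and Development), and a first-match firewall applies whichever rule is listed first, so isolation rules belong above the application allow rules.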
Networking and Security – DFW Time Based Policy
Operations – IPFIX
Collect stats on network traffic
Tools for Better Visibility
Firewall Logging in VMware Cloud on AWS
Configuration of logging can be done per-rule by clicking the gear icon to the right of the rule
Compute Gateway Rule
Distributed Firewall Rule
vRealize Log Insight Cloud for VMware Cloud on AWS – Tools for Better Visibility
vRealize Log Insight Cloud (Firewall Logs)
• Identify traffic patterns – monitor the traffic being allowed or dropped
• Maintain security – identify, monitor and tune the firewall policies based on the observed traffic patterns
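The two bullets above (see what is allowed or dropped, then tune the policy) are what a log pipeline has to support once per-rule logging is switched on. The Python below is an added example, not part of the deck and not vRealize Log Insight Cloud code: it parses a handful of constructed log lines in a simplified `key=value` format (not the exact NSX log format), counts hits per firewall and rule, surfaces flows that are dropped repeatedly, and lists configured rules that never matched. The rule names, addresses and the `legacy-ftp` rule are all made up for the example.

```python
import re
from collections import Counter

# Constructed sample lines in a simplified key=value format. "dfw" lines are distributed
# firewall events, "cgw" lines are compute gateway events; this is not the real NSX format.
SAMPLE_LOG = """\
2021-11-10T10:00:01Z dfw rule=web-to-app action=PASS proto=TCP src=172.16.10.10:51000 dst=172.16.10.11:8443
2021-11-10T10:00:02Z dfw rule=app-to-db action=PASS proto=TCP src=172.16.10.11:52000 dst=172.16.10.12:3306
2021-11-10T10:00:03Z dfw rule=default-deny action=DROP proto=TCP src=172.16.10.13:53000 dst=172.16.10.12:3306
2021-11-10T10:00:04Z dfw rule=default-deny action=DROP proto=TCP src=172.16.10.13:53001 dst=172.16.10.12:3306
2021-11-10T10:00:05Z dfw rule=default-deny action=DROP proto=TCP src=172.16.10.13:53002 dst=172.16.10.12:3306
2021-11-10T10:00:06Z cgw rule=internet-to-web action=PASS proto=TCP src=203.0.113.7:40000 dst=172.16.10.10:443
2021-11-10T10:00:07Z cgw rule=default-deny action=DROP proto=TCP src=198.51.100.9:40001 dst=172.16.10.10:22
2021-11-10T10:00:08Z dfw rule=default-deny action=DROP proto=UDP src=172.16.10.10:5353 dst=172.16.10.11:53
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<fw>\S+) rule=(?P<rule>\S+) action=(?P<action>PASS|DROP) "
    r"proto=(?P<proto>\S+) src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse(text):
    """Parse log text into a list of dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def rule_hits(events):
    """Count events per (firewall, rule, action) so busy drops and quiet rules stand out."""
    return Counter((e["fw"], e["rule"], e["action"]) for e in events)


def repeated_drops(events, threshold=3):
    """Flows (src, dst, proto, dport) dropped at least `threshold` times.

    A repeated drop is either an application missing an allow rule or a policy doing its
    job (here dev-01 repeatedly reaching for the production database); both deserve a look.
    """
    c = Counter((e["src"], e["dst"], e["proto"], e["dport"])
                for e in events if e["action"] == "DROP")
    return {flow: n for flow, n in c.items() if n >= threshold}


def unused_rules(configured, events):
    """Configured rule names that never appear in the logs: candidates for review or removal."""
    seen = {e["rule"] for e in events}
    return sorted(set(configured) - seen)


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for key, n in sorted(rule_hits(evs).items()):
        print(key, n)
    print("repeated drops:", repeated_drops(evs))
    print("unused rules:", unused_rules(
        ["web-to-app", "app-to-db", "legacy-ftp", "default-deny", "internet-to-web"], evs))
```

Keeping the gateway (`cgw`) and distributed (`dfw`) events in one table but keyed by firewall matters for the tuning step: a drop at the gateway from an Internet address is expected baseline noise, whereas a drop between two SDDC workloads is usually either a misconfiguration or the isolation policy catching something, and the two should be triaged differently.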
Lab 3: SDDC Networking & Native AWS Integration
1. Enable Photo App access to native AWS services
2. Enable public (internet) access to Photo App
3. Configure Photo App to consume AWS RDS
4. Test the Photo App application
5. Configure Photo App consumption of AWS EFS (shared file system) ***OPTIONAL
6. Configure an AWS Application Load Balancer (ALB) to load balance Photo App VMs ***OPTIONAL
[Diagram: SDDC (Edge, CGW, MGW, NSX, HCX, vCenter) with the Desktop-Net and Demo-Net segments, connected to the Connected VPC]
Thank You