Pivotal Cloud Foundry + NSX


Transcript of Pivotal Cloud Foundry + NSX

Page 1: Pivotal Cloud Foundry + NSX

CONFIDENTIAL

NSX Use-Cases for Pivotal


• Agility Provision new networks and services without touching the physical infrastructure.

• Repeatability Automate once, use multiple times to stand up multiple installations

• Availability Built-in NSX as well as VMware HA/anti-affinity features can be used

• Network Services LB, NAT, Centralized Routing, Perimeter firewalling available on the same VM appliance.

• Co-existence Each Pivotal installation can co-exist as a tenant with legacy/other workloads using NSX.

• Security Edge Firewalling, DFW, Security Groups (BOSH integration)

• BOSH integration Dynamic inclusion of BOSH provisioned VMs into NSX Security Groups

• Monitoring Tools & vSphere ecosystem VRNI, vRealize Operations with Blue Medora content pack.

Page 2: Pivotal Cloud Foundry + NSX


Network Automation

“I need to carve out networks for my Pivotal foundation.”

Programmatic network provisioning without touching the physical infra.

Define VXLAN logical switches and run Pivotal foundations on overlay networks.

Diagram: a PCF Foundation attached to four logical switches: PCF_Infra Logical Switch, PCF_ERT Logical Switch, PCF_Tiles Logical Switch and PCF_Services Logical Switch.

Page 3: Pivotal Cloud Foundry + NSX

Network Services: Load Balancing

“I need to frontend my PCF installation with a highly available feature-rich Load Balancer”

• Software Load Balancer: L4, L7, Health Check

• SSL Certificate Offload

• Built-in High Availability

Diagram: an NSX ESG load balancing the PCF Go Router VM Pool (three GoRouter VMs) in front of the PCF Foundation.

Page 4: Pivotal Cloud Foundry + NSX

Network Services: NAT

“Pivotal Elastic Runtime requires a lot of IP addresses. I want to preserve my routable IP space addresses and only expose CF endpoints which need exposure using SNAT/DNAT”

• Programmatic network provisioning of additional PCF foundations using overlapping IP space

• Use of non-routed networks with DNAT/SNAT to limit exposure to CF endpoints.

Diagram: the PCF Foundation sits behind an ESG deployed in HA mode providing Edge Load Balancing, Perimeter Firewall and NAT, with a VPN to the outside.

Page 5: Pivotal Cloud Foundry + NSX

Security: Edge Firewall

“I would like to use NSX’s Perimeter firewall capabilities to protect ingress inside my PCF Installation”

Perimeter rules shown on the slide:

• Allow Ingress -> Ops Manager: 80/443/25555/22

• Allow Ingress -> Elastic Runtime: 80/443/22

• Allow Egress -> DNS, LDAP, Syslog ……………….: 53, 389, 636

Diagram: the NSX ESG in front of the PCF Go Router VM Pool (three GoRouter VMs).

Page 6: Pivotal Cloud Foundry + NSX

Network Services: Routing

“Distributed Routing can be used to optimize E-W traffic”

“N/S Routing from the ESG to NorthBound”

App-to-App traffic trombones through the LB and is always N-S. DLR can be used to optimize E-W traffic; routing can be enabled for N-S traffic.

Diagram: the PCF Foundation with its PCF_Infra, PCF_ERT, PCF_Tiles and PCF_Services logical switches behind an ESG deployed in HA mode (LB, Edge Firewall, N/S Routing), with a VPN to the External Network.

Page 7: Pivotal Cloud Foundry + NSX

Co-existence with legacy workloads: 2 tier NSX+PCF Design

• 2 Tier Design

• Each Pivotal Installation is a tenant in existing DC

• Tenant ESG (A/S) per PCF Foundation connect to the 2nd Tier of Provider ECMP Edges

• With NAT (Overlapping IP addresses)

Diagram: Physical Network -> ECMP NSX Edges (E1, E2, E3, E4) -> Transit LS -> one tenant ESG each for PCF Dev and PCF Prod (each deployed in HA mode with LB, NAT, Edge Firewall, N/S Routing and VPN), alongside Non PCF Tenants on the same transit.

Page 8: Pivotal Cloud Foundry + NSX

Co-existence with legacy workloads: Routed Topology

• 2 Tier Design

• Each Pivotal Installation is a tenant in existing DC

• Tenant ESG (A/S) per PCF Foundation connect to the 2nd Tier of Provider ECMP Edges

• Routed topology (No overlapping IP addresses)

Diagram: Physical Network -> ECMP NSX Edges (E1, E2, E3, E4) -> Transit LS -> one tenant ESG each for PCF Dev and PCF Prod (each deployed in HA mode with LB, Edge Firewall, N/S Routing and VPN, no NAT), alongside Non PCF Tenants on the same transit.

Page 9: Pivotal Cloud Foundry + NSX


Security Tools

• Use vRealize Network Insight or NSX Application Rule Manager to understand E-W traffic flows within the PCF Installation

• Use Edge firewall to secure any ingress/egress to the PCF Installation

• Use DFW and dynamic member inclusion to secure the elastic PCF Environment
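The Edge Firewall slide lists perimeter rules and this slide, together with the BOSH-integration bullet on the first slide, describes DFW security groups whose members are included dynamically. The following added example (not code from the deck, Pivotal or VMware) models both as plain Python so the behaviour can be checked offline: rules are data, a VM belongs to a group whenever it carries the group's tag, and an unmatched flow is denied. Group names, tag names and the inventory are constructed; the ports come from the slides, except the router-to-cell rule, which is constructed around the app port 60012 from the networking recap.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Rule:
    name: str
    src: str          # security-group name, "external" or "any"
    dst: str
    ports: frozenset  # destination TCP ports
    action: str = "allow"

# Dynamic inclusion: a VM is in a security group iff it carries the group's
# tag. Group and tag names are constructed; the slides only say BOSH-provisioned
# VMs are pulled into NSX Security Groups.
GROUPS = {
    "sg-ops-manager": "pcf:role=ops-manager",
    "sg-gorouter": "bosh:job=router",
    "sg-diego-cell": "bosh:job=diego_cell",
}
def group_members(inventory, group):
    """inventory: {vm_name: set_of_tags}. Membership is recomputed on every
    call, so a VM that BOSH adds or recreates is covered without a rule edit."""
    return {vm for vm, tags in inventory.items() if GROUPS[group] in tags}
def in_group(endpoint, group, inventory):
    if group == "any":
        return True
    if group == "external":  # anything that is not a foundation VM
        return endpoint not in inventory
    return endpoint in group_members(inventory, group)
def evaluate(rules, inventory, src, dst, port):
    """First matching rule wins; no match is the default deny."""
    for r in rules:
        if (in_group(src, r.src, inventory) and in_group(dst, r.dst, inventory)
                and port in r.ports):
            return r.action, r.name
    return "deny", "default-deny"

# Ingress rules from the Edge Firewall slide as data; its egress rule is left
# out because the syslog port is elided there. The router-to-cell rule is
# constructed, using the app port 60012 from the networking recap slide.
RULES = [
    Rule("ingress-opsman", "external", "sg-ops-manager", frozenset({80, 443, 25555, 22})),
    Rule("ingress-ert", "external", "sg-gorouter", frozenset({80, 443, 22})),
    Rule("router-to-cell", "sg-gorouter", "sg-diego-cell", frozenset({60012})),
]
# Constructed inventory of foundation VMs with the tags BOSH would stamp.
INVENTORY = {
    "ops-manager": {"pcf:role=ops-manager"},
    "router/0": {"bosh:job=router", "bosh:deployment=cf"},
    "diego_cell/0": {"bosh:job=diego_cell", "bosh:deployment=cf"},
}
```

Adding a second Diego cell to the inventory with the same tag makes it reachable from the routers under the existing rule, while an external client still cannot reach a cell or the BOSH port on a router.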

Page 10: Pivotal Cloud Foundry + NSX


NSX Application Rule Manager : Flow Analysis

Diego Cell accessing the Load Balancer VIP on Port 443

Page 11: Pivotal Cloud Foundry + NSX


vRealize Network Insight: PCF ERT Security Recommendations

Page 12: Pivotal Cloud Foundry + NSX


Visibility: vRealize Operations + BlueMedora Content Pack

Dashboards to monitor the health of various Pivotal Cloud Foundry components

Page 13: Pivotal Cloud Foundry + NSX

Reference Slides

Page 14: Pivotal Cloud Foundry + NSX

Pivotal + NSX Reference Design

https://github.com/pivotal-cf/landingpage/blob/master/vsphere/PCF-NSX-Cookbook.md

Page 15: Pivotal Cloud Foundry + NSX

Cloud Foundry Networking Recap: Inbound access to App

Domains: *.pcf-apps.corp.local -> App domain; *.pcf-sys.corp.local -> System domain.

Diagram: a request for web-app.pcf-apps.corp.local enters through the Edge Services Gateway and is passed to the PCF Go Router Pool (Go Router1, Go Router2, Go Router3). The Go Router port-maps it to App A on the Diego Cell VM (VM IP address 172.16.90.18/24, App A: port 60012), i.e. 172.16.90.18:60012. Inside the Diego Cell VM the web-app container (192.168.100.100) sits on the guest vSwitch alongside the App2 container.