SDDC and Network Virtualization via VCAN - rhipe.com
SDDC and Network Virtualization via VCAN
John Kuan | Senior Systems Engineer | VMware
Cloud Channel Summit 2015 | @rhipecloud #RCCS15
Enterprise business leaders want their IT to be like Amazon
No IT
Outsourced
New IT
Internal/Hybrid
or
Hardware Defined Data Center (HDDC)
Software Defined Data Center (SDDC)
or
Data Center Virtualization Layer
Intelligence in Software
Operational Model of VM for Data Center
Automated Configuration & Management
Intelligence in Hardware
Dedicated, Vendor Specific Infrastructure
Manual Configuration & Management
Software
Hardware
Compute, Network and Storage Capacity
Pooled, Vendor Independent, Best Price/Performance Infrastructure
Simplified Configuration & Management
What is a Software Defined Data Center (SDDC)?
Taking what we have learned . . .
Software
Hardware
Virtual Machines
Compute Capacity
Network
Storage
Applications
Server virtualization
• Intelligence in the virtualization layer
• Vendor independent x86 capacity
• Transformative operational model
• Automated configuration & management
Intelligence in hardware
Dedicated, vendor specific infrastructure
Manual configuration & management
Manual Operational Model
Automated Operational Model
Programmatically Create, Snapshot, Store, Move, Delete, Restore
To deliver a Software Defined Data Center approach
Software
Hardware
Virtual Machines
Virtual Networks
Virtual Storage
Compute Capacity
Network Capacity
Storage Capacity
Applications
Location Independence
Data Center Virtualization
Pooled compute, network and storage capacity
Vendor independent, best price/performance
Simplified configuration & management
Automated Operational Model
Programmatically Create, Snapshot, Store, Move, Delete, Restore
The approach taken by the most agile & efficient data centers is SDDC
Custom Application
Google / Facebook / Amazon Data Centers
Custom Platform
Any x86
Any Storage
Any IP network
Software / Hardware Abstraction
Software / Hardware Abstraction
The Choice for “New IT” – SDDC or HDDC
Custom Application
Google / Facebook / Amazon Data Centers
Custom Platform
Any x86
Any Storage
Any IP network
Software / Hardware Abstraction
Software / Hardware Abstraction
Hardware Defined Data Center (HDDC)
Any Application
HDDC Platform
Integrated x86
Integrated Storage
Vendor Specific Network
Vertical Integration
Software Defined Data Center (SDDC)
Any Application
SDDC Platform
Any x86
Any Storage
Any IP network
Data Center Virtualization
SDDC Within, Between and Across Data Centers
Software Defined Data Center (SDDC)
Any Application
SDDC Platform
Any x86
Any Storage
Any IP network
Data Center Virtualization
Inter- Data Center
Any Application
Any x86
Any Storage
Any IP network
Hybrid- Data Center
Any Application
Any x86
Any Storage
Any IP network
SDDC Platform
Software Defined Data Center Deployed
Web Tier
App Tier
DB Tier
L3 Subnet
L3 Subnet
L3 Subnet
All Software Construct
Physical Network
NAT
Internet
NSX Delivers the Operational Model of a VM for the Network
• Abstracts, pools, automates networking for the SDDC
• Faithful reproduction of L2/3 networking, L4-7 services
• Runs across existing/any networking hardware
• Scale out/distributed switching, routing, firewalling
• Seamless service insertion for application delivery, security, network security partners
53%
Dec. 2013 Gartner Data Center Conference Poll
Who do you see as your primary Software Defined Infrastructure Vendor?
VMware: 52.56%
Cisco: 21.31%
Red Hat: 6.56%
HP: 4.92%
Microsoft: 4.92%
VCE: 4.92%
IBM: 3.28%
Citrix: 1.64%
Oracle: 0%
“Cisco's ACI delivers tactical benefits, but lacks strategic value”
Gartner Report
The New Normal
A More Secure Data Center
Cloud Channel Summit 2015 | @rhipecloud #RCCS15
Leveraging the Power of SDDC Network & Security Services Distribution for Data Center Micro-Segmentation
Problem: Data Center Network Security
Perimeter-centric network security has proven insufficient, and micro-segmentation is operationally infeasible
Little or no lateral controls inside perimeter
Internet Internet
Insufficient
Operationally Infeasible
Solution: Leverage SDDC Approach for Micro-Segmentation
• Hypervisor-based, in-kernel distributed firewalling
• Platform-based automated provisioning and workload adds/moves/changes
Internet
Security Policy
Perimeter Firewalls
Cloud Management Platform
NSX Distributed Firewalling Performance
20 Gbps Per Host of Firewall Performance with Negligible CPU Impact
NSX Distributed Firewalling Performance
80K CPS with 100+ Rules per Host
A Typical Virtual Appliance does ~6K CPS per VM
A Physical Appliance performs 300K – 400K CPS per appliance
SDDC Platform | Native Security Capabilities
Hypervisor-based, in-kernel distributed firewalling
• High throughput rates on a per hypervisor basis
• Every hypervisor adds additional east-west firewalling capacity
• Native feature of the VMware NSX platform
Platform-based automation
• Automated provisioning and workload adds/moves/changes
• Accurate firewall policies follow workloads as they move
20 Gbps firewalling throughput per host
Data center micro-segmentation becomes operationally feasible
Dev
Test
Production
Isolation
Web
App
DB
No Communication Path
Controlled Communication Path
Web
App
DB
Advanced Services
Controlled Communication Path
Segmentation
Segmentation with Advanced Services
Advanced Services Insertion – Example: Palo Alto Networks NGFW
Internet
Security Policy
Security Admin
Traffic Steering
Automated Security in a Software Defined Data Center
Quarantine Vulnerable Systems until Remediated
Security Group = Quarantine Zone
Members = {Tag = ‘ANTI_VIRUS.VirusFound’, L2 Isolated Network}
Security Group = Web Tier
Policy Definition
Standard Desktop VM Policy
Anti-Virus – Scan
Quarantined VM Policy
Firewall – Block all except security tools
Anti-Virus – Scan and remediate
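The segmentation slides (Web/App/DB with a "No Communication Path" default and a "Controlled Communication Path" between tiers, Dev/Test/Production isolation) and the quarantine slide above describe one mechanism: security-group membership is computed from workload tags, and firewall rules are written against groups rather than addresses. The following is an added example, not code from the presentation or from VMware, and it does not use the NSX API: it is a small Python model of that evaluation. The group names, tag strings (e.g. tier:web, env:prod, role:security-tool) and ports are assumptions; only the ‘ANTI_VIRUS.VirusFound’ tag and the "block all except security tools" rule come from the slide.

```python
"""
Toy model of tag-driven micro-segmentation (added example, not VMware's
implementation). Group membership is re-derived from the VM's tags on every
evaluation, so tagging a VM 'ANTI_VIRUS.VirusFound' moves it into the
Quarantine Zone immediately, and rules never key on IP addresses, so the
decision follows the workload when it moves hosts or networks.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set


@dataclass
class VM:
    name: str
    tags: Set[str] = field(default_factory=set)
    ip: str = "0.0.0.0"  # informational only: no rule below looks at it


# Security groups with dynamic membership (assumed names and tags).
GROUPS: Dict[str, Callable[[VM], bool]] = {
    "Any": lambda vm: True,
    "Quarantine Zone": lambda vm: "ANTI_VIRUS.VirusFound" in vm.tags,
    "Security Tools": lambda vm: "role:security-tool" in vm.tags,
    "Web Tier": lambda vm: "tier:web" in vm.tags,
    "App Tier": lambda vm: "tier:app" in vm.tags,
    "DB Tier": lambda vm: "tier:db" in vm.tags,
}


def member_groups(vm: VM) -> Set[str]:
    """All groups whose predicate currently holds for this VM."""
    return {name for name, pred in GROUPS.items() if pred(vm)}


def environment(vm: VM) -> Optional[str]:
    """Value of the VM's env:* tag (dev/test/prod), or None if untagged."""
    for tag in vm.tags:
        if tag.startswith("env:"):
            return tag.split(":", 1)[1]
    return None


@dataclass
class Rule:
    src: str                    # source security group
    dst: str                    # destination security group
    action: str                 # "allow" or "deny"
    port: Optional[int] = None  # None matches any destination port
    same_env: bool = False      # only match when both VMs share an env tag


# First match wins. Anything unmatched falls through to the default deny,
# which is the "No Communication Path" state between tiers and environments.
POLICY: List[Rule] = [
    # Quarantined VM policy: block everything except the security tools.
    Rule("Security Tools", "Quarantine Zone", "allow"),
    Rule("Quarantine Zone", "Security Tools", "allow"),
    Rule("Any", "Quarantine Zone", "deny"),
    Rule("Quarantine Zone", "Any", "deny"),
    # Controlled Communication Path for the three-tier app, one environment only.
    Rule("Web Tier", "App Tier", "allow", port=8080, same_env=True),
    Rule("App Tier", "DB Tier", "allow", port=3306, same_env=True),
]


def evaluate(src: VM, dst: VM, port: int, policy: List[Rule] = POLICY) -> str:
    """Return "allow" or "deny" for a src -> dst:port flow under the policy."""
    src_groups, dst_groups = member_groups(src), member_groups(dst)
    for rule in policy:
        if rule.src not in src_groups or rule.dst not in dst_groups:
            continue
        if rule.port is not None and rule.port != port:
            continue
        if rule.same_env and (environment(src) is None
                              or environment(src) != environment(dst)):
            continue
        return rule.action
    return "deny"


def vmotion(vm: VM, new_ip: str) -> VM:
    """Simulate a workload move: only the address changes, identity stays."""
    vm.ip = new_ip
    return vm


if __name__ == "__main__":
    # Constructed sample inventory.
    web = VM("web-01", {"tier:web", "env:prod"}, "10.1.1.10")
    app = VM("app-01", {"tier:app", "env:prod"}, "10.1.2.10")
    db = VM("db-01", {"tier:db", "env:prod"}, "10.1.3.10")
    scanner = VM("av-scanner", {"role:security-tool"}, "10.9.9.9")
    print("web -> app:8080 ", evaluate(web, app, 8080))   # allow
    print("web -> db:3306  ", evaluate(web, db, 3306))    # deny (no path)
    vmotion(web, "10.1.7.77")
    print("after move      ", evaluate(web, app, 8080))   # still allow
    web.tags.add("ANTI_VIRUS.VirusFound")                 # AV detection fires
    print("quarantined     ", evaluate(web, app, 8080))   # deny
    print("scanner -> web  ", evaluate(scanner, web, 443))  # allow
```

Two points the slides make show up directly in the evaluation order: the quarantine rules sit at the top so a tag change overrides the normal tier rules without editing them, and the default deny at the end means a new VM gets no connectivity until it is tagged into a tier and environment.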
SDDC Platform Enables a More Secure Data Center
Micro-segmentation now possible in dynamic, multi-tenant environment
• High performance, in-kernel distributed firewalling
• Platform-based automation
• Integration with best-of-breed security partners (e.g., Palo Alto Networks)
© 2014 VMware Inc. All rights reserved. @rhipecloud #RCCS15
Thank you!
www.rhipe.com