VMworld 2013: Virtualized Network Services Model with VMware NSX

Post on 05-Dec-2014


VMworld 2013. Speakers: Arun Goel, VMware; Serge Maskalik, VMware. Learn more about VMworld and register at http://www.vmworld.com/index.jspa?src=socmed-vmworld-slideshare

Transcript of VMworld 2013: Virtualized Network Services Model with VMware NSX

Virtualized Network Services Model with VMware NSX

Arun Goel, VMware

Serge Maskalik, VMware

NET5270

#NET5270

Agenda

Introduction

NSX Edge Gateway
• Routing & Firewalling
• LB
• VPN

Scale & Operations

vCloud Hybrid Service Deployment

Introduction

What is this session about?

[Diagram: NSX architecture. Any network hardware underneath; hypervisors (VMware vSphere®, KVM, XEN, Hyper-V) hosting VMs; NSX Controller & NSX Manager exposing the NSX API; the NSX Edge Gateway providing L2 Gateway, L3 Gateway, Firewall, ADC/LB, Endpoint Security and VPN services; consumed by VMware vCD® and VMware vCAC®.]

Drivers – Cloud Scale and Agility
• Rapidly provision at any point in the network
• Self-Service with tenant isolation

Cloud requires Automation
• Build for machines – REST APIs, not CLI
• Standard hardware – x86, not ASICs

Automation needs the ability to Reproduce
• Simple feature set – cloud use cases with High Availability & Performance
• Single Management Plane – simplify operations

Replication needs Simplification

Simplify, Reproduce and Automate to achieve Cloud Scale

Use Cases

[Diagram: a Web/App/DB application behind a perimeter NSX Edge (HA, FW, NAT, VPN, LB services) connected to External Networks via OSPF and BGP; an L2 Bridge between a Bridged Logical Switch and a Bridged VLAN; a VM Transit Logical Switch; a Management VLAN; an L2 VPN; a Logical Distributed Router with LB connecting the Web, App and DB tiers.]

The Services Journey

Timeline: 2010, 2011, 2012, 2013
Adoption stages: Science Fiction, Innovators, Early Adopters, Early Majority¹, Mainstream²

Feature sets shown on the timeline:

• Baseline FW/Router
• LB – Scale, Performance, SSL, L7++
• 10G Firewall
• L2VPN
• Dynamic Routing – OSPF, BGP, IS-IS
• IPv6

• Enterprise Grade Firewall
• L7 LB
• SSL VPN
• Advanced NAT
• Static Routing
• Compliance
• Certifications
• IPSec VPN – H/W Accel

• Enhanced FW
• Basic LB
• Basic VPN
• Basic NAT

¹ Bundled with vCloud Suites
² Fortune 50 in Production

Edge Gateway Highlights

NSX Edge Gateway
• Multi-tenant/multi-context
• Optimal placement
• Run-time re-balancing
• Perpetual redundancy
• Advanced resource isolation
• Scalable MGMT – 2500 multi-tenant instances

Best of Breed
• AES256 2Gb/s, 100k CPS FW/NAT/LB, 10Gb/s+ per tenant
• 512 Edge contexts per node maximum X nodes in rack
• 960Gb/s encryption & 300 Gb/s FW/NAT/LB per rack
• Reasonable way to get to 500M concurrent connections
• State-of-the-art resource/perf isolation via vSphere
• Best placement, dynamic balancing, 1+1 redundancy

NSX Edge Gateway

NSX Edge Gateway: Cloud ready integrated network services

[Diagram: an NSX Edge Gateway providing Firewall, Load Balancer, VPN, Routing and L2/L3 Gateway services in front of VMs.]

Overview
• Integrated L3 – L7 services from VMware
• Virtual appliance model allows cloud agility and scale-out

Benefits
• Real-time service instantiation
• Support for dynamic service differentiation per tenant/application
• Uses x86 compute capacity

Logical Firewall/Routing

Features
• OSPF/eBGP/iBGP/IS-IS
• Virtualization and identity context firewall

Scale & Performance
• Remove hairpins and bottlenecks
• Line-rate performance with distributed scale-out architecture

Use Cases
• Create on-demand networks to speed up application provisioning

[Diagram: L2 segments for Tenant A, Tenant B and Tenant C.]

Attend the following sessions for more details:
• SEC5293
• SEC5294
• NET5266

Logical Firewall

[Diagram: a vApp with WebServer, AppServer and DbServer on a vApp Network, with Deny and Allow firewall rules shown.]

Logical Load Balancing

[Diagram: a load balancer distributing traffic to Web 1, Web 2 and Web 3.]

Features
• TCP, HTTP, HTTPS with Stateful HA
• Multiple Virtual IPs, each with a separate server pool and configuration
• Multiple load balancing algorithms
• Multiple session persistence methods
• Configurable health checks
• Application Rules
• SSL Termination with Certificate Management
• Transparent/Full Proxy Mode
• IPv6

Scale & Performance
• 10Gb/s throughput
• 50,000 CPS
• 1M Concurrent Connections

Use Cases
• Per Tenant Cloud LB
• Dynamic VIP for applications

Logical Load Balancing

[Diagram: a request reaches a Load Balancer in front of WebServer-1 and WebServer-2 in a vApp on a Routed or Direct vApp Network.]

Logical Load Balancing

[Diagram: a request reaches a Load Balancer on a regular Edge attached to a VDC Network, in front of WebServer-1 and WebServer-2 in a vApp on an Isolated vApp Network.]

Logical User (SSL) and Site-to-Site (IPsec) VPN

Features
• Interoperable IPsec, tested with major vendors
• Clients on all major OS (Win, Apple, Linux)
• Remote Authentication via Active Directory, RSA SecurID, LDAP, RADIUS
• TCP Acceleration
• Encryption – 3DES, AES128, AES256
• AES-NI H/W Offload
• NAT & Perimeter Firewall Traversal

Scale and Performance
• High Performance – AES-NI acceleration
• 2 Gb/s throughput per tenant

Use Cases
• Cloud to Corporate
• Cloud On-boarding
• Remote Office/Branch Office
• Remote Management

[Diagram: SSL and IPsec VPN tunnels across the Internet/WAN.]

Logical L2 VPN

Features
• SSL-based
• Web-proxy Support
• L2 Bridge to Cloud
• Broadcast support

Scale & Performance
• High Performance – AES-NI acceleration
• 2 Gb/s throughput per tenant

Use Cases
• Cloud On-boarding
• Cloud Bursting

[Diagram: an L2 VPN across the Internet/WAN extending a network to VMs in a Public Cloud.]

So What?

[Diagram: VMs on a Management VLAN, with L2 VPN and BGP peering to External Networks.]

Simplify, Replicate and Automate to achieve Cloud Scale

NSX Integrated Partners

[Diagram: NSX Controller & NSX Manager expose the NSX API; Partner Extensions add L2 Gateway, Firewall, ADC/LB, IDS/IPS, AV/FIM and Vulnerability Management Security Services; consumed by VMware vCD® and VMware vCAC®.]

Scale and Operations

NSX Edge Gateway – Line-rate Performance

Test: HTTP/1.1, 10 requests per session, fetching a 200KB web page at 7000 CPS
H/W: HP DL380 G8, Intel E5-2690 2.9 GHz 8-core x 2 sockets, Intel 82599 (Niantic)
Config: HA on, 366 NAT/FW rules, one uplink and one downlink vNIC

Operations

Centralized Management for 2000 appliances

CLI – for the humans

Analytics using vCOps

Syslog

[Chart: Load Balancer and Firewall statistics.]

Edge Operations in vCOps

vCHS

About vCloud Hybrid Service (vCHS)

Goals

Support of Thousands of Tenants

Scalable Physical Hardware

Plan for capacity growth
• Traffic flows
• Data usage

Elastic Design (SDDC, SDN)
• Minimize dependencies on proprietary hardware
• Use high bandwidth connections
• Exploit VMware's software intelligence to deliver a complete SDDC

Objectives

Maximize cost effectiveness

Maximize hardware utilization

[Diagram: Public Clouds and Private Clouds; Hybrid Cloud – seamlessly extend your data center to the public cloud; Virtual Workspace – manage access to services, applications and data for any device; The New Role for IT: IT as a Service; Software-Defined Data Center – virtualize the entire data center, with Management and Automation across Compute, Storage and Availability, and Network and Security.]

vCHS Edge

Why Edge?
• Evaluated leading hardware and software vendors to build the service
• Edge was the only multiservice device that could be rapidly deployed, meet scalability needs and integrate with vCD and vSphere

Features Deployed (vCNS 5.1)

Firewall
• Distributed scale of Rules

Load Balancing
• Web Server LB
• Dynamic Per Tenant

VPN
• IPsec Tunnel
• SSL VPN
• DCE – L2 VPN

L3 Gateway
• Static Routes
• Default Gateway

Looking forward – NSX: what are we excited about?

Performance and Scalability increases for Firewall, Load Balancer, Router and VPN

Dynamic routing – Support for BGP

Layer 7 Load balancing – SSL Termination

Questions?

For a complete understanding of NSX Optimized for vSphere, check out:

Network Virtualization
• NET5266 - Network Virtualization for vSphere environments with VMware NSX

Integrating 3rd Party Services in NSX
• NET5522: NSX Extensibility: Network and Security Services from 3rd-Party Vendors

NSX Operations and Troubleshooting (Advanced Technical)
• NET5790: Operational Best Practices for NSX in VMware Environments
• NET5654: Troubleshooting VXLAN and Network Services in a Virtualized Environment

THANK YOU
