VMWorld 2013 - VMware NSX Extensibility Network and Security Services From 3rd-Party Vendors


  • 7/26/2019 VMWorld 2013 - VMware NSX Extensibility Network and Security Services From 3rd-Party Vendors

    1/47

    VMware NSX Extensibility: Network and Security Services from 3rd-Party Vendors

    Anirban Sengupta, VMware

    Adina Simu, VMware

    NET55

    #NET5522

    2/47

    Session Objectives

    Discuss the main use cases of extending NSX with services from technology partners
    - Security services
    - Connectivity between virtual and physical workloads
    - Application delivery services

    Present an example of NSX in action: NSX Partner Lab

    Review the architecture of NSX Extensibility

    3/47

    Recommended Sessions & Labs

    NET5716: Advanced NSX Architecture

    NET5266: Bringing Network Virtualization to VMware Environments with NSX

    NET5270: Virtualized Network Services Model with NSX

    Hands-on labs on NSX: HOL-SDC-1303 and HOL-SDC-1319

    Group Discussion: SEC1003-GD

    4/47

    Agenda

    Introduction to NSX

    NSX Extensibility use cases
    - Security services
    - Connectivity between virtual and physical workloads
    - Application delivery services

    How we collaborate with Partners: NSX Partner Cloud Lab

    Architectural considerations for NSX Extensibility Framework

    5/47

    VMware Solutions

    The New Role for IT: IT as a Service

    Hybrid Cloud: Seamlessly extend your data center to the public cloud
    - Public Clouds
    - Private Clouds

    Virtual Workspace: Manage access to services, applications and data for any device

    Software-Defined Data Center: Virtualize the entire data center
    - Management and Automation
    - Storage and Availability
    - Compute
    - Network and Security

    6/47

    VMware NSX: Networking & Security Capabilities

    [Diagram: Any Application (without modification); Virtual Networks; VMware NSX Network Virtualization Platform (Logical L2, Logical L3, Logical Firewall, Logical Load Balancer, Logical VPN); Any Cloud Management Platform; Any Hypervisor; Any Network Hardware]

    Logical Switching: Layer 2 over Layer 3, decoupled from the physical network

    Logical Routing: Routing between virtual networks without exiting the software container

    Logical Firewall: Distributed Firewall, Kernel Integrated, High Performance

    Logical Load Balancer: Application Load Balancing in software

    Logical VPN: Site-to-Site & Remote Access VPN in software

    NSX API: RESTful API for integration into any Cloud Management Platform

    Partner Eco-System

    7/47

    VMware NSX System Architecture

    [Diagram: Any Application; Virtual Networks; Any Cloud Management Platform; NSX API; NSX Manager; NSX Controller; NSX vSwitch; NSX Gateway; Physical to Virtual; Overlay Transport; Any Hypervisor; Any Network Hardware; Physical or Virtual Workloads; HW Partner Extensions; SW Partner Extensions]

    9/47

    Use Case: Securing the Software Defined Data Center

    My compute is pooled and virtualized. How do I secure it?

    10/47

    How to Secure Applications with NSX Logical Containers

    Simplify application management boundaries

    11/47

    NSX Partner Solutions are Programmable Through Lifecycle

    - Install NSX Extension from 3rd party vendor
    - Configure service
    - Create service policy templates
    - Consume service
    - Monitor service
    - Uninstall NSX Extension from 3rd party vendor

    12/47

    How to Install NSX Partner Solutions

    1. Register the 3rd party solution with NSX Manager

    2. Deploy partner appliances

    3. Consume service!

    13/47

    Automated deployment of NSX and Partner appliances

    [Diagram: Cloud Admin; Security Admin; VMs]

    14/47

    DEMO: Register and Deploy NSX Partner Service

    16/47

    Distributed Filtering and Redirection

    Scale-out architecture

    Embedded in the Hypervisor

    Line rate performance

    10Gbps+ per host

    Flexible access control architecture

    NSX Logical Containers

    VM Tags

    User Identity and Active Directory support

    No VM can circumvent the redirection filters

    Rules follow the VMs

    17/47

    Service Consumption Using Traditional Operational Experience

    NSX UI: NSX Partner Services are integrated with NSX service screens (Load Balancer, Gateways, Firewall)

    NSX API: NSX Partner Services are integrated with NSX APIs

    NSX operational model now extended to partner services

    18/47

    Cloud admin view: Consuming security services

    + NGFW

    19/47

    Service Consumption Using NSX Service Composer

    NSX Service Composer unifies and integrates service consumption across NSX native and 3rd party services

    NSX operational model now extended to partner services

    20/47

    NSX Service Composer UI

    21/47

    Use Case: Using a 3rd Party Load Balancer from NSX

    How do I use my preferred ADC appliances with NSX?

    22/47

    NSX seamlessly extends with ADC capabilities from partners

    [Diagram: Any Application (without modification); Virtual Networks; VMware NSX Network Virtualization Platform (Logical L2, Logical L3, Logical Firewall, Logical Load Balancer, Logical VPN); Any Cloud Management Platform; Any Hypervisor; Any Network Hardware]

    Logical Load Balancer

    Virtual IP: 172.168.1.1

    Member pool: 10.0.0.1, 10.0.0.2

    [OPTIONAL Partner ADC template: Web Gold]

    23/47

    Use Case: Connecting the Virtual and Physical Workloads

    How do I connect my physical workloads to virtual networks?

    24/47

    2013: The Majority of Access Ports are Virtual

    Half of all Server Access Ports are already virtual and are on track to be ~67% in 2 years

    *40% of vAdmins managing virtual switching

    [Chart: Ports in Millions, 2010 to 2015. Virtual Server Access Ports: 32% CAGR; Physical Server Access Ports: 15% CAGR. Source: CREHAN RESEARCH Inc.]

    25/47

    NSX Logical Networks Can Extend to Physical Servers

    Physical network (port, or VLAN)

    NSX L2 Gateway

    Logical network (VNI)

    26/47

    NSX Operational Model Now Available for Physical Ports

    [Diagram: CMP; Neutron API; API; NSX Manager; Controller Cluster; Logical Network (L2, L3); vSwitch on vSphere, Hyper-V*, XenServer, KVM; VMs; NSX L2 Gateway (Software); NSX L2 Gateway (Hardware, HW Partner); VLAN; Physical Network (Arista, Cisco, HP, Juniper, Cumulus,)]

    27/47

    L2 Gateways from 3rd Party Hardware Vendors

    Benefits:
    - Granular access: can pull a single physical port into the virtual world
    - Connect bare metal workloads with higher performance/throughput
    - Same operational model (provisioning, monitoring) as virtual networks

    Consistent provisioning and operations for entire Data Center, regardless of workloads, over a simple IP fabric

    29/47

    Let's Do a Mind-Bending Exercise

    30/47

    NSX Nested Environments

    [Diagram: NSX Manager; NSX Controller; NSX vSwitch; NSX Gateway]

    31/47

    Architecture for a Multi-site Product Development Lab

    [Diagram: Site A; Site B; Logical Network (L2, L3); VLAN; WAN Infrastructure]

    32/47

    NSX Is Enabling the Industry Leaders to Innovate Fast

    [Diagram: Site A; Site B]

    34/47

    VMware NSX System Extensibility Architecture

    [Diagram: Any Cloud Management Platform; NSX API with Partner extensions; Management plane: NSX Manager, Partner Service Manager; NSX Controller; NSX vSwitch; NSX Gateway; Physical to Virtual; Overlay Transport; Any Hypervisor; Any Network Hardware; Data plane; HW Partner Extensions]

    35/47

    NetX Management Plane

    - Comprehensive RESTful APIs for integration with CMS
    - Services catalog: Service definition and registration
    - Ability for partner management plane to register for callbacks.
    - Automatic and on-demand deployment for multiple scenarios and configuration of Service instances.
    - Extensibility for partners to register and make available configuration templates for consumption.
    - Profiles for consumption of the Service with control over the perimeter of where it is applied to
    - Status reporting and statistics.

    [Diagram: vCNS Server; Partner Management Server; VirtualCenter; REST]

    36/47

    Example: Central Management for security services

    Centralized management with single pane of glass on vSphere Client

    Rich dynamic container-based rules apart from just IP addresses.

    VC containers
    - Clusters
    - Datacenters
    - Portgroups
    - VXLAN

    VM containers
    - VM names
    - VM tags
    - VM attributes

    Identity
    - User identity
    - Groups

    IPv6 compliant
    - IPv6 address
    - IPv6 sets

    Services
    - Protocol
    - Ports
    - Custom

    IPv6 Services

    Choice of PEP
    - Clusters
    - VXLAN
    - vNICs

    37/47

    Control Plane Integration with NSX

    NSX Controller communicates with 3rd party hardware appliances to create on-demand overlay tunnels, extending virtual networks

    Dynamic connection to logical networks using OVSDB

    38/47

    Connecting the Physical to the Virtual

    [Diagram: Controller Cluster; API (OVSDB); Tunnels (VXLAN); Hypervisors with vSwitch and VMs; Physical Workloads; Logical network (VNI)]

    39/47

    Scalable Control Plane

    Central controller sends the rules to the pertinent hosts.

    Each local controller evaluates the rules and sends the right rules to the right VMs.

    [Diagram: Any Cloud Management Platform; NSX API; NSX Manager (Desired State); NSX Controller (Runtime State); Hypervisors, each with a Local Controller and VMs; Any Network Hardware; Physical to Virtual]

    40/47

    Services Data Plane Integration with NSX

    Filtering at each vNIC based on IP, VM containers, Identity, etc. at line rate

    Support for stateful and stateless redirection to virtual or physical appliances.

    Partner can program the redirection filters in real time

    Programmability of rules and connection/context tracker

    Context tracking on a micro-flow level

    Flows that need redirection can be sent to:
    - host resident virtual appliances (using VMCI)
    - appliances on the same L2 network (MAC redirect)
    - any IP address (GRE encapsulation)

    Can chain any number of redirections

    Service chaining order is controlled by admin

    41/47

    Virtual Network: A Complete Network in Software

    42/47

    Service Chaining with NSX

    - Multiple Services can be placed in any point of the logical pipeline
    - Partner services are agnostic of the other services in the chain
    - Each partner service can manipulate rules and connection/context information for their own filter in a secure sandbox
    - No dependency on the ordering for different service encapsulations in the chain
    - Admin has the control to set up services and can dynamically add/delete/modify filters with minimal packet drops

    43/47

    Extending with 3rd party security solutions

    [Diagram: External Network; vSwitch; Guest VM; IDS/IPS; DFW; NGFW; NSX Manager; Panorama; NSM]

    2012, Palo Alto Networks. Confidential and Proprietary.

    45/47

    THANK YOU