7/26/2019 VMWorld 2013 - VMware NSX Extensibility Network and Security Services From 3rd-Party Vendors

Slide 1
VMware NSX Extensibility: Network and Security Services from 3rd-Party Vendors
Anirban Sengupta, VMware
Adina Simu, VMware
NET55
#NET5522
Slide 2
Session Objectives
Discuss the main use cases of extending NSX with services from technology partners:
Security services
Connectivity between virtual and physical workloads
Application delivery services
Present an example of NSX in action: NSX Partner Lab
Review the architecture of NSX Extensibility
Slide 3
Recommended Sessions & Labs
NET5716 Advanced NSX Architecture
NET5266 Bringing Network Virtualization to VMware Environments with NSX
NET5270 Virtualized Network Services Model with NSX
Hands on labs on NSX: HOL-SDC-1303 and HOL-SDC-1319
Group Discussion: SEC1003-GD
Slide 4
Agenda
Introduction to NSX
NSX Extensibility use cases
Security services
Connectivity between virtual and physical workloads
Application delivery services
How we collaborate with Partners: NSX Partner Cloud Lab
Architectural considerations for NSX Extensibility Framework
Slide 5
VMware Solutions
Public Clouds / Private Clouds
Hybrid Cloud: Seamlessly extend your data center to the public cloud
Virtual Workspace: Manage access to services, applications and data for any device
The New Role for IT: IT as a Service
Software-Defined Data Center: Virtualize the entire data center
Management and Automation
Storage and Availability / Compute / Network and Security
Slide 6
VMware NSX: Networking & Security Capabilities
[Diagram: the VMware NSX Network Virtualization Platform provides Virtual Networks to Any Application (without modification), runs on Any Hypervisor and Any Network Hardware, and is driven by Any Cloud Management Platform; services shown: Logical L2, Logical L3, Logical Firewall, Logical Load Balancer, Logical VPN, plus a Partner Eco-System.]
Logical Switching: Layer 2 over Layer 3, decoupled from the physical network
Logical Routing: Routing between virtual networks without exiting the software container
Logical Firewall: Distributed Firewall, kernel integrated, high performance
Logical Load Balancer: Application load balancing in software
Logical VPN: Site-to-Site & Remote Access VPN in software
NSX API: RESTful API for integration into any Cloud Management Platform
Slide 7
VMware NSX System Architecture
[Diagram: NSX Manager and the NSX API face Any Cloud Management Platform; the NSX Controller programs the NSX vSwitch on Any Hypervisor and the NSX Gateway over the Overlay Transport on Any Network Hardware; SW Partner Extensions and HW Partner Extensions (Physical to Virtual) attach Virtual Networks to Physical or Virtual Workloads running Any Application.]
Slide 8
Agenda
Introduction to NSX
NSX Extensibility use cases
Security services
Connectivity between virtual and physical workloads
Application delivery services
How we collaborate with Partners: NSX Partner Cloud Lab
Architectural considerations for NSX Extensibility Framework
Slide 9
Use Case: Securing the Software Defined Data Center
"My compute is pooled and virtualized. How do I secure it?"
Slide 10
How to Secure Applications with NSX Logical Containers
[Diagram: VMs grouped into NSX logical containers]
Simplify application management boundaries
Slide 11
NSX Partner Solutions are Programmable Through Lifecycle
Install NSX Extension from 3rd party vendor
Configure service
Create service policy templates
Consume service
Monitor service
Uninstall NSX Extension from 3rd party vendor
Slide 12
How to Install NSX Partner Solutions
1. Register the 3rd party solution with NSX Manager
2. Deploy partner appliances
3. Consume service!
Slide 13
Automated deployment of NSX and Partner appliances
[Diagram: the Cloud Admin and the Security Admin drive automated deployment of NSX and partner appliances to VMs across the hosts]
Slide 14
DEMO: Register and Deploy NSX Partner Service
Slide 16
Distributed Filtering and Redirection
Scale-out architecture
Embedded in the Hypervisor
Line rate performance: 10Gbps+ per host
Flexible access control architecture: NSX Logical Containers, VM Tags, User Identity and Active Directory support
No VM can circumvent the redirection filters
Rules follow the VMs
[Diagram: VMs distributed across hypervisor hosts]
Slide 17
Service Consumption Using Traditional Operational Experience
NSX UI: NSX Partner Services are integrated with NSX service screens (Load Balancer, Gateways, Firewall)
NSX API: NSX Partner Services are integrated with NSX APIs
NSX operational model now extended to partner services
Slide 18
Cloud admin view: Consuming security services
+ NGFW
Slide 19
Service Consumption Using NSX Service Composer
NSX Service Composer unifies and integrates service consumption across NSX native and 3rd party services
NSX operational model now extended to partner services
Slide 20
NSX Service Composer UI
Slide 21
Use Case: Using a 3rd Party Load Balancer from NSX
"How do I use my preferred ADC appliances with NSX?"
Slide 22
NSX seamlessly extends with ADC capabilities from partners
[Diagram: the NSX platform picture from slide 6 (Any Application without modification, Virtual Networks, Logical L2/L3, Logical Firewall, Logical Load Balancer, Logical VPN, Any Hypervisor, Any Network Hardware, Any Cloud Management Platform), with the Logical Load Balancer expanded to show a partner-backed configuration:]
Logical Load Balancer
Virtual IP: 172.168.1.1
Member pool: 10.0.0.1, 10.0.0.2
[OPTIONAL] Partner ADC template: Web Gold
Slide 23
Use Case: Connecting the Virtual and Physical Workloads
"How do I connect my physical workloads to virtual networks?"
Slide 24
2013: The Majority of Access Ports are Virtual
Half of all Server Access Ports are already virtual and are on track to be ~67% in 2 years
*40% of vAdmins managing virtual switching
[Chart: Ports in Millions, 2010 to 2015; Virtual Server Access Ports growing at 32% CAGR, Physical Server Access Ports at 15% CAGR. Source: Crehan Research Inc.]
Slide 25
NSX Logical Networks Can Extend to Physical Servers
[Diagram: Physical network (port, or VLAN) <-> NSX L2 Gateway <-> Logical network (VNI)]
Slide 26
NSX Operational Model Now Available for Physical Ports
[Diagram: a Logical Network (L2 over L3) spans the vSwitches on vSphere, Hyper-V*, XenServer and KVM hosts (Software) and an NSX L2 Gateway from a HW Partner (Hardware), which maps VLANs on the Physical Network (Arista, Cisco, HP, Juniper, Cumulus, ...) into the logical network; the Controller Cluster and NSX Manager are driven through the API / Neutron API by the CMP.]
Slide 27
L2 Gateways from 3rd Party Hardware Vendors
Benefits:
Granular access: can pull a single physical port into the virtual world
Connect bare metal workloads with higher performance/throughput
Same operational model (provisioning, monitoring) as virtual networks
Consistent provisioning and operations for the entire Data Center, regardless of workloads, over a simple IP fabric
Slide 28
Agenda
Introduction to NSX
NSX Extensibility use cases
Security services
Connectivity between virtual and physical workloads
Application delivery services
How we collaborate with Partners: NSX Partner Cloud Lab
Architectural considerations for NSX Extensibility Framework
Slide 29
Let's Do a Mind-Bending Exercise
Slide 30
NSX Nested Environments
[Diagram: NSX Manager, NSX Controller, NSX vSwitch, NSX Gateway]
Slide 31
Architecture for a Multi-site Product Development Lab
[Diagram: Site A and Site B connected over WAN Infrastructure; a Logical Network (L2 over L3) spans both sites, with VLANs at each site]
Slide 32
NSX Is Enabling the Industry Leaders to Innovate Fast
[Diagram: Site A and Site B]
Slide 33
Agenda
Introduction to NSX
NSX Extensibility use cases
Security services
Connectivity between virtual and physical workloads
Application delivery services
How we collaborate with Partners: NSX Partner Cloud Lab
Architectural considerations for NSX Extensibility Framework
Slide 34
VMware NSX System Extensibility Architecture
[Diagram: Management plane: NSX Manager together with a Partner Service Manager, exposing the NSX API with Partner extensions to Any Cloud Management Platform. Data plane: NSX Controller, NSX vSwitch on Any Hypervisor, NSX Gateway and Overlay Transport over Any Network Hardware, with HW Partner Extensions (Physical to Virtual) at the data plane.]
Slide 35
NetX Management Plane
Comprehensive RESTful APIs for integration with CMS
Services catalog: service definition and registration
Ability for partner management plane to register for callbacks
Automatic and on-demand deployment for multiple scenarios and configuration of service instances
Extensibility for partners to register and make available configuration templates for consumption
Profiles for consumption of the service, with control over the perimeter of where it is applied
Status reporting and statistics
[Diagram: vCNS Server, Partner Management Server and VirtualCenter exchanging REST calls]
Slide 36
Example: Central Management for security services
Centralized management with single pane of glass on vSphere Client
Rich dynamic container based rules, apart from just IP addresses:
VC containers
- Clusters
- Datacenters
- Portgroups
- VXLAN
VM containers
- VM names
- VM tags
- VM attributes
Identity
- User identity
- Groups
IPv6 compliant
- IPv6 address
- IPv6 sets
- IPv6 Services
Services
- Protocol
- Ports
- Custom
Choice of PEP-Clusters
- VXLAN
- vNICs
Slide 37
Control Plane Integration with NSX
NSX Controller communicates with 3rd party hardware appliances to create on-demand overlay tunnels, extending virtual networks
Dynamic connection to logical networks using OVSDB
Slide 38
Connecting the Physical to the Virtual
[Diagram: the Controller Cluster programs the hypervisor vSwitches and the hardware gateway over the API (OVSDB); VXLAN tunnels carry the Logical network (VNI) between the hypervisors hosting VMs and the Physical Workloads]
Slide 39
Scalable Control Plane
Central controller sends the rules to the pertinent hosts.
Each local controller evaluates the rules and sends the right rules to the right VMs.
[Diagram: NSX Manager (Desired State) and the NSX API face Any Cloud Management Platform; the NSX Controller (Runtime State) pushes rules to a Local Controller on each Hypervisor, which applies them to its VMs; Physical to Virtual over Any Network Hardware]
Slide 40
Services Data Plane Integration with NSX
Filtering at each vNIC based on IP, VM containers, Identity, etc., at line rate
Support for stateful and stateless redirection to virtual or physical appliances
Partner can program the redirection filters in real time
Programmability of rules and connection/context tracker
Context tracking on a micro-flow level
Flows that need redirection can be sent to:
- host resident virtual appliances (using VMCI)
- appliances on the same L2 network (MAC redirect)
- any IP address (GRE encapsulation)
Can chain any number of redirections
Service chaining order is controlled by admin
Slide 41
Virtual Network: A Complete Network in Software
Slide 42
Service Chaining with NSX
Multiple services can be placed at any point of the logical pipeline
Partner services are agnostic of the other services in the chain
Each partner service can manipulate rules and connection/context information for their own filter in a secure sandbox
No dependency on the ordering for different service encapsulations in the chain
Admin has the control to set up services and can dynamically add/delete/modify filters with minimal packet drops
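Slides 39, 40 and 42 together describe a desired state held by NSX Manager, a central controller that pushes rules only to the hosts that need them, a local controller on each host that evaluates those rules per vNIC, and admin-ordered service chains whose hops are VMCI, MAC-redirect or GRE targets. The following Python model is an added example, not VMware or NSX code; the host names, VM names, tags, rule ids and dictionary layout are constructed stand-ins for the real NSX data model.

```python
# Constructed inventory (not VMware data): the host each VM runs on and its tags.
VMS = {
    "web-01": {"host": "esx-a", "tags": {"web", "pci"}},
    "web-02": {"host": "esx-b", "tags": {"web"}},
    "db-01":  {"host": "esx-b", "tags": {"db", "pci"}},
    "dev-01": {"host": "esx-c", "tags": {"dev"}},
}

# Desired state: a rule matches a logical container (all listed tags present) and
# names a service chain. Redirect kinds follow slide 40: "vmci" = host-resident
# appliance, "mac" = appliance on the same L2 segment, "gre" = any IP address.
# Lower id = earlier in the admin-defined chaining order (slide 42).
RULES = [
    {"id": 10, "match_tags": {"pci"}, "chain": [("ngfw", "vmci"), ("ids", "gre")]},
    {"id": 20, "match_tags": {"web"}, "chain": [("waf", "mac")]},
]

def vm_matches(vm, rule):
    return rule["match_tags"] <= vm["tags"]

def central_controller(vms, rules):
    """Desired state -> runtime state: the rule ids each host needs. A host gets
    only rules that apply to a VM it currently runs, so rules follow the VMs."""
    per_host = {}
    for vm in vms.values():
        for rule in rules:
            if vm_matches(vm, rule):
                per_host.setdefault(vm["host"], set()).add(rule["id"])
    return per_host

def local_controller(host, rule_ids, vms, rules):
    """Each host evaluates only its own rule set against its own vNICs and builds
    the ordered chain per VM; a VM matching no rule gets an empty chain."""
    by_id = {r["id"]: r for r in rules}
    chains = {}
    for name, vm in vms.items():
        if vm["host"] == host:
            chain = []
            for rid in sorted(rule_ids):  # admin-controlled chain order
                if vm_matches(vm, by_id[rid]):
                    chain.extend(by_id[rid]["chain"])
            chains[name] = chain
    return chains

def vmotion(vms, name, new_host):
    """Inventory after a VM moves hosts; re-run central_controller on the result
    to see the rule set move with the VM (slide 16: rules follow the VMs)."""
    moved = {n: dict(v) for n, v in vms.items()}
    moved[name]["host"] = new_host
    return moved
```

Running central_controller before and after vmotion shows the defender-relevant property from slide 16: a host that no longer runs a matching VM stops receiving the rule, and the new host starts receiving it, with no per-host rule edits.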
Slide 43 | 2012, Palo Alto Networks. Confidential and Proprietary.
Extending with 3rd party security solutions
[Diagram: External Network, vSwitch, Guest VM, IDS/IPS, DFW, NGFW; managed by NSX Manager, Panorama and NSM]
Slide 45
THANK YOU