VMworld 2016: Advanced Network Services with NSX

Advanced Network Services with NSX
Romain Decker, VMware, Inc
Dimitri Desmidt, VMware, Inc
Session NET7907 (#NET7907)

Transcript of VMworld 2016: Advanced Network Services with NSX

Page 1: VMworld 2016: Advanced Network Services with NSX


Page 2: Growing NSX Momentum

A rapid journey of customer adoption across industries:
- 1700+ customers
- 8 out of VMware's top 10 deals in Q2'16 included NSX
- 100% year-over-year growth, consistent year to year (chart: Q2'13 through Q2'16)

Page 3: NSX customer use cases

- Security (inherently secure infrastructure): micro-segmentation, DMZ anywhere, secure end user
- Automation (IT at the speed of business): IT automating IT, multi-tenant infrastructure, developer cloud
- Application continuity (data center anywhere): disaster recovery, cross cloud, multi data center pooling

Page 4: Disclaimer

- This presentation may contain product features that are currently under development.
- This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.
- Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.
- Technical feasibility and market demand will affect final delivery.
- Pricing and packaging for any new technologies or features discussed or presented have not been determined.

Page 5: Agenda

1. Set the Scene
2. Firewall / Security Services
3. Load Balancing Services
4. VPN Services
5. Key Takeaways
6. Q & A

Page 6: What is the overall goal of NSX?

The goal of NSX is to reproduce all network and security services in logical space:
- Switching: DHCP server or relay, DNS
- Routing / NAT: distributed or centralized
- Firewall: distributed or centralized
- Load balancing: inline or one-arm
- L2 and L3 VPN: L2VPN, site-to-site IPsec, SSL VPN

(Slide diagram: an "Application XYZ" made of Web, App and DB VMs consuming these services.)

Page 7: Why services in logical space are key

Services in logical space (in the hypervisor) bring the following benefits over "appliances":
- Speed: faster to deploy
- Agility: networks can be placed anywhere in your data center
- Security: deeper security with micro-segmentation
- Performance: the power of distribution
- Management and troubleshooting: central management and visibility of the entire network and security stack; backup, restore and upgrade; advanced tools such as Traceflow, which simulates a specific packet and highlights where it would be dropped in the logical or physical space

Page 8: Let's focus now on the Advanced Network & Security Services

(Same service diagram as page 6: switching, routing/NAT, firewall, load balancing and L2/L3 VPN in front of the Web, App and DB tiers of Application XYZ.)

Page 9: Agenda (repeated before section 2, Firewall / Security Services)

Page 10: Firewall / Security Services

i. NSX Security Services
ii. Benefits
iii. Performance
iv. What's New
v. Integration with 3rd party services

More info on security in VMworld 2016 session SEC7836R, Introduction to Security with VMware NSX.

Page 11: What do we offer?

Native NSX security services:
- Stateful L4 firewall
- Security attached to the VM
- Intra-subnet security

Enhanced security services with the 3rd-party ecosystem:
- L7 firewall
- Agentless anti-virus
- Malware protection
- IPS/IDS

Page 12: Firewall / Security Services (section outline repeated; next item: ii. Benefits)

Page 13: Security with NSX

Pros: distributed, high performance.
- Unified configuration for central and distributed firewalling
- Hypervisor-based, in-kernel distributed firewalling
- Independent of the transport network (VXLAN or VLAN)
- Policy independent of location
- Micro-segmentation: security between VMs in the same subnet

(Slide diagram: VMs on the logical switches Web-LS1 and App-LS1, with distributed firewalling between and within the tiers.)

Page 14: Firewall – Configuration

Pros: easy and fast learning curve; simplicity and ease of use.
- L2 MAC addresses and L3 IP addresses, IP subnets and IP ranges can be used in rules
- In addition, any vCenter or NSX object name can be used: virtual machine, datacenter, cluster, distributed port group, logical switch, and more
- Services are expressed as port numbers and protocol names
  Note: ALG (Application-Level Gateway) support for TFTP, FTP, CIFS, Oracle TNS, MS-RPC and SUN-RPC

Page 15: Service Composer

Pros: agility, service compliance.

Security Group (WHAT you want to protect):
- Static inclusion
- Dynamic inclusion
- Static exclusion
- Membership can be defined VM-centrically or infrastructure-centrically

Security Policy (HOW you want to protect it):
- Distributed Firewall rules: L3 / L4 firewall rules
- Guest Introspection rules: anti-malware / anti-virus, data security, vulnerability management, file integrity monitoring
- Network Introspection rules: IDS / IPS services, firewall services (L7)

Page 16: Firewall / Security Services (section outline repeated; next item: iii. Performance)

Page 17: Firewalling/Security – Performance: the power of distribution

20 Gbps per host of firewall throughput with negligible CPU impact.

Performance test scenario (throughput measurement):
- Two hypervisors with two VMs each (VM1 and VM2 on the first, VM3 and VM4 on the second)
- Two 10G physical NICs per server, connected to a 10G switch
- VM1 talks to VM3 and VM2 talks to VM4

See the NSX Performance Deep Dive session (NET8030) to learn more about NSX performance.

Page 18: Firewall / Security Services (section outline repeated; next item: iv. What's New)

Page 19: Security with NSX – What's New?

- Enhanced security: SYN flood protection
- Serviceability improvements: TFTP ALG
- Increased application visibility: copy-packet support for Network Introspection
- Simplified operations and troubleshooting: Distributed Firewall granular rule filtering
- Increased compatibility: Windows 10 support for Guest Introspection

Page 20: Firewall / Security Services (section outline repeated; next item: v. Integration with 3rd party services)

Page 21: Advanced Firewall Integration with Partners

NSX is the platform for integrating advanced security services. Partner categories shown on the slide: next-generation firewall, next-generation IPS, malware protection and vulnerability management.

Page 22: Demo – Distributed Firewall

Topology: three logical switches, Web-LS1, App-LS1 and DB-LS1, whose VMs are grouped into the security groups SG-Web, SG-App and SG-DB.

Initial rule set (three-tier application, default block):

Source        Destination   Service   Action
Any           SG-Web        HTTP      Allow
SG-Web        SG-App        HTTP      Allow
SG-App        SG-DB         MySQL     Allow
Any           Any           Any       Block

Rule set after adding administrative SSH access to the cluster:

Source        Destination   Service   Action
Admin-Laptop  Cluster A     SSH       Allow
Any           SG-Web        HTTP      Allow
SG-Web        SG-App        HTTP      Allow
SG-App        SG-DB         MySQL     Allow
Any           Any           Any       Block
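The two rule tables above, together with the Security Group model from page 15, can be exercised as code. The following Python is an example added to this transcript, not VMware's implementation: security groups with static inclusion, static exclusion and dynamic inclusion feed an ordered, first-match, default-deny rule table like the one in the demo. The inventory (web-01, web-02, app-01, db-01, a quarantined web VM named web-quarantine, Admin-Laptop, and the clusters they sit in) is constructed sample data, and the security tags used for dynamic inclusion are assumptions.

```python
"""NSX-style micro-segmentation model: Security Groups (WHAT, page 15) feeding an
ordered, first-match, default-deny Distributed Firewall table (page 22).
Example added to this transcript, not VMware's code; VM names, tags, clusters
and the 'web-quarantine' VM are constructed sample data."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set, Tuple, Union


@dataclass(frozen=True)
class Endpoint:
    name: str
    cluster: str                          # vCenter cluster: an infrastructure-centric object
    tags: FrozenSet[str] = frozenset()    # security tags: a VM-centric attribute (assumed)


@dataclass
class SecurityGroup:
    """Membership = (dynamic criteria OR static inclusion) AND NOT static exclusion."""
    name: str
    tag: Optional[str] = None             # dynamic inclusion: any VM carrying this tag
    name_prefix: Optional[str] = None     # dynamic inclusion: any VM whose name starts so
    include: Set[str] = field(default_factory=set)
    exclude: Set[str] = field(default_factory=set)

    def contains(self, ep: Endpoint) -> bool:
        if ep.name in self.exclude:       # exclusion always wins
            return False
        if ep.name in self.include:
            return True
        if self.tag is not None and self.tag in ep.tags:
            return True
        return self.name_prefix is not None and ep.name.startswith(self.name_prefix)


# A rule target is "any" or (kind, value) with kind in {"group", "cluster", "vm"}
Spec = Union[str, Tuple[str, str]]
Rule = Tuple[Spec, Spec, str, str]        # source, destination, service, action

SERVICES: Dict[str, Tuple[str, int]] = {
    "HTTP": ("tcp", 80), "MySQL": ("tcp", 3306), "SSH": ("tcp", 22)}


def matches(spec: Spec, ep: Endpoint, groups: Dict[str, SecurityGroup]) -> bool:
    if spec == "any":
        return True
    kind, value = spec
    if kind == "group":
        return groups[value].contains(ep)
    if kind == "cluster":
        return ep.cluster == value
    if kind == "vm":
        return ep.name == value
    raise ValueError(f"unknown object type {kind!r}")


def evaluate(rules: List[Rule], groups: Dict[str, SecurityGroup],
             src: Endpoint, dst: Endpoint, proto: str, port: int) -> Tuple[str, Optional[int]]:
    """Return (action, 1-based rule number) of the first matching rule.

    Only the first packet of a flow is modelled: the DFW is stateful, so the
    reply direction of an allowed flow needs no rule of its own.
    """
    for number, (s_spec, d_spec, service, action) in enumerate(rules, start=1):
        if service != "any" and SERVICES[service] != (proto, port):
            continue
        if matches(s_spec, src, groups) and matches(d_spec, dst, groups):
            return action, number
    return "Block", None                  # unreachable with the explicit Any/Any/Any Block


# ---- constructed inventory and groups ----
INVENTORY: Dict[str, Endpoint] = {ep.name: ep for ep in [
    Endpoint("web-01", "Cluster A", frozenset({"web"})),
    Endpoint("web-02", "Cluster A", frozenset({"web"})),
    Endpoint("web-quarantine", "Cluster A", frozenset({"web"})),   # tagged web, but excluded
    Endpoint("app-01", "Cluster A"),
    Endpoint("db-01", "Cluster B", frozenset({"db"})),
    Endpoint("Admin-Laptop", "external"),
    Endpoint("Internet", "external"),
]}

GROUPS: Dict[str, SecurityGroup] = {g.name: g for g in [
    SecurityGroup("SG-Web", tag="web", exclude={"web-quarantine"}),
    SecurityGroup("SG-App", name_prefix="app-"),
    SecurityGroup("SG-DB", tag="db"),
]}

# The second rule table of page 22, top to bottom
DEMO_RULES: List[Rule] = [
    (("vm", "Admin-Laptop"), ("cluster", "Cluster A"), "SSH", "Allow"),
    ("any", ("group", "SG-Web"), "HTTP", "Allow"),
    (("group", "SG-Web"), ("group", "SG-App"), "HTTP", "Allow"),
    (("group", "SG-App"), ("group", "SG-DB"), "MySQL", "Allow"),
    ("any", "any", "any", "Block"),
]


def decide(src: str, dst: str, proto: str, port: int) -> Tuple[str, Optional[int]]:
    return evaluate(DEMO_RULES, GROUPS, INVENTORY[src], INVENTORY[dst], proto, port)


if __name__ == "__main__":
    for flow in [("Internet", "web-01", "tcp", 80), ("web-01", "db-01", "tcp", 3306),
                 ("web-01", "web-02", "tcp", 22), ("Admin-Laptop", "app-01", "tcp", 22)]:
        print(flow, "->", decide(*flow))
```

The interesting cases are the ones the tables do not spell out: web-01 to web-02 over SSH is blocked even though both VMs share a subnet and a security group (that is the micro-segmentation point of page 13), web-01 cannot reach db-01 directly because only SG-App is allowed to, and a VM that matches the dynamic "web" criterion but sits on the static exclusion list drops out of SG-Web and so out of every rule that names it.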

Page 23: Agenda (repeated before section 3, Load Balancing Services)

Page 24: Load Balancing Services

i. NSX Load Balancing Services
ii. Benefits
iii. Performance
iv. What's New
v. Integration with 3rd party services

More info on load balancing in VMworld 2016 session NET9029, NSX Logical Load Balancing: From Basics to Fine Art.

Page 25: NSX Load Balancing Services: from basic load balancing

- Offers horizontal scaling (scale-out) of any UDP/TCP application
- Offers high availability of applications

Page 26: NSX Load Balancing Services: to advanced load balancing

- L7 manipulation of HTTP/S request headers and HTTP/S response headers; actions: block, rewrite, add/update/remove headers

Example: app1.xyz.com, app2.xyz.com and app3.xyz.com all resolve to the same address, VIP1. VIP1:443 uses an application rule to pick the pool:
- If Host = "app1.xyz.com", use pool "Pool1"
- If Host = "app2.xyz.com", use pool "Pool2"
- If Host = "app3.xyz.com", use pool "Pool3"

Page 27: NSX Load Balancing Services: to advanced load balancing (continued)

Multiple SSL options: SSL Offload, SSL Passthrough and SSL End-to-End. In all three, clients on external networks connect over HTTPS to the Edge Services Router.

SSL Offload:
- The Edge terminates the client HTTPS (SSL) sessions
- The Edge load balances the clients to the servers over HTTP (the server-side leg is unencrypted)
- Note: L7 application rules can be applied

SSL Passthrough:
- The Edge does NOT terminate the client HTTPS (SSL) sessions
- The Edge load balances TCP sessions to the servers
- Note: client SSL sessions are terminated on the servers, not on the Edge
- Note 2: L7 application rules can NOT be applied

SSL End-to-End:
- The Edge terminates the client HTTPS (SSL) sessions
- The Edge load balances the clients to the servers over a NEW HTTPS session
- Note: L7 application rules can be applied
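The host-based application rule from page 26 and the three SSL modes above fit in one small model. The following Python is an example added to this transcript, not VMware's or HAProxy's code: it extracts the Host header the way an L7 rule needs it, picks the pool, and shows why that only works when the Edge has terminated TLS (Offload, End-to-End), while in Passthrough the Edge only sees TLS records and must balance at L4. The pool names, the passthrough pool name Pool-TCP443, the added X-Forwarded-Proto header and the sample requests are constructed.

```python
"""Host-header pool selection as the page-26 application rule does it, and the
page-27 SSL modes that decide whether such a rule can run at all.
Example added to this transcript, not VMware's or HAProxy's code; pool names,
the passthrough pool and the sample requests are constructed."""
from typing import Optional, Tuple

# The page-26 application rule as a Host -> pool map
APP_RULE_POOLS = {"app1.xyz.com": "Pool1", "app2.xyz.com": "Pool2", "app3.xyz.com": "Pool3"}
PASSTHROUGH_POOL = "Pool-TCP443"      # assumed name of the single L4 pool used in passthrough


def parse_host(request: bytes) -> Optional[str]:
    """Return the normalized Host of a plaintext HTTP/1.x request head.

    Returns None for anything that is not well-formed HTTP: a truncated head,
    TLS records (what the Edge sees in SSL Passthrough), a header line without
    a colon, or two Host headers (ambiguous, so refuse rather than guess).
    """
    head, sep, _body = request.partition(b"\r\n\r\n")
    if not sep:
        return None
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        return None
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        return None
    host: Optional[str] = None
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            return None
        if name.strip().lower() == "host":
            if host is not None:
                return None
            host = value.strip().lower()
    if not host:
        return None
    if host.startswith("["):              # [IPv6-literal]:port
        host = host.split("]", 1)[0] + "]"
    elif ":" in host:                     # name:port
        host = host.split(":", 1)[0]
    return host


def add_header(request: bytes, name: str, value: str) -> bytes:
    """Append a header to the request head (page 26: add/update/remove headers)."""
    head, sep, body = request.partition(b"\r\n\r\n")
    return head + f"\r\n{name}: {value}".encode("ascii") + sep + body


def select_pool(mode: str, client_data: bytes) -> Tuple[Optional[str], str, bytes]:
    """Return (pool, server-side scheme, bytes forwarded to the pool member).

    mode is 'offload', 'end-to-end' or 'passthrough' (page 27).  For the first
    two, client_data is the request after the Edge has terminated TLS; for
    passthrough it is the client's raw TLS stream, which the Edge never decrypts.
    """
    if mode == "passthrough":
        # No L7 visibility: balance the TCP session as-is onto one pool; the
        # client's TLS session terminates on the server.
        return PASSTHROUGH_POOL, "https", client_data
    if mode not in ("offload", "end-to-end"):
        raise ValueError(f"unknown SSL mode {mode!r}")
    host = parse_host(client_data)
    if host is None:
        return None, "", b""              # not HTTP, or malformed: drop
    pool = APP_RULE_POOLS.get(host)
    if pool is None:
        return None, "", b""              # no rule matched: block
    # Behind an offloading Edge the server sees plain HTTP, so record that the
    # client actually used TLS (constructed header name for this example).
    forwarded = add_header(client_data, "X-Forwarded-Proto", "https")
    return pool, ("http" if mode == "offload" else "https"), forwarded


# Constructed samples
REQ_APP2 = b"GET /login HTTP/1.1\r\nHost: app2.xyz.com:443\r\nUser-Agent: demo\r\n\r\n"
REQ_TWO_HOSTS = b"GET / HTTP/1.1\r\nHost: app1.xyz.com\r\nHost: app3.xyz.com\r\n\r\n"
REQ_UNKNOWN = b"GET / HTTP/1.1\r\nHost: other.example\r\n\r\n"
# Leading bytes of a TLS 1.2 ClientHello record (constructed): what passthrough carries
TLS_CLIENT_HELLO = b"\x16\x03\x01\x00\x31\x01\x00\x00\x2d\x03\x03" + b"\x11" * 32

if __name__ == "__main__":
    print("offload", select_pool("offload", REQ_APP2)[:2])
    print("end-to-end", select_pool("end-to-end", REQ_APP2)[:2])
    print("passthrough", select_pool("passthrough", TLS_CLIENT_HELLO)[:2])
```

Two details matter in practice. A request carrying two Host headers is refused instead of routed on the first one, so the pool decision can never disagree with what the pool member itself will read. And handing the TLS stream to the L7 path returns no pool at all: in Passthrough the Edge has nothing but ciphertext to look at, which is exactly why the slide says application rules cannot be applied there.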

Page 28: Load Balancing Services (section outline repeated; next item: ii. Benefits)

Page 29: Benefits

NSX offers load balancing with the following benefits:
- Same place to configure all needed network and security services
- Very simple learning curve: create a pool, health checks and a VIP
- Simpler configuration: ability to use NSX and vCenter objects
- Cost-effective

Page 30: Load Balancing Services (section outline repeated; next item: iii. Performance)

Page 31: Performance

NSX load balancing performance meets most enterprise needs (figures per logical load balancer):

                       L4          HTTP         HTTPS
Throughput             9.2 Gbps    8.5 Gbps     2.2 Gbps
Concurrent sessions    1M          60k          60k
New sessions/sec       88k cps     35.8k cps    576 cps
Requests/sec           -           55.9k rps    -

For higher scale, different VIPs can be placed on different logical load balancers.

Page 32: Load Balancing Services (section outline repeated; next item: iv. What's New)

Page 33: What's New?

- Increased number of supported LB applications: LB port range
- Increased number of VIPs per logical load balancer: up to 1024 virtual IPs
- Increased security: support of FIPS
- Distributed Load Balancing (Tech Preview)

Page 34: Goal of Distributed Load Balancing

Goal:
- Offer a very scalable and distributed load balancing service
- Optimized packet flow

(Slide diagram, classical view versus logical view: a three-tier application with web-01 and web-02 on Web-Tier-01 10.0.1.0/24, app-01 and app-02 on App-Tier-01 10.0.2.0/24, and db-01 on DB-Tier-01 10.0.3.0/24, each tier with a .1 gateway, and a load balancer in front of the Web and App tiers.)

Page 35: Goal of Distributed Load Balancing (continued)

(Same goal and topology, "View Option 2": the load balancing in front of the Web and App tiers is shown as the service groups Service-Group_Web and Service-Group_App.)

Page 36: Demo – Distributed Load Balancing

Page 37: Load Balancing Services (section outline repeated; next item: v. Integration with 3rd party services)

Page 38: Enhancements with 3rd party LB vendors

Why support 3rd party LB vendors?
- Customers want to move to network virtualization in baby steps
- Customers have a specific load balancing requirement not currently supported by the NSX LB

Page 39: Agenda (repeated before section 4, VPN Services)

Page 40: VPN Site-to-Site (IPsec)

(Slide diagram: a corporate network hosting CRM and file servers, connected over IPsec VPN tunnels to a remote/branch office (ROBO) and to a partner site.)

Pros: interoperability; cost-effective, hardware-independent, software-only solution.

Features:
- Interoperable IPsec, tested with major vendors
- AES-NI hardware offload
- ESP tunnel mode, NAT traversal, dead peer detection

Use cases:
- Connect different entities (ROBO, etc.)
- Cloud to corporate

Page 41: L2VPN

(Slide diagram: the subnets 172.16.10.0/24 and 172.16.20.0/24 of the corporate network are extended at L2 over an L2VPN tunnel to the same subnets in the cloud.)

Pros: cost-effective, hardware-independent, software-only solution; SSL-secured L2 extensions over any IP network.

Features:
- No specialized hardware required
- Independent of vCenter Server boundaries

Use cases:
- Brownfield NSX deployments
- Data center migrations
- Cloud bursting and onboarding

Page 42: NSX User Access VPN (SSL-VPN)

(Slide diagram: remote users reach CRM and file servers in the corporate network through the SSL-VPN.)

Pros: secure and cost-effective remote user access over HTTPS; flexible, software-only, hardware-independent solution.

Features:
- Client-based and web-based access modes
- Support for major OSes (Windows, Mac OS, Linux)
- Multiple authentication options (AD, RADIUS, LDAP, RSA)
- AES-NI acceleration (hardware offload)
- Configuration via UI and API

Use cases:
- Access to servers running in a private environment over VPN
- Remote access for administrators

Page 43: Agenda (repeated before section 5, Key Takeaways)

Page 44: Key Takeaways

- NSX reproduces all network and security services of the data center.
- All services are available in logical space for best speed, agility and deeper security.
- (Almost) all NSX services are available in distributed mode for massive scale.
- A rich ecosystem is available to enhance the native services with partners.

Page 45: Find Out More

Hands-on Labs:
- HOL-SDC-1603 – VMware NSX Introduction
- HOL-SDC-1625 – VMware NSX Advanced
- HOL-PRT-1672 – Deploying Palo Alto Networks Next-Generation Security Platform with VMware NSX

Other sessions:
- Security: "Introduction to Security with VMware NSX" [SEC7836R]; "Deploying Security in a Brownfield Environment" [SEC8348]
- Load balancing: "NSX Logical Load Balancing: From Basics to Fine Art" [NET9029]
- Automation: "How to Easily Become a Cool Automation NSX Cloud Network Engineer" [NET7701]

VMware Communities NSX: https://communities.vmware.com/community/vmtn/nsx

Page 46: Agenda (repeated before section 6, Q & A)

Page 47: Questions

Page 48: NSX partner ecosystem

Dynamic insertion of partner services, across four categories: physical infrastructure, security, application delivery, operations and visibility.

Page 49: Where to get started

Learn:
- Connect and engage: communities.vmware.com
- NSX product page and technical resources: vmware.com/products/nsx
- Network Virtualization blog: blogs.vmware.com/networkvirtualization
- VMware NSX on YouTube: youtube.com/user/vmwarensx

Experience:
- 70+ unique NSX sessions: spotlights, breakouts, quick talks and group discussions
- Visit the VMware booth: use case demos, chat with NSX experts
- Visit NSX technical partner booths: integration demos (EPSec and NetX, hardware VTEP, ops and visibility)
- Test drive NSX with free Hands-on Labs, expert-led or self-paced: labs.hol.vmware.com

Use:
- NSX Proactive Support Service: optimize performance based on data monitoring and analytics to help resolve problems, mitigate risk and improve operational efficiency. vmware.com/consulting

Take:
- Training and certification: several paths to professional certifications. Learn more at the Education & Certification Lounge. vmware.com/go/nsxtraining
