#vmworld
Accelerate App Security and Availability with vRealize Network Insight
Martijn Smit, VMware, Inc.
Sajan Liyon, VMware, Inc.
SAI2555BE
VMworld 2018 Content: Not for publication or distribution
Disclaimer
©2018 VMware, Inc.
This presentation may contain product features or functionality that are currently under development.
This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.
Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.
Technical feasibility and market demand will affect final delivery.
Pricing and packaging for any new features/functionality/technology discussed or presented have not been determined.
Agenda
Network & Security Model for Digital Era: Application Centricity
The Micro Segmentation Journey with vRealize Network Insight
Demos
“The Network is the Computer” (John Gage, 1984, Sun Microsystems). Exciting time when this is becoming a reality.
Network Model for Digital Era
[Figure: Virtual Cloud Network diagram spanning Branch, Telco/NFV and Edge/IoT sites]
The Application is a Network
“The Application Is a Network” “Any Device, Any Cloud, Any Application”
The Big Quandary for IT & Network Professionals: I am still responsible for application and application network performance, but I don’t control or have access to any of the infrastructure that delivers it.
Change in computing Paradigms
A new approach is needed to secure the hyper-distribution of apps and data
[Figure: Data center, Cloud, IoT / Branch; SaaS, PaaS, IaaS]
Software + (Hyper)Connectivity are Fueling a Shift From Data Centers to Centers of Data
Security and control everywhere
Changing the Application Security Model: From chasing bad to ensuring good
[Figure: application/OS stack contrasting “Chasing Bad” with “Ensuring Good”; figures 75,000,000 and 75 shown]
Devices, Users, Access, Compute, Network, Data
VMware is in a Unique Position to Deliver & Operationalize Next-gen Security
[Figure: Mobility, Context, Control across the Secure Infrastructure (SDDC, User Access Layer): Compute, Data, Network, Access, Users, Devices, Apps]
NSX, AppDefense™, Workspace ONE™, Network Insight
Security Planning & Network Visibility Across the Virtual Cloud Network
vRealize Network Insight: Discovery, Connectivity, Security
[Figure: Users; VMs, Containers, Microservices; Branch Offices; Public Clouds; Telco Networks; Private Data Centers; Things; Applications]
• Visibility, Analytics, Insights
• Network Troubleshooting
• Closed Loop Security Planning & Enforcement
• Self-Driving Operations
5 Steps to Application-Centric Micro-segmentation
Download the complete guide at vmware.com/nsx/security
1. Assess current environment: FREE Virtual Network Assessment Available!
2. Deploy NSX Data Center: NO changes to your current physical network!
3. Identify Application Boundaries: Discover services, applications and their boundaries!
4. Get Recommended Firewall Rules: Application Rules Manager in NSX helps provide application-level rules!
5. Repeat, Monitor, Troubleshoot: Deploy micro-segmentation starting with the most critical apps first!
NSX Data Center and vRealize Network Insight for Micro-segmentation Nirvana!
Understanding Your Environment: Applications across Virtual, Physical and Cloud
Your Application Model
• Network Flows
• In-Guest Processes
• User Groups (Ex: Active Directory)
• CMDB (Ex: ServiceNow)
• Blueprints and Manifests
The “Deny Everything Else” State: Getting to the right security groups and policies
• Identifying Workloads with Common Network Behavior (Your Applications and App Tiers)
• Grouping: Workload Characteristics, Ports, Common Services
• Recommended Security Policies and Firewall Rules for a Zero-Trust Model
• Enforcement Points (with NSX Data Center, Physical, Cloud)
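Added example (not from the deck or from vRealize Network Insight itself) of the workflow the slide describes: group workloads by the services they serve and consume, turn the observed flows into group-to-group allow rules, and close the policy with a default deny. The flow records, the group-naming convention and the function names are constructed assumptions for illustration.

```python
import os
from collections import defaultdict

# Constructed sample flows, as a flow collector would report them:
# (source VM, destination VM, protocol, destination port)
FLOWS = [
    ("web-01", "app-01", "tcp", 8080),
    ("web-02", "app-02", "tcp", 8080),
    ("app-01", "db-01", "tcp", 3306),
    ("app-02", "db-01", "tcp", 3306),
]

def group_workloads(flows):
    """Group VMs by common network behavior: the services they serve and the
    services they consume. VMs with the same signature form one security
    group (an app tier). Returns {vm: group_name}."""
    served, consumed = defaultdict(set), defaultdict(set)
    for src, dst, proto, port in flows:
        served[dst].add((proto, port))
        consumed[src].add((proto, port))
    by_signature = defaultdict(list)
    for vm in sorted(set(served) | set(consumed)):
        by_signature[(frozenset(served[vm]), frozenset(consumed[vm]))].append(vm)
    groups = {}
    for i, members in enumerate(by_signature.values()):
        # Name the group after its members' common prefix (hypothetical convention)
        name = os.path.commonprefix(members).rstrip("-0123456789") or f"group{i}"
        groups.update({vm: name for vm in members})
    return groups

def recommend_rules(flows):
    """Turn observed flows into group-to-group allow rules, then close the
    policy with the 'deny everything else' rule of a zero-trust model."""
    groups = group_workloads(flows)
    allow = sorted({(groups[s], groups[d], proto, port) for s, d, proto, port in flows})
    return [("allow",) + rule for rule in allow] + [("deny", "any", "any", "any", "any")]

def evaluate(rules, groups, flow):
    """First matching rule wins; unobserved traffic falls through to the deny."""
    src, dst, proto, port = flow
    for action, sg, dg, p, pt in rules:
        if (sg in ("any", groups.get(src)) and dg in ("any", groups.get(dst))
                and p in ("any", proto) and pt in ("any", port)):
            return action
    return "deny"

if __name__ == "__main__":
    for rule in recommend_rules(FLOWS):
        print(rule)
```

Running it prints two allow rules (app→db on tcp/3306, web→app on tcp/8080) followed by the default deny; a web VM connecting straight to the database was never observed and is therefore denied.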
Ensuring App Availability with more VCN Metrics: Through Network Latency and Streaming Telemetry
• Why are my apps slow? (My network & business SLAs)
• Identify latency of flows associated with app tiers (RTT of flow)
• Latency in accessing the app?
• Is there latency in my virtual infrastructure?
• Is it in the host? (vNIC to vNIC, vNIC to pNIC)
• Is it in the path? (VTEP to VTEP)
• Is there any latency in my underlay? Microburst detection (queue depths), hop-by-hop latency
Network Telemetry: streaming telemetry, real-time data collection; VCN latency metrics; metadata analysis.
Analytics: looking for patterns in the latency w.r.t. events in the network.
Intent: policy & business outcome from analytics; business intent, VCN intent, policy/workload optimization.
Virtual Cloud Network Latency: What does network latency mean in virtualization?
[Figure: VM (vmxnet3) → Port1/Port2 → Dispatch and Mirroring → Port3/Port4 (Teaming) → Uplink Layer → vmnic0/vmnic1 → pNIC; latency segments shown: vNIC to pNIC, pNIC to vNIC, vNIC to vNIC, VTEP to VTEP]
In the context of virtualization, it includes the following:
• Latency in the sender guest (VM)
• Latency in the host (hypervisor) where the sender VM runs
• Physical network latency
• Latency in the host where the receiver VM runs, and receiver guest latency
Operationalizing Micro-segmentation: Getting to the right security groups and policies
[Figure: enforcement points: 3rd Party Virtual Firewall, VXLAN, VLAN, Physical Firewall, NSX Firewall]
Demo: Accelerate your Micro-segmentation Journey
Operationalizing Micro-segmentation: Day 2 readiness for monitoring and troubleshooting is as critical as securing your apps
• Intent vs. Realized
• Overlay-Underlay Troubleshooting
• Change, Audit & Compliance
• Continuous Analytics
Operations with ACI Underlay
• EPG, Bridge Domain, ANP, EPG to VM, EPG to DVPG association
• Layer 2 path from VM to leaf nodes
• VM to VM path visibility (ACI VRF in VM-VM path)
• ACI leaf nodes and their ports in path; spine fabric
[Figure: ACI Leaf, ACI Spine]
Operations with BGP-EVPN Underlay
• Show VM-to-VM path through a BGP-EVPN underlay
• Leaf, spine, uplinks, VRFs
• EVPN (overlay visualization)
• Expand the underlay topology in context of the VM
• Show all the leaves where the default gateway of the VM is present
Hybrid Applications: Extending to Public Cloud
• VMware Cloud or native public cloud (AWS, Azure, ..)
• Hybrid Network Path Troubleshooting (cloud-to-on-premises, gateways, VPN)
• Traffic Analysis & Micro-segmentation Planning for cloud workloads
• Migration planning from on-premises to cloud
Any App, Any Cloud
Apps can land anywhere, can be deployed anywhere, and can span beyond the DC to the edge to the cloud. vRealize Network Insight brings it all together with end-to-end Visibility, Security and Control.
Learn More
Try the Hands-on Lab: Labs.hol.vmware.com, HOL-1829-01-NET (Hol.vmware.com)
vmware.com/go/vrni
Available for evaluation as part of VMUG Advantage: https://www.vmug.com/Join/EVALExperience
Request a free 30-day evaluation for the Network Insight service: Cloud.vmware.com/network-insight/request-access
DON’T FORGET TO FILL OUT YOUR SURVEY.
THANK YOU!
#vmworld #SAI2555BE