Advanced Network Services with NSX
Romain Decker, VMware, Inc
Dimitri Desmidt, VMware, Inc
NET7907 / #NET7907
CONFIDENTIAL
Growing NSX Momentum: a rapid journey of customer adoption across industries
• 1700+ customers
• 8 out of VMware’s top 10 deals in Q216 included NSX
• 100% YoY growth, consistent year-to-year (chart: Q213 through Q216)
NSX customer use cases
– Security (inherently secure infrastructure): Micro-segmentation, DMZ anywhere, Secure end user
– Automation (IT at the speed of business): IT automating IT, Multi-tenant infrastructure, Developer cloud
– Application continuity (data center anywhere): Disaster recovery, Cross cloud, Multi data center pooling
Disclaimer
• This presentation may contain product features that are currently under development.
• This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.
• Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.
• Technical feasibility and market demand will affect final delivery.
• Pricing and packaging for any new technologies or features discussed or presented have not been determined.
Agenda
1 Set the Scene
2 Firewall / Security Services
3 Load Balancing Services
4 VPN Services
5 Key Takeaways
6 Q & A
What is the overall goal of NSX?
• The NSX goal is to reproduce all Network and Security services in logical space:
– Switching: DHCP Server or Relay, DNS
– Routing / NAT: Distributed or centralized
– Firewall: Distributed or centralized
– Load Balancing: Inline or One-Arm
– L2 & L3 VPN: L2VPN, Site to Site, SSL VPN
(Diagram: Application XYZ made of Web, App and DB VMs)
Why services in logical space is key!
• Services in logical space (hypervisor) versus "appliances" bring the following benefits:
– Speed: faster to deploy
– Agility: networks can be placed anywhere in your data center
– Security: deeper security with micro-segmentation
– Performance: power of distribution
– Management and Troubleshooting: central management and visibility of the entire Network & Security stack; backup/restore/upgrade; advanced tools like Traceflow (allows simulation of specific traffic and highlights if traffic is dropped in logical/physical space)
Let's focus now on the Advanced Network & Security Services
– Switching: DHCP Server or Relay, DNS
– Routing / NAT: Distributed or centralized
– Firewall: Distributed or centralized
– Load Balancing: Inline or One-Arm
– L2 & L3 VPN: L2VPN, Site to Site, SSL VPN
(Diagram: Application XYZ made of Web, App and DB VMs)
Firewall / Security Services
i. NSX Security Services
ii. Benefits
iii. Performance
iv. What's New
v. Integration with 3rd party services
More info on Security in VMworld 2016 session: SEC7836R - Introduction to Security with VMware NSX
What do we offer?
– Native NSX Security Services: Stateful L4 Firewall, Security attached to the VM, Intra-subnet security
– Enhanced Security Services with 3rd party eco-system: L7 Firewall, Agentless Anti-Virus, Malware Protection, IPS/IDS
Security with NSX
Pros: Distributed, High Performance
• Unified configuration for central and distributed firewalling
• Hypervisor-based, in-kernel distributed firewalling
• Independent of transport network – VXLAN or VLAN
• Policy independent of location
• Micro-segmentation: security between VMs in the same subnet
(Diagram: VMs on logical switches Web-LS1 and App-LS1)
Firewall – Configuration
Pros: Easy / Fast learning curve; Simplicity, ease-of-use
• L2 MAC addresses and L3 IP addresses can be used
• In addition, any vCenter and NSX object names can be used: Virtual Machine, Datacenter, Cluster, Distributed Portgroup, Logical Switch, IP Subnets, IP Range, …
• Port numbers and protocol names
Note: ALG (Application-Level Gateway) support for TFTP, FTP, CIFS, ORACLE TNS, MS-RPC, and SUNRPC
Service Composer
Pros: Agility, Service Compliance
• Security Group (WHAT you want to protect): Dynamic Inclusion, Static Inclusion, Static Exclusion; VM-centric or Infrastructure-centric
• Security Policy (HOW you want to protect):
– Distributed Firewall Rules: L3 / L4 Firewall Rules
– Guest Introspection Rules: Anti-Malware / Anti-Virus, Data Security, Vulnerability Management, File Integrity Monitoring
– Network Introspection Rules: IDS / IPS Services, Firewall Services (L7)
Firewalling/Security – Performance: The Power of Distribution
20 Gbps per host of firewall performance with negligible CPU impact
Performance test scenario (throughput measurement): two hypervisors with two VMs each, two 10G physical NICs per server connected to a 10G switch; VM1 talks to VM3 and VM2 talks to VM4.
Check the NSX Performance Deep Dive (NET8030) session to learn more about NSX performance.
Security with NSX – What’s New?
– Enhanced security: SYN Flood Protection
– Serviceability improvements: TFTP ALG
– Increased application visibility: Copy Packet Support for Network Introspection
– Simplified operations & troubleshooting: Distributed Firewall Granular Rule Filtering
– Increased compatibility: Windows 10 support for Guest Introspection
Advanced Firewall Integration with Partners
NSX is the platform for integrating advanced security services.
Partner service categories: Next-Generation Firewall, Next-Generation IPS, Malware Protection, Vulnerability Management
Demo – Distributed Firewall
Three-tier application on logical switches Web-LS1, App-LS1 and DB-LS1, with security groups SG-Web, SG-App and SG-DB.

Initial rule set:
Source | Destination | Service | Action
Any | SG-Web | HTTP | Allow
SG-Web | SG-App | HTTP | Allow
SG-App | SG-DB | MySQL | Allow
Any | Any | Any | Block

Rule set after adding administrator SSH access:
Source | Destination | Service | Action
Admin-Laptop | Cluster A | SSH | Allow
Any | SG-Web | HTTP | Allow
SG-Web | SG-App | HTTP | Allow
SG-App | SG-DB | MySQL | Allow
Any | Any | Any | Block
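Added example, not from the deck or from NSX itself: a Python model of how the demo rule set is evaluated, first match wins and the final Any/Any/Any Block acts as default deny. The security-group membership, the contents of Cluster A and the sample flows are constructed for illustration.

```python
"""Added example (not NSX code): first-match evaluation of the demo DFW rule set.
Security-group membership, the contents of Cluster A and the flows are constructed."""
from dataclasses import dataclass

ANY = "Any"
# Constructed membership; in NSX it comes from Service Composer (static/dynamic inclusion).
SECURITY_GROUPS = {
    "SG-Web": {"web-01", "web-02"},
    "SG-App": {"app-01", "app-02"},
    "SG-DB": {"db-01"},
    "Cluster A": {"web-01", "web-02", "app-01", "app-02", "db-01"},  # vCenter object
    "Admin-Laptop": {"admin-laptop"},
}
SERVICES = {"HTTP": ("tcp", 80), "MySQL": ("tcp", 3306), "SSH": ("tcp", 22)}

# The deck's second rule table, top to bottom: (source, destination, service, action).
DFW_RULES = [
    ("Admin-Laptop", "Cluster A", "SSH", "Allow"),
    (ANY, "SG-Web", "HTTP", "Allow"),
    ("SG-Web", "SG-App", "HTTP", "Allow"),
    ("SG-App", "SG-DB", "MySQL", "Allow"),
    (ANY, ANY, ANY, "Block"),  # default deny: anything not explicitly allowed is dropped
]

@dataclass(frozen=True)
class Flow:
    src: str     # VM or endpoint name: the DFW keys on the VM's vNIC, not on its IP
    dst: str
    proto: str
    dport: int

def is_member(endpoint: str, group: str) -> bool:
    return group == ANY or endpoint in SECURITY_GROUPS.get(group, set())

def service_matches(flow: Flow, service: str) -> bool:
    return service == ANY or SERVICES[service] == (flow.proto, flow.dport)

def evaluate(flow: Flow, rules=DFW_RULES):
    """Return (rule number, action) of the first matching rule (stateful: only session initiation is checked)."""
    for number, (src, dst, svc, action) in enumerate(rules, start=1):
        if is_member(flow.src, src) and is_member(flow.dst, dst) and service_matches(flow, svc):
            return number, action
    raise RuntimeError("no rule matched: a rule set should always end with a default rule")

if __name__ == "__main__":
    # Constructed flows: web-01 may not reach the DB directly, and web-02 may not SSH to web-01
    # even though both sit on Web-LS1 (micro-segmentation within a subnet).
    for flow in (Flow("web-01", "app-01", "tcp", 80), Flow("web-01", "db-01", "tcp", 3306),
                 Flow("admin-laptop", "db-01", "tcp", 22), Flow("web-02", "web-01", "tcp", 22)):
        print(flow, "->", evaluate(flow))
```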
Load Balancing Services
i. NSX Load Balancing Services
ii. Benefits
iii. Performance
iv. What's New
v. Integration with 3rd party services
More info on LB in VMworld 2016 session: NET9029 - NSX Logical Load Balancing: From Basics to Fine Art
NSX Load Balancing Services • From Basic Load Balancing
– Offers scale up of any UDP/TCP application
– Offers high availability of applications
NSX Load Balancing Services • To Advanced Load Balancing
– L7 Manipulation
• HTTP/S request header
• HTTP/S response header
• Actions: Block, Rewrite, Add/Update/Remove headers
Example: app1.xyz.com, app2.xyz.com and app3.xyz.com all resolve to VIP1, in front of Pool1, Pool2 and Pool3.
VIP1:443 using Application Rule:
• If Host="app1.xyz.com" Use_Pool "Pool1"
• If Host="app2.xyz.com" Use_Pool "Pool2"
• If Host="app3.xyz.com" Use_Pool "Pool3"
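Added example, not NSX code: the VIP1:443 application rule modelled in Python, applied to a constructed HTTP request head after the Edge has terminated the client TLS session. The Block action for an unknown Host, the added X-Forwarded-Proto header and the removed Proxy-Authorization header are assumptions chosen to illustrate the Block and Add/Remove header actions listed above.

```python
"""Added example (not NSX code): an L7 application rule like the deck's VIP1:443 rule,
applied to a constructed HTTP request head. Blocking unknown hosts and the header
add/remove choices are assumptions for illustration."""

# Deck's rule: If Host="app1.xyz.com" Use_Pool "Pool1", etc. All three names share VIP1.
HOST_TO_POOL = {"app1.xyz.com": "Pool1", "app2.xyz.com": "Pool2", "app3.xyz.com": "Pool3"}

def parse_request_head(raw: bytes):
    """Split an HTTP/1.1 request head into its request line and a header map.
    The map is keyed by lower-cased name (header names are case-insensitive) and
    keeps the original name so the head can be re-serialised faithfully."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    request_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")   # first colon only: values may contain ':'
        headers[name.strip().lower()] = (name.strip(), value.strip())
    return request_line, headers

def apply_application_rule(raw: bytes):
    """Return ("block", reason) or ("use_pool", pool, rewritten_head)."""
    request_line, headers = parse_request_head(raw)
    # Host may carry an explicit port (app2.xyz.com:443); the rule matches the name only.
    host = headers.get("host", ("", ""))[1].split(":")[0].lower()
    pool = HOST_TO_POOL.get(host)
    if pool is None:
        return ("block", f"no pool configured for host {host!r}")  # action: Block (assumed)
    # Header actions (add/remove): tell the pool member the client used TLS, as in the
    # SSL offload case, and strip a hop-by-hop credential header before forwarding.
    headers["x-forwarded-proto"] = ("X-Forwarded-Proto", "https")
    headers.pop("proxy-authorization", None)
    rewritten = request_line + "\r\n"
    rewritten += "".join(f"{name}: {value}\r\n" for name, value in headers.values())
    return ("use_pool", pool, (rewritten + "\r\n").encode("iso-8859-1"))

if __name__ == "__main__":
    # Constructed request as the Edge sees it after terminating the client TLS session.
    REQUEST = b"GET /login HTTP/1.1\r\nHost: app2.xyz.com:443\r\nProxy-Authorization: x\r\n\r\n"
    print(apply_application_rule(REQUEST))
    print(apply_application_rule(b"GET / HTTP/1.1\r\nHost: unknown.example\r\n\r\n"))
```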
NSX Load Balancing Services • To Advanced Load Balancing
– Multiple SSL options: SSL Offload, SSL Passthrough, SSL End-to-End

SSL Offload (client https → Edge Service Router → http to servers):
• Edge terminates Client HTTPS (SSL sessions)
• Edge load balances the clients on HTTP to the servers
Note: L7 Application Rules can be applied.

SSL Passthrough (client https → Edge Service Router → https to servers):
• Edge does NOT terminate Client HTTPS (SSL sessions)
• Edge load balances TCP sessions to the servers
Note: Client SSL sessions are terminated at the servers (not the Edge).
Note 2: L7 Application Rules can NOT be applied.

SSL End-to-End (client https → Edge Service Router → new https to servers):
• Edge terminates Client HTTPS (SSL sessions)
• Edge load balances the clients on NEW HTTPS sessions to the servers
Note: L7 Application Rules can be applied.
Benefits • NSX offers that service with the following benefits
– Same place to configure all needed Network & Security services
– Very simple learning curve: create a Pool, Healthchecks, VIP
– Simpler configuration: ability to use NSX and vCenter objects
– Cost-effective
Performance • NSX Load Balancing performance meets most Enterprise needs
                 | L4       | HTTP      | HTTPS
Throughput       | 9.2 Gbps | 8.5 Gbps  | 2.2 Gbps
# conc. sessions | 1M       | 60k       | 60k
# sessions/sec   | 88k cps  | 35.8k cps | 576 cps
Reqs/sec         | –        | 55.9k rps | –
For higher scale, different VIPs can be installed on different Logical LBs.
What’s New?
– Increased number of supported LB applications: LB Port Range
– Increased number of VIPs per logical load balancer: up to 1024 Virtual IPs
– Increased security: support of FIPS
– Distributed Load Balancing (Tech Preview)
Goal of Distributed Load Balancing
• Goal
– Offer a very scalable and distributed load balancing service
– Optimized packet flow
(Diagram, classical view versus logical view: a Load Balancer in front of three tiers, Web-Tier-01 10.0.1.0/24 with web-01 and web-02, App-Tier-01 10.0.2.0/24 with app-01 and app-02, DB-Tier-01 10.0.3.0/24 with db-01; each tier's gateway is the .1 address)
Goal of Distributed Load Balancing (view option 2)
(Diagram: the same three-tier topology, with Service-Group_Web and Service-Group_App defined for the Web and App tiers)
Demo – Distributed Load Balancing
Enhancements with 3rd party LB vendors
• Why support 3rd party LB vendors?
– Customers want to move to Network Virtualization in baby steps
– Customers have a specific load balancing requirement not currently supported by NSX LB
VPN Site-to-Site (IPsec)
Pros: Interoperability; Cost-effective (hardware independent, software-only solution)
Features: Interoperable IPsec tested with major vendors; AES-NI H/W offload; ESP Tunnel Mode, NAT Traversal, Dead Peer Detection
Use Cases: Connect different entities (ROBO, partner, etc.); Cloud to Corporate
(Diagram: corporate network hosting CRM and file server, with IPsec VPN tunnels to a ROBO and to a partner site)
L2VPN
Pros: Cost-effective (hardware independent, software-only solution); SSL-secured L2 extensions over any IP network
Features: No specialized hardware required; Independent of vCenter Server boundaries
Use Cases: Brownfield NSX deployments; Data Center Migrations; Cloud Bursting & Onboarding
(Diagram: corporate subnets 172.16.10.0/24 and 172.16.20.0/24 extended at L2 to the cloud over an SSL VPN tunnel)
NSX User Access VPN (SSL-VPN)
Pros: Secure & cost-effective remote user access over HTTPS; Flexible, software-only solution (hardware independent)
Features: Client-based & web-based access mode; Support for major OS (Windows, Mac OS, Linux); Multiple authentication options (AD, Radius, LDAP, RSA); AES-NI acceleration (hardware offload); Configuration via UI and API
Use Cases: Access to servers running in a private environment over VPN; Remote access for administrators
(Diagram: remote users reaching the CRM and file server on the corporate network through the SSL VPN)
Key Takeaways
NSX reproduces all Network and Security services of the Data Center.
All services are available in logical space for best speed, agility and deeper security.
(Almost) all NSX services are available in distributed mode for massive scale.
A rich eco-system is available to enhance native services with partners.
Find Out More
• Hands-on Labs:
– HOL-SDC-1603 – VMware NSX Introduction
– HOL-SDC-1625 – VMware NSX Advanced
– HOL-PRT-1672 – Deploying Palo Alto Networks Next-Generation Security Platform with VMware NSX
• Other Sessions:
– Security: “Introduction to Security with VMware NSX” [SEC7836R] / “Deploying Security in a Brownfield Environment” [SEC8348]
– Load Balancing: “NSX Logical Load Balancing: From Basics to Fine Art” [NET9029]
– Automation: “How to Easily Become a Cool Automation NSX Cloud Network Engineer” [NET7701]
• VMware Communities NSX: https://communities.vmware.com/community/vmtn/nsx
Questions
NSX partner ecosystem
Dynamic insertion of partner services across: Physical Infrastructure, Security, Application Delivery, Operations and Visibility
Where to get started
• Learn: NSX Product Page & Technical Resources – vmware.com/products/nsx; Network Virtualization Blog – blogs.vmware.com/networkvirtualization; VMware NSX on YouTube – youtube.com/user/vmwarensx
• Connect & Engage: communities.vmware.com
• Experience: 70+ unique NSX sessions (spotlights, breakouts, quick talks & group discussions); Visit the VMware Booth (use case demos, chat with NSX experts); Visit NSX Technical Partner Booths (integration demos – EPSec & NetX, Hardware VTEP, Ops & Visibility); Test drive NSX with free Hands-on Labs (expert-led or self-paced, labs.hol.vmware.com)
• Use: NSX Proactive Support Service – optimize performance based on data monitoring and analytics to help resolve problems, mitigate risk and improve operational efficiency. vmware.com/consulting
• Take: Training and Certification – several paths to professional certifications. Learn more at the Education & Certification Lounge. vmware.com/go/nsxtraining