net1190bu multisite networking and security with cross-vc or … · 2019-06-27 · humair ahmed,...


Page 1: NET1190BU Multisite Networking and Security with Cross-VC or … · 2019-06-27 · Humair Ahmed, VMware NSBU @Humair_Ahmed NET1190BU #VMworld #NET1190BU Multisite Networking and Security

Humair Ahmed, VMware NSBU, @Humair_Ahmed

NET1190BU

#VMworld #NET1190BU

Multisite Networking and Security with Cross-VC NSX – Part 1

VMworld 2017 Content: Not for publication or distribution

Page 2

Disclaimer

• This presentation may contain product features that are currently under development.
• This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.
• Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.
• Technical feasibility and market demand will affect final delivery.
• Pricing and packaging for any new technologies or features discussed or presented have not been determined.

#NET1190BU CONFIDENTIAL

Page 3

NSX Customer Use Cases

Security – Inherently secure infrastructure: Micro-segmentation, DMZ Anywhere, Secure End User
Automation – IT at the speed of business: IT Automation, Developer Cloud, Multi-tenant Infrastructure
Application continuity – Data center anywhere: Disaster Recovery, Multi Data Center Pooling, Cross Cloud

Related sessions: Multisite Networking and Security with Cross-VC NSX: Part 2 (NET1191BU); Disaster Recovery Solutions with NSX (NET1188BU)

Page 4

NSX customer examples by use case

Security: Micro-segmentation, Secure End User, DMZ Anywhere
Automation: Automating IT, Developer Cloud, Multi-tenant Cloud
App Continuity: Disaster Recovery, Multi Data Center Pooling

• Armor – Building a security-as-a-service public cloud
• Columbia – $2M in savings and counting
• Vallejo Sanitation and Flood – NSX + AW + Horizon: 2 people managing all of IT, from their cell phones
• University of New Mexico – Centralization of IT from more than 100 disjointed departments
• Shutterfly – Self-service multi-tenant environment handling a 400% increase in seasonal demand
• CNRA – Multi-tenancy for critical state infrastructure
• Baystate Health – 3 data centers running as 1
• Sugar Creek – Workload mobility between Active-Active data centers
• Aerodata – Simplified disaster recovery
• EMC EHC – Disaster recovery leveraging RP4VM / SRM
• iland – Leveraging NSX for DRaaS

Page 5

Connectivity Between Sites

• NSX Solutions:
  – Multi-Data Center (Active/Active):
    • Separate/Stretched Cluster(s) with NSX
    • Cross-VC NSX
  – Public Cloud: IPSEC, L2VPN, Cross-VC NSX
  – Branch Offices: IPSEC VPN
  – Remote Users: SSL VPN
• Considerations:
  – Bandwidth between entities
  – Latency between sites
  – MTU Considerations
  – Administrative Domain

Diagram: Headquarters, Data Center 1, Data Center 2, Branch Offices, Remote Users, Cloud Provider and Cloud Provider X connected over the Internet / WAN.

Related sessions: Enabling the Software-Defined ROBO with VMware NSX (NET1783BU); NSX and VMware Cloud on AWS: The Path to Hybrid Cloud (LHC2105BU); IBM Cloud - Automated and Simplified Disaster Recovery (LHC2432BU)

Page 6

Agenda

1 The Medieval Days of Multisite
2 The Multisite Revolution with NSX
3 Cross-VC NSX Use Cases
4 Cross-VC NSX Architecture
5 Multi-site Networking with Cross-VC NSX
6 Multi-site Security with Cross-VC NSX (with Demo)
7 3rd Party Services for Multisite
8 Summary / Q&A

Related session: Multisite Networking and Security with Cross-VC NSX – Part 2 (NET1191BU)

Page 7

The Medieval Days of Multisite

Diagram: Site 1 (Winterfell) and Site 2 (King's Landing) connected by L2 over dark fiber, VPLS instances over an MPLS backbone, or L2 over L3 (OTV); a Web / App / DB application behind a load balancer, with ACLs, DNS, application dependencies and security policies to keep in step. "Winter is coming. Protect the workloads!"

• Change application IP addresses
• Re-configure physical network for L2-L3 connectivity requirements
• Re-create security policies
• Update other physical device configuration (ex: load balancer)
• Additional update/re-configuration (ACLs, DNS, application IP dependencies, etc.)

• Expensive (hardware based)
• Complex and/or proprietary
• Not agile – changes typically require long lead times and are error prone
• Operationally challenging
• Only addresses network (not compute)
• Per device configuration
• Lack of flexibility and automation

Not a holistic solution – only focused on the network and per-device configuration, and lacking automation and flexibility

Page 8

Agenda (repeated from page 6)

Page 9

Multisite with NSX: Active - Standby Model

Run apps for periods of time in a specific DC (Active - stand-by model)

Diagram: Universal Logical Switches (ULS VNI 7000, VNI 8000, VNI 9000) for the Web / App / DB tiers, connected by a UDLR and protected by the UDFW, span the active and the standby site; the application VMs (App A, App B, App C) run in the active site.

Page 10

Multisite with NSX: Active - Active Model

Application active on both sides (Active - Active model)

Diagram: the same Universal Logical Switches (ULS VNI 7000, VNI 8000, VNI 9000), UDLR and UDFW span both sites; Web / App / DB application VMs run in both sites at once.

Page 11

Traditional Networking for Multisite Solutions vs. NSX Platform for Multisite Solutions

Traditional networking: expensive, hardware-based, complex, operationally challenging, and/or long lead times required. Ex:
▪ L2 Over Dark Fiber
▪ VPLS Over MPLS Back Bone
▪ Hardware-Based Solution (OTV)
Not holistic solutions – only focused on the network and per-device configuration, lacking automation and flexibility

NSX platform: what's needed is a software-based approach which can provide:
➢ Decoupling from physical hardware
➢ Ease of deployment
➢ Ease of use
➢ Better security with micro-segmentation
➢ Leverage higher-level security constructs
➢ Flexibility
➢ High degree of automation
➢ Rapid deployment/recovery and productivity
➢ Ease of testing apps / testing DR plan
➢ Extensive partner ecosystem for services
➢ Integration with other DR & SDDC components (SRM, vSphere hypervisor, vRealize Suite, etc.)

Page 12

Agenda (repeated from page 6)

Page 13

Cross-VC NSX Use Cases

1.) Workload Mobility

Since logical networking and security can span multiple vCenter domains and multiple sites:
• Cross-VC NSX allows for enhanced workload mobility across Active-Active data centers
• Workloads can now be moved between vCenter domains/sites on demand (ex: data center migration, data center upgrades/security patches, disaster avoidance, etc.)

Page 14

Cross-VC NSX Use Cases

2.) Resource Pooling / Active-Active

• Resources are no longer isolated based on vCenter boundaries
• Allows for the ability to access and pool resources from multiple vCenter domains
• Allows for better resource utilization

Diagram: Resource Pooling and Better Utilization of Idle Capacity

Page 15

Cross-VC NSX Use Cases

3.) Unified Networking and Security Policy

• Enables a consistent security policy across vCenter boundaries and sites
• Users are no longer required to manually replicate security policies across domains/sites
• Ease of security automation across multiple sites (one API call)
• Can use higher-level security constructs in security policies

Diagram: Synchronization – Automated Universal Security Group and Universal Security Rule Creation via Script Calling NSX REST API

Page 16

Cross-VC NSX Use Cases

4.) Disaster Recovery

• No longer need to re-IP the application or do any manual mapping of networks
• No need to manually replicate security policies
• NSX also has tight product integration with VMware SRM

Diagram: Application Recovery – IP Address Maintained, Consistent Security

Related session: Disaster Recovery Solutions with NSX (NET1188BU)

Page 17

Agenda (repeated from page 6)

Page 18

Cross-VC NSX – Network Architecture

Diagram: Universal object configuration enters through the NSX UI & API on NSX Manager A (Primary); the Universal Synchronization Service (USS) replicates it to NSX Manager B (Secondary) through NSX Manager H (Secondary); each NSX Manager is paired with its vCenter (vCenter A, vCenter B, vCenter H) and its ESX hosts; a single Universal Controller Cluster serves all of them.

Control-plane channels and ports shown:
• NSX Manager REST API: TLS / TCP 443
• vSphere API: TLS / TCP 443
• AMQP message bus (NSX Manager to ESX hosts): TLS / TCP 5671
• NSX Controller REST API: TLS / TCP 443
• NSX Control Plane Protocol (hosts to controllers): TLS / TCP 1234

Page 19

Cross-VC NSX – Network Architecture

Universal Control Cluster (UCC):
- three-controller cluster that maintains information about local and universal logical objects across multiple vCenter domains

• Each NSX Manager maintains a connection to each of the controllers. The connection status can be seen in the Status column
• Manager connects to the controller to push relevant logical networking configuration to the controllers
• Also, a periodic keep-alive is done to monitor the state of the controller cluster and measure disk latency alerts

Screenshots: controller connection status on the Primary NSX Manager and on a Secondary NSX Manager

Page 20

Cross-VC NSX – Network Architecture

Universal Transport Zone (UTZ):
- defined from NSX Manager as the span of universal logical objects across vSphere clusters

Universal Logical Switch (ULS):
- logical switch able to span across multiple vCenter domains
- allows for logical L2 across multiple vCenter domains

Universal Distributed Logical Router (UDLR):
- same as distributed logical router (DLR) but able to span across multiple vCenter domains
- allows for L3 connectivity for universal logical switches

Page 21

Cross-VC NSX – Security Architecture

Diagram: NSX Manager A (Primary), NSX Manager B (Secondary) and NSX Manager H (Secondary), each paired with its vCenter (vCenter A, B, H) over the vSphere API (TLS / TCP 443) and with its local ESX hosts over the AMQP message bus (TLS / TCP 5671); the USS links the primary to the secondaries; universal configuration enters through the NSX UI & API (NSX Manager REST API, TLS / TCP 443).

UDFW rule propagation:
1. UDFW rule created on the primary NSX Manager
2. UDFW rule stored in the primary's local database
3. UDFW rule pushed to the primary's local ESXi hosts via the message bus; in parallel, the USS synchronizes the UDFW rule to the secondary NSX Managers
4. UDFW rule stored in each secondary's local database
5. UDFW rule pushed to each secondary's local ESXi hosts via the message bus

Page 22

Key Cross-VC NSX Concepts

Universal Distributed Firewall (UDFW):
- distributed firewall (DFW) spanning across vCenter boundaries
- provides consistent security policies across all vCenter domains/sites

Universal Firewall Rules:
- DFW rules are configured under the Universal section of the DFW
- apply across vCenter boundaries

Page 23

Agenda (repeated from page 6)

Page 24

Multi-site, Multi-vCenter, Active-Passive Site Egress

Diagram: Route Updates

Page 25

Multi-site, Multi-vCenter, Active-Active Site Egress

Diagram: Route Updates with Locale ID exchanged at each site; Peering – OSPF / BGP

Page 26

Flexibility with Multi-site Deployments

Tenant 1: Active/Passive Site Egress via Dynamic Routing
Tenant 2: Active/Passive Site Egress via Dynamic Routing
Tenant 3: Active/Active Site Egress via Local Egress

Page 27

NSX Control Plane Resiliency: CDO Mode

Diagram (No CDO Mode): a Universal Transport Zone spans Site 1 and Site 2, each with a VDS cluster; Host 1 (Site 1) and Host 2 (Site 2) share the Universal App Logical Switch, VNI 90000; the Universal Controller Cluster sits at Site 1. Labels: Successful Ping; Ping Fails.

Page 28

NSX Control Plane Resiliency: CDO Mode

Diagram (CDO Mode enabled at both sites): the same topology (Universal Transport Zone across Site 1 and Site 2, Host 1 and Host 2 on the Universal App Logical Switch, VNI 90000, Universal Controller Cluster at Site 1). Labels: BUM; Successful Ping.

• No issues when powering on a VM on Host 2 or vMotioning a VM to Host 2

Page 29

Agenda (repeated from page 6)

Page 30

Cross-VC NSX – Multi-site Security

Universal Distributed Firewall (UDFW): distributed firewall (DFW) spanning across vCenter boundaries and providing consistent security policies across all vCenter domains/sites

Universal Firewall Rules: DFW rules that are configured under the Universal section of the DFW and apply across vCenter boundaries

Universal Network and Security Grouping Objects: the Universal section of the DFW supports the following network and security objects:
• Universal IP Sets
• Universal MAC Sets
• Universal Security Groups
• Universal Services
• Universal Service Groups
• Universal Security Tags (Static Inclusion)
• VM Name (Dynamic Inclusion)

Page 31

Cross-VC NSX – Multi-site Security

Screenshot: Apply UDFW Rule

Page 32

NSX-V 6.3: Cross-VC NSX DFW Enhancements

General Enhancements:
• Multiple UDFW Sections
• ApplyTo can use Universal SGs

New Support for Active-Standby Use Cases (DR):
• Universal Security Tags
• Universal Security Groups using Universal Security Tags (Static Membership)
• Universal Security Groups using VM Name (Dynamic Membership)

Page 33

Multiple Universal Sections

• Prior to NSX-V 6.3, could only have one Universal DFW Section
• Starting with NSX-V 6.3, can have multiple Universal DFW Sections

Efficiency in terms of:
1. rules synchronized per universal section
2. rules can easily be organized per tenant/application

Page 34

Multiple Universal Sections

• All Universal DFW Sections are always on top – even on the Primary NSX Manager
• Adding a DFW section above a UDFW section will automatically make it a Universal section
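The two behaviours on pages 33 and 34 (universal sections always on top, a section added above them is promoted to universal, and synchronization per universal section) together with the primary-to-secondary propagation on page 21 can be modelled in a few dozen lines. The following is an added example, not code from this deck or from VMware: it is an in-memory model of one primary and two secondary NSX Managers, and the section names, rule contents, the content digest used as a sync revision and the manager classes are all constructed for the example.

```python
"""Model of Cross-VC NSX DFW section ordering and per-section USS synchronization.

Added example, not VMware code: universal DFW sections always sit on top of the
rule table (a local section inserted above one becomes universal), and the
Universal Synchronization Service (USS) re-sends only the universal sections
whose content changed. Names, rules and the digest-as-revision are constructed.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, field


@dataclass
class Rule:
    name: str
    source: str
    destination: str
    action: str  # "allow" or "block"


@dataclass
class Section:
    name: str
    universal: bool
    rules: list[Rule] = field(default_factory=list)

    def digest(self) -> str:
        """Stable content hash; stands in for the revision the USS would compare."""
        payload = json.dumps([r.__dict__ for r in self.rules], sort_keys=True)
        return hashlib.sha256(payload.encode()).hexdigest()[:16]


class DfwTable:
    """Ordered rule table of one NSX Manager; index 0 is the top, first match wins."""

    def __init__(self) -> None:
        self.sections: list[Section] = []

    def _first_local_index(self) -> int:
        # End of the universal block at the top of the table.
        for i, s in enumerate(self.sections):
            if not s.universal:
                return i
        return len(self.sections)

    def add_section(self, section: Section, position: int | None = None) -> Section:
        """Insert a section, keeping every universal section above every local one."""
        boundary = self._first_local_index()
        if section.universal:
            position = boundary if position is None else min(position, boundary)
        else:
            position = len(self.sections) if position is None else position
            if position < boundary:
                section.universal = True  # promoted: it would sit above a universal section
        self.sections.insert(position, section)
        return section

    def universal_sections(self) -> list[Section]:
        return [s for s in self.sections if s.universal]


class SecondaryManager:
    """Secondary NSX Manager: stores synced universal sections, then pushes them to its hosts."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.db: dict[str, str] = {}  # section name -> digest held in the local database
        self.host_pushes = 0  # message-bus pushes to local ESXi hosts (only counted here)

    def receive(self, sections: list[Section]) -> list[str]:
        """Store sections whose digest differs from the stored one; return their names."""
        changed = []
        for s in sections:
            d = s.digest()
            if self.db.get(s.name) != d:
                self.db[s.name] = d
                self.host_pushes += 1
                changed.append(s.name)
        return changed


class PrimaryManager:
    """Primary NSX Manager: owns the universal sections and drives the USS sync."""

    def __init__(self, secondaries: list[SecondaryManager]) -> None:
        self.table = DfwTable()
        self.secondaries = secondaries

    def sync(self) -> dict[str, list[str]]:
        """Offer the universal sections to every secondary; report what each had to re-store."""
        return {m.name: m.receive(self.table.universal_sections()) for m in self.secondaries}


def demo() -> tuple[list[tuple[str, bool]], dict[str, list[str]], dict[str, list[str]]]:
    """Walk through the slide behaviours with one primary and two secondaries."""
    primary = PrimaryManager([SecondaryManager("NSX-Manager-B"), SecondaryManager("NSX-Manager-H")])
    t = primary.table
    t.add_section(Section("Tenant1-Universal", True, [Rule("web-to-app", "Universal-Web", "Universal-App", "allow")]))
    t.add_section(Section("Local-Site-A", False, [Rule("mgmt", "any", "Mgmt-Net", "allow")]))
    t.add_section(Section("Tenant2-Universal", True, [Rule("deny-db", "any", "Universal-DB", "block")]))
    # A local section inserted at the very top lands above universal sections, so it becomes universal.
    t.add_section(Section("Emergency", False, [Rule("quarantine", "Quarantine-SG", "any", "block")]), position=0)
    first_sync = primary.sync()
    t.sections[0].rules.append(Rule("quarantine-out", "any", "Quarantine-SG", "block"))
    second_sync = primary.sync()  # only the edited section is re-sent
    return [(s.name, s.universal) for s in t.sections], first_sync, second_sync
```

`demo()` returns the final section order (three universal sections, including the promoted "Emergency" one, above the local section), the first sync in which every secondary stores all three universal sections, and the second sync in which only the edited section travels. The promotion in `add_section` is the behaviour to keep in mind operationally: a section an administrator meant to be site-local becomes universal simply by being placed above a universal section, and is then enforced at every site.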

Page 35

ApplyTo

• Prior to NSX-V 6.3, ApplyTo only supported Universal Logical Switch for UDFW.
• In NSX-V 6.3, ApplyTo now also supports Universal Security Groups with new matching criteria:
  - VM Name (Dynamic)
  - Security Tag (Static)

Page 36

Universal Security Groups Using Security Tags and VM Name

Page 37

NSX Security: Leveraging Higher-Level Security Constructs

Ex: Universal Security Tags
1. On Primary NSX Manager – configure Unique ID Selection Criteria
2. On Primary NSX Manager – create Universal Security Tag
3. On Primary NSX Manager – statically attach security tag(s) to respective VM(s)
4. Synchronization of Security Tags between Primary/Secondary NSX Managers
5. On Secondary NSX Manager – Security Tags attached to respective VMs based on Unique Selection criteria
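The flow on page 37 (tags attached on the primary, replayed on the secondary according to the Unique ID Selection Criteria) and the two membership modes of page 35 (static by security tag, dynamic by VM name) decide which vNICs a universal rule's ApplyTo actually lands on at each site. The following is an added example, not code from this deck or from VMware: the two VM inventories, tag and group names, the name pattern and the rule are constructed, and choosing the VM name or the instance UUID as the unique ID is an assumption made so the example can show the two outcomes side by side.

```python
"""Universal Security Group membership across two vCenter domains.

Added example, not VMware code. Models the NSX-V 6.3 constructs on these slides:
universal security tags attached on the primary and replayed on the secondary
to the VM matching the Unique ID Selection Criteria; universal security groups
with static (tag) or dynamic (VM name) membership; and a universal rule's
ApplyTo resolved per site. Inventories, names, patterns and the rule are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field


@dataclass
class VM:
    name: str
    instance_uuid: str
    site: str
    tags: set[str] = field(default_factory=set)


@dataclass
class UniversalSecurityGroup:
    name: str
    static_tags: set[str] = field(default_factory=set)      # static inclusion: security tag
    name_patterns: list[str] = field(default_factory=list)  # dynamic inclusion: VM name

    def members(self, inventory: list[VM]) -> set[str]:
        """Names of the VMs in this inventory that fall into the group."""
        out = set()
        for vm in inventory:
            if vm.tags & self.static_tags or any(
                re.search(p, vm.name, re.IGNORECASE) for p in self.name_patterns
            ):
                out.add(vm.name)
        return out


def sync_tags(primary: list[VM], secondary: list[VM], unique_id: str = "name") -> dict[str, set[str]]:
    """Replay the primary's tag attachments on the secondary via the unique ID criterion.

    unique_id is "name" or "instance_uuid" (assumed choices for this example).
    Returns the secondary's resulting tag map, VM name -> tags.
    """
    wanted = {getattr(vm, unique_id): vm.tags for vm in primary if vm.tags}
    for vm in secondary:
        vm.tags = set(wanted.get(getattr(vm, unique_id), set()))
    return {vm.name: set(vm.tags) for vm in secondary}


def build_inventories() -> dict[str, list[VM]]:
    """Constructed inventories: the Site-B copies keep their names but not their instance UUIDs."""
    return {
        "Site-A": [
            VM("web-01", "uuid-a-1", "Site-A", {"UST-Web"}),
            VM("prod-web-02", "uuid-a-2", "Site-A"),
            VM("app-01", "uuid-a-3", "Site-A", {"UST-App"}),
            VM("db-01", "uuid-a-4", "Site-A"),
        ],
        "Site-B": [
            VM("web-01", "uuid-b-1", "Site-B"),
            VM("prod-web-03", "uuid-b-2", "Site-B"),
            VM("app-01", "uuid-b-3", "Site-B"),
            VM("db-01", "uuid-b-4", "Site-B"),
        ],
    }


GROUPS = [
    UniversalSecurityGroup("USG-Web", static_tags={"UST-Web"}, name_patterns=[r"^prod-web-\d+$"]),
    UniversalSecurityGroup("USG-App", static_tags={"UST-App"}),
]
RULE = {"name": "web-to-app", "source": "USG-Web", "destination": "USG-App",
        "service": "TCP/8080", "action": "allow", "applied_to": ["USG-Web", "USG-App"]}


def enforcement_scope(rule: dict, groups: list[UniversalSecurityGroup],
                      inventories: dict[str, list[VM]]) -> dict[str, set[str]]:
    """Per site, the VMs whose vNICs receive the rule: the union of its ApplyTo groups."""
    by_name = {g.name: g for g in groups}
    return {site: set().union(*(by_name[g].members(inv) for g in rule["applied_to"]))
            for site, inv in inventories.items()}


def demo(unique_id: str = "name") -> dict:
    """Sync tags with the chosen unique ID, then evaluate group membership and ApplyTo per site."""
    inv = build_inventories()
    secondary_tags = sync_tags(inv["Site-A"], inv["Site-B"], unique_id)
    members = {g.name: {site: g.members(vms) for site, vms in inv.items()} for g in GROUPS}
    return {"secondary_tags": secondary_tags, "members": members,
            "applied_to": enforcement_scope(RULE, GROUPS, inv)}
```

Run `demo()` with the VM name as the unique ID and the Site-B copy of `web-01` inherits `UST-Web`, so `USG-Web` covers `web-01` and `prod-web-03` at Site B and the rule is enforced on both tiers there. Run `demo("instance_uuid")` and no tag is replayed because the copies carry different UUIDs: only the dynamic VM-name match still places `prod-web-03` in the group, and `USG-App` at Site B is empty, which is the kind of silent coverage gap worth checking for after a DR test.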

Page 38

Demo Placeholder

Page 39

Agenda (repeated from page 6)

Page 40

VMware NSX + Palo Alto Networks for Advanced Multisite Security

Page 41

Multi-site Security Policy

Diagram: a Security Policy Management Layer at each of the two sites

Page 42

Multi-site Security Policy

Diagram: Security Policy Management Layer; HA; Active / Standby

Page 43

VMware NSX + F5 Networks for Active/Active Designs

Page 44

Lab topology diagram: VMware NSX + F5 Networks for Active/Active designs

Site 1 – Palo Alto, CA: Site 1 NSX Manager 1 (Primary), vCenter 1, Compute Cluster 1, Compute Cluster 2, Edge Cluster (Compute VDS, Edge VDS); the Mgmt vCenter and the Universal Controller Cluster are also placed at Site 1.
Site 2 – San Jose, CA: Site 2 NSX Manager 2 (Secondary), vCenter 2, Compute Cluster 1, Compute Cluster 2, Edge Cluster (Compute VDS, Edge VDS).

The Universal Transport Zone, the Universal Distributed Firewall (UDFW) and the Universal Distributed Logical Router (UDLR) span both sites.

ESXi hosts:
• Site 1: ESXi1-1 10.100.0.50/24, ESXi1-2 10.100.0.51/24, ESXi1-3 10.100.0.52/24, ESXi1-4 10.100.1.51/24, ESXi1-5 10.100.1.52/24, ESXi1-6 10.100.1.53/24
• Site 2: ESXi2-1 10.200.0.50/24, ESXi2-2 10.200.0.51/24, ESX2-3 10.200.0.52/24, ESXi2-4 10.200.1.51/24, ESXi2-5 10.200.1.52/24, ESXi1-6 10.200.1.53/24 (as labelled on the slide)

Universal logical switches (UDLR interface .1 on each):
• Universal Web 172.20.1.0/24, Universal App 172.20.2.0/24, Universal DB 172.20.3.0/24
• Universal Web2 172.20.8.0/24, Universal App2 172.20.9.0/24, Universal DB2 172.20.10.0/24
• Universal Transit 172.39.39.0/28 (.1, .2; Universal Control VM .14)
Summary route: 172.20.0.0/20

Edge uplinks: Site 1 VLAN 279 10.100.9.2/28 and VLAN 280 10.100.11.2/28; Site 2 VLAN 379 10.200.9.2/28 and VLAN 380 10.200.11.2/28 (upstream .1 on each).
Addresses shown at the Edge clusters: Site 1 10.100.1.71/24, 10.100.1.72/24, 10.100.1.73-74/24; Site 2 10.200.1.71/24, 10.200.1.72/24.
Routing: iBGP with BGP weight 60 at Site 1 and BGP weight 30 at Site 2; eBGP to the physical network at each site.

F5 BIG-IP (one HA pair per site):
• Site 1: Mgmt 10.100.1.80/24 and 10.100.1.81; Internal (Web) 172.20.8.251 and 172.20.8.252; HA 172.80.80.1/30 and 172.80.80.2/30; Internal Floating IP (Web) 172.20.8.253; External Floating IP (Web) 10.100.9.14; External (Edge) 10.100.9.12 and 10.100.9.13
• Site 2: Mgmt 10.200.1.80 and 10.200.1.81; Internal (Web) 172.20.8.248 and 172.20.8.249; HA 172.90.90.2/30; Internal Floating IP (Web) 172.20.8.250; External Floating IP (Web) 10.200.9.14; External (Edge) 10.200.9.12 and 10.200.9.13
• BIG-IP DNS VE: Site 1 Mgmt 10.114.223.75, Dataplane 10.100.1.190; Site 2 Mgmt 10.114.223.78, Dataplane 10.200.1.190

Page 45

Agenda (repeated from page 6)
