Practical Path to VMware NSX
Nimish Desai - NSBU, VMware
Posted 19-Jun-2018

© Copyright 2017 Dell Inc.

Disclaimer

• This presentation may contain product features that are currently under development.

• This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.

• Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.

• Technical feasibility and market demand will affect final delivery.

• Pricing and packaging for any new technologies or features discussed or presented have not been determined.

Session Agenda


1 NSX introduction and use cases

2 NSX security and micro-segmentation

3 Automation with VMware NSX

4 Application continuity with NSX

5 NSX operations

6 Close

NSX is growing in momentum

• 2,400+ customers, 100% YoY growth

• Broad adoption: small, mid- and large enterprises across all verticals

• License bookings >50% YoY growth in Q4 (Q4 2016)

NSX customer use cases

• Security (inherently secure infrastructure): micro-segmentation, DMZ anywhere, secure end user

• Automation (apps at the speed of business): IT automating IT, multi-tenant infrastructure, developer cloud

• Application continuity (data center anywhere): disaster recovery, cross cloud, multi data center pooling

NSX vision

• Any application: traditional applications and cloud-native applications

• Any compute platform

• Any infrastructure: build-your-own, converged infrastructure, hyper-converged infrastructure

• Security, availability and connectivity delivered on the logical network

• Unified management and policy framework with ecosystem

NSX Architecture and Components

• Cloud consumption: self-service portal; vRealize Automation, OpenStack, vCloud Director, custom CMP

• Management plane: NSX Manager (single configuration portal, REST API entry-point) alongside vCenter Server

• Control plane: NSX Controller manages logical networks and runs the control plane protocol; control and data plane are separated, and the controller is not in the data path

• Data plane: hypervisor kernel modules on the VDS providing distributed services (logical switch, distributed logical router, distributed firewall); NSX Edge (high-performance data plane, scale-out distributed forwarding model, flexibility for connecting logical networks to physical); HW VTEP gateways into the physical network

Because NSX Manager is the single configuration portal and REST API entry-point, access to it (and to the vCenter it is paired with) is the control point for every logical switch, router and firewall rule below it; treat those credentials and that API endpoint accordingly.

How do I get started with NSX?

1. Learn about NSX

2. Start small and grow

3. Leverage best practices and validated designs

Start Small with Specific Use Case

• Single cluster with NSX: VDI micro-segmentation (security only, NSX Manager); DEV/QA services and security (ESG for LB and security); satellite/ROBO of one or two racks

• Then separate compute from a common edge and management cluster: multi-workload and VDI, multi-rack QA/DEV, grow to a large DC

(Diagrams: hosts 1 to 32 per cluster behind L2 and L3 boundaries with WAN/Internet uplinks; the second diagram splits Management & Edge clusters from the Compute cluster.)

Flexible, Scalable, Secure & Multi-use

Topology (diagram): external networks reached through ECMP Edges running dynamic routing (OSPF, BGP); a Distributed Logical Router carrying routed Web, App and DB logical switches (172.16.10.0/29, 172.16.10.8/29, 172.16.10.16/29); an in-line load balancer Edge with its own routed Web, App and DB segments (172.16.20.0/29, 172.16.20.8/29, 172.16.20.16/29); and an in-line LB Edge doing NAT, with a NATed Web segment (172.16.100.0/24) and private App and DB segments (172.16.101.0/24, 172.16.102.0/24).

• Flexibility: DLR, stand-alone, services and isolation; DLR for production workload; DevOps and QA isolation; per-app services

• Scalability: ECMP bandwidth as needed; Edge HA based on use case; in-line routed LB segment; in-line NAT and private segment

• Secure: DFW and Edge FW; multi-vendor integration

• Automation: blueprints and security; multi-use topology; automated DevOps segments; VDI segments; enterprise workload

NSX Reference Design 3.0 https://communities.vmware.com/docs/DOC-27683

2 NSX security and micro-segmentation

NSX customer use cases – Security: micro-segmentation, DMZ anywhere, secure end user

NSX Security Architecture Overview

Any app, any VM, anywhere: DFW, Service Composer, security groups, policy, ecosystem

Design and architectural benefits:

• Built-in, not bolt-on

• On-demand and dynamic security enforcement that follows the life cycle of resources

• Run-time redirection and insertion

• Topology independent, not tied to physical; DR and multi-site capable

• Platform ecosystems

• Protect, detect, inoculate: any application, any time, anywhere

NSX Micro-segmentation

• Isolation: no communication path between unrelated networks

• Segmentation: controlled communication path within a single network; each VM can now be its own perimeter; policies align with logical groups; prevents threats from spreading

• Advanced services: addition of third-party security from the NSX ecosystem, as needed by policy

• Compliance (PCI, HIPAA)

Securing east-west traffic within VDI environments

With VDI your data center has a much larger security surface area: the desktops sit inside the data center perimeter, so desktop-to-desktop (east-west) traffic never passes through the perimeter firewall that faces the Internet. (Diagram: Internet, data center perimeter, VDI desktops talking east-west.)

Doing this with physical security appliances is:

• High cost

• Hard to implement

• Complex to manage

NSX for VDI environments

• Desktop-to-desktop control

• Desktop-to-enterprise control

• Security services: agentless AV, NGFW, IPS

• Load balancing

• Edge firewall

• NAT

• VPN

• Elasticity to spin up new pools

• Capacity expansion

Secure DMZ

Delivering inherently secure infrastructure (diagram: Internet, data center perimeter, DMZ)

• Secure user environments

• Security policies simplified

• Logical groups enabled

• Threats contained

Business value: more secure, and 1/3 the cost of less secure infrastructure

Micro-segmentation simplifies network security

• Each VM can now be its own perimeter

• Policies align with logical groups

• Prevents threats from spreading

(Diagram: a perimeter firewall in front of the DMZ, App, Services and DB zones; an inside firewall in front of the shared services (AD, NTP, DHCP, DNS, CERT) and the Finance, Engineering and HR groups.)

Security Evaluation Workflow

Stages: identify group/apps/zone; decide default allow or deny, and log; shared services rules; on-board new apps; monitor logs to define and refine rules; E-W intra-app rules.

1. Prepare infrastructure for NSX

2. Create default rules to allow all and log traffic

3. Create shared services rules

4. On-board a new application or start with an existing application

5. Use the NSX toolset to dynamically determine the required ruleset: a) Syslog, b) IPFIX, c) vRealize Network Insight

6. Create E-W intra-application or intra-zone rules

7. Continue for other applications or workloads

The allow-all-and-log default in step 2 is a discovery posture, not an end state: once the flows observed in step 5 are covered by the explicit rules from steps 3 and 6, the default for that application or zone should be flipped to deny, which is the "default allow or deny" decision in the second stage.
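As an added worked example for step 5 (it is not NSX code or NSX output), the Python below turns distributed firewall packet logs into group-level candidate rules. The log lines, the IP-to-security-group inventory and the rule ids are constructed; the line layout is an assumption modelled on the NSX-v dfwpktlogs syslog format, so check the field positions against a real sample before pointing this at production syslog. What it shows beyond the list above: only hits on the allow-all-and-log default rule are unexplained traffic, each flow is logged twice (OUT at the source vNIC, IN at the destination vNIC) and must be de-duplicated before counting, and a flow whose endpoint belongs to no security group must not be turned into a rule automatically.

```python
import re
from collections import defaultdict

# Constructed inventory: which security group each workload IP belongs to.
# In NSX this comes from security tags and group membership, not a dict.
IP_TO_GROUP = {
    "172.16.10.11": "SG-Web",
    "172.16.10.12": "SG-Web",
    "172.16.10.19": "SG-App",
    "172.16.10.27": "SG-DB",
    "10.0.0.53": "SG-SharedServices",   # DNS
}

# Hypothetical rule ids: 1001 is the shared-services rule from step 3,
# 1003 is the "allow all and log" default from step 2. Only hits on the
# default rule are traffic the explicit ruleset does not yet explain.
DEFAULT_LOG_RULE = "1003"

# Constructed log lines. The layout is an assumption modelled on dfwpktlogs:
# "... <ACTION> <ruleset>/<ruleid> <IN|OUT> <len> <PROTO> <src>/<sport>-><dst>/<dport> ..."
SAMPLE_LOGS = """\
2017-04-11T22:17:02Z esx01 dfwpktlogs: 1Dd0Da INET match PASS domain-c7/1001 OUT 60 UDP 172.16.10.11/49152->10.0.0.53/53
2017-04-11T22:17:03Z esx01 dfwpktlogs: 1Dd0Da INET match PASS domain-c7/1003 OUT 60 TCP 172.16.10.11/49153->172.16.10.19/8443 S
2017-04-11T22:17:03Z esx01 dfwpktlogs: 1Dd0Da INET match PASS domain-c7/1003 OUT 60 TCP 172.16.10.12/49201->172.16.10.19/8443 S
2017-04-11T22:17:04Z esx02 dfwpktlogs: 1Dd0Db INET match PASS domain-c7/1003 OUT 60 TCP 172.16.10.19/51000->172.16.10.27/3306 S
2017-04-11T22:17:05Z esx02 dfwpktlogs: 1Dd0Db INET match PASS domain-c7/1003 OUT 60 TCP 172.16.10.19/51001->172.16.10.27/3306 S
2017-04-11T22:17:09Z esx02 dfwpktlogs: 1Dd0Db INET match PASS domain-c7/1003 IN 60 TCP 192.168.77.5/40000->172.16.10.27/22 S
2017-04-11T22:17:10Z esx01 dfwpktlogs: 1Dd0Da INET match PASS domain-c7/1003 IN 60 TCP 172.16.10.11/49153->172.16.10.19/8443 S
"""

LOG_RE = re.compile(
    r"dfwpktlogs: \S+ INET match (?P<action>\w+) \S+/(?P<rule>\d+) "
    r"(?P<dir>IN|OUT) \d+ (?P<proto>\w+) "
    r"(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+)"
)


def parse_flows(text):
    """Yield a dict per parsable dfwpktlogs line; unparsable lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            yield m.groupdict()


def candidate_rules(text, default_rule=DEFAULT_LOG_RULE):
    """Aggregate hits on the default log rule into group-level candidate rules.

    Returns (rules, unknown): rules maps (src_group, dst_group, proto, dport)
    to the number of distinct flows seen; unknown lists flows whose source or
    destination is in no security group (classify them, or treat as suspect).
    The DFW logs a flow at both vNICs (OUT at the source, IN at the destination),
    so flows are de-duplicated on the 5-tuple before counting.
    """
    rules = defaultdict(int)
    unknown = []
    seen = set()
    for f in parse_flows(text):
        if f["rule"] != default_rule:
            continue  # already covered by an explicit rule from step 3 or 6
        key = (f["src"], f["sport"], f["dst"], f["dport"], f["proto"])
        if key in seen:
            continue
        seen.add(key)
        src_g, dst_g = IP_TO_GROUP.get(f["src"]), IP_TO_GROUP.get(f["dst"])
        if src_g is None or dst_g is None:
            unknown.append((f["src"], f["dst"], f["proto"], int(f["dport"])))
            continue
        rules[(src_g, dst_g, f["proto"], int(f["dport"]))] += 1
    return dict(rules), unknown


def render_rules(rules):
    """Render candidate allow rules, most-observed first, then by name."""
    ordered = sorted(rules.items(), key=lambda kv: (-kv[1], kv[0]))
    return [f"allow {s} -> {d} {p}/{port}  ({n} distinct flows)"
            for (s, d, p, port), n in ordered]


if __name__ == "__main__":
    rules, unknown = candidate_rules(SAMPLE_LOGS)
    print("\n".join(render_rules(rules)))
    for flow in unknown:
        print("UNCLASSIFIED, do not auto-allow:", flow)
```

The emitted rules are then created in the DFW with the security group objects as source and destination rather than the IPs, so the rule keeps following the workload after a re-IP or a DR failover; the unclassified SSH flow from 192.168.77.5 into the DB group is exactly the kind of thing the log review is meant to surface rather than whitelist.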

Customer Story: Secure Datacenter connectivity

The problem statement (diagram: Internet; data center 1 perimeter and data center 2 perimeter, each containing Production, PCI, Non-production and Shared services behind a single perimeter)

CHALLENGES

1. Need to provide granular segmentation and reduce risk

2. Simplify access to shared services for new apps

3. Automate app deployment with security

NSX solution (diagram: the same two data centers, with Production, PCI, Non-production and Shared services now segmented from each other inside each perimeter)

IMPLEMENTATION

1. Start on existing brownfield network

2. Map environments to security groups

3. Security group for shared services

4. Leverage NSX security tagging to classify workloads

5. Simplify and automate by leveraging NSX Security Policy
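As an added example for implementation steps 2 to 5 (a model written for this page, not NSX code; the VM names, tags, group names and policy are constructed), the Python below resolves security group membership from security tags and evaluates a default-deny policy in terms of groups rather than IP addresses. It then shows the point the "tagging to classify workloads" step is about: adding a Quarantine tag to a compromised web server changes what the policy does to it immediately, without editing a rule or touching an IP.

```python
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass
class VM:
    name: str
    ip: str
    tags: Set[str] = field(default_factory=set)


@dataclass(frozen=True)
class Rule:
    src: str              # security group name, or "any"
    dst: str
    proto: str            # "TCP", "UDP" or "any"
    dport: Optional[int]  # None = any port
    action: str           # "allow" or "deny"


# Constructed security groups, each defined by the tags a VM must carry.
GROUP_CRITERIA = {
    "SG-Quarantine": {"Quarantine"},
    "SG-Shared-Services": {"env:shared"},
    "SG-PCI-Web": {"env:pci", "tier:web"},
    "SG-PCI-App": {"env:pci", "tier:app"},
    "SG-NonProd": {"env:nonprod"},
}


def members(vms, group):
    """Dynamic membership: resolved from tags every time it is asked for."""
    want = GROUP_CRITERIA[group]
    return {vm.name for vm in vms if want <= vm.tags}


def groups_of(vms, vm):
    return {g for g in GROUP_CRITERIA if vm.name in members(vms, g)}


# Constructed ordered policy: first match wins, last rule is the default deny.
POLICY = [
    Rule("SG-Quarantine", "any", "any", None, "deny"),
    Rule("any", "SG-Quarantine", "any", None, "deny"),
    Rule("any", "SG-Shared-Services", "UDP", 53, "allow"),
    Rule("any", "SG-Shared-Services", "UDP", 123, "allow"),
    Rule("SG-PCI-Web", "SG-PCI-App", "TCP", 8443, "allow"),
    Rule("any", "any", "any", None, "deny"),
]


def evaluate(vms, policy, src, dst, proto, dport):
    """Return (action, rule) for a flow, matching on group membership, not IPs."""
    src_groups, dst_groups = groups_of(vms, src), groups_of(vms, dst)
    for r in policy:
        if r.src != "any" and r.src not in src_groups:
            continue
        if r.dst != "any" and r.dst not in dst_groups:
            continue
        if r.proto != "any" and r.proto != proto:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action, r
    return "deny", None  # nothing matched: implicit default deny


def build_inventory():
    """Constructed workloads; tags are the only thing the policy looks at."""
    return [
        VM("web01", "172.16.10.11", {"env:pci", "tier:web"}),
        VM("app01", "172.16.10.19", {"env:pci", "tier:app"}),
        VM("dns01", "10.0.0.53", {"env:shared"}),
        VM("qa01", "172.16.100.5", {"env:nonprod"}),
    ]


def scenario():
    """Classify by tag, evaluate, then watch enforcement follow a re-tag."""
    vms = build_inventory()
    by = {v.name: v for v in vms}
    result = {
        "web_to_app": evaluate(vms, POLICY, by["web01"], by["app01"], "TCP", 8443)[0],
        "nonprod_to_pci_app": evaluate(vms, POLICY, by["qa01"], by["app01"], "TCP", 8443)[0],
        "nonprod_dns": evaluate(vms, POLICY, by["qa01"], by["dns01"], "UDP", 53)[0],
    }
    # Incident response: a security tag moves web01 into SG-Quarantine.
    # No rule changed and the VM keeps its IP, yet enforcement changes at once.
    by["web01"].tags.add("Quarantine")
    result["web_to_app_after_quarantine"] = evaluate(
        vms, POLICY, by["web01"], by["app01"], "TCP", 8443)[0]
    result["web_groups_after_quarantine"] = sorted(groups_of(vms, by["web01"]))
    return result


if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k}: {v}")
```

The ordering matters: the quarantine rules sit above every allow, so a quarantined VM that is still a member of SG-PCI-Web is denied even though an allow for that group exists lower down. That is how a Service Composer security policy applied to a quarantine group is meant to behave, and it is worth a test like the one above whenever the policy is changed.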

Security partners

NSX Customer References –Security

Tackle The Security Challenge Of Endpoints Without End

Learn How To Put Security At the Very Core of Your Organization With Secure Infrastructure

Hands on Labs: HOL-1703-SDC (NSX), 1723 (Palo Alto), 1724 (Check Point) and 1741 (Horizon VDI) https://HOL.VMWARE.COM

3 Automation with VMware NSX

NSX customer use cases – Automation: IT automating IT, multi-tenant infrastructure, developer cloud

Automating IT processes

Delivering IT at the speed of business: management APIs and UI; policies, groups and tags; switching; routing/NAT; load balancing; connectivity to physical networks; firewalling; VPN; data security; activity monitoring

Use cases: IT automating IT, multi-tenant infrastructure, developer cloud

Business value: reduce infrastructure provisioning time from weeks to minutes

Traditional infrastructure provisioning with networking

Days to weeks of wait, work, wait, wait: manual effort by NETOPS, SECOPS and the load balancer admin for each infrastructure service.

• Switch: connect Ethernet cables, configure switch ports, VLANs and access control lists, assign IP addresses

• Router: configure router interfaces to connect to switch ports, configure routing protocols

• Firewall: connect networks to firewall appliances, configure firewall rules based on physical constructs such as IP addresses and VLANs

• Load balancer: connect networks to load balancer appliances, create and populate the load balancer pool, assign a virtual IP address to the external interface

NSX IT automation capabilities

GUI, API and cloud management platform:

• UI and workflow-based consumption of networking and security

• Programmatic consumption

• Enables easy automation of both installation and deployment processes

• Networking and security deployment as part of application deployment

GitHub repo (PowerNSX): https://powernsx.github.io/ & https://github.com/vmware/powernsx

Customer Story: Automate IT Delivery

The problem statement (diagram: the line of business goes around internal IT and its physical devices to cloud services)

CHALLENGES

• Manual and labor intensive deployment of IT services

• Slow Day 2 operations

• Business works around IT with cloud services

• Inconsistent results

• Dissatisfied LoB users

Customer Story: Automate IT Delivery

NSX solution (diagram): with VMware ESX compute virtualization alone, automated application deployment still waits weeks or days on manual network configuration; adding VMware NSX network virtualization under vRealize Automation brings "zero touch" deployment in minutes.

BENEFITS

• Automated delivery of multi-tier applications, including the OS

• Security and consistency built into the provisioning process

• Improved service level for business users, avoiding shadow IT

Automation Topology

• Pre-created constructs: provider ECMP Edges for scale; a DLR for e.g. production traffic; all app segments can be dynamically created and attached to the DLR with a security group

• QA/DevOps topology: provider Edge HA; a common transit VXLAN segment; allows the provider Edge to live in the Edge cluster

• QA/DevOps tenant Edges and segments: reside in compute for growth and agility; NAT with in-line LB; create as many Edges with NAT as needed; no need to advertise the subnets of each NATed QA segment

(Diagram: ToR switches; ECMP Edges above a Distributed Logical Router with routed Web, App and DB logical switches at 172.16.10.0/29, 172.16.10.8/29 and 172.16.10.16/29; an Edge HA pair with routed Web, App and DB switches at 172.16.11.0/29, 172.16.11.8/29 and 172.16.11.16/29; and tenant Edges with in-line NAT, one also with in-line LB, fronting a NATed Web logical switch 172.16.100.0/24 and private App and DB switches 172.16.101.0/24 and 172.16.102.0/24.)

vRealize Automation and NSX Extensibility Kit https://communities.vmware.com/docs/DOC-30791

NSX Customer References –Automation

Enterprise Hybrid Cloud – Dell/ECM Converged Solution

Hands on Labs: HOL-1720-SDC and 1721 https://HOL.VMWARE.COM

4 Application continuity with NSX

NSX customer use cases – Application continuity: disaster recovery, cross cloud, multi data center pooling

Application continuity: delivering data center anywhere

• Disaster recovery (data center #1 to data center #2)

• Active-active

• Hybrid cloud networking (data center to cloud)

Business value: reduce RTO; a new availability model

Multisite networking and security (Cross-vCenter NSX)

(Diagram: Site-A with vCenter-A and NSX Primary, Site-B with vCenter-B and NSX Secondary, each on local storage, linked with < 150 ms latency and sharing a universal distributed logical router.)

A secure, highly available, distributed, virtualized resource pool across sites.

NSX-V Multi-site Options and Cross-VC NSX Design Guide https://communities.vmware.com/docs/DOC-32552

Cross Cloud Connectivity

Connect at layer 2 or layer 3: secure L2/L3 connectivity between the on-premises private cloud and VMware-based cloud providers, enabling hybrid cloud.

Customer Story: Simplified Disaster Recovery

The problem statement (diagram): primary site and recovery site, each with vSphere, a SAN and its own physical network infrastructure (10.0.10.0/24 at the primary site, 10.0.20.0/24 at the recovery site). Steps: 1 protect the VM; 2 replicate VM and storage (steps 1 and 2 e.g. with VMware SRM); 3 recover the VM; 4 change its IP address from 10.0.10.21 to 10.0.20.21 (or stretch L2) and reconfigure security and network services. Step 4 is the major RTO impact.

CHALLENGES

• Complex DR processes with manual, error-prone steps

• Overprovisioned capacity

• Lengthy RTO to recover applications

• No granularity for DR, all or nothing only

Customer Story: Simplified Disaster Recovery

NSX solution (diagram): the physical networks at the two sites stay different (10.0.20.0/24 and 10.0.30.0/24), but the same virtual network 10.0.10/24 exists at both, managed by NSX Manager (primary) and NSX Manager (secondary). Steps: 1 protect the VM; 2a replicate VM and storage (steps 1 and 2 e.g. with VMware SRM); 2b synchronize network and security; 3 recover the VM, which keeps 10.0.10.21 because the network and security already exist at the recovery site. Result: reduced RTO.

BENEFITS

• Consistent networking and security across sites

• VM mobility and granular disaster recovery

• Integration with Site Recovery Manager

• Significantly reduced complexity

Disaster Recovery with NSX and SRM https://communities.vmware.com/docs/DOC-31692

Dell EMC Enterprise Hybrid Cloud 4.1.1 platform

• Cloud management & operations: self-service portal with a catalog, orchestration engine, operations management and cost transparency

• Software-defined infrastructure: elastic, automated and software-controlled infrastructure

• Dell EMC converged and hyper-converged infrastructure: factory-integrated data center building blocks

• Engineered modular add-ons (pre-packaged options maintained and supported with the platform): backup protection, continuous availability, disaster recovery, VMware Integrated OpenStack, VMware vRealize Code Stream, encryption services, multi-site management (some marked future)

• Co-existing solutions: Microsoft apps, Oracle DBaaS, SAP / SAP HANA

• Integrations: customized extensions implemented in the field; public cloud IaaS providers

• Professional services: pre-packaged services portfolio across prepare, deploy, extend and manage

• More coming

NSX References –App Continuity

Hands on Labs: HOL-SDC-1705 and 1725 https://HOL.VMWARE.COM

5 NSX operations

• Best practices and guidance based on production customers

• Not complicated, minimal changes, and a clear path for success

• More than 850 enterprises have operationalized NSX

The maturity model: the path to the vision

• People: organization (structure) and roles & responsibilities move from siloed specialization to blended cross-domain and discipline

• Process: processes and tooling move from manual, legacy to automated, modern

• Architecture: infrastructure moves from 3-tier physical to leaf-spine fabric, virtual

Networking and Security Operations Requirements

Monitoring, troubleshooting, change and audit management, capacity management

NSX Operation Guide https://communities.vmware.com/docs/DOC-30079

NSX Provides Highest Level of Visibility

• Native capabilities: NSX API, Syslog, IPFIX, port mirroring, SNMP, Traceflow, and more

• Integration with VMware tools: vRealize Network Insight (formerly Arkin) for P+V topologies, impact analysis, tunnel visibility, bandwidth utilization, distributed monitoring and application performance monitoring; Log Insight with the NSX Content Pack for SDDC event correlation, alerting, centralized logging and per-service dashboards

• Integration with partner ecosystem: log monitoring and analytics

6 Close

NSX is Mainstream

• IT automation, private cloud: reduce infrastructure provisioning time from weeks to minutes

• Security, micro-segmentation: secure infrastructure at 1/3 of the cost

• Application continuity, disaster recovery: reduce RTO by 50%

Next steps on the path to NSX

1. Learn about NSX: understand your key challenges and how NSX can help; define requirements for your solution; try NSX out with HOL

2. Start small and grow: start with a small project and add functionality in phases; brownfield vs greenfield; NSX implementation can begin at an environment or cluster level; define the operational model

3. Leverage validated designs: NSX design guides, VVD, EHC, partners; engage the VMUG NSX community

NSX Vision

Managing security and connectivity for many heterogeneous end points: new app frameworks, branch offices / edge computing / IoT, end users, on-prem, bare metal, cloud (vCloud Air Network)

Where to get started

Learn

• Join the NSX VMUG Community: vmug.com/nsx

• NSX product page & technical resources: vmware.com/products/nsx

• Network Virtualization blog: blogs.vmware.com/networkvirtualization

• VMware NSX on YouTube: youtube.com/user/vmwarensx

Experience

• Visit the VMware booth: use case demos, chat with an SDDC expert

• Test drive NSX with free Hands-on Labs, expert-led or self-paced: labs.hol.vmware.com

• Join the VMUG Advantage Program for access to a 1-year NSX eval and exclusive trainings and certs: vmug.com/VMUG-Join/VMUG-Advantage

Use

• NSX Proactive Support Service: optimize performance based on data monitoring and analytics to help resolve problems, mitigate risk and improve operational efficiency. vmware.com/consulting

Take

• Training and certification: several paths to professional certifications. Learn more at the Education & Certification Lounge. vmware.com/go/nsxtraining

Questions?