Transcript of LHC2103BU NSX and VMware Cloud on AWS: Deep Dive
Ray Budavari, Senior Staff Technical Product Manager, NSX (@rbudavari)
LHC2103BU
#VMworld #LHC2103BU
NSX and VMware Cloud on AWS: Deep Dive
VMworld 2017 Content: Not for publication or distribution
Disclaimer
• This presentation may contain product features that are currently under development.
• This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.
• Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.
• Technical feasibility and market demand will affect final delivery.
• Pricing and packaging for any new technologies or features discussed or presented have not been determined.
#LHC2103BU CONFIDENTIAL 2
Session Objectives – NSX and VMware Cloud on AWS: Deep Dive
• Cover technical details on how networking and security are implemented in VMware Cloud on AWS
– Including all the gory details ☺
• Learn about how NSX is foundational in enabling the VMC service
– Because everything interesting happens in networking and security ☺
• Allow me to share what I’ve been working on ☺
• Complement other VMC on AWS VMworld sessions:
– LHC2384BU: VMware Cloud on AWS A Technical Deep Dive
– LHC2105BU: NSX and VMware Cloud on AWS: The Path to Hybrid Cloud
Agenda – NSX and VMware Cloud on AWS: Deep Dive
1 VMware Cloud on AWS Overview
2 NSX in VMware Cloud on AWS
3 User Experience Walkthrough
4 Technical Deep Dive: Initial Availability
5 Technical Deep Dive: Future Releases
6 Q&A
VMware Cloud on AWS – Enabling Hybrid Cloud
• Leading compute, storage and network virtualization capabilities
• Support for broad range of workloads
• De-facto standard for the enterprise DC
• Flexible consumption economics
• Broadest set of cloud services
• Global scale and reach
VMware Cloud on AWS – VMware vSphere-based service running on the AWS Cloud
(Diagram: the Customer Data Center, running vCenter, vSphere, vSAN, NSX, Operational Management, vRealize Suite, vSphere Integrated Containers and the ISV Ecosystem, is linked to VMware Cloud on AWS, which runs vCenter, vSphere, vSAN and NSX on the AWS Global Infrastructure alongside native AWS services such as Amazon EC2, Amazon S3, Amazon RDS, AWS Direct Connect, AWS IAM and AWS IoT.)
• ESXi on Dedicated Hardware
• Support for VMs and Containers
• vSAN on Flash and EBS Storage
• Replication and DR Orchestration
• Advanced Networking & Security Services
• NSX Spanning on-premises and Cloud
Key Use Cases for VMware Cloud on AWS
NSX is essential for all these use cases
• Scenario 1: Maintain and Expand – maintain the Private Cloud, expand into the Public Cloud
• Scenario 2: Consolidate and Migrate – consolidate the Private Cloud, migrate to the Public Cloud
• Scenario 3: Workload Flexibility – flex as needed
NSX in VMware Cloud on AWS – Networking and Security Details
NSX ENABLES ALL NETWORKING IN VMC
(Diagram: VMware NSX provides the NSX Services – Logical switching, Logical routing, Firewalling and security – on top of EC2 & VPC Networking.)
NSX in VMC on AWS Introduction
▪ All VM networking in VMware Cloud on AWS is provided by NSX
▪ Provides compatibility with NSX and vSphere products used on-premises
▪ Jointly engineered solution between VMware and Amazon
▪ Delivered using an ‘as a service’ cloud model
VMC Consumption Models for Networking and Security
Simplified Mode (IA) – consumed via the VMC Web Console and vSphere Web Client:
• Networking Consumption with vSphere Web Client and VMC Console
• Customers who may not be using full VMware Stack (vSphere only)
• Public Cloud like consumption experience
• Basic Networking and Security: NAT, Firewall, VPN, Gateway Management
Advanced Mode (Future Release) – consumed via NSX Manager and vSphere Web Client:
• VMC Networking Consumption via NSX
• Full VMware Stack
• Multiple Admin Roles in the Org
• Flexibility of Public Cloud with familiarity and consistency of VMware SDDC
• Advanced Networking and Security: Distributed FW, Load Balancing, Service Insertion, Cross-VC
VMware Cloud on AWS does not have a dependency on NSX in the on-premises environment, but NSX in both sites will provide enhanced capabilities
Simplified Mode Consumption – Initial Availability
Roles: Cloud Networking Admin (VMC Web Console) and VI Admin (vSphere Web Client), both consuming VMware Cloud on AWS (vSphere, vSAN, NSX, vCenter)
• Auto-deploy and provision the VMC infrastructure resources via predefined VMC Portal workflows
• Setup of initial networks and admin access granted to vCenter
• Deploy a prescriptive network topology
• Establish predefined VPN connectivity
• Provide inbound access to workload VMs
• Control firewall access to workload VMs
• Consume pre-created VMC network services
• Deploy workload VMs
• Attach workload VMs to networks
• Create new networks
• Manage IP addressing for workload VMs
Advanced Mode Consumption – Future Release
Roles: Networking Admin (NSX Manager, Full NSX UI) and VI Admin / Cloud Admin (vSphere Web Client, vSphere API), both consuming VMware Cloud on AWS (vSphere, vSAN, NSX, vCenter)
• Provision network and security for custom data centers
• Define and establish VPN connectivity with on-premises locations
• Define security groups and policies for workload VMs
• Add, modify, or delete network topologies
• Advanced NSX use cases: Distributed firewalls, load balancing, routing, etc.
• Deploy workload VMs
• Attach workload VMs to networks created by NSX admins
• Manage IP addressing for workload VMs
VMC Networking and Security Access Model
▪ VMC is a VMware Managed Service
▪ VMware manages hypervisor and management components
▪ Customer manages VMs
▪ NSX access in Simplified consumption mode provides:
▪ Networking and Security workflows available in the VMC Console
▪ Ability to create, update, delete logical networks via vCenter Server
▪ Advanced mode will provide full NSX access in a future release
▪ There will still be restrictions on admin/infrastructure level operations
▪ All VMC users will start in Simplified Mode
User Experience – VMware Cloud on AWS Networking and Security Walkthrough
Initial Availability – VMware Cloud on AWS Networking and Security
VMware Cloud on AWS – Default Networking Topology
(Diagram of the VMC SDDC: the Management Infrastructure sits behind a Management GW (NAT, FW, VPN, DNS); workloads on logical networks (Default 192.168.1.0/24, Custom 10.1.1.0/24, Custom 10.1.2.0/24, Custom 10.1.3.0/24) sit behind a DLR and a Compute GW (NAT, FW, VPN, DHCP, DNS); both gateways reach the Internet GW through the AWS Network for N-S External Traffic. Blue = N-S, Red = E-W.)
NSX Implementation Details
• vSphere Distributed Switch provides connectivity to the AWS physical network
• NSX components such as Manager, Controller and Edges are deployed into the Management resource pool
• Management Gateway (MGW) = NSX Edge for Management components
• Compute Gateway (CGW) = NSX Edge and DLR for customer VMs
– A default logical network with SNAT and DHCP enabled is provisioned
– Single CGW supported in Simplified Mode
• Firewall Rules are set to Default Deny
• NSX Edge High Availability is enabled
• NSX Edges are sized Large by default
VMware Cloud on AWS – Management Networking Overview
(Diagram: the VMC on AWS ESXi Cluster carries VMkernel Management, vMotion, VXLAN and VSAN VLANs plus a VM Management VLAN hosting vCenter Server, NSX Manager and NSX Controllers 1, 2 and 3; the Management Infrastructure connects through the Management Gateway and the AWS VPC Router to the Internet GW on the AWS Network for External Traffic.)
vSphere Networking on AWS Infrastructure
(Diagram: ESXi Hosts (bare metal) running VMs on VMware Networks. Each host has VMkernel interfaces vmk0–vmk3 for Mgmt, vMotion, VSAN and VXLAN (VTEP), on multiple subnets (10.100.1.0/24, 10.101.1.0/24, 10.102.1.0/24, 10.103.1.0/24) and multiple ENIs/VLANs (VLAN Native, ENI1 through VLAN5, ENI6, including Mgmt and Public) carried as a VLAN Trunk on the ENA, with MTU 1600+.)
VMware Cloud on AWS Networking setup is automated as part of infrastructure provisioning
VMC Connectivity Details
▪ Workload VMs
▪ Use NSX for all networking and security and are decoupled from VPC Networking
▪ ESXi VMkernel interfaces use ENIs (Elastic Network Interfaces) on the VPC network
▪ However, there are limitations with connecting Management & Edge VMs directly to VPC networks
▪ Solution is to use NSX (of course ☺)
▪ AWS VPC Networking is used to provide external connectivity only:
▪ Internet Gateway
▪ Customer VPC access
▪ Direct Connect in future releases
VMC Connectivity Deep Dive
(Diagram of one ESXi Host, repeated on each host in the Cluster: the VDS carries one dvportgroup per VMkernel interface, and each is backed by its own ENI on the VMC on AWS VPC via the pnic (ENA device).
• vmk0 – Host Mgmt dvportgroup (VLAN 0): 10.0.128.5/17, GW .128.1; default ENI (device id:0) 10.0.128.5/21
• vmk1 – vMotion dvportgroup (VLAN 1): 10.0.136.5/17, GW .128.1; ENI-vmotion (device id:1) 10.0.136.5/21
• vmk2 – VSAN dvportgroup (VLAN 2): 10.0.144.5/17, GW .128.1; ENI-vsan (device id:2) 10.0.144.5/21
• vmk3 – VTEP dvportgroup (VLAN 3): 10.0.152.5/17, GW .128.1; ENI-nsx (device id:3) 10.0.152.5/21
• ENI-m (device id:4) 10.0.160.5/21, VLAN 4: hDLR-m LIF1 10.0.160.5 on the Management Subnet (10.0.128.0/17 – Router: 10.0.128.1)
• ENI-p (device id:5) 10.0.0.5/20, VLAN 5: hDLR-p LIF1 10.0.0.5 on the Public Subnet (10.0.0.0/20 – Router: 10.0.0.1), with the AWS Network 0/0 route to the Internet or VPN GW
• Management dvportgroup (VLAN 101) 10.0.224.0/19 – GW .224.1 (hDLR-m LIF2 10.0.224.1): vCenter 10.0.224.8, NSX Mgr 10.0.224.9, Management Gateway .224.2
• public dvportgroup (VLAN 100) 10.0.192.0/19 – GW .192.1 (hDLR-p LIF2 10.0.192.1): Management Gateway .218.2, Compute Gateway .218.3
• VMC Agent on the host: on Mgt VM Add/Move (VMCI callout) it Adds/Removes routes on the DLR and Adds/Moves the Secondary IP via the AWS API.)
IA – Internet and L3VPN Connectivity
(Diagram: the Customer DC, with On-Prem Gateway, On-Prem Management and On-Prem Workloads (existing VMs and management on-premises), connects over the Internet to the Software Defined Data Center (SDDC) in VMware Cloud on AWS. The SDDC Internet GW fronts the Management GW (NAT, FW, VPN) for the Management Network and the Compute GW (NAT, FW, VPN, DHCP) with a DLR for the compute networks 192.168.10.0/24 and 192.168.20.0/24; Management Traffic and Compute Traffic are shown as separate flows. IPsec VPN – L3 – Compute: VPN connectivity using NSX ESG (route selected networks or all traffic to on-premises over the VPN tunnel).)
VMC VPN Connectivity Details
25
▪ VMC Console provides streamlined VPN configuration
▪ Policy Based VPN from NSX Edge
▪ IPsec VPN – standards based interoperable with all compliant devices
▪ Enables choice of on-premises gateway
VPN Connectivity Details
▪ VMC Supported IPsec VPN Parameters at IA
▪ Settings in Bold are configurable, while others are hard coded
Phase 1 Settings:
– IKEv1
– Main mode
– AES-256
– Diffie-Hellman Group 2
– SHA-1
– Pre-shared secret
– SA lifetime of 28800 seconds (eight hours)
Phase 2 Settings:
– AES-256
– Diffie-Hellman Group 2
– SHA-1
– SA lifetime of 3600 seconds (one hour)
– Perfect forward secrecy (PFS) Enabled
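The following Python is an added example, not code from the slides or from VMware: it checks an on-premises gateway's Phase 1 and Phase 2 settings against the fixed VMC IA parameter set in the table and reports every mismatch, so the on-premises side can be aligned before the tunnel is brought up. It assumes strongSwan-style proposal strings (for example aes256-sha1-modp1024) as the input format; the token tables and the parse_proposal/check_peer names are the example's own.

```python
# Added example (not VMware's code): check an on-premises IPsec peer's settings
# against the fixed VMC Initial Availability parameters listed above. Input format
# assumed: strongSwan-style proposal strings such as "aes256-sha1-modp1024".

# Phase 1 / Phase 2 parameters exactly as listed on the slide.
VMC_IA_PHASE1 = {"ike": "IKEv1", "mode": "main", "auth": "psk", "enc": "AES-256",
                 "integ": "SHA-1", "dh": 2, "lifetime": 28800}
VMC_IA_PHASE2 = {"enc": "AES-256", "integ": "SHA-1", "dh": 2, "lifetime": 3600,
                 "pfs": True}

# This example's own mapping from proposal tokens to the slide's vocabulary.
ENC = {"aes256": "AES-256", "aes128": "AES-128", "3des": "3DES"}
INTEG = {"sha1": "SHA-1", "sha256": "SHA-256", "md5": "MD5"}
DH = {"modp768": 1, "modp1024": 2, "modp1536": 5, "modp2048": 14}  # group 2 = 1024-bit MODP

def parse_proposal(spec):
    """Parse 'enc-integ[-dhgroup]'; a missing DH group on Phase 2 means no PFS."""
    parts = spec.lower().split("-")
    if len(parts) < 2:
        raise ValueError("proposal %r needs at least enc-integ" % spec)
    out = {"enc": ENC.get(parts[0], parts[0].upper()),
           "integ": INTEG.get(parts[1], parts[1].upper())}
    if len(parts) > 2:
        out["dh"] = DH.get(parts[2], parts[2])
        out["pfs"] = True
    else:
        out["dh"] = None
        out["pfs"] = False
    return out

def check_peer(ike_version, aggressive, auth, ike_spec, ike_lifetime,
               esp_spec, esp_lifetime):
    """Return mismatches as 'phase.key: ...' strings; empty means interoperable."""
    p1 = parse_proposal(ike_spec)
    p1.update({"ike": ike_version, "mode": "aggressive" if aggressive else "main",
               "auth": auth, "lifetime": ike_lifetime})
    p2 = parse_proposal(esp_spec)
    p2["lifetime"] = esp_lifetime
    problems = []
    for phase, want, have in (("phase1", VMC_IA_PHASE1, p1),
                              ("phase2", VMC_IA_PHASE2, p2)):
        for key, expected in want.items():
            if have.get(key) != expected:
                problems.append("%s.%s: peer has %r, VMC IA requires %r"
                                % (phase, key, have.get(key), expected))
    return problems

if __name__ == "__main__":
    # Constructed sample: a peer defaulting to IKEv2, SHA-256, DH group 14 and
    # no Phase 2 PFS; every difference is reported so the peer can be aligned.
    for line in check_peer("IKEv2", False, "psk", "aes256-sha256-modp2048", 28800,
                           "aes256-sha1", 3600):
        print(line)
```

Because the VMC side is hard coded, a peer offering a stronger group than Diffie-Hellman Group 2 (1024-bit MODP) is reported as a mismatch rather than negotiated down, which is the behaviour to plan for when configuring the on-premises gateway.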
VMC and AWS Services
▪ VMware Cloud on AWS provides access to AWS services within the region of deployment
▪ By default access to AWS Services from VMC VMs will be via the Internet (using AWS IGW)
▪ Provides a base level of capability
▪ Bandwidth limits for IGW do apply
▪ Customer VPC access (using VMware Cloud Endpoint)
▪ Provides higher bandwidth connectivity to selected AWS Services
▪ Requires an existing customer VPC
▪ Direct Connect is planned in Future Releases
(Diagram: Access to AWS Services – Amazon EC2, Amazon S3, Amazon RDS, AWS Direct Connect, AWS IAM, AWS IoT, and others.)
IA – Optimized Connectivity to Native AWS Services
Direct Connectivity from VMC to Customer VPCs (without VPC Peering)
(Diagram: in the Software Defined Data Center (SDDC) in VMware Cloud on AWS, the Compute Gateway and the Distributed Router (DLR, VNI 5000 and VNI 5001) use an ENI from the Customer VPC to form an East-West Connection into the customer's VPC subnets, reaching EC2 Instances, Private AWS services or VPC Endpoints (Amazon S3) in the customer's existing VPC; the NSX route table and the VPC route table carry the prefixes 192.168.0.0, 192.168.1.0, 192.168.2.0 and 172.16.0.0, 172.16.1.0, 172.16.2.0; each side keeps its own Internet GW, and the East-West path is the Optimized Traffic Flow.)
VMC and AWS Services Details
▪ What actually happens during the Account Connection Process?
▪ Step 1 – At SDDC Deployment time, connect to your AWS account
▪ Step 2 – Run the VMC CloudFormation Template
▪ Step 3 – Select Discovered VPC and Subnet; create ENIs to enable the optimized connectivity
▪ Step 4 – SDDC is provisioned and connected to your VPC; details of the connected VPC are available under CGW
▪ Step 5 – Routing Tables are updated to enable connectivity
▪ Step 6 – Firewalling for traffic to/from Customer VPC within VMC
Future Releases – VMware Cloud on AWS Networking and Security
Future – L2VPN Connectivity
L2VPN for Hybrid use cases (with or without NSX on premises)
(Diagram: existing VMs and management on-premises on VLAN 10 and VLAN 20, behind an On-Prem Gateway and an L2VPN Edge, are extended at L2 over the Internet to the Software Defined Data Center (SDDC) in VMware Cloud on AWS, where the Internet GW fronts the Management GW (NAT, FW, VPN) for the Management Network and the Compute GW (NAT, FW, VPN, DHCP) with a DLR for 192.168.10.0/24 and 192.168.20.0/24; Management Traffic and L2VPN – Compute traffic are shown as separate flows; a Customer VPC is also shown.)
Future – AWS Direct Connect
Direct Connect for high bandwidth connectivity to on-premises from the customer's VMC CDC
(Diagram: the Customer DC (On-Prem Gateway, On-Prem Management, VLAN 10 and VLAN 20) connects over AWS Direct Connect (L3, up to 10Gbps) to an AWS VGW. A Private VIF reaches the Software Defined Data Center (SDDC) in VMware Cloud on AWS (Edge Gateway, Distributed Router/DLR with VNI 5000 and VNI 5001, VLAN to VXLAN) for Compute Traffic; a second Private VIF reaches the Customer VPC (EC2 & RDS Instances) through its own AWS VGW; a Public VIF reaches AWS Services such as Amazon RDS, AWS Lambda, Amazon S3, CloudFront, etc.)
Future – Advanced Network and Security features
Advanced NSX feature set available in VMC
- DFW (FW Ruleset and Service composer)
- Load Balancing (one arm and inline)
- Flexible Network Topologies
(Diagram: the Customer Data Center (On-Prem Gateway, On-Prem Management, existing VMs and management components on VLAN 10 and VLAN 20) connects via the AWS GW to the Software Defined Data Center (SDDC) in VMware Cloud on AWS, where a Default CGW and a Custom CGW front VXLAN networks behind a Distributed Router, with DFW and LB shown as NSX Services and Internet access through the gateways.)
Future – Partner Service Integration
Partner Service Integration through NetX and EPSec
• Partner components on overlay network
• Connectivity to vCenter and NSX Manager
• Re-direct rules to partner SVMs
(Diagram: the Customer Data Center (On-Prem Gateway, On-Prem Management, existing VMs and management components on VLAN 10 and VLAN 20) connects via the AWS GW to the Software Defined Data Center (SDDC) in VMware Cloud on AWS; the MGW carries Management Traffic and the CGW carries Compute N-S Traffic to the Internet; a Distributed Router connects the Default LS and a 3rd Party LS; Service Insertion places a Partner SVM on each host alongside the ESXi Network and Host components (Mgt/vMotion/VXLAN/VSAN VMKNICs), managed from a Partner Management Console.)
Future – Cross-VC NSX
• NSX both on-premises and in VMC enabling Cross-VC NSX services
• All Local and Universal NSX capabilities available
• VM Mobility
• Full Multi-Site and DR
• Centralized Management
(Diagram: the Customer DC and the Software Defined Data Center (SDDC) in VMware Cloud on AWS each have an Edge Gateway behind an Internet GW (or DX) and local NSX Services; a Universal Distributed Logical Router (UDLR) and a Universal Logical Switch (VNI 9001 on both sites) span the two sites, with Sec-Group-1 on VNI 5001 and Sec-Group-2 on VNI 6002 local to one site and Sec-Group-3 present on both.)
VMware Cloud on AWS and NSX – Summary
• VMware Cloud on AWS is a major initiative for VMware
• VMC is designed to support all of VMware’s existing customers
• Extends key SDDC capabilities to Public Cloud:
– Centralized Management
– Enterprise grade Security
– Consistent operational model
– Cross-VC vMotion for VM Mobility
– DR/Multi-Site as a Service
– Compatibility with Automation tools
VMware Cloud on AWS User Experience
▪ NSX is front and center in VMware Cloud on AWS Portal
▪ Network Dashboard provides a view of NSX components and connectivity