NET1338BE VMware Integrated OpenStack and NSX Integration ... · Andrew Pearce - NSX Technology...
Andrew Pearce - NSX Technology Practice
Gary Kotton - Lead Developer for Neutron
NET1338BE
#VMworld #NET1338BE
VMware Integrated OpenStack and NSX Integration Deep Dive
VMworld 2017 Content: Not for publication or distribution
Disclaimer
• This presentation may contain product features that are currently under development.
• This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.
• Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.
• Technical feasibility and market demand will affect final delivery.
• Pricing and packaging for any new technologies or features discussed or presented have not been determined.
2#NET1338BE CONFIDENTIAL
Outline of presentation (TBC - Thursday @ 1:30pm)
What do we want to cover and what order do we want to do it in?
Session ID: NET1338BE
Title: VMware Integrated OpenStack and NSX Integration Deep Dive
Abstract: OpenStack offers a very comprehensive set of Network and Security workflows provided by a core project called Neutron. Neutron can leverage VMware NSX as a backend to bring advanced services to the applications owned by OpenStack. In this session we will cover the use cases for Neutron, and the various topologies available in OpenStack with NSX, with a focus on security. We will walk you through a number of design considerations leveraging Neutron Security Groups and the NSX Stateful Distributed Firewall Integration, along with Service Chaining in NSX for Next Generation Security Integration, all available today.
Content to include: NSXv Neutron support for policy, admin rules and better service isolation
Session Type: Breakout Session
Track: Modernize the Data Center
Subtrack: Networking and Security
Product and Topics: Integrated OpenStack, NSX, OpenStack, vCenter, vSphere
Market Segment: No Specific Segment
Session Audience: IT – Telecom
Speaker Info: Gary Kotton, VMware; Andrew Pearce, VMware
20 Min Review with Malery Lassen
Objectives for your session; what will the audience learn?
That NSX can integrate with VIO and other OpenStack distros
Content outline
What can be achieved through the Neutron integration:
Micro segmentation
Policy
Admin rules
FWaaS
Future work – policy engine…
Demos – how many? Which ones?
A pre-recorded video highlighting the OpenStack API being used to create network and security functions/features in NSX-V
Customer inclusion – do you have any customers? If not, are you looking for any (we can help ☺)?
No customer
We know that your time is valuable so we’re going to make these review sessions as impactful as possible. By joining you help ensure that messaging to customers at VMworld is cohesive across all sessions and that we are presenting the strongest message possible.
Andrew
• You can use HOL 1820 – Tom Schwaller is doing the HOL
IaaS Options From VMware
Consistent Virtual Infrastructure: vSphere, NSX, VSAN
vRealize Automation: Basic IaaS & Virtual Infra Consumption; Compliance & Governance; Service Catalog; Chargeback; Configuration and Change Management; App Lifecycle Management; Policies; Orchestration; External Cloud Connector (AWS Cloud)
Simple IaaS (Developer Owned Toolsets or 3rd Party Tool): Vendor Neutral APIs (Nova, Neutron, Cinder); “Restrictions with Quotas”
▪ vRealize Suite is a complete Cloud Management Platform
▪ OpenStack delivers APIs to consume infrastructure
▪ Additional CMP components needed for Governance
NSX OpenStack EcoSystem
The NSX Networking and Security Platform
Open Source
VIO, HPE, Mirantis, Redhat, Suse
ESXi 6, ESXi 6.5
RHEL 7.1, RHEL 7.2
Ubuntu 14.04, Ubuntu 16.04
OpenStack + NSX - High Level Architecture
Cloud Consumption
▪ OpenStack Neutron
Data Plane: ESXi Hypervisor Kernel Modules (Distributed Services: Distributed Firewall, Distributed Logical Router, Logical Switch, Edge)
▪ High-Performance Data Plane
▪ Scale-out Distributed Forwarding Model
▪ Physical integration with NSX Edge and/or 3rd party ToR switch
Management Plane: NSX Manager
▪ Single configuration portal
▪ REST API entry-point
▪ Stateless
Control Plane: NSX Controller
▪ Manages Logical networks
▪ Control-Plane Protocol
▪ Separation of Control and Data Plane
▪ Stateful
VIO – VMware’s OpenStack Distro
Simplify OpenStack Operations
VMware SDDC (vSphere, NSX, VSAN, vROps, LI…)
OpenStack Value: Standard, Production Ready & Fully Supported OpenStack
Battle-tested Infrastructure & Operations
Differentiated Features
What is Neutron
• OpenStack Networking (neutron) manages all networking facets for the Virtual Networking Infrastructure (VNI) and the access layer aspects of the Physical Networking Infrastructure (PNI) in your OpenStack environment. OpenStack Networking enables projects to create advanced virtual network topologies which may include services such as a firewall, a load balancer, and a virtual private network (VPN).
• Networking provides networks, subnets, and routers as object abstractions. Each abstraction has functionality that mimics its physical counterpart: networks contain subnets, and routers route traffic between different subnets and networks.
NSX OpenStack Security Integrations
NSX OpenStack Security Integration
• Micro-segmentation
• Admin Rules
• Policy
• FWaaS
• Port Security / Spoof Guard
• Scale out control plane
• Scale out Edge Cluster
• Virtual Machine and Container Hosts
• Distributed L3 at scale
• Scale decoupled from vCenter
• Intel DPDK Edge: Line Rate Packet Performance
• L2 and L3 Redundancy: redundant control plane and data plane
• ESXi & KVM (RHEL & Ubuntu)
• Independent NSX GUI
• Multi-vCenter
What is NSX Microsegmentation?
Figure: Web / App / DB tiers
Alignment of Policy Controls: Security and networking policy that travels with the workload independent of physical network topology
Granular Policy Enforcement: Enabling least privilege security with policy enforced at every workload
Microsegmentation with Provider Networks using NSX
▪ Traditionally, network security has been enforced at the network perimeter, where a layer 3 boundary exists (firewall, router).
▪ Neutron Security Groups and Neutron Port Security provide vNIC-level security protection.
Perimeter firewall:
▪ Perimeter firewall cannot protect what it cannot see
▪ Traffic must be steered to the security appliance
▪ Firewall policy controlled by security admin
With NSX:
▪ No traffic steering required
▪ vNIC-level stateful FW protection
▪ If using NSX, global security policy is controlled by the security admin (Neutron Admin Rules): https://review.openstack.org/#/c/200847
Figure: Neutron Security Group 1, Neutron Security Group 2 and Neutron Security Group 3, each with its own controlled path
NSXv Policy
“As a NSX Admin I want the ability to define security policy in NSX which is then consumed by the Cloud User so that the Cloud User can secure their application. However, I don’t want the Cloud User to be able to set their own security policy or security rules as it is my firm’s policy to have only administrative staff set security policy and security rules.”
User Story
• The NSX admin creates security policies (under NSX -> Service Composer -> Security Policies) with firewall rules, service insertion, etc. for each tenant (or group of tenants)
• The cloud admin defines one of those policies as the default for new tenants (in the nsx.ini file)
• In addition the cloud admin can define some policies as mandatory for some tenants, and other policies as optional for some tenants
• New VMs of this tenant will belong to the default policy automatically, and also get all the mandatory policies
• Each policy can be used for multiple tenants, and also for multiple security groups of the same tenant
• In addition, there will be an option (disabled by default) to allow the tenants to add their own rules in their security groups (which will be evaluated after the policies)
Workflow
• The NSX admin user will create some NSX policies
• The cloud admin user updates the nsx.ini file to enable this feature, chooses one of the policies as the default, sets it in nsx.ini, and restarts neutron:
  [nsxv]
  use_nsx_policies = True
  default_policy_id = policy-6
  allow_tenant_rules_with_policy = True / False
Workflow cont.
• Now there will be 4 types of security groups for each tenant:
– Default security group using the policy id from nsx.ini (the cloud admin can change it to another policy or multiple policies)
– Provider security group with a policy, added automatically to each compute port (the tenant cannot remove it from the port)
– Optional security group with a policy, added manually to each compute port (the tenant can choose which groups to use for each port)
– If allow_tenant_rules_with_policy is True, the tenant can also create regular security groups with rules and attach them to ports in addition.
• The cloud admin user will use OpenStack (or VIO) to create/update the policy security groups per tenant, to use a specific policy:
  neutron security-group-create/update --policy=<nsx-policy-id> <neutron-sec-group-id>
Workflow cont.
• When this is done, the plugin will create an NSX security group which is applied to this policy, and save it in the DB security group mapping (like a regular security group). Looking at vSphere, you can see it on the Policy Security Groups tab.
Workflow cont.
• When a VM is booted, the default security group (which now uses the policy) or a specific security group will be used as usual. In addition, the provider security groups of this tenant will also be used (mandatory; they cannot be removed).
• In the OpenStack API, the user can see that a specific VM port is assigned to one or more security groups, and can see that a specific security group is assigned to a policy.
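To make the four group types concrete, here is an added Python model (not the NSX plugin's own code) of which groups and NSX policies a new compute port ends up with under the nsx.ini keys from the workflow. The group catalogue, the policy ids and the tenant's requests are constructed samples, and the model assumes use_nsx_policies is True.

```python
import configparser

# Constructed nsx.ini fragment using the [nsxv] keys named on the slides;
# the policy ids here are sample values, not real NSX objects.
NSX_INI = """
[nsxv]
use_nsx_policies = True
default_policy_id = policy-6
allow_tenant_rules_with_policy = False
"""

# Constructed catalogue of one tenant's security groups (the four kinds from
# the slides) and the NSX policy each policy group was created with.
SG_CATALOG = {
    "default":  {"kind": "default",  "policy": None},        # policy id comes from nsx.ini
    "pci-base": {"kind": "provider", "policy": "policy-7"},  # mandatory on every port
    "web-tier": {"kind": "optional", "policy": "policy-8"},  # tenant may attach
    "my-rules": {"kind": "regular",  "policy": None},        # tenant-authored rules
}

def load_nsxv(ini_text):
    """Read the policy-related [nsxv] settings from nsx.ini text."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    s = cp["nsxv"]
    return {"use_nsx_policies": s.getboolean("use_nsx_policies"),
            "default_policy_id": s.get("default_policy_id"),
            "allow_tenant_rules": s.getboolean("allow_tenant_rules_with_policy")}

def port_policies(settings, requested, catalog=SG_CATALOG):
    """Model which groups (and NSX policies) a new compute port ends up with.

    requested: group names the tenant gave at boot; empty means the default group.
    Regular rule groups are refused unless allow_tenant_rules_with_policy is set,
    and provider groups are appended to every port whatever was requested.
    Returns [(group name, policy id or None), ...] in attachment order.
    """
    bound = []
    for name in (list(requested) or ["default"]):
        sg = catalog[name]
        if sg["kind"] == "regular" and not settings["allow_tenant_rules"]:
            raise ValueError(f"{name}: tenant rule groups are disabled in nsx.ini")
        policy = settings["default_policy_id"] if sg["kind"] == "default" else sg["policy"]
        bound.append((name, policy))
    for name, sg in catalog.items():
        if sg["kind"] == "provider" and all(n != name for n, _ in bound):
            bound.append((name, sg["policy"]))
    return bound
```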
Admin Rules
“As a NSX Admin I want my tenants to configure their security groups but I want the ability to override their rules.”
VIO 3.1 NSX Admin Policy
• NSX administrators define security policies
• OpenStack Cloud Admin enforces the policy with cloud users
• Enables enhanced security insertion
• Assurance that all workloads are developed and deployed based on standard IT security policies.
User Story
• Use security groups to explicitly block unwanted traffic.
• Create a new security group where the action is ‘Deny’. By default in Neutron the action is ‘Allow’ (imagine a dark piece of paper in which the tenant pricks holes to let traffic in). The admin can now close unwanted holes.
• The API is restricted to Admin.
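An added illustration (not VIO or NSX code) of the dark-paper model: a small rule evaluator in which the tenant's Allow rules are the holes and an admin Deny group closes one of them. The rules and addresses are constructed, and evaluating admin rules before tenant rules is this model's assumption for how the override behaves.

```python
import ipaddress

# Constructed rules. Neutron's own default is "allow only what is listed": the
# tenant's Allow rules are the holes pricked in the dark paper. An admin group
# carries an explicit Deny; this model evaluates admin rules before tenant rules
# so that an admin Deny overrides a tenant Allow (the ordering is an assumption).
ADMIN_RULES = [
    {"direction": "ingress", "protocol": "tcp", "port": 22,
     "remote": "203.0.113.0/24", "action": "deny"},   # close SSH from this range
]
TENANT_RULES = [
    {"direction": "ingress", "protocol": "tcp", "port": 22,
     "remote": "0.0.0.0/0", "action": "allow"},       # tenant opened SSH to the world
    {"direction": "ingress", "protocol": "tcp", "port": 443,
     "remote": "0.0.0.0/0", "action": "allow"},
]

def matches(rule, direction, protocol, port, remote_ip):
    """True when the packet's direction, protocol, port and peer address fit the rule."""
    return (rule["direction"] == direction and rule["protocol"] == protocol
            and rule["port"] == port
            and ipaddress.ip_address(remote_ip) in ipaddress.ip_network(rule["remote"]))

def decide(direction, protocol, port, remote_ip,
           admin_rules=ADMIN_RULES, tenant_rules=TENANT_RULES):
    """First matching rule wins; admin rules are consulted first; no match means drop."""
    for rule in admin_rules + tenant_rules:
        if matches(rule, direction, protocol, port, remote_ip):
            return rule["action"]
    return "deny"
```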
FWaaS
• Neutron extension that provides a firewall feature set
• Tenants can create and manage firewall policies and rules
• The NSX plugin will invoke these on the edge routers
• Currently only FWaaS v1 is supported
Port security / Spoof guard
• Port level security
• Anti spoofing
• NSX leverages SpoofGuard to implement and enforce this
• Allowed address pairs – enables us to register additional ports with the same IP/MAC pair
Enterprises, Service Providers & Public Sector Organizations
EMEA Customer Momentum for VMware NSX