Vmware tt.08 gallagher-vmwarett.08 - intro to nsx (1)

© Copyright 2015 EMC Corporation. All rights reserved.

INTRODUCTION TO VMWARE NSX VIRTUALIZE YOUR NETWORK


AGENDA

1 NSX & Software Defined Data Center

2 NSX Use Cases: Micro-Segmentation

3 NSX Use Cases: Self-Service IT

4 NSX Use Cases: Disaster Recovery

5 NSX & Converged Infrastructure


WHAT IS A SOFTWARE DEFINED DATA CENTER?

Data Center Virtualization Layer

Intelligence in Software

Operational Model of VM for Data Center

Automated Configuration & Management

Intelligence in Hardware

Dedicated, Vendor Specific Infrastructure

Manual Configuration & Management

Software

Hardware

Compute, Network and Storage Capacity

Pooled, Vendor Independent, Best Price/Performance Infrastructure

Simplified Configuration & Management


THE ANATOMY OF THE MOST AGILE AND EFFICIENT DATA CENTERS IS SDDC

Custom Application

Google / Facebook / Amazon Data Centers

Custom Platform

Any x86

Any Storage

Any IP network

Software / Hardware Abstraction

Software / Hardware Abstraction


THE CHOICE FOR “NEW IT” FOR “ALL APPLICATIONS”

Software Defined Data Center (SDDC)

Any Application

SDDC Platform

Any x86

Any Storage

Any IP network

With NSX

Custom Application

Google / Facebook / Amazon Data Centers

Custom Platform

Any x86

Any Storage

Any IP network

Software / Hardware Abstraction

Software / Hardware Abstraction


TAKING WHAT WE HAVE LEARNED….

Software

Hardware

Virtual Machines

Compute Capacity Network Storage

Applications

Server Virtualization

• Intelligence in the virtualization layer

• Vendor independent x86 capacity

• Transformative operational model

• Automated configuration & management

Intelligence in hardware

Dedicated, vendor specific infrastructure

Manual configuration & management

Manual Operational Model

Automated Operational Model

Programmatically Create, Snapshot,

Store, Move,

Delete, Restore


TO DELIVER A SDDC APPROACH

Software

Hardware

Virtual Machines

Virtual Networks

Virtual Storage

Compute Capacity

Network Capacity

Storage Capacity

Applications

Location Independence

Data Center Virtualization

Pooled compute, network and storage capacity

Vendor independent, best price/performance

Simplified configuration & management

Automated Operational Model

Programmatically Create, Snapshot,

Store, Move,

Delete, Restore


NETWORK VIRTUALIZATION IS AT THE CORE OF AN SDDC APPROACH

Software Hardware

Virtual Machines

Virtual Storage

Compute Capacity

Network Capacity

Storage Capacity

Applications

Data Center Virtualization

Automated Operational Model

Programmatically Create, Snapshot,

Store, Move,

Delete, Restore

Virtual Networks


Provides A Faithful Reproduction of Network & Security Services in Software

Management APIs, UI

Switching Routing

Firewalling

Load Balancing

VPN

Connectivity to Physical Networks

Policies, Groups, Tags

Data Security Activity Monitoring


VMWARE NSX: VIRTUALIZE THE NETWORK

Logical Switching

Logical Routing

Load Balancing

Physical to Virtual

Firewalling & Security

One-Click Deployment via Cloud Management Platform


NSX | THE STRATEGIC PLATFORM FOR THE NEXT GENERATION DATA CENTER

Micro-Segmentation

Security Automation

Beyond the Datacenter

NSX

NSX makes network security inside data center perimeter operationally feasible

Reduce RTO by 80%

Reduce infrastructure provisioning time from weeks to minutes

Self service Cloud (vRealize Automation or Openstack)

Live migrate workloads to new data center without changing IP addresses.

Provision or repurpose generic physical capacity on demand


WHY DO BREACHES STILL OCCUR?

Data Center Perimeter

Today’s data centers are protected by strong perimeter defense…

But threats and exploits still infect servers. Low-priority systems are often the target.

Threats can lie dormant, waiting for the right moment to strike.

Server-server traffic growth has outpaced client-server traffic. The attack spreads and goes unnoticed.

Possibly after months of reconnaissance, the infiltration relays secret data to the attacker.

Attacks spread inside the data center, where internal controls are often weak. Critical systems are targeted.


SECURITY IN A TRADITIONAL NETWORKING MODEL

Traditional Networking Model

Layer 2 Sprawl Everywhere

Security Enforcement & Segmentation is Complex

Open E-W Communication

Enforcement via Stateless ACLs

Expensive Hardware-based Firewalls

Static Security Model


SECURE MICRO-SEGMENTATION WITH NSX

Distributed Firewalling

Web Tier

App Tier

DB Tier

Logical Switching


NSX DELIVERING BETTER SECURITY AND MAKING MICRO-SEGMENTATION OPERATIONALLY FEASIBLE

• Reduce attack surface for every application/VM

• Security Policy aligned to the application/project lifecycle

• Each Hypervisor acts as a firewall providing line rate performance


MICRO-SEGMENTATION IN DETAIL

Segmentation: controlled communication path within a single network

• Fine-grained enforcement of security

• Security policies based on logical groupings of VMs

Isolation: no communication path between unrelated networks

• No cross-talk between networks

• Overlay technology assures networks are separated by default

Advanced services: addition of 3rd party security, as needed by policy

• Platform for including leading security solutions

• Dynamic addition of advanced security to adapt to changing security conditions


MICRO-SEGMENTATION DEPLOYMENT EXAMPLES

Perimeter firewall

DMZ/Web

App

DB

HR Group

App

DMZ/Web

DB

Finance Group

Services Mgmt

Services/Management Group


Network Segmentation / DMZ Multi-Tenancy with Adv. Service

Isolation

Tenant 1 Tenant 2


A CONVERGED INFRASTRUCTURE MEANS VIRTUAL DESKTOPS RUN ON THE SAME INFRASTRUCTURE AS SERVERS…

SECURITY CHALLENGES IN A VDI ENVIRONMENT

Bringing desktops into the data center opens up new risks for attack.

And a matrix of policies is needed on centralized, choke-point firewalls for the correct security posture.

VDI to VDI: Desktop-to-desktop hacking inside the DC

VDI to VM: Desktop-to-server hacking inside the DC

Finance

HR

Engineering


SOLVING VDI SECURITY WITH NSX MICRO-SEGMENTATION

Enterprise Applications

Virtual Desktops

Shared Infrastructure

Firewall based on Logical Grouping

BENEFITS

Distributed Firewall provides Isolation & Segmentation

3rd Party Integration for AV, IPS/IDS, NGFW, etc.

Programmable & Automated Application of Networking & Security


SOLUTIONS FOR EVERY LEVEL OF IT AUTOMATION

IT Admin End User (Pre-Defined)

Community Cloud User (Pre-Defined or Custom)

End User (Custom)

Templates

Internal IT / Cloud External Cloud

NSX Manager vRealize Automation Openstack


Logical Switch

Logical Router

NSX

Logical Firewall

Logical Load Balancer

NSX WITH VREALIZE AUTOMATION

On Demand Application Delivery vRealize Automation

Resource Reservation

Multi-Machine Blueprint

Service Catalog

Cloud Management

Platform

Network Profiles

Security Policies

Security Groups

Web

App

Database

VM VM

VM VM VM

VM


NSX USE CASE – SELF SERVICE IT

Multi-Machine

Blueprints

Cloud Consumer

Cloud Admin

SLA

Cost Profile

Security

Networking

Service Catalog

Service Request

Network Profiles Security Groups Security Policies

Network Admin

Load Balancer Admin

Standardized Templates

Logical Load Balancer

Security Admin

AVAILABILITY SECURITY CONNECTIVITY

Security Tags External Networks


NSX USE CASE – ON DEMAND MICRO-SEGMENTATION

Web

App

Database

PRIVATE

No external connectivity

VM

VM VM

VM VM VM

Isolation

Controlled Communication Path

Advanced Services Communication Path

Segmentation Advanced Services

No Communication Path


CHALLENGES WITH DC EXTENSIONS

Workload Mobility & Disaster Recovery Solutions Require Layer 2 Extensions across Data Centers

Technologies Required today:

• Cisco OTV

• MPLS / VPLS

• Dark Fiber

Challenges:

• Expensive, mostly hardware-based

• Manual Configuration Model

L2 Connection

Data Center 1 Data Center 2


NSX FOR DATA CENTER MULTI-SITE EXTENSIONS

L2 Extensions

Data Center 2 Data Center 1 Logical Switch Extension L2 VPN

Data Center 2

Software-based solution with support for Logical Switching, Distributed Routing, Distributed Firewall

vCloud Air


NSX FOR DATA CENTER MULTI-SITE EXTENSIONS

Data Center 2 Data Center 1

SRM-based Disaster Recovery

No Re-IPing, Instantaneous Availability of Apps upon Disaster Failover of Logical Switching, Routing & Firewall Rules


DR TODAY (SIMPLE VIEW)

10.0.10/24 10.0.20/24

10.0.10.21 10.0.20.21 Major RTO Impact

Change IP Address 4

Primary Site Recovery Site

Recover the VM 3

Replicate VM & Storage

2 Physical Network Infrastructure Physical Network Infrastructure

SAN

1 Snapshot VM

SAN

Steps 1 & 2 (e.g. VMware SRM)


DR WITH NSX NETWORK VIRTUALIZATION (SIMPLE VIEW)

SAN SAN

10.0.30.21 10.0.30.21

Virtual Network 10.0.30/24

80% RTO

Virtual Network 10.0.30/24

NSX Controller NSX Controller

Snapshot Network & Security

2b

Primary Site Recovery Site

1 Snapshot VM Network & Security

already exists

Recover the VM

3

Physical Network Infrastructure Physical Network Infrastructure 2a Replicate

VM & Storage

10.0.10/24 10.0.20/24

Steps 1 & 2 (e.g. VMware SRM)



SDDC APPROACH WITH NSX ENABLES CHOICE AND FLEXIBILITY

“Build Your Own” Converged Infrastructure Hyper-Converged Infrastructure

Hyper-Converged Infrastructure

Software-Defined Data Center

Today’s Application PAAS Containers

VCE VXBLOCK WITH NSX

• NSX Pre-installed on VxBlock Systems from VCE

• Complete Validated architecture based on Cisco UCS, Nexus 9K, EMC Storage, VMware vSphere and NSX

• Supported by VCE

• Availability Early Q3 2015

• NSX Deployments on VBlock systems supported by VMware – Reference Designs Here

FEDERATION ENTERPRISE HYBRID CLOUD WITH NSX

• NSX Validated as part of Federation Enterprise Hybrid Cloud

• NSX Integrated with vRealize for Self-Service IT

• NSX in DR

KEY TAKEAWAYS

• NSX is a Foundational Part of the SDDC

• NSX is being deployed for solving key customer challenges – Security, Agility & Availability

• NSX is available as a part of Validated Architectures