© 2014 VMware Inc. All rights reserved.
NSX – Introduction and Use Cases
Luca Morelli – Sr Sales Engineer - NSX
Agenda
1 The Software Defined Data Center
2 Introduction to Network Virtualization with NSX
3 The Micro-Segmentation Paradigm
4 Main Use Cases
Taking what we have learned….
Server virtualization (figure: applications on virtual machines over pooled compute capacity, network and storage)
Hardware-centric model (manual operational model):
• Intelligence in hardware
• Dedicated, vendor-specific infrastructure
• Manual configuration & management
Software-centric model (automated operational model):
• Intelligence in the virtualization layer
• Vendor-independent x86 capacity
• Transformative operational model
• Automated configuration & management: programmatically create, snapshot, store, move, delete, restore
To deliver a Software Defined Data Center approach
Data center virtualization (figure: applications on virtual machines, virtual networks and virtual storage over pooled compute, network and storage capacity; location independence)
• Pooled compute, network and storage capacity
• Vendor independent, best price/performance
• Simplified configuration & management
• Automated operational model: programmatically create, snapshot, store, move, delete, restore
Why SDDC is the only model for Hybrid Cloud
Compatibility of networking and security policies independent of location.
(figure: private cloud, inter-data center and hybrid data center deployments, each running any application on the SDDC platform over any x86, any storage and any IP network; data center virtualization is the compute virtualization abstraction layer)
The Network Is a Barrier to Software Defined Data Center!!
The physical network compared with the Software Defined Data Center:
• Provisioning is slow
• Mobility is limited
• Hardware dependent
• Operationally intensive
NSX - Distributed Services in the Hypervisor
Network & security services now in the hypervisor: L2 switching, L3 routing, firewalling/ACLs, load balancing.
(figure: applications on virtual machines, virtual networks and virtual storage over pooled compute, network and storage capacity; location independence; NSX vSwitch in the hypervisor)
• Automated operational model of the SDDC
• Pooled compute, network and storage capacity; vendor independent, best price/perf; simplified config and mgt.
Non-Disruptive Deployment
(figure: NSX vSwitch in each hypervisor with VMs in user space; virtual networks run over the existing physical network)
Services distributed to the virtual switch: simplified IP backplane, no VLANs, no ACLs, no firewall rules.
Physical Workloads and Legacy VLANs
(figure: virtual network of NSX vSwitches connected to a physical workload on a legacy VLAN through an L2 bridging service: service VM, ToR, or x86 appliance)
The 3 Advantages of Distributing Services
1. Routing - more efficient networking, fewer hops
(figure: UCS blades with vSwitch, UCS fabric A/B, default gateway)
East-West routing, same host: before NSX 6 wire hops, with NSX 0 wire hops.
East-West routing, host to host: before NSX 6 wire hops, with NSX 2 wire hops.
The 3 Advantages of Distributing Services
2. Operational Model of a VM
(figure: physical hosts with vSwitch and VMs, perimeter firewalls toward the Internet, security policy pushed from the cloud management platform to each NSX vSwitch)
• Accurate firewall policies follow workloads as they move
3. Provisioning Automation with Scale-Out Performance
• Platform-based automation: automated provisioning and workload adds/moves/changes
• Hypervisor-based, in-kernel distributed firewalling: high throughput rates on a per-hypervisor basis
• Every hypervisor adds additional east-west firewalling capacity
Network Virtualization – Market Analysis
SDN (Network Virtualization, Automated Provisioning and Network Programmability) will grow annually by 89% from $960 million in 2014 to more than $8 billion in 2018 (1).
Primary drivers of growth:
• Need for flexible networks and improved provisioning times
• CapEx savings
• Improved network management
• Recoverability from failure and disaster recovery
• Swift response to changing business requirements
• Agility
(1) Source - IDC
Gartner Magic Quadrant Data Center Networking 2015
Gartner Data Center Networking Magic Quadrant, May 11, 2015
“Due to its pricing models, VMware's NSX allows organizations to incrementally adopt SDN without requiring large upfront capital investments.”
“VMware NSX can run on top of any appropriately provisioned IP-based Ethernet network”
“VMware should be considered for organizations looking to increase networking agility or security within highly virtualized data centers”
“We believe VMware has the largest installed base of any SDN solution in the market today”
“NSX microsegmentation is an innovative mechanism to provide intra-data-center security (east-west) in a cost-effective manner compared with traditional appliance-based approaches.”
Organizations face multiple issues with security
Source NSX Security Infographic: http://vmw.re/1AdyTEA
Problem: Data Center Network Security
Perimeter-centric network security has proven insufficient, and micro-segmentation is operationally infeasible.
(figure: perimeter firewall facing the Internet with little or no lateral controls inside the perimeter: insufficient; a firewall in front of every workload: operationally infeasible)
Companies hacked from inside:
http://www.xataka.com/seguridad/las-aventuras-amorosas-de-37-millones-de-usuarios-al-descubierto-hackean-ashley-madison
http://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/
VMware NSX Micro-Segmentation
Zero-Trust security model that follows the VM:
1 Isolation and segmentation
2 Unit-level trust / least privilege
3 Ubiquity and centralized control
(figure: VMs on a physical host, each attached to the NSX vSwitch in the hypervisor)
Microsegmentation is now possible in dynamic, multi-tenant environments:
• High performance, in-kernel distributed stateful firewall
• Security between VMs on the same IP subnet
• Integration with best-of-breed security partners
VMware NSX Ecosystem: http://www.vmware.com/products/nsx/resources
Developing a Framework to Improve Critical Infrastructure Cybersecurity: http://csrc.nist.gov/cyberframework/rfi_comments/040813_forrester_research.pdf
NSX Distributed Firewall is Optimized for SDDC
(figure: OS + application VMs on three hypervisors, each running the NSX Distributed Firewall; Web, App and DB VMs)
NSX Distributed Firewall:
• Delivers micro-segmentation
• Efficient rule management
• Dynamic policy (e.g. AV, DLP, vulnerability scan)
• No choke points with scale-out performance (near line rate)
• Enabled for cloud automation
Rules based on logical containers, for example:
  Src      Dst
  ANY      Shared Service
  Desktop  WEB_GROUP
Platform for distributed services: “Web Policy” firewall for WEB_GROUP – allow inbound HTTP/S, allow outbound ANY.
Firewall policies are pre-approved and used repeatedly by cloud automation.
The 3 Advantages of Distributing Services
Firewalling – much simpler operations
(figure: UCS blades with vSwitch, UCS fabric A/B, default gateway; with NSX the distributed virtual firewall runs in the NSX vSwitch)
East-West firewalling, same host: before NSX 6 wire hops, with NSX 0 wire hops.
East-West firewalling, host to host: before NSX 6 wire hops, with NSX 2 wire hops.
NSX DFW Policy Objects
• Policy rule construct: Rule ID, Rule Name, Source, Destination, Service, Action, Applied To
• Rich dynamic container-based rules apart from just IP addresses:
  VC containers: clusters, datacenters, portgroups, VXLAN
  VM containers: VM names, VM tags, VM attributes
  Identity: AD groups
  IPv6 compliant: IPv6 addresses, IPv6 sets, IPv6 services
  Services: protocol, ports, custom
• Action: Allow, Block, Reject
• Choice of PEP (Policy Enforcement Point): clusters, VXLAN, vNICs, …
Configure policy with Security Groups
1 Select elements to uniquely identify application workloads
2 Use attributes to create Security Groups
3 Apply policies to security groups
(figure: a VM with the attributes App 1, OS: Windows 8, TAG: “Production” is placed in GroupXYZ; Policy 1 “IPS for Desktops”, “FW for Desktops”; Policy 2 “AV for Production”, “FW for Production”)
Use security groups to abstract policy from application workloads:
• Enforce policy based on logical constructs
• Reduce configuration errors
• Policy follows VM, not IP
• Reduce rule sprawl and complexity
Element types:
  Static: data center, virtual net, virtual machine, vNIC
  Dynamic: VM name, OS type, user ID, security tag
Micro-segmentation simplifies network security
• Each VM can now be its own perimeter
• Policies align with logical groups
• Prevents threats from spreading
(figure: perimeter firewall and inside firewall in front of App, DMZ, Services (AD, NTP, DHCP, DNS, CERT) and DB segments; Finance, Engineering and HR VM groups)
Improved server utilization – less overprovisioning of servers: 60% asset utilization without network virtualization, 90% asset utilization with network virtualization.
NSX Security in SDDC
(figure: WAN/Internet, physical perimeter firewall, NSX Edge Service Gateway at the border of the SDDC, compute clusters with hypervisors and VMs, DFW on every hypervisor)
• NSX Edge Service Gateway positioned to protect the border of the SDDC: EDGE: North – South traffic protection
• NSX DFW positioned for internal SDDC traffic protection: DFW: East – West traffic protection
Micro-segmentation in detail
(figure: Production, Test and Dev networks, each with Web, App and DB tiers)
Isolation – no communication path between unrelated networks:
• No cross-talk between networks
• Overlay technology assures networks are separated by default
Segmentation – controlled communication path within a single network:
• Fine-grained enforcement of security
• Security policies based on logical groupings of VMs
Advanced services – addition of 3rd party security, as needed by policy:
• Platform for including leading security solutions
• Dynamic addition of advanced security to adapt to changing security conditions
NSX Partners and Service Categories
NSX partner extensions: application delivery services, physical-to-virtual services, operations and visibility, security.
http://www.vmware.com/products/nsx/resources.html
VMware NSX – Use Cases
Self-Service IT
  Examples: DevOps cloud, on-boarding, M&A (Dev X, Dev A, Test X, Acquisition A)
  Key capabilities: application-specific networking, flexible IP address mgmt, simplified consumption
Data Center Automation
  Examples: micro-segmentation of apps, simplifying compute silos, DMZ deployments
  Key capabilities: programmatic consumption, full featured stack, visibility and ops
Public Clouds
  Examples: XaaS clouds, vertical clouds
  Key capabilities: multi-tenant deployment; programmatic L2, L3, security; overlapping IP addressing; any hypervisor, any CMP
Use case: Multi-tenancy with segmentation, isolation and advanced services
(figure: Tenant 1 and Tenant 2, each behind a perimeter firewall with an HR Group and a Finance Group (DMZ/Web, App and DB VMs) and a Services/Management Group (Services and Mgmt VMs))
• No traffic between networks
• Completely separate unrelated networks
• Add advanced services based on virtual network, network segment, or Security Group
Use case: Networking and Security for VDI
• Eliminate complex policy sets and topologies for different VDI users
• Align policies to logical grouping
• Decouple network topology from VDI security
• Simplify VDI deployments
(figure: APP1 (Web 1, App 1) and APP2 (Web 2, App 2) accessed by Engineering, External Contractor 1 and External Contractor 2 desktops)
Traditional data center – VLANs (Engineering, External Contractor 1, External Contractor 2) with rules per VLAN and tier (numbers as on the slide):
  Eng → Web 1  4
  Eng → App 1  4
  Eng → Web 2  4
  Eng → App 2  4
  Ext1 → Web 1  4
  Ext1 → App 1  5
  Ext2 → Web 2  4
  Ext2 → App 2  5
  …
NSX data center – rules on logical groups:
  Eng → Eng net  4
  “External 1*” → Web 1  4
  “External 2*” → Web 2  4
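One way to model the group-based rules from the DFW policy-object and security-group slides and from this VDI slide, as an added example that is not NSX code: VMs are matched into security groups by name, tag and logged-in user rather than IP, and a rule table is evaluated first-match. The VM attributes, group names, service strings and the explicit default-deny row are constructed for the example.

```python
from dataclasses import dataclass, field, replace
from fnmatch import fnmatch

@dataclass
class VM:                  # the attributes the deck lists as dynamic group criteria
    name: str
    ip: str
    tags: set = field(default_factory=set)
    user: str = ""         # logged-in user, standing in for the Identity / AD group criterion

@dataclass
class SecurityGroup:       # dynamic membership: evaluated on attributes, never on the IP
    name: str
    name_glob: str = "*"
    tag: str = None
    user_glob: str = None
    def contains(self, vm):
        return (fnmatch(vm.name, self.name_glob)
                and (self.tag is None or self.tag in vm.tags)
                and (self.user_glob is None or fnmatch(vm.user, self.user_glob)))

# Rule rows as on the DFW slide: (Rule ID, Source, Destination, Service, Action); None == ANY
def evaluate(rules, src_vm, dst_vm, service):
    for rule_id, src, dst, svc, action in rules:
        if ((src is None or src.contains(src_vm))
                and (dst is None or dst.contains(dst_vm))
                and svc in ("any", service)):
            return rule_id, action
    return 0, "Block"      # assumed implicit deny when no row matches
# Constructed sample groups and rules mirroring the VDI slide's three NSX rows
ENG = SecurityGroup("Engineering", tag="Desktop", user_glob="eng-*")
EXT1 = SecurityGroup("External Contractor 1", tag="Desktop", user_glob="ext1-*")
ENG_NET = SecurityGroup("Eng net", name_glob="*-1", tag="Production")
WEB1 = SecurityGroup("Web 1", name_glob="web-1")
RULES = [(1, ENG, ENG_NET, "any", "Allow"),
         (2, EXT1, WEB1, "tcp/443", "Allow"),
         (3, None, None, "any", "Block")]      # explicit default deny

def demo():
    eng = VM("desk-07", "10.1.1.7", {"Desktop"}, "eng-alice")
    ext = VM("desk-08", "10.1.1.8", {"Desktop"}, "ext1-bob")
    web1 = VM("web-1", "10.2.0.1", {"Production"})
    app1 = VM("app-1", "10.2.0.2", {"Production"})
    moved = replace(ext, ip="10.9.9.9")        # re-addressed after a move: same decision
    return {"eng->app1": evaluate(RULES, eng, app1, "tcp/8080"),
            "ext1->web1": evaluate(RULES, ext, web1, "tcp/443"),
            "ext1->app1": evaluate(RULES, ext, app1, "tcp/443"),
            "ext1->web1 ssh": evaluate(RULES, ext, web1, "tcp/22"),
            "moved->web1": evaluate(RULES, moved, web1, "tcp/443")}
```

The contractor desktop reaches Web 1 on HTTPS only, is blocked from App 1 and from SSH to Web 1, and keeps the same verdict after its IP changes, which is the "policy follows VM, not IP" point of the security-group slide.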
Use Case: Infrastructure Management with vRealize Automation
New features – simplified multi-tier app deployment:
• Improved connectivity − deployment of logical switches and networks
• Enhanced security − intelligent placement of workloads in security groups protected by firewalls
• Increased availability − via deployment of NSX distributed firewalls and load balancers
Benefits: deliver secure, scalable, performing application-specific infrastructure on demand; dynamically provision and decommission NSX logical services.
Use Case: Disaster Recovery Scenarios with NSX+SRM
(figure: “Protected” site and “Recovery” site, each with NSX Manager, NSX Controller Cluster, vCenter + SRM and vRA; VMFS/NFS storage replicated between sites; firewall rules & security groups carried across)
Use Case: A True Hybrid Cloud powered by VMware NSX
(figure: local data center connected to vCloud Air (vCloud Air Network) over the Internet via IPsec VPN, SSL VPN and L2 VPN)
Some benefits:
• L2VPN for DC extension
• Granular network security with trust groups
• Bi-directional workload migration using the vSphere web client
• Today with vCloud Air
• Tomorrow with Amazon AWS, Azure, Google and other public cloud providers
What You’ve Done with NSX
• 900+ NSX customers
• 100+ production deployments (adding 25-50 per quarter)
• 65+ organizations invested US$1M+ in NSX
What You’re Doing Next
Expanded security: new security partners, integrations, and projects and applications of NSX.
Deeper integration: new infrastructure and operations partners, integrations, and frameworks for IT organizations.
Application continuity: new functionality to scale deployments across vCenter instances, with the ability to:
• Pool resources from multiple data centers
• Recover from disasters faster
• Deploy a hybrid cloud architecture
• NSX 6.2 contains over 20 new features
• Tested against over 1000 new scenarios
VMware NSX Momentum
Leading global enterprises, public & service providers; 4 of 5 top investment banks.
VMware NSX Value Prop
VMware NSX transforms the operational model of the network:
• Innovative speed & business velocity: reduce network provisioning time from days to seconds (network provisioning time reduced from 7 days to 30 sec.)
• Cost savings: operational automation, simplified IP hardware; reduce operational costs by 80%, increase compute asset utilization to 90%, reduce hardware costs by 40-50%
• Choice: any hypervisor (vSphere, KVM, Xen, Hyper-V (future)), any network hardware, any CMP (vRealize, OpenStack), partner ecosystem
What’s Next…
Play, learn, deploy:
• VMware NSX Hands-on Labs: labs.hol.vmware.com
• Explore, Engage, Evolve: virtualizeyournetwork.com
• Network Virtualization Blog: blogs.vmware.com/networkvirtualization
• NSX Product Page: vmware.com/go/nsx
• NSX Training & Certification: www.vmware.com/go/NVtraining
• NSX Technical Resources, Reference Designs: vmware.com/products/nsx/resources
• VMware NSX YouTube Channel: youtube.com/user/vmwarensx
• VMware NSX Community: communities.vmware.com/community/vmtn/nsx
Q&A
Thank you. Luca Morelli
Network Virtualization Platform Sr System Engineer