Objective 1.1 – Compare and Contrast the Benefits of a VMware NSX Implementation

Principles

  • Determine challenges with physical network implementations
  • Understand common VMware NSX terms
  • Differentiate NSX network and security functions and services
  • Differentiate common use cases for VMware NSX

References

Determine challenges with physical network implementations

Legacy Approach

Perimeter

  • Legacy network and security architectures rely on the premise that securing the datacenter perimeter sufficiently protects against threats
  • Does not work because traffic inside the perimeter is not secured

Server Virtualisation

  • Applications no longer tied to a single datacenter
  • Applications can be replicated to a remote location
  • Move between Datacenters or hybrid cloud

  • Legacy network configurations tied to hardware and therefore location
  • Networks vary greatly from site to site
  • Requires a lot of application customisation
  • Barrier to Application mobility

Challenges due to lack of Network Virtualisation

Complexity in Service Deployment

  • 90% of companies surveyed say they are limited by network complexity when deploying services or applications
  • Businesses spend on average 270 days per annum waiting for IT

Manual and Risk Prone Configuration

  • Manual configuration for new services or applications
  • Add VLANs, configure multiple switches etc.
  • 1/3 of network outages caused by configuration errors

Capital and Operational Costs

  • High Capital and Operations costs
  • Manual processes for managing physical networks
  • High costs for standalone solutions for Routing, Firewall, Load Balancing
  • Over-provision to meet peaks in demand
  • Periodic forklift upgrades

Insufficient and Weak Security

  • Once Perimeter Firewall is breached threats spread easily inside Datacenter
  • Too expensive to deploy Firewalls inside the datacenter between networks (East-West)

Common Complaints

  • Too much time spent deploying Lab environments
  • VLANs limited to specific pods
  • Concerns about Virus and Malware inside the Datacenter
  • Network must be updated every time a new application is needed
  • VPN solution overwhelmed – does not scale
  • Load Balancer saturated

Network Virtualization

  • NSX provides network virtualization
  • Abstraction moves intelligence from Physical to Software layer
  • Software based services easily distributed e.g.
    • Routing
    • Switching
    • Firewalling
    • Load Balancing

Abstraction

Network is:

  • Simplified
  • Stable
  • Reliable

  • Apply Operational Model of Virtual Machines to Networks
  • Programmatically do the following to applications in the same way as VMs:
    • Create
    • Snapshot
    • Store
    • Move
    • Delete
    • Restore

Understand common VMware NSX Terms

Physical Network

Any type of IP network that provides data transport

Data Plane

The Data Plane is where actual traffic flows.

NSX Virtual Switch

  • Based on vSphere DVS with additional components
  • Abstracts the physical network
  • Provides access level switching in the hypervisor
  • Enable logical networks that are independent of physical constructs

Distributed Logical Router

  • Routing function at hypervisor level
  • Bridges VXLAN to VLAN traffic

Security Services

  • Distributed Firewall:
    • Kernel and NIC level
    • Minimal CPU overhead
    • Line rate performance
  • Edge Firewall
  • Spoof Guard

Extensibility

  • Extensible Framework
  • Security Vendors provide umbrella of services
    • Anti-virus/Anti-malware/Anti-Bot Solutions
    • Layer 7 Firewall
    • Host and Network Based IPS/IDS Services
    • File Integrity Monitoring
    • Guest Vulnerability Management

NSX Edge Services Gateway

  • L2 and L3 Services
  • Firewall
  • Load Balancing
  • SSL VPN
  • DHCP
  • NAT

Control Plane

  • Runs in the NSX Controller Cluster
  • Advanced Distributed State Management System
  • Provides Control Plane functions for NSX Logical Routing and Switching services
  • Responsible for managing the distributed switching and routing modules in the hypervisor
  • Distribute network information to hosts
  • Maintains information for all Hosts, DLRs and Logical Switches
  • No Data Plane traffic passes through them

Logical Router Control VM

Provides the routing control plane that enables:

  • Local Forwarding within an ESXi Host
  • Dynamic Routing between ESXi Hosts
  • North South routing provided at the Edge

User World Agent (UWA)

  • The UWA is composed of netcpad + vsfwd daemons on ESXi hosts
  • Uses SSL to communicate with NSX Manager
  • Mediates between NSX Controller and Hypervisor Kernel Modules except DFW
  • Retrieves information from NSX Manager through Message Bus Agent

Management Plane

  • Built by NSX Manager
  • Single Point of configuration
  • REST API entry points

Consumption Model

  • Driven through NSX Manager UI through vSphere plugin
  • NSX can be configured through:
    • vSphere Web Client
    • CLI
    • REST API
  • Out of the box integration with:
    • vRealize Automation
    • vCloud Director
    • VMware Integrated OpenStack with Neutron plugin

Differentiate common use cases for VMware NSX

Main Use Cases:

  • Security
  • Automation
  • Application Continuity

Security

Micro-Segmentation

Micro-Segmentation Basics

  • At its most basic level, it’s the ability to segment elements of a system into granular components
  • Security policies can be applied at different levels, from a whole cluster down to a single VM
  • MS targets lateral (East-West) traffic
  • Permits “Zero-Trust” model

Micro-Segmentation Detail

  • Traffic patterns changed from North/South to East/West

  • Micro Segmentation has not been possible at scale -> too many firewalls difficult to administer (operationally infeasible)
  • NSX enables parallel virtual networks fully isolated from the underlying physical network

  • NSX secures communication within a network with flexible security policies that reflect business logic
  • NSX is a platform for advanced services => ecosystem of leading security vendors

Benefits of NSX and Micro-Segmentation

  • Uses the power of the hypervisor-based DFW for East-West traffic control
  • Inherent security and automation capabilities of NSX make Micro Segmentation Operationally feasible
  • Cost effective: Improves ratio of security to level of effort and is much cheaper than hardware

Micro-Segmentation Simplifies Network Security

  • Security Policies at Object Level
  • Each VM has its own Security Parameters
  • Policies are portable i.e. they move with the machine

  1. Create Security Groups
  2. Create Security Policies
  3. Apply Security Policies to Security Groups
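The three steps above, and the point that policies move with the machine, as an added toy model (not VMware's API or DFW code); the class names, tag-based group criteria and sample inventory are assumptions:

```python
# Toy model of the three micro-segmentation steps (added illustration, not VMware's API or
# DFW code); class names, the tag-based group criteria and the sample inventory are assumptions.
from dataclasses import dataclass, field

@dataclass
class Vm:
    name: str
    host: str                                # ESXi host the VM currently runs on
    tags: set = field(default_factory=set)   # NSX-style security tags on the VM object

@dataclass
class SecurityGroup:
    """Step 1: a Security Group with dynamic membership by security tag ("" = any VM)."""
    name: str
    tag: str = ""
    def contains(self, vm: Vm) -> bool:
        return not self.tag or self.tag in vm.tags

@dataclass
class Rule:
    src: str      # source Security Group name
    dst: str      # destination Security Group name
    port: int
    action: str   # "allow" or "deny"

@dataclass
class SecurityPolicy:
    """Step 2: an ordered rule set evaluated first-match; no match means deny (zero trust)."""
    rules: list

GROUPS = {"any": SecurityGroup("any"), "web": SecurityGroup("web", "tier-web"),
          "db": SecurityGroup("db", "tier-db")}                        # constructed sample groups
POLICY = SecurityPolicy([Rule("web", "db", 3306, "allow"),           # Step 3: policy written in
                         Rule("any", "web", 443, "allow")])           # terms of groups, not IPs/hosts

def evaluate_flow(src: Vm, dst: Vm, port: int, policy=POLICY, groups=GROUPS) -> str:
    """Verdict for an East-West flow. Membership comes from VM tags, so the verdict does not
    depend on which host either VM runs on: the policy moves with the machine."""
    for r in policy.rules:
        if groups[r.src].contains(src) and groups[r.dst].contains(dst) and r.port == port:
            return r.action
    return "deny"   # implicit default deny: lateral traffic not explicitly permitted is dropped

def vmotion(vm: Vm, new_host: str) -> Vm:
    """Move a VM to another ESXi host; its tags, and therefore its policy, travel with it."""
    return Vm(vm.name, new_host, set(vm.tags))

if __name__ == "__main__":
    web, db = Vm("web01", "esx-a", {"tier-web"}), Vm("db01", "esx-b", {"tier-db"})
    print(evaluate_flow(web, db, 3306), evaluate_flow(db, web, 3306),
          evaluate_flow(vmotion(web, "esx-c"), db, 3306))   # allow deny allow
```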

DMZ Anywhere

  • Normally DMZ is a restricted network with specific security policies and services
  • Complicates deployment of new applications and involves negotiations between stakeholders:
    • Application Owner
    • Network Team
    • Security Team
  • Slows things down significantly

  • NSX allows specific security policies to be applied to workloads anywhere in the network topology
  • Securing User environments in a VDI Infrastructure is complex
  • Multiple user groups must be mapped to various resources
  • NSX makes things simpler by allowing Security Groups to be tied to users based on individual attributes

Advanced Services Insertion

NSX Integrates with 3rd party network solutions e.g. Palo Alto

  1. Solution management tool registers with Controller
  2. Controller distributes security VM to each hypervisor
  3. Security Policies created in management tool are distributed to each ESXi Host via the Controllers
  4. Traffic is then steered from the VM to the 3rd party security VM
  5. Security Policies move with VMs

Security: Secure End-User

VMware Horizon

Security Concerns:

  1. Securing user desktops from one another
  2. Securing user desktops from servers

  1. Horizon View Virtual Desktop

The VM running in vSphere containing all application and user data

  2. View Composer

Creates desktop images based on a golden image

  3. View Connection Server

Provides authentication and handles incoming connection requests – aka View Manager

  4. View Security Server

Extra layer of security deployed in the DMZ. Provides a secure connection and helps authenticate external users

  5. View Administrator

Manages the View environment, desktops and policy

  6. View Client

Runs on a desktop, laptop, tablet, thin client or mobile device.

Connects to a Connection Server or Security Server

VDI Challenges

  • VDI runs on same infrastructure as server
  • Must protect:
    • vDesktop -> vDesktop
    • vDesktop -> Server
  • Need to provide vDesktops necessary access to applications deployed in the datacenter

  • Much larger security surface area with VDI

Enterprise Mobility Management (EMM)

  • EMM covers every end-point, use case and OS
  • VMware AirWatch can manage all access devices from a single console

  • AirWatch manages:
    • Applications
    • Content
    • Email
    • Browsing
    • Workspace

  • Aware of device posture
  • EMM:
    • Enforce restrictions:
      • Jail Break
      • Password Strength
      • Lost
    • Mobile Apps Compliance
    • Enterprise Application Awareness
  • VPN:
    • Secure Communications
    • Full Device Access
  • Network Access Control (NAC)
    • Device Posture & Quarantine
    • No micro-segmentation

VPN:

  • Once a device has DC access, how do you control access to resources inside it?
  • Mobile devices introduce potential access to corporate resources from untrusted sources
  • No device, user or application profile data once connected

AirWatch Encrypted Tunnel

  • Traffic is encrypted over the tunnel
  • Supports Micro-Segmentation

AirWatch Strategic Features

AirWatch can provide information for DFW security policies

  • Helps create a matrix of policies that define the firewall policies to protect the data centre from east-west traffic
  • Provides micro-segmentation as part of desktop and application delivery services in an enterprise environment

Automation

IT Automating IT

  • Faster project on-boarding
  • Multitenant Infrastructure
  • Developer Cloud
  • Faster Application Development
  • Business Value: Reduce Infrastructure-provisioning time from months to weeks
  • NSX can help automation in a variety of ways

  • vRA can use the NSX API to create topologies on demand
  • vRA supports dynamic NSX configuration and deployment through its reservations and blueprints

vRA on-demand Multi-Machine Blueprints

  • If a DLR is used as Routed Gateway in Reservation then it must exist already (pre-created)
  • If an ESG is used as Routed Gateway in Reservation then ESGs are created on demand

vRA pre-created Multi-Machine Blueprints

  • DLR must exist

Developer Cloud

  • Use VMware Integrated OpenStack

Multi-Tenant Infrastructure

Use NSX to create multi-tenant topologies

Application Continuity

  1. Disaster Recovery
  2. Metro Pooling
  3. Hybrid Cloud Networking

  • Application Continuity is about delivering the Data Center anywhere
  • NSX supports up to 8 x vCenter
    • 1 x vCenter per site
    • 1:1 relationship between vCenter and NSX Manager
  • Challenge: Multisite Infrastructure is too siloed
    • Cross site connectivity complex and expensive
    • Security Policies are local to a site => policies must be replicated which is error prone
  • vSphere 6 Cross-vCenter vMotion + Metro Storage Cluster (vMSC) address the storage challenge
  • Cross Site NSX:
    • 3 x Universal Controllers supported

Cross-vCenter

  • <= 150ms latency

Multi-vCenter NSX

  • 1 x Primary and up to 7 Secondary NSX Managers
  • 3 x Universal Controllers

Cross-vCenter NSX Benefits

Disaster Recovery with NSX

Workload Mobility

Data Center Consolidation