Introduction to NSX
Going beyond server virtualization
IT’S TIME FOR A NEW IT APPROACH
SLOW TECHNOLOGY ADOPTION RATES
HIGH USER EXPECTATIONS
SLOW RESPONSES
PRIVACY ISSUES
INTEGRATION PROBLEMS
SERVICE OUTAGES
SHORTAGE OF RIGHT SKILLS
DECLINING BUDGET
DIFFERENT APPLICATIONS
AGING INFRASTRUCTURE
SECURITY
PROLIFERATION OF DEVICES
FRAGMENTED DATA CENTER
LIMITED RESOURCES
CLOUD SILOS
It’s Time to Virtualize the WHOLE Data Center
The Software Defined Data Center: EFFICIENT, AGILE, SECURE
Optimized for rapid development and delivery of all applications, for safe consumption on any device
Network Virtualization is Key
What is a Software Defined Data Center (SDDC)?
Hardware: Intelligence in Hardware; Dedicated, Vendor Specific Infrastructure; Manual Configuration & Management
Software (Data Center Virtualization Layer): Intelligence in Software; Operational Model of VM for Data Center; Automated Configuration & Management
Compute, Network and Storage Capacity: Pooled, Vendor Independent, Best Price/Performance Infrastructure; Simplified Configuration & Management
Network Virtualization is at the core of an SDDC approach
Virtual Data Centers
“Network hypervisor”
Virtualization layer
Network, storage, compute
Non-Disruptive Deployment
The Power of Distributed Services
Network and security services now distributed in the hypervisor: Switching, Routing, Firewalling/ACLs, Load Balancing
• High throughput rates
• East-west firewalling
• Native platform capability
A Traditional “Virtual Switch”
Traditional Layer 3 Routing?
A Virtual Network?
Non-Disruptive Deployment
Programmatically Provisioned
Network & Security Services Distributed to the Virtual Switch
Physical Network becomes high-speed IP backplane
DR Today (simple view)
Primary Site: Physical Network Infrastructure 10.0.10/24, VM at 10.0.10.21, SAN
Recovery Site: Physical Network Infrastructure 10.0.20/24, VM at 10.0.20.21, SAN
1. Snapshot VM
2. Replicate VM & Storage (steps 1 & 2 e.g. VMware SRM)
3. Recover the VM
4. Change IP Address, Reconfig Security: Major RTO Impact
DR with NSX Network Virtualization (simple view)
Primary Site: Physical Network Infrastructure 10.0.10/24, NSX Controller, Virtual Network 10.0.30/24, VM at 10.0.30.21, SAN
Recovery Site: Physical Network Infrastructure 10.0.20/24, NSX Controller, Virtual Network 10.0.30/24, VM at 10.0.30.21, SAN
1. Snapshot VM
2a. Replicate VM & Storage (steps 1 & 2 e.g. VMware SRM)
2b. Snapshot Network & Security
3. Recover the VM: Network & Security already exists (RTO reduced by 80%)
Support for Physical Workloads and VLANs
Non-Disruptive Deployment
The Power of Distributed Network & Security Services & Policies
Problem: Data Center Network Security
Perimeter-centric network security has proven insufficient, and micro-segmentation is operationally infeasible
Insufficient: Little or no lateral controls inside perimeter
Operationally Infeasible
Why traditional approaches are operationally infeasible…
Diagram labels: Internet; Perimeter Firewalls
• Create firewall rules before provisioning
• Update Firewall rules when move or change
• Delete firewall rules when app decommissioned
• Problem increases with more East-West traffic
How an SDDC approach makes micro-segmentation feasible
Diagram labels: Internet; Perimeter Firewalls; Security Policy; Cloud Management Platform
There is a BIG difference…
NSX Distributed Firewalling Performance
20 Gbps Per Host of Firewall Performance with Negligible CPU Impact
80K CPS with 100+ Rules per Host
A Typical Virtual Appliance does ~6K CPS per VM; a Physical Appliance performs 300K – 400K CPS per appliance
Align type of controls to what you are protecting
Isolation: No Communication Path between Application A and Application B
Explicit Allow Comm.: App Tier to DB Tier (e.g. TCP 1433)
Secure Communications: Service Insertion (NGFW, IPS)
Advanced Services Insertion – Example: Palo Alto Networks NGFW
Diagram labels: Internet; Security Policy; Traffic Steering
Intelligent grouping
Groups defined by customized criteria: Operating System, Machine Name, Application Tier, Services, Security Posture, Regulatory Requirements
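The two preceding slides make one point: controls are attached to groups defined by workload attributes (application, tier, OS, services), with isolation between applications and an explicit allow from the app tier to the DB tier on TCP 1433. The following Python model is an added example, not NSX code and not the NSX API; it assumes a toy VM record, a first-match rule table with default deny, and group predicates written as plain Python lambdas. It shows why the firewall-rule lifecycle problems from the earlier slide (rules before provisioning, updates on move, deletes on decommission) disappear when rules reference groups rather than IP addresses: a VM that changes IP or a newly provisioned VM in the same tier is covered without touching a single rule.

```python
"""Attribute-based micro-segmentation policy model (added example, not NSX's own code).

Groups are predicates over VM attributes; rules reference groups, never IPs.
First matching rule wins; anything unmatched is denied (default deny).
"""
from dataclasses import dataclass, replace
from typing import Callable, Dict, List, Set


@dataclass(frozen=True)
class VM:
    """Constructed workload record; the attribute set is an assumption."""
    name: str
    ip: str
    os: str
    app: str       # application the VM belongs to, e.g. "A" or "B"
    tier: str      # "app" or "db"
    services: frozenset = frozenset()


Predicate = Callable[[VM], bool]


@dataclass(frozen=True)
class Rule:
    name: str
    src_group: str
    dst_group: str
    proto: str     # "tcp", "udp" or "any"
    port: int      # 0 means any port
    action: str    # "allow" or "deny"


class PolicyEngine:
    def __init__(self) -> None:
        self.groups: Dict[str, Predicate] = {}
        self.rules: List[Rule] = []

    def define_group(self, name: str, predicate: Predicate) -> None:
        self.groups[name] = predicate

    def add_rule(self, rule: Rule) -> None:
        self.rules.append(rule)

    def groups_of(self, vm: VM) -> Set[str]:
        """Membership is evaluated from attributes at enforcement time, not stored."""
        return {name for name, pred in self.groups.items() if pred(vm)}

    def evaluate(self, src: VM, dst: VM, proto: str, port: int) -> str:
        src_groups, dst_groups = self.groups_of(src), self.groups_of(dst)
        for r in self.rules:
            if (r.src_group in src_groups and r.dst_group in dst_groups
                    and r.proto in ("any", proto) and r.port in (0, port)):
                return r.action
        return "deny"  # default deny: no path unless explicitly allowed


def build_engine() -> PolicyEngine:
    """Policy mirroring the slide: isolate App A from App B, allow app tier -> DB tier on TCP 1433."""
    e = PolicyEngine()
    e.define_group("app-a", lambda vm: vm.app == "A")
    e.define_group("app-b", lambda vm: vm.app == "B")
    e.define_group("app-a-app-tier", lambda vm: vm.app == "A" and vm.tier == "app")
    e.define_group("app-a-db-tier", lambda vm: vm.app == "A" and vm.tier == "db")
    # Explicit allow: only the app tier may reach the DB tier, only on TCP 1433.
    e.add_rule(Rule("a-app-to-db", "app-a-app-tier", "app-a-db-tier", "tcp", 1433, "allow"))
    # Explicit isolation between applications (also covered by default deny, kept for clarity).
    e.add_rule(Rule("isolate-a-from-b", "app-a", "app-b", "any", 0, "deny"))
    return e


# Constructed sample workloads; the 10.0.10.21 / 10.0.30.21 addresses echo the DR slides.
WEB_A = VM("web-a-01", "10.0.10.21", "linux", "A", "app", frozenset({"http"}))
DB_A = VM("db-a-01", "10.0.10.50", "windows", "A", "db", frozenset({"mssql"}))
WEB_B = VM("web-b-01", "10.0.10.60", "linux", "B", "app", frozenset({"http"}))


def relocate(vm: VM, new_ip: str) -> VM:
    """Simulate a move or DR recovery that changes the VM's IP but not its identity."""
    return replace(vm, ip=new_ip)


def provision(name: str, ip: str, app: str, tier: str) -> VM:
    """Simulate a newly provisioned VM that has never been referenced by any rule."""
    return VM(name, ip, "linux", app, tier)


if __name__ == "__main__":
    engine = build_engine()
    before = len(engine.rules)
    print("app->db tcp/1433 :", engine.evaluate(WEB_A, DB_A, "tcp", 1433))   # allow
    print("app->db tcp/22   :", engine.evaluate(WEB_A, DB_A, "tcp", 22))     # deny
    print("A->B tcp/80      :", engine.evaluate(WEB_A, WEB_B, "tcp", 80))    # deny
    moved = relocate(WEB_A, "10.0.30.21")
    print("after IP change  :", engine.evaluate(moved, DB_A, "tcp", 1433))   # allow
    new = provision("web-a-02", "10.0.10.22", "A", "app")
    print("new VM, no edits :", engine.evaluate(new, DB_A, "tcp", 1433))     # allow
    print("rules unchanged  :", len(engine.rules) == before)                 # True
```

The design choice that matters is in `groups_of`: membership is computed from attributes at evaluation time, so the rule table stays constant across moves, IP changes and new provisioning; the operational burden shifts from maintaining rules to maintaining accurate workload attributes, which is what the "intelligent grouping" criteria on the slide supply.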
Automated Security in a Software-Defined Data Center: Data Center Micro-Segmentation
Benefits of Taking a Software Defined Data Center Approach
Security: Micro-segmentation, DMZ Anywhere, Secure End User. Value: Secure infrastructure at 1/3 the cost
Speed & Agility: IT Automating IT, Developer Cloud, Multi-tenant Infrastructure. Value: Reduce infrastructure provisioning time from weeks to minutes
Application Continuity: Disaster Recovery, Metro Pooling, Hybrid Cloud Networking. Value: Reduce RTO by 80%
NSX partner ecosystem
Physical Infrastructure
Security
Operations
Application Delivery
Thank you