Humair Ahmed, VMware NSBU (@Humair_Ahmed)
NET1190BU
#VMworld #NET1190BU
Multisite Networking and Security with Cross-VC NSX – Part 1
VMworld 2017 Content: Not for publication or distribution
Disclaimer
• This presentation may contain product features that are currently under development.
• This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.
• Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.
• Technical feasibility and market demand will affect final delivery.
• Pricing and packaging for any new technologies or features discussed or presented have not been determined.
#NET1190BU CONFIDENTIAL
NSX Customer Use Cases
• Security (inherently secure infrastructure): Micro-segmentation, DMZ Anywhere, Secure End User
• Automation (IT at the speed of business): IT Automation, Developer Cloud, Multi-tenant Infrastructure
• Application continuity (data center anywhere): Disaster Recovery, Multi Data Center Pooling, Cross Cloud
Related sessions: Multisite Networking and Security with Cross-VC NSX: Part 2 (NET1191BU); Disaster Recovery Solutions with NSX (NET1188BU)
NSX customer examples across the Security, Automation and App Continuity use cases (Micro-segmentation, Secure End User, DMZ Anywhere; Automating IT, Developer Cloud, Multi-tenant Cloud; Disaster Recovery, Multi Data Center Pooling):
• Armor: building a security-as-a-service public cloud
• Columbia: $2M in savings and counting
• Vallejo Sanitation and Flood: NSX + AW + Horizon, 2 people managing all of IT from their cell phones
• University of New Mexico: centralization of IT from more than 100 disjointed departments
• Shutterfly: self-service multi-tenant environment handling a 400% increase in seasonal demand
• CNRA: multi-tenancy for critical state infrastructure
• Baystate Health: 3 data centers running as 1
• Sugar Creek: workload mobility between Active-Active data centers
• Aerodata: simplified disaster recovery
• EMC EHC: disaster recovery leveraging RP4VM / SRM
• iland: leveraging NSX for DRaaS
Connectivity Between Sites
• NSX Solutions:
– Multi-Data Center (Active/Active):
• Separate/Stretched Cluster(s) with NSX
• Cross-VC NSX
– Public Cloud: IPsec, L2VPN, Cross-VC NSX
– Branch Offices: IPsec VPN
– Remote Users: SSL VPN
• Considerations:
– Bandwidth between entities
– Latency between sites
– MTU considerations
– Administrative domain
[Diagram: Headquarters with Data Center 1 and Data Center 2, Branch Offices, Remote Users and a Cloud Provider, all connected over the Internet / WAN]
Related sessions: Enabling the Software-Defined ROBO with VMware NSX (NET1783BU); NSX and VMware Cloud on AWS: The Path to Hybrid Cloud (LHC2105BU); IBM Cloud - Automated and Simplified Disaster Recovery (LHC2432BU)
Agenda
1 The Medieval Days of Multisite
2 The Multisite Revolution with NSX
3 Cross-VC NSX Use Cases
4 Cross-VC NSX Architecture
5 Multi-site Networking with Cross-VC NSX
6 Multi-site Security with Cross-VC NSX (with Demo)
7 3rd Party Services for Multisite
8 Summary / Q&A
Related session: Multisite Networking and Security with Cross-VC NSX – Part 2 (NET1191BU)
The Medieval Days of Multisite
[Diagram: Site 1 (Winterfell) and Site 2 (King's Landing) hosting a Web/App/DB application, connected by L2 over dark fiber, VPLS instances over an MPLS backbone, or L2 over L3 (OTV); ACLs, DNS, application dependencies, security policies and the load balancer all need to be updated. "Winter is coming. Protect the workloads!"]
• Change application IP addresses
• Re-configure the physical network for L2-L3 connectivity requirements
• Re-create security policies
• Update other physical device configuration (ex: load balancer)
• Additional update/re-configuration (ACLs, DNS, application IP dependencies, etc.)

• Expensive (hardware based)
• Complex and/or proprietary
• Not agile: changes typically require long lead times and are error prone
• Operationally challenging
• Only addresses the network (not compute)
• Per-device configuration
• Lack of flexibility and automation
Not a holistic solution: focused only on the network and per-device configuration, and lacking automation and flexibility.
2 The Multisite Revolution with NSX
Multisite with NSX: Active - Standby Model
Run apps for periods of time in a specific DC.
[Diagram: Active - Standby model. Universal logical switches (ULS VNI 7000, 8000 and 9000), a UDLR and a UDFW span both data centers; the Web/App/DB application tiers (APP A, APP B, APP C) run in the active data center while the other data center is on standby.]
Multisite with NSX: Active - Active Model
Application active on both sides.
[Diagram: Active - Active model with the same ULS (VNI 7000, 8000 and 9000), UDLR and UDFW spanning both data centers; the Web/App/DB application tiers run in both data centers.]
Traditional Networking for Multisite Solutions vs. NSX Platform for Multisite Solutions
Traditional approaches are expensive, hardware-based, complex, operationally challenging, and/or require long lead times. Ex:
▪ L2 over dark fiber
▪ VPLS over MPLS backbone
▪ Hardware-based solution (OTV)
These are not holistic solutions: they focus only on the network and per-device configuration, and lack automation and flexibility.
What's needed is a software-based approach which can provide:
➢ Decoupling from physical hardware
➢ Ease of deployment
➢ Ease of use
➢ Better security with micro-segmentation
➢ Leverage of higher-level security constructs
➢ Flexibility
➢ High degree of automation
➢ Rapid deployment/recovery and productivity
➢ Ease of testing apps / testing the DR plan
➢ Extensive partner ecosystem for services
➢ Integration with other DR & SDDC components (SRM, vSphere hypervisor, vRealize Suite, etc.)
3 Cross-VC NSX Use Cases
Cross-VC NSX Use Cases
1.) Workload Mobility
Since logical networking and security can span multiple vCenter domains and multiple sites:
• Cross-VC NSX allows for enhanced workload mobility across Active-Active data centers
• Workloads can now be moved between vCenter domains/sites on demand (ex: data center migration, data center upgrades/security patches, disaster avoidance, etc.)
Cross-VC NSX Use Cases
2.) Resource Pooling / Active-Active
• Resources are no longer isolated based on vCenter boundaries
• Allows for the ability to access and pool resources from multiple vCenter domains
• Allows for better resource utilization
[Diagram: resource pooling and better utilization of idle capacity]
Cross-VC NSX Use Cases
3.) Unified Networking and Security Policy
• Enables a consistent security policy across vCenter boundaries and sites
• Users are no longer required to manually replicate security policies across domains/sites
• Ease of security automation across multiple sites (one API call)
• Can use higher-level security constructs in security policies
[Diagram: synchronization of policy across NSX Managers; automated Universal Security Group and Universal Security Rule creation via a script calling the NSX REST API]
Cross-VC NSX Use Cases
4.) Disaster Recovery
• No longer need to re-IP the application or do any manual mapping of networks
• No need to manually replicate security policies
• NSX also has tight product integration with VMware SRM
[Diagram: application recovery with the IP address maintained and consistent security]
Related session: Disaster Recovery Solutions with NSX (NET1188BU)
4 Cross-VC NSX Architecture
Cross-VC NSX – Network Architecture
[Diagram: vCenter A with NSX Manager A (Primary, running the USS), vCenter B with NSX Manager B (Secondary) through vCenter H with NSX Manager H (Secondary), a Universal Controller Cluster, and ESX hosts at each site. Universal object configuration is done through the NSX UI & API.]
Control and management channels shown in the diagram:
• NSX Manager REST API: TLS / TCP 443
• vSphere API (NSX Manager to vCenter): TLS / TCP 443
• AMQP message bus (NSX Manager to ESX hosts): TLS / TCP 5671
• NSX Controller REST API (NSX Manager to controllers): TLS / TCP 443
• NSX Control Plane Protocol (ESX hosts to controllers): TLS / TCP 1234
Universal Controller Cluster (UCC): a three-controller cluster that maintains information about local and universal logical objects across multiple vCenter domains.
Cross-VC NSX – Network Architecture
• Each NSX Manager maintains a connection to each of the controllers. The connection status can be seen in the Status column.
• The Manager connects to the controllers to push relevant logical networking configuration to them.
• Also, a periodic keep-alive is done to monitor the state of the controller cluster and surface disk latency alerts.
[Screenshots: controller cluster status as seen from the Primary NSX Manager and from a Secondary NSX Manager]
Cross-VC NSX – Network Architecture
Universal Transport Zone (UTZ): defined from NSX Manager as the span of universal logical objects across vSphere clusters.
Universal Logical Switch (ULS): a logical switch able to span multiple vCenter domains; allows for logical L2 across multiple vCenter domains.
Universal Distributed Logical Router (UDLR): the same as a distributed logical router (DLR) but able to span multiple vCenter domains; allows for L3 connectivity between universal logical switches.
Cross-VC NSX – Security Architecture
[Diagram: NSX Manager A (Primary, running the USS), NSX Manager B (Secondary) and NSX Manager H (Secondary), each connected to its vCenter over the vSphere API (TLS / TCP 443) and to its ESX hosts over the AMQP message bus (TLS / TCP 5671); universal configuration enters through the NSX UI & API / NSX Manager REST API (TLS / TCP 443).]
UDFW rule propagation:
1. UDFW rule created on the primary NSX Manager
2. UDFW rule stored in the primary's local database
3. UDFW rule pushed to the primary's local ESXi hosts via the message bus; in parallel, the USS synchronizes the UDFW rule to the secondary NSX Managers
4. On each secondary NSX Manager, the UDFW rule is stored in the local database
5. On each secondary NSX Manager, the UDFW rule is pushed to the local ESXi hosts via the message bus
Key Cross-VC NSX Concepts
Universal Distributed Firewall (UDFW): a distributed firewall (DFW) spanning vCenter boundaries; provides consistent security policies across all vCenter domains/sites.
Universal Firewall Rules: DFW rules configured under the Universal section of the DFW; they apply across vCenter boundaries.
5 Multi-site Networking with Cross-VC NSX
Multi-site, Multi-vCenter, Active-Passive Site Egress
[Diagram: route updates with a single active egress site]
Multi-site, Multi-vCenter, Active-Active Site Egress
[Diagram: route updates carry a Locale ID at each site; OSPF / BGP peering with the physical network at both sites]
Flexibility with Multi-site Deployments
• Tenant 1: Active/Passive site egress via dynamic routing
• Tenant 2: Active/Passive site egress via dynamic routing
• Tenant 3: Active/Active site egress via local egress
NSX Control Plane Resiliency: CDO Mode
[Diagram: a Universal Transport Zone spanning Site 1 and Site 2; Host 1 and Host 2 sit in separate VDS clusters and are attached to the Universal App Logical Switch (VNI 90000) served by the Universal Controller Cluster.]
• Without CDO (Controller Disconnected Operation) mode: while the hosts cannot reach the controller cluster, the existing VM's ping still succeeds, but the ping for a VM powered on or vMotioned to Host 2 fails.
• With CDO mode: BUM traffic is still forwarded, the ping succeeds, and there are no issues when powering on a VM on Host 2 or vMotioning a VM to Host 2.
6 Multi-site Security with Cross-VC NSX (with Demo)
Cross-VC NSX – Multi-site Security
Universal Distributed Firewall (UDFW): a distributed firewall (DFW) spanning vCenter boundaries and providing consistent security policies across all vCenter domains/sites.
Universal Firewall Rules: DFW rules that are configured under the Universal section of the DFW and apply across vCenter boundaries.
Universal Network and Security Grouping Objects: the Universal section of the DFW supports the following network and security objects:
• Universal IP Sets
• Universal MAC Sets
• Universal Security Groups
• Universal Services
• Universal Service Groups
• Universal Security Tags (static inclusion)
• VM Name (dynamic inclusion)
Cross-VC NSX – Multi-site Security
[Screenshot: applying a UDFW rule]
NSX-V 6.3: Cross-VC NSX DFW Enhancements
General Enhancements:
• Multiple UDFW Sections
• ApplyTo can use Universal SGs
New Support for Active-Standby Use Cases (DR):
• Universal Security Tags
• Universal Security Groups using Universal Security Tags (static membership)
• Universal Security Groups using VM Name (dynamic membership)
Multiple Universal Sections
• Prior to NSX-V 6.3, there could only be one Universal DFW Section
• Starting with NSX-V 6.3, there can be multiple Universal DFW Sections
Efficiency in terms of:
1. rules are synchronized per universal section
2. rules can easily be organized per tenant/application
Multiple Universal Sections
• All Universal DFW Sections are always on top – even on the Primary NSX Manager
• Adding a DFW section above a UDFW section will automatically make it a Universal section
ApplyTo
• Prior to NSX-V 6.3, ApplyTo only supported Universal Logical Switch for UDFW.
• In NSX-V 6.3, ApplyTo now also supports Universal Security Groups with new matching criteria:
- VM Name (Dynamic)
- Security Tag (Static)
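As an added example (not part of the NET1190BU deck and not a VMware tool), the checks below take a per-manager view of the DFW sections and verify three invariants the preceding slides state: universal sections sit on top, universal rules and their ApplyTo reference only universal objects (a ULS or a Universal Security Group), and every secondary holds a rule-for-rule copy of the primary's universal sections after USS synchronization. The data model, object names and rule IDs are all constructed.

```python
# Added example, not from the NET1190BU deck: offline consistency checks for a
# Cross-VC NSX universal DFW policy as exported from each NSX Manager. The data
# model and every sample object/rule are constructed; nothing calls the NSX API.
from collections import namedtuple

# Grouping objects the deck lists as supported in the Universal DFW section,
# and the only two kinds ApplyTo may use there (ULS or Universal Security Group).
UNIVERSAL_KINDS = {"IPSet", "MACSet", "SecurityGroup", "Service", "ServiceGroup", "SecurityTag", "VMName"}
APPLYTO_KINDS = {"LogicalSwitch", "SecurityGroup"}

Obj = namedtuple("Obj", "kind name universal")   # universal=True: synced by USS; False: local object
Rule = namedtuple("Rule", "rule_id src dst action apply_to", defaults=[()])
Section = namedtuple("Section", "name universal rules", defaults=[()])

def check_section_order(sections):
    """Universal sections must all sit above local sections on every NSX Manager."""
    seen_local, problems = False, []
    for s in sections:
        if not s.universal:
            seen_local = True
        elif seen_local:
            problems.append(f"universal section {s.name!r} is below a local section")
    return problems

def check_universal_refs(sections):
    """Universal rules may reference only universal objects; ApplyTo needs a ULS or Universal SG."""
    problems = []
    for s in (s for s in sections if s.universal):
        for r in s.rules:
            for o in r.src + r.dst:
                if not (o.universal and o.kind in UNIVERSAL_KINDS):
                    problems.append(f"rule {r.rule_id}: non-universal {o.kind} {o.name!r}")
            for o in r.apply_to:
                if not (o.universal and o.kind in APPLYTO_KINDS):
                    problems.append(f"rule {r.rule_id}: ApplyTo {o.name!r} is not a ULS/Universal SG")
    return problems

def check_sync(primary, secondary):
    """After USS sync a secondary must hold a rule-for-rule copy of the primary's universal sections."""
    snap = lambda secs: [(s.name, tuple(s.rules)) for s in secs if s.universal]
    return [] if snap(primary) == snap(secondary) else ["universal sections differ from primary (sync drift)"]

def audit(primary, secondaries):
    """Run all checks; returns {manager: [findings]} where an empty list means clean."""
    report = {"primary": check_section_order(primary) + check_universal_refs(primary)}
    for site, secs in secondaries.items():
        report[site] = check_section_order(secs) + check_sync(primary, secs)
    return report

# Constructed sample: two tenants' universal sections on the primary, two secondaries with defects.
WEB, APP = Obj("SecurityGroup", "U-Web-SG", True), Obj("SecurityGroup", "U-App-SG", True)
MGMT = Obj("IPSet", "Local-Mgmt-IPs", False)  # local object: not allowed in a universal rule
APP_ULS = Obj("LogicalSwitch", "Universal-App-ULS", True)
T1 = Section("U-Tenant1", True, (Rule(1001, (WEB,), (APP,), "allow", (APP_ULS,)),
                                 Rule(1002, (MGMT,), (APP,), "allow")))
T2 = Section("U-Tenant2", True, (Rule(1003, (APP,), (WEB,), "block"),))
PRIMARY = [T1, T2, Section("Site-A-Local", False)]
SECONDARY_B = [T1, Section("Site-B-Local", False), T2]  # local section placed above a universal one
SECONDARY_H = [T1, Section("U-Tenant2", True), Section("Site-H-Local", False)]  # stale, empty copy of T2
```

Running `audit(PRIMARY, {"B": SECONDARY_B, "H": SECONDARY_H})` flags the local IP set in rule 1002 on the primary, the section ordering on B, and the stale tenant section on H.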
Universal Security Groups Using Security Tags and VM Name
NSX Security: Leveraging Higher-Level Security Constructs
Ex: Universal Security Tags
1. On the Primary NSX Manager: configure the Unique ID Selection Criteria
2. On the Primary NSX Manager: create the Universal Security Tag
3. On the Primary NSX Manager: statically attach the security tag(s) to the respective VM(s)
4. Security Tags are synchronized between the Primary and Secondary NSX Managers
5. On the Secondary NSX Manager: Security Tags are attached to the respective VMs based on the Unique Selection Criteria
Demo Placeholder
7 3rd Party Services for Multisite
VMware NSX + Palo Alto Networks for Advanced Multisite Security
Multi-site Security Policy
[Diagram: a Security Policy Management Layer at each site]
[Diagram: a Security Policy Management Layer deployed with HA (Active / Standby)]
VMware NSX + F5 Networks for Active/Active Designs
[Diagram: lab topology. Site 1 (Palo Alto, CA) with NSX Manager 1 (Primary) and Site 2 (San Jose, CA) with NSX Manager 2 (Secondary), each with its own vCenter, two compute clusters, an edge cluster, a compute VDS and an edge VDS; a management vCenter and a Universal Controller Cluster. A Universal Transport Zone, the Universal Distributed Firewall (UDFW) and a Universal Distributed Logical Router (UDLR) with a Universal Control VM span both sites, carrying Universal Web/App/DB logical switches at each site and a universal transit network; a summary route is advertised upstream via iBGP with different BGP weights per site and eBGP to the physical network. A BIG-IP DNS VE runs at each site, with management, dataplane, internal/external and floating IPs for the Web tier, and an HA link between units.]
8 Summary / Q&A