VMworld 2013. Arun Goel, VMware; Serge Maskalik, VMware. Learn more about VMworld and register at http://www.vmworld.com/index.jspa?src=socmed-vmworld-slideshare
Virtualized Network Services Model
with VMware NSX
Arun Goel, VMware
Serge Maskalik, VMware
NET5270
#NET5270
Agenda
Introduction
NSX Edge Gateway
• Routing & Firewalling
• LB
• VPN
Scale & Operations
vCloud Hybrid Service Deployment
Introduction
What is this session about?
(Architecture diagram: VMware vCD® and VMware vCAC® above the NSX API; NSX Controller & NSX Manager; the NSX Edge Gateway providing L2 Gateway, Firewall, ADC/LB, Endpoint Security, L3 Gateway and VPN services; VMs on VMware vSphere®, KVM, XEN and Hyper-V hosts; all running over any network hardware.)
Drivers – Cloud Scale and Agility
Cloud requires Automation
• Rapidly provision at any point in the network
• Self-Service with tenant isolation
Automation needs the ability to Reproduce
• Build for machines – REST APIs, not CLI
• Standard Hardware – x86, not ASICs
Replication needs Simplification
• Simple feature set – cloud use cases with High Availability & Performance
• Single Management Plane – simplify operations
Simplify, Reproduce and Automate to achieve Cloud Scale
Use Cases
(Topology diagram: a Perimeter NSX Edge (HA, FW, NAT, VPN, LB Services) facing External Networks with OSPF and BGP peering; L2 VPN; a Logical Distributed Router with Web, App and DB tiers on Logical Switches; LB; an L2 Bridge between a Bridged Logical Switch and a Bridged VLAN; a VM Transit Logical Switch; a Management VLAN.)
The Services Journey
(Timeline diagram: 2010, 2011, 2012, 2013; adoption stages Science Fiction, Innovators, Early Adopters, Early Majority¹, Mainstream²)
• Baseline FW/Router
• LB – Scale, Performance, SSL, L7++
• 10G Firewall
• L2VPN
• Dynamic Routing – OSPF, BGP, IS-IS
• IPv6

• Enterprise Grade Firewall
• L7 LB
• SSL VPN
• Advanced NAT
• Static Routing
• Compliance
• Certifications
• IPSec VPN – H/W Accel

• Enhanced FW
• Basic LB
• Basic VPN
• Basic NAT
¹ Bundled with vCloud Suites
² Fortune 50 in Production
NSX Edge Gateway
Edge Gateway Highlights
• Multi-tenant/multi-context
• Optimal placement
• Run-time re-balancing
• Perpetual redundancy
• Advanced resource isolation
• Scalable MGMT – 2500 multi-tenant instances
Best of Breed
• AES256 at 2 Gb/s; 100k CPS FW/NAT/LB; 10 Gb/s+ per tenant
• 512 Edge contexts per node maximum × nodes in rack
• 960 Gb/s encryption & 300 Gb/s FW/NAT/LB per rack
• Reasonable way to get to 500M concurrent connections
• State-of-the-art resource/perf isolation via vSphere
• Best placement, dynamic balancing, 1+1 redundancy

NSX Edge Gateway
NSX Edge Gateway: Cloud ready integrated network services
(Diagram: Firewall, Load Balancer, VPN, Routing and L2/L3 Gateway services delivered by the Edge Gateway to VMs.)
Overview
• Integrated L3 – L7 services from VMware
• Virtual appliance model allows cloud agility and scale-out
Benefits
• Real time service instantiation
• Support for dynamic service differentiation per tenant/application
• Uses x86 compute capacity
Logical Firewall/Routing
Features
• OSPF/eBGP/iBGP/IS-IS
• Virtualization and identity context firewall
Scale & Performance
• Remove hairpins and bottlenecks
• Line rate performance with distributed scale-out architecture
Use Cases
• Create on-demand networks to speed up application provisioning
(Diagram: L2 segments for Tenant A, Tenant B and Tenant C.)
Attend the following sessions for more details:
• SEC – 5293
• SEC – 5294
• NET – 5266
Logical Firewall
(Diagram, shown over two slides: a vApp with WebServer, AppServer and DbServer on a vApp Network; firewall rules Deny and Allow govern the traffic between them.)
Logical Load Balancing
(Diagram: a load balancer in front of Web 1, Web 2 and Web 3.)
Features
• TCP, HTTP, HTTPS with Stateful HA
• Multiple Virtual IPs, each with a separate server pool and configuration
• Multiple load balancing algorithms
• Multiple Session Persistence methods
• Configurable health checks
• Application Rules
• SSL Termination with Certificate Management
• Transparent/Full Proxy Mode
• IPv6
Scale & Performance
• 10 Gb/s throughput
• 50,000 CPS
• 1M Concurrent Connections
Use Cases
• Per Tenant Cloud LB
• Dynamic VIP for applications
Logical Load Balancing
(Diagram: a Load Balancer distributing requests to WebServer-1 and WebServer-2 in a vApp on a Routed or Direct vApp Network.)
Logical Load Balancing
(Diagram: a Load Balancer on a regular Edge attached to the VDC Network distributing requests to WebServer-1 and WebServer-2 in a vApp on an Isolated vApp Network.)
Logical User (SSL) and Site-to-Site (IPsec) VPN
Features
• Interoperable IPsec tested with major vendors
• Clients on all major OS (Win, Apple, Linux)
• Remote Authentication via Active Directory, RSA SecurID, LDAP, RADIUS
• TCP Acceleration
• Encryption – 3DES, AES128, AES256
• AES-NI H/W Offload
• NAT & Perimeter Firewall Traversal
Scale and Performance
• High Performance – AES-NI acceleration
• 2 Gb/s throughput per tenant
Use Cases
• Cloud to Corporate
• Cloud On-boarding
• Remote Office/Branch Office
• Remote Management
(Diagram: SSL and IPsec VPN tunnels across the Internet/WAN.)
Logical L2 VPN
Features
• SSL-based
• Web-proxy Support
• L2 Bridge to Cloud
• Broadcast support
Scale & Performance
• High Performance – AES-NI acceleration
• 2 Gb/s throughput per tenant
Use Cases
• Cloud On-boarding
• Cloud Bursting
(Diagram: VMs bridged over the Internet/WAN to a Public Cloud.)
So What?
(Diagram, shown over two slides: the Use Cases topology revisited, with VM, Management VLAN, L2 VPN, BGP and External Networks.)
Simplify, Replicate and Automate to achieve Cloud Scale
NSX Integrated Partners
(Diagram: VMware vCD® and VMware vCAC® above the NSX API; NSX Controller & NSX Manager; Partner Extensions covering L2 Gateway, Firewall, ADC/LB, IDS/IPS, AV/FIM and Vulnerability Management Security Services.)

Scale and Operations
NSX Edge Gateway – Line-rate Performance
Test: HTTP/1.1, 10 requests per session, fetching a 200 KB web page at 7000 CPS
H/W: HP DL380 G8, Intel E5-2690 2.9 GHz 8-core × 2 sockets, Intel 82599 (Niantic) NIC
Config: HA on, 366 NAT/FW rules, one uplink and one downlink vNIC
Operations
• Centralized Management for 2000 appliances
• CLI – for the humans
• Analytics using vCOps
• Syslog (Load Balancer, Firewall)
Edge Operations in vCOps
(Screenshot)

vCHS
About vCloud Hybrid Service (vCHS)
Goals
Support of thousands of tenants
Scalable physical hardware
Plan for capacity growth
• Traffic flows
• Data usage
Elastic design (SDDC, SDN)
• Minimize dependencies on proprietary hardware
• Use high bandwidth connections
• Exploit VMware's software intelligence to deliver a complete SDDC
Objectives
Maximize cost effectiveness
Maximize hardware utilization
(Diagram: the Software-Defined Data Center stack, Management and Automation over Compute, Storage and Availability, and Network and Security, spanning Private Clouds and Public Clouds. Hybrid Cloud: seamlessly extend your data center to the public cloud. Virtual Workspace: manage access to services, applications and data for any device. The New Role for IT: IT as a Service. Software-Defined Data Center: virtualize the entire data center.)
vCHS Edge
Why Edge?
• Evaluated leading hardware and software vendors to build the service
• Edge was the only multiservice device that could be rapidly deployed, meet scalability needs and integrate with vCD and vSphere
Features Deployed (vCNS 5.1)
Firewall
• Distributed scale of rules
Load Balancing
• Web Server LB
• Dynamic per tenant
VPN
• IPSEC Tunnel
• SSL VPN
• DCE – L2 VPN
L3 Gateway
• Static routes
• Default gateway
Looking forward – NSX: what are we excited about?
• Performance and scalability increases for Firewall, Load Balancer, Router and VPN
• Dynamic routing – support for BGP
• Layer 7 load balancing – SSL termination
Questions?
To get a complete understanding of NSX optimized for vSphere, check out:
Network Virtualization
• NET5266 - Network Virtualization for vSphere environments with VMware NSX
Integrating 3rd Party Services in NSX
• NET5522: NSX Extensibility: Network and Security Services from 3rd-Party Vendors
NSX Operations and Troubleshooting (Advanced Technical)
• NET5790: Operational Best Practices for NSX in VMware Environments
• NET5654: Troubleshooting VXLAN and Network Services in a Virtualized Environment
THANK YOU