
Practical Path to VMware NSX

Nimish Desai - NSBU, VMware


Disclaimer
• This presentation may contain product features that are currently under development.
• This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.
• Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.
• Technical feasibility and market demand will affect final delivery.
• Pricing and packaging for any new technologies or features discussed or presented have not been determined.

© Copyright 2017 Dell Inc.


Session Agenda

1 NSX introduction and use cases

2 NSX security and micro-segmentation

3 Automation with VMware NSX

4 Application continuity with NSX

5 NSX operations

6 Close

NSX is growing in momentum
• 2,400+ customers, 100% YoY growth
• License bookings: >50% YoY growth in Q4 (Q416)
• Broad adoption: small, mid- and large enterprises across all verticals

NSX customer use cases
• Security – inherently secure infrastructure: micro-segmentation, secure end user, DMZ anywhere
• Automation – apps at the speed of business: IT automating IT, developer cloud, multi-tenant infrastructure
• Application continuity – data center anywhere: disaster recovery, multi data center pooling, cross cloud


NSX vision
• Unified management and policy framework with ecosystem: connectivity, security, availability
• Any application: traditional applications, cloud-native applications
• Any compute platform
• Any infrastructure: converged infrastructure, hyper-converged infrastructure, build-your-own infrastructure
NSX Architecture and Components
• Cloud consumption: self-service portal (vRealize Automation, OpenStack, vCloud Director, custom CMP)
• Management plane (vCenter Server, NSX Manager): single configuration portal; REST API entry-point
• Control plane (NSX Controller, NSX Edge): manages logical networks; control plane protocol; separation of control and data plane; the controller is not in the data path
• Data plane (VDS, hypervisor kernel modules, HW VTEP; distributed services: logical switch, logical router, distributed firewall): high-performance data plane; scale-out distributed forwarding model; flexibility for connecting logical networks to the physical network
How do I get started with NSX?
1 Learn about NSX
2 Start small and grow
3 Leverage best practices and validated designs
Start Small with Specific Use Case
Three starting points, each connected to WAN/Internet through L2/L3 into the data center:
• Single cluster with NSX (hosts 1 to x): VDI micro-segmentation, security only; DEV/QA services and security; satellite/ROBO
• Separate compute cluster with a common edge and management cluster (hosts 1 to y): NSX Manager; ESG for LB/security; one or two racks
• Dedicated management, Internet/L3 edge and compute clusters (compute cluster up to host 32): multi-workload and VDI; multi-rack QA/DEV; grow to a large DC
Flexible, Scalable, Secure & Multi-use
• Flexibility – DLR, stand-alone, services & isolation
  – DLR for production workload
  – DevOps & QA isolation
  – Per app services
  – Automated DevOps segments
• Scalability
  – ECMP bandwidth as needed
  – Edge HA based on use case
  – In-line routed LB segment
  – In-line NAT & private segment
• Secure
  – DFW and Edge FW
  – Multi-vendor integration
  – Automation – blueprints and security
• Multi-use topology
  – VDI segments
  – Enterprise workload
Topology shown: external networks with dynamic routing (OSPF, BGP) to ECMP Edges; a Distributed Logical Router with routed Web, App and DB logical switches (172.16.10.0/29, 172.16.10.8/29, 172.16.10.16/29); an in-line LB with routed Web, App and DB logical switches (172.16.20.0/29, 172.16.20.8/29, 172.16.20.16/29); and an in-line NAT Edge with a NAT Web logical switch and private App and DB logical switches (172.16.100.0/24, 172.16.101.0/24, 172.16.102.0/24).

NSX Reference Design 3.0 https://communities.vmware.com/docs/DOC-27683


NSX customer use cases – Security
Inherently secure infrastructure: micro-segmentation, secure end user, DMZ anywhere


NSX Security Architecture Overview
Any app, any VM, anywhere: DFW, Service Composer, Security Policy, Security Groups and the partner eco-system
• Design and architectural benefits
  – Built-in and not bolted on
  – On-demand and dynamic security enforcement
  – Follows the life cycle of resources
  – Run-time redirection and insertion
  – Topology independent, not tied to physical
  – DR and multi-site capable
  – Platform eco-systems
  – Protect, detect, inoculate – any application, any time, anywhere
NSX Micro-segmentation
• Isolation: no communication path between unrelated networks
• Segmentation: controlled communication path within a single network
• Advanced services: addition of third-party security from the NSX ecosystem, as needed by policy; compliance (PCI, HIPAA)
• Each VM can now be its own perimeter; policies align with logical groups; prevents threats from spreading
Securing east-west traffic within VDI environments
With VDI your data center has a much larger security surface area: the desktops sit inside the data center perimeter and talk east-west to each other and to the Internet-facing perimeter. A physical VDI security environment has a high cost, is hard to implement and is complex to manage.
NSX for VDI environments
• Desktop-to-desktop control
• Desktop-to-enterprise control
• Security services: agentless AV, NGFW, IPS
• Load balancing, edge firewall, NAT, VPN
• Elasticity to spin up new pools; capacity expansion
Secure DMZ
Delivering inherently secure infrastructure: secure user environments
Diagram: Internet, DMZ and data center perimeter.
• Business value: more secure, at 1/3 the cost of less secure infrastructure
• Security policies simplified
• Logical groups enabled
• Threats contained
Micro-segmentation simplifies network security
Diagram: perimeter firewall in front of the DMZ, inside firewall, and Finance, HR and Engineering App and DB tiers with shared services (AD, NTP, DHCP, DNS, CERT).
• Each VM can now be its own perimeter
• Policies align with logical groups
• Prevents threats from spreading
Security Evaluation Workflow
1. Prepare infrastructure for NSX
2. Create default rules to allow all and log traffic
3. Create shared services rules
4. On-board a new application or start with an existing application
5. Use the NSX toolset to dynamically determine the required ruleset
   a) Syslog
   b) IPFIX
   c) vRealize Network Insight
6. Create E-W intra-application or intra-zone rules
7. Continue for other applications or workloads
The cycle shown: identify group/apps/zone → decide default allow or deny & log → shared services rules → on-board new apps → monitor logs to refine/define rules → E-W intra-app rules.
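Steps 2, 5 and 6 of the workflow in code, as an added example that is not part of the deck or VMware's tooling: the "allow all and log" rule produces packet logs, and the script aggregates them into the candidate intra-application rules a security team would then review with the application owner. The log lines are constructed and modelled on the DFW packet-log (dfwpktlogs) syslog format, the rule id domain-c7/1001 is a placeholder for the default-allow rule, and the Web/App/DB tier subnets are the 172.16.10.0/29, /8/29 and /16/29 ranges from the routed topology earlier in the deck; in practice the tier mapping would come from security group membership rather than a static table.

```python
"""Derive candidate east-west DFW rules from "allow all and log" packet logs.

Added example (not VMware's code). Log lines are constructed and modelled on the
DFW packet-log (dfwpktlogs) syslog format; tier subnets are the Web/App/DB ranges
from the routed topology shown earlier in the deck.
"""
import ipaddress
import re
from collections import Counter
from typing import Dict, List, Optional

TIERS = {  # constructed tier mapping; in practice derive it from security group membership
    "web": ipaddress.ip_network("172.16.10.0/29"),
    "app": ipaddress.ip_network("172.16.10.8/29"),
    "db": ipaddress.ip_network("172.16.10.16/29"),
}

LOG_RULE_ID = "domain-c7/1001"  # placeholder id of the step-2 "default allow + log" rule

# Constructed sample: web->app on 8443, app->db on 3306, an ICMP probe web->db,
# an SSH connection from outside every known tier, and one non-SYN TCP packet.
SAMPLE_LOG = """\
2017-05-08T10:00:01Z esx-01 dfwpktlogs: 1A2B3C4D INET match PASS domain-c7/1001 IN 60 TCP 172.16.10.2/51234->172.16.10.10/8443 S
2017-05-08T10:00:02Z esx-01 dfwpktlogs: 1A2B3C4E INET match PASS domain-c7/1001 IN 60 TCP 172.16.10.3/51240->172.16.10.10/8443 S
2017-05-08T10:00:03Z esx-02 dfwpktlogs: 1A2B3C4F INET match PASS domain-c7/1001 IN 60 TCP 172.16.10.10/40001->172.16.10.18/3306 S
2017-05-08T10:00:04Z esx-02 dfwpktlogs: 1A2B3C50 INET match PASS domain-c7/1001 IN 60 TCP 172.16.10.10/40002->172.16.10.18/3306 S
2017-05-08T10:00:05Z esx-01 dfwpktlogs: 1A2B3C51 INET match PASS domain-c7/1001 OUT 84 ICMP 172.16.10.2->172.16.10.18 PROTO 1
2017-05-08T10:00:06Z esx-03 dfwpktlogs: 1A2B3C52 INET match PASS domain-c7/1001 IN 60 TCP 10.9.9.9/33333->172.16.10.18/22 S
2017-05-08T10:00:07Z esx-01 dfwpktlogs: 1A2B3C53 INET match PASS domain-c7/1001 IN 60 TCP 172.16.10.2/51250->172.16.10.10/8443 A
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) dfwpktlogs: (?P<flow>[0-9A-F]+) INET match "
    r"(?P<action>PASS|DROP) (?P<rule>\S+) (?P<dir>IN|OUT) (?P<len>\d+) "
    r"(?P<proto>TCP|UDP|ICMP) (?P<src>[\d.]+)(?:/(?P<sport>\d+))?->"
    r"(?P<dst>[\d.]+)(?:/(?P<dport>\d+))?(?: (?P<rest>.*))?$"
)


def parse_line(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Return the named fields of one packet-log line, or None if it is not one."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def tier_of(ip: str) -> str:
    """Map an address to its tier name; anything outside the known tiers is 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for name, net in TIERS.items():
        if addr in net:
            return name
    return "unknown"


def is_new_connection(rec: Dict[str, Optional[str]]) -> bool:
    """Count TCP only on the bare SYN so each connection attempt counts once."""
    if rec["proto"] == "TCP":
        return rec["rest"] == "S"
    return True


def derive_candidate_rules(log_text: str, rule_id: str = LOG_RULE_ID) -> List[dict]:
    """Aggregate logged flows into (src tier, dst tier, protocol, dst port) candidates."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "PASS" or rec["rule"] != rule_id:
            continue
        if not is_new_connection(rec):
            continue
        port = int(rec["dport"]) if rec["dport"] else None
        counts[(tier_of(rec["src"]), tier_of(rec["dst"]), rec["proto"], port)] += 1
    rules = []
    for (src, dst, proto, port), hits in sorted(counts.items(), key=lambda kv: (-kv[1], str(kv[0]))):
        rules.append({"src": src, "dst": dst, "proto": proto, "port": port, "hits": hits,
                      # a flow touching an address outside every known tier needs a human decision
                      "review": "unknown" in (src, dst)})
    return rules


def render_ruleset(rules: List[dict]) -> List[str]:
    """Human-readable proposal: explicit allows first, then the logged intra-app default deny."""
    lines = []
    for r in rules:
        svc = f"{r['proto']}/{r['port']}" if r["port"] is not None else r["proto"]
        flag = "  <-- REVIEW" if r["review"] else ""
        lines.append(f"allow {r['src']} -> {r['dst']} {svc} ({r['hits']} connections){flag}")
    lines.append("deny any -> any (log)")
    return lines


if __name__ == "__main__":
    for line in render_ruleset(derive_candidate_rules(SAMPLE_LOG)):
        print(line)
```

The proposal lists every observed tier-to-tier service with the number of connection attempts behind it, flags flows that touch an address outside the known tiers (the 10.9.9.9 SSH connection here) for a human decision, and closes with the logged deny that turns the "allow all and log" posture of step 2 into the segmented posture of step 6 once the allows have been agreed.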
Customer Story: Secure Datacenter connectivity
• The problem statement
Two data centers, each with its own perimeter to the Internet, hosting production, non-production, PCI and shared services environments.
CHALLENGES
1. Need to provide granular segmentation and reduce risk
2. Simplify access to shared services for new apps
3. Automate app deployment with security
Customer Story: Secure Datacenter connectivity
• NSX solution
IMPLEMENTATION
1. Start on the existing brownfield network
2. Map environments (PCI, shared services, non-production, production) to security groups
3. Security group for shared services
4. Leverage NSX security tagging to classify workloads
5. Simplify and automate by leveraging NSX Security Policy
NSX Customer References – Security
Security partners
• Tackle the security challenge of endpoints without end
• Learn how to put security at the very core of your organization with secure infrastructure
Hands on Labs: HOL-1703-SDC (NSX), 1723 (Palo Alto), 1724 (Check Point) and 1741 (Horizon VDI)
https://HOL.VMWARE.COM
NSX customer use cases – Automation
Apps at the speed of business: IT automating IT, developer cloud, multi-tenant infrastructure


Automating IT processes
Delivering IT at the speed of business: IT automating IT, multi-tenant infrastructure, developer cloud
NSX services consumed through management APIs and UI with policies, groups and tags: switching, routing/NAT, firewalling, load balancing, VPN, connectivity to physical networks, activity monitoring, data security
Business value: reduce infrastructure provisioning time from weeks to minutes
Traditional infrastructure provisioning with networking
Days to weeks of waiting for an infrastructure service, with manual efforts across several teams:
• Switch (NETOPS): connect Ethernet cables, configure switch port, VLANs, access control lists, assign IP addresses
• Router (NETOPS): configure router interface to connect to switch ports; configure routing protocols
• Firewall (SECOPS): connect networks to firewall appliances, configure firewall rules based on physical constructs, e.g. IP address and VLANs
• Load balancer (LOAD BALANCER ADMIN): connect networks to load balancer appliances, create and populate the load balancer pool, assign a virtual IP address to the external interface
NSX IT automation capabilities
• GUI: UI and workflow-based consumption of networking and security
• API: programmatic consumption; enables easy automation of both installation and deployment processes
• Cloud management platform: networking and security deployment as a part of application deployment
GitHub repo: https://powernsx.github.io/ & https://github.com/vmware/powernsx
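What "programmatic consumption" looks like for the security side, as an added example that is not the deck's or PowerNSX's code: build a DFW section of tier-to-tier allow rules between security groups, end it with a logged deny, and push it to NSX Manager with the optimistic-locking handshake the firewall API expects. The URL path (/api/4.0/firewall/globalroot-0/config/layer3sections) and the XML element names are modelled on the NSX-v 6.x firewall API and should be checked against the API guide for the version in use; the security group ids, section id and ETag value are constructed placeholders, and the HTTP client is injected so the code can be exercised offline with the DryRunSession stand-in.

```python
"""Build a DFW rule section and push it through the NSX Manager REST API.

Added example (not VMware's or PowerNSX's code). URL path and XML element names
are modelled on the NSX-v 6.x firewall API and are an assumption to verify against
the API guide for the version in use. Object ids and the ETag are constructed.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional, Sequence

FIREWALL_CONFIG = "/api/4.0/firewall/globalroot-0/config"  # assumed NSX-v path


@dataclass(frozen=True)
class DfwRule:
    name: str
    src_sg: str                 # security group object id, e.g. securitygroup-10 (constructed)
    dst_sg: str
    protocol: int               # IANA protocol number: 6 = TCP, 17 = UDP, 1 = ICMP
    dst_port: Optional[int] = None
    action: str = "allow"
    logged: bool = True


def _object(parent, tag: str, value: str, obj_type: str) -> None:
    """Append a typed object reference (<source>, <destination> or <appliedTo>)."""
    elem = ET.SubElement(parent, tag)
    ET.SubElement(elem, "name").text = value
    ET.SubElement(elem, "value").text = value
    ET.SubElement(elem, "type").text = obj_type
    ET.SubElement(elem, "isValid").text = "true"


def _rule(section, name: str, action: str, logged: bool):
    """Create a rule skeleton applied to the distributed firewall on every vNIC."""
    rule = ET.SubElement(section, "rule", disabled="false", logged=str(logged).lower())
    ET.SubElement(rule, "name").text = name
    ET.SubElement(rule, "action").text = action
    applied = ET.SubElement(rule, "appliedToList")
    _object(applied, "appliedTo", "DISTRIBUTED_FIREWALL", "DISTRIBUTED_FIREWALL")
    return rule


def build_section_xml(section_name: str, rules: Sequence[DfwRule], default_deny: bool = True) -> bytes:
    """Serialise one layer-3 section: the explicit allows, then a logged deny-all."""
    section = ET.Element("section", name=section_name)
    for r in rules:
        rule = _rule(section, r.name, r.action, r.logged)
        _object(ET.SubElement(rule, "sources", excluded="false"), "source", r.src_sg, "SecurityGroup")
        _object(ET.SubElement(rule, "destinations", excluded="false"), "destination", r.dst_sg, "SecurityGroup")
        service = ET.SubElement(ET.SubElement(rule, "services"), "service")
        ET.SubElement(service, "protocol").text = str(r.protocol)
        if r.dst_port is not None:
            ET.SubElement(service, "destinationPort").text = str(r.dst_port)
        ET.SubElement(service, "isValid").text = "true"
        ET.SubElement(rule, "direction").text = "inout"
        ET.SubElement(rule, "packetType").text = "any"
    if default_deny:
        # No sources, destinations or services means any/any: the intra-app default deny.
        rule = _rule(section, f"{section_name} default deny", "deny", True)
        ET.SubElement(rule, "direction").text = "inout"
        ET.SubElement(rule, "packetType").text = "any"
    return ET.tostring(section, encoding="utf-8")


def rule_names(body: bytes) -> List[str]:
    """Rule names in section order, useful for checking what is about to be pushed."""
    return [r.findtext("name") for r in ET.fromstring(body).findall("rule")]


def push_section(http, base_url: str, section_id: str, body: bytes) -> int:
    """Replace a section with optimistic locking: GET for the ETag, PUT with If-Match.

    `http` is anything with requests.Session-style get()/put(). NSX Manager rejects a
    PUT on firewall config that does not carry the ETag of the revision it was read at,
    which stops two operators (or a script and the UI) from silently overwriting each other.
    """
    url = f"{base_url}{FIREWALL_CONFIG}/layer3sections/{section_id}"
    current = http.get(url)
    current.raise_for_status()
    etag = current.headers["ETag"]
    resp = http.put(url, data=body,
                    headers={"Content-Type": "application/xml", "If-Match": etag})
    resp.raise_for_status()
    return resp.status_code


class DryRunSession:
    """Stand-in for requests.Session so the flow can be demonstrated offline."""
    class _Resp:
        def __init__(self, status, headers=None):
            self.status_code, self.headers = status, headers or {}
        def raise_for_status(self):
            if self.status_code >= 400:
                raise RuntimeError(f"HTTP {self.status_code}")
    def __init__(self):
        self.calls = []
    def get(self, url):
        self.calls.append(("GET", url, None))
        return self._Resp(200, {"ETag": "1234567890"})  # constructed revision id
    def put(self, url, data=None, headers=None):
        self.calls.append(("PUT", url, headers))
        return self._Resp(200)


if __name__ == "__main__":
    rules = [DfwRule("web to app", "securitygroup-10", "securitygroup-11", 6, 8443),
             DfwRule("app to db", "securitygroup-11", "securitygroup-12", 6, 3306)]
    body = build_section_xml("App1 east-west", rules)
    print(rule_names(body))
    print(push_section(DryRunSession(), "https://nsxmgr.example.test", "1007", body))
```

With a real `requests.Session` (authenticated to NSX Manager and with certificate verification left on) the same `push_section` call performs the live update; the rules reference security groups rather than addresses, so the tagging-based classification from the customer story keeps the section valid as workloads are added.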
Customer Story: Automate IT Delivery
The problem statement
Line of business users request services from internal IT, which provisions them on physical devices in the data center, while the business works around IT with cloud services.
CHALLENGES
• Manual and labor intensive deployment of IT services
• Inconsistent results
• Dissatisfied LoB users
• Slow Day 2 operations
• Business works around IT with cloud services
Customer Story: Automate IT Delivery
NSX solution
VMware ESX (compute virtualization), VMware NSX (network virtualization) and vRealize Automation deliver "zero touch" deployment: automated application deployment in minutes, instead of weeks or days of waiting on manual network configuration.
BENEFITS
• Automated delivery of multi-tier applications
• Security and consistency built into the provisioning process
• Improved service level for business users, avoiding shadow IT
Automation Topology
• Pre-created construct
  – Provider ECMP for scale
  – DLR, e.g. production traffic
  – All app segments can be dynamically created and attached to the DLR with a security group
  – NAT with in-line LB
• QA/DevOps topology
  – Provider Edge HA
  – Common transit VXLAN segment
  – Allows the provider Edge in the Edge Cluster
  – QA/DevOps tenant Edge/segments reside in compute for growth and agility
  – Create as many Edges with NAT as needed
  – No need to advertise the subnets of each NATed QA segment
Topology shown: ToR switches to ECMP Edges and a Distributed Logical Router with routed Web, App and DB logical switches (172.16.10.0/29, 172.16.10.8/29, 172.16.10.16/29 and 172.16.11.0/29, 172.16.11.8/29, 172.16.11.16/29); Edge HA with in-line LB and in-line NAT fronting NAT Web logical switches and private App and DB logical switches, with the same private ranges (172.16.100.0/24, 172.16.101.0/24, 172.16.102.0/24) appearing behind each NAT Edge.

vRealize Automation and NSX Extensibility Kit https://communities.vmware.com/docs/DOC-30791


NSX Customer References – Automation
Enterprise Hybrid Cloud – Dell/EMC Converged Solution
Hands on Labs: HOL-1720-SDC and 1721
https://HOL.VMWARE.COM
NSX customer use cases – Application Continuity
Data center anywhere: disaster recovery, multi data center pooling, cross cloud


Application continuity
Delivering data center anywhere: disaster recovery, active-active, hybrid cloud networking across data center #1, data center #2 and cloud
Business value: reduce RTO; new availability model
Multisite networking and security (Cross-vCenter NSX)
Secure, high availability, distributed, virtualized resource pool across Site-A and Site-B: a universal distributed logical router spans vCenter-A (NSX Primary) and vCenter-B (NSX Secondary), each with local storage and less than 150 ms between the sites.

NSX-V Multi-site Options and Cross-VC NSX Design Guide https://communities.vmware.com/docs/DOC-32552
Cross Cloud Connectivity
Private cloud (VMware) to cloud provider (VMware): connect at layer 2 or layer 3.
Secure L2/L3 connectivity between on-premises and providers, enabling hybrid cloud.
Customer Story: Simplified Disaster Recovery
The problem statement
Primary site (10.0.10/24) and recovery site (10.0.20/24), each with vSphere, SAN and its own physical network infrastructure:
1. Protect the VM (10.0.10.21)
2. Replicate VM & storage (steps 1 & 2, e.g. VMware SRM)
3. Recover the VM as 10.0.20.21: change the IP address (or stretch L2)
4. Reconfigure security and network services – major RTO impact
CHALLENGES
• Overprovisioned capacity
• Complex DR processes with manual, error-prone steps
• Lengthy RTO to recover applications
• No granularity for DR, all or nothing only
Customer Story: Simplified Disaster Recovery
NSX solution
Primary site and recovery site carry the same virtual network 10.0.10/24 over different physical networks (10.0.20.0/24 and 10.0.30.0/24), with NSX Manager (Primary) and NSX Manager (Secondary):
1. Protect the VM (10.0.10.21)
2a. Replicate VM & storage (steps 1 & 2, e.g. VMware SRM)
2b. Synchronize network & security – network & security already exist at the recovery site
3. Recover the VM, keeping 10.0.10.21
BENEFITS
• VM mobility and granular disaster recovery
• Consistent networking and security across sites
• Integration with Site Recovery Manager
• Significantly reduced complexity
• Reduced RTO

Disaster Recovery with NSX and SRM https://communities.vmware.com/docs/DOC-31692
Dell EMC Enterprise Hybrid Cloud 4.1.1 platform
• Integrations (customized extensions implemented in the field): Microsoft Apps, Oracle DBaaS, SAP / SAP HANA; co-existing solutions; VMware Integrated OpenStack; VMware vRealize Code Stream
• Engineered modular add-ons (pre-packaged options maintained and supported with the platform): backup protection, disaster recovery, continuous availability, encryption services (future), multi-site management; more coming…
• Engineered automation – cloud management & operations: self-service portal with a catalog, orchestration engine, operations management & cost transparency; public cloud IaaS providers
• Software-defined infrastructure: elastic, automated & software-controlled infrastructure
• Dell EMC converged & hyper-converged infrastructure (future options): factory-integrated data center building blocks
• Professional services (pre-packaged services portfolio): prepare, deploy, extend, manage
Legend: required components vs. customizable options.


NSX References – App Continuity
Hands on Labs: HOL-SDC-1705 and 1725
https://HOL.VMWARE.COM
More than 850+ enterprises have operationalized NSX
• Best practices and guidance based on production customers
• Not complicated, minimal changes, and a clear path for success
The maturity model: the path to the vision
Six dimensions, each moving from the starting state to the target, grouped as people, process and architecture:
• People (roles & responsibilities): siloed → blended
• Organization (structure): specialization → cross-domain and discipline
• Processes: manual → automated
• Tooling: legacy → modern
• Architecture: 3-tier → virtual
• Infrastructure: physical → leaf-spine fabric
Networking and Security Operations Requirements
Monitoring, troubleshooting, audit, change management and capacity management

NSX Operation Guide https://communities.vmware.com/docs/DOC-30079

NSX Provides Highest Level of Visibility
• Native capabilities: NSX API, IPFIX, SNMP, Syslog, port mirroring, Traceflow, and more…
• Integration with VMware tools: vRealize Network Insight (formerly Arkin) – SDDC event correlation, alerting, impact analysis, bandwidth utilization, application performance monitoring; Log Insight NSX Content Pack – centralized logging, per-service dashboards
• Integration with the partner ecosystem: P+V topologies, tunnel visibility, distributed monitoring, log monitoring and analytics
NSX is Mainstream
1 Security – micro-segmentation: secure infrastructure at 1/3 of the cost
2 IT automation – private cloud: reduce infrastructure provisioning time from weeks to minutes
3 Application continuity – disaster recovery: reduce RTO by 50%
Next steps on the path to NSX
1 Learn about NSX: understand your key challenges and how NSX can help; define requirements for your solution; try NSX out with HOL; engage the NSX community
2 Start small and grow: start with a small project and add functionality in phases; brownfield vs greenfield; NSX implementation can begin at an environment or cluster level; define the operational model
3 Leverage validated designs: NSX Design Guides; VVD; EHC; partners; VMUG
NSX Vision
Managing security and connectivity for many heterogeneous end points: on-prem, cloud (vCloud Air Network), branch offices/edge computing/IoT, new app frameworks, bare metal and end users.
Where to get started
Learn
• Join the NSX VMUG Community: vmug.com/nsx
• NSX product page & technical resources: vmware.com/products/nsx
• Network Virtualization blog: blogs.vmware.com/networkvirtualization
• VMware NSX on YouTube: youtube.com/user/vmwarensx
Experience
• Visit the VMware booth: use case demos, chat with an SDDC expert
• Test drive NSX with free Hands-on Labs, expert-led or self-paced: labs.hol.vmware.com
• Join the VMUG Advantage Program for access to a 1-year NSX eval and exclusive trainings and certs: vmug.com/VMUG-Join/VMUG-Advantage
Use
• NSX Proactive Support Service: optimize performance based on data monitoring and analytics to help resolve problems, mitigate risk and improve operational efficiency. vmware.com/consulting
Take
• Training and certification: several paths to professional certifications. Learn more at the Education & Certification Lounge. vmware.com/go/nsxtraining
Questions?
