Justin Jones, Niran Evan Chen, Mitesh Pancholy
# VMworld 2017 #2211BU
Automating NSX for Virtual Machines and Containerized Applications
VMworld 2017 Content: Not for publication or distribution
Disclaimer
• This presentation may contain product features that are currently under development.
• This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.
• Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.
• Technical feasibility and market demand will affect final delivery.
• Pricing and packaging for any new technologies or features discussed or presented have not been determined.
Agenda
• Overview
• Automating NSX with vRA: Demo
• Automating PCF & NSX: Walkthrough and Details
• Summary: Q & A
NSX & CMP Overview
NSX & PCF Overview
(Figure: NSX provides Security / Micro-segmentation, Registry Security and Security Management across Virtual Container Hosts (VIC), Docker Container Hosts, Kubernetes Clusters (pods on Docker Engine over a Linux kernel) and Pivotal Cloud Foundry (BOSH-deployed hosts running containers), all on top of the Physical Infrastructure.)
NSX & SDDC Overview
• Single pane of glass and API across on-prem and cloud
• ESXi on dedicated hardware
• Support for containers and VMs
• VSAN on flash storage and EBS
• Replication and DR orchestration
• NSX spanning on-prem and cloud
• Advanced network/security services
(Figure: SDDC stack: vCenter Server over vSphere, Virtual SAN and NSX.)
vRealize Automation + NSX
Benefits
• Unified Service Design and Delivery
• App-Centric Networking and Security
• Incorporate External Services
• Achieve greater control and visibility
• Reduce wait times for siloed IT services
• Manage Infrastructure as Code
• Lifecycle Manage Everything
• Standardized and repeatable process
(Figure: a Converged Blueprint ties together Applications, Extensibility, Security and Networking. The Cloud Admin publishes it to a Unified Service Catalog for Cloud Consumers. The Network Admin owns Network Profiles and On-Demand Networks (Connectivity); the Security Admin owns Security Groups, Security Policies and Security Tags (Security); the On-Demand Load Balancer provides Availability.)
NSX Automation Use Cases
Automation for IT & Developers
(Figure: vRealize Automation sits between Network Admins, Security Admins and Developers on one side and the Virtual Network Infrastructure, Physical Network Infrastructure and Application Workloads on the other.)
Application-centric Network And Security Services
Deployed & Managed in the Application Context
• Support for multi-tier apps on multiple networks or a single flat network
• Connectivity: app-specific networking configuration
• Security: app-specific security policies
• Availability: dynamic app availability configuration
• Performance: app-specific networking performance
(Figure: three-tier Web / App / Database application.)
Automation for Security Operations (Demo coming up)
NSX + vRealize Automation (vRA)
• By: Infrastructure Operations
• Approach: Unified Blueprint + Service Catalog
• Service: App + Security
• For: Security Admins
vRA + NSX – Cloud Operational Model
• Network Admin defines:
– Initial network configuration in NSX
– External Networks and Network Profiles in vRA
• Security Admin defines in NSX:
– Distributed Firewall Rules
– Security Groups / Policies / Tags
• Cloud Architect builds Blueprints:
– Blueprints include NSX Networks, Security components, Load Balancers, VMs and Apps
• Cloud Architect publishes Blueprints
• Cloud Consumers deploy applications:
– End-to-end provisioning: networks, NAT rules, security and LB configured at deployment
(Figure: steps 1-2, one time: the Network Admin defines External Networks and Network Profiles; the Security Admin defines Security Groups, Security Policies and Security Tags. Steps 3-4: the Cloud Architect builds Converged Blueprints (including the NSX Load Balancer) and publishes them to the Service Catalog. Steps 5-N, recurring: Cloud Consumers deploy applications from the catalog.)
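The Security Admin's one-time definitions above (a security tag, a security group whose membership is dynamic on that tag, and a DFW section scoped to the group) as an added example in Python. This is not code from the deck or from VMware: it targets the NSX-v 6.x REST API as the author understands it, so the API paths and element names are assumptions to check against your NSX Manager's API guide, and the manager URL, credentials, object names and sg- IDs are placeholders.

```python
"""One-time NSX objects a Security Admin defines before blueprints consume them.

Added example; not code from the VMworld deck or from VMware. Payload shapes
target the NSX-v 6.x REST API as the author understands it (assumption: verify
paths and element names against your NSX Manager's API guide). Manager URL,
credentials, object names and the sg- IDs are placeholders.
"""
import base64
import ssl
import urllib.request
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

NSX_MANAGER = "https://nsxmgr.example.test"  # hypothetical


def security_tag_xml(name: str, description: str = "") -> str:
    """Body for POST /api/2.0/services/securitytags/tag (assumed path)."""
    tag = ET.Element("securityTag")
    ET.SubElement(tag, "objectTypeName").text = "SecurityTag"
    ET.SubElement(ET.SubElement(tag, "type"), "typeName").text = "SecurityTag"
    ET.SubElement(tag, "name").text = name
    ET.SubElement(tag, "description").text = description
    return ET.tostring(tag, encoding="unicode")


def dynamic_security_group_xml(name: str, tag_name: str) -> str:
    """Body for POST /api/2.0/services/securitygroup/bulk/globalroot-0 (assumed path).

    Membership is dynamic on the security tag: a blueprint only has to tag the
    VM it deploys and the group's DFW policy follows that VM for its lifetime.
    """
    sg = ET.Element("securitygroup")
    ET.SubElement(sg, "objectTypeName").text = "SecurityGroup"
    ET.SubElement(sg, "name").text = name
    dset = ET.SubElement(ET.SubElement(sg, "dynamicMemberDefinition"), "dynamicSet")
    ET.SubElement(dset, "operator").text = "OR"
    crit = ET.SubElement(dset, "dynamicCriteria")
    ET.SubElement(crit, "operator").text = "OR"
    ET.SubElement(crit, "key").text = "VM.SECURITY_TAG"
    # 'equals', not 'contains': a contains-match on ST-web would also pull
    # VMs tagged ST-web-admin into the web tier's allow rules.
    ET.SubElement(crit, "criteria").text = "equals"
    ET.SubElement(crit, "value").text = tag_name
    return ET.tostring(sg, encoding="unicode")


def _sg_ref(parent: ET.Element, child: str, sg_id: str) -> None:
    member = ET.SubElement(parent, child)
    ET.SubElement(member, "value").text = sg_id
    ET.SubElement(member, "type").text = "SecurityGroup"


def dfw_section_xml(name: str, rules: List[Dict]) -> str:
    """Body for POST /api/4.0/firewall/globalroot-0/config/layer3sections (assumed path).

    rules: [{"name", "src_sg", "dst_sg", "port"}], TCP between security-group IDs.
    DFW rules are only evaluated on the vNICs of their appliedTo groups, so each
    allow is appliedTo both ends (the source's vNIC must pass the outbound leg).
    The section closes with a deny appliedTo every group it touched: unlisted
    traffic on those tiers is dropped and logged without becoming a global deny.
    Infra flows the VMs need (DNS, NTP, monitoring) must be allowed above it.
    """
    section = ET.Element("section", name=name)
    groups: List[str] = []
    for r in rules:
        rule = ET.SubElement(section, "rule", disabled="false", logged="true")
        ET.SubElement(rule, "name").text = r["name"]
        ET.SubElement(rule, "action").text = "allow"
        applied = ET.SubElement(rule, "appliedToList")
        for sg_id in (r["src_sg"], r["dst_sg"]):
            _sg_ref(applied, "appliedTo", sg_id)
            if sg_id not in groups:
                groups.append(sg_id)
        _sg_ref(ET.SubElement(rule, "sources", excluded="false"), "source", r["src_sg"])
        _sg_ref(ET.SubElement(rule, "destinations", excluded="false"), "destination", r["dst_sg"])
        svc = ET.SubElement(ET.SubElement(rule, "services"), "service")
        ET.SubElement(svc, "protocol").text = "6"  # TCP
        ET.SubElement(svc, "destinationPort").text = str(r["port"])
    deny = ET.SubElement(section, "rule", disabled="false", logged="true")
    ET.SubElement(deny, "name").text = f"{name} default deny"
    ET.SubElement(deny, "action").text = "deny"
    applied = ET.SubElement(deny, "appliedToList")
    for sg_id in groups:
        _sg_ref(applied, "appliedTo", sg_id)
    return ET.tostring(section, encoding="unicode")


def post(path: str, body: str, user: str, password: str) -> Tuple[int, str]:
    """POST an XML body to NSX Manager with basic auth; TLS is verified."""
    req = urllib.request.Request(NSX_MANAGER + path, data=body.encode(), method="POST")
    req.add_header("Content-Type", "application/xml")
    req.add_header("Authorization", "Basic " +
                   base64.b64encode(f"{user}:{password}".encode()).decode())
    with urllib.request.urlopen(req, context=ssl.create_default_context(), timeout=30) as resp:
        return resp.status, resp.read().decode()


if __name__ == "__main__":
    # Offline: emit the payloads. Against a real manager, feed each one to post().
    print(security_tag_xml("ST-web", "web tier of the 3-tier blueprint"))
    print(dynamic_security_group_xml("SG-web", "ST-web"))
    print(dfw_section_xml("3tier-app", [  # constructed placeholder sg- IDs
        {"name": "lb to web", "src_sg": "sg-1001", "dst_sg": "sg-1002", "port": 443},
        {"name": "web to app", "src_sg": "sg-1002", "dst_sg": "sg-1003", "port": 8443},
        {"name": "app to db", "src_sg": "sg-1003", "dst_sg": "sg-1004", "port": 3306},
    ]))
```

The point of tagging rather than listing VMs is that the blueprint never has to know rule IDs: it applies the tag at deployment, membership updates, and the DFW section written once by the Security Admin enforces the tier model for every deployment from the catalog.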
NSX Automation Use Cases
Automation for IT & Developers
(Figure: vRealize Automation sits between Network Admins, Security Admins and Developers on one side and the Virtual Network Infrastructure, Physical Network Infrastructure and Application Workloads on the other; Containerized Workloads and PCF Workloads are added alongside the Application Workloads.)
Demo
NSX & PCF Overview
Pivotal Cloud Foundry 101
(Figure: the Developer runs `cf push` on a .war ("Here is my source code, run it on the cloud for me, I do not care how"). Staging combines the root filesystem and a buildpack into a droplet, which runs as application instances (AI) spread across Availability Zone 1, 2 and 3. A URL request for myapp.foo.com resolves through the wildcard *.foo.com to an NSX Edge VIP; the NSX Edge load balances across the PCF Routing tier in each zone as its LB pool members.)
PCF & NSX High Level Architecture
(Figure: a PCF 'Foundation' on IaaS: vSphere Security Zone A (Hub). An NSX Edge fronts the logical switches LS: Infra (/26), LS: ERT (/22), LS: Services # (/24s) and LS: Isolation_A (/22), interconnected by Logical Routing (DLR) with an LS: OSPF uplink. The CF Control Plane (Ops Manager, BOSH, GoRouter, Diego Brain, TCP Router) sits on the Infra and ERT switches; Elastic Runtime cells run application instances (AI) for Internal Apps subject to CF ASGs; PCF RabbitMQ and PCF MySQL tiles sit on the Services switches; a PCF Isolation Segment with its own GoRouters and cells sits on LS: Isolation_A.)
• BOSH unifies release engineering, deployment and lifecycle management of the PCF platform. It supports multiple IaaS providers via its Cloud Provider Interface (CPI).
• Ops Manager is a graphical user interface built by Pivotal on top of BOSH for deploying and managing PCF.
• Elastic Runtime runs applications and stacks all the components needed to support them: routers, authentication, app lifecycle, service brokers, messaging, metrics and logging.
• Services tiers allow users to provision and consume marketplace services or build custom services as needed.
• An isolation segment is a set of resources (routers and cells) deployed in isolation, without its own control plane. It provides routing and compute isolation.
• NSX provides:
– L2 services – networks (logical switches) for the different components
– L3 services – routing between the networks using a DLR and the Edge
– Edge services – on/off, NAT, LB, FW
– DFW – Distributed firewall
Day 1 Automation – Concourse pipeline
(Figure: Concourse pipeline; each stage shows an Ops Manager and BOSH deployment.)
NSX Day 2 Automation – BOSH
• Use NSX Security Groups for dynamic security principals
– BOSH Integrated NSX (Dynamic Membership)
– Ingress & Egress PCF Org/Space Specific FW
– Dynamic LB Pool Membership
(Figure: the single PCF 'Foundation' from the previous slide, now spanning IaaS: vSphere Security Zone A (Hub) and Security Zone B (Spoke). DNS *.sys.pcf.foo.com and *.default-apps.foo.com point at the Elastic Runtime GoRouters (Internal Apps); *.public-apps.foo.com points at the PCF Isolation Segment GoRouters and cells on LS: Isolation_A (Public Apps). SSH, TCP and isolation-segment traffic enter through the NSX Edge; cells reach External Services subject to CF ASGs. Underneath, BOSH (with VCF) deploys onto three ESX Clusters, each with its own Resource Pool and vSAN/NFS/VMFS storage.)
Network Security & Controls
• Use NSX Security Groups for dynamic security principals
– BOSH Integrated NSX (Dynamic Membership)
– Ingress & Egress PCF Org/Space Specific FW
– Dynamic LB Pool Membership
• Use Distributed Firewall Policy
– Leverage PCF Integrated Dynamic Security Groups
– Control East+West from single policy engine
– Control App to App at the Org/Space level with Isolation Segments
(Figure: the same foundation diagram as the Day 2 slide: Hub and Spoke security zones, *.sys.pcf.foo.com / *.default-apps.foo.com on the Elastic Runtime routers, *.public-apps.foo.com on the Isolation Segment, CF ASGs governing cell egress to External Services, and BOSH (with VCF) deploying onto three ESX Clusters with their Resource Pools and vSAN/NFS/VMFS storage.)
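The PCF-side half of the controls above (BOSH-integrated NSX membership and LB pools, org/space firewalling with CF ASGs, and the DFW as the single east-west policy engine) as an added example in Python. It is not from the deck, Pivotal or VMware: the `cloud_properties.nsx` keys follow the BOSH vSphere CPI documentation as the author recalls it and should be verified against your CPI release; the ASG format is the JSON the cf CLI's `create-security-group` consumes; all names, CIDRs and ports are placeholders. The last function is the check a practitioner wants when two policy layers describe the same traffic: it flags ASG entries the DFW would silently drop.

```python
"""PCF-side controls paired with NSX for an isolation segment.

Added example; not from the VMworld deck, Pivotal or VMware. The
cloud_properties.nsx keys follow the BOSH vSphere CPI docs as the author
recalls them (assumption: verify against your CPI release). The ASG format is
the cf CLI create-security-group JSON. Names, CIDRs and ports are placeholders.
"""
import ipaddress
import json
from typing import Dict, List, Optional, Set


def nsx_vm_extension(name: str, security_group: str, lb: Optional[Dict] = None) -> Dict:
    """BOSH cloud-config vm_extension the vSphere CPI applies at VM creation.

    Every VM created with this extension is placed into `security_group`
    (dynamic NSX membership, so DFW policy follows it when BOSH recreates or
    scales the instance group) and, if `lb` is given, added to that Edge LB
    pool. Attach the LB part to the isolation segment's routers, not its cells.
    """
    nsx: Dict = {"security_groups": [security_group]}
    if lb:
        nsx["lbs"] = [{
            "edge_name": lb["edge"], "pool_name": lb["pool"],
            "security_group": security_group,
            "port": lb["port"], "monitor_port": lb.get("monitor_port", lb["port"]),
        }]
    return {"name": name, "cloud_properties": {"nsx": nsx}}


def asg_json(allowed: List[Dict]) -> str:
    """CF application security group as passed to `cf create-security-group`.

    An ASG is an egress allow-list for containers in the org/space it is bound
    to (or platform-wide via the running/staging sets). It says nothing about
    traffic *into* cells; that is the job of the NSX DFW on the cell group.
    """
    return json.dumps([{"protocol": "tcp", "destination": a["cidr"],
                        "ports": str(a["ports"]), "description": a["desc"]}
                       for a in allowed], indent=2)


def _ports(spec: str) -> Set[int]:
    """Expand a port spec such as '3306', '5671-5672' or '80,443'."""
    out: Set[int] = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out


def asg_entries_blocked_by_dfw(asg: str, dfw_allows: List[Dict]) -> List[str]:
    """Policy drift check: ASG entries the cell DFW rules would never pass.

    dfw_allows: [{"cidr": "10.0.11.0/24", "ports": "3306"}], as exported from
    the DFW section applied to the cell security group. An ASG entry that no
    DFW allow fully covers means the app team was promised reachability the
    network denies; if the DFW is then loosened to match, the ASG was the only
    control on that path and deserves review.
    """
    drift = []
    for rule in json.loads(asg):
        dst = ipaddress.ip_network(rule["destination"], strict=False)
        want = _ports(rule["ports"])
        ok = any(dst.subnet_of(ipaddress.ip_network(d["cidr"])) and want <= _ports(d["ports"])
                 for d in dfw_allows)
        if not ok:
            drift.append(f'{rule["destination"]}:{rule["ports"]} ({rule["description"]})')
    return drift


if __name__ == "__main__":
    print(json.dumps(nsx_vm_extension("iso-a-router", "SG-iso-a-router",
                                      lb={"edge": "edge-iso-a", "pool": "iso-a-gorouter",
                                          "port": 443}), indent=2))
    print(json.dumps(nsx_vm_extension("iso-a-cell", "SG-iso-a-cell"), indent=2))
    # Constructed: the space may reach the MySQL and RabbitMQ tiles and a partner API.
    asg = asg_json([
        {"cidr": "10.0.11.0/24", "ports": "3306", "desc": "p-mysql"},
        {"cidr": "10.0.12.0/24", "ports": "5671-5672", "desc": "p-rabbitmq"},
        {"cidr": "192.0.2.0/24", "ports": "443", "desc": "partner API"},
    ])
    print(asg)
    # Constructed DFW export: only the service tiles are allowed from the cells,
    # so the partner API entry is flagged.
    print(asg_entries_blocked_by_dfw(asg, [{"cidr": "10.0.11.0/24", "ports": "3306"},
                                           {"cidr": "10.0.12.0/24", "ports": "5671-5672"}]))
```

Bind the ASG with `cf bind-security-group` to the org/space that owns the isolation segment, and keep the DFW export it is checked against under the same change control as the BOSH cloud-config, so both layers move together.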
Summary
Questions?
Appendix