Ray Budavari, Sr Staff Technical Product Manager, NSX
Venky Deshpande, Product Manager, NSX
LHC2105BU
#VMworld #LHC2105BU
NSX and VMware Cloud on AWS: The Path to Hybrid Cloud
VMworld 2017 Content: Not for publication or distribution
Disclaimer
• This presentation may contain product features that are currently under development.
• This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.
• Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.
• Technical feasibility and market demand will affect final delivery.
• Pricing and packaging for any new technologies or features discussed or presented have not been determined.
#LHC2105BU CONFIDENTIAL
Session Objectives – NSX and VMC: The Path to Hybrid Cloud
• Understand the different use cases and functionality for networking and security in VMware Cloud on AWS
– LHC2103BU: NSX and VMware Cloud on AWS: Deep Dive session will cover the technical implementation details
• See cool demos showcasing networking in VMware Cloud on AWS
• Learn how to take a phased approach to leveraging Hybrid Cloud capabilities
Agenda – NSX and VMC: The Path to Hybrid Cloud
1. VMware Cloud on AWS Overview
2. Phase 1: Standalone VMC
3. Phase 2: Secure Connectivity
4. Phase 3: Hybrid Management
5. Phase 4: Native Cloud Services
6. Phase 5: Workload Mobility
7. Q&A
VMware Cloud on AWS: Enabling Hybrid Cloud
• Leading compute, storage and network virtualization capabilities
• Support for broad range of workloads
• De-facto standard for the enterprise DC
• Flexible consumption economics
• Broadest set of cloud services
• Global scale and reach
VMware Cloud on AWS
[Diagram: VMware Cloud™ on AWS (vSphere, vSAN, NSX) running on AWS Global Infrastructure alongside the Customer Data Center, each with its own vCenter; Operational Management (vRealize Suite, ISV ecosystem) spans both, and Native AWS Services sit beside the SDDC.]
Service Highlights
• VMware SDDC running on AWS bare metal
• Sold, operated and supported by VMware
• Support for all VM types
• On-demand capacity & flexible consumption
• Operational consistency with on-premises SDDC
• Workload portability and hybrid operations
• Global AWS footprint, reach, availability
• Direct access to native AWS services
VMware Cloud on AWS – Hybrid Cloud Phases
[Diagram: capabilities stacked by phase]
• Phase 1: Standalone Public Cloud (VMC)
• Phase 2: Secure Connectivity
• Phase 3: Hybrid Management
• Phase 4: Native Cloud Services
• Phase 5: Workload Mobility
Phase 1: Standalone VMC – Networking and Security
VMware Cloud on AWS – Standalone SDDC
VMware software deployed on dedicated AWS Elastic Bare Metal hardware
[Diagram: VMware Cloud SDDC with NSX Manager, NSX Controllers, vCenter Server, a cluster of ESXi hosts, Management Gateway (MGW) and Compute Gateway (CGW) each terminating a VPN, and tenant VMs.]
Overview
Fully configured VMware software stack running on AWS infrastructure provisioned on-demand
Latest Software
• VCSA, ESXi, NSX, VSAN, H5 Client
Dynamic Capacity
• DRS/HA Compute Cluster
• VSAN Storage Cluster
• NSX Network Virtualization
Prescriptive Topology
• Stand Alone Cloud Cluster
• Hybrid Connectivity to on-premises
• Secure by Default Policy
Standalone VMC – Topology
[Diagram: Software Defined Data Center (SDDC) on VMware Cloud on AWS. The Management Network sits behind the Management GW (NAT, FW, VPN); the compute segments Web 192.168.101.0/24, App 192.168.102.0/24 and DB 192.168.103.0/24 hang off a DLR behind the Compute GW (NAT, FW, VPN, DHCP). Also shown: the Customer DC (On-Prem Gateway, On-Prem Mgmt, On-Prem Workloads), the Internet reached through an Internet GW, and the Customer VPC (VPC subnets, EC2 Instances, VPC Endpoints to Amazon S3, Internet GW) whose VPC route table lists 192.168.101.0, 192.168.102.0 and 192.168.103.0. Flows highlighted: East-West and North-South Compute Traffic.]
Demo: SDDC Deployment – Network & Security Consumption in VMC
Standalone VMC – Key Points
▪ Run VMware software using a cloud-like consumption model, while retaining the familiar vSphere experience
▪ Provision standalone workloads in the cloud, supporting both East/West and North/South network connectivity requirements
▪ VMC supports flexible network topologies: single- or multi-tier applications
▪ Stateful perimeter firewalling and NAT services for Management & Compute workloads are provided by NSX
Phase 2: Secure Connectivity – Connecting to On-Premises
Secure Connectivity – IPsec VPN
NSX IPsec VPN Features
• IKEv1
• PFS DH2, DH5, DH14, DH15, DH16
• PSK authentication
• SHA1
• Encryption – AES-CBC (128, 256), AES-GCM (128), 3DES-CBC (192)
• NAT Traversal, Dead Peer Detection
• UI & API based configuration
• Interoperable IPsec implementation tested with all major vendors
Performance
• AES-NI H/W offload
• 2+ Gbps throughput per edge
Use Cases
• Site-to-site VPN
• Securely connect VMC to the on-premises DC
[Diagram: Hybrid Cloud VPN – the NSX Edge in VMware Cloud on AWS terminating IPsec VPN tunnels across the Internet / WAN to several Remote Gateways.]
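The feature list above is effectively the negotiation envelope a remote gateway has to fit into. The following added example (the author's own illustration, not NSX or VMware code) checks a peer's offered IKE/IPsec parameters against that envelope, picks the strongest mutually supported encryption and PFS group, and flags choices a reviewer would want to question before the tunnel goes into production. The supported set mirrors the slide; the preference order and the "legacy" flags are the author's defensive judgement, not VMware defaults, and the sample peers are constructed.

```python
"""Check a remote peer's IPsec proposal against the VMC-supported parameter set.

Added example, not NSX or VMware code. VMC_SUPPORTED mirrors the feature list on
the slide (IKEv1, PFS DH groups 2/5/14/15/16, PSK, SHA1, AES-CBC 128/256,
AES-GCM 128, 3DES-CBC). The preference ranking and the legacy flags are the
author's own defensive judgement and are not VMware statements.
"""
from dataclasses import dataclass
from typing import Dict, List

VMC_SUPPORTED = {
    "ike_version": {"IKEv1"},
    "auth": {"PSK"},
    "integrity": {"SHA1"},
    "dh_group": {2, 5, 14, 15, 16},
    "encryption": {"AES-CBC-128", "AES-CBC-256", "AES-GCM-128", "3DES-CBC"},
}

# Preference order, strongest first (author's ranking, not a product default).
ENC_PREFERENCE = ["AES-GCM-128", "AES-CBC-256", "AES-CBC-128", "3DES-CBC"]
DH_PREFERENCE = [16, 15, 14, 5, 2]

# Supported, but worth a review note before production (author's judgement).
LEGACY = {"encryption": {"3DES-CBC"}, "dh_group": {2, 5}}


@dataclass
class Proposal:
    """What the remote gateway offers; lists because peers usually offer several."""
    ike_version: str
    auth: str
    integrity: str
    dh_groups: List[int]
    encryption: List[str]


def negotiate(peer: Proposal) -> Dict:
    """Pick the strongest mutually supported encryption / PFS group pair.

    Returns {'selected': {...} or None, 'problems': [...], 'warnings': [...]}.
    A 'problem' means the tunnel would not come up at all; a 'warning' means
    it would, but with a parameter a reviewer should question.
    """
    problems: List[str] = []
    warnings: List[str] = []
    for name in ("ike_version", "auth", "integrity"):
        value = getattr(peer, name)
        if value not in VMC_SUPPORTED[name]:
            problems.append(f"{name} {value!r} is not in the VMC supported set")
    # Intersect in preference order so index 0 is the strongest common choice.
    common_enc = [e for e in ENC_PREFERENCE
                  if e in peer.encryption and e in VMC_SUPPORTED["encryption"]]
    common_dh = [g for g in DH_PREFERENCE
                 if g in peer.dh_groups and g in VMC_SUPPORTED["dh_group"]]
    if not common_enc:
        problems.append("no common encryption algorithm")
    if not common_dh:
        problems.append("no common PFS DH group")
    if problems:
        return {"selected": None, "problems": problems, "warnings": warnings}
    enc, dh = common_enc[0], common_dh[0]
    if enc in LEGACY["encryption"]:
        warnings.append(f"{enc} selected: peer offered no VMC-supported AES option")
    if dh in LEGACY["dh_group"]:
        warnings.append(f"DH group {dh} selected: peer offered no group >= 14")
    selected = {"ike_version": peer.ike_version, "auth": peer.auth,
                "integrity": peer.integrity, "encryption": enc, "dh_group": dh}
    return {"selected": selected, "problems": [], "warnings": warnings}


# Constructed sample peers (not real device configurations).
MODERN_PEER = Proposal("IKEv1", "PSK", "SHA1", [14, 2], ["AES-CBC-256", "3DES-CBC"])
LEGACY_PEER = Proposal("IKEv1", "PSK", "SHA1", [2], ["3DES-CBC"])
IKEV2_PEER = Proposal("IKEv2", "PSK", "SHA1", [14], ["AES-GCM-128"])

if __name__ == "__main__":
    for label, peer in (("modern", MODERN_PEER), ("legacy", LEGACY_PEER), ("ikev2", IKEV2_PEER)):
        print(label, negotiate(peer))
```

The useful habit the check encodes is that "interoperable" and "acceptable" are different questions: a peer that offers only 3DES and DH group 2 will interoperate with the listed feature set, but the result is a tunnel whose parameters should be an explicit decision rather than a silent fallback.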
Secure Connectivity – Topology
[Diagram: the same SDDC / Customer DC / Customer VPC topology as the Phase 1 slide (Management GW with NAT, FW, VPN; Compute GW with NAT, FW, VPN, DHCP; Web 192.168.101.0/24, App 192.168.102.0/24, DB 192.168.103.0/24 behind the DLR; VPC route table listing the three segments). Flows highlighted: Management Traffic and Compute Traffic between the On-Prem Gateway and the SDDC gateways.]
Secure Connectivity – Key Points
▪ IPsec VPN enables secure management and workload access from VMC to on-premises
  – Provides a choice of Remote Gateway:
    – Physical or virtual form factor
    – From any standards-compliant vendor
  – VMC leverages NSX Edge for networking services
▪ VMware has validated common VPN devices for interoperability
▪ In addition, whitepapers will be published with VMC Partners
Phase 3: Hybrid Management – Centralized Management
Hybrid Linked Mode
▪ Single pane of glass for Hybrid Cloud Management
▪ Hybrid Linked Mode provides operational consistency
▪ On-Premises vCenter connects to SDDC vCenters
▪ Decouple version dependencies between Cloud and On-Premises
▪ Support Cross-Cloud vMotion in Future Releases
vCenter Content Library
▪ Automatically synchronize content across cloud instances and on-premises
▪ Distribute your content effortlessly
  – OVA
  – ISO Images
  – Scripts
  – Templates
[Diagram: an On-Prem SDDC content library with two VMC SDDC subscribers.]
Hybrid Management – Topology
[Diagram: the same SDDC / Customer DC / Customer VPC topology as the Phase 1 slide. Flow highlighted: Hybrid Management between On-Prem Mgmt and the SDDC Management Network.]
Demo: Hybrid Linked Mode & Content Library
Hybrid Management – Key Points
▪ Leverage secure connectivity to use VMC as an extension of your on-premises environment
▪ Consistent management enabled through:
  – Hybrid Linked Mode
  – Content Library
  – Using the same interfaces (UI and API) across both environments
▪ Supports different administrative domains:
  – Software versions
  – SSO configuration
Phase 4: Native Cloud Services – Connected AWS VPC through ENIs
AWS VPC Connectivity
[Diagram: VPC Connectivity through ENI – the VMC SDDC (VMware Cloud on AWS) with segments 192.168.101.0/24 and 192.168.102.0/24 behind the DLR and the Compute GW (NAT, FW, VPN, DHCP), connected to the Customer VPC's VPC Router; the Customer VPC contains VPC subnets, EC2 Instances, VPC Endpoints to Amazon S3 and an Internet GW.]
Overview
• High BW connectivity to AWS services
• One VPC connection supported
• Access to EC2 instances and the S3 endpoint at IA
• Connectivity established through ENIs
• Access control using AWS Security Group and CGW FW
Benefits
• Optimized access to AWS services without transit charges
Use Cases
• Establish connectivity between traditional and cloud-native applications
• Utilize S3 object storage for backup and other use cases
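The "Access control using AWS Security Group and CGW FW" point is the one that generates tickets in practice: a flow from an SDDC segment to an EC2 instance has to pass two policy layers that are managed in two different consoles, and the VPC route table shown on the topology slides must also carry the SDDC segment for return traffic. The added example below (the author's own illustration, not VMware or AWS code) evaluates all three conditions for a candidate flow and reports which layer blocks it. The rule model is deliberately simplified and is an assumption: CGW rules are first-match with a default drop, the Security Group is allow-only, port ranges are not modelled, and the rule sets, addresses and the fourth segment 192.168.104.0/24 are constructed for illustration.

```python
"""Pre-check a flow from an SDDC segment to a connected-VPC target.

Added example, not VMware or AWS code. It encodes the slide's point that a
flow from VMC to EC2 / S3 over the ENI connection passes two independent
policy layers, the Compute Gateway (CGW) firewall and the AWS Security Group,
and that the VPC route table must carry the SDDC segment. The rule model is a
simplification: CGW rules are first-match with a default drop, the Security
Group is allow-only, and port ranges are not modelled. All addresses and
rules below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "drop" (Security Groups only use "allow")
    src: str             # source CIDR
    dst: str             # destination CIDR (0.0.0.0/0 for a Security Group, which has no dst)
    proto: str           # "tcp", "udp" or "any"
    port: Optional[int]  # destination port, None = any port


def _matches(rule: Rule, src: str, dst: str, proto: str, port: int) -> bool:
    return (
        ipaddress.ip_address(src) in ipaddress.ip_network(rule.src)
        and ipaddress.ip_address(dst) in ipaddress.ip_network(rule.dst)
        and rule.proto in ("any", proto)
        and rule.port in (None, port)
    )


def cgw_allows(rules: List[Rule], src: str, dst: str, proto: str, port: int) -> bool:
    """Perimeter firewall semantics: first matching rule wins, default drop."""
    for rule in rules:
        if _matches(rule, src, dst, proto, port):
            return rule.action == "allow"
    return False


def sg_allows(ingress: List[Rule], src: str, dst: str, proto: str, port: int) -> bool:
    """Security Group ingress: any matching rule permits; no rule means deny."""
    return any(_matches(r, src, dst, proto, port) for r in ingress)


def vpc_routes_back(route_table: List[str], src: str) -> bool:
    """Return traffic needs a VPC route covering the SDDC source segment."""
    return any(ipaddress.ip_address(src) in ipaddress.ip_network(cidr) for cidr in route_table)


def check_flow(src: str, dst: str, proto: str, port: int,
               cgw_rules: List[Rule], sg_ingress: List[Rule], route_table: List[str]) -> Dict:
    """Evaluate all three layers and name the ones that block the flow."""
    results = {
        "cgw": cgw_allows(cgw_rules, src, dst, proto, port),
        "sg": sg_allows(sg_ingress, src, dst, proto, port),
        "route": vpc_routes_back(route_table, src),
    }
    results["reachable"] = all(results.values())
    results["blocked_by"] = [k for k, ok in results.items() if k != "reachable" and not ok]
    return results


# Constructed sample policy: only the Web segment (and a hypothetical fourth
# segment 192.168.104.0/24) may reach the EC2 app tier on tcp/443.
CGW_RULES = [
    Rule("allow", "192.168.101.0/24", "10.0.1.0/24", "tcp", 443),
    Rule("allow", "192.168.104.0/24", "10.0.1.0/24", "tcp", 443),
    Rule("drop", "0.0.0.0/0", "0.0.0.0/0", "any", None),
]
SG_INGRESS = [Rule("allow", "192.168.0.0/16", "0.0.0.0/0", "tcp", 443)]
# The three segments the topology slides show in the VPC route table.
VPC_ROUTE_TABLE = ["192.168.101.0/24", "192.168.102.0/24", "192.168.103.0/24"]


def demo(src: str, dst: str, proto: str, port: int) -> Dict:
    return check_flow(src, dst, proto, port, CGW_RULES, SG_INGRESS, VPC_ROUTE_TABLE)


if __name__ == "__main__":
    print(demo("192.168.101.10", "10.0.1.20", "tcp", 443))  # reachable
    print(demo("192.168.103.5", "10.0.1.20", "tcp", 22))    # blocked by CGW and SG
    print(demo("192.168.104.9", "10.0.1.20", "tcp", 443))   # allowed twice, no VPC route
```

The third case is the one worth remembering: both firewalls say yes, yet the flow fails because the segment was never added to the VPC route table. Checking the layers together, rather than one console at a time, is what turns that into a one-line diagnosis.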
Native Cloud Services – Topology
[Diagram: the same SDDC / Customer DC / Customer VPC topology as the Phase 1 slide. Flows highlighted: Hybrid Management, Optimized VPC Connectivity from the Compute GW into the Customer VPC, and Access to AWS Services (EC2 Instances, VPC Endpoints to Amazon S3).]
Native Cloud Services – Key Points
▪ Enabled as part of the technical partnership between VMware and AWS
▪ Unique capability of VMware Cloud on AWS
▪ Access AWS native services without transit charges
▪ High bandwidth, optimized connectivity
▪ Enables new use cases for cloud consumption from VMC workloads
Phase 5: Workload Mobility – Future Releases
NSX L2VPN
NSX L2VPN Features
• SSL-secured L2 extension over any IP network
• Multiple management domains
• Can co-exist with the existing default gateway
• No specialized hardware required
• Long-distance / high-latency connectivity
• Supports client site with or without NSX
Performance
• Supports up to 750 Mbps per tunnel
• AES-NI supported if available
Use Cases
• Data Center Migrations (P2V, V2V, VLAN2VXLAN)
• Disaster Recovery & Testing
• Cloud Bursting & Onboarding
• Limited VM Mobility
[Diagram: L2 Extensions – Site A Networks in the On-Prem DC, fronted by an L2VPN Client (delivered as an OVA, managed or unmanaged), connected over SSL across an L3 Network through Remote Gateways and AWS Gateways to Site B Networks in VMC on AWS, fronted by the L2VPN Server; NSX Manager is shown on the VMC side.]
Workload Mobility – Topology
[Diagram: the same SDDC / Customer DC / Customer VPC topology as the Phase 1 slide. Flows highlighted: Management Traffic, Hybrid Management, Optimized VPC Connectivity, and Network Extension between On-Prem Workloads and the SDDC compute segments.]
Demo: Workload Mobility via Network Extension
Workload Mobility – Key Points
▪ Leverage NSX L2VPN (even without NSX on-premises) to enable migration use cases:
  – Cold Migration
  – vMotion
  – Disaster Recovery
  – Cloud Bursting
▪ Move workloads to and from VMC while retaining IP addressing
▪ Flexible deployment model
▪ Any network combination of VLAN and VXLAN supported
Network Services in VMC on AWS
[Diagram: the full topology from the phase slides (SDDC with Management GW and Compute GW, Web/App/DB segments 192.168.101.0/24, 192.168.102.0/24, 192.168.103.0/24 behind the DLR, Customer DC, Internet GW, Customer VPC with its route table) with every flow highlighted: East-West and North-South Compute Traffic, Management Traffic, Hybrid Management, Optimized VPC Connectivity and Access to AWS Services.]
VMware Cloud on AWS and NSX – Summary
• VMware Cloud on AWS is a major initiative for VMware
• Extends key SDDC capabilities to Public Cloud
• VMC can accelerate and simplify your adoption of Public Cloud
• Enables Hybrid Cloud with flexibility
• Choose the path that is right for you
Thank You
• Ray Budavari, @rbudavari
• Venky Deshpande