VMware NSX Extensibility: Network and Security
Services from 3rd-Party Vendors
Anirban Sengupta, VMware
Adina Simu, VMware
NET5522
#NET5522
2
Session Objectives
Discuss the main use cases of extending NSX with services from technology partners
• Security services
• Connectivity between virtual and physical workloads
• Application delivery services
Present an example of NSX in action: NSX Partner Lab
Review the architecture of NSX Extensibility
3
Recommended Sessions & Labs
NET5716 – Advanced NSX Architecture
NET5266 – Bringing Network Virtualization to VMware Environments with NSX
NET5270 – Virtualized Network Services Model with NSX
Hands-on labs on NSX: HOL-SDC-1303 and HOL-SDC-1319
Group Discussion: SEC1003-GD
4
Agenda
Introduction to NSX
NSX Extensibility use cases
• Security services
• Connectivity between virtual and physical workloads
• Application delivery services
How we collaborate with Partners: NSX Partner Cloud Lab
Architectural considerations for NSX Extensibility Framework
5
VMware Solutions
Public Clouds, Private Clouds
Hybrid Cloud – Seamlessly extend your data center to the public cloud
Virtual Workspace – Manage access to services, applications and data for any device
The New Role for IT: IT as a Service
Software-Defined Data Center – Virtualize the entire data center
Management and Automation, Storage and Availability, Compute, Network and Security
6
VMware NSX – Networking & Security Capabilities
[Figure: platform diagram with labels: Any Application (without modification); Virtual Networks; VMware NSX Network Virtualization Platform; Logical L2; Logical L3; Logical Firewall; Logical Load Balancer; Logical VPN; Any Hypervisor; Any Network Hardware; Any Cloud Management Platform]
Logical Switching – Layer 2 over Layer 3, decoupled from the physical network
Logical Routing – Routing between virtual networks without exiting the software container
Logical Firewall – Distributed Firewall, Kernel Integrated, High Performance
Logical Load Balancer – Application Load Balancing in software
Logical VPN – Site-to-Site & Remote Access VPN in software
NSX API – RESTful API for integration into any Cloud Management Platform
Partner Eco-System
7
VMware NSX System Architecture
[Figure: system architecture diagram with labels: Virtual Networks; Any Cloud Management Platform; NSX API; NSX Manager; NSX Controller; NSX vSwitch; NSX Gateway; Overlay Transport; Any Hypervisor; Any Network Hardware; HW Partner Extensions (Physical to Virtual); SW Partner Extensions; Physical or Virtual Workloads; Any Application]
8
Agenda
Introduction to NSX
NSX Extensibility use cases
• Security services
• Connectivity between virtual and physical workloads
• Application delivery services
How we collaborate with Partners: NSX Partner Cloud Lab
Architectural considerations for NSX Extensibility Framework
9
Use Case: Securing the Software Defined Data Center
“My compute is pooled
and virtualized.
How do I secure it?”
10
How to Secure Applications with NSX Logical Containers
[Figure: VMs grouped into NSX logical containers]
Simplify application management boundaries
11
NSX Partner Solutions are Programmable Through Lifecycle
Install NSX Extension from 3rd party vendor
Configure service
Create service policy templates
Consume service
Monitor service
Uninstall NSX Extension from 3rd party vendor
12
How to Install NSX Partner Solutions
1. Register the 3rd party solution with NSX Manager
2. Deploy partner appliances
3. Consume service!
13
Automated deployment of NSX and Partner appliances
[Figure: VMs across hosts, with Cloud Admin and Security Admin roles]
14
DEMO: Register and Deploy NSX Partner Service
16
Distributed Filtering and Redirection
Scale-out architecture
• Embedded in the Hypervisor
Line rate performance
• 10Gbps+ per host
Flexible access control architecture
• NSX Logical Containers
• VM Tags
• User Identity and Active Directory support
No VM can circumvent the redirection filters
• Rules follow the VMs
[Figure: VMs spread across hosts]
17
Service Consumption Using Traditional Operational Experience
NSX UI
• NSX Partner Services are integrated with NSX service screens (Load Balancer, Gateways, Firewall)
NSX API
• NSX Partner Services are integrated with NSX APIs
NSX operational model now extended to partner services
18
Cloud admin view: Consuming security services
[Figure: NSX firewall UI with a partner NGFW service added (“+ NGFW”)]
19
Service Consumption Using NSX Service Composer
NSX Service Composer unifies and integrates service consumption across NSX native and 3rd party services
NSX operational model now extended to partner services
20
NSX Service Composer UI
21
Use Case: Using a 3rd Party Load Balancer from NSX
“How do I use my
preferred ADC
appliances with NSX?”
22
NSX seamlessly extends with ADC capabilities from partners
[Figure: the platform diagram from slide 6 (Any Application (without modification); Virtual Networks; VMware NSX Network Virtualization Platform; Logical L2; Logical L3; Logical Firewall; Logical Load Balancer; Logical VPN; Any Hypervisor; Any Network Hardware; Any Cloud Management Platform), with the Logical Load Balancer called out]
Logical Load Balancer
Virtual IP: 172.168.1.1
Member pool: 10.0.0.1, 10.0.0.2
[OPTIONAL: Partner ADC template: Web Gold]
23
Use Case: Connecting the Virtual and Physical Workloads
“How do I connect my
physical workloads to
virtual networks?”
24
2013: The Majority of Access Ports are Virtual
Half of all server access ports are already virtual, and they are on track to be ~67% in 2 years
*40% of vAdmins managing virtual switching
[Chart: Virtual Server Access Ports vs Physical Server Access Ports, in millions, 2010–2015 (source: Crehan Research Inc.); Virtual Server Access Ports: 32% CAGR; Physical Server Access Ports: 15% CAGR]
25
NSX Logical Networks Can Extend to Physical Servers
Physical network (port, or VLAN)
NSX L2 Gateway
Logical network (VNI)
26
NSX Operational Model Now Available for Physical Ports
[Figure: diagram with labels: Physical Network (Arista, Cisco, HP, Juniper, Cumulus, …); Hardware / Software; hypervisors vSphere, Hyper-V*, XenServer and KVM, each with a vSwitch and VMs; Controller Cluster; NSX Manager; API; CMP; NSX L2 Gateway (HW Partner, “Neutron API”); VLAN; L2 / L3 Logical Network]
27
L2 Gateways from 3rd Party Hardware Vendors
Benefits:
• Granular access: can pull a single physical port into the virtual world
• Connect bare metal workloads with higher performance/throughput
• Same operational model (provisioning, monitoring) as virtual networks
• Consistent provisioning and operations for the entire Data Center, regardless of workloads, over a simple IP fabric
28
Agenda
Introduction to NSX
NSX Extensibility use cases
• Security services
• Connectivity between virtual and physical workloads
• Application delivery services
How we collaborate with Partners: NSX Partner Cloud Lab
Architectural considerations for NSX Extensibility Framework
29
Let’s Do a Mind Bending Exercise
30
NSX Nested Environments
[Figure: NSX Manager, NSX Controller, NSX vSwitch and NSX Gateway deployed as a nested environment]
31
Architecture for a Multi-site Product Development Lab
[Figure: Site A and Site B, each with L2 segments, VLANs and an L3 Logical Network, connected over WAN Infrastructure]
32
NSX Is Enabling the Industry Leaders to Innovate Fast
[Figure: Site A and Site B]
33
Agenda
Introduction to NSX
NSX Extensibility use cases
• Security services
• Connectivity between virtual and physical workloads
• Application delivery services
How we collaborate with Partners: NSX Partner Cloud Lab
Architectural considerations for NSX Extensibility Framework
34
VMware NSX System Extensibility Architecture
[Figure: extensibility diagram with labels: Any Cloud Management Platform; NSX API with Partner extensions; Management plane: NSX Manager, Partner Service Manager; NSX Controller; Data plane: NSX vSwitch, NSX Gateway, Overlay Transport, Data plane HW Partner Extensions (Physical to Virtual); Any Hypervisor; Any Network Hardware]
35
NetX Management Plane
• Comprehensive RESTful APIs for integration with CMS
• Services catalog – service definition and registration
• Ability for the partner management plane to register for callbacks
• Automatic and on-demand deployment for multiple scenarios, and configuration of service instances
• Extensibility for partners to register and make available configuration templates for consumption
• Profiles for consumption of the service, with control over the perimeter where it is applied
• Status reporting and statistics
[Figure: vCNS Server, Partner Management Server and VirtualCenter, connected over REST]
36
Example: Central Management for security services
• Centralized management with a single pane of glass in the vSphere Client
• Rich dynamic container-based rules, not just IP addresses:
  - VC containers: Clusters, Datacenters, Portgroups, VXLAN
  - VM containers: VM names, VM tags, VM attributes
  - Identity: User identity, Groups
  - IPv6 compliant: IPv6 addresses, IPv6 sets
  - Services: Protocol, Ports, Custom, IPv6 Services
• Choice of PEP: Clusters, VXLAN, vNICs
37
Control Plane Integration with NSX
NSX Controller communicates with 3rd party hardware appliances
to create on demand overlay tunnels, extending virtual networks
Dynamic connection to logical networks using OVSDB
38
Connecting the Physical to the Virtual
[Figure: diagram with labels: Controller Cluster; API (OVSDB); Tunnels (VXLAN); four Hypervisor / vSwitch pairs with VMs; Physical Workloads; Logical network (VNI)]
39
Scalable Control Plane
• Central controller sends the rules to the pertinent hosts.
• Each local controller evaluates the rules and sends the right rules to the right VMs.
[Figure: diagram with labels: Any Cloud Management Platform; NSX API; NSX Manager (Desired State); NSX Controller (Runtime State); Any Network Hardware (Physical to Virtual); two hosts, each with Hypervisor, Local Controller and four VMs]
40
Services Data Plane Integration with NSX
Filtering at each vNIC
• based on IP, VM containers, Identity, etc.
• at line rate
Support for stateful and stateless redirection to virtual or physical appliances.
Partner can program the redirection filters in real time
• Programmability of rules and connection/context tracker
• Context tracking on a micro-flow level
Flows that need redirection can be sent to:
• host resident virtual appliances (using VMCI)
• appliances on the same L2 network (MAC redirect)
• any IP address (GRE encapsulation)
Can chain any number of redirections
Service chaining order is controlled by admin
41
Virtual Network – A Complete Network in Software
42
Service Chaining with NSX
Multiple Services can be placed in any point of the logical pipeline
Partner services are agnostic of the other services in the chain
Each partner service can manipulate rules and connection/context information for their own filter in a secure sandbox
No dependency on the ordering for different service encapsulations in the chain
Admin has the control to setup services and can dynamically add/delete/modify filters with minimal packet drops
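The distributed filtering (slide 16), scalable control plane (slide 39), data plane redirection (slide 40) and service chaining (slide 42) slides all describe one mechanism: policy is written against containers such as VM tags, the central controller hands each host only the rules that touch a VM placed on it, and the per-vNIC filter walks those rules in admin-defined order, redirecting matching flows through a chain of partner services before a terminal allow or deny. The model below is an added example written for this page; it is not VMware or partner code, and the group names, tags, service names, hosts and rule set are constructed. It assumes that group membership is evaluated dynamically from tags at lookup time, that a host's rule set is simply every rule whose source or destination group has a member on that host, and that an unmatched flow falls through to a caller-supplied default (here "deny"); the real DFW default rule is configurable and the transport per service is only a label.

```python
"""Toy model of NSX-style distributed filtering with partner-service redirection.

Constructed for illustration (not VMware or partner code). Assumptions:
security groups are defined by VM tags, the central controller pushes each
host only the rules touching a VM placed on it, and each vNIC filter walks
its rules in order, collecting redirections until a terminal allow/deny.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class VM:
    name: str
    host: str
    tags: set = field(default_factory=set)   # tags drive group membership


@dataclass
class Rule:
    rule_id: int
    src_group: str                 # security group name, or "any"
    dst_group: str
    dst_port: Optional[int]        # None matches any port
    action: str                    # "allow", "deny" or "redirect"
    service: Optional[str] = None  # partner service name for "redirect"


# Security group -> tag that grants membership. Evaluated at lookup time, so
# tagging or untagging a VM changes which rules hit without editing the rules.
GROUPS = {"web": "tier:web", "db": "tier:db", "quarantine": "sec:quarantine"}

# Partner service -> how redirected flows reach it (constructed labels for two
# of the transports the deck lists: VMCI for host-resident, MAC redirect for same-L2).
SERVICE_TRANSPORT = {"partner-ips": "vmci", "partner-ngfw": "mac-redirect"}


def members(group, vms):
    """Names of the VMs currently in a security group."""
    if group == "any":
        return set(vms)
    return {vm.name for vm in vms.values() if GROUPS[group] in vm.tags}


def rules_for_host(host, rules, vms):
    """Central controller view: only rules that touch a VM placed on this host."""
    local = {vm.name for vm in vms.values() if vm.host == host}
    return [r for r in rules
            if members(r.src_group, vms) & local or members(r.dst_group, vms) & local]


def evaluate(host_rules, src, dst, dst_port, vms, default="deny"):
    """Per-vNIC filter: redirects accumulate in rule order; first allow/deny wins."""
    chain = []
    for r in host_rules:
        if src not in members(r.src_group, vms) or dst not in members(r.dst_group, vms):
            continue
        if r.dst_port is not None and r.dst_port != dst_port:
            continue
        if r.action == "redirect":
            chain.append((r.service, SERVICE_TRANSPORT[r.service]))
            continue
        return r.action, chain
    return default, chain


def migrate(vms, name, new_host):
    """vMotion: the VM moves and the next rules_for_host() call follows it."""
    vms[name].host = new_host


def build_sample():
    """Constructed inventory and policy, not taken from any real deployment."""
    vms = {
        "web01": VM("web01", "esx-a", {"tier:web"}),
        "web02": VM("web02", "esx-a", {"tier:web"}),
        "db01": VM("db01", "esx-b", {"tier:db"}),
    }
    rules = [
        Rule(1, "quarantine", "any", None, "deny"),          # quarantine overrides everything
        Rule(2, "web", "web", None, "allow"),                # intra-tier traffic
        Rule(3, "web", "db", 3306, "redirect", "partner-ips"),
        Rule(4, "web", "db", 3306, "redirect", "partner-ngfw"),
        Rule(5, "web", "db", 3306, "allow"),                 # terminal action after the chain
        Rule(6, "any", "db", None, "deny"),
    ]
    return vms, rules


def rule_ids_for_host(host, vms, rules):
    return [r.rule_id for r in rules_for_host(host, rules, vms)]


if __name__ == "__main__":
    vms, rules = build_sample()
    print("esx-b rules before vMotion:", rule_ids_for_host("esx-b", vms, rules))
    migrate(vms, "web01", "esx-b")
    print("esx-b rules after vMotion: ", rule_ids_for_host("esx-b", vms, rules))
    print(evaluate(rules_for_host("esx-b", rules, vms), "web01", "db01", 3306, vms))
```

Three things the slides claim become visible when this runs: host esx-b receives the web-to-web rule only once a web VM lands on it, so the rules follow the VM rather than the host; adding the quarantine tag to a VM changes the verdict on the next flow without any rule edit, which is what container-based rules buy over IP-based ones; and the redirect chain comes out in rule order (IPS then NGFW), so ordering stays under the admin's control and each partner service sees the flow without knowing about the other.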
43 | ©2012, Palo Alto Networks. Confidential and Proprietary.
Extending with 3rd party security solutions
[Figure: diagram with labels: External Network; vSwitch; Guest VM; IDS/IPS; DFW; NGFW; NSX Manager; Panorama; NSM]
44
THANK YOU