Post on 13-Apr-2017
Introducing Application Self-Service with Networking and Security Using vRealize Automation and NSX
Andrew Voltmer, VMware, Inc
Becky Smith, VMware, Inc
MGT5360
#MGT5360
Disclaimer
• This presentation may contain product features that are currently under development.
• This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.
• Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.
• Technical feasibility and market demand will affect final delivery.
• Pricing and packaging for any new technologies or features discussed or presented have not been determined.
CONFIDENTIAL 2
IT Automation, The Next Wave of IT Efficiency
(Chart: IT Efficiency versus Time)
Virtualization
► Accelerate service delivery (weeks → days)
► Resource pooling
► HW consolidation
Cloud Automation & Management
► Accelerate service delivery (days → min)
► Improve operational efficiency
► Optimize resource utilization
► Reduce complexity via standardization
Business Wants Agility. IT Wants Control.
Cloud Users (Applications): "We want our application on-demand with compute, storage, networking and security!"
Compute Admin (Infrastructure): Provide the right VM for the job
Network Admin: Deliver high-performance networking quickly
Security Admin: Ensure secure IT
Agenda
1 Software Defined Data Center
2 NSX Network and Security Virtualization
3 vRealize Automation for Applications and Infrastructure
4 Application Self-Service with Networking and Security Using vRealize Automation and NSX
VMware’s Software Defined Data Center
Infrastructure and Apps Are Subject to Wait
(Diagram: wait/work timelines)
Infrastructure Service Delivery: Days
Application and Change Delivery: Weeks
Changes
Virtualized Infrastructure: Abstract & Pool
(Diagram: Physical Hardware; Private Clouds, Public Clouds, Hybrid Cloud (VMware & vCloud Data Center Partners))
Compute Abstraction = Server Virtualization
Network Abstraction = Virtual Networking
Storage Abstraction = Software-Defined Storage
Software-Defined Data Center (SDDC) Cloud Management Platform Enables the One Cloud, Any Application Approach
(Diagram of the stack)
Applications, End-User Computing
Cloud Management Platform: Business, Operations, Automation, Extensibility
Software-Defined Data Center: Virtualized Infrastructure (Compute, Network, Storage)
Physical: Compute, Network, Storage
Hybrid Cloud (Private / Public)
Dynamically Configure Application Services on SDDC
Automated delivery of secure, scalable and high performing multi-tier applications utilizing VMware’s SDDC
Manual Network Configuration: Hours or Days (Wait, Work, Wait)
Automated Application Deployment: Minutes, “Zero Touch” Deployment
(Stack: vRealize Automation over VMware NSX Network Virtualization and VMware ESX Compute Virtualization)
NSX Network and Security Virtualization
Start With Your Existing Physical Network Infrastructure
Without network virtualization, you are hardware defined
(Diagram: Internet connected to the Physical Network Topology)
Compute Capacity…
Data Center Virtualization Layer…
A “Network Hypervisor”
(Diagram: Internet, Network Hypervisor, Physical Network Topology)
The Operational Model of a VM for the Networking
Virtual Networks: Software Containers, Like VMs
(Diagram: Virtual Network Topology running on the Network Hypervisor over the Physical Network Topology)
Provides a Faithful Reproduction of Network & Security Services in Software
Switching, Routing, Firewalling, Load Balancing, VPN, Connectivity to Physical, Policies, Groups, Tags
Management APIs to program all services
NSX – Virtual Networking and Security
Support for Detailed, Programmable Application Topologies: Logical Switching, Routing, Firewall, Load Balancing
(Diagram: “My App” with Web, App and Database tiers of VMs)
Security Groups: Web, App, Database
Security Policies:
“Default” – Firewall: access shared services (DNS, AD); Anti-Virus: scan daily
“Standard Web” – Firewall: allow inbound HTTP/S, allow outbound ANY; IPS: prevent DOS attacks, enforce acceptable use
“Standard App” – Firewall: allow inbound ANY, allow outbound ODBC
“Standard Database” – Firewall: allow inbound ODBC; Vulnerability Management: weekly scan
vRealize Automation for Applications and Infrastructure
VMware’s Automation Solution to Onboard the Cloud
Journey with many starting points and many maturity levels
Manual provisioning → On-demand, automated self-service access
Technology sprawl → High standardization
Initial provisioning → Lifecycle management
Homogeneous → Enterprise wide / heterogeneous
One inflexible approach → Extensible
Virtualized infrastructure → Any service from any layer
Manual approvals → High governance
Maturity stages: Automation / Infrastructure-as-a-Service; Application Release Automation / DevOps; Standardized MW / DB-as-a-Service; IT-as-a-Service “Service Broker”
vRealize Automation Policy Management
“Who provisions what and where”
(Diagram: Business Groups A, B, C; Users pass through Authentication & Role-Based Authorization to become Authorized Users; Resource Reservations with a Cost Profile across Shared Infrastructure (Tier 1, Public, Physical, Virtual); Service Blueprints with a Cost Profile; lifecycle of Requisition, Provision, Manage, Retire)
Application Self-Service with Networking and Security Using vRealize Automation and NSX
Traditional Infrastructure Provisioning with Networking
Days - Weeks (Wait, Work, Wait, Wait)
Infrastructure Service: Network, manual efforts
Switch (NETOPS): Connect Ethernet cables, configure switch port, VLANs, access control lists, assign IP addresses
Router (NETOPS): Configure router interface to connect to switch ports. Configure routing protocols.
Firewall (SECOPS): Connect networks to firewall appliances, configure firewall rules based on physical constructs e.g. IP address and VLANs
Load Balancer (LOAD BALANCER ADMIN): Connect networks to load balancer appliances, create and populate load balancer pool, assign Virtual IP Address to external interface
Application Centric Network and Security Services
Deployed and managed in the application context
(Diagram: Web, App and Database tiers of VMs)
• Applications configured with dedicated or shared virtual switches and routers depending on needs
• Virtual Machines can be moved (vMotion) without changing virtual network configuration
• Application specific policies including firewall rules, intrusion detection integration, and agentless anti-virus scanning at each application tier
• Dynamic configuration of application specific load balancers
• Without expensive physical hardware
• Networks configured to meet unique performance needs of each application
• Shared or dedicated switches, routers and load balancers depending on performance needs
Blueprint of the Modern Application
Define Once – Multiple Use
Deployment Time Options for Users
Support for Multiple Network Topologies
Repeatable Deployments
From Single Machine to Multi-Tier Applications
Catalog of Applications
“One Click” Deployment
Order your Application with Networking and Security
N+S Built On-Demand via NSX API
Automated IP Addressing
Automatic Cleanup With App Disposal
Group into Complete Application Environments or Services
Predefined, Tested, Compliant, Repeatable
Blueprint → Catalog Item → Complete Application Environment
CONNECTIVITY: Network Profiles, Default Gateway
SECURITY: Security Groups, Security Policies, Security Tags
AVAILABILITY: Logical Load Balancer
Top NSX Solutions with vRealize Automation
The Power of NSX and vRealize Automation delivers Application Deployment with . . .
On-Demand Networking and Security
On-Demand Security
Existing Networking and Security
Application Deployment with On-Demand Network and Security Services
The Power of VMware NSX and vRealize Automation
Application Deployment with On-Demand Networking & Security
(Diagram: Web/App and Database tiers of VMs)
Logical switches and routers created by NSX when the user creates an application
Single-tier or multi-tier NAT or routed topologies
Automated IP addressing of VMs and subnets
On-demand security groups built per app and per tier with VMs placed into groups
Security policies applied to dynamically created groups
Load-balancer dynamically deployed for application
Application Deployment with On-Demand Micro-Segmentation
The Power of VMware NSX and vRealize Automation
Application Deployment with On-Demand Micro-Segmentation
(Diagram: Web/App and Database tiers of VMs)
VMs placed on pre-created logical switches
On-demand security groups created when application is deployed
Security policies applied to dynamically created groups
Micro-segmentation on larger L2 networks
Load-balancer configuration dynamically deployed
VMs and security groups removed when app destroyed but networking remains
Application Deployment into Existing Network and Security Services
The Power of VMware NSX and vRealize Automation
Application Deployment into Existing Network and Security Services
(Diagram: Web/App and Database tiers of VMs)
Pre-created logical switches and routers defined by the NSX admin; VMs are wired to pre-created switches
Security Groups pre-defined to match security tags for each tier of application
When a cloud user selects a catalog item, VMs are wired to NSX switches and tagged with appropriate security tags
Enforcement is based on combining the tag with the rules in the security group
Applications can be single tier or multi-tier – typically routed topologies
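To make the tag → security group → rule chain on this slide and the per-tier firewall policies from the earlier "NSX – Virtual Networking and Security" slide concrete, here is an added Python model written for this page; it is not NSX or vRealize Automation code. The tier names, the "internet" source, the sample inventory and the scoping of each inbound rule to a source tier (Web → App, App → DB) are assumptions; the slides name only the services.

```python
# Constructed model (not the NSX API or vRA code) of tag-driven security
# groups and per-tier firewall rules from the slides. Untagged VMs match no
# group and are denied by default (the security groups are the only policy).
ANY = "ANY"
EXTERNAL = "internet"  # constructed name for traffic from outside the app

# Outbound rules per tier from the slide ("Standard Web": outbound ANY,
# "Standard App": outbound ODBC; the database policy lists no outbound rule).
OUTBOUND = {"web": {ANY}, "app": {"ODBC"}, "db": set()}

# Inbound rules: (destination tier, service, allowed source tiers). Scoping
# sources (Web -> App, App -> DB) is an assumption; the slide names services only.
INBOUND = [("web", "HTTP", {EXTERNAL}), ("web", "HTTPS", {EXTERNAL}),
           ("app", ANY, {"web"}), ("db", "ODBC", {"app"})]

def resolve_groups(vms):
    """Dynamic membership: a VM joins group 'app' because it carries tag 'app'."""
    groups = {tier: set() for tier in OUTBOUND}
    for name, tags in vms.items():
        for tier in tags & set(OUTBOUND):
            groups[tier].add(name)
    return groups

def tiers_of(name, groups):
    if name == EXTERNAL:
        return {EXTERNAL}
    return {tier for tier, members in groups.items() if name in members}

def flow_allowed(src, dst, service, groups):
    """Allowed only if the source tier may send the service (outbound rule)
    AND the destination tier accepts it from that source tier (inbound rule)."""
    src_tiers, dst_tiers = tiers_of(src, groups), tiers_of(dst, groups)
    if not src_tiers or not dst_tiers:
        return False
    out_ok = src == EXTERNAL or any(
        service in OUTBOUND[t] or ANY in OUTBOUND[t] for t in src_tiers)
    in_ok = any(tier in dst_tiers and svc in (service, ANY) and src_tiers & allowed
                for tier, svc, allowed in INBOUND)
    return out_ok and in_ok

def destroy_app(vms, app_tag):
    """App disposal: the app's VMs leave and groups are re-resolved from the
    remainder; logical switches (not modelled here) stay in place."""
    return {name: tags for name, tags in vms.items() if app_tag not in tags}

# Constructed sample inventory: "myapp" has two web VMs, one app VM, one
# database VM, and one VM that carries the app tag but no tier tag.
VMS = {"web-01": {"myapp", "web"}, "web-02": {"myapp", "web"},
       "app-01": {"myapp", "app"}, "db-01": {"myapp", "db"},
       "untagged-01": {"myapp"}, "shared-db": {"otherapp", "db"}}
```

Adding a third web VM needs only the tag, not a rule change, and a VM that lost its tier tag is cut off rather than silently admitted.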
Application Deployment Topologies
Support for Multiple Network Topologies
Multi-Tier App, Multiple Networks: Web, App and Database tiers, each tier of VMs on its own network
Multi-Tier App, Single Flat Network: Web, App and Database VMs on one network
Demo
Questions
http://www.vmware.com/products/vrealize-automation/
http://www.vmware.com/products/nsx/
Check out: Hands-On Labs: HOL-SDC-1632, HOL-SDC-1624, HOL-SDC-1603
Session: NET5362 Enabling Automated Network & Security Services with NSX and vRealize Automation