# VMworld 2017 #2211
Automating NSX for Virtual Machines and Containerized Applications
Justin Jones, Niran Evan Chen, Mitesh Pancholy
2211 BU
VMworld 2017 Content: Not for publication or distribution
Disclaimer
• This presentation may contain product features that are currently under development.
• This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.
• Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.
• Technical feasibility and market demand will affect final delivery.
• Pricing and packaging for any new technologies or features discussed or presented have not been determined.
Agenda
• Overview
• Automating NSX with vRA (Demo)
• Automating PCF & NSX (Walkthrough and Details)
• Summary (Q & A)
NSX & CMP Overview
NSX & PCF Overview
[Diagram: NSX provides Security / Micro-segmentation, Registry Security and Security Management across Virtual Container Hosts (VIC), Docker Container Hosts, Kubernetes Clusters (pods on Docker Engine / Linux Kernel) and Pivotal Cloud Foundry (BOSH-deployed containers on the Linux Kernel), all running on Physical Infrastructure.]
NSX & SDDC Overview
[Diagram: vCenter Server managing vSphere, Virtual SAN and NSX.]
• Single pane of glass and API across on-prem and cloud
• ESXi on dedicated hardware
• Support for containers and VMs
• VSAN on flash storage and EBS
• Replication and DR orchestration
• NSX spanning on-prem and cloud
• Advanced network/security services
vRealize Automation + NSX
Benefits
• Unified Service Design and Delivery
• App-Centric Networking and Security
• Incorporate External Services
• Achieve greater control and visibility
• Reduce wait times for siloed IT services
• Manage Infrastructure as Code
• Lifecycle Manage Everything
• Standardized and repeatable process
[Diagram: the Network Admin defines Network Profiles and the Security Admin defines Security Groups, Security Policies and Security Tags; the Cloud Admin composes these with Applications, Extensibility, On-Demand Networks and an On-Demand Load Balancer into a Converged Blueprint covering Connectivity, Security and Availability, published through the Unified Service Catalog to Cloud Consumers.]
NSX Automation Use Cases
[Diagram: Automation for IT & Developers. vRealize Automation sits between Network Admins, Security Admins and Developers on one side and the Physical Network Infrastructure, Virtual Network Infrastructure and Application Workloads on the other.]
Application-centric Network And Security Services
Deployed & Managed in the Application Context. Support for Multi-tier Apps on Multiple Networks or a Single Flat Network.
• Connectivity – App-specific Networking Configuration
• Security – App-specific Security Policies
• Availability – Dynamic App Availability Configuration
• Performance – App-specific Networking Performance
[Diagram: Web, App and Database tiers.]
Automation for Security Operations (Demo coming up)
NSX + vRealize Automation (vRA)
• By: Infrastructure Operations
• Approach: Unified Blueprint + Service Catalog
• Service: App + Security
• For: Security Admins
vRA + NSX – Cloud Operational Model
• Network Admin defines:
– Initial network configuration in NSX
– External Networks and Network Profiles in vRA
• Security Admin defines in NSX:
– Distributed Firewall Rules
– Security Groups / Policies / Tags
• Cloud Architect builds Blueprints:
– Blueprints include NSX Networks, Security components, Load Balancers, VMs and Apps
• Cloud Architect publishes Blueprints
• Cloud Consumer deploys applications:
– End-to-end provisioning: networks, NAT rules, security and LB configured at deployment
[Diagram: steps 1–2 (One Time) the Network Admin defines External Networks and Network Profiles and the Security Admin defines Security Groups, Security Policies and Security Tags; steps 3–5 the Cloud Architect builds Converged Blueprints (including the NSX Load Balancer) and publishes them to the Service Catalog; steps 6…N (Recurring) the Cloud Consumer deploys Applications.]
NSX Automation Use Cases
[Diagram: Automation for IT & Developers, extended with Containerized Workloads and PCF Workloads alongside Application Workloads; vRealize Automation sits between Network Admins, Security Admins and Developers and the Physical and Virtual Network Infrastructure.]
Demo
NSX & PCF Overview
[Diagram repeated from the first section: NSX Security / Micro-segmentation, Registry Security and Security Management across Virtual Container Hosts (VIC), Docker Container Hosts, Kubernetes Clusters and Pivotal Cloud Foundry (BOSH) on Physical Infrastructure.]
Pivotal Cloud Foundry 101
[Diagram: the Developer says "Here is my source code, run it on the cloud for me, I do not care how" and runs `cf push` on a .war; Staging combines it with a Root FS and Build Pack into a Droplet, which runs as Application Instances (AI) spread across Availability Zone 1, 2 and 3. A URL request for myapp.foo.com resolves via *.foo.com to the NSX Edge VIP; the NSX Edge load-balances to the PCF Routing tier (LB Pool Members) in each zone.]
PCF & NSX High Level Architecture
[Diagram: a PCF 'Foundation' in IaaS vSphere Security Zone A (Hub). An NSX Edge fronts logical switches (LS: Infra, LS: ERT, LS: Services, LS: Isolation_A /22, LS: OSPF; prefixes /26, /22 and /24(s) shown) interconnected by a Distributed Logical Router (DLR). The CF Control Plane holds OpsMgr (PCF), BOSH, GoRouter, Diego Brain and TCP Router; the Elastic Runtime runs Cells hosting Application Instances (Internal Apps) governed by CF ASGs; service tiles such as PCF Rabbit and PCF MySQL sit on the Services switches; a PCF Isolation Segment has its own GoRouter and Cells.]
• BOSH unifies release engineering, deployment and lifecycle management of the PCF platform. It supports multiple IaaS providers via its Cloud Provider Interface (CPI).
• Ops Manager is a graphical user interface built by Pivotal on top of BOSH for deploying and managing PCF.
• Elastic Runtime runs applications and stacks all the components needed to support them, such as Routers, Authentication, App Lifecycle, Service Brokers, Messaging, and Metrics and Logging.
• Services tiers allow users to provision and consume marketplace services or build custom services as needed.
• An Isolation Segment is a set of resources deployed in isolation, without its own control plane. It provides routing and compute isolation.
• NSX provides:
– L2 services – networks for the different components
– L3 services – routing between the networks using a DLR and the Edge
– Edge services – on/off, NAT, LB, FW
– DFW – Distributed Firewall
Day 1 Automation – Concourse pipeline
[Diagram: a Concourse pipeline stands up three Opsman + BOSH pairs.]
NSX Day 2 Automation – BOSH
[Diagram: a single PCF 'Foundation' spanning IaaS vSphere Security Zone A (Hub) and Security Zone B (Spoke). Zone A holds the NSX Edge, the Elastic Runtime, the CF Control Plane (Ops Mgr (PCF), BOSH, GoRouter, Diego Brain, TCP Router), Cells with Application Instances (Internal Apps), CF ASGs and service tiles (PCF Rabbit, PCF MySQL) on logical switches LS: Infra, LS: ERT, LS: Services and LS: OSPF (prefixes /26, /22 and /24(s)), with DNS *.sys.pcf.foo.com and *.default-apps.foo.com. Zone B holds a PCF Isolation Segment (LS: Isolation_A /22) with its own GoRouter and Cells serving Public Apps under *.public-apps.foo.com, plus External Services; SSH, TCP, APPS and ISO traffic crosses between the zones through the Distributed Logical Router (DLR). Each zone runs on an ESX Cluster with a Resource Pool and vSAN/NFS/VMFS storage, deployed via VCF and BOSH.]
• Use NSX Security Groups for dynamic security principals
– BOSH Integrated NSX (Dynamic Membership)
– Ingress & Egress PCF Org/Space Specific FW
– Dynamic LB Pool Membership
Network Security & Controls
[Diagram: the same Hub (Zone A) / Spoke (Zone B) foundation as on the previous slide, annotated with a policy icon ({}).]
• Use NSX Security Groups for dynamic security principals
– BOSH Integrated NSX (Dynamic Membership)
– Ingress & Egress PCF Org/Space Specific FW
– Dynamic LB Pool Membership
• Use Distributed Firewall Policy
– Leverage PCF Integrated Dynamic Security Groups
– Control East+West from single policy engine
– Control App to App at the Org/Space level with Isolation Segments
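As an added example that is not part of the slides, the BOSH configuration shape behind "BOSH Integrated NSX (Dynamic Membership)" and "Dynamic LB Pool Membership": a cloud-config vm_extension that places a deployment's router VMs into NSX Security Groups and an NSX Edge load-balancer pool, attached to an instance group, plus the Director's NSX Manager credentials. It assumes the vSphere CPI's `nsx` cloud property (`security_groups`, `lbs`) and the Director's `vcenter.nsx` block; all group, edge, pool, vm_type and credential names are placeholders.

```yaml
# Added example, not from the session slides. Assumes the vSphere CPI 'nsx'
# cloud property; every group, edge, pool and credential name is a placeholder.
---
# cloud-config: a vm_extension that any instance_group can opt into
vm_extensions:
- name: zone-a-gorouter-nsx              # placeholder extension name
  cloud_properties:
    nsx:
      # VMs created with this extension are added to these NSX Security Groups
      # (assumed: the CPI creates a group if it does not exist). DFW rules that
      # reference the group then follow scale-out, scale-in and VM recreation,
      # so no rule ever needs to name an individual router IP.
      security_groups:
      - sg-pcf-zone-a-gorouter             # placeholder group name
      - sg-pcf-zone-a-ert                  # placeholder group name
      # Edge LB pool membership is derived from the same group, so a recreated
      # router becomes a pool member without a manual change on the Edge.
      lbs:
      - edge_name: edge-zone-a             # placeholder NSX Edge name
        pool_name: pool-gorouter-https     # placeholder pool name
        security_group: sg-pcf-zone-a-gorouter
        port: 443                          # example values
        monitor_port: 8080
---
# deployment manifest: attach the extension to the router instance group
# (azs, networks, jobs and stemcell omitted for brevity)
instance_groups:
- name: router
  instances: 3
  vm_type: medium                          # placeholder vm_type
  vm_extensions:
  - zone-a-gorouter-nsx
---
# Director manifest: NSX Manager credentials the CPI uses for these calls.
# Supply them as variables (CredHub / vars file) rather than inline.
properties:
  vcenter:
    nsx:
      address: ((nsx_manager_address))     # placeholder variables
      user: ((nsx_manager_user))
      password: ((nsx_manager_password))
```

The security-relevant effect is that firewall and load-balancer membership is owned by the deployment definition, so a review of `bosh deployments` and the cloud-config shows exactly which VMs can land in which groups.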
Summary
Questions?
Appendix