Page 1: Automating NSX for Virtual Machines and Containerized Applications

Justin Jones, Niran Evan Chen, Mitesh Pancholy

2211 BU

#Vmworld #2211

VMworld 2017 Content: Not for publication or distribution

Page 2: Disclaimer

• This presentation may contain product features that are currently under development.

• This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.

• Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.

• Technical feasibility and market demand will affect final delivery.

• Pricing and packaging for any new technologies or features discussed or presented have not been determined.

Page 3: Agenda

• Overview

• Automating NSX with vRA – Demo

• Automating PCF & NSX – Walkthrough and Details

• Summary – Q & A

Page 4: NSX & CMP Overview

Page 5: NSX & PCF Overview

[Diagram: NSX providing Security / Micro-segmentation, Registry Security and Management across Virtual Container Hosts (VIC), Docker Container Hosts, Kubernetes Clusters and Pivotal Cloud Foundry (BOSH) containers, all on Physical Infrastructure. Each host runs a Docker Engine on a Linux Kernel hosting containers (C) or Pods.]

Page 6: NSX & SDDC Overview

• Single pane of glass and API across on-prem and cloud

• ESXi on dedicated hardware

• Support for containers and VMs

• VSAN on flash storage and EBS

• Replication and DR orchestration

• NSX spanning on-prem and cloud

• Advanced network/security services

[Diagram: vCenter Server managing vSphere, Virtual SAN and NSX]

Page 7: vRealize Automation + NSX

Benefits

• Unified Service Design and Delivery

• App-Centric Networking and Security

• Incorporate External Services

• Achieve greater control and visibility

• Reduce wait times for siloed IT services

• Manage Infrastructure as Code

• Lifecycle Manage Everything

• Standardized and repeatable process

[Diagram: a Cloud Admin builds a Converged Blueprint (Applications, Extensibility, Security, Networking) that is published to a Unified Service Catalog for Cloud Consumers. The Network Admin supplies Network Profiles and On-Demand Networks (Connectivity); the Security Admin supplies Security Groups, Security Policies and Security Tags (Security); an On-Demand Load Balancer covers Availability.]

Page 8: NSX Automation Use Cases

Automation for IT & Developers

[Diagram: vRealize Automation serving Network Admins (Virtual Network Infrastructure, Physical Network Infrastructure), Security Admins and Developers (Application Workloads)]

Page 9: Application-centric Network And Security Services

Deployed & Managed in the Application Context

Support for Multi-tier Apps on Multiple Networks or Single Flat Network

• Connectivity – App-specific Networking Configuration

• Security – App-specific Security Policies

• Availability – Dynamic App Availability Configuration

• Performance – App-specific Networking Performance

[Diagram: three-tier application with Web, App and Database tiers]

Page 10: Automation for Security Operations (Demo coming up)

NSX + vRealize Automation (vRA)

By: Infrastructure Operations

Approach: Unified Blueprint + Service Catalog

Service: App + Security

For: Security Admins

Page 11: vRA + NSX – Cloud Operational Model

• Network Admin defines:

– Initial network configuration in NSX

– External Networks and Network Profiles in vRA

• Security Admin defines in NSX:

– Distributed Firewall Rules

– Security Groups / Policies / Tags

• Cloud Architect builds Blueprints:

– Blueprints include NSX Networks, Security components, Load Balancers, VMs and Apps

• Cloud Architect publishes Blueprints

• Cloud Consumers deploy applications:

– End-to-end provisioning: networks, NAT rules, security and LB configured at deployment

[Diagram: (1) Network Admin defines External Networks and Network Profiles; (2) Security Admin defines Security Groups, Security Policies and Security Tags; (3) Cloud Architect builds Converged Blueprints including the NSX Load Balancer; (4) Blueprints are published to the Service Catalog; (5) Cloud Consumer deploys; (6..N) Applications. Steps 1–4 are One Time, steps 5–N are Recurring.]

Page 12: NSX Automation Use Cases

Automation for IT & Developers

[Diagram: Network Admins, Security Admins and Developers using vRealize Automation across Virtual Network Infrastructure, Physical Network Infrastructure, Application Workloads, Containerized Workloads and PCF Workloads]

Page 13: Demo

Page 14: NSX & PCF Overview

[Diagram: NSX providing Security / Micro-segmentation, Registry Security and Management across Virtual Container Hosts (VIC), Docker Container Hosts, Kubernetes Clusters and Pivotal Cloud Foundry (BOSH) containers, all on Physical Infrastructure. Each host runs a Docker Engine on a Linux Kernel hosting containers (C) or Pods.]

Page 15: Pivotal Cloud Foundry 101

[Diagram: a Developer ("Here is my source code, run it on the cloud for me, I do not care how") runs `cf push` with a .war. Staging combines the Root FS and a Build Pack into a Droplet, which runs as App Instances (AI) across Availability Zone 1, Availability Zone 2 and Availability Zone 3. A URL request for myapp.foo.com resolves through *.foo.com = NSX Edge VIP to the NSX Edge, whose LB Pool Members are the PCF Routing instances.]

Page 16: PCF & NSX High Level Architecture

[Diagram: a PCF 'Foundation' on IaaS: vSphere Security Zone A (Hub). Behind an NSX Edge and Logical Routing (DLR) sit the logical switches LS: Infra (/26, CF Control Plane: Ops Manager (PCF), BOSH), LS: ERT (/22, Elastic Runtime: GoRouter, Diego Brain, TCP Router, Cells running App Instances), LS: Services # (/24s, PCF Rabbit, PCF MySQL and further services), LS: OSPF, and LS: Isolation_A (/22, a PCF Isolation Segment with its own GoRouter and Cells). CF ASGs govern Internal Apps.]

• BOSH unifies release engineering, deployment and life cycle management of the PCF platform. It supports multiple IaaS providers via its Cloud Provider Interface (CPI).

• Ops Manager is a graphical user interface built by Pivotal on top of BOSH for deploying and managing PCF.

• Elastic Runtime runs applications and includes all components needed to support them, such as routers, authentication, app life cycle, service brokers, messaging, and metrics and logging.

• Service tiers allow users to provision and consume marketplace services or build custom services as needed.

• An Isolation Segment is a set of resources deployed in isolation, without its own control plane. It provides routing and compute isolation.

NSX provides:

• L2 services – networks for the different components

• L3 services – routing between the networks using a DLR and the Edge

• Edge services – on/off, NAT, LB, FW

• DFW – Distributed firewall

Page 17: Day 1 Automation – Concourse pipeline

[Diagram: a Concourse pipeline deploying three Opsman + BOSH pairs]

Page 18: NSX Day 2 Automation – BOSH

• Use NSX Security Groups for dynamic security principals

– BOSH Integrated NSX (Dynamic Membership)

– Ingress & Egress PCF Org/Space Specific FW

– Dynamic LB Pool Membership

[Diagram: a Single PCF 'Foundation' spanning IaaS: vSphere Security Zone A (Hub) and IaaS: vSphere Security Zone B (Spoke). Zone A holds the NSX Edge, Logical Routing (DLR), LS: Infra (/26, CF Control Plane: Ops Mgr (PCF), BOSH), LS: ERT (/22, Elastic Runtime: GoRouter, Diego Brain, TCP Router, Cells with App Instances), LS: Services # (/24s, PCF Rabbit, PCF MySQL), LS: OSPF and Internal Apps governed by CF ASGs; DNS: *.sys.pcf.foo.com, *.default-apps.foo.com. Zone B holds LS: Isolation_A (/22), a PCF Isolation Segment with its own GoRouter and Cells serving Public Apps (DNS: *.public-apps.foo.com) reached over SSH and TCP, plus External Services. BOSH provisions onto three ESX Clusters, each with a Resource Pool and vSAN/NFS/VMFS storage, via VCF.]

Page 19: Network Security & Controls

• Use NSX Security Groups for dynamic security principals

– BOSH Integrated NSX (Dynamic Membership)

– Ingress & Egress PCF Org/Space Specific FW

– Dynamic LB Pool Membership

• Use Distributed Firewall Policy

– Leverage PCF Integrated Dynamic Security Groups

– Control East+West from single policy engine

– Control App to App at the Org/Space level with Isolation Segments

[Diagram: the same Hub (Security Zone A) / Spoke (Security Zone B) PCF Foundation as Page 18, with Distributed Firewall policy applied across both zones]
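Added example, not code from the slides or from VMware: a small Python model of the constructs Pages 11, 18 and 19 rely on (security tags applied at deployment, security groups with dynamic tag-based membership, DFW rules between groups with default deny for East-West traffic, and an LB pool whose members track a security group). Group names, tag values, VM names and addresses are constructed for illustration.

```python
# Added example (not from the slides): toy model of NSX security tags, dynamic
# security-group membership, DFW rules with default deny, and a dynamic LB pool.
# All group/tag names and IPs below are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Workload:
    name: str
    ip: str
    tags: frozenset  # NSX security tags set by vRA or BOSH when the VM is deployed

@dataclass(frozen=True)
class SecurityGroup:
    name: str
    required_tags: frozenset  # dynamic membership: every listed tag must be present

    def members(self, inventory):
        return {w.name for w in inventory if self.required_tags <= w.tags}

def dfw_evaluate(groups, rules, inventory, src, dst, port):
    """DFW: rules are (src_group, dst_group, port, action); first match wins,
    and any East-West flow no rule matches is denied."""
    by_name = {g.name: g for g in groups}
    for sg, dg, rport, action in rules:
        if (src in by_name[sg].members(inventory)
                and dst in by_name[dg].members(inventory) and rport == port):
            return action
    return "deny"

def lb_pool_members(inventory, group):
    """Dynamic LB pool: members are whatever the security group contains right now."""
    return sorted(w.ip for w in inventory if w.name in group.members(inventory))

# Security Admin's one-time definitions (step 2 of the cloud operational model).
GROUPS = [SecurityGroup("SG-Web", frozenset({"tier:web", "env:prod"})),
          SecurityGroup("SG-App", frozenset({"tier:app", "env:prod"})),
          SecurityGroup("SG-DB", frozenset({"tier:db", "env:prod"}))]
RULES = [("SG-Web", "SG-App", 8080, "allow"), ("SG-App", "SG-DB", 3306, "allow")]

def deploy_blueprint(extra=()):
    """Recurring step 5: a three-tier blueprint deployment, each VM tagged as it lands."""
    return [
        Workload("web-01", "10.0.1.11", frozenset({"tier:web", "env:prod"})),
        Workload("app-01", "10.0.2.11", frozenset({"tier:app", "env:prod"})),
        Workload("db-01", "10.0.3.11", frozenset({"tier:db", "env:prod"})),
        Workload("web-dev", "10.0.9.11", frozenset({"tier:web", "env:dev"})),  # wrong env
        *extra,
    ]
```

Deploying another tagged web VM changes nothing in the rules or the pool definition: it becomes a group member, a DFW-covered source and an LB pool member purely through its tags.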

Page 20: Summary

Page 21: Questions?


Page 24: Appendix