NET2761BU: NSX Data Center Load Balancing and VPN Services
Derek Deukyoon Kang, VMware, Inc.
Vinay Reddy, VMware, Inc.
#vmworld #NET2761BU
Disclaimer
This presentation may contain product features or functionality that are currently under development. This overview of new technology represents no commitment from VMware to deliver these features in any generally available product. Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind. Technical feasibility and market demand will affect final delivery. Pricing and packaging for any new features/functionality/technology discussed or presented have not been determined.
The Virtual Cloud Network: Connect and Protect your Business
(Diagram: branch, telco/NFV and edge/IoT sites connected by the Virtual Cloud Network.)
Virtual Cloud Networking: Connect & Protect any workload across any environment
Environments: public clouds; private data centers; telco networks; branch offices
Workloads and endpoints: VMs, containers, microservices; users; things; apps and data
Built-in: secure connectivity; availability; policy; scalability; analytics and insights
Properties: automated; programmable; application centric
VMware NSX Portfolio: The Foundation of the Virtual Cloud Network
Networking and security (network and security virtualization):
- NSX Data Center: networking and security for data center workloads
- NSX Cloud: networking and security for public cloud workloads
- NSX SD-WAN by VeloCloud: WAN connectivity services
- NSX Hybrid Connect: data center and cloud workload migration
- AppDefense: modern application security
Management and automation:
- vRealize Automation: end-to-end workload automation
- Network Insight: network discovery and insights
Platform attributes: cloud-based management; workflow automation; blueprints/templates; insights/discovery; visibility; security; integration; extensibility; automation; elasticity
NSX Load Balancing Services
(source: https://f5.com/about-us/news/the-state-of-application-delivery)
17: number of applications the organization plans to deploy over the next 12 months
Top requirements: Availability, Scalability, Security
Challenges: manual processes; uneven connectivity and security; management complexity
NSX Solution: a software-defined, pervasive, programmable way to network and services
What is a Load Balancing Service?
A load balancer exposes a virtual server (VIP : Port) to clients and distributes each client session across the servers behind it (web 1, web 2, web 3), e.g. c1 -> web 1, c2 -> web 2, c3 -> web 3.
- L4/L7 traffic distribution
- Persistence
- Health monitoring (in the diagram web 1 and web 2 are Up, web 3 is Down)
Benefits of NSX Logical Load Balancer
Deployment: software-defined load balancer; 100% API driven / GUI / CLI; deploy LB instances on demand; full life cycle management; centralized management
Features: L4/L7 load balancing (TCP/UDP/HTTP/HTTPS); App rules; persistence (source IP and cookie); SSL termination (offload and proxy); TLS mutual authentication; health monitoring (ICMP, TCP, UDP, HTTP, DNS, FTP)
Integration: integral part of the NSX platform; cloud management platforms: vRealize Automation, OpenStack (VIO), vCloud Director (vCD); cloud-native integration: Pivotal Container Service (PKS), OpenShift
NSX Load Balancer Customers: 1,000+
Top reasons for adoption: CAPEX savings; automation; quick deployment; part of NSX platform; better capacity planning; horizontal scale
Deploy a Load Balancer
(Diagram: Production LB, Staging LB and Testing LB instances, each an Edge Services Gateway LB.)
Challenges: taking days or weeks to deploy physical or virtual appliances due to the complexity of initial setup and network plumbing
Solution: centralized life cycle management of a load balancer
Benefits: quick and easy deployment; placing an LB close to the workload; single pane of glass for LB and security
Deploying a Load Balancer: Example
Creating a Virtual Server: Overview
A Virtual Server (name My_VS, IP : Port 20 : 443, protocol HTTPS) references an Application Profile, Application Rules and a Pool.
- Application Profile: construct for entering further details for a given protocol of a virtual server, e.g. persistence, X-Forwarded-For, SSL
- Application Rules: construct for a set of rules and options for matching conditions and taking actions, e.g. URL switching, header rewrite
- Pool: construct to specify members, including a reference to a service monitor
- Service Monitor: construct for health monitoring rules
Creating a Virtual Server: Example
HTTP Persistence
Flow: 1. Request (new session) -> server selection -> 2. Request to web 1 -> 3. Response from web 1 -> 4. Response to the client with set-cookie: svr=web1 -> 5. Request with cookie: svr=web1 -> 6. Request forwarded to web 1 again (web 2 is not used for this session)
Challenges: sending all requests of a client session to the same application server
Solution: cookie-based persistence, where a cookie or a cookie value can be added transparently by the LB
Benefits: better scalability without complicating application logic
HTTP Persistence Configuration Example: create an Application Profile for cookie persistence and apply it to a Virtual Server
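The virtual server, cookie-persistence application profile, pool and service monitor from the previous slides, modelled together as an added example (not NSX code): member names web1/web2/web3, the monitor states and the cookie name svr are constructed to match the slides, and the demo also covers the case the slides do not draw, a pinned server that the monitor later marks Down.

```python
"""Virtual server with cookie-insert persistence over a health-monitored pool.

Added example, not NSX code. Pool members web1/web2/web3, their Up/Down
state and the cookie name 'svr' are constructed to mirror the slides."""
from http.cookies import SimpleCookie


class Pool:
    """Pool members plus the Up/Down state that the service monitor maintains."""
    def __init__(self, members, health):
        self.members, self.health = list(members), dict(health)

    def healthy(self):
        return [m for m in self.members if self.health.get(m) == "Up"]


class VirtualServer:
    """HTTPS virtual server whose application profile inserts a persistence cookie."""
    def __init__(self, pool, cookie_name="svr"):
        self.pool, self.cookie_name, self._next = pool, cookie_name, 0

    def _round_robin(self):
        up = self.pool.healthy()              # only members the monitor reports Up
        if not up:
            raise RuntimeError("no healthy pool members")
        srv = up[self._next % len(up)]
        self._next += 1
        return srv

    def route(self, headers):
        """Return (server, set_cookie) for one request; set_cookie is None when sticky.

        A cookie naming an Up member pins the request to it. A missing cookie, or one
        naming a member marked Down, triggers a fresh selection and a new Set-Cookie."""
        jar = SimpleCookie(headers.get("Cookie", ""))
        wanted = jar[self.cookie_name].value if self.cookie_name in jar else None
        if wanted in self.pool.healthy():
            return wanted, None
        srv = self._round_robin()
        return srv, f"{self.cookie_name}={srv}"


def demo():
    """Replays the slide's flow, then a monitor failure of the pinned server."""
    pool = Pool(["web1", "web2", "web3"], {"web1": "Up", "web2": "Up", "web3": "Down"})
    vs = VirtualServer(pool)
    first = vs.route({})                        # new session: web1 selected, cookie inserted
    second = vs.route({"Cookie": "svr=web1"})   # sticks to web1, no new cookie
    pool.health["web1"] = "Down"                # service monitor marks web1 Down
    third = vs.route({"Cookie": "svr=web1"})    # re-selected to web2, cookie rewritten
    return first, second, third
```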
SSL Termination
SSL Offload: HTTPS from the client is terminated on the LB and forwarded as HTTP to web 1 / web 2
SSL Proxy: HTTPS from the client is terminated on the LB and re-encrypted as HTTPS to web 1 / web 2
Challenges: content switching and access control on encrypted (HTTPS) traffic
Solution: terminate SSL on the LB and perform content switching
Benefits: managing encrypted traffic; centralized SSL policy management
SSL Termination Configuration Example: SSL Offload and SSL Proxy (end-to-end SSL)
Cloud Native Integration: Pivotal Container Service
(Diagram: external traffic enters the k8s cluster through an NSX LB acting as the Ingress controller; Ingress rules cafe.example.com/tea -> tea-svc and cafe.example.com/latte -> latte-svc, each service backed by pods 1A/1B and 2A/2B.)
k8s load balancing services: Ingress (HTTP/HTTPS LB)
Challenges: ingress controller monitoring; auto deployment of an LB as the K8s ingress controller
Solution: NSX plugin for k8s that auto-deploys an NSX LB instance when it creates a networking stack for a k8s cluster
Benefits: single pane of glass for networking and security stacks for k8s clusters; centralized GUI access for advanced LB configuration and monitoring
Cloud Native Integration Configuration Example
Kubernetes (PKS) Ingress:
```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: cafe-ingress
spec:
  rules:
  - host: cafe.example.com
    http:
      paths:
      - path: /tea
        backend:
          serviceName: tea-svc
          servicePort: 80
      - path: /latte
        backend:
          serviceName: latte-svc
          servicePort: 80
```
NCP (NSX Container Plugin) maps it onto the NSX Load Balancer as:
- Virtual Server: cafe-ingress
- LB Rules: cafe.example.com/tea -> tea-svc; cafe.example.com/latte -> latte-svc
- Pools: tea-svc, latte-svc
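The Ingress-to-LB translation shown on this slide, as an added example that models the mapping (one virtual server, one rule per host+path, one pool per service) and is not NCP's own code; the cafe-ingress object is written as a dict so it runs without a YAML parser, and the host-less-rule handling is an assumption.

```python
"""Mapping of a Kubernetes Ingress onto LB objects (added example; a model of
the translation the slide describes, not NCP's own code). CAFE_INGRESS is the
slide's cafe-ingress written as a dict so the example runs without a YAML parser."""

CAFE_INGRESS = {
    "apiVersion": "extensions/v1beta1",
    "kind": "Ingress",
    "metadata": {"name": "cafe-ingress"},
    "spec": {"rules": [{
        "host": "cafe.example.com",
        "http": {"paths": [
            {"path": "/tea", "backend": {"serviceName": "tea-svc", "servicePort": 80}},
            {"path": "/latte", "backend": {"serviceName": "latte-svc", "servicePort": 80}},
        ]},
    }]},
}


def ingress_to_lb(ingress):
    """Return {"virtual_server", "rules", "pools"} for one Ingress.

    One virtual server per Ingress, one pool per backend service (name -> port),
    one L7 rule per host+path (rule key -> pool name). A host+path that points at
    two different services is rejected: the LB could not pick a unique pool."""
    if ingress.get("kind") != "Ingress":
        raise ValueError("not an Ingress object")
    rules, pools = {}, {}
    for rule in ingress["spec"].get("rules", []):
        host = rule.get("host", "*")        # assumption: a host-less rule matches any host
        for path in rule.get("http", {}).get("paths", []):
            backend = path["backend"]
            key = host + path.get("path", "/")
            pool = backend["serviceName"]
            if rules.get(key, pool) != pool:
                raise ValueError(f"conflicting backends for {key}")
            rules[key] = pool
            pools[pool] = backend["servicePort"]
    return {"virtual_server": ingress["metadata"]["name"], "rules": rules, "pools": pools}
```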
Key Takeaways: NSX Logical Load Balancer
- Software defined: complete life cycle management of LB services; API driven; cloud native integration
- Ease of deployment: quick deployment, no installation task; single point of management
- CAPEX savings: included as part of NSX licenses; deploy as many instances as needed without licensing restrictions
NSX VPN Services
When do you use VPN to Extend the Networks?
Use cases: data center consolidation; disaster avoidance/recovery; capacity expansion / cloud bursting
Extending Networks: Different Approaches
Layer 2 network extension (L2VPN): seamless VM migration (incl. long-distance vMotion) without IP address change; may require egress optimization; reduced interoperability
Layer 3 network extension (IPsec): better interoperability (standard protocol, i.e. IPsec); simple routing, no egress optimization required; IP addresses must change when VMs migrate
NSX VPN Service Advantages
Software defined: works on any IP network; simpler to implement; faster time to market; reduced cost
Layer 2 extension (L2VPN): extend VLAN to VLAN; extend VXLAN to VXLAN; extend VLAN to VXLAN; egress routing optimized
Layer 3 extension (IPsec): interoperable, IPsec tested with major vendors; AES-NI H/W offload; NAT traversal and dead peer detection support
Layer 2 Extension (L2VPN)
(Diagram: Site A networks behind physical routers and an L2VPN Server Edge; Site B networks behind physical routers and an L2VPN Client Edge; L2 extensions carried over SSL across the L3 network.)
L2VPN service is provided by NSX Edge. Traffic flows through an SSL over TCP connection (NAT and proxies supported).
L2VPN Network Types: VLAN to VLAN; VXLAN to VXLAN; VXLAN to VLAN
L2VPN: L2+L3 or L2 Only
L2VPN Edges can be the gateways of stretched subnets, or do only L2 bridging:
- L2+L3, Edge as gateway: the L2VPN Edge is the gateway for the site networks (VXLAN and VLAN)
- L2 only, physical gateway: the L2VPN Edge is unnumbered and a physical gateway behind the physical routers does the routing
- L2 only, DLR as gateway: the L2VPN Edge is unnumbered and a Distributed Logical Router is the gateway for the VXLAN networks
L2VPN Supported Topologies
L2VPN works as a client/server solution:
- A single Edge can only be either an L2VPN client or an L2VPN server
- An L2VPN server can have up to 5 clients connected (hub and spoke)
- An L2VPN client can connect only to a single server
- VLAN IDs/VNIs can be mixed based on tunnel ID
Topologies: point-to-point L2 (1 server, 1 client); hub-and-spoke L2 (1 server, up to 5 clients)
L2VPN Egress Optimization
L2VPN supports egress optimization by using the same gateway on both sites; ARP filtering on the gateway address is used to avoid conflicting MAC addresses.
(Diagram: Site A L2VPN Server and Site B L2VPN Client, both unnumbered, extending the same subnet over SSL across the L3 network, with a physical gateway at each site behind the physical routers.)
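The ARP filtering that egress optimization relies on, as an added example (not NSX code): an L2VPN edge that keeps ARP requests for the shared gateway IP and ARP replies from it local, so each site resolves its own gateway's MAC; the gateway IP, MAC addresses and frames are constructed for the demo, and the frame builder exists only to produce test input.

```python
"""ARP filtering for L2VPN egress optimization (added example, not NSX code).
Both sites use the same gateway IP, so ARP about that IP must not cross the
tunnel; otherwise hosts learn the remote gateway's MAC and traffic hairpins."""
import ipaddress
import struct

ETH_ARP, ETH_VLAN = 0x0806, 0x8100
ARP_REQUEST, ARP_REPLY = 1, 2
ARP_FMT = "!HHBBH6s4s6s4s"           # htype ptype hlen plen op sha spa tha tpa


def parse_arp(frame):
    """Return (op, sender_ip, target_ip) for an ARP frame, None for anything else."""
    ethertype, = struct.unpack_from("!H", frame, 12)
    off = 14
    if ethertype == ETH_VLAN:        # step over one 802.1Q tag
        ethertype, = struct.unpack_from("!H", frame, 16)
        off = 18
    if ethertype != ETH_ARP or len(frame) < off + struct.calcsize(ARP_FMT):
        return None
    _, _, _, _, op, _, spa, _, tpa = struct.unpack_from(ARP_FMT, frame, off)
    return op, str(ipaddress.IPv4Address(spa)), str(ipaddress.IPv4Address(tpa))


def forward_over_tunnel(frame, gateway_ips):
    """True if the L2VPN edge should bridge this frame to the remote site.
    Requests for a gateway IP and replies from a gateway IP stay local so
    each site keeps resolving the MAC of its own gateway."""
    arp = parse_arp(frame)
    if arp is None:
        return True                  # non-ARP traffic is bridged unchanged
    op, sender, target = arp
    if op == ARP_REQUEST and target in gateway_ips:
        return False
    if op == ARP_REPLY and sender in gateway_ips:
        return False
    return True


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip, vlan=None):
    """Build a broadcast Ethernet/ARP frame (constructed test input, not a capture)."""
    eth = b"\xff" * 6 + sender_mac
    if vlan is not None:
        eth += struct.pack("!HH", ETH_VLAN, vlan)
    eth += struct.pack("!H", ETH_ARP)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op, sender_mac,
                      ipaddress.IPv4Address(sender_ip).packed,
                      target_mac, ipaddress.IPv4Address(target_ip).packed)
    return eth + arp
```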
L2VPN Configuration: Server and Client
L2VPN Standalone Client
For migrations and hybrid cloud, it is possible to deploy a standalone L2VPN client-only Edge. NSX licensing is required only for the server side, not for the client.
(Diagram: Site A managed L2VPN Server (L2 only or L2+L3) connected over SSL across the L3 network to a Site B standalone L2VPN Client deployed from OVA, unnumbered, with a physical gateway behind the physical routers.)
L2VPN Standalone Client (cont.)
The standalone L2VPN client-only Edge comes in OVA form-factor:
- Initial configuration is provided via OVF properties
- A set CLI is introduced in NSX for vSphere 6.2 to allow configuration changes without a reboot
It works exclusively in L2-only mode:
- All subinterfaces are unnumbered; no routing is performed (a router must already be present)
- L2VPN egress optimization is still supported
- No other services (routing, firewall, NAT, LB, DHCP, IPsec, SSL VPN, etc.) are supported
- Only VLAN-backed subinterfaces are supported on the client side (no VXLAN)
Layer 3 Extension (IPsec)
(Diagram: IPsec VPN tunnels between sites.)
- Interoperable: IPsec tested with major vendors
- AES-NI H/W offload
- NAT traversal, dead peer detection
- UI and API based Edge configuration and monitoring
Deployment Scenario 1: Hub & Spoke, Spoke-to-Spoke Traffic NOT Allowed
One hub site (ESG1, DLR-1) and two remote spoke sites, (ESG4, DLR-3) and (ESG3, DLR-2).
The goal is to enable IP connectivity between each spoke's networks and the networks belonging to the hub site.
No spoke-to-spoke direct or indirect traffic is allowed.
(Network layout and tunnels layout diagrams: IPsec tunnels ESG4-ESG1 and ESG3-ESG1; a second slide zooms in on the ESG4-ESG1 tunnel.)
Deployment Scenario 2: Hub & Spoke, Spoke-to-Spoke Traffic Allowed
Same sites as Scenario 1: one hub site (ESG1, DLR-1) and two remote spoke sites, (ESG4, DLR-3) and (ESG3, DLR-2).
The goal is to enable IP connectivity between each spoke's networks and the networks belonging to the hub site.
Spoke-to-spoke indirect (through the hub site) traffic is allowed; the diagram annotates NAT for the internal subnet.
(Network layout and tunnels layout diagrams: IPsec tunnels ESG4-ESG1 and ESG3-ESG1; further slides zoom in on each tunnel.)
Interoperability with Physical Endpoints
Edge IPsec implementation is interoperable with major hardware vendors' implementations. Example of a working configuration between an edge gateway and a Cisco router (R5), where the ESG3 peer address is reconstructed as 172.16.93.41 from the slide's 172.16.93.32/28 transit network:
```
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key 123456 address 172.16.93.41
!
crypto ipsec transform-set ESG3 esp-3des esp-sha-hmac
 mode tunnel
!
crypto map ESG3 10 ipsec-isakmp
 set peer 172.16.93.41
 set transform-set ESG3
 set pfs group1
 match address 100
!
access-list 100 permit ip 77.77.0.0 0.0.255.255 31.0.0.0 0.0.255.255
!
interface GigabitEthernet1
 crypto map ESG3
```
(Diagram: R5 at .42 and ESG3 (edge-42) at .41 on the 172.16.93.32/28 transit network; DLR-1 behind ESG3.)
This interop example uses 3DES, SHA-1 and DH group 2 / PFS group 1, which are legacy choices; a production deployment would use AES (which the Edge accelerates with AES-NI) and a stronger DH group on both sides.
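A consistency and strength check over the Cisco-side configuration above, as an added example (not part of the deck or of any vendor tool): it verifies that the crypto map's peer, transform-set and ACL references resolve, then flags the legacy algorithm choices; the embedded config is the slide's, with the garbled peer address assumed to be 172.16.93.41.

```python
"""Lint for the slide's Cisco-side IPsec config (added example, not vendor code).
The peer address 172.16.93.41 is an assumption reconstructed from the slide."""
import re

CISCO_CFG = """\
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key 123456 address 172.16.93.41
!
crypto ipsec transform-set ESG3 esp-3des esp-sha-hmac
 mode tunnel
!
crypto map ESG3 10 ipsec-isakmp
 set peer 172.16.93.41
 set transform-set ESG3
 set pfs group1
 match address 100
!
access-list 100 permit ip 77.77.0.0 0.0.255.255 31.0.0.0 0.0.255.255
!
interface GigabitEthernet1
 crypto map ESG3
"""

# Settings a practitioner would replace before this leaves an interop lab.
LEGACY = {"3des": "3DES (encr/esp-3des)", "group 2": "DH group 2",
          "group1": "PFS group 1", "esp-sha-hmac": "HMAC-SHA1"}


def check_ipsec(cfg):
    """Return findings: dangling references first, then legacy crypto settings."""
    ref = lambda pat: set(re.findall(pat, cfg, re.M))   # captured names/addresses
    findings = []
    checks = [  # (label, where the name is used, where it must be defined)
        ("crypto map peer without isakmp key", r"^\s*set peer (\S+)", r"^crypto isakmp key \S+ address (\S+)"),
        ("undefined transform-set", r"^\s*set transform-set (\S+)", r"^crypto ipsec transform-set (\S+)"),
        ("crypto map matches missing ACL", r"^\s*match address (\d+)", r"^access-list (\d+) "),
    ]
    for label, used, defined in checks:
        missing = ref(used) - ref(defined)
        if missing:
            findings.append(f"{label}: {sorted(missing)}")
    for token, label in LEGACY.items():
        if re.search(r"\b" + re.escape(token) + r"\b", cfg):
            findings.append(f"legacy setting: {label}")
    return findings
```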
Key Takeaways: NSX VPN
- Software defined: complete life cycle management of VPN services; API/UI driven
- Flexible deployment: multiple options (VXLAN, VLAN, IPsec); single point of management; standalone Edge for non-NSX domains
- CAPEX savings: included as part of NSX licenses; deploy as many instances as needed without licensing restrictions
Where to Get Started
Engage and learn:
- Join the NSX VMUG Community: vmug.com/nsx
- Connect with your peers: communities.vmware.com
- Embrace the NSX Mindset: nsxmindset.com
- Find NSX resources: vmware.com/go/networking
- Read the Network Virtualization Blog: blogs.vmware.com/networkvirtualization
- Try free Hands-on Labs: labs.hol.vmware.com
- Virtual Cloud Network guided demo: vcndemo.com
Experience:
- Attend the Networking and Security sessions: showcases, breakouts, quick talks and group discussions
- Visit the VMware booth: product overviews, use-case demos
- Visit technical partner booths: integration demos for infrastructure, security, operations, visibility, and more
- Meet the Experts: join our experts in an intimate roundtable discussion
- Take VMware Education training and certification: vmware.com/go/nsxtraining
- Free NSX training on Coursera: vmware.com/go/coursera