NET1192BE Multisite Networking & Security with Cross-vC NSX
Josh Coulling, Networking & Security Senior System Engineer
#VMworld #NET1192BE
Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitment from VMware to deliver these features in any generally available product. Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind. Technical feasibility and market demand will affect final delivery. Pricing and packaging for any new technologies or features discussed or presented have not been determined. #NET1192BE CONFIDENTIAL 2
NSX customer momentum is growing exponentially
- Customers: 1,300+ (Q2 2016) to 2,600+ (Q2 2017), across all industries and organisational sizes, representing 100% year-over-year growth
- Deployments: over two new NSX deployments per day; the number of deployments increased 3x year-over-year
- Certifications: 8,800+ certified NSX professionals
NSX is everywhere
Service provider, healthcare, finance, technology, public sector, education, retail, travel and transport
Telling the End-to-End NSX Story
- Product level: the NSX platform (SDDC)
- Solution level: Security, Automation, App Continuity
- Initiative level: Micro-segmentation, Automating IT, Disaster Recovery
- Project level: Secure End User, DMZ Anywhere, Developer Cloud, Multi-tenant Infrastructure, Multi Data Center Pooling, Cross Cloud
70%+ of our customers who buy NSX for a specific project go on to use NSX for other capabilities.
Has anyone here had to migrate an app or apps across sites (DCs)?
Who here has had to architect a DR plan that accounts for compute, storage and networking?
Does anyone here span their applications across multiple sites or availability zones?
Multi-Site networking & security is hard...
Today's applications are distributed systems
[Figure: an application spread across Data center 1 (active) and Data center 2 (passive), with VMs in each site depending on a security policy / ACL, Layer 3, load balancing, and Layer 2 & IP configuration that must exist consistently in both places.]
Agenda
1 Multisite & Multisite Challenges
2 Multi-vCenter Use Cases & Overview
3 Concepts & Architecture Overview
4 Deployment Models
5 Summary
6 Q&A
Multisite Challenges & Traditional Multisite Technologies
[Figure: VMs in Data center 1 with the questions that arise when they move to a second site: Security policy? ACL? Layer 3? Load balancer configuration? Layer 2 & IP config?]
Challenges when moving apps across sites for DR, active/active or pooling of resources:
- Re-IP addressing of workloads
- Reconfiguring the physical network for L2-L3 requirements
- Recreating the security policy at the secondary site
- What about the Layer 4 to Layer 7 configuration?
Traditional multisite technologies: dark fibre, OTV, and VPLS over MPLS
- Address the challenge of Layer 2 stretch and IP address preservation
- Hardware dependencies
- Associated costs
- Long lead times
- Do not address the Layer 4 to Layer 7 configuration
What is Cross-vC NSX for Multisite?
The ability to:
- Create logical networks that span multiple physical sites and vCenter boundaries
- Apply a universal network security policy
- Manage from a unified, centralised point
Connectivity Between Sites
Capability / What it provides / Use case
- Multi-Data Centre: active/active or active/standby; separate or stretched clusters; Cross-vCenter / Multi-DC pooling, disaster recovery, application migration
- Public Cloud: Layer 2 extension into public cloud; does not require NSX at both sites / Application continuity
- Branch Office: industry-standard IPsec VPN; secure connectivity to remote or branch offices; multi-vendor device support
- Remote Users: SSL VPN client for macOS, Windows and Linux; secure connectivity to end users
Design considerations: bandwidth between entities, latency between sites, MTU, administrative domain
VMware NSX for Multisite
[Figure: vcenter-a with the NSX Primary Manager in Data Centre 1 and vcenter-b with the NSX Secondary Manager in Data Centre 2, joined by the Universal Synchronisation Service; a Universal Controller Cluster and a universal distributed logical router span both sites as a secure, highly available, distributed, virtualised resource pool.]
NSX for Multi-Site addresses Layer 2 to Layer 7 network and security services:
- Universal Logical Switch
- Universal Distributed Logical Router
- Universal Distributed Firewall
- Decoupled from hardware (L2 over L3)
- Configuration consistency across sites
- Completely software-based solution
- API for full automation
Cross-VC NSX Use Cases #1: Disaster Recovery
Synchronise applications, networking, and security across locations to reduce recovery time.
[Figure: NSX Primary (vcenter-a, Data Centre 1) and NSX Secondary (vcenter-b, Data Centre 2) sharing a Universal Controller Cluster and a universal distributed logical router.]
- Synchronised logical networking and security (Cross-vC NSX)
- IP addresses maintained
- Consistent security policy at the recovery site
Cross-VC NSX Use Cases #2: Multi-DC Pooling
Pool resources from multiple vCenter domains to drive 15-20% better compute utilisation.
[Figure: NSX Primary (vcenter-a) and NSX Secondary (vcenter-b) presented as one converged data centre with NSX, sharing a Universal Controller Cluster and a universal distributed logical router.]
Cross-VC NSX Use Cases #3: Workload Mobility
Logical networks spanning multiple sites allow for enhanced workload mobility across sites.
[Figure: NSX Primary (vcenter-a, Data Centre 1) and NSX Secondary (vcenter-b, Data Centre 2) sharing a Universal Controller Cluster and a universal distributed logical router, with workloads moving between sites.]
Cross-vCenter NSX - Concepts
Primary NSX Manager:
- Used to deploy and configure NSX universal objects
- There can be only one primary NSX Manager within the NSX environment
Secondary NSX Manager:
- Receives universal objects synchronised from the primary; universal objects are read-only on a secondary, which can create only local objects
- There can be up to 7 secondary NSX Managers (8 NSX Managers in total)
Universal Synchronisation Service:
- Process on the primary NSX Manager that syncs only the universal objects to the secondary NSX Managers
Universal Controller Cluster:
- Three controllers, deployed by the primary NSX Manager, that maintain information about both local and universal objects for all NSX Managers in the environment
Universal Objects (objects associated with, or spanning, multiple vCenter domains):
- Universal Transport Zone: defined from the primary NSX Manager, spans vCenters
- Universal Logical Switch: a logical switch spanning L2 across vCenters
- Universal Distributed Logical Router: distributed L3 routing between Universal Logical Switches across vCenters
- Universal Distributed Firewall: a security policy that spans vCenters
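The role and synchronisation rules on this slide are easy to state and easy to break in practice (a second manager accidentally promoted to primary, a secondary that silently stopped syncing). The following is an added example, not VMware's code and not part of the deck: a small Python health check that enforces the one-primary / at-most-seven-secondaries rule and flags secondaries whose last universal sync failed or is stale. The NSX-v REST calls named in the comments (GET /api/2.0/universalsync/configuration/role and GET /api/2.0/universalsync/status) and the element names in the sample XML are assumptions; the XML replies are constructed so the script runs offline.

```python
"""Added example: sanity-check Cross-vC NSX manager roles and universal sync state.

Illustrative code, not VMware's. Assumed (not stated in the deck): the NSX-v
Manager calls GET /api/2.0/universalsync/configuration/role and
GET /api/2.0/universalsync/status, and the XML element names used in the
constructed samples below. Times are treated as epoch milliseconds.
"""
import xml.etree.ElementTree as ET

MAX_SECONDARIES = 7                 # deck: one primary, up to 7 secondaries
MAX_SYNC_AGE_MS = 15 * 60 * 1000    # policy choice: flag a secondary not synced in 15 min

# Constructed replies from GET /api/2.0/universalsync/configuration/role, one per manager
# (assumed endpoint and element names, not captured from a real system).
SAMPLE_ROLES = {
    "nsxmgr-a": "<nsxManagerRole><role>PRIMARY</role></nsxManagerRole>",
    "nsxmgr-b": "<nsxManagerRole><role>SECONDARY</role></nsxManagerRole>",
    "nsxmgr-c": "<nsxManagerRole><role>SECONDARY</role></nsxManagerRole>",
}

# Constructed reply from GET /api/2.0/universalsync/status on the primary (assumed shape).
SAMPLE_STATUS = """<universalSyncStatus>
  <secondary>
    <nsxManagerId>nsxmgr-b</nsxManagerId>
    <lastSuccessfulSyncTime>1507000000000</lastSuccessfulSyncTime>
    <syncStatus>SUCCESS</syncStatus>
  </secondary>
  <secondary>
    <nsxManagerId>nsxmgr-c</nsxManagerId>
    <lastSuccessfulSyncTime>1506990000000</lastSuccessfulSyncTime>
    <syncStatus>FAILED</syncStatus>
  </secondary>
</universalSyncStatus>"""

NOW_MS = 1507000300000  # constructed "current time": 5 minutes after nsxmgr-b's last sync


def parse_role(xml_text):
    """Return the manager role (PRIMARY / SECONDARY / STANDALONE / TRANSIT) from a role reply."""
    role = ET.fromstring(xml_text).findtext("role")
    if role is None:
        raise ValueError("no <role> element in response")
    return role.strip().upper()


def check_topology(roles):
    """roles: {manager_id: role_xml}. Return a list of problems (empty means OK).

    Enforces the deck's constraints: exactly one primary, at most seven secondaries.
    Any manager that is neither primary nor secondary receives no universal objects.
    """
    parsed = {mid: parse_role(xml) for mid, xml in roles.items()}
    primaries = sorted(m for m, r in parsed.items() if r == "PRIMARY")
    secondaries = [m for m, r in parsed.items() if r == "SECONDARY"]
    problems = []
    if len(primaries) != 1:
        problems.append("expected exactly one PRIMARY, found %d: %s" % (len(primaries), primaries))
    if len(secondaries) > MAX_SECONDARIES:
        problems.append("too many secondaries: %d > %d" % (len(secondaries), MAX_SECONDARIES))
    for m, r in sorted(parsed.items()):
        if r not in ("PRIMARY", "SECONDARY"):
            problems.append("%s has role %s and will not receive universal objects" % (m, r))
    return problems


def stale_secondaries(status_xml, now_ms, max_age_ms=MAX_SYNC_AGE_MS):
    """Return ids of secondaries whose last sync failed or is older than max_age_ms."""
    stale = []
    for sec in ET.fromstring(status_xml).findall("secondary"):
        mid = sec.findtext("nsxManagerId")
        status = (sec.findtext("syncStatus") or "").strip().upper()
        last = int(sec.findtext("lastSuccessfulSyncTime") or 0)
        if status != "SUCCESS" or now_ms - last > max_age_ms:
            stale.append(mid)
    return stale


if __name__ == "__main__":
    for problem in check_topology(SAMPLE_ROLES):
        print("topology:", problem)
    print("secondaries needing attention:", stale_secondaries(SAMPLE_STATUS, NOW_MS))
```

In a real deployment the two sample dictionaries would be filled from the managers over HTTPS with the admin credentials; the point of the check is that a universal firewall policy you believe is in force at the secondary site is only as current as that secondary's last successful sync.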
Cross-vCenter NSX Concepts (Cont'd)
Universal Distributed Firewall:
- Distributed Firewall spanning across vCenter boundaries
- Provides consistent security policies across all vCenter domains/sites
Universal Firewall Rules & Universal Security Groups (enhancements with NSX 6.3):
- Universal Distributed Firewall rules are configured and administered centrally, under the Universal section of the Distributed Firewall on the primary NSX Manager
- Security policies can be applied across all vCenter boundaries
- Universal Security Groups can be configured across vCenter boundaries and used in universal rules
Controller Disconnected Operation (CDO) mode (new with NSX 6.3):
- The NSX data plane keeps forwarding with the state it already holds when the controllers are unreachable; however, in dynamic environments with a high rate of network change, forwarding can fail because guest VTEP information cannot be updated during a controller failure scenario
- CDO mode provides the ability to keep traffic forwarding successfully through a controller outage, even in dynamic environments with high rates of VM vMotion or VM creation
Cross-vCenter NSX - Architecture
[Figure: NSX Manager A (primary), paired with vcenter-a, where local and universal objects are created via UI and API; its Universal Synchronisation Service pushes universal objects to NSX Manager B through NSX Manager H (secondaries), paired with vcenter-b through vcenter-h, where only local objects are created via UI and API; all managers share one Universal Controller Cluster, and each vCenter manages its own ESXi hosts.]
Multi-Site NSX Deployment Models
Active/Active egress (local egress):
- Multi-Data Centre with multi-vCenter
- Multi-Data Centre with single vCenter
Active/Passive egress (local egress / route metric):
- Multi-Data Centre with multi-vCenter
- Multi-Data Centre with single vCenter
Summary
- Cross-VC NSX provides solutions and flexibility for networking and security across multiple vCenter domains/sites
- Workloads are no longer constrained to vCenter boundaries
- Consistent security policy enforcement can be applied across a multi-site, multi-vCenter deployment without additional manual intervention
- Cross-VC NSX provides for ease of site migration and enhanced disaster recovery
- Cross-VC NSX supports several deployment models to meet different customer requirements
Questions?
Engage - Find NSX Resources
- vmware.com/products/nsx
- Network Virtualization Blog: blogs.vmware.com/networkvirtualization
- Humair Ahmed's Blog: http://humairahmed.com/blog
VMworld Barcelona - Try: VMworld Free Hands-on Labs
- Expert-Led Hands On Labs: ELW182201E NSXaaS Secure Native Workloads in AWS Workshop
- Self-Paced Hands On Labs: SPL182502E NSX & SRM Active Standby Solution; SPL182601E NSX-T Getting Started; SPL182602E NSX-T with Kubernetes
VMworld Barcelona - Learn: VMworld Breakout Sessions
- NET3236SE NSX Everywhere: The Network Bridge for On-Premises, Private, and Native Public Clouds
- NET1188BE Disaster Recovery Solutions with NSX
- NET2415BE Utilising NSX Load Balancing for scalability, reliability & security: Overview, best practice & customer case study
- NET3081PE Customer Panel on VMware NSX
- NET1510BE Introduction to NSX-T Architecture
- NET1522BE Kubernetes networking with NSX-T Deep Dive
- NET1836BE NSX-T Advanced Architecture Concepts
Learn: NSX-V Multisite Options & Cross-VC Design Guide, https://communities.vmware.com/docs/doc-32552