LHC2103BU
NSX and VMware Cloud on AWS: Deep Dive
Ray Budavari, Senior Staff Technical Product Manager, NSX
@rbudavari
#VMworld #LHC2103BU
Disclaimer
This presentation may contain product features that are currently under development. This overview of new technology represents no commitment from VMware to deliver these features in any generally available product. Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind. Technical feasibility and market demand will affect final delivery. Pricing and packaging for any new technologies or features discussed or presented have not been determined.
Session Objectives
NSX and VMware Cloud on AWS: Deep Dive
- Cover technical details on how networking and security are implemented in VMware Cloud on AWS (including all the gory details)
- Learn about how NSX is foundational in enabling the VMC service (because everything interesting happens in networking and security)
- Allow me to share what I've been working on
- Complement other VMC on AWS VMworld sessions:
  - LHC2384BU: VMware Cloud on AWS: A Technical Deep Dive
  - LHC2105BU: NSX and VMware Cloud on AWS: The Path to Hybrid Cloud
Agenda
NSX and VMware Cloud on AWS: Deep Dive
1. VMware Cloud on AWS Overview
2. NSX in VMware Cloud on AWS
3. User Experience Walkthrough
4. Technical Deep Dive: Initial Availability
5. Technical Deep Dive: Future Releases
6. Q&A
VMware Cloud on AWS Overview
VMware Cloud on AWS: Enabling Hybrid Cloud
- Leading compute, storage and network virtualization capabilities
- Support for a broad range of workloads
- De-facto standard for the enterprise DC
- Flexible consumption economics
- Broadest set of cloud services
- Global scale and reach
VMware Cloud on AWS
VMware vSphere-based service running on the AWS Cloud
Diagram (service stack and its surroundings):
- Operational management: vRealize Suite, vSphere Integrated Containers, ISV ecosystem
- VMware Cloud on AWS SDDC: vCenter, vSphere, vSAN and NSX on ESXi on dedicated hardware
  - Support for VMs and containers
  - vSAN on flash and EBS storage
  - Replication and DR orchestration
  - Advanced networking and security services (NSX) spanning on-premises and cloud
- Native AWS services: Amazon EC2, AWS IoT, Amazon S3, AWS Direct Connect, Amazon RDS, AWS IAM
- Customer Data Center and AWS Global Infrastructure
Key Use Cases for VMware Cloud on AWS
- Scenario 1: Maintain and Expand (maintain the private cloud, expand into the public cloud)
- Scenario 2: Consolidate and Migrate (consolidate the private cloud, migrate to the public cloud)
- Scenario 3: Workload Flexibility (flex between private and public cloud as needed)
NSX is essential for all these use cases
NSX in VMware Cloud on AWS Networking and Security Details
NSX Services
- Logical switching
- Logical routing
- Firewalling and security
NSX ENABLES ALL NETWORKING IN VMC
Diagram: VMware NSX layered on top of EC2 & VPC networking
NSX in VMC on AWS: Introduction
- All VM networking in VMware Cloud on AWS is provided by NSX
- Provides compatibility with NSX and vSphere products used on-premises
- Jointly engineered solution between VMware and Amazon
- Delivered using an as-a-service cloud model
VMC Consumption Models for Networking and Security
Simplified Mode (IA): VMC Web Console and vSphere Web Client
- Networking consumption with vSphere Web Client and VMC Console
- Customers who may not be using the full VMware stack (vSphere only)
- Public cloud-like consumption experience
- Basic networking and security: NAT, Firewall, VPN, Gateway Management
Advanced Mode (Future Release): NSX Manager and vSphere Web Client
- VMC networking consumption via NSX
- Full VMware stack
- Multiple admin roles in the Org
- Flexibility of public cloud with the familiarity and consistency of the VMware SDDC
- Advanced networking and security: Distributed FW, Load Balancing, Service Insertion, Cross-VC
VMware Cloud on AWS does not have a dependency on NSX in the on-premises environment, but NSX in both sites will provide enhanced capabilities
Simplified Mode Consumption (Initial Availability)
Cloud Networking Admin, via the VMC Web Console:
- Auto-deploy and provision the VMC infrastructure resources via predefined VMC Portal workflows
- Setup of initial networks and admin access granted to vCenter
- Deploy a prescriptive network topology
- Establish predefined VPN connectivity
- Provide inbound access to workload VMs
- Control firewall access to workload VMs
VI Admin, via the vSphere Web Client (VMware Cloud on AWS: vSphere, vCenter, vSAN, NSX):
- Consume pre-created VMC network services
- Deploy workload VMs
- Attach workload VMs to networks
- Create new networks
- Manage IP addressing for workload VMs
Advanced Mode Consumption (Future Release)
Networking Admin, via NSX Manager (full NSX UI):
- Provision network and security for custom data centers
- Define and establish VPN connectivity with on-premises locations
- Define security groups and policies for workload VMs
- Add, modify, or delete network topologies
- Advanced NSX use cases: distributed firewalls, load balancing, routing, etc.
VI Admin / Cloud Admin, via the vSphere Web Client and vSphere API (VMware Cloud on AWS: vSphere, vCenter, vSAN, NSX):
- Deploy workload VMs
- Attach workload VMs to networks created by NSX admins
- Manage IP addressing for workload VMs
VMC Networking and Security Access Model
- VMC is a VMware Managed Service: VMware manages the hypervisor and management components, the customer manages VMs
- NSX access in Simplified consumption mode provides:
  - Networking and Security workflows available in the VMC Console
  - Ability to create, update and delete logical networks via vCenter Server
- Advanced mode will provide full NSX access in a future release
  - There will still be restrictions on admin/infrastructure-level operations
- All VMC users will start in Simplified Mode
User Experience
VMware Cloud on AWS Networking and Security Walkthrough
Initial Availability
VMware Cloud on AWS Networking and Security
VMware Cloud on AWS Default Networking Topology
Diagram of the VMC SDDC (Blue = N-S, Red = E-W):
- Management Infrastructure behind the Management GW (NAT, FW, VPN, DNS)
- Compute GW (NAT, FW, VPN, DHCP, DNS) with a DLR below it
- Workloads on logical networks: Default 192.168.1.0/24, Custom 10.1.1.0/24, Custom 10.1.2.0/24, Custom 10.1.3.0/24
- N-S external traffic leaves through the Internet GW on the AWS Network
NSX Implementation Details
- vSphere Distributed Switch provides connectivity to the AWS physical network
- NSX components such as Manager, Controller and Edges are deployed into the Management resource pool
- Management Gateway (MGW) = NSX Edge for Management components
- Compute Gateway (CGW) = NSX Edge and DLR for customer VMs
- A default logical network with SNAT and DHCP enabled is provisioned
- Single CGW supported in Simplified Mode
- Firewall rules are set to Default Deny
- NSX Edge High Availability is enabled
- NSX Edges are sized Large by default
VMware Cloud on AWS Management Networking Overview
Diagram of the VMC on AWS ESXi cluster:
- Management Infrastructure VMs on the VM Management VLAN: vCenter Server, NSX Manager, NSX Controller 1, 2 and 3
- VMkernel VLANs: Management, vMotion, VXLAN, VSAN
- Management Gateway and AWS VPC Router in front of the management infrastructure
- External traffic via the AWS Network and Internet GW
vSphere Networking on AWS Infrastructure
Diagram: ESXi hosts (bare metal) carrying VMware networks on multiple ENIs/VLANs, trunked over the ENA (MTU 1600+), across multiple subnets (10.100.1.0/24, 10.101.1.0/24, 10.102.1.0/24, 10.103.1.0/24)
- Mgmt: vmk0, native VLAN, ENI1
- vMotion: vmk1, VLAN1, ENI2
- VSAN: vmk2, VLAN2, ENI3
- VXLAN (VTEP): vmk3..., VLAN3, ENI4
- Mgmt: VLAN4, ENI5
- Public: VLAN5, ENI6
VMware Cloud on AWS networking setup is automated as part of infrastructure provisioning
VMC Connectivity Details
- Workload VMs use NSX for all networking and security and are decoupled from VPC networking
- ESXi VMkernel interfaces use ENIs (Elastic Network Interfaces) on the VPC network
- However, there are limitations with connecting Management & Edge VMs directly to VPC networks; the solution is to use NSX (of course)
- AWS VPC networking is used to provide external connectivity only:
  - Internet Gateway
  - Customer VPC access
  - Direct Connect in future releases
VMC Connectivity Deep Dive
Diagram of one ESXi host (repeated on each host in the cluster), its ENIs in the VMC on AWS VPC, and the gateway LIFs:
ESXi host VMkernel interfaces on the VDS, pNIC = ENA device (Management Subnet 10.0.128.0/17, router 10.0.128.1):
- vmk0, Host Mgmt dvportgroup (VLAN 0): 10.0.128.5/17, GW .128.1, via default ENI (device id 0) 10.0.128.5/21
- vmk1, vMotion dvportgroup (VLAN 1): 10.0.136.5/17, GW .128.1, via ENI-vmotion (device id 1) 10.0.136.5/21
- vmk2, VSAN dvportgroup (VLAN 2): 10.0.144.5/17, GW .128.1, via ENI-vsan (device id 2) 10.0.144.5/21
- vmk3, VTEP dvportgroup (VLAN 3): 10.0.152.5/17, GW .128.1, via ENI-nsx (device id 3) 10.0.152.5/21
Management dvportgroup (VLAN 101, 10.0.224.0/19, GW .224.1):
- vCenter 10.0.224.8, NSX Manager 10.0.224.9
- Management Gateway (.218.2): LIF1 10.0.160.5 (VLAN 4) via ENI-m (device id 4) 10.0.160.5/21; LIF2 10.0.224.1; hdlr-m .224.2; 10.0.224.2
Public dvportgroup (VLAN 100, 10.0.192.0/19, GW .192.1):
- Compute Gateway: LIF1 10.0.0.5 (VLAN 5) via ENI-p (device id 5) 10.0.0.5/20 on the Public Subnet (10.0.0.0/20, router 10.0.0.1); LIF2 10.0.192.1; hdlr-p .218.3; 10.0.218.2
- 0/0 route towards the Internet or VPN GW on the AWS Network
VMC Agent:
- Management VM add/move (VMCI callout): add/remove routes on the DLR
- Add/move secondary IP (AWS API)
IA Internet and L3VPN Connectivity
Diagram:
- Customer DC: existing VMs and on-premises management (192.168.10.0/24, 192.168.20.0/24) behind the On-Prem Gateway
- Internet between the On-Prem Gateway and the SDDC Internet GW
- SDDC: Management GW (NAT, FW, VPN) in front of the VMware Cloud on AWS Management Network; Compute GW (NAT, FW, VPN, DHCP) with a DLR in front of the on-prem workloads
- IPsec VPN (L3) carrying Management Traffic and Compute Traffic
VPN connectivity using NSX ESG (route selected networks or all traffic to on-premises over the VPN tunnel)
VMC VPN Connectivity Details
- VMC Console provides streamlined VPN configuration
- Policy-based VPN from the NSX Edge
- IPsec VPN is standards-based and interoperable with all compliant devices
- Enables choice of on-premises gateway
VPN Connectivity Details
VMC supported IPsec VPN parameters at IA (settings in bold are configurable, while others are hard coded)
Phase 1 Settings:
- IKEv1
- Main mode
- AES-256
- Diffie-Hellman Group 2
- SHA-1
- Pre-shared secret
- SA lifetime of 28800 seconds (eight hours)
Phase 2 Settings:
- AES-256
- Diffie-Hellman Group 2
- SHA-1
- SA lifetime of 3600 seconds (one hour)
- Perfect forward secrecy (PFS) enabled
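As an added example that is not part of this deck or the VMC service, the strongSwan ipsec.conf fragment below pins an on-premises gateway to exactly the IA parameter set listed above (IKEv1 main mode, AES-256, SHA-1, DH group 2, pre-shared secret, 28800 s / 3600 s lifetimes, PFS), so a proposal mismatch cannot silently downgrade the tunnel. The peer addresses and IDs are placeholders; the on-premises subnets and the VMC default logical network are taken from the deck's topology slides.

```conf
# /etc/ipsec.conf (strongSwan) -- added example, not VMC or VMware code
# Placeholders: 203.0.113.10 (on-prem gateway), 198.51.100.20 (CGW public IP)
config setup
    uniqueids = yes

conn vmc-cgw
    keyexchange = ikev1            # IA supports IKEv1 only
    aggressive = no                # Main mode, not aggressive mode
    authby = secret                # pre-shared secret, kept in ipsec.secrets
    # Phase 1: AES-256, SHA-1, DH group 2 (modp1024). The trailing "!" makes
    # the proposal strict so strongSwan offers nothing else to the peer.
    ike = aes256-sha1-modp1024!
    # Phase 2: AES-256, SHA-1, PFS with DH group 2
    esp = aes256-sha1-modp1024!
    ikelifetime = 28800s           # Phase 1 SA lifetime: eight hours
    lifetime = 3600s               # Phase 2 SA lifetime: one hour
    type = tunnel
    left = %defaultroute
    leftid = 203.0.113.10          # placeholder (RFC 5737 documentation range)
    # On-prem networks from the L3VPN diagram; policy-based VPN negotiates
    # one Phase 2 SA per local/remote subnet pair.
    leftsubnet = 192.168.10.0/24,192.168.20.0/24
    right = 198.51.100.20          # placeholder: CGW public IP from the VMC console
    rightsubnet = 192.168.1.0/24   # VMC default logical network from the topology slide
    auto = start

# /etc/ipsec.secrets
# 203.0.113.10 198.51.100.20 : PSK "REPLACE-WITH-SHARED-SECRET"
```

SHA-1 and 1024-bit DH group 2 sit below current guidance for new IPsec deployments, so treat this as the interoperability floor the deck describes for IA and move to stronger proposals as soon as the service exposes them.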
VMC and AWS Services
- VMware Cloud on AWS provides access to AWS services within the region of deployment
- By default, access to AWS Services from VMC VMs will be via the Internet (using the AWS IGW)
  - Provides a base level of capability
  - Bandwidth limits for the IGW do apply
- Customer VPC access (using the VMware Cloud Endpoint)
  - Provides higher bandwidth connectivity to selected AWS Services
  - Requires an existing customer VPC
- Direct Connect is planned in future releases
Access to AWS Services: Amazon EC2, AWS IoT, Amazon S3, AWS Direct Connect, Amazon RDS, AWS IAM
IA Optimized Connectivity to Native AWS Services
Diagram:
- Customer VPC: VPC subnets with EC2 instances, VPC Endpoints (Amazon S3), Internet GW; VPC route table carrying 192.168.0.0, 192.168.1.0, 192.168.2.0
- SDDC: Internet GW, Compute Gateway attached to an ENI from the Customer VPC, DLR (Distributed Router) with logical switches VNI 5000 and VNI 5001; NSX route table carrying 172.16.0.0, 172.16.1.0, 172.16.2.0
- Optimized traffic flow: East-West connection over AWS networking between the SDDC and the Customer VPC
- Reaches EC2 instances, private AWS services or VPC Endpoints in the customer's existing VPCs
Direct connectivity from VMC to Customer VPCs (without VPC Peering)
VMC and AWS Services Details
What actually happens during the Account Connection process?
Step 1: At SDDC deployment time, connect to your AWS account
VMC and AWS Services Details
Step 2: Run the VMC CloudFormation Template
VMC and AWS Services Details
Step 3: Select the discovered VPC and subnet; ENIs are created to enable the optimized connectivity
VMC and AWS Services Details
Step 4: The SDDC is provisioned and connected to your VPC; details of the connected VPC are available under the CGW
VMC and AWS Services Details
Step 5: Routing tables are updated to enable connectivity
Step 6: Firewalling for traffic to/from the Customer VPC within VMC
Future Releases
VMware Cloud on AWS Networking and Security
Future: L2VPN Connectivity
Diagram:
- Customer site: existing VMs and on-premises management on VLAN 10 and VLAN 20 (192.168.10.0/24, 192.168.20.0/24) behind the On-Prem Gateway and an on-prem Edge running L2VPN
- Internet between the on-prem Edge and the SDDC Internet GW
- SDDC: Management GW (NAT, FW, VPN) in front of the VMware Cloud on AWS Management Network; Compute GW (NAT, FW, VPN, DHCP) with a DLR terminating the L2VPN for compute
- L2 extension carrying Management Traffic and Compute Traffic
L2VPN for hybrid use cases (with or without NSX on-premises)
Future: AWS Direct Connect
Diagram:
- Customer DC: on-premises management and compute on VLAN 10 and VLAN 20 behind the On-Prem Gateway
- AWS Direct Connect (L3) at up to 10Gbps, with a Private VIF and a Public VIF
- Private VIF terminates on the AWS VGW attached to the SDDC; the Public VIF reaches AWS services (AWS Lambda, CloudFront, Amazon S3, Amazon RDS, etc.)
- SDDC: VLAN-facing Edge Gateway, VXLAN, DLR (Distributed Router) with VNI 5000 and VNI 5001
- Customer VPC with EC2 & RDS instances, also reachable via its AWS VGW
Direct Connect for high-bandwidth connectivity from the customer's data center to VMC and to AWS services
Future: Advanced Network and Security Features
Diagram:
- Customer Data Center: existing VMs and management components on-premises, VLAN 10 and VLAN 20 behind the On-Prem Gateway, Internet to the AWS GW
- SDDC: NSX Services with a Default CGW and a Custom CGW on the VLAN side, VXLAN logical switches, Distributed Router, DFW and LB
Advanced NSX feature set available in VMC:
- DFW (FW ruleset and Service Composer)
- Load balancing (one-arm and inline)
- Flexible network topologies
Future: Partner Service Integration
Diagram:
- Customer Data Center: existing VMs and management components on-premises, VLAN 10 and VLAN 20 behind the On-Prem Gateway, Internet to the AWS GW
- SDDC: MGW and CGW on the VLAN side for compute N-S traffic and management traffic; ESXi network and host components with VMkernel NICs for Mgmt/vMotion/VXLAN/VSAN; VXLAN Distributed Router with a Default LS and a 3rd-party LS
- Partner Management Console and a Partner SVM on each host, with service insertion on the data path
- Partner service integration through NetX and EPSec
- Partner components on the overlay network
- Connectivity to vCenter and NSX Manager
- Redirect rules to partner SVMs
Future: Cross-VC NSX
Diagram:
- Customer DC: NSX Services, Edge Gateway, Internet GW (or DX), Sec-Group-1 and Sec-Group-3 on VNI 9001 and VNI 5001
- SDDC (VMware Cloud on AWS): NSX Services, Edge Gateway, Internet GW (or DX), Sec-Group-2 and Sec-Group-3 on VNI 9001 and VNI 6002
- Universal Distributed Logical Router (UDLR) and Universal Logical Switch spanning both sites
NSX both on-premises and in VMC enabling Cross-VC NSX services:
- All Local and Universal NSX capabilities available
- VM mobility
- Full multi-site and DR
- Centralized management
VMware Cloud on AWS and NSX: Summary
- VMware Cloud on AWS is a major initiative for VMware
- VMC is designed to support all of VMware's existing customers
- Extends key SDDC capabilities to the public cloud:
  - Centralized management
  - Enterprise-grade security
  - Consistent operational model
  - Cross-VC vMotion for VM mobility
  - DR/Multi-Site as a Service
  - Compatibility with automation tools
Questions
Thank You
Ray Budavari
@rbudavari
Backup
VMware Cloud on AWS User Experience
- NSX is front and center in the VMware Cloud on AWS Portal
- The Network Dashboard provides a view of NSX components and connectivity
VMware Cloud on AWS User Experience
Simplified mode provides basic networking and security functionality:
- Firewall
- VPN
- Logical NAT
- Public IPs