
MGT1969

VMware NSX and vCloud Automation Center Integration: Technical Deep Dive
Ray Budavari, VMware, Inc
Zackary Kielich, VMware, Inc

Disclaimer
This presentation may contain product features that are currently under development. This overview of new technology represents no commitment from VMware to deliver these features in any generally available product. Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind. Technical feasibility and market demand will affect final delivery. Pricing and packaging for any new technologies or features discussed or presented have not been determined.

CONFIDENTIAL

Agenda
- Background
- NSX and vCloud Automation Center
- What's new in NSX & vCAC 6.1
- Deployment Topologies
- Demonstration
- Q&A


Business Wants Agility. IT Wants Control.
Requirements from multiple stakeholders need to be aligned:
- Cloud Consumer: "I just want my app - FAST. Don't ask me about networking and security." / "Fast is good, but I know exactly what I need to connect, secure and scale my app."
- Network Admin: "If the network goes down, I have to answer for it. Self-service could mean no service if I don't control how systems are connected."
- Security Admin: "Zero trust ensures only clean and compliant systems in the data center, but doesn't self-service mean loss of this control?"
- Cloud Admin: "I need to ensure SLAs for connectivity, security and availability when I don't even own the infrastructure."
- Load Balancer Admin: "Users want to scale their app tiers on demand, but they have to wait for me to install and configure their service. Am I the bottleneck to self-service IT?"

Traditional Infrastructure Provisioning
Provisioning an infrastructure service traditionally takes days to weeks, most of it spent waiting between hand-offs, with manual effort at every step:
- Switch (Network Ops): connect Ethernet cables, configure the switch port, VLANs and access control lists, assign IP addresses.
- Router (Network Ops): configure the router interface to connect to the switch ports, configure routing protocols.
- Firewall (Security Ops): connect networks to firewall appliances, configure firewall rules based on physical constructs, e.g. IP address and VLANs.
- Load Balancer (Load Balancing Admin): connect networks to load balancer appliances, create and populate the load balancer pool, assign a Virtual IP address to the external interface.

NSX and vCloud Automation Center

Why NSX?
Support for detailed, programmable application topologies: logical switching, routing, firewall and load balancing, plus security groups (Default, Web, App, Database) whose member VMs are protected by the security policies attached to each group. The policies shown in the figure:
- Default: firewall allows access to shared services (DNS, AD); anti-virus scan daily.
- Standard Web: firewall allows inbound HTTP/S and outbound ANY; IPS prevents DoS attacks and enforces acceptable use.
- Standard App: firewall allows inbound TCP 8443 and outbound SQL.
- Standard Database: firewall allows inbound SQL; vulnerability management runs a weekly scan.

vCAC integrated with NSX
Dynamic configuration and deployment of NSX logical services for on-demand application delivery. vCloud Automation Center, as the cloud management platform, holds the service catalog, resource reservations, multi-machine blueprints, network profiles, security groups and security policies; from these it drives the creation of NSX logical switches, logical routers, logical firewall rules and logical load balancers for the Web, App and Database tiers of a deployment.

vCAC Application Deployment Topologies
Multiple network topologies are supported: a multi-tier app on a single flat network, or a multi-tier app with a separate network per tier (Web, App, Database).

Cloud Consumer Profile: The Typical User Wants Easy
"I just want my app. Don't ask me about networking and security." For this consumer the cloud admin pre-defines everything on behalf of the cloud architect: logical load balancer, security policies and security groups (e.g. Policy=Default_TestDev), network profiles and templates. The consumer simply requests the Web/App/DB blueprint.

Cloud Consumer Profiles: Some Users Want to Customize
"I know exactly what I need for connecting, securing and scaling my app. Let me deal with it." For this consumer the cloud admin publishes a multi-machine blueprint whose networking and security settings (e.g. Policy=Default_TestDev) are configurable, and the cloud consumer customizes them at request time.

Understanding vCAC Network Profiles
- Network admins pre-define network profiles for connectivity.
- Cloud admins define multi-machine blueprints using these pre-defined network profiles.
- Certain network types can be combined in a multi-machine blueprint.
There are four network profiles:
- External: the Web, App and Database VMs connect directly to an existing network behind any upstream router.*
- Routed: each tier gets its own logical switch behind a logical router, which connects to any upstream router.*
- NAT: the tier networks sit behind a NAT gateway, which connects to any upstream router.*
- Private: the tier networks sit behind a logical router with no external connectivity.
* Any upstream router can also be an NSX Distributed Logical Router or an NSX Edge Services Gateway.

Understanding vCAC Network Profiles: when to use which
- Why use an External network profile? When you are connecting to a pre-created network, e.g. "I have an existing network (VXLAN or VLAN backed) that I want to connect component VMs to, potentially for multiple applications."
- Why use a Routed network profile? When you need end-to-end routable access and unique IP addresses, e.g. "I need to provide end-user access to my Production workloads."
- Why use a NAT network profile? When you have overlapping IP addresses across networks that need external connectivity, e.g. "I am using overlapping IP addresses across my web, app and database tiers, and will deploy many app instances that still need external inbound and/or outbound access."
- Why use a Private network profile? When you don't need external connectivity, e.g. "I want to do performance testing on my app, but I don't need to set up remote access for end users."

What's new in NSX & vCAC 6.1

Feature Overview - vCloud Automation Center 6.1 & NSX
A range of features from pre-created to on-demand network and security services:
Connectivity
- Network profiles for on-demand network creation: define routed, NAT, private and external profiles for a variety of app topologies, with the option to connect to pre-created networks (logical or physical).
- NSX Distributed Logical Router (DLR): optimize for east-west traffic by connecting to a pre-created DLR.
Security
- On-demand micro-segmentation: automatic creation of a security group per app with default-deny firewall rules.
- Apply firewall and advanced security policies: select pre-defined NSX security policies to apply to an app or tier (antivirus, DLP, intrusion prevention, vulnerability management).
- Connect business logic to security policy: select a pre-defined NSX security tag, which is applied to the workload and interpreted by NSX to place it in a pre-defined security group.
Availability
- On-demand load balancer in one-armed or inline mode, plus the option of using pre-created load balancing.
Extensibility
- Business logic moved to the NSX vCO plugin, which allows vCO workflows to be leveraged by Advanced Service Designer.

vCAC Networking and Security Architecture: 6.0 and 6.1 releases
6.0 release (vCNS model): the business logic lives in vCloud Automation Center itself, which calls the REST API of NSX for vSphere directly and the vSphere API on vCenter Server; NSX communicates with the ESXi hosts over AMQP.
6.1 release (NSX model): the business logic moves into the NSX vCO plugin running in vCenter Orchestrator. vCAC calls vCO over its REST API, the plugin calls the NSX REST API, and vCAC still uses the vSphere API on vCenter Server; NSX communicates with the ESXi hosts over AMQP.

NSX vCenter Orchestrator Plugin
Benefits of abstracting with vCO:
- Ability to support multiple product versions (vCNS, NSX) transparently to vCAC.
- Network and security workflows are decoupled from the policy engine, enabling more rapid release and update of workflows.
- Ability to deliver fixes and updates more rapidly.
- Easier to extend or customize workflows by adding your own logic or leveraging other systems.
- Self-service access to NSX vCO workflows through Advanced Service Designer.
Note: the initial version of the NSX vCO plugin is limited to the functionality required by vCAC and is only supported for these out-of-the-box workflows.

NSX Distributed Logical Router
The network admin configures a pre-defined Distributed Logical Router that can then be shared by multiple networks provisioned on-demand by vCAC; it scales up to 1000 logical interfaces. In the figure one DLR connects the Web, App and Database logical switches of many deployments and uplinks to an Edge Gateway.
- Optimized routing for east/west traffic directly at the source hypervisor, distributed across all hosts.
- No virtual appliance required for routing.
- Dynamic routing available (OSPF and BGP).
- Previously, distributed logical routing could only be leveraged on External networks.

vCAC Routed Gateways
- A blueprint with a routed network profile must use a routed gateway to talk to external networks.
- The routed gateway is defined at the reservation level for routed and external profiles.
- Only one gateway per external network profile.
- The gateway determines whether a Distributed Logical Router or an NSX Edge gateway will be used by a routed network profile.
Two variants are shown: the tier networks directly connected to a Distributed Logical Router acting as the routed gateway, or an application-level NSX Edge per deployment acting as the routed gateway, with a static route added upstream for its networks.

NSX Security Groups & Security Policies
- End users and cloud admins are able to select pre-defined security policies already approved by the security admin in NSX.
- Security policies are applied to one or more security groups of which the workloads are members.
- These security groups are created on-demand by vCAC at deployment time.
A security group is WHAT you want to protect: members (VM, vNIC) and context (user identity, security posture). A security policy is HOW you want to protect it: services (firewall, antivirus, IPS etc.) and profiles (labels representing specific policies). Example: the Standard Web policy allows inbound HTTP/S and outbound ANY on the firewall, and uses IPS to prevent DoS attacks and enforce acceptable use.

NSX Security Tags
NSX security tags can be used to define IF/THEN workflows for security services, e.g. IF a user selects a Finance application, THEN place the VM in the Finance security group.
- Step 1: The security admin pre-defines a security group and a security policy with dynamic membership based on a security tag: IF Tag = Finance THEN add the VM to security group Finance with security policy Finance.
- Step 2: The cloud admin creates a multi-machine blueprint which sets a security tag (Finance). The cloud admin needs no knowledge of security groups or security policies.
- Step 3: The end user requests the Finance application via the service catalog.
- Step 4: The VM is automatically deployed with its security tag.
- Step 5: The VM is dynamically assigned to the relevant pre-defined security group (SG=Finance), which defines WHAT you want to protect.
NSX Application Isolation
Application isolation provides an optional first level of security. When selected, all inbound and outbound access to the application is blocked, while traffic within the application is permitted. Component-level security policies are applied at a higher precedence to permit selected traffic, for example inbound to the Web tier, Web to App and App to Database. In the figure two applications are deployed side by side, each isolated from the other.
NSX Load Balancing
- vCAC leverages NSX for both on-demand and pre-created logical load balancing.
- If an NSX Edge is the default gateway for the component VMs (an application-level NSX Edge), inline load balancing is used.
- If the component VMs are connected to a network using the Distributed Logical Router or an External network, load balancing is configured in one-arm mode, with the load balancer on the tier network beside the VMs behind the DLR or external gateway.

On Demand Micro-Segmentation
Starting from a Private network profile (Web, App and Database tiers with no external connectivity), micro-segmentation is applied in three levels: Isolation (no communication path), Segmentation (a controlled communication path) and Advanced Services (a communication path through advanced services).

Deployment Topologies

vCAC with NSX On Demand Deployment Model
The on-demand model is typically used for more dynamic Test/Dev style workloads, particularly when there is a requirement for overlapping IP addresses. It uses two tiers of routing:
- NSX Edge as the provider router (HA), with dynamic routing (OSPF, BGP) externally.
- Distributed Logical Router or NSX Edge as the application router: dynamic routing with the DLR, static routing or NAT with the Edge. The static route for each routed network is added automatically.
Addressing in the figure, with the transit uplink 192.168.10.0/24 as the External network profile:
- MMS 1, Routed via Distributed Logical Router: Web logical switch 172.16.10.0/29, App LS 172.16.10.8/29, DB LS 172.16.10.16/29.
- MMS 2, Routed via NSX Edge: Web LS 172.16.20.0/29, App LS 172.16.20.8/29, DB LS 172.16.20.16/29.
- MMS 3, NAT & Private via NSX Edge: Web LS (NAT) 172.16.102.0/24, App LS (Private) 172.16.100.0/24, DB LS (Private) 172.16.101.0/24.
- MMS 4, NAT & Private via NSX Edge: the same 172.16.102.0/24, 172.16.100.0/24 and 172.16.101.0/24, overlapping with MMS 3 behind its own Edge.
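The difference between the Routed deployments (MMS 1 and 2) and the NAT & Private deployments (MMS 3 and 4) in this figure, as an added example that is not from the deck and is not vCAC or NSX code: a Python allocator that carves a unique /29 per tier from a routed profile's base range and records the static route the provider router needs, and that reuses identical private ranges for every NAT deployment behind a per-app Edge, consuming one transit address per Edge. The transit gateway address, the use of a single base range 172.16.10.0/24 for both routed deployments, and the single published port are assumptions.

```python
"""Toy address allocator for vCAC on-demand network profiles, constructed to
mirror the on-demand deployment figure (/29 per tier for routed networks,
identical private ranges for NAT deployments). Not vCAC or NSX code; subnet
sizes, the transit gateway and the published port are assumptions."""
import ipaddress
from typing import Dict, List, Tuple


class ExternalProfile:
    """Pre-created transit network: provider router plus app-router uplinks."""

    def __init__(self, cidr: str, gateway: str) -> None:
        self.gateway = ipaddress.ip_address(gateway)
        self._free = [h for h in ipaddress.ip_network(cidr).hosts() if h != self.gateway]
        self.static_routes: List[str] = []      # what the provider router learns

    def next_uplink(self) -> str:
        return str(self._free.pop(0))


class RoutedProfile:
    """Every tier gets a unique, routable subnet carved from one base range."""

    def __init__(self, base: str, prefix: int = 29) -> None:
        self._free = list(ipaddress.ip_network(base).subnets(new_prefix=prefix))

    def deploy(self, name: str, tiers: List[str], ext: ExternalProfile,
               router: str) -> Dict:
        if len(tiers) > len(self._free):
            raise RuntimeError(f"{name}: routed profile has no free subnet left")
        uplink = ext.next_uplink()              # DLR or Edge interface on the transit
        nets = {t: str(self._free.pop(0)) for t in tiers}
        for net in nets.values():               # added automatically in the deck's model
            ext.static_routes.append(f"{net} via {uplink}")
        return {"name": name, "router": router, "uplink": uplink, "networks": nets}


class NatProfile:
    """Same private ranges on every deployment, hidden behind a per-app Edge."""

    def __init__(self, tier_ranges: Dict[str, str], published: Dict[str, int]) -> None:
        self.tier_ranges = {t: ipaddress.ip_network(c) for t, c in tier_ranges.items()}
        self.published = published              # tier -> port exposed inbound

    def deploy(self, name: str, ext: ExternalProfile) -> Dict:
        uplink = ext.next_uplink()              # the only unique address consumed
        nat = [f"SNAT {net} -> {uplink}" for net in self.tier_ranges.values()]
        for tier, port in self.published.items():
            target = next(self.tier_ranges[tier].hosts())   # assumed: first VM of the tier
            nat.append(f"DNAT {uplink}:{port} -> {target}:{port}")
        return {"name": name, "router": "edge", "uplink": uplink,
                "networks": {t: str(n) for t, n in self.tier_ranges.items()}, "nat": nat}


def overlapping(deployments: List[Dict]) -> List[Tuple[str, str]]:
    """Pairs of deployments whose tier networks overlap: expected for NAT,
    a misconfiguration for routed."""
    found = []
    for i, a in enumerate(deployments):
        for b in deployments[i + 1:]:
            if any(ipaddress.ip_network(x).overlaps(ipaddress.ip_network(y))
                   for x in a["networks"].values() for y in b["networks"].values()):
                found.append((a["name"], b["name"]))
    return found


def build_demo() -> Dict:
    ext = ExternalProfile("192.168.10.0/24", "192.168.10.1")
    routed = RoutedProfile("172.16.10.0/24")
    nat = NatProfile({"web": "172.16.102.0/24", "app": "172.16.100.0/24",
                      "db": "172.16.101.0/24"}, published={"web": 443})
    tiers = ["web", "app", "db"]
    deployments = [
        routed.deploy("MMS1", tiers, ext, router="dlr"),
        routed.deploy("MMS2", tiers, ext, router="edge"),
        nat.deploy("MMS3", ext),
        nat.deploy("MMS4", ext),
    ]
    return {"ext": ext, "deployments": deployments}


if __name__ == "__main__":
    demo = build_demo()
    for d in demo["deployments"]:
        print(d["name"], d["router"], d["uplink"], d["networks"], d.get("nat", ""))
    print("provider static routes:", demo["ext"].static_routes)
    print("overlaps:", overlapping(demo["deployments"]))
```

The routed profile is a finite resource: once its /29s are gone the next request fails, which is the point of the exhaustion check, whereas the NAT profile can be deployed as often as the transit network has addresses for Edges. The overlap report is the quick sanity check to run when a routed deployment unexpectedly cannot reach another: two routed deployments must never appear in it.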

vCAC with NSX Pre Created Deployment Model
The pre-created model is typically used with Production or more static workloads, where the application topology is multi-tier on a single network. It uses two tiers of routing:
- NSX Edge as the provider router, scaled out with ECMP (NSX 6.1), with dynamic routing (OSPF, BGP).
- Distributed Logical Router as the application router, with dynamic routing (OSPF, BGP) to the provider routers.
- Existing logical switches are used as External network profiles.
- One-arm load balancing on demand (vCNS Edge in 6.0, NSX Edge in 6.1).
In the figure: the transit uplink 192.168.10.0/24 (External network profile) connects the scale-out provider routers to the DLR; logical switch Prod-01 172.16.50.0/24 (External network) carries MMS 1 and MMS 2 as security groups Prod Web/App/DB SG A and SG B, each with its own one-arm LB; logical switch Dev-01 172.16.60.0/24 (External network) carries MMS 3 and MMS 4 as Dev Web/App/DB SG A and SG B.

Demonstration

Live Demonstration

Q&A

Questions

VMworld Hands on Labs


HOL-SDC-1413 IT Outcomes - Faster Delivery of Infrastructure and Apps through Automation
HOL-SDC-1424 VMware NSX in the SDDC

Coming Soon! vRealize
Existing name / New name / New SaaS name:
- vCenter Operations Management Suite / vRealize Operations / vRealize Air Operations
- vCloud Automation Center / vRealize Automation / vRealize Air Automation
- IT Business Management / vRealize Business / vRealize Air Business
Other examples: vRealize Log Insight (formerly Log Insight); vRealize Orchestrator (formerly vCenter Orchestrator).

vRealize Suite 6 (new)
A cloud management platform purpose-built for the hybrid cloud. It includes vCenter Operations Management Suite, vCloud Automation Center, IT Business Management Suite Standard and vCenter Log Insight, and extends the vCloud Suite value proposition to the hybrid cloud. Available: Q3 2014.

Thank You
Ray Budavari (@rbudavari)

Zack Kielich (@zackomatic)


http://www.vmware.com/products/nsx/
http://www.vmware.com/products/vcloud-automation-center

Fill out a survey


Every completed survey is entered into a
drawing for a $25 VMware company store
gift certificate
