Disclaimer
This presentation may contain product features that are currently under development.
This overview of new technology represents no commitment from VMware to deliver these
Features are subject to change, and must not be included in contracts, purchase orders, or
been determined.
CONFIDENTIAL
Agenda
1. Background
2. Deployment Topologies
3. Demonstration
4. Q&A
[Slide: personas Cloud Consumer, Network Admin, Security Admin, Cloud Admin]

"Users want to scale their app tiers on-demand but they have to wait for me to install and configure their service. Am I the bottleneck to self-service IT?"

Infrastructure service request flow today: Wait, Wait, Wait, Work. Manual effort per component:
- Network Switch: connect Ethernet cables, configure switch port, VLANs, access control lists, assign IP addresses
- Router (NETWORK OPS): configure router interface to connect to switch ports; configure routing protocols
- Firewall (SECURITY OPS): connect networks to firewall appliances, configure firewall rules based on physical constructs e.g. IP address and VLANs
- Load Balancer
Why NSX?
[Diagram; labels recovered from the slide:]
- Security Policies: Default (Firewall: access shared services (DNS, AD); Anti-Virus: scan daily), Standard Web, Standard App, Standard Database
- NSX constructs: Logical Switch, Logical Router, Logical Firewall, Logical Load Balancer
- Cloud Management Platform constructs: Multi-Machine Blueprint, Resource Reservation, Security Policies, Security Groups, Network Profiles
- Application topologies (Web, App and Database tiers of VMs): Multi-Tier App, Single Flat Network; Multi-Tier App, Multiple Networks
- Pre-defined by Cloud Architect
Cloud Consumer: "I just want my app. Don't ask me about networking and security."

[Diagram: Cloud Admin leverages templates to build a Multi-Machine Blueprint (Web, App and DB tiers of VMs) with Policy=Default_TestDev and Network Profiles; customizable for the Cloud Consumer, configurable by the Cloud Admin.]
4 NETWORK PROFILES: External, Routed, NAT, Private
[Diagram: Web, App and Database VM tiers attached to each profile type.]
- ROUTED: Logical Router connected to any upstream Router *
- NAT: NAT Gateway connected to any upstream Router *; Logical Router **
- PRIVATE: Logical Router, no external connectivity
Why use an EXTERNAL Network Profile?
When you are connecting to a pre-created network. e.g. I have an existing network (VXLAN or VLAN backed) that I want to connect to, potentially for multiple applications.

Why use a ROUTED Network Profile?
When you need end to end routable access to component VMs with unique external IP addresses. e.g. I need to provide end-user access to my Production workloads.

Why use a NAT Network Profile?
When you have overlapping IP addresses across networks that need external connectivity. e.g. I am using overlapping IP addresses across my web, app and database tiers, and will deploy many app instances that still need external inbound and/or outbound access.

Why use a PRIVATE Network Profile?
When you don't need external connectivity. e.g. I want to do performance testing on my app, but I don't need to set up remote access for end users.

[Diagram: the 4 NETWORK PROFILES (External, Routed, NAT, Private) shown on a Multi-Tier, Single Flat Network topology with Web, App and Database VMs; Any upstream Router *; NAT; Logical Router; No external connectivity.]
[Diagram: Web, App and Database VM tiers]

Security: On-Demand Micro-segmentation
- Automatic creation of security group per app w/ default deny firewall rules

Extensibility: Business Logic moved to NSX vCO Plugin
- Allows vCO workflows to be leveraged by Advanced Service Designer

Availability: On-demand Load Balancer in One-Armed Mode or Inline Mode
- Plus option for using pre-created load balancing
vCNS Model
[Diagram: Rest API and vSphere API to vCenter Server, AMQP to ESXi]

NSX Model
[Diagram: business logic in the NSX vCO Plugin (vCenter Orchestrator); Rest API to NSX, vSphere API to vCenter Server, AMQP to ESXi; transparently to vCAC]
NSX Logical Distributed Router
[Diagram: Web, App and Database VMs spread across hosts behind an Edge Gateway; Distributed Logical Router with directly connected tiers and a Routed Gateway.]
- Optimized routing for East/West traffic directly at the source Hypervisor, distributed across all Hosts
- No virtual appliance required for Routing
- Dynamic Routing available (OSPF and BGP)
- Previously Distributed Logical Routing could only be leveraged on External Networks
Security policies are applied to one or more security groups where workloads are members.
- SECURITY GROUP: WHAT you want to protect
- SECURITY POLICY: Services (Firewall, antivirus, IPS etc.) and Profiles (labels representing specific policies)

Example policy "Standard Web": Firewall allow inbound HTTP/S, allow outbound ANY; IPS prevent DOS attacks, enforce acceptable use.

Finance App example:
- Cloud Admin (APPS): Finance App Multi-Machine Blueprint, Set Tag = Finance
- Security Admin (INFRASTRUCTURE): Finance Policy: IF Tag = Finance THEN add VM to Security Group Finance with Security Policy Finance
- Cloud Consumer: requests Finance App from the Service Catalog; result: SG=Finance (WHAT you want to protect)
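An added example (not VMware or NSX code) modelling the flow on this slide in Python: tags set by the blueprint decide security group membership, each group carries a policy, and any flow no policy allows is denied. Group and tag names and the "Standard Web" rules mirror the slide; the Finance policy's HTTPS-only rule and the VM names are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional, Set

@dataclass
class VM:
    name: str
    tags: Set[str] = field(default_factory=set)   # set by the blueprint, e.g. {"Finance"}

@dataclass(frozen=True)
class Rule:
    direction: str        # "in" or "out", relative to the protected VM's vNIC
    proto: str            # "tcp", "udp" or "any"
    port: Optional[int]   # None means any port

# Security policy = the services applied to a group; only firewall rules are modelled.
# "Standard Web" is taken from the slide; "Finance" (HTTPS only) is a constructed assumption.
POLICIES = {
    "Standard Web": {Rule("in", "tcp", 80), Rule("in", "tcp", 443), Rule("out", "any", None)},
    "Finance": {Rule("in", "tcp", 443)},
}

# Security admin's rule: IF tag = X THEN the VM joins security group X, which carries policy X.
GROUP_BY_TAG = {"Finance": "Finance", "Web": "Standard Web"}

def groups_for(vm: VM) -> Set[str]:
    """Membership is derived from tags on every evaluation, so retagging a VM moves it."""
    return {GROUP_BY_TAG[t] for t in vm.tags if t in GROUP_BY_TAG}

def effective_rules(vm: VM) -> Set[Rule]:
    """Union of the policies of every group the VM is in; no group means no allows."""
    return set().union(*(POLICIES[g] for g in groups_for(vm)))

def _permits(rules: Set[Rule], direction: str, proto: str, port: int) -> bool:
    return any(r.direction == direction and r.proto in (proto, "any")
               and r.port in (port, None) for r in rules)

def is_allowed(src: Optional[VM], dst: VM, proto: str, port: int) -> bool:
    """Distributed-firewall semantics: a flow is checked outbound at the source vNIC and
    inbound at the destination vNIC; both must allow it, otherwise default deny applies.
    src=None models a client outside the platform, where there is no source vNIC."""
    out_ok = src is None or _permits(effective_rules(src), "out", proto, port)
    return out_ok and _permits(effective_rules(dst), "in", proto, port)

if __name__ == "__main__":
    web, db = VM("fin-web-01", {"Finance", "Web"}), VM("fin-db-01", {"Finance"})
    print(is_allowed(None, web, "tcp", 443))  # True: HTTPS into the web tier
    print(is_allowed(web, db, "tcp", 3306))   # False: denied until a policy allows SQL
```

The web-to-database check failing is the point of default deny: the security admin has to add an explicit rule to the Finance policy before the tiers can talk.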
One-Arm Load Balancing
[Diagram: Web, App and Database VM tiers; External Distributed Logical Router / Gateway; Application Level NSX Edge]

On Demand Micro-Segmentation
[Diagram: PRIVATE network with Web, App and Database VMs, no external connectivity]
- Isolation: No Communication Path
- Segmentation: Controlled Communication Path
- Advanced Services: Advanced Services Communication Path
Demonstration topology
[Diagram: External Networks and IP addresses reached via Dynamic Routing (OSPF, BGP) through a Provider Logical Router (HA); labels in slide order:]
- MMS 1 (Routed), Distributed Logical Router: Web Logical Switch (Routed) 172.16.10.0/29; App LS (Routed) 172.16.10.8/29; DB Logical Switch (Routed) 172.16.10.16/29
- MMS 2 and MMS 3 (Routed): Web Logical Switch (Routed); App LS (Routed) 172.16.20.0/29; DB LS (Routed) 172.16.20.8/29; Web Logical Switch (NAT) 172.16.20.16/29
- MMS 4 (NAT & Private): App LS (Private) 172.16.100.0/24; DB LS (Private) 172.16.101.0/24; Web Logical Switch (NAT) 172.16.102.0/24

2 Tiers of Routing
- Application Router: Dynamic Routing; use existing LS as external
- Provider Logical Router (NSX 6.1): Dynamic Routing (OSPF, BGP) with ECMP; Scale Out Provider Router (NSX 6.1)
- External Networks; Logical network profiles; MMS 1 VMs, MMS 2 VMs, MMS 3 VMs, MMS 4 VMs
- Transit Uplink 192.168.10.0/24 (External Network Profile)

[Diagram: load balancers (LB) in front of Prod Web SG A and Prod App SG A; Dev-01 on 172.16.60.0/24 (External Network) Logical Switch with Dev Web SG A, Dev App SG A, Dev DB SG A and Dev Web SG B]
Live Demonstration
Questions
Coming Soon! vRealize

Existing                            | New Name            | New SaaS
vCenter Operations Management Suite | vRealize Operations |
                                    | vRealize Automation |
IT Business Management              | vRealize Business   |

Other examples:
- vRealize Log Insight formerly known as Log Insight
- vRealize Orchestrator formerly known as vCenter Orchestrator

vRealize Suite 6 (New). Available: Q3 2014
Thank You
Ray Budavari (@rbudavari)
MGT1969