Virtualize and Secure Networks with NSX
By Tony Cuevas
VMware NSX is a network virtualization platform that delivers logical networking and security services for software-defined data centers (SDDC). Switching, routing, load balancing, and firewalling are embedded in the hypervisor and distributed across the environment. Below, Tony Cuevas reveals his favorite NSX features and breaks the platform down by its core components and essential services.
In this blog, I want to shift gears and drive down a different avenue, take the road less-traveled, and explore new horizons. Recently I attended a Software-Defined Data Center (SDDC) training class for VMware NSX and (wow!) was I impressed.
Whenever you see the words Tony and NSX together, the first image that comes to mind is Tony Stark driving off at the end of The Avengers in his stylish Acura NSX.
I also happen to drive an Acura…
…but it’s the ILX and my last name is not Stark, so this blog will have to take a close second place to that first image. (In due time, I plan to trade up to an NSX, but for now we’ll shift gears from the Acura NSX to VMware NSX.)
Introducing VMware NSX: The Ultimate Network Hypervisor
VMware NSX is a network virtualization platform that you can use to build a rich set of logical networking and security services in a software-defined data center. Businesses today leverage VMware products to virtualize servers and applications within their environments. NSX is an essential layer that includes switching, routing, firewalling, load balancing, dynamic security policies, REST APIs, VPN, and even native operations such as central CLI, traceflow, SPAN, and IPFIX to help you monitor the infrastructure. These core components and services are embedded in the hypervisor and distributed across the environment.
The VMware NSX platform layers serve as a network hypervisor offering hardware-independent provisioning and management of virtual networks. Think of NSX as leveraging the same operational model that drives your virtual machines, only this time, we’re powering entire networks.
The following diagram highlights this beautifully:
VMware NSX offers a distributed logical architecture for L2–L7 services that enables you to provision them programmatically when virtual machines are deployed and move them with the virtual machines. This means you can treat the physical network as a pool of transport capacity where network and security services are attached to virtual machines in a policy-driven approach.
The Seven Best Features of VMware NSX
- Reproduces the entire network model in software so you can add and provision along a complete spectrum from the most basic segments to the most complex multi-tier network topologies.
- Includes security and advanced networking services from leading third-party vendors.
- Builds multiple virtual networks that are more secure by design.
- Supports diverse requirements that can combine NSX services with the existing virtualized environment.
- Delivers granular security to individual workloads including micro-segmentation support.
- Enhances operational efficiency through automation and network provisioning performance improvements that accelerate what previously took days down to seconds.
- Empowers virtualization and workload mobility inside your data center and across multiple data centers free from your physical network topology.
The Seven Core Components of VMware NSX
- NSX Data Component: The NSX data component includes the NSX vSwitch and sub-components that work together to enable services. NSX is packaged as VIBs (vSphere Installation Bundles) consisting of userspace agents, kernel modules, install scripts, and configuration files that run inside the hypervisor kernel. This component gives you VXLAN bridging, distributed routing, and logical firewall services.
- NSX Management Component: This component represents the centralized network management component of the solution. It provides the single point of configuration and REST API entry points. On your vCenter server, NSX Manager is installed as a virtual appliance available to any ESX host. NSX Manager and vCenter share a one-to-one relationship where every instance of NSX Manager corresponds with one vCenter Server. This relationship extends to a cross-vCenter NSX environment where both a primary NSX Manager and one or more secondary NSX Managers exist. Use NSX Manager to deploy NSX controller nodes.
- NSX Control Component: This controller cluster component is often simply called the controller. Acting as an advanced distributed state management system, the controller provides logical switching and routing. It is the central control point for all logical switches on your network and maintains information about all hosts, logical switches (VXLANs), and distributed logical routers. To enable high-availability (HA), resiliency, and scale, controller nodes are deployed in three-member clusters where any single controller node failure does not impact any traffic in other data components. The controller cluster distributes network information to hosts and manages distributed switching and routing in the hypervisors. The three virtual appliances provide, maintain, and update the state of all network functions in the NSX domain. The controller cluster also offers an API, persistence servers, switch/logical manager, and directory server.
- NSX Virtual Switch Component: Based on VMware vSphere Distributed Switch, the NSX vSwitch (vDS-based) connects with additional components (VXLAN, distributed logical router, firewall) to enable services. Its primary mission is the abstraction of the physical network while simultaneously providing access-level switching in the hypervisor. This virtual switch component empowers network virtualization and delivers logical networks that are independent of physical constructs, such as VLANs. It also supports hypervisor scale-out, overlay networking with protocols such as VXLAN, and centralized network configuration. This component also includes operational and traffic-monitoring features (backups, restores, health checks, quality-of-service metrics, NetFlow/IPFIX, port mirroring, and LACP).
- Consumption Component: NSX is typically consumed directly through the NSX Manager user interface (part of vSphere Web Client). The end-user experience of network virtualization is through your cloud management platform, since it is the source of deployed applications. Default integration support for VMware vCloud Automation Center, vCloud Director, and OpenStack with the Neutron plug-in is available for NSX. Beyond that, the REST APIs offer almost unlimited custom integration opportunities.
- NSX Edge Services Component: This component provides access to all the VMware NSX Edge services, such as firewall, NAT, DHCP, VPN, load balancing, and high availability. NSX Edge can be installed as one of two services:
  - Edge Services Gateway (ESG): An ESG with a trunk can support up to 200 sub-interfaces. You can install multiple ESG virtual appliances in a datacenter. The internal interfaces connect to secure port groups and act as the gateway for all protected virtual machines in the group. Firewall rules affecting North-South traffic and other NSX Edge services are enforced on traffic between interfaces. ESG uplink interfaces connect to uplink port groups with access to a shared corporate network or a service that provides access layer networking. You can configure external IP addresses for load balancer, site-to-site VPN, and NAT services.
  - Distributed Logical Router (DLR): The DLR provides East-West distributed routing with tenant IP address space and data path isolation. Virtual machines or workloads that reside on the same host on different subnets can communicate with one another without having to traverse a traditional routing interface.
- NSX Distributed Firewalling: The VMware NSX distributed firewall provides high context and isolation without jeopardizing manageability, performance, and scalability. The distributed firewall provides microsegmentation, which addresses many security challenges. The distributed firewall provides security filtering and service chaining functions on every host prepared for VMware NSX. It ensures consistent (ubiquitous) application of policy rules, optimizes traffic with no firewall hairpins and provides distributed enforcement of policy rules.
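As an added example (not code from the original post or from VMware), here is a small Python check that reads a distributed-firewall configuration export and flags the two things that most often undermine micro-segmentation in practice: enabled allow rules that match any source, any destination and any service, and rules with logging switched off (so Flow Monitoring has nothing to audit). The XML layout and the sample config are assumptions modelled on the general shape of an NSX-v DFW export, not a real export.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a DFW export (layout assumed, not an actual NSX export).
SAMPLE_DFW_CONFIG = """<firewallConfiguration><layer3Sections>
<section name="web-tier">
  <rule id="1001" disabled="false" logged="true"><name>allow-web-to-app</name>
    <action>allow</action>
    <sources><source><value>10.0.1.0/24</value><type>Ipv4Address</type></source></sources>
    <destinations><destination><value>10.0.2.0/24</value><type>Ipv4Address</type></destination></destinations>
    <services><service><value>application-1</value></service></services>
  </rule>
  <rule id="1002" disabled="false" logged="false"><name>temp-any-any</name>
    <action>allow</action>
  </rule>
</section>
<section name="default">
  <rule id="1003" disabled="false" logged="false"><name>Default Rule</name>
    <action>deny</action>
  </rule>
</section>
</layer3Sections></firewallConfiguration>"""

def _is_any(rule, container):
    """In the assumed export layout an absent or empty sources/destinations/services block means 'any'."""
    node = rule.find(container)
    return node is None or len(node) == 0

def audit_dfw(xml_text):
    """Return (rule id, rule name, issue) tuples for enabled rules that weaken micro-segmentation."""
    findings = []
    for rule in ET.fromstring(xml_text).iter("rule"):
        if rule.get("disabled") == "true":
            continue  # disabled rules are not pushed to the hosts, so they do not change enforcement
        rid, name = rule.get("id"), rule.findtext("name", "")
        action = rule.findtext("action", "").lower()
        # An allow rule with any source, any destination and any service collapses
        # the per-workload isolation the distributed firewall is there to provide.
        if action == "allow" and all(_is_any(rule, c) for c in ("sources", "destinations", "services")):
            findings.append((rid, name, "any/any allow"))
        # Unlogged rules leave no Flow Monitoring evidence for later auditing.
        if rule.get("logged") != "true":
            findings.append((rid, name, "logging disabled"))
    return findings

if __name__ == "__main__":
    for rid, name, issue in audit_dfw(SAMPLE_DFW_CONFIG):
        print(f"rule {rid} ({name}): {issue}")
```

Pointing the script at a real export means adjusting the element names to whatever the NSX Manager version in use actually emits; the checks themselves carry over unchanged.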
The Seven Major Services of VMware NSX
Working together, the NSX core components deliver the following functional services.
- Logical Switches: A distributed logical switch spanning one or more vCenter hosts provides virtual machine mobility (vMotion) within the data center without the boundary limitations of physical Layer 2 (VLAN). Since the logical switch contains the broadcast domain in software, the physical infrastructure is not constrained by MAC/FIB table limits. Logical switches satisfy the fault isolation, non-overlapping IP addresses, and other security requirements of cloud applications and tenants. With NSX, you can also create multiple logical switches, each serving as a single logical broadcast domain. You can logically wire an application or tenant virtual machine to a logical switch.
- Logical Routers: For enhanced network efficiency and scale, logical routers let you shrink Layer 2 broadcast domains and route between them directly in the hypervisor. You can apply this capability to the East-West routing needed by workloads. You get improved direct communication between VMs without the time or expense of extended segments. Tenants can also access public networks because NSX logical routers also provide North-South connectivity.
- Logical Firewall: Segment virtual machines and other data center entities based on their attributes, names, user identities, and vCenter objects (for example, data centers or hosts). Satisfy established security requirements for multi-tenant virtual data centers including IP/VLAN constructs for building DMZs and tenant-to-tenant isolation. This service also includes a Flow Monitoring feature for auditing network traffic.
- Logical Virtual Private Networks (VPNs): NSX supports user access to private corporate applications (SSL VPN-Plus) and connectivity between NSX Edge entities and remote NSX sites (IPsec VPN) with optional VPN gateways or hardware routers from other vendors. With L2 VPN, expand your datacenter to permit virtual machines to retain network connectivity with the same IP address across geographical boundaries.
- Logical Load Balancer: The NSX Edge load balancer distributes client connections directed at a single virtual IP address (VIP) across multiple destinations configured as members of a load balancing pool. Inbound service requests are evenly distributed across multiple servers and load distribution is transparent to users. You get fast response times, maximum resource utilization, and superior throughput without overload.
- Service Composer: Assign network and security services to applications in a virtual infrastructure. Provision services in security groups and apply them to virtual machines using your security policy.
- NSX Extensibility: Integrate your NSX platform solution with other VMware products and partner solutions. Administer complex, multi-tier virtual networks independent of the existing network topology.
NSX is a powerful platform for building networks within software and achieving levels of agility, security, and economics that were previously unreachable with physical networks. It provides a complete set of logical networking elements and services including logical switching, routing, firewalling, load balancing, VPN, quality-of-service, and monitoring.
The fact that NSX offers distributed East-West firewalling across all virtual machines creates a more secure environment and protects your investment. Coming from the physical network world and that way of thinking, I have progressed along my journey to honestly say I now embrace SDDC and virtual networking. Like Tony “I am Iron Man” Stark, I’m always up for a challenge!
Until next time… Cuevas Out!