self service it with v realizeautomation and nsx
TRANSCRIPT
Self-service IT with vRealize Automation and NSXNET4291
Ray Budavari VMware
Student Guide & Internal & Confidential Update Dailyhttps://goo.gl/VVmVZ0
vRealizeAir –NEW Cloud Management SaaS Offerings http://ouo.io/6TMPFHow to Help Customers Install, Deploy and Migrate to the vRealizeOperations Manager 6.0 (formerly vCOps) http://ouo.io/1pL8woShowing Costs Back in the Virtualized Environment vRealize Business Standard Proof of Concept (formerly ITBM) http://ouo.io/30TzEvRealizeCloud Management Portfolio Overview and Glimpse into the Future http://ouo.io/OpLGQB
vRealizeSuite: VMware’s vRealizeCloud Management Platform http://ouo.io/t5n5MOvRealizeAutomation (formerly vCAC) and NSX: Automating Networking & Security Infrastructure http://ouo.io/CyCXvJourney of the Deal: Best Practices from a VMware Cloud Management Partner http://ouo.io/vBVQdO
The Practical Path to NSX and Network Virtualization http://ouo.io/47hme
Why an SSDC Approach with NSX is Better for Your Channel Business http://ouo.io/1hY4l
Agenda
CONFIDENTIAL 2
1 NSX and vRealize Automation
2 NSX & vRA 6.2 Updates
3 Deployment Considerations
4 Demonstration
5 Q&A
Why NSX?Support for Detailed, Programmable Application Topologies
Security PoliciesSecurity Groups
Logical Switching, Routing, Firewall, Load Balancing
Web
App
Database
Web “Standard Web” Firewall – allow inbound
HTTP/S, allow outbound ANY IPS – prevent DOS attacks,
enforce acceptable use
“Standard App” Firewall – allow inbound
TCP 8443, allow outbound SQL
Database“Standard Database”
Firewall – allow inbound SQL
Vulnerability Management – Weekly Scan
App
VM VM
VM VMVM
VM
“Default” Firewall – Access shared
services (DNS, AD) Anti-Virus – Scan Daily
Default
Logical Switch
Logical Router
NSX
Logical Firewall
Logical LoadBalancer
NSX with vRealize AutomationDynamic Configuration and Deployment of NSX Logical Services
On Demand Application Delivery
vRealize AutomationService Catalog
Resource Reservation
Multi-Machine Blueprint
Cloud Management Platform
Network Profiles
Security Policies
Security Groups
Web
App
Database
VM VM
VM VM VM
VM
NSX Use Case – Self Service IT
Multi- Machine
Blueprints
Cloud Consumer
Cloud Admin
SLA
Cost Profile
Security
Networking
Service Catalog
Service Request
Network Admin Load Balancer Admin
Standardized Templates
Logical Load Balancer
Security Admin
AVAILABILITYSECURITYCONNECTIVITYExternal Networks Network Profiles Security Tags Security Groups Security
Policies
NSX Use Case – On Demand Micro-Segmentation
6
Web
App
Database
PRIVATE
No external connectivity
VM
VM VM
VM VM VM
Isolation
Controlled Communication Path
Advanced Services Communication Path
Segmentation Advanced Services
No Communication Path
Agenda
CONFIDENTIAL 14
1 NSX and vRealize Automation
2 NSX & vRA 6.2 Updates
3 Deployment Considerations
4 Demonstration
5 Q&A
Feature Overview – NSX & vRealize Automation 6.2Connectivity
Network Profiles for On-Demand Network Creation– Define Routed, NAT and Private network profiles based on application topologyConnect to pre-created External networks NSX Distributed Logical Router (DLR) Support– Optimize east-west traffic by connecting On-Demand
Logical Switches to a pre-created DLRAll On-Demand Edges use NSX 6.1 versionSecurity
App Isolation– Automatic creation of security group per app with default policy to permit traffic between
tiers and block all inbound/outbound traffic
On Demand creation of Security Groups based on Security Policies– Select pre-defined NSX security policies which apply to security groups for component VMs– Allows self-service consumption of DFW Rules, AV, DLP, IDS/IPS, Vulnerability Mgmt
– Select pre-defined NSX security tag which is applied to VMs and used to dynamically place workloads in security groups
Security Tags
AvailabilityOn-demand Load Balancer in One-Armed Mode or Inline Mode- NSX Load Balancing configuration used
ExtensibilityBusiness Logic moved to NSX vCO Plugin
Web
App
Database
VM VM
VM VM VM
VM
Web
App
DatabaseWebVM
Web
App
DatabaseVM
Web
App
DatabaseVM
NSX Distributed Logical Router
NSX Logical Distributed
Router
• Optimized routing for East/West traffic directly at the source Hypervisor, distributed across all Hosts
• No virtual appliance required for Routing• Dynamic Routing available (OSPF and BGP)• Previously Distributed Logical Routing could only be leveraged on External
Networks
The Network Admin will configure a pre-defined Distributed Logical Router that can then be shared by multiple networks provisioned on-demand by vRA
App
DatabaseVM
VM VM
VM VM VM
Scales up to 1000 logical interfaces!
EdgeGateway
vRA Routed Gateways• Blueprint with routed network profile must use a routed gateway to talk to external networks• Routed gateway is defined at the Reservation level for routed and external profiles• One gateway only per External Network Profile• Determines whether Distributed Logical Router or NSX Edge Gateway will be used by a Routed
Network Profile
Routed GatewayNSX Edge
Routed GatewayDistributed Logical Router
Web
App
DatabaseVM
VM VM
VM VM VMWeb
App
DatabaseVM
VM VM
VM VM VM
Application LevelNSX Edge
Static route addedDirectly connected
NSX Security Groups & Security Policies• End-Users and Cloud Admins are able to select pre-defined security policies already
approved by the Security Admin in NSX• Security policies are applied to one or more security groups where workloads are
members• These security groups are createdon-demand by vRA at deployment time
WHAT youwant to
protect
HOinbWoundyHoTu
TPw/S,anttoIPpS r–
optreevcentt DitOS attacks, enforce acceptable use
SECURITY GROUP
SECURITY POLICYMembers (VM, vNIC) and Context(user identity, security posture)
“Standard Web” Firewall – allow
allow outbound ANY
Services (Firewall, antivirus, IPS etc.) and Profiles (labels representing specific policies)
NSX Security Tags• NSX Security Tags can be used to define IF/THEN workflows for security services, e.g. IF user
selects a “Finance” application, THEN place the VM in the “Finance” security group
INFRASTRUCTURE
APPS
Security Admin
“Finance Policy” IF Tag = Finance
THEN add VM to Security Group “Finance” with Security Policy “Finance”
Step 1: Security Admin pre-defines a Security Group and a Security Policy with dynamic membership based on a Security Tag
“Finance App” Set Tag
“Finance”
Cloud AdminMulti-
Machine Blueprint
Step 2: Cloud Admin creates a Multi- Machine Blueprint which sets a Security Tag. Cloud Admin needs no knowledge of Security Groups or Security Policies.
NSX Security Tags• NSX Security Tags can be used to define IF/THEN workflows for security services, e.g. IF user
selects a “Finance” application, THEN place the VM in the “Finance” security group
INFRASTRUCTURE
APPS
Requests “Finance App”
Service Catalog
Step 3: End-User requests Application via the Service Catalog
Cloud Consumer
Step 4: VM is automatically deployed with its Security Tag
SGW=FiHnaAnc
Te youprotect
Step 5: VM is dynamically assigned to the relevant pre-defined Security Group
w ant to
NSX Application Isolation• Application Isolation provides an optional first level of security. When selected all inbound and
outbound application access is blocked, while inter application traffic is permitted• Component level Security Policies are applied
at a higher precedence to permit selected traffic
Web
App
Database
VM VM
VM VM VM
VM
Web
App
Database
VM VM
VM VM VM
VM
NSX Load Balancing• vRA leverages NSX for both on-demand and pre-created Logical Load Balancing• If an NSX Edge is the default gateway for component VMs, Inline Load Balancing is used
• If the component VMs are connected to a network using the Distributed Logical Router or an External Network then Load Balancing is configured for One-Arm mode
One-Arm Load Balancing
Inline Load Balancing
Web
App
Database
VM VM
VM VM VM
VM
Web
App
Database
VM VM
VM VM VM
VMApplication Level
NSX EdgeDEixstterrinbaulted GaLtoegwicaayl
Router
vCAC Networking and Security Architecture – 6.0 release
vCloud Automation Center
Rest APINSX for vSphere
ESXi
vCenter Server
vSphere API
vCNS Model
Business logic
AMQP
vRA Networking and Security Architecture – 6.1+ release
vRealize Automation
ESXi
vCenter Server
vCenter Orchestrator
NSX vCO Plugin
Rest APINSX
Rest API
vSphere API
NSX Model
Business logic
AMQP
NSX vRealize Orchestrator Plugin
CONFIDENTIAL 25
Benefits• Ability to support multiple product versions (vCNS, NSX)
transparently to vRA• Network and security workflows are decoupled from cloud
management platform, enabling more rapid release and updates/fixes to workflows
• Easier to extend/customize workflows by adding your own logic
• Provide Self Service access to NSX vCO workflows through Advanced Service Designer
• Can also be used standalone without vRA
Note: Initial version of NSX vCO Plugin is limited to functionality required by vRA and is only supported for these out of thebox workflows
Agenda
CONFIDENTIAL 26
1 NSX and vRealize Automation
2 NSX & vRA 6.2 Updates
3 Deployment Considerations
4 Demonstration
5 Q&A
vRO Considerations
1) Install NSX vRO Plugin if using standalone vRO Server
2) Setup Endpoints in vRAvCenter with NSX & vRO
3) NSX endpoint in vRO will automatically be created
4) Manually run vRO workflow to enable support for overlapping subnets
vRA NSX Networking & Security WorkflowsConnect to NSX using vCO REST API
Create App Isolation Security Policy
Create App Isolation Security Group
Assign Policy to Security Group
Create Component Security Group
Assign Policy to Security Group
Create VXLAN Logical Switches
Create NSX Edge Services Gateway
Connect Networks to Logical Routers
Multi Machine Provisioning Multi Machine Destroy
Configure Load Balancing & DHCP Services
Configure Default Gateway/Inject Static Route
Assign Security Tags
Add component machines to Security Groups
Connect to NSX using vCO REST API
Delete Security Groups
Disconnect DLR LIFs
Delete Edge
Delete Static Route
Delete VXLAN Logical Switches
Reclaim IP Addresses or Range
Remove NAT Rules
Remove Load Balancing
Configure Edge Firewall
vRA Data Collection
vRA IaaS
• Data Collection occurs automatically after the endpoints are registered
• By default ‘Network and Security inventory’ Data Collection occurs every 24 hours
• Data Collection frequency can be modified in hours
• Manual Data Collection can also be performed
NSX objects are cached by vRA using vCO inventory. This includes the following items:• Transport Zones• Logical Switches• Edge Gateways/Distributed Logical Routers• Security Tags• Security Groups• Security Policies
VRM Agent -> vCenter
DEM -> vCO -> NSX
Naming Convention for NSX ObjectsThe vRA Multi Machine Service identifier is used within NSX for dynamically created objects:▪ Logical switches “<NetworkNameInMMBP>-<MMS UUID>”▪ Edge gateways “Edge-<MMS UUID>”▪ Security groups “SG-<MMS UUID>”▪ App Isolation Security policy “SG-<NSX Endpoint UUID>”
NSX and vRA Extensibility
31
• The NSX vRealize Orchestrator Plugin covers many common networking & security operations
• vRO also includes a HTTP-REST Plugin which allows the NSX vSphere API to be directly consumed– Allows creation of custom workflows to perform
advanced NSX operations, eg:• Enable Edge HA• Modify Edge sizing• Configure additional LB features• Create NSX Security Groups, Policies or Tags
• vRA WF stubs provide an integrated method of calling these custom vRO workflows at specific points in machine lifecycle
• Allows for additional NSX operations to be inserted transparently within the requests
NSX and vRA Extensibility
32
• You can also use workflows from the NSX plugin as building blocks and augment with custom scriptable tasks/workflows
• FToroCmomSipmlepxle
NSX and vRA Extensibility• In addition the vRealize Automation Advanced Service Designer can be used to run
standalone workflows and Day 2 operations• This provides a method of leveraging vRO workflows and plugins via the vRA Self-
Service Portal
33
NSX and vRA Extensibility• Service Blueprints are created in vRA using inputs/outputs from vRO workflows
• These Service Blueprints can then be published to the vRealize Service Catalog along with other Infrastructure Blueprints
34
Custom Properties• Custom Properties for Networking & Security have been available since vCAC 5.2• Allows pre-created NSX or vCNS resources to be consumed by Component VMs• Importantly, these custom properties apply to Single Machine Blueprints• Custom Properties can be pre-defined, or entered at request time• Available Properties are:
– VCNS.LoadBalancerEdgePool.Names– VCNS.SecurityGroup.Names– VCNS.SecurityTag.Names
Multi-Tier App, Multiple Networks
Multi-Tier App,Single Flat Network
vRealize Automation Application TopologiesSupport for Multiple Network Topologies
Web
App
Database
VM VM
VM VM VM
VM
VM VM VM VM VM
VM
NSX with vRA – On Demand Deployment Model
Provider Logical Router (HA)
ExternalNetworks
• 2 Tiers of Routing– Distributed Logical Router or NSX Edge for
Application Router– NSX Edge for Provider Router
• Dynamic Routing externally• Dynamic Routing (DLR), Static Routing
or NAT internally (Edge)Dynamic Routing
(OSPF, BGP)
Transit Uplink 192.168.10.0/24 (External Network Profile)
Static Route addedautomatically
• On Demand Model istypically used for more dynamic Test/Dev style workloads, particularly when there is a requirement for overlapping IP addresses
Dynamic Routing (OSPF, BGP)
Web LogicalSwitch (Routed)
DB Logical Switch (Routed)
MMS 1Routed
App LS (Routed)
172.16.10.0/29 172.16.10.8/29 172.16.10.16/29
Web Logical Switch (Routed) App LS (Routed) DB LS (Routed)
MMS 2Routed
172.16.20.0/29 172.16.20.8/29 172.16.20.16/29
Web Logical Switch (NAT) App LS (Private) DB LS (Private)
MMS 3NAT & Private
172.16.100.0/24 172.16.101.0/24 172.16.102.0/24
Web Logical Switch (NAT) App LS (Private) DB LS (Private)
MMS 4NAT & Private
172.16.100.0/24 172.16.101.0/24 172.16.102.0/24
Distributed Logical Router
NSX with vRA – Pre Created Deployment Model
Logical Switch 172.16.50.0/24 (External Network) 172.16.60.0/24 (External Network) Logical Switch
Prod Web SG A Prod App SG A Prod DB SG A Dev Web SG A Dev App SG A Dev DB SG A
Dev Web SG B Dev App Dev DBSG B
SG B
Prod Web SG B Prod Prod DB SG BApp SG B
Dynamic Routing (OSPF, BGP)with ECMP
External Networks• 2 Tiers of Routing
– Distributed Logical Router for Application Router
– NSX Edge for Provider Router
• Dynamic Routing• Use existing LS as external
network profiles• One Arm Load Balancing
ondemand
Prod-01 Dev-01
LB LB
LB
DynDaymnaicmRico
Rutoinugting
(OS(OPSFP, BFG,
BPG) P)with ECMP
Transit Uplink192.168.10.0/24(External Network Profile)
Provider LoSgciaclaelOut Provider Router (NSLXog6i.c1a)l Router (NSX 6.1) MMS 1 VMs
MMS 2 VMsMMS 3 VMsMMS 4 VMs
• Pre-Created model is typically used with Production or more static workloads and the application topology is multi-tier on a single network
Distributed Logical RouterLB
Agenda
CONFIDENTIAL 39
1 NSX and vRealize Automation
2 NSX & vRA 6.2 Updates
3 Deployment Considerations
4 Demonstration
5 Q&A
Live Demonstration
Agenda
CONFIDENTIAL 41
1 NSX and vRealize Automation
2 NSX & vRA 6.2 Updates
3 Deployment Considerations
4 Demonstration
5 Q&A
Questions
Please submit your feedback via our mobile app.
Thank YouRay Budavari (@rbudavari) http://www.vmware.com/products/nsx/