Self-service IT with vRealize Automation and NSXNET4291

Ray Budavari VMware

Student Guide & Internal & Confidential Update Dailyhttps://goo.gl/VVmVZ0

vRealizeAir –NEW Cloud Management SaaS Offerings http://ouo.io/6TMPFHow to Help Customers Install, Deploy and Migrate to the vRealizeOperations Manager 6.0 (formerly vCOps) http://ouo.io/1pL8woShowing Costs Back in the Virtualized Environment vRealize Business Standard Proof of Concept (formerly ITBM) http://ouo.io/30TzEvRealizeCloud Management Portfolio Overview and Glimpse into the Future http://ouo.io/OpLGQB

vRealizeSuite: VMware’s vRealizeCloud Management Platform http://ouo.io/t5n5MOvRealizeAutomation (formerly vCAC) and NSX: Automating Networking & Security Infrastructure http://ouo.io/CyCXvJourney of the Deal: Best Practices from a VMware Cloud Management Partner http://ouo.io/vBVQdO

The Practical Path to NSX and Network Virtualization http://ouo.io/47hme

Why an SSDC Approach with NSX is Better for Your Channel Business http://ouo.io/1hY4l

Agenda

CONFIDENTIAL 2

1 NSX and vRealize Automation

2 NSX & vRA 6.2 Updates

3 Deployment Considerations

4 Demonstration

5 Q&A

Why NSX?Support for Detailed, Programmable Application Topologies

Security PoliciesSecurity Groups

Logical Switching, Routing, Firewall, Load Balancing

Web

App

Database

Web “Standard Web” Firewall – allow inbound

HTTP/S, allow outbound ANY IPS – prevent DOS attacks,

enforce acceptable use

“Standard App” Firewall – allow inbound

TCP 8443, allow outbound SQL

Database“Standard Database”

Firewall – allow inbound SQL

Vulnerability Management – Weekly Scan

App

VM VM

VM VMVM

VM

“Default” Firewall – Access shared

services (DNS, AD) Anti-Virus – Scan Daily

Default

Logical Switch

Logical Router

NSX

Logical Firewall

Logical LoadBalancer

NSX with vRealize AutomationDynamic Configuration and Deployment of NSX Logical Services

On Demand Application Delivery

vRealize AutomationService Catalog

Resource Reservation

Multi-Machine Blueprint

Cloud Management Platform

Network Profiles

Security Policies

Security Groups

Web

App

Database

VM VM

VM VM VM

VM

NSX Use Case – Self Service IT

Multi- Machine

Blueprints

Cloud Consumer

Cloud Admin

SLA

Cost Profile

Security

Networking

Service Catalog

Service Request

Network Admin Load Balancer Admin

Standardized Templates

Logical Load Balancer

Security Admin

AVAILABILITYSECURITYCONNECTIVITYExternal Networks Network Profiles Security Tags Security Groups Security

Policies

NSX Use Case – On Demand Micro-Segmentation

6

Web

App

Database

PRIVATE

No external connectivity

VM

VM VM

VM VM VM

Isolation

Controlled Communication Path

Advanced Services Communication Path

Segmentation Advanced Services

No Communication Path

Agenda

CONFIDENTIAL 14

1 NSX and vRealize Automation

2 NSX & vRA 6.2 Updates

3 Deployment Considerations

4 Demonstration

5 Q&A

Feature Overview – NSX & vRealize Automation 6.2Connectivity

Network Profiles for On-Demand Network Creation– Define Routed, NAT and Private network profiles based on application topologyConnect to pre-created External networks NSX Distributed Logical Router (DLR) Support– Optimize east-west traffic by connecting On-Demand

Logical Switches to a pre-created DLRAll On-Demand Edges use NSX 6.1 versionSecurity

App Isolation– Automatic creation of security group per app with default policy to permit traffic between

tiers and block all inbound/outbound traffic

On Demand creation of Security Groups based on Security Policies– Select pre-defined NSX security policies which apply to security groups for component VMs– Allows self-service consumption of DFW Rules, AV, DLP, IDS/IPS, Vulnerability Mgmt

– Select pre-defined NSX security tag which is applied to VMs and used to dynamically place workloads in security groups

Security Tags

AvailabilityOn-demand Load Balancer in One-Armed Mode or Inline Mode- NSX Load Balancing configuration used

ExtensibilityBusiness Logic moved to NSX vCO Plugin

Web

App

Database

VM VM

VM VM VM

VM

Web

App

DatabaseWebVM

Web

App

DatabaseVM

Web

App

DatabaseVM

NSX Distributed Logical Router

NSX Logical Distributed

Router

• Optimized routing for East/West traffic directly at the source Hypervisor, distributed across all Hosts

• No virtual appliance required for Routing• Dynamic Routing available (OSPF and BGP)• Previously Distributed Logical Routing could only be leveraged on External

Networks

The Network Admin will configure a pre-defined Distributed Logical Router that can then be shared by multiple networks provisioned on-demand by vRA

App

DatabaseVM

VM VM

VM VM VM

Scales up to 1000 logical interfaces!

EdgeGateway

vRA Routed Gateways• Blueprint with routed network profile must use a routed gateway to talk to external networks• Routed gateway is defined at the Reservation level for routed and external profiles• One gateway only per External Network Profile• Determines whether Distributed Logical Router or NSX Edge Gateway will be used by a Routed

Network Profile

Routed GatewayNSX Edge

Routed GatewayDistributed Logical Router

Web

App

DatabaseVM

VM VM

VM VM VMWeb

App

DatabaseVM

VM VM

VM VM VM

Application LevelNSX Edge

Static route addedDirectly connected

NSX Security Groups & Security Policies• End-Users and Cloud Admins are able to select pre-defined security policies already

approved by the Security Admin in NSX• Security policies are applied to one or more security groups where workloads are

members• These security groups are createdon-demand by vRA at deployment time

WHAT youwant to

protect

HOinbWoundyHoTu

TPw/S,anttoIPpS r–

optreevcentt DitOS attacks, enforce acceptable use

SECURITY GROUP

SECURITY POLICYMembers (VM, vNIC) and Context(user identity, security posture)

“Standard Web” Firewall – allow

allow outbound ANY

Services (Firewall, antivirus, IPS etc.) and Profiles (labels representing specific policies)

NSX Security Tags• NSX Security Tags can be used to define IF/THEN workflows for security services, e.g. IF user

selects a “Finance” application, THEN place the VM in the “Finance” security group

INFRASTRUCTURE

APPS

Security Admin

“Finance Policy” IF Tag = Finance

THEN add VM to Security Group “Finance” with Security Policy “Finance”

Step 1: Security Admin pre-defines a Security Group and a Security Policy with dynamic membership based on a Security Tag

“Finance App” Set Tag

“Finance”

Cloud AdminMulti-

Machine Blueprint

Step 2: Cloud Admin creates a Multi- Machine Blueprint which sets a Security Tag. Cloud Admin needs no knowledge of Security Groups or Security Policies.

NSX Security Tags• NSX Security Tags can be used to define IF/THEN workflows for security services, e.g. IF user

selects a “Finance” application, THEN place the VM in the “Finance” security group

INFRASTRUCTURE

APPS

Requests “Finance App”

Service Catalog

Step 3: End-User requests Application via the Service Catalog

Cloud Consumer

Step 4: VM is automatically deployed with its Security Tag

SGW=FiHnaAnc

Te youprotect

Step 5: VM is dynamically assigned to the relevant pre-defined Security Group

w ant to

NSX Application Isolation• Application Isolation provides an optional first level of security. When selected all inbound and

outbound application access is blocked, while inter application traffic is permitted• Component level Security Policies are applied

at a higher precedence to permit selected traffic

Web

App

Database

VM VM

VM VM VM

VM

Web

App

Database

VM VM

VM VM VM

VM

NSX Load Balancing• vRA leverages NSX for both on-demand and pre-created Logical Load Balancing• If an NSX Edge is the default gateway for component VMs, Inline Load Balancing is used

• If the component VMs are connected to a network using the Distributed Logical Router or an External Network then Load Balancing is configured for One-Arm mode

One-Arm Load Balancing

Inline Load Balancing

Web

App

Database

VM VM

VM VM VM

VM

Web

App

Database

VM VM

VM VM VM

VMApplication Level

NSX EdgeDEixstterrinbaulted GaLtoegwicaayl

Router

vCAC Networking and Security Architecture – 6.0 release

vCloud Automation Center

Rest APINSX for vSphere

ESXi

vCenter Server

vSphere API

vCNS Model

Business logic

AMQP

vRA Networking and Security Architecture – 6.1+ release

vRealize Automation

ESXi

vCenter Server

vCenter Orchestrator

NSX vCO Plugin

Rest APINSX

Rest API

vSphere API

NSX Model

Business logic

AMQP

NSX vRealize Orchestrator Plugin

CONFIDENTIAL 25

Benefits• Ability to support multiple product versions (vCNS, NSX)

transparently to vRA• Network and security workflows are decoupled from cloud

management platform, enabling more rapid release and updates/fixes to workflows

• Easier to extend/customize workflows by adding your own logic

• Provide Self Service access to NSX vCO workflows through Advanced Service Designer

• Can also be used standalone without vRA

Note: Initial version of NSX vCO Plugin is limited to functionality required by vRA and is only supported for these out of thebox workflows

Agenda

CONFIDENTIAL 26

1 NSX and vRealize Automation

2 NSX & vRA 6.2 Updates

3 Deployment Considerations

4 Demonstration

5 Q&A

vRO Considerations

1) Install NSX vRO Plugin if using standalone vRO Server

2) Setup Endpoints in vRAvCenter with NSX & vRO

3) NSX endpoint in vRO will automatically be created

4) Manually run vRO workflow to enable support for overlapping subnets

vRA NSX Networking & Security WorkflowsConnect to NSX using vCO REST API

Create App Isolation Security Policy

Create App Isolation Security Group

Assign Policy to Security Group

Create Component Security Group

Assign Policy to Security Group

Create VXLAN Logical Switches

Create NSX Edge Services Gateway

Connect Networks to Logical Routers

Multi Machine Provisioning Multi Machine Destroy

Configure Load Balancing & DHCP Services

Configure Default Gateway/Inject Static Route

Assign Security Tags

Add component machines to Security Groups

Connect to NSX using vCO REST API

Delete Security Groups

Disconnect DLR LIFs

Delete Edge

Delete Static Route

Delete VXLAN Logical Switches

Reclaim IP Addresses or Range

Remove NAT Rules

Remove Load Balancing

Configure Edge Firewall

vRA Data Collection

vRA IaaS

• Data Collection occurs automatically after the endpoints are registered

• By default ‘Network and Security inventory’ Data Collection occurs every 24 hours

• Data Collection frequency can be modified in hours

• Manual Data Collection can also be performed

NSX objects are cached by vRA using vCO inventory. This includes the following items:• Transport Zones• Logical Switches• Edge Gateways/Distributed Logical Routers• Security Tags• Security Groups• Security Policies

VRM Agent -> vCenter

DEM -> vCO -> NSX

Naming Convention for NSX ObjectsThe vRA Multi Machine Service identifier is used within NSX for dynamically created objects:▪ Logical switches “<NetworkNameInMMBP>-<MMS UUID>”▪ Edge gateways “Edge-<MMS UUID>”▪ Security groups “SG-<MMS UUID>”▪ App Isolation Security policy “SG-<NSX Endpoint UUID>”

NSX and vRA Extensibility

31

• The NSX vRealize Orchestrator Plugin covers many common networking & security operations

• vRO also includes a HTTP-REST Plugin which allows the NSX vSphere API to be directly consumed– Allows creation of custom workflows to perform

advanced NSX operations, eg:• Enable Edge HA• Modify Edge sizing• Configure additional LB features• Create NSX Security Groups, Policies or Tags

• vRA WF stubs provide an integrated method of calling these custom vRO workflows at specific points in machine lifecycle

• Allows for additional NSX operations to be inserted transparently within the requests

NSX and vRA Extensibility

32

• You can also use workflows from the NSX plugin as building blocks and augment with custom scriptable tasks/workflows

• FToroCmomSipmlepxle

NSX and vRA Extensibility• In addition the vRealize Automation Advanced Service Designer can be used to run

standalone workflows and Day 2 operations• This provides a method of leveraging vRO workflows and plugins via the vRA Self-

Service Portal

33

NSX and vRA Extensibility• Service Blueprints are created in vRA using inputs/outputs from vRO workflows

• These Service Blueprints can then be published to the vRealize Service Catalog along with other Infrastructure Blueprints

34

Custom Properties• Custom Properties for Networking & Security have been available since vCAC 5.2• Allows pre-created NSX or vCNS resources to be consumed by Component VMs• Importantly, these custom properties apply to Single Machine Blueprints• Custom Properties can be pre-defined, or entered at request time• Available Properties are:

– VCNS.LoadBalancerEdgePool.Names– VCNS.SecurityGroup.Names– VCNS.SecurityTag.Names

Multi-Tier App, Multiple Networks

Multi-Tier App,Single Flat Network

vRealize Automation Application TopologiesSupport for Multiple Network Topologies

Web

App

Database

VM VM

VM VM VM

VM

VM VM VM VM VM

VM

NSX with vRA – On Demand Deployment Model

Provider Logical Router (HA)

ExternalNetworks

• 2 Tiers of Routing– Distributed Logical Router or NSX Edge for

Application Router– NSX Edge for Provider Router

• Dynamic Routing externally• Dynamic Routing (DLR), Static Routing

or NAT internally (Edge)Dynamic Routing

(OSPF, BGP)

Transit Uplink 192.168.10.0/24 (External Network Profile)

Static Route addedautomatically

• On Demand Model istypically used for more dynamic Test/Dev style workloads, particularly when there is a requirement for overlapping IP addresses

Dynamic Routing (OSPF, BGP)

Web LogicalSwitch (Routed)

DB Logical Switch (Routed)

MMS 1Routed

App LS (Routed)

172.16.10.0/29 172.16.10.8/29 172.16.10.16/29

Web Logical Switch (Routed) App LS (Routed) DB LS (Routed)

MMS 2Routed

172.16.20.0/29 172.16.20.8/29 172.16.20.16/29

Web Logical Switch (NAT) App LS (Private) DB LS (Private)

MMS 3NAT & Private

172.16.100.0/24 172.16.101.0/24 172.16.102.0/24

Web Logical Switch (NAT) App LS (Private) DB LS (Private)

MMS 4NAT & Private

172.16.100.0/24 172.16.101.0/24 172.16.102.0/24

Distributed Logical Router

NSX with vRA – Pre Created Deployment Model

Logical Switch 172.16.50.0/24 (External Network) 172.16.60.0/24 (External Network) Logical Switch

Prod Web SG A Prod App SG A Prod DB SG A Dev Web SG A Dev App SG A Dev DB SG A

Dev Web SG B Dev App Dev DBSG B

SG B

Prod Web SG B Prod Prod DB SG BApp SG B

Dynamic Routing (OSPF, BGP)with ECMP

External Networks• 2 Tiers of Routing

– Distributed Logical Router for Application Router

– NSX Edge for Provider Router

• Dynamic Routing• Use existing LS as external

network profiles• One Arm Load Balancing

ondemand

Prod-01 Dev-01

LB LB

LB

DynDaymnaicmRico

Rutoinugting

(OS(OPSFP, BFG,

BPG) P)with ECMP

Transit Uplink192.168.10.0/24(External Network Profile)

Provider LoSgciaclaelOut Provider Router (NSLXog6i.c1a)l Router (NSX 6.1) MMS 1 VMs

MMS 2 VMsMMS 3 VMsMMS 4 VMs

• Pre-Created model is typically used with Production or more static workloads and the application topology is multi-tier on a single network

Distributed Logical RouterLB

Agenda

CONFIDENTIAL 39

1 NSX and vRealize Automation

2 NSX & vRA 6.2 Updates

3 Deployment Considerations

4 Demonstration

5 Q&A

Live Demonstration

Agenda

CONFIDENTIAL 41

1 NSX and vRealize Automation

2 NSX & vRA 6.2 Updates

3 Deployment Considerations

4 Demonstration

5 Q&A

Questions

Please submit your feedback via our mobile app.

Thank YouRay Budavari (@rbudavari) http://www.vmware.com/products/nsx/