VMtalks México: Diving deeper with VMware Cloud: network analysis, native AWS services and use cases
TRANSCRIPT
Confidential │ ©2020 VMware, Inc.
Laura Garro, Sr. Cloud Solutions Architect, 08-2020
VMtalks México: Diving deeper with VMware Cloud: network analysis, native AWS services and use cases
Agenda
• VMC on AWS Networking Overview
• Networking Options
• DEMO
• Internet Access to/from VMC
• Native AWS services connectivity
• DEMO
AWS Global Infrastructure
VMware Cloud™ on AWS: Powered by VMware Cloud Foundation
Diagram: the VMware SDDC (vSphere, vSAN, NSX, vCenter, VMware Cloud Foundation, VMware vRealize Suite) running on the AWS Global Infrastructure alongside native AWS services (Amazon EC2, Amazon S3, Amazon RDS, AWS Direct Connect, AWS IAM, AWS IoT, and more).
• ESXi on Dedicated Hardware
• Support for VMs and Containers
• vSAN on Flash and EBS Storage
• Replication and DR Orchestration
• NSX Spanning on-premises and Cloud
• Advanced Networking & Security Services
Complete solution in the Cloud
Networking Inside the SDDC: Powered by VMware NSX-T
§ Key features from on-premises brought to the cloud
  § Networking
  § Security
§ Scalable and easy to consume networking
§ Simplified Interface
§ API access available
§ Multiple connectivity options
NSX-T Architecture view
Diagram: a Tier 0 edge (Edge Appliance, Edge (2), Ctrl (3)) above two Tier 1 gateways: the MGW for the Management part (vCenter, NSX Manager, ESXi hosts) and the CGW for the Compute part (workload logical segments LS-1 and LS-2 as overlays, Routed Network 1 192.168.1.0/24 and Routed Network 2 172.16.2.0/24). An ENI (25 Gbps) connects the SDDC to the VMware Cloud VPC and the customer's AWS native services (Amazon EC2, Amazon S3, Amazon RDS, AWS IoT). The edge also reaches the Internet and, via VPN and Direct Connect, the on-prem site (default GW, VM) with an L2 Extended Network.
Networking Inside the SDDC – A Closer Look
Edge Router
• All connectivity to workloads flows through the Edge
• Configured for Active/Standby to provide High Availability (HA)
Management Gateway (MGW)
• Management traffic for vCenter, NSX, ESXi hosts, etc.
Compute Gateway (CGW)
• Workload traffic, including network to network
Programmatic route configuration
• No routing protocol overhead
Pervasive security
• Edge firewall
• Distributed firewall
VMware Cloud on AWS Networking Options
VMware Cloud on AWS Data Center Interconnection (over Direct Connect or the Public Internet)
Diagram: the three interconnection options and the example networks each one joins:
  L3 VPN / BGP: 172.16.10.0/24 with 172.16.20.0/24 (BGP over DX, L3 VPN optional)
  L2 VPN: 10.10.10.0/24 with 10.10.10.0/24 (same subnet on both sides)
  HCX: 192.168.10.0/24 with 192.168.10.0/24 (same subnet on both sides)

L3 VPN / BGP
Traditional IPSec VPN Tunnel over Internet or BGP over DX.
Compatible with any on-premises router.
Interconnects two distinct network ranges.

NSX L2 VPN
Stretch networks between private and public cloud.
Requires installation of the NSX Standalone Edge Client on-prem (does not require NSX licensing on-prem).
Easy to configure.

HCX
L2VPN (or L3VPN if there is no requirement to stretch the network), combined with a WAN Optimization engine and vSphere compatibility back to vSphere 5.0.
Best option for bulk migration.
Highly secure (IPSec with AES 256 Suite-B encryption).
Route and Policy Based VPN: Fastest way to get connected and start using VMC
Diagram: the SDDC Edge (with the MGW and CGW, vCenter and NSX behind it) terminating a route-based VPN (BGP) and a policy-based VPN.
Supports any IPSec compliant endpoint
Policy based VPN for simple connectivity requirements
DEMO
Outbound Internet Access via IPSec VPN
Outbound Internet Access with IPSec VPN, Internet breakout on-prem
The on-prem router/firewall will advertise 0.0.0.0/0 to VMC over IPSec.
All traffic from a VMC-VM in VMware Cloud on AWS would be sent (encrypted) over the IPSec VPN (over the AWS IGW) to exit to the Internet through the on-prem Internet FW.
Traffic path highlighted in blue in the slide diagram.

Diagram: VMware Cloud on AWS (vSphere-based SDDC with NSX: compute, storage, network; CGW, MGW, Network A, VMC-VM) connected by IPSec VPN to the On-Premises Data Center (compute, storage, network; router, Internet FW with NAT, Network 172.16.10.0/24, Network 172.16.20.0/24, Public Internet). The on-prem router announces: "Hey VMC - my local networks are 172.16.10.0/24 and 172.16.20.0/24, and I'll also advertise 0.0.0.0/0 so that all Internet-bound traffic goes through the Internet FW."

Additional notes:
Traffic can go via a standard Internet Proxy.
Use the 'route-based' VPN instead of 'policy-based' VPN if possible.
BGP Peering Session (if using route-based VPN).
Outbound Internet Access with IPSec VPN, Internet breakout on AWS
All traffic from a VMC-VM in VMware Cloud on AWS would go through the CGW directly to the AWS Internet gateway and out to the Internet.
Traffic path highlighted in blue in the slide diagram.

Diagram: VMware Cloud on AWS (vSphere-based SDDC with NSX: compute, storage, network; CGW, MGW, Network A, VMC-VM, Public Internet) connected by IPSec VPN to the On-Premises Data Center (compute, storage, network; router, Internet FW with NAT, Network 172.16.10.0/24, Network 172.16.20.0/24, Public Internet). The on-prem router announces only: "Hey VMC - my local networks are 172.16.10.0/24 and 172.16.20.0/24."

Additional notes:
Use the 'route-based' VPN instead of 'policy-based' VPN if possible.
BGP Peering Session (if using route-based VPN).
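As an added example (not from the deck or VMware's own tooling), a small Python model of the Compute Gateway route table in the two outbound scenarios above: longest-prefix matching decides whether a VMC-VM's Internet-bound packet leaves via the AWS Internet gateway or via the route-based VPN, depending on whether the on-prem router also advertises 0.0.0.0/0. The next-hop names, the 192.168.1.0/24 workload segment (taken from the NSX-T slide) and the 203.0.113.10 destination are constructed for illustration; a real SDDC learns the VPN routes through the BGP peering session.

```python
"""Constructed model of the CGW route table for the two outbound scenarios.
Not VMware code: next-hop names and sample addresses are illustrative."""
import ipaddress

# Routes learned over the route-based IPsec VPN from the on-prem router
# (the two on-prem networks used in the slides).
ONPREM_ROUTES = {"172.16.10.0/24": "vpn-onprem", "172.16.20.0/24": "vpn-onprem"}

# Routes local to the SDDC: the workload segment and the AWS IGW default.
SDDC_ROUTES = {"192.168.1.0/24": "cgw-local", "0.0.0.0/0": "aws-igw"}


def build_route_table(breakout_on_prem: bool) -> dict:
    """Return prefix -> next-hop for the CGW.

    breakout_on_prem=True models the first scenario: the on-prem router
    also advertises 0.0.0.0/0 over BGP, so Internet-bound traffic is sent
    encrypted over the VPN to the on-prem Internet firewall.
    breakout_on_prem=False models the second: only the two on-prem
    networks are advertised and the AWS IGW keeps the default route.
    """
    table = dict(SDDC_ROUTES)
    table.update(ONPREM_ROUTES)
    if breakout_on_prem:
        # In this simplified model the BGP-learned default replaces the IGW default.
        table["0.0.0.0/0"] = "vpn-onprem"
    return table


def next_hop(table: dict, dst: str) -> str:
    """Longest-prefix match: the most specific route wins, the default last."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else "unreachable"


if __name__ == "__main__":
    for breakout in (False, True):
        table = build_route_table(breakout)
        for dst in ("203.0.113.10", "172.16.10.7", "192.168.1.10"):
            print(f"breakout on-prem={breakout}: {dst} -> {next_hop(table, dst)}")
```

Note that on-prem-bound traffic (172.16.x.x) takes the VPN in both scenarios; only the public destination changes path, which is the difference the two slides highlight in blue.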
Inbound Internet Access to VMware Cloud on AWS
Inbound Internet Access via on-prem Internet FW
If the customer uses their own public IPs and advertises them to the Internet on-prem, inbound traffic from an Internet user will go through the on-prem Internet FW, where the destination IP will be NATed to the private IP of the VMC-VM and forwarded across DX/VPN to the VMC-VM.

Diagram: VMware Cloud on AWS (vSphere-based SDDC with NSX: compute, storage, network; CGW, MGW, Network A, VMC-VM with its private IP) connected by AWS Direct Connect and IPSec VPN to the On-Premises Data Center (compute, storage, network; router, Internet FW with NAT, Network 172.16.10.0/24, Network 172.16.20.0/24); a user on the Public Internet reaches the public IP advertised on-prem.
Inbound Internet Access via AWS Internet GW
If the customer requests public IPs via the VMC console, they can NAT them to VMs in VMware Cloud on AWS.
Inbound traffic from an Internet user will go through the AWS IGW and the VMC CGW.

Diagram: VMware Cloud on AWS (vSphere-based SDDC with NSX: compute, storage, network; CGW, MGW, Network A, VMC-VM with its private IP, Public Internet) still connected by AWS Direct Connect and IPSec VPN to the On-Premises Data Center (compute, storage, network; router, Internet FW with NAT, Network 172.16.10.0/24, Network 172.16.20.0/24); the user on the Public Internet reaches the public IP requested in the VMC console, which is NATed to the VMC-VM's private IP at the CGW.
VPC = Virtual Private Cloud
Your virtual data center on AWS
Block of IPs that define your network (typically RFC 1918)
Can span multiple AZs
Diagram: Default VPC, VPC CIDR 10.1.0.0/16, spanning Availability Zone A and Availability Zone B.
Native AWS Integration
Diagram: the VMware Cloud on AWS SDDC (vCenter, NSX, MGW, CGW, VMs on EC2 i3 Metal hosts in a VPC subnet) connected through ENIs and a VPC Endpoint to native AWS services (EC2, S3, Dynamo).
• Deploy Hybrid Applications across your VMware SDDC and native AWS services
• Sub-Millisecond latency via AWS Elastic Network Interfaces (ENI) and VPC Endpoints
• No-cost ingress/egress data transfers within the AZ
• Modernise applications by integrating VMware with the breadth of AWS services
Elastic Network Interfaces
DEMO
Thank You