OVHcloud Hosted Private Cloud Platform Network use cases with VMware NSX

Francois Loiseau
Technical Director
@fluatovh
ROOM 5
01.00 PM
Timo Sugliani
Global Cloud Architect
@tsugliani
OVH Hosted Private Cloud
Platform Network use cases
with VMware NSX

OVH Hosted Private Cloud Platform
Network use cases with VMware NSX
In this workshop VMware will provide a quick reminder of the main contributions
of the NSX network virtualization platform: consistent network and security
management, increased application resiliency, rapid migration of workloads to
and from the cloud.
VMware and OVH will then move on to practical cases with implementation of
micro-segmentation, dynamic routing, automatic deployment of an application,
load balancing in the OVH Hosted Private Cloud. This workshop is aimed at a
technical audience
Agenda

Agenda
Ø VMware NSX Overview
Ø Advantages compared to other solutions (Comparison with PFSense appliances)
Ø Switching / Routing (Quick overview)
Ø Network Services (Firewalling, Distributed Firewalling, NAT, LB, VPN, DHCP, etc.)
Ø OVH Private Cloud Computing design & implementation
Ø How is VMware NSX-v & Networking implemented in OVH (vRack, Public routing, etc.)
Ø How to use it ?
Ø DEMOS ! (you can’t trust slides right ?)
Ø Dynamic Routing, Distributed Firewalling, Load Balancing
Ø Fully Automated Network topology
Ø Conclusion & Questions

VMware SDDC – The Most
Comprehensive & Integrated Stack
Software-Defined Data Center
Traditional
Applications
Cloud Native
ApplicationsAPP APP APPAPP APP APP
Compute Virtualization
vSphere
Software Defined Storage
Virtual SAN
Network Virtualization
NSX
Cloud Ops Analytics Chargeback Cloud Automation
vRealize Suite
Cloud Management
Build-Your-Own Converged
Infrastructure
Hyper-Converged
Infrastructure

To deliver a Software Defined Data
Center approach
Software
Hardware
Virtual
Machines
Virtual
Networks
Virtual
Storage
Compute
Capacity
Network
Capacity
Storage
Capacity
Applications
Location Independence
Data Center Virtualization
Pooled compute, network and storage capacity
Vendor independent, best price/performance
Simplified configuration & management
Automated Operational Model
Programmatically Create,
Snapshot,
Store,
Move,
Delete,
Restore

Data Center Networking Evolution to NSX
from a drone’s-eye view

Challenges
!
!
Manual config
No agility
No E-W security
Limited Scale
Bottleneck

NSX Manager
Controller Cluster
Network
Virtualization
Network & Security services
in hypervisor

Network
Virtualization
NSX Manager
Controller Cluster
Switching Routing Load
Balancing
VPN Connectivity
to Physical
Micro-
Segmentation

Cloud Consumption
• Self Service Portal
Data Plane
NSX
Edge
ESXi
Hypervisor Kernel Modules
Distributed Services
• High – Performance Data Plane
• Scale-out Distributed Forwarding Model
Management Plane
NSX Manager
• Single configuration portal
• REST API entry-point
Control Plane
NSX Controller
• Manages Logical networks
• Control-Plane Protocol
• Separation of Control and Data Plane
FirewallDistributed
Logical Router
Logical
Switch
LogicalNetworkPhysical
Network
…
…
NSX Components
13

OVH Private Cloud design & implementation

Edge GW
NSX
ControllersNSX
Manager
Internet
Customer private network
Customer admin network

Construct Network Services in Virtual Layers
18
Provider Peripheral Network Infrastructure
SwitchingRouting Firewalling Load
Balancing
VPN
Decouple Network Services
Decouple Network Services
• Core infrastructure backbone is
agnostic of network demands at the
virtual data centers
• Flexibility of Operations
− Consumer serviced networks
− Defined Micro-segments for
various workloads
Consumer
End Customer Network Infrastructure
Virtual Data Center
VM VM VM
Private Network
(192.168.50.0/24)
VM VM VM
DMZ Network
(192.168.52.0/24)
Virtual Data Center
VM VM VM
Private Network
(192.168.50.0/24)
VM VM VM
DMZ Network
(192.168.52.0/24)
Virtual Data Center
VM VM VM
Private Network
(192.168.50.0/24)
VM VM VM
DMZ Network
(192.168.52.0/24)
Provider

Distributed networking services allow better
performance and modelling
19

NSX vSwitch and NSX Edge
20 |
22
§ NSX vSwitch (VDS)
§ VMkernel Modules
• VXLAN
• Distributed Routing
• Distributed Firewall
• Switch Security
• Message Bus
vSphere NSX Edge Services GWNSX Edge Logical Router
NSX Logical
Router Control VM
§ Control Functions only
§ Dynamic routing and
updates controller
§ Determines active ESXi
host for VXLAN to VLAN
layer 2 bridging
§ ECMP, Dynamic Routing
• BGP & OSPF
§ L3-L7 Services:
• NAT, DHCP, Load Balancer,
VPN, Firewall
§ VM form factor
§ High Availability
NSX vSwitch
ESXi
NSX Edge Services GWVDS
Hypervisor Kernel Modules
(vSphere VIBs)
FirewallLogical RouterVXLAN

NSX Logical Routing Component –
Edge Services Gateway
21
NSX Edge Services
Gateway
VPN
§ On/Off-Ramp connectivity between
logical and physical.
- Optimized for N-S Routing
Static, OSPF, BGP
- Network Services
NAT
Edge Firewall
Load Balancing
VPN (IPSec, L2, SSL VPN)
DHCP
DNS
- Internal, Uplink, Trunk Interfaces

Edge Services Gateway - Sizing
• VM form factor - 4 sizing options
• Edge form factor can be changed after initial
deployments via UI/API
NSX Edge Services
Gateway
Form
Factor
vCPU Memory (MB) Usage
X-Large 6 8192 L7 Load Balancing
*dedicated core affinity for
LB
Quad- Large 4 2048 High throughput ECMP or
High Performance Firewall
Large 2 1024 Small/Medium DC or multi-
tenant
Compact 1 512 Small Deployments, POCs
and single service use
VPN

PFSense vs NSX
Feature NSX PFSense
HA Edge HA 2 Pfsense CARP
NAT
DHCP
Firewall Portgroup Level
VPN point-to-site
VPN site-to-site
Load Balancing
CLI (local)
API Rest (FauxAPI)
VMware WebClient integrated
Firewall vNic level (DFW)
Security Groups
Data Security
SpoofGuard

vSphere Distributed Switch - admin
dvUplink-PG
vSphere Distributed Switch - vrack
dvUplink-PG

dvUplink-PG
dvUplink-PG
Management
OVH BB
VXLAN overlay

dvUplink-PG
dvUplink-PG
Management
OVH BB
VXLAN overlay
OVH DC – 1 – BHS
OVH DC – 2 – LIM
…
OVH DC – X – WW
4000 VLANs

dvUplink-PG
dvUplink-PG
Management
OVH Backbone
VXLAN overlay
OVH DC – 1 – BHS
OVH DC – 2 – LIM
…
VPN
VPN
OVH DC – X – WW
4000 VLANs

VDS and VXLAN
• VXLAN traffic uses a vmknic
which provides VXLAN Virtual
Tunnel End Point (VTEP)
functionality
• A single dvPortGroup per VDS is
created for all VTEPs
• A logical switch is a L2 broadcast
domain implemented using
VXLAN
– A dvPortGroup is created for each
logical switch
– Provides local switching & isolation
• VXLAN logical switches can
also span multiple VDSIP Fabric
Host A
vSphere
Distributed SwitchdvUplink-PG
Logical SW A
VM1
dvPG-VTEP
VXLAN
VTEP

IP Fabric
Host A Host B
vSphere Distributed Switch
Traffic Flow on a VXLAN Backed VDS
31
• In this setup, VM1 and VM2 are on different hosts but belong to the same logical
switch
• When these VMs communicate, a VXLAN overlay is established between the two
hosts
dvUplink-PG
Logical SW A
VM1
dvUplink-PG
dvPG-VTEP
VTEP
dvPG-VTEP
VTEP
VXLAN Overlay
Logical SW A
VM2

Host BHost A
vSphere Distributed Switch
Traffic Flow on a VXLAN Backed VDS
• Assume VM1 sends some traffic to VM2:
dvUplink-PG
Logical SW A
VM1
dvUplink-PG
dvPG-VTEP
VTEP
dvPG-VTEP
VTEP
Logical SW A
VM2L2 frame L2 frame
IP Fabric
VXLAN Overlay
IP/UDP/VXLANL2 frame
VM1 sends L2
frame to local
VTEP
1
VTEP adds VXLAN,
UDP & IP headers2
Physical Transport
Network forwards as
a regular IP packet
3
Destination
Hypervisor VTEP
de-encapsulates
frame
4
L2 frame
delivered to
VM2
5

VM to VM Routed Traffic Flow
NSX Logical Routing: Distributed, Feature-
Rich
33
§ Physical Infrastructure Scale Challenges –
Routing Scale
§ Multi-Tenant Routing Complexity
§ Traffic hair-pins
§ Distributed Routing in Hypervisor
§ Full featured – OSPF, BGP
§ Logical Router per Tenant
Challenges Benefits
L2
L2
Tenant A
Tenant B
L2
L2
L2
Tenant C
L2
L2
L2
CMP

NSX Logical Routing – Topology view
ESX Host A
LIF1 LIF2 LIF3
ESX Host B
LIF1 LIF2 LIF3
ESX Host C
LIF1 LIF2 LIF3
VM1
VM2
Peering
Peering
External
Network
NSX Edge VM
VXLAN 5001
VXLAN 5002
VXLAN 5003
VLAN based network
DLR instance DLR instance DLR instance DLR
VM2
External
VM1
Logical view
Physical view
DLR Control VM

Protocol and Forwarding Addresses
35
Controller
Cluster
Peering
DLR
NSX Mgr
Control VM
DataPath
Forwarding Address
172.16.99.3
172.16.99.2
Protocol Address
172.16.99.1

VLAN 20
Edge Uplink
Physical Routers
NSX ECMP Edges
VXLAN 5020
Transit Link
DLR Instance
Enterprise Routing Topology
36
…
…
E1 E2 E3 E8
DLR Control VMs
Routing peerings
Route updates via controller
Routing
peerings
VXLAN
VLAN
Web1 App1 DB1 WebN AppN DBN
External Network
VM VM VM VM VM VMVM VMVM VM VM VM

Multi Tenant Routing Topology
37
Tenant 9
DLR
Instance 9
Tenant 1
NSX Edge
VXLAN 5021
Transit Link
VXLAN 5029
Transit Link
…
§ Can be deployed by Enterprises, SPs and
hosting companies.
§ Up to 9 tenants (as 10vNICs on the Edge
VM)
§ No support for overlapping IP addresses
between Tenants connected to the same
NSX Edge.
ECMP
Routing peerings
Routing peering
Web1
App1 DB1 Web1 App1 DB1
External Network
DLR
Instance 1
VM VM VM VM VM
VM VM VM
VM VMVM VM

Multi Tenant Routing Topology
NSX Edge
VXLAN Trunk
§ Use of Trunk interface on the NSX Edge (in
addition to Internal and Uplink).
§ Allows up to 200 sub-interfaces on a single
vNIC and establish peering with a separate
DLR instance.
§ Routing protocols are supported over sub-
interfaces.
Routing
peerings
Tenant 1
Tenant
Tenan
Single vNIC
Web1
VM VM VM
App1
VM VM
DB1
VM
External Network
Web1 App1 DB1
VM VM VM VMVM VM

High Scale Multi Tenant Topology – 2-tier
Tenant 1
…
Tenant NSX Edge with
HA NAT/LB features
ECMP NSX Edge X-Large
(Route Aggregation Layer)
ECMP Tenant
NSX Edge
VXLAN Uplinks (or
VXLAN Trunk)
VXLAN Uplinks (or
VXLAN Trunk)
VXLAN 5100
Transit
…
E1 E8
Web1 App1 DB1
VM VM VM VMVM VM
DLR
Instance 9
Web1 App1 DB1
VM VM VM VMVM VM
External Network

Topologies Comparison
Topology Characteristics
Enterprise One DLR for all apps
DFW for VM to VM security
Typically no NAT
ECMP Edges
Multitenant Up to 9 tenants w/o trunk
Up to 200 tenants w/ trunk
DLR per tenant
No overlapping IP
High scale multitenant DLR and Edge per tenant
2-tier of Edges
Tenant IP scheme can overlap
Note: These topologies can be stretched across VC boundaries by using Cross-VC NSX.

Demo – Routing ESG & DLR with BGP
.222
178.33.19.206/28
NSX ESG
NSX DLR
.209
.1
CVM
.2 .3
172.16.99.0/24
VM Network
Internet
192.168.10.0/24
192.168.20.0/24
192.168.30.0/24
.x .x .x
LS-OVHDemo-Web
LS-OVHDemo-App
LS-OVHDemo-Db
Web App DB
LS-TransitNetwork
AS 65542
LS-OVHDemo-BGPSubnet 10.10.42.0/24

Demo – Routing ESG & DLR with BGP
Agenda

Demo – Distributed Firewall
.222
178.33.19.206/28
NSX ESG
NSX DLR
Demo-DFW-02
172.16.60.0/24
.209
.1
CVM
.2 .3
172.16.99.0/24
.11 .12
VM Network
LS-TransitNetwork
LS-OVHDemo-DFW
Internet
Demo-DFW-01
.1
Security Group
- Dynamic Membership
“VM Name”
Contains
“Demo-DFW-”
FW Rule
ICMP Echo/SSH
Allow/Reject/Block

Demo – Distributed Firewall
VIDEO RECORDING

Demo – Load Balancing
.222
178.33.19.206/28
NSX ESG
NSX DLR
Demo-LB-02
172.16.50.0/24
.209
.1
CVM
.2 .3
172.16.99.0/24
.11 .12
VM Network
LS-TransitNetwork
LS-OVHDemo-LB
Internet
Demo-LB-01
.1
LB
1 virtual server
1 Pool with 2 nodes (Demo-LB-01,02)
Both Demo VMs have docker running
with a sample nginx demo application

Demo - Fully Automated Network
Topology
Legacy Networking
NSX Overlay Networking
Web Frontend
172.16.250.0/24
10.0.1.0/24
vSphereDSwitch-NSXVMNetwork
Internet/WAN*
Edge Gateway
Services
10.0.2.0/24
10.0.3.0/24
Distributed
Logical Router
OSPF
Dynamic Routing
Control VM
10.0.3.1110.0.2.1110.0.1.11
Internal LIFs
10.0.1.1
10.0.2.1
10.0.3.1
172.16.250.2
172.16.250.1
172.16.250.3
178.33.19.222
Control Data
Network
Data
Optimized East/West
Traffic within the
scope of the NSX
Transport Zone
178.33.19.206/28
178.33.19.216
App Server DB Server

Demo - Fully Automated Network
Topology
VIDEO RECORDING
Agenda

OVHcloud Hosted Private Cloud Platform Network use cases with VMware NSX

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to OVHcloud Hosted Private Cloud Platform Network use cases with VMware NSX

Similar to OVHcloud Hosted Private Cloud Platform Network use cases with VMware NSX (20)

More from OVHcloud

More from OVHcloud (20)

Recently uploaded

Recently uploaded (20)

OVHcloud Hosted Private Cloud Platform Network use cases with VMware NSX