2. Student Guide & Internal & Confidential Update Daily
https://goo.gl/VVmVZ0
• vRealize Air – NEW Cloud Management SaaS Offerings: http://ouo.io/6TMPF
• How to Help Customers Install, Deploy and Migrate to the vRealize Operations Manager 6.0 (formerly vCOps): http://ouo.io/1pL8wo
• Showing Costs Back in the Virtualized Environment: vRealize Business Standard Proof of Concept (formerly ITBM): http://ouo.io/30TzE
• vRealize Cloud Management Portfolio Overview and Glimpse into the Future: http://ouo.io/OpLGQB
• vRealize Suite: VMware’s vRealize Cloud Management Platform: http://ouo.io/t5n5MO
• vRealize Automation (formerly vCAC) and NSX: Automating Networking & Security Infrastructure: http://ouo.io/CyCXv
• Journey of the Deal: Best Practices from a VMware Cloud Management Partner: http://ouo.io/vBVQdO
• The Practical Path to NSX and Network Virtualization: http://ouo.io/47hme
• Why an SDDC Approach with NSX is Better for Your Channel Business: http://ouo.io/1hY4l
4. Why NSX?
Support for Detailed, Programmable Application Topologies
[Diagram: three-tier application (Web, App and Database VMs) built from Logical Switching, Routing, Firewall and Load Balancing, with each tier's Security Group mapped to a Security Policy]
• “Standard Web”: Firewall – allow inbound HTTP/S, allow outbound ANY; IPS – prevent DoS attacks, enforce acceptable use
• “Standard App”: Firewall – allow inbound TCP 8443, allow outbound SQL
• “Standard Database”: Firewall – allow inbound SQL; Vulnerability Management – weekly scan
• “Default”: Firewall – access shared services (DNS, AD); Anti-Virus – scan daily
5. NSX with vRealize Automation
Dynamic Configuration and Deployment of NSX Logical Services
On Demand Application Delivery
[Diagram: vRealize Automation (Cloud Management Platform) – Service Catalog, Resource Reservation, Multi-Machine Blueprint, Network Profiles, Security Policies, Security Groups – driving the NSX Logical Switch, Logical Router, Logical Firewall and Logical Load Balancer for a Web/App/Database application]
6. NSX Use Case – Self Service IT
[Diagram: the Cloud Consumer submits a Service Request from the Service Catalog; the Cloud Admin publishes Multi-Machine Blueprints with SLA, Cost Profile, Security and Networking; Standardized Templates are supplied by the Network Admin (External Networks, Network Profiles – CONNECTIVITY), the Load Balancer Admin (Logical Load Balancer – AVAILABILITY) and the Security Admin (Security Tags, Security Groups, Security Policies – SECURITY)]
7. NSX Use Case – On Demand Micro-Segmentation
[Diagram: Web/App/Database VMs on a PRIVATE network with no external connectivity, shown at three levels: Isolation (no communication path), Segmentation (controlled communication path) and Advanced Services (communication path passing through advanced services)]
9. Feature Overview – NSX & vRealize Automation 6.2
Connectivity
• Network Profiles for On-Demand Network Creation
  – Define Routed, NAT and Private network profiles based on application topology
  – Connect to pre-created External networks
• NSX Distributed Logical Router (DLR) Support
  – Optimize east-west traffic by connecting On-Demand Logical Switches to a pre-created DLR
• All On-Demand Edges use NSX 6.1 version
Security
• App Isolation
  – Automatic creation of a security group per app with a default policy to permit traffic between tiers and block all inbound/outbound traffic
• On Demand creation of Security Groups based on Security Policies
  – Select pre-defined NSX security policies which apply to security groups for component VMs
  – Allows self-service consumption of DFW Rules, AV, DLP, IDS/IPS, Vulnerability Mgmt
• Security Tags
  – Select a pre-defined NSX security tag which is applied to VMs and used to dynamically place workloads in security groups
Availability
• On-demand Load Balancer in One-Armed Mode or Inline Mode
  – NSX Load Balancing configuration used
Extensibility
• Business Logic moved to NSX vCO Plugin
[Diagram: Web/App/Database VMs]
10. NSX Distributed Logical Router
• Optimized routing for East/West traffic directly at the source Hypervisor, distributed across all Hosts
• No virtual appliance required for Routing
• Dynamic Routing available (OSPF and BGP)
• Previously Distributed Logical Routing could only be leveraged on External Networks
• The Network Admin will configure a pre-defined Distributed Logical Router that can then be shared by multiple networks provisioned on-demand by vRA
• Scales up to 1000 logical interfaces!
[Diagram: several Web/App/Database applications connected to one NSX Distributed Logical Router, which uplinks to an Edge Gateway]
11. vRA Routed Gateways
• Blueprint with routed network profile must use a routed gateway to talk to external networks
• Routed gateway is defined at the Reservation level for routed and external profiles
• One gateway only per External Network Profile
• Determines whether Distributed Logical Router or NSX Edge Gateway will be used by a Routed Network Profile
[Diagram: Routed Gateway = NSX Edge (Application Level NSX Edge, static route added) versus Routed Gateway = Distributed Logical Router (networks directly connected), each fronting Web/App/Database VMs]
12. NSX Security Groups & Security Policies
• End-Users and Cloud Admins are able to select pre-defined security policies already approved by the Security Admin in NSX
• Security policies are applied to one or more security groups where workloads are members
• These security groups are created on-demand by vRA at deployment time
SECURITY GROUP – WHAT you want to protect: Members (VM, vNIC) and Context (user identity, security posture)
SECURITY POLICY – HOW you want to protect: Services (Firewall, antivirus, IPS etc.) and Profiles (labels representing specific policies), e.g. “Standard Web”: Firewall – allow inbound HTTP/S, allow outbound ANY; IPS – prevent DOS attacks, enforce acceptable use
13. NSX Security Tags
• NSX Security Tags can be used to define IF/THEN workflows for security services, e.g. IF user selects a “Finance” application, THEN place the VM in the “Finance” security group
Step 1 (INFRASTRUCTURE): Security Admin pre-defines a Security Group and a Security Policy with dynamic membership based on a Security Tag – “Finance Policy”: IF Tag = Finance THEN add VM to Security Group “Finance” with Security Policy “Finance”
Step 2 (APPS): Cloud Admin creates a Multi-Machine Blueprint (“Finance App”) which sets the Security Tag “Finance”. Cloud Admin needs no knowledge of Security Groups or Security Policies.
14. NSX Security Tags
Step 3 (APPS): End-User (Cloud Consumer) requests the “Finance App” application via the Service Catalog
Step 4: VM is automatically deployed with its Security Tag = Finance
Step 5: VM is dynamically assigned to the relevant pre-defined Security Group (INFRASTRUCTURE: WHAT you want to protect)
15. NSX Application Isolation
• Application Isolation provides an optional first level of security. When selected, all inbound and outbound application access is blocked, while traffic between the application's tiers is permitted
• Component level Security Policies are applied at a higher precedence to permit selected traffic
[Diagram: Web/App/Database VMs shown without and with Application Isolation]
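The precedence model on this slide, as an added illustration (not code from the deck or from NSX): component policies are evaluated before the app isolation policy, so "Standard Web" can open HTTPS while isolation still blocks everything else in and out. The security group names, VM names and rule sets are constructed for the example.

```python
from dataclasses import dataclass

# Constructed model of the precedence described on the slide: the app
# isolation policy (lowest precedence) blocks traffic crossing the
# application boundary, component-level policies (higher precedence)
# permit selected flows. Illustration only, not NSX's rule engine.

@dataclass(frozen=True)
class Rule:
    name: str
    src: str      # security group name or "ANY"
    dst: str      # security group name or "ANY"
    service: str  # e.g. "HTTPS", "TCP/8443", "SQL", "ANY"
    action: str   # "allow" or "block"

# Hypothetical membership, as vRA would create it: one SG per component
# plus one app-isolation SG holding every VM of the multi-machine service.
SG_MEMBERS = {
    "SG-web": {"web-01", "web-02"},
    "SG-app": {"app-01"},
    "SG-db": {"db-01"},
}
APP_SG = "SG-app-isolation"
SG_MEMBERS[APP_SG] = set().union(*SG_MEMBERS.values())

# Component policies, highest precedence first (mirrors "Standard Web",
# "Standard App" and "Standard Database" from the Why NSX? slide).
COMPONENT_RULES = [
    Rule("Standard Web inbound", "ANY", "SG-web", "HTTPS", "allow"),
    Rule("Standard App inbound", "SG-web", "SG-app", "TCP/8443", "allow"),
    Rule("Standard DB inbound", "SG-app", "SG-db", "SQL", "allow"),
]
# App isolation policy: allow between tiers, block everything else in/out.
ISOLATION_RULES = [
    Rule("Isolation intra-app", APP_SG, APP_SG, "ANY", "allow"),
    Rule("Isolation inbound", "ANY", APP_SG, "ANY", "block"),
    Rule("Isolation outbound", APP_SG, "ANY", "ANY", "block"),
]

def _member(vm, sg):
    return sg == "ANY" or vm in SG_MEMBERS.get(sg, set())

def evaluate(src_vm, dst_vm, service, rules=COMPONENT_RULES + ISOLATION_RULES):
    """Return (action, rule name) for the first rule matching the flow."""
    for r in rules:
        if (_member(src_vm, r.src) and _member(dst_vm, r.dst)
                and r.service in (service, "ANY")):
            return r.action, r.name
    return "allow", "default"  # no policy matched (flow outside the app)
```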
16. NSX Load Balancing
• vRA leverages NSX for both on-demand and pre-created Logical Load Balancing
• If an NSX Edge is the default gateway for component VMs, Inline Load Balancing is used
• If the component VMs are connected to a network using the Distributed Logical Router or an External Network then Load Balancing is configured for One-Arm mode
[Diagram: Inline Load Balancing behind an Application Level NSX Edge versus One-Arm Load Balancing alongside a Distributed Logical Router / External Gateway, each serving Web/App/Database VMs]
17. vCAC Networking and Security Architecture – 6.0 release
[Diagram: vCloud Automation Center (vCNS Model, Business logic) calls NSX for vSphere over the REST API and vCenter Server/ESXi over the vSphere API; AMQP messaging between components]
18. vRA Networking and Security Architecture – 6.1+ release
[Diagram: vRealize Automation calls vCenter Orchestrator over the REST API; the NSX vCO Plugin (NSX Model, Business logic) calls NSX over the REST API; vRA reaches vCenter Server/ESXi over the vSphere API; AMQP messaging between components]
19. NSX vRealize Orchestrator Plugin
Benefits
• Ability to support multiple product versions (vCNS, NSX) transparently to vRA
• Network and security workflows are decoupled from the cloud management platform, enabling more rapid release and updates/fixes to workflows
• Easier to extend/customize workflows by adding your own logic
• Provide Self Service access to NSX vCO workflows through Advanced Service Designer
• Can also be used standalone without vRA
Note: Initial version of NSX vCO Plugin is limited to functionality required by vRA and is only supported for these out of the box workflows
21. vRO Considerations
1) Install NSX vRO Plugin if using standalone vRO Server
2) Setup Endpoints in vRA (vCenter with NSX & vRO)
3) NSX endpoint in vRO will automatically be created
4) Manually run vRO workflow to enable support for overlapping subnets
22. vRA NSX Networking & Security Workflows
Multi Machine Provisioning:
• Connect to NSX using vCO REST API
• Create App Isolation Security Policy
• Create App Isolation Security Group
• Assign Policy to Security Group
• Create Component Security Group
• Assign Policy to Security Group
• Create VXLAN Logical Switches
• Create NSX Edge Services Gateway
• Connect Networks to Logical Routers
• Configure Load Balancing & DHCP Services
• Configure Default Gateway/Inject Static Route
• Configure Edge Firewall
• Assign Security Tags
• Add component machines to Security Groups
Multi Machine Destroy:
• Connect to NSX using vCO REST API
• Delete Security Groups
• Disconnect DLR LIFs
• Delete Edge
• Delete Static Route
• Delete VXLAN Logical Switches
• Reclaim IP Addresses or Range
• Remove NAT Rules
• Remove Load Balancing
23. vRA Data Collection
vRA IaaS
• Data Collection occurs automatically after the endpoints are registered
• By default ‘Network and Security inventory’ Data Collection occurs every 24 hours
• Data Collection frequency can be modified in hours
• Manual Data Collection can also be performed
NSX objects are cached by vRA using vCO inventory. This includes the following items:
• Transport Zones
• Logical Switches
• Edge Gateways/Distributed Logical Routers
• Security Tags
• Security Groups
• Security Policies
Collection paths: VRM Agent -> vCenter; DEM -> vCO -> NSX
24. Naming Convention for NSX Objects
The vRA Multi Machine Service identifier is used within NSX for dynamically created objects:
▪ Logical switches “<NetworkNameInMMBP>-<MMS UUID>”
▪ Edge gateways “Edge-<MMS UUID>”
▪ Security groups “SG-<MMS UUID>”
▪ App Isolation Security policy “SG-<NSX Endpoint UUID>”
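Because every on-demand object carries the MMS UUID in its name, an NSX inventory export can be correlated back to vRA deployments; objects whose UUID no longer matches a live Multi-Machine Service are leftovers from a failed destroy workflow. The following is an added example (not vRA or NSX code) that applies the naming convention above to a constructed inventory; all UUIDs and names are made up.

```python
import re

# Constructed sample inventory (object type, NSX object name); UUIDs are
# hypothetical. MMS_B has already been destroyed in vRA.
MMS_A = "3f1c2b7e-9a4d-4e8b-8c21-0d5e6f7a8b9c"
MMS_B = "a1b2c3d4-e5f6-4a7b-8c9d-0e1f2a3b4c5d"
ENDPOINT = "0f0e0d0c-0b0a-4908-8706-050403020100"

NSX_INVENTORY = [
    ("logicalswitch", f"Web-{MMS_A}"),
    ("logicalswitch", f"App-Tier-{MMS_A}"),  # network name may contain '-'
    ("edge", f"Edge-{MMS_A}"),
    ("securitygroup", f"SG-{MMS_A}"),
    ("securitygroup", f"SG-{MMS_B}"),        # left behind by a failed destroy
    ("logicalswitch", f"DB-{MMS_B}"),        # left behind by a failed destroy
    ("securitypolicy", f"SG-{ENDPOINT}"),    # app isolation policy, per endpoint
    ("securitygroup", "Prod-Web-SG"),        # pre-created by the Security Admin
]
ACTIVE_MMS = {MMS_A}
KNOWN_ENDPOINTS = {ENDPOINT}

UUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
# One pattern per object type, taken from the naming convention above.
PATTERNS = {
    "logicalswitch": re.compile(rf"^(?P<net>.+)-(?P<uuid>{UUID})$", re.I),
    "edge": re.compile(rf"^Edge-(?P<uuid>{UUID})$", re.I),
    "securitygroup": re.compile(rf"^SG-(?P<uuid>{UUID})$", re.I),
    "securitypolicy": re.compile(rf"^SG-(?P<uuid>{UUID})$", re.I),
}

def classify(obj_type, name):
    """Return ("mms", uuid), ("endpoint", uuid) or ("static", None)."""
    m = PATTERNS[obj_type].match(name)
    if not m:
        return "static", None  # not vRA-named: pre-created object
    if obj_type == "securitypolicy":
        return "endpoint", m.group("uuid").lower()
    return "mms", m.group("uuid").lower()

def find_orphans(inventory, active_mms, endpoints):
    """Names of vRA-created objects whose owner no longer exists."""
    orphans = []
    for obj_type, name in inventory:
        kind, owner = classify(obj_type, name)
        if kind == "mms" and owner not in active_mms:
            orphans.append(name)
        elif kind == "endpoint" and owner not in endpoints:
            orphans.append(name)
    return orphans
```

Orphaned security groups matter beyond tidiness: a stale SG still carries its policy, so workloads re-tagged into it later inherit rules nobody is maintaining.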
25. NSX and vRA Extensibility
• The NSX vRealize Orchestrator Plugin covers many common networking & security operations
• vRO also includes a HTTP-REST Plugin which allows the NSX vSphere API to be directly consumed
  – Allows creation of custom workflows to perform advanced NSX operations, eg:
    • Enable Edge HA
    • Modify Edge sizing
    • Configure additional LB features
    • Create NSX Security Groups, Policies or Tags
• vRA WF stubs provide an integrated method of calling these custom vRO workflows at specific points in the machine lifecycle
• Allows for additional NSX operations to be inserted transparently within the requests
26. NSX and vRA Extensibility
• You can also use workflows from the NSX plugin as building blocks and augment with custom scriptable tasks/workflows
• From Simple to Complex
27. NSX and vRA Extensibility
• In addition the vRealize Automation Advanced Service Designer can be used to run standalone workflows and Day 2 operations
• This provides a method of leveraging vRO workflows and plugins via the vRA Self-Service Portal
28. NSX and vRA Extensibility
• Service Blueprints are created in vRA using inputs/outputs from vRO workflows
• These Service Blueprints can then be published to the vRealize Service Catalog along with other Infrastructure Blueprints
29. Custom Properties
• Custom Properties for Networking & Security have been available since vCAC 5.2
• Allows pre-created NSX or vCNS resources to be consumed by Component VMs
• Importantly, these custom properties apply to Single Machine Blueprints
• Custom Properties can be pre-defined, or entered at request time
• Available Properties are:
– VCNS.LoadBalancerEdgePool.Names
– VCNS.SecurityGroup.Names
– VCNS.SecurityTag.Names
30. vRealize Automation Application Topologies
Support for Multiple Network Topologies
[Diagram: Multi-Tier App, Multiple Networks (Web, App and Database VMs each on their own network) versus Multi-Tier App, Single Flat Network (all VMs on one network)]
31. NSX with vRA – On Demand Deployment Model
• 2 Tiers of Routing
  – Distributed Logical Router or NSX Edge for Application Router
  – NSX Edge for Provider Router
• Dynamic Routing externally
• Dynamic Routing (DLR), Static Routing or NAT internally (Edge)
• On Demand Model is typically used for more dynamic Test/Dev style workloads, particularly when there is a requirement for overlapping IP addresses
[Diagram: Provider Logical Router (HA) with Dynamic Routing (OSPF, BGP) towards the External Networks; Transit Uplink 192.168.10.0/24 (External Network Profile), static route added automatically; application routing by a Distributed Logical Router or NSX Edge for four multi-machine services:]
  – MMS 1 (Routed): Web Logical Switch 172.16.10.0/29, App LS 172.16.10.8/29, DB LS 172.16.10.16/29
  – MMS 2 (Routed): Web Logical Switch 172.16.20.0/29, App LS 172.16.20.8/29, DB LS 172.16.20.16/29
  – MMS 3 (NAT & Private): Web Logical Switch (NAT) 172.16.100.0/24, App LS (Private) 172.16.101.0/24, DB LS (Private) 172.16.102.0/24
  – MMS 4 (NAT & Private): Web Logical Switch (NAT) 172.16.100.0/24, App LS (Private) 172.16.101.0/24, DB LS (Private) 172.16.102.0/24 (same ranges as MMS 3, overlapping behind NAT)
32. NSX with vRA – Pre Created Deployment Model
• 2 Tiers of Routing
  – Distributed Logical Router for Application Router
  – NSX Edge for Provider Router
• Dynamic Routing
• Use existing LS as external network profiles
• One Arm Load Balancing on demand
• Pre-Created model is typically used with Production or more static workloads and the application topology is multi-tier on a single network
[Diagram: Scale-Out Provider Logical Router (NSX 6.1) with Dynamic Routing (OSPF, BGP) with ECMP towards the External Networks; Transit Uplink 192.168.10.0/24 (External Network Profile); Distributed Logical Router connecting the pre-created Logical Switches Prod-01 172.16.50.0/24 (External Network) and Dev-01 172.16.60.0/24 (External Network); the VMs of MMS 1–4 are placed in pre-created security groups (Prod Web/App/DB SG A and SG B, Dev Web/App/DB SG A and SG B) and served by one-arm load balancers (LB)]