NET5270

Virtualized Network Services Model

with VMware NSX
Arun Goel, VMware
Serge Maskalik, VMware

#NET5270

Agenda
Introduction
NSX Edge Gateway
Routing & Firewalling
LB
VPN

Scale & Operations

vCloud Hybrid Service Deployment

Introduction

What is this session about?

VMware vCD

VMware vCAC
NSX API

NSX Controller & NSX Manager

L3 Gateway

L2 Gateway

VM

VM

ADC/LB

VM

VM

VM

Endpoint
Security

VM

KVM XEN Hyper-V

VMware vSphere

Any Network Hardware

NSX
Edge
Firewall
GatewayVPN

Drivers Cloud Scale and Agility

Cloud requires Automation
Rapidly provision at any point in network
Self-Service with tenant isolation
Automation needs ability to Reproduce
Build for machines Rest APIs not CLI

Standard Hardware x86 not ASICs

Replication needs Simplification
Simple feature set cloud use cases with High Availability & Performance
Single Management Plane simplify operations

Simplify, Reproduce and Automate to achieve Cloud Scale

5

Use Cases
External
Networks
L2 VPN
BGP
L2 Bridge
Perimeter NSX Edge
(HA, FW, NAT, VPN, LB Services)

Bridged
VLAN

VM
OSPF

Bridged Logical
Switch

Management
VLAN

Transit
Logical Switch

VM
Logical Distributed Router

LB

Web

App

DB

Web
6

App

DB

The Services Journey

Mainstream2
Early
Majority1
Early
Adopters

2011

Innovators

Enhanced FW
Basic LB
Basic VPN
Basic NAT

2010
Baseline
FW/Router

Science
Fiction
7

1
2

Bundled with vCloud Suites

Fortune 50 in Production

2013
2012
Enterprise Grade
Firewall
L7 LB
SSL VPN
Advanced NAT
Static Routing
Compliance
Certifications
IPSec VPN H/W
Accel

LB Scale,
Performance, SSL,
L7++
10G Firewall
L2VPN
Dynamic Routing
OSPF, BGP, IS-IS
IPv6

NSX Edge Gateway

Best of Breed

Multi-tenant/multi-context
Optimal placement
Run-time re-balancing
Perpetual redundancy
Advanced resource isolation
Scalable MGMT 2500 multi-tenant instances

Edge Gateway Highlights

AES256 2Gb/s, 100k CPS FW/NAT/LB, 10Gb/s+ per
tenant
512 Edge contexts per node maximum X nodes in rack
960Gb/s encryption & 300 Gb/s FW/NAT/LB per rack
Reasonable way to get to 500M concurrent connections
State-of-the-art resource/perf isolation via vSphere
Best placement, dynamic balancing, 1+1 redundancy

NSX Edge Gateway

NSX Edge Gateway: Cloud ready integrated network services

Firewall

Overview

Load Balancer

Integrated L3 L7 services from

VMware

VPN
Routing
L2/L3
Gateway

L2/L3 Gateway

Virtual appliance model to allows

cloud agility and scale-out
Benefits
Real time service instantiation

VM

VM

VM

VM

VM

Support for dynamic service

differentiation per
tenant/application
Uses x86 compute capacity

10

Logical Firewall/Routing
Features
Tenant A

OSPF/eBGP/iBGP/IS-IS

Tenant B
L2
L2
L2

Tenant C
L2

L2

L2

Virtualization and identity

context firewall

L2
L2

Scale & Performance

Remove hairpins and
bottlenecks

Attend following sessions for more details:

SEC 5293
SEC 5294
NET 5266

11

Line rate performance with

distributed scale out
architecture
Use Cases
Create on demand networks to
speed up application
provisioning

Logical Firewall

VApp

Deny

Allow
WebServer

VApp Network

12

AppServer

DbServer

Logical Firewall

VApp

Deny

Allow
WebServer

VApp Network

13

AppServer

DbServer

14

Logical Load Balancing

Features

Web 1

Web 2

Web 3

TCP, HTTP, HTTPS with Stateful HA

Multiple Virtual IPs each with separate
server pool and configurations
Multiple load balancing algorithms
Multiple Session Persistence methods
Configurable health checks
Application Rules
SSL Termination with Certificate
Management
Transparent/Full Proxy Mode
IPv6
Scale & Performance
10Gb/s throughput
50,000 CPS
1M Concurrent Connections
Use Cases
Per Tenant Cloud LB
Dynamic VIP for applications

15

Logical Load Balancing

vApp

Load Balancer

WebServer-1

WebServer-2

Routed or Direct vApp Network

Request

16

Logical Load Balancing

vApp

WebServer-1

WebServer-2

Isolated vApp Network

Load Balancer on
regular Edge

VDC Network

17

Request

18

Logical User (SSL) and Site 2 Site (IPSec) VPN

Features

Internet/
WAN

Interoperable IPsec tested with major

vendors
Clients on all major OS (Win, Apple,
Linux)
Remote Authentication via Active
Directory, RSA Secure ID, LDAP,
Radius
TCP Acceleration
Encryption 3DES, AES128, AES256
AESNI H/W Offload
NAT & Perimeter Firewall Traversal
Scale and Performance

Internet/
WAN

High Performance AES-NI

acceleration
2 Gb/s throughput per tenant
Use Cases
Cloud to Corporate
Cloud On-boarding
Remote Office/Branch Office
Remote Management

19

Logical L2 VPN
Features

VM

VM

SSL-based
Web-proxy Support
L2 Bridge to Cloud
Broadcast support

VM

Scale & Performance

High Performance AES-NI
acceleration
2 Gb/s throughput per tenant
Internet/
WAN

Public
Cloud

Use Cases
Cloud On-boarding
Cloud Bursting

20

21

So What?
External
Networks
L2 VPN
BGP

Management
VLAN

VM

22

So What?
External
Networks

Simplify, Replicate and Automate to achieve Cloud Scale

23

NSX Integrated Partners

VMware vCD

VMware vCAC

NSX API
NSX Controller & NSX Manager
Partner Extensions

Security Services

L2 Gateway

24

ADC/LB

Firewall

IDS/IPS

AV/FIM

Vulnerability
Management

Scale and Operations

25

NSX Edge Gateway Line-rate Performance

Test: using HTTP1.1, 10 requests/session fetching 200KB web page @ 7000 CPS
H/W: HP DL380 G8, Intel E5-2690 2.9 Ghz 8-core x 2 sockets, Intel 82599 (Niantic)
Config: HA on, 366 NAT/FW rules, one uplink, one downlink vNIC

26

Operations

Load Balancer
Firewall

Centralized Management for 2000

appliances

CLI for the humans

27

Analytics using
VCOPs

Syslog

Edge Operations in vCops

28

vCHS

29

About vCloud Hybrid Service (vCHS)

Goals

Support of Thousands of Tenants

The New Role for IT: IT as
a Service

Virtual Workspace

Manage access to services, applications and data for any

device

Scalable Physical Hardware

Plan for capacity growth
Traffic flows
Data usage

Private
Clouds

Public
Clouds

Hybrid Cloud

Seamlessly extend your data center to the public cloud

Elastic Design (SDDC, SDN)

Minimize dependencies on proprietary hardware
Use high bandwidth connections

Software-Defined Data Center

Virtualize the entire data center

Management and Automation

Storage and
Availability

Compute

Network and
Security

Exploit Vmwares software intelligence to deliver a

complete SDDC

Objectives

Maximize cost effectiveness

Maximize hardware utilization
30

vCHS Edge

Why Edge?
Evaluated leading Hardware and Software vendors to build the service
Edge was the only multiservice device that can be rapidly deployed, meet
scalability needs and integrate with vCD and vSphere

Features Deployed (vCNS 5.1)

Firewall
Distributed
scale of
Rules

31

Load
Balancing
Web
Server LB
Dynamic
Per Tenant

VPN
IPSEC
Tunnel
SSL VPN
DCE L2
VPN

L3 Gateway
Static
Routes
Default
Gateway

Looking forward NSX what are we excited about?

Performance and Scalability increases for Firewall, Load Balancer,

Router and VPN

Dynamic routing Support for BGP

Layer 7 Load balancing SSL Termination

32

Questions?
To get complete understanding of NSX Optimized for
vSphere checkout
Network Virtualization
NET5266 - Network Virtualization for vSphere environments with VMware NSX

Integrating 3rd Party Services in NSX

NET5522: NSX Extensibility: Network and Security Services from 3rd-Party Vendors

NSX Operations and Troubleshooting (Advanced Technical)

NET5790: Operational Best Practices for NSX in VMware Environments
NET5654: Troubleshooting VXLAN and Network Services in a Virtualized Environment

33

THANK YOU

NET5270
Virtualized Network Services Model
with VMware NSX
Arun Goel, VMware
Serge Maskalik, VMware

#NET5270