Distributed Networking and Security Services: Deep Dive · 2019-06-27


© 2014 VMware Inc. All rights reserved.

NET1932

Anirban Sengupta, Sr. Director, NSX; Jayant Jain, Architect, NSX. August 2017

Distributed Networking and Security Services: Deep Dive

VMworld 2017 Content: Not for publication or distribution

Disclaimer

• This presentation may contain product features that are currently under development.
• This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.
• Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.
• Technical feasibility and market demand will affect final delivery.
• Pricing and packaging for any new technologies or features discussed or presented have not been determined.

#NET1932 CONFIDENTIAL


Agenda

1 Introduction

2 Distributed Service Architecture

3 Distributed Services in NSX

4 Architecture Deep Dive

5 Demo

6 Q&A


Introduction

Increased Application Complexity

• Applications are becoming larger and more distributed
• From the tiered application model to microservices and containers


Deployment Agility

• Application owners expect faster deployment from IT
• Lines of business (LOBs) expect automated, self-service deployment to support CI/CD


Advanced Security

• Attackers have become highly funded, sophisticated and resourceful
• Attacks are oriented towards lateral movement and privilege escalation inside the data center rather than towards the perimeter, so a perimeter-only firewall never sees them


Distributed Service Architecture

Traditional Data Center Design

• Services live in the data center aggregation layer
• Optimized for north/south (N/S) traffic
• Most traffic today is east/west (E/W)
• E/W traffic must hairpin up to the aggregation layer to be serviced
• Difficult to automate
• Uncertain performance and capacity provisioning
• Unfriendly to application mobility


Virtual Appliance based Services

(Diagram: App, DMZ, Services and DB networks, each carrying Finance, HR and IT workloads; internal services (AD, NTP, DHCP, DNS, CERT) and perimeter services are delivered by virtual appliances that the traffic has to traverse.)

• Deployment complexity
• Topology dependency
• Performance bottleneck
• Appliance management
• Harder to change security policy


Distributed Services

(Diagram: the same App, DMZ, Services and DB networks with Finance, HR and IT workloads, but the internal services (AD, NTP, DHCP, DNS, CERT) and perimeter services are enforced in the hypervisor next to each workload instead of in appliances.)

• Omnipresent
• Topology agnostic
• Full automation
• Easier operations
• No appliance management
• Zero trust isolation
• Linear scalability


Omnipresent and Topology Agnostic

(Diagram: App, DMZ, Services and DB VLANs behind a perimeter firewall and an inside firewall, each VLAN carrying Finance, HR and IT workloads plus the AD, NTP, DHCP, DNS and CERT services; the distributed services sit at every workload regardless of which VLAN or firewall zone it is in.)

• Distributed services are deployed everywhere and can be enforced anywhere, irrespective of application architecture and network connectivity.
• Configuration is added and removed together with each application, as needed.


Full Automation and Easier Operations

• Software-defined services can be driven entirely by automation, which increases agility.
• Distributed services minimize deployment and capacity-planning challenges.
• No appliance to deploy and manage.


Zero Trust Isolation and Enforcement

• The Distributed Firewall makes zero trust isolation feasible: every VM can be isolated from every other VM, including neighbours on the same L2 segment, without hairpinning traffic to a perimeter firewall.
• Because firewall enforcement happens at the vNIC, any security policy is easy to enforce; it does not depend on where the VM sits relative to the Internet-facing perimeter.


Capacity On Demand and Line Rate Performance

• Service capacity scales linearly with the applications, since every host brings its own enforcement capacity; provisioning and management overhead is minimal.
• Fewer network hops, so forwarding is far more efficient than hairpinning through an appliance.


Distributed Services in NSX

VMware NSX Functional Overview

(Diagram: Management Plane: NSX Manager, exposing the API and configuration, consumed by the UI and a cloud management platform (CMP). Control Plane: NSX Controller, holding run-time state. Data Plane, on each vSphere host: Logical Switch, Distributed Logical Router, Edge Services Gateway, Distributed Firewall (DFW), Distributed Load Balancer, Distributed Network Encryption (DNE). Operations: UI, logs and statistics.)


Distributed Routing


Micro Segmentation with Distributed Firewall

• L4 Distributed Firewall facilitating micro-segmentation of the data center
• Rules based on vCenter entities, IP sets and VMs, with flexible service definitions and IPv6 support

Src/Dst
- IP address / IP sets
- VC containers: clusters, datacenters, portgroups, VXLAN
- VM containers: VM names, VM tags, VM attributes
- Identity: AD groups
- IPv6 compliant: IPv6 addresses, IPv6 sets

Services
- Protocol
- Ports
- Custom
- IPv6 services

Action
- Allow
- Block
- Reject

Choice of PEP (Policy Enforcement Point)
- Clusters
- VXLAN
- vNICs
- …


Context Aware Micro Segmentation

• Extend the L4 rule-based DFW micro-segmentation to be context aware
• Context sources: user, protocols, applications, mobile manifest, third-party context, etc.


Distributed Network Encryption

• NSX Manager
  – User defines encryption policies
• NSX Controller
  – Pushes rules to hypervisors
  – Generates tickets for hypervisors to obtain secret keys
• Key Manager
  – Generates secret keys for hypervisors
• Hypervisors
  – Get secret keys from the Key Manager using their tickets, and encrypt/authenticate network packets in and out of the VMs

(Diagram: (1) rules and (2) key policies flow from NSX Manager to the NSX Controller and the Key Manager; the Controller hands a ticket to each of Hypervisor1 … HypervisorN, which present it to the Key Manager.)
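The ticket-based key distribution described above, as an added example that is not part of the original deck or of VMware's code. It assumes a hypothetical ticket format (hypervisor id, policy id, expiry, and an HMAC under a secret shared between Controller and Key Manager), a per-policy key generated by the Key Manager, and, because it uses only the Python standard library, shows packet protection as an HMAC authentication tag rather than the encryption the real service also applies; the class names, VM names and policy id are invented.

```python
"""Toy model of the DNE control flow on this slide: NSX Manager holds the
policies, the NSX Controller pushes rules and issues per-hypervisor tickets,
the Key Manager releases a policy's secret key only against a valid ticket,
and hypervisors use that key to protect packets between VMs.  Added
illustration, not VMware code: the ticket format, key handling and every name
are invented.  Stdlib-only, so packet protection is an HMAC tag; the real
service also encrypts, which would use an AEAD cipher such as AES-GCM."""
import hashlib
import hmac
import secrets
import time


class Controller:
    """Distributes rules and signs tickets; it never holds data-plane keys."""
    def __init__(self, ticket_secret):
        self.ticket_secret = ticket_secret

    def ticket(self, hypervisor_id, policy_id, ttl=300, now=None):
        expiry = (now if now is not None else time.time()) + ttl
        body = f"{hypervisor_id}|{policy_id}|{expiry}".encode()
        tag = hmac.new(self.ticket_secret, body, hashlib.sha256).hexdigest().encode()
        return body + b"|" + tag


class KeyManager:
    """Generates per-policy keys and releases them only to ticketed hypervisors."""
    def __init__(self, ticket_secret):
        self.ticket_secret = ticket_secret   # shared with the Controller to verify tickets
        self.keys = {}                       # policy_id -> 256-bit key, generated here

    def redeem(self, ticket, hypervisor_id, now=None):
        body, tag = ticket.rsplit(b"|", 1)
        expected = hmac.new(self.ticket_secret, body, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(tag, expected):
            raise PermissionError("ticket signature invalid")
        hv, policy_id, expiry = body.decode().split("|")
        if hv != hypervisor_id:
            raise PermissionError("ticket was issued to a different hypervisor")
        if (now if now is not None else time.time()) > float(expiry):
            raise PermissionError("ticket expired")
        return self.keys.setdefault(policy_id, secrets.token_bytes(32))


class Hypervisor:
    def __init__(self, hv_id):
        self.hv_id, self.rules, self.keys = hv_id, [], {}

    def install(self, rules, tickets, key_manager):
        """Take the rules pushed by the Controller and redeem each ticket at the Key Manager."""
        self.rules = rules
        for policy_id, t in tickets.items():
            self.keys[policy_id] = key_manager.redeem(t, self.hv_id)

    def _policy(self, src, dst):
        for r in self.rules:                  # first matching DNE rule wins
            if r["src"] == src and dst in r["dst"]:
                return r["policy"]
        return None

    def protect(self, src, dst, payload):
        """Egress: append a tag under the policy key, or pass through when no rule applies."""
        pid = self._policy(src, dst)
        if pid is None:
            return payload
        return payload + hmac.new(self.keys[pid], payload, hashlib.sha256).digest()

    def verify(self, src, dst, frame):
        """Ingress: strip and check the tag; None means the packet is dropped."""
        pid = self._policy(src, dst)
        if pid is None:
            return frame
        payload, tag = frame[:-32], frame[-32:]
        ok = hmac.compare_digest(tag, hmac.new(self.keys[pid], payload, hashlib.sha256).digest())
        return payload if ok else None


def demo():
    secret = secrets.token_bytes(32)          # constructed Controller/Key Manager shared secret
    ctrl, km = Controller(secret), KeyManager(secret)
    rules = [{"src": "VM1", "dst": {"VM2", "VM3"}, "policy": "P1"}]   # mirrors "VM1 -> VM2, VM3: Encrypt"
    hv1, hv2 = Hypervisor("hv1"), Hypervisor("hv2")
    hv1.install(rules, {"P1": ctrl.ticket("hv1", "P1")}, km)
    hv2.install(rules, {"P1": ctrl.ticket("hv2", "P1")}, km)
    frame = hv1.protect("VM1", "VM2", b"GET / HTTP/1.1")
    out = {"same_key": hv1.keys["P1"] == hv2.keys["P1"],
           "verified": hv2.verify("VM1", "VM2", frame),
           "tampered": hv2.verify("VM1", "VM2", frame[:-1] + bytes([frame[-1] ^ 1])),
           "no_rule": hv1.protect("VM1", "VM9", b"plain")}
    rejected = 0                              # an un-ticketed hypervisor cannot obtain the key
    for bad in (ctrl.ticket("hv1", "P1"),                 # someone else's captured ticket
                ctrl.ticket("hv3", "P1") + b"x",          # tampered tag
                ctrl.ticket("hv3", "P1", ttl=1, now=0)):  # long expired
        try:
            km.redeem(bad, "hv3")
        except PermissionError:
            rejected += 1
    out["rejected"] = rejected
    return out
```

The property worth noticing is the separation of duties: the Controller decides who may hold a key (it signs tickets) but never touches data-plane keys, while the Key Manager holds keys but releases them only against a ticket bound to the requesting hypervisor, so a captured ticket is useless on another host and an old one expires. Both hypervisors under the same policy receive the same key, which is what lets hv2 verify what hv1 protected.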


Distributed Load Balancing

(Diagram: Web-Tier-01 10.0.1.0/24 with web-01 and web-02, App-Tier-01 10.0.2.0/24 with app-01 and app-02, DB-Tier-01 10.0.3.0/24 with db-01; the load balancer is reachable at .1 of each tier, and Service-Group_Web fronts the web members.)

• Appliance-less, client-side east/west load balancer: the balancing decision is made at the client VM's own vNIC
• Linearly scalable with optimal performance
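How a Balance action can be enforced at the client's own vNIC, as an added example that is neither VMware code nor the DLB's actual algorithm. It assumes a constructed App-Tier-01 pool behind the tier's .1 address, round-robin selection kept locally per client vNIC, and a health set that an external monitor would maintain; apart from the tier prefix and the .1 convention shown on the slide, all addresses and names are invented.

```python
"""Toy model of the distributed load balancer on this slide: the 'Balance' rule
is enforced at the client VM's own vNIC, so a VIP is translated to a pool member
before the packet leaves the source host and no appliance sits in the path.
Added illustration, not VMware code; names, addresses and the selection scheme
are invented (the slide only gives the .1 load-balancer address per tier)."""
from dataclasses import dataclass, field


@dataclass
class Pool:
    vip: str
    port: int
    members: list                              # backend addresses behind the VIP
    healthy: set = field(default_factory=set)  # maintained by health monitoring (not modelled)


class ClientSideLB:
    """Per-vNIC DLB slot: DNAT to a member on egress, reverse translation on ingress."""

    def __init__(self, pools):
        self.pools = {(p.vip, p.port): p for p in pools}
        self.nat = {}      # (client_ip, client_port, vip, vport) -> member
        self.rr = 0        # round-robin cursor local to this vNIC: no state shared between hosts

    def egress(self, src, sport, dst, dport):
        """Return the (address, port) the packet is actually sent to."""
        pool = self.pools.get((dst, dport))
        if pool is None:
            return dst, dport                  # not a VIP: forward untouched
        key = (src, sport, dst, dport)
        member = self.nat.get(key)
        if member is None or member not in pool.healthy:
            # New flow, or its member failed: pick a live member. An existing TCP
            # session does not survive this, but every new connection avoids the dead node.
            live = sorted(pool.healthy)
            if not live:
                raise ConnectionRefusedError(f"no healthy member behind {dst}:{dport}")
            member = live[self.rr % len(live)]
            self.rr += 1
            self.nat[key] = member             # flow persistence: same 4-tuple, same member
        return member, pool.port

    def ingress(self, src, sport, dst, dport):
        """Rewrite a reply from a pool member back to the VIP the client connected to."""
        for (cip, cport, vip, vport), member in self.nat.items():
            if (src, sport, dst, dport) == (member, vport, cip, cport):
                return vip, vport
        return src, sport                      # not a balanced flow: deliver untouched


def demo():
    # constructed addressing in the slide's tiers: the load balancer is .1 of App-Tier-01
    app = Pool("10.0.2.1", 80, ["10.0.2.11", "10.0.2.12"])
    app.healthy = set(app.members)
    lb, client = ClientSideLB([app]), "10.0.1.11"
    out = {"spread": [lb.egress(client, 40000 + i, "10.0.2.1", 80)[0] for i in range(4)]}
    out["persistent"] = lb.egress(client, 40000, "10.0.2.1", 80)[0] == out["spread"][0]
    out["reply"] = lb.ingress(out["spread"][0], 80, client, 40000)   # member -> VIP rewrite
    out["plain"] = lb.egress(client, 40010, "10.0.3.11", 5432)       # no VIP involved
    app.healthy.discard("10.0.2.11")                                 # app-01 fails its health check
    out["new_after_failure"] = lb.egress(client, 40020, "10.0.2.1", 80)[0]
    out["existing_after_failure"] = lb.egress(client, 40000, "10.0.2.1", 80)[0]
    return out
```

Because the translation table lives in the client's vNIC slot, each host only ever knows about its own clients' flows; this is what makes the service scale with the number of hosts and removes the appliance as a bottleneck and single point of failure.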


Architecture Deep Dive

NSX Distributed Services – System Architecture

(Diagram: a vSphere Client (TCP/443 to vCenter Server), an SSH client (TCP/22) and a REST API client (TCP/443) are the entry points; NSX Manager and vCenter Server talk over TCP/443; NSX Manager pushes to each ESXi host over TCP/5671; the ESXi host runs the VXLAN, DR, DFW and switch-security data-plane modules.)

1. UI access to the NSX management plane via vSphere vCenter.
2. Policy rules are stored in NSX Manager.
3. Policy rules are pushed down to the ESXi host (DFW data plane).

NSX Distributed Services – Internal Architecture: Component Details and Communication Channels

(Diagram: NSX Manager (web browser UI over TCP 443; database and config engine) talks to vCenter Server over TCP 443 and to each ESXi host over the AMQP message bus on TCP 5671, with an exchange and one queue per host. On the ESXi host, the vCenter agents vpxa and hostd keep a heartbeat with vCenter over TCP/UDP 902; the user-space vsfwd/CPA agent consumes the host's queue and programs the vSIP services kernel module, which attaches a VNIC-FW filter and IOChains to each vNIC between the VM and the virtual switch.)

The services kernel module is delivered as a VIB:

# esxcli software vib list
esx-vsip 5.5.0-0.0.1744190

Ruleset and Flows per vNic/VM

(Diagram: NSX Manager, the Control Cluster and the Compute Manager feed rulesets and inventory updates to the CPA on each vSphere host, where the Web, App and DB VMs each get their own ruleset.)

• Applied-To: each vNic/VM can have its own custom ruleset and service chain
• Contextualization: each vNic has its own set of flows
• Exclude List: individual vNics/VMs can be excluded from having a service instance or chain
• Stateful (default) as well as stateless rules supported
• Rules are revalidated on every ruleset change


NSX Distributed Services Enablement

(Diagram: two vSphere hosts on a vSphere Distributed Switch, VTEP IPs 10.20.10.10 and 10.20.10.11, joined by the VXLAN 5001 logical switch; VM1 (MAC1, IP1) on the first host, VM2 (MAC2, IP2) and VM3 (MAC3, IP3) on the second.)

DFW Policy Rules:

  Source   Destination   Service       Action
  VM1      VM2, VM3      TCP port 80   Allow
  VM1      VM2, VM3      any           Block

DLB Policy Rules:

  Source   Destination   Service       Action
  VM1      VIP1          TCP port 80   Balance
  VM1      VIP2          TCP port 53   Balance

DNE Policy Rules:

  Source   Destination   Service       Action
  VM1      VM2, VM3      TCP port 80   Encrypt
  VM1      VM5, VM6      any           Encrypt

• Enforce policy at the vNic:
  - Services are independent of the transport network (VLAN or VXLAN) and of each other
  - All VM ingress and egress packets are subject to service processing
  - Independent security policy per service
  - Flexible service chain
  - Uniformly applicable to virtualized and non-virtualized networks: V-to-V and P-to-V support


NSX Distributed Services Packet Pipeline

(Diagram: DFW Service: from vNIC/vPort → (1) L2 Pipeline → (2) L3-L7 Pipeline → Partner Pipeline → DNE Pipeline → to vPort/vNic.)

L2 Pipeline
• L2 packet sanity, Spoofguard
• L2 rule analysis
• Flow cache to speed up stateless processing

L3-L7 Pipeline
• L3 packet sanity, Spoofguard
• Fragmented packet support
• Support for ICMP type/code
• L4 packet sanity
• Context discovery and mapping
• Flow lookup
• TCP state and sequence number tracking, state-based timers
• Address-set lookup, rule analysis
• Flow creation and logging
• ALG support (FTP, MSRPC, Oracle, DCERPC, TFTP)

Partner Pipeline [a..b..c]
• Policy lookup for stateful flow
• Punt packet to partner service (in-host, L2, L3)
• Receive from partner service and forward packet

DNE Pipeline
• Policy lookup for stateful flow
• Encrypt/decrypt per policy


NSX Service Chaining

(Diagram: Guest VM → VDS → DFW Filtering Module (slot 2) → Traffic Redirection Module (slot 4) → Partner Services VM, managed by the Partner Console and registered through vCenter → external network.)

• Traffic exits the guest VM and reaches the DFW for processing
• Rule/flow analysis is done by the DFW
• The Filtering Module (one per service) performs its own rule/flow analysis
• The Traffic Redirection Module steers the flow to the Partner Services VM (in-host, L2 or L3)
• Permitted traffic is forwarded via the Traffic Redirection Module


NSX Distributed Services and vMotion

(Diagram: a VM moves from the vMotion source host to the vMotion destination host; the numbered sessions that were active before the move are still flowing afterwards.)

• NSX Distributed Services fully support vMotion.
• During a vMotion event, all service context moves with the VM:
  - Rules/address table
  - Connection tracker table
  - L4-L7 state
• No session loss during vMotion: all sessions active before the mobility event remain intact after the move.
• Separation of control plane and data plane.
• All services are completely independent of VM location or logical network!

No disruption to the end user!
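The per-vNIC data path described in the enablement slide, the packet pipeline and the vMotion slide, as one added example that is not part of the original deck or of VMware's code. It assumes invented class names, a constructed inventory that resolves the groups "web" and "app" to addresses, Spoofguard as a check of the packet's source MAC/IP against the vNIC's registered pair, and a connection-tracker entry keyed so that the return packet of a flow matches it; the policy it walks through is the slide's "VM1 → VM2, VM3: TCP port 80 Allow / any Block".

```python
"""Toy model of the per-vNIC DFW data path sketched on the preceding slides:
Spoofguard, flow lookup, address-set lookup with first-match rule analysis,
flow creation, and a service context that travels with the VM on vMotion.
Added illustration, not VMware code; every name and address is invented."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_mac: str
    src: str              # IPv4 or IPv6 literal; the pipeline is address-family agnostic
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = False     # a TCP connection is only tracked from its first (SYN) packet


@dataclass(frozen=True)
class Rule:
    src: tuple            # group names, or ("any",)
    dst: tuple
    proto: str            # "tcp", "udp", "icmp" or "any"
    dport: Optional[int]  # None = any port
    action: str           # "allow" | "block" | "reject"
    stateful: bool = True


class VnicFilter:
    """Policy enforcement point for one vNIC: its own ruleset and its own flow table."""

    def __init__(self, mac, ip, rules, groups, flows=None):
        self.mac, self.ip = mac, ipaddress.ip_address(ip)
        self.rules = list(rules)
        # address-set lookup: inventory groups (names, tags, ...) resolved to addresses
        self.groups = {g: {ipaddress.ip_address(a) for a in addrs} for g, addrs in groups.items()}
        self.flows = dict(flows or {})   # connection tracker: flow key -> action
        self.log = []

    @staticmethod
    def flow_key(p):
        # direction-independent key so the return packet hits the same entry
        return (p.proto, frozenset({(p.src, p.sport), (p.dst, p.dport)}))

    def _in_group(self, names, addr):
        return "any" in names or any(addr in self.groups[n] for n in names)

    def _first_match(self, p):
        src, dst = ipaddress.ip_address(p.src), ipaddress.ip_address(p.dst)
        for r in self.rules:
            if (self._in_group(r.src, src) and self._in_group(r.dst, dst)
                    and r.proto in ("any", p.proto) and r.dport in (None, p.dport)):
                return r
        return None

    def process(self, p, egress):
        """Return 'allow', 'block' or 'reject' for one packet through this vNIC slot."""
        # 1. L2/L3 sanity + Spoofguard: the VM may only send from its registered
        #    MAC/IP, and only traffic addressed to this vNIC's IP is delivered to it.
        if egress and (p.src_mac != self.mac or ipaddress.ip_address(p.src) != self.ip):
            self.log.append(("spoofguard", p.src_mac, p.src))
            return "block"
        if not egress and ipaddress.ip_address(p.dst) != self.ip:
            self.log.append(("spoofguard", "not-my-address", p.dst))
            return "block"
        # 2. Flow lookup (fast path): an established flow skips rule analysis.
        key = self.flow_key(p)
        if key in self.flows:
            return self.flows[key]
        # 3. Address-set lookup + first-match rule analysis; no match means block.
        rule = self._first_match(p)
        action = rule.action if rule else "block"
        self.log.append(("rule", action, p.src, p.dst, p.proto, p.dport))
        # 4. Flow creation: only a permitted, stateful, connection-initiating packet
        #    opens a tracker entry, so a stray mid-stream packet never creates a flow.
        if rule and rule.stateful and action == "allow" and (p.proto != "tcp" or p.syn):
            self.flows[key] = action
        return action

    def export_context(self):
        """Everything that must travel with the VM on vMotion."""
        return {"rules": self.rules,
                "groups": {g: [str(a) for a in s] for g, s in self.groups.items()},
                "flows": dict(self.flows)}

    @classmethod
    def from_context(cls, mac, ip, ctx):
        return cls(mac, ip, ctx["rules"], ctx["groups"], ctx["flows"])


def demo():
    """Walk the slide's 'VM1 -> VM2,VM3: TCP/80 allow, any block' policy through the pipeline."""
    groups = {"web": ["10.0.1.11"], "app": ["10.0.2.11", "10.0.2.12"]}   # constructed inventory
    rules = [Rule(("web",), ("app",), "tcp", 80, "allow"),
             Rule(("web",), ("app",), "any", None, "block")]              # explicit catch-all, as on the slide
    vm1 = VnicFilter("00:50:56:00:00:01", "10.0.1.11", rules, groups)
    req = Packet("00:50:56:00:00:01", "10.0.1.11", 40000, "10.0.2.11", 80, syn=True)
    reply = Packet("00:50:56:00:00:11", "10.0.2.11", 80, "10.0.1.11", 40000)
    out = {"http": vm1.process(req, egress=True)}                # allow, flow created
    out["reply"] = vm1.process(reply, egress=False)              # allow via flow table, no rule needed
    out["ssh"] = vm1.process(Packet("00:50:56:00:00:01", "10.0.1.11", 40001, "10.0.2.11", 22, syn=True), egress=True)
    out["spoof"] = vm1.process(Packet("00:50:56:00:00:01", "10.0.1.99", 40002, "10.0.2.11", 80, syn=True), egress=True)
    # vMotion: rebuild the vNIC slot on the destination host from the exported context ...
    moved = VnicFilter.from_context(vm1.mac, str(vm1.ip), vm1.export_context())
    out["reply_after_move"] = moved.process(reply, egress=False)  # allow: the tracker moved too
    # ... whereas a slot that received only the rules would break the established session
    fresh = VnicFilter(vm1.mac, str(vm1.ip), rules, groups)
    out["reply_without_context"] = fresh.process(reply, egress=False)
    return out
```

Two points the slides make are visible in the last results: the reply from app-01 to the client is allowed only because the SYN created a tracker entry (no rule permits App → Web), and after the move that entry is what keeps the session alive; a destination host given the rules but not the connection tracker would drop the very next reply.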


Demo

Demo: Context Aware Micro Segmentation
