Introducing NSX-T Federation support in VMware Cloud Foundation

VMware Cloud Foundation 4.2 announces the release of one of the most anticipated features for VCF customers: NSX-T Federation. NSX-T Federation capabilities provide a cloud-like operating model for network administrators by simplifying the consumption of networking and security constructs. This includes centralized management, consistent networking and policy configuration with enforcement, and synchronized operational state across large-scale federated NSX-T deployments.

Globalization, security and disaster recovery considerations are driving businesses to diversify locations across multiple regions. NSX-T Federation provides the ability to manage, control and synchronize multiple NSX-T deployments across different VCF instances, which could be in one region or deployed across regions in geographically dispersed data centers. This gives our customers the tooling needed to meet their business objectives while simplifying the life of their network, security and cloud administrators, providing workload mobility and simplifying disaster recovery.

Figure 1: VCF Multi-Region Deployment

NSX-T Federation Use Cases

NSX Federation support in Cloud Foundation enables several use cases.

Figure 2: NSX-T Federation Use Cases

  • Operational Simplicity: Administrators can register and then control multiple NSX-T deployments from a single interface. This capability provides a single pane of management for multiple deployments, simplifying administration.
  • Common policy configuration and enforcement: Global Manager is the key component of NSX-T Federation. It provides a GUI and REST API endpoint through which you configure consistent security policies across multiple locations, and it then pushes the configuration to one or more Local Managers. This capability reduces administrative burden and minimizes the opportunity for human error.
  • Global Networking: Customers can create global networking objects, such as routers and network segments, that have the option of spanning one or more sites and include failover/fail-back capability. Global networking is key to simplifying network designs and to building a disaster recovery solution.
  • Simplified Disaster Recovery: By spanning logical networking and security across sites, NSX-T Federation inherently provides features desired for disaster recovery. Applications can be restarted at the recovery site upon a DR event while maintaining their IP addresses. Furthermore, the security posture of the applications is maintained because security policies attach to the workload, which means the policies move with the workload and are uniformly enforced.

What is NSX-T Federation?

NSX-T Federation introduces the concept of a Global Manager (GM), which offers a single pane of glass for central configuration of the network and security services for all locations. Each location has one NSX-T Manager cluster, called here the Local Manager (LM), which manages the Transport Nodes for that location (hypervisors and Edge nodes). The GM pushes the network and security configuration to the different LMs, which implement it locally. Another key capability of NSX-T Federation is the ability to create logical routers and network segments that span locations. Stretched networking and consistent policies, paired with DR solutions such as Site Recovery Manager, enable workloads to move and scale beyond vCenter boundaries.

Figure 3: NSX-T Federation Design

VCF Architecture for NSX-T Federation

NSX-T Federation support in VMware Cloud Foundation 4.2 is introduced via manual guidance targeted at greenfield deployments (freshly installed VCF 4.2 deployments). Customers can use our guidance to layer NSX-T Federation on top of multiple or multi-region VCF deployments.

In an environment with multiple regions, you can deploy multiple NSX-T Global Manager clusters in an Active/Standby model, ideally distributed over two regions for availability purposes. When a region-wide outage occurs, the standby region (including the standby cluster) takes over the active role. The configuration is synchronized between the active and standby clusters to prevent configuration loss. The Local Managers (or NSX-T Manager instances deployed by VCF) in each region are then registered to the Global Manager. NSX-T Global Manager provides the user interface and the RESTful API for creating, configuring, and monitoring NSX-T global objects, such as global virtual network segments, and global Tier-0 and Tier-1 gateways.

For the data plane, we recommend a two-tier architecture, where a global Tier-0 spans both regions and provides N/S connectivity for region-specific and cross-region segments. In this multi-region design, you use three Tier-1 gateways: one for Region A only segments, one for Region B only segments, and one for segments which span Region A and Region B. For workloads that require global connectivity, a Tier-1 router is deployed that spans both regions. This router and any connected segments will have failover capability. Each region will have a region-specific Tier-1 router deployed, where local segments can be created and attached. This guarantees that site-specific networks remain available if a failure occurs in another region.

Figure 4: NSX-T Federation Architecture in VCF

A VCF environment may contain multiple federated workload domains that are separated from each other. This allows for ease of management, operational simplicity, and the ability to scale each federated instance up to the NSX-T Federation supported deployment limits.

Figure 5: Federated VCF WLDs

You can choose to federate VI Workload domains without federating the management domain. If you need availability of the management components deployed in the management domain, such as vRA and vROps, then you need to federate the management domain as well. NSX-T Federation moves the management plane from Local Manager to Global Manager. Any VMware or third-party products that integrate with NSX-T or consume NSX-T APIs should be evaluated for compatibility with NSX-T Federation.

Available Now

The journey of VMware Cloud Foundation with NSX-T Federation has just begun and we have exciting times ahead! With the technical capabilities of NSX-T Federation and the power of VCF automation simplifying life cycle management, deployment and day-n operations, we will be able to cater to a variety of use cases based on business demands and preferred architectures. To learn more about the architecture and design aspects of NSX-T Federation with VCF 4.2, please check out our documentation.
