This article was originally posted here, 24 August 2018.
Announced at the AWS Summit in New York last month, and also briefly mentioned in the prior blog post, Announcing General Availability of VMware NSX-T Data Center 2.2.0, NSX-T networking and security is now available in Preview Mode for new SDDC deployments on VMware Cloud on AWS. Please reach out to your sales/SE contact for more information. In this post, I give an overview of the advanced networking and security functionality that NSX-T provides within VMware Cloud on AWS.
You can also check out the VMware Cloud on AWS Networking with VMware NSX-T documentation page for additional information. Also, if you will be at VMworld 2018, make sure to attend the VMware Cloud on AWS with NSX sessions listed below; we will go into a deep dive of all the functionality and show how VMware Cloud on AWS is being used by customers.
VMware Cloud on AWS with NSX: Use Cases, Design, and Implementation [NET1327BU]
Speaker: Humair Ahmed, Senior Technical Product Manager, VMware
Date: Wednesday, Aug 29, 1:00 p.m. – 2:00 p.m.
Advanced NSX Services in VMware Cloud on AWS: Use Cases and Best Practices [NET2409BU]
Speaker: Vyenkatesh Deshpande, Sr. Product Line Manager, VMware
Date: Wednesday, Aug 29, 2:30 p.m. – 3:30 p.m.
NSX is the underlying networking and security platform in VMware Cloud on AWS. With NSX-T, we have enabled the following enhancements and capabilities; the first four are the major features driving the NSX-T SDDC.
NSX-T Features for VMware Cloud on AWS SDDC (Preview Mode)
- Distributed Firewall (DFW)
- Security Groups (based on IP address, VM instance, VM name, or Security Tag)
- Route-based IPsec VPN with redundancy
- Direct Connect Private VIF for all traffic
- Connectivity from Overlay to Management Infrastructure
- vCenter Management Appliance access from connected VPC
- DNS Zones
- Port Mirroring
- IPFIX
The underlying SDDC networking topology with NSX-T is similar to NSX-V SDDC in the sense that you still have a management gateway (MGW) for management and a compute gateway (CGW) for compute. A few key differences here are the following:
- MGW and CGW are no longer VM appliances; instead they are logical constructs inside the same edge appliance. In NSX-T terms, MGW and CGW are T1 routers, which also have distributed components on each hypervisor. You can think of a T1 router as roughly analogous to a distributed logical router (DLR) in NSX-V.
- MGW and CGW are connected to each other via another router, known in NSX-T as a T0 router, which provides connectivity in and out of the data center. Because this connectivity is native to the NSX-T architecture, it also brings some inherent enhancements, which I discuss in more detail later in the post.
- The vCenter management network is now an overlay. Because vCenter sits on an overlay, the same operational tools can be used for compute workloads and for the vCenter management VMs.
- There is no longer a need for separate VPN tunnels for the MGW and the CGW; with the NSX-T SDDC, all VPNs terminate on the T0, which is connected to both the CGW and the MGW, so it is a single-VPN design.
- The NSX-T edges use DPDK for enhanced performance.
- The ESXi hosts in VMware Cloud on AWS with NSX-T now use the N-VDS (instead of the VDS used previously).
Below is the underlying network topology in VMware Cloud on AWS with NSX-T.
With NSX-T, the layout under the Networking and Security tab has been redesigned to simplify and make it easier for users to navigate. As you can see from the below screenshot, the menu is provided to the left with the networking and security sections at the top. Users can easily jump to one of the respective sections: Overview, Network, Security, Inventory, Tools and System.
Network Segments
All networking and security configuration is now done through the VMware Cloud on AWS console via the Networking and Security tab, including creating network segments. Having all networking and security configuration in one console simplifies operations and management. Previously, users had to use the NSX plugin in vCenter to create network segments.
Distributed Firewall
Using VMware Cloud on AWS with NSX-T, users can implement micro-segmentation with the Distributed Firewall. Granular security policies can be applied at the VM level, allowing segmentation within the same L2 network or across separate L3 networks, as shown in the diagram below.
Figure 4: Micro-segmentation via DFW with NSX-T SDDC
In the screenshot below you can see that, in addition to creating multiple sections, users can organize DFW rules into groups (Emergency Rules, Infrastructure Rules, Environment Rules, and Application Rules). Rules are evaluated from the top down and the first match wins, so the order of the sections, and of the rules within them, decides the outcome for a given flow.
Security Groups
In addition to the new DFW capabilities, grouping objects can now be leveraged within security policies. Security groups support the following grouping criteria/constructs:
- IP Address
- VM Instance
- Matching criteria of VM Name
- Matching Criteria of Security Tag
As shown in the screenshot below, Security Groups can be created under Workload Groups or Management Groups. Workload Groups can be used in DFW and CGW firewall policies, and Management Groups in MGW firewall policies. Management Groups support only IP addresses, since they describe infrastructure. Predefined Management Groups already exist for vCenter, ESXi hosts, and NSX Manager; users can also create IP-based groups here for on-prem ESXi hosts, vCenter, and other management appliances.
In the below screenshot you can see I have deployed some VMs in vCenter and you can see the VMs in inventory within the console. Additionally, I’ve tagged the VMs with Web, App, and DB Security Tags respectively.
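To make the grouping constructs and the top-down evaluation concrete, here is an added Python model of how a DFW rule set organized into Emergency, Infrastructure, Environment and Application sections is evaluated against tagged VMs. It is written for this post and is not VMware code or the NSX-T policy engine: the VMs, tags, group names, rules and the final default action are all constructed, and real DFW constructs such as Applied To, service objects and L7 context are left out.

```python
"""Added example: evaluating a DFW rule set over tag/name/IP/instance-based groups.

Constructed for this post; not VMware code and not the NSX-T policy engine.
"""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    ip: str
    name: str | None = None          # None for non-VM endpoints such as on-prem hosts
    tags: frozenset = frozenset()    # NSX security tags applied to the VM


@dataclass(frozen=True)
class Group:
    """A security group built from the four constructs the post lists."""
    name: str
    ips: tuple = ()                  # IP addresses / CIDRs (the only construct Management Groups allow)
    instances: tuple = ()            # explicit VM instances, by name
    name_contains: str | None = None # VM-name matching criterion
    tag: str | None = None           # security-tag matching criterion

    def matches(self, ep: Endpoint) -> bool:
        ip = ipaddress.ip_address(ep.ip)
        if any(ip in ipaddress.ip_network(c, strict=False) for c in self.ips):
            return True
        if ep.name is not None and (ep.name in self.instances
                                    or (self.name_contains and self.name_contains in ep.name)):
            return True
        return self.tag is not None and self.tag in ep.tags


ANY = Group("any", ips=("0.0.0.0/0",))


@dataclass(frozen=True)
class Rule:
    name: str
    src: Group
    dst: Group
    service: tuple | None            # (proto, port) or None for any service
    action: str                      # "ALLOW" or "DROP"

    def matches(self, src, dst, proto, port) -> bool:
        return (self.src.matches(src) and self.dst.matches(dst)
                and (self.service is None or self.service == (proto, port)))


# Constructed groups: tag-based tiers, a name-based environment group, an IP-based on-prem group.
WEB, APP, DB = Group("Web", tag="Web"), Group("App", tag="App"), Group("DB", tag="DB")
QUARANTINE = Group("Quarantine", tag="Quarantine")
PROD = Group("Prod", name_contains="prod-")
ONPREM_ADMIN = Group("OnPrem-Admin", ips=("192.168.10.0/24",))

# Sections in the order the console shows them; rules are hit top-down, first match wins.
POLICY = [
    ("Emergency", [Rule("quarantine-in", ANY, QUARANTINE, None, "DROP"),
                   Rule("quarantine-out", QUARANTINE, ANY, None, "DROP")]),
    ("Infrastructure", [Rule("admin-ssh", ONPREM_ADMIN, PROD, ("tcp", 22), "ALLOW")]),
    ("Environment", []),
    ("Application", [Rule("web-to-app", WEB, APP, ("tcp", 8443), "ALLOW"),
                     Rule("app-to-db", APP, DB, ("tcp", 3306), "ALLOW"),
                     Rule("deny-east-west", PROD, PROD, None, "DROP")]),
]


def decide(src: Endpoint, dst: Endpoint, proto: str, port: int, default: str = "ALLOW"):
    """Return (action, 'Section/rule') for a flow; the default rule is hit only if nothing else matches."""
    for section, rules in POLICY:
        for rule in rules:
            if rule.matches(src, dst, proto, port):
                return rule.action, f"{section}/{rule.name}"
    return default, "default"


# Constructed inventory: three tagged tiers on separate segments, two web VMs on the same segment.
WEB1 = Endpoint("10.0.1.10", "prod-web-01", frozenset({"Web"}))
WEB2 = Endpoint("10.0.1.11", "prod-web-02", frozenset({"Web"}))
APP1 = Endpoint("10.0.2.10", "prod-app-01", frozenset({"App"}))
DB1 = Endpoint("10.0.3.10", "prod-db-01", frozenset({"DB"}))
ADMIN = Endpoint("192.168.10.5")                          # on-prem jump host, IP only

if __name__ == "__main__":
    for flow in [(WEB1, APP1, "tcp", 8443), (WEB1, WEB2, "tcp", 22), (WEB1, DB1, "tcp", 3306),
                 (ADMIN, DB1, "tcp", 22), (ADMIN, WEB1, "tcp", 443)]:
        print(flow[0].ip, "->", flow[1].ip, flow[2], flow[3], decide(*flow))
```

Two things the model makes visible: retagging a VM (for example adding a Quarantine tag) changes its policy immediately because the Emergency section is evaluated first, and the explicit deny-east-west rule is what actually segments the two web VMs on the same L2 segment; without such a rule, the final default action is what decides, so check what your default rule is before assuming a segment is locked down.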
Route-based IPsec VPN with Redundancy
In addition to policy-based IPsec VPN, route-based IPsec VPN is now also possible. Users can run BGP over the IPsec tunnel so that networks are automatically advertised and learned between the VMware Cloud on AWS SDDC and on-prem. This simplifies operations and avoids the manual configuration updates (and the errors they invite) every time a network changes. Route-based IPsec VPN also provides redundancy: multiple VPNs can be set up to on-prem and BGP can be used to make the paths active/passive. The BGP session over each tunnel doubles as its liveness signal, so when a tunnel fails its routes are withdrawn and traffic moves to the surviving tunnel without anyone editing a configuration.
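As an added illustration, not part of the post and not VMware's or any router vendor's code, the following Python toy models the active/passive behaviour described above: the on-prem router advertises the same prefixes over two route-based tunnels, prepends its own ASN on the backup tunnel, and the SDDC side prefers the shortest AS path; when the primary tunnel's BGP session drops, its routes are withdrawn and the backup takes over. The ASN, prefixes and tunnel names are made up, and the decision logic is reduced to the AS-path-length step of real BGP best-path selection.

```python
"""Added example: active/passive route-based VPN paths via BGP AS-path prepending.

Constructed for this post; a toy of the BGP decision, not VMware's or any router's code.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Advert:
    prefix: str
    as_path: tuple      # AS_PATH as received; the leftmost ASN is the neighbour that sent it
    tunnel: str         # route-based IPsec tunnel (VTI) the BGP session runs over


def prepend(as_path: tuple, asn: int, times: int) -> tuple:
    """What the on-prem router does on its backup tunnel: lengthen its own AS path."""
    return (asn,) * times + as_path


def best_paths(adverts, up_tunnels):
    """Simplified BGP best-path selection per prefix.

    Adverts over a down tunnel are ignored: with no BGP session they are withdrawn.
    Among the rest the shortest AS path wins; a tie goes to the lexically first tunnel
    name for determinism (real BGP continues with router-ID and other tie-breakers)."""
    best = {}
    for a in adverts:
        if a.tunnel not in up_tunnels:
            continue
        cur = best.get(a.prefix)
        if cur is None or (len(a.as_path), a.tunnel) < (len(cur.as_path), cur.tunnel):
            best[a.prefix] = a
    return best


ONPREM_ASN = 65010   # constructed private ASN for the on-prem side


def onprem_adverts(prefixes):
    """Constructed: the on-prem router advertises every prefix over both tunnels and
    prepends its ASN twice on vpn-b, so vpn-a is the active path while both are up."""
    adverts = []
    for p in prefixes:
        adverts.append(Advert(p, (ONPREM_ASN,), "vpn-a"))
        adverts.append(Advert(p, prepend((ONPREM_ASN,), ONPREM_ASN, 2), "vpn-b"))
    return adverts


def sddc_routes(prefixes, up_tunnels=("vpn-a", "vpn-b")):
    """Which tunnel the SDDC would use for each on-prem prefix, given which tunnels are up."""
    return {p: a.tunnel for p, a in best_paths(onprem_adverts(prefixes), set(up_tunnels)).items()}


if __name__ == "__main__":
    nets = ["192.168.0.0/16", "172.16.50.0/24"]
    print("both up:   ", sddc_routes(nets))
    print("vpn-a down:", sddc_routes(nets, up_tunnels=("vpn-b",)))
    print("new on-prem network, no SDDC change:", sddc_routes(nets + ["172.16.60.0/24"]))
```

The third call shows the operational point of the paragraph: adding a network on-prem only requires advertising it, and the SDDC learns it over the currently active tunnel with no change on the cloud side.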
Direct Connect Private VIF for all Traffic
Another major enhancement with the NSX-T SDDC is that all traffic is now supported over a Direct Connect private VIF. This greatly simplifies connectivity and configuration, and VPNs are no longer required to carry certain traffic. See my prior blog post, VMware Cloud on AWS with Direct Connect: NSX Networking and vMotion to the Cloud with Demo, for additional background on using Direct Connect with VMware Cloud on AWS. Now, the Direct Connect private VIF can carry all traffic between on-prem and the VMware Cloud on AWS SDDC. Keep in mind that a private VIF carries traffic unencrypted; if encryption in transit is a requirement for some of that traffic, keep an IPsec VPN for it.
Connectivity from Overlay to Management Infrastructure
With the NSX-T SDDC, the CGW and MGW are connected via a T0 router, as explained above and shown in the topology diagram below; thus, workloads on the overlay can now reach management infrastructure behind the MGW. The NSX-T architecture provides this inherently. Previously, the only way to achieve this communication was to set up a VPN between the CGW and the MGW. Users can run automation, monitoring, and other operational tools on compute network segments, and these can now communicate easily with management infrastructure such as vCenter and the ESXi hosts. Reachability is still subject to the MGW firewall, so grant access only from the specific workload groups that need it, to the specific management groups they need.
vCenter Management Access from Connected Native AWS VPC
vCenter management access is also now possible from the Connected Native AWS VPC. In addition to learning the VMware Cloud on AWS network segments, the Connected Native AWS VPC also learns the route to the vCenter management network, which is now an overlay as well. This enables users to run automation, monitoring, or other applications/appliances in the Connected Native AWS VPC that need to reach the vCenter management network.
DNS Zones
An additional enhancement is the capability to have multiple DNS zones, so that queries for different domains can be forwarded to different DNS servers.
Port Mirroring
Port mirroring is now possible: a user can deploy a VM running a capture or analysis tool such as Wireshark on a compute network segment in the VMware Cloud on AWS SDDC and have traffic from other workloads mirrored to it. The mirror destination receives full copies of other workloads' packets, so treat it as sensitive: restrict who can log in to it and use DFW rules to limit what can reach it and what it can reach.
IPFIX
IPFIX can also now be used for monitoring and traffic analysis. A collector such as Plixer Scrutinizer or another third-party traffic-analysis tool can be deployed on a compute network segment in the VMware Cloud on AWS SDDC and configured as the IPFIX collector for the flow records the SDDC exports.
As you can see, there are a lot of exciting enhancements coming with the NSX-T SDDC in VMware Cloud on AWS. To learn more about advanced networking and security with NSX-T in VMware Cloud on AWS, make sure to attend the two VMworld 2018 sessions listed at the top of this post; I'll see you there!