With the release of vRealize Network Insight 3.1 on October 6th, customers now have visibility into NSX Universal Objects. If you are unfamiliar with Universal Objects, they are NSX Cross-vCenter objects such as Logical Switches, Distributed Logical Routers and Distributed Firewalls. Since these can be deployed across multiple vCenter domains as of NSX 6.2, having visibility into them in Network Insight is critical. Additionally, Network Insight 3.1 adds the ability to identify public IP addresses as part of the internal network infrastructure so that east-west communications using public IP space can be appropriately identified.
Benefits of Universal Objects
As mentioned, Universal Objects allow NSX to provide Cross-vCenter capabilities. This increases the span of NSX logical networks so that VMs on any cluster, on any vCenter Server, can be connected to the same logical network. Because of this, security policy management is centralized, reducing administrative overhead.
In addition, Cross-vCenter enables support for new mobility boundaries in vSphere 6, including cross-vCenter and long-distance vMotion across logical switches. Customers can also leverage Cross-vCenter for enhanced NSX support in multi-site environments and use NSX as part of a disaster recovery scenario.
Discovering Existing and New Universal Logical Switches
For existing Universal Objects, such as a Universal Logical Switch (ULS) and a Universal Distributed Logical Router (UDLR), Network Insight identifies these objects and imports them in the correct context. For example, the diagram below shows some existing ULSs allowing east-west traffic between two vCenter domains via a UDLR. Notice there is a ULS for each tier of an application (546-b3-web, 546-b2-app and 546-b4-db) as well as a transit ULS connecting the UDLR to three NSX edge gateways.
Upon discovery, Network Insight identifies those as Universal Objects and denotes the appropriate scope for those NSX objects.
For environments currently monitored by Network Insight, newly created Universal Objects are also appropriately identified. For example, I create a new ULS “ULS Test” in the vSphere web client.
This newly created ULS is discovered by Network Insight.
And then it is indexed, analyzing underlays, VTEPs, associated VMs and more. Automatically!
Then the ULS is seen in a topology view in relation to the rest of the networking.
Enhanced Path Trace
Now that Network Insight can identify Universal Objects, they are visible as hops within a path diagram.
To be clear, this diagram shows a whole new environment in the logical space, made of two ULSs, one UDLR and a universal transit ULS. This new UDLR is not connected to all three ESGs (as the existing one is) but only to E1. This means that E1 is the “junction” between this new environment and the preexisting one.
Within Network Insight, the path between the VM “Centos-Min-1” in the Site E datacenter and the Internet, for example, contains all Universal Objects including ULS-TEST, two transit ULSs and the Universal DLR.
Another example is the path between two VMs. In this case, the VM “W2k-2” is connected to ULS-TEST in one site while VM “W2k-1” is connected to a new ULS (ULS-TEST2) in a different site. The VMs connect via a Universal DLR. It is easy to visualize the east-west traffic between these two VMs, in two different sites, using Network Insight.
Consider the path below. This shows a path between a VM (LiveAuctionW1) connected to a ULS belonging to the preexisting environment and a VM (centos-min-2) connected to a ULS belonging to the new environment. Note that the path between the two includes the edge gateway, ESG-1, which is the nexus of the connection between the two.
What About Universal DFW Rules?
One of the key features of Network Insight is the ability to analyze NSX DFW rules. Naturally, customers need this capability extended to the Universal scope as well. Consider the screen capture below and note the search scope is defined as ‘Universal’ – the resulting 13 rules are displayed for this environment.
Even better, customers can easily determine the impact of Universal DFW rules on a given VM. Here we can see the applicable rules for Centos-Min-1.
Marking Public IP Addresses as Internal
Many customers use public IP address space within the datacenter. Network Insight now allows admins to mark public IP addresses as “internal” so that flows are properly identified as east-west rather than being assumed to be north-south purely because of the IP addresses. To classify public IPs for internal use, simply go to Settings > Datacenter Public IPs and provide any single IPs, IP ranges or subnets.
Now east-west flows are properly analyzed. In the example below we are using public IP addresses on a ULS. This is correctly counted as an internal address space and paths have been discovered in the correct context, shown in the two screen captures below.
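The classification effect described above, as an added illustration that is not Network Insight's own code: flows are tagged east-west only when both endpoints are inside the datacenter, and a configured list of "Datacenter Public IPs" (single IPs, start-end ranges or CIDR subnets, mirroring the three input kinds the setting accepts) extends the internal set beyond RFC 1918 space. The RFC 1918 default, the entry syntax and the sample flows are assumptions made here.

```python
import ipaddress
from typing import Iterable, List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Assumption: private (RFC 1918) space is always treated as internal; public
# space is only internal when an admin marks it.
PRIVATE_RANGES: List[Network] = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def parse_internal_entries(entries: Iterable[str]) -> List[Network]:
    """Expand single IPs, CIDR subnets and 'start-end' ranges into networks."""
    nets: List[Network] = []
    for raw in entries:
        entry = raw.strip()
        if "-" in entry:  # assumed range syntax: "203.0.113.10-203.0.113.20"
            start, end = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
            nets.extend(ipaddress.summarize_address_range(start, end))
        else:  # a single IP becomes a /32 (or /128); a CIDR is kept as given
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def is_internal(ip: str, internal_public: List[Network]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_RANGES + internal_public)


def classify_flow(src: str, dst: str, internal_public: List[Network]) -> str:
    """East-west only when both endpoints are inside the datacenter."""
    if is_internal(src, internal_public) and is_internal(dst, internal_public):
        return "east-west"
    return "north-south"


def classify_all(flows: List[Tuple[str, str]], entries: List[str]) -> dict:
    nets = parse_internal_entries(entries)
    return {f"{s}->{d}": classify_flow(s, d, nets) for s, d in flows}


# Constructed sample flows: 203.0.113.0/24 (documentation space) stands in for
# public addresses a customer has assigned to VMs on a ULS.
SAMPLE_FLOWS = [("203.0.113.10", "203.0.113.20"),
                ("10.1.1.5", "203.0.113.20"),
                ("203.0.113.10", "198.51.100.7")]

if __name__ == "__main__":
    print("without marking:", classify_all(SAMPLE_FLOWS, []))
    print("with marking:   ", classify_all(SAMPLE_FLOWS, ["203.0.113.0/24"]))
```

Running it shows the same ULS-to-ULS flow reported as north-south before the subnet is marked and as east-west afterwards, while the flow to the unmarked 198.51.100.7 stays north-south.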
Network Insight 3.1 adds awareness of NSX Universal Objects and marking of public IP addresses for internal use. This gives administrators better visibility between NSX deployments that span vCenter servers and provides comprehensive east-west traffic visibility.