vRealize Network Insight 3.5 (vRNI) introduces a number of great features, which improve our visibility and ability to ensure a secure and compliant configuration. Network Insight is also now available as a service. This means you can rely on VMware to handle management and updates of Network Insight, with the same great feature set you enjoy when running vRNI in your datacenter. From an architectural standpoint, the main difference between Network Insight in your datacenter and the Network Insight service is the placement of our platform and proxy instances. With the Network Insight service, you only need to deploy a Proxy VM to start collecting flows and other data from your datacenter. If your goal is to focus on AWS entities, a Proxy VM isn’t required. Just register for the Network Insight service, enter your AWS credentials, set up VPC Flow Logs, and you are good to go. You can read more about the process from our VMware Cloud Services onboarding webpage.
PCI compliance is a focus for many organizations. With that in mind, we are introducing a new PCI compliance dashboard. The dashboard focuses on portions of PCI DSS relevant to networking and security operations. The goal is to assess compliance for your NSX environments. Accessing the PCI compliance dashboard is very straightforward. Click the Security icon, select a scope, and you will receive detailed information on the disposition of associated entities. Entities include VMs and security groups plus relevant firewall rules, flows, and changes through a PCI lens. Frequently assessed entities can also be saved as a search and pinned for quick access.
vRNI has always offered visibility and analysis of IPFIX flow traffic traversing the vSphere Distributed Switch (VDS). This VDS IPFIX traffic allows vRNI to show traffic patterns and facilitates microsegmentation planning and implementation. We now offer visibility into IPFIX flows from NSX as well. This visibility provides deeper flow details, including dropped flows in the path. These dropped flows appear as a deny when we examine flow details. Assuming a least trust model is in place, firewall action visibility helps you troubleshoot connectivity issues, but it can also help you find gaps in your security posture. For example, if you view an application in test/dev communicating with a production instance, you can quickly determine whether an allow or deny is in place. The best part is that Network Insight will show you firewall actions across all the relevant entities, so you can pinpoint exactly where a potential gap might be. Additionally, you can plan the ideal place to implement NSX distributed firewalls (DFW) based on whether the flows are protected or unprotected by DFWs.
Check Point support, specifically the vSEC Management Server, is available as well. We include host, gateway, network, address range, and access rules. You will find Check Point details in the VM to VM path widget, where we show applicable firewall rules in the path, and specific Check Point entity widgets. Additionally, Check Point entities are fully available to query via Network Insight’s powerful search capabilities.
Equal-Cost Multi-Path (ECMP) routing functionality was introduced in NSX to provide scalability and resilience improvements to routes. Network Insight now shows potential paths when ECMP routing is involved. ECMP Edges are also displayed in the VM to VM path widget. This allows you to quickly determine the ideal configuration and whether there are gaps in your configuration. Additionally, you can understand where ECMP is enabled and thus where a DFW or third-party firewall would be required for your microsegmentation strategy.
There are a number of other features we announced with vRealize Network Insight 3.5, including our new NSX Edge dashboard, improved dashboard navigation, additional third-party device support, and data source migration. You can visit our overview blog on vRealize Network Insight 3.5 for further information.
With each release, VMware is continuing to remain ahead of the curve as the market leader for underlay and overlay network visibility and management. Stay tuned!