Starting with the 4.0 release of Network Insight, VMware is providing support for VMware Cloud on AWS, including visibility into your configuration and flows for security planning. Support for VMware Cloud on AWS is currently in Preview. Additionally, Network Insight is expanding support for Cisco ASA, Cisco ACI, and BGP-EVPN. Paths can now be traced between VMs running in VMware Cloud on AWS, on premises in vSphere, or as EC2 instances running in Amazon Web Services (AWS). We've also added static and dynamic thresholds with the ability to trigger alarms when certain conditions occur. Network Insight also offers expanded NSX day-2 events, sFlow support, and F5 router visibility. All of these updates are on tap for the big 4.0 release! I've picked a few of the new features for a deeper dive.

One of the cooler features in this release is preview support for VMware Cloud on AWS. You'll be able to see your configurations, network metrics from NSX and vCenter, and, best of all, IPFIX flows between VMware Cloud on AWS VMs and back to your on-premises NSX and vSphere environments. So if you want to keep an eye on a cloud-based application or a hybrid application running across your public and private clouds, determine who it is talking to, understand your security posture, and cover other day-2 health monitoring needs, Network Insight has you covered. We show the configurations on both ends, the overlay and underlay entities in the path, the firewall rules, and where there might be problems. In a nutshell, the features you've become accustomed to for on-premises visibility and planning are now fully extended to external cloud environments such as VMware Cloud on AWS and native AWS.

In the screenshot above, a path has been traced between a VMware Cloud on AWS VM and an on-premises vSphere VM. For this path, you can view detailed information from VMware Cloud on AWS, including VMs, hosts, security and network configs, and your VPN connection, as well as the on-premises VMs, hosts, security posture, and network configs. Notice that the NSX T0/T1 routers, along with the firewall rules applied to this specific path, are visible. Each entity in the path can be clicked to show further information about its configuration and any associated problems. Clicking the firewall icon (the brick wall) beneath the VM in the orange section displays the firewall rules applied to the VMware Cloud on AWS VM by the NSX distributed firewall. This path view is great for seeing all the datasources stitched together, which helps you understand and monitor your environments.

VMware Cloud on AWS support is included within the Plan Security option in Network Insight, shown above. Network Insight can view traffic patterns for applications backed by VMware Cloud on AWS, and these traffic patterns help rationalize apps from a networking point of view. Once application rationalization is complete, micro-segmentation planning and implementation can move forward in VMware Cloud on AWS using the firewall rules Network Insight recommends. As with other datasources, this is a near-real-time look at the traffic and configurations within and external to VMware Cloud on AWS.

A major focus for Network Insight is providing underlay network visibility and monitoring. With this release, Network Insight now shows Cisco ACI entities. Simply point Network Insight at an APIC controller, and configuration details become available, including the ACI fabric, EPGs, EPG mappings, bridge domains, L2 paths to leaf nodes, and visibility as a VRF in the VM-to-VM path. SNMP-based metrics are also supported for the APIC and switches. In the VM-to-VM path above, notice that the ACI spine and leaf fabric elements are visible. Each part of the fabric can be clicked into for further configuration and status details.

Individual dashboards are available for the leaf and spine fabric (shown above), switches, EPGs, and application profiles. Finally, powerful searches can be built around each ACI entity to highlight specific configurations or scenarios. You can then add the results to a pinboard and trigger alarms if necessary. We are working on a deeper dive on ACI in a separate blog article; stay tuned.

For Cisco ASA firewalls, our goal was to provide a level of visibility into your security posture similar to what we provide for Palo Alto Networks and Check Point devices. The ASA firewall support includes visibility into security contexts, access rules, access groups, network and service objects and groups, discovery and change events, and firewall rules in the VM-to-VM path. The VRF view above shows the ASA firewall and its routing tables, with further details on the router interfaces and device configuration. Only the firewall rules that apply to the path appear in the window. Network Insight also provides broader views of ASA rules and other configurations beyond what appears in the VM-to-VM path views.

Network Insight adds dynamic and static thresholds on collected metrics. On the static side, you can trigger a notification if a metric value rises above or falls below a specific value. For example, VMs in an application encounter packet drops > 100 in a certain interval, or the traffic rate for a cluster drops below 50 Mb over an hour. Each of these conditions can trigger an alert. For dynamic thresholds, an alert can be triggered if a value deviates from its past behavior. In this scenario, an application could be monitored for changes in its traffic patterns, and if a significant deviation occurs, an alert is triggered.
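To make the difference between the two threshold types concrete, here is an added illustration (not Network Insight's own alerting code) that applies the static checks described above and a simple dynamic baseline to constructed metric samples; the mean/standard-deviation baseline, the 3-sigma cutoff, and all sample values are assumptions.

```python
"""Static vs dynamic metric thresholds (illustrative, not Network Insight's
own alerting code). All sample telemetry below is constructed."""
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass(frozen=True)
class Alert:
    metric: str
    kind: str       # "static" or "dynamic"
    value: float
    detail: str

def static_alerts(metric, samples, above=None, below=None):
    """Fire when a sample rises above `above` or falls below `below`."""
    alerts = []
    for v in samples:
        if above is not None and v > above:
            alerts.append(Alert(metric, "static", v, f"> {above}"))
        if below is not None and v < below:
            alerts.append(Alert(metric, "static", v, f"< {below}"))
    return alerts

def dynamic_alerts(metric, history, samples, sigmas=3.0):
    """Fire when a sample sits more than `sigmas` standard deviations from the
    history's mean (assumed baseline); a flat history makes any change fire."""
    base_mean, base_sd = mean(history), pstdev(history)
    alerts = []
    for v in samples:
        if base_sd == 0:
            deviates = v != base_mean
        else:
            deviates = abs(v - base_mean) / base_sd > sigmas
        if deviates:
            detail = f"baseline {base_mean:.1f} +/- {base_sd:.1f}"
            alerts.append(Alert(metric, "dynamic", v, detail))
    return alerts

# Constructed samples: packet drops per interval for an app's VMs, and a
# cluster's hourly traffic rate in Mb (past hours, then the latest hours).
PACKET_DROPS = [0, 3, 150, 2]
RATE_HISTORY = [100, 105, 95, 100, 102, 98, 101, 99]
RATE_NEW = [103, 160, 40]

def evaluate():
    """The page's two static examples plus a dynamic check on the rate: the
    160 Mb hour passes 'below 50' but is caught by the baseline; 40 trips both."""
    return (static_alerts("packet_drops", PACKET_DROPS, above=100)
            + static_alerts("cluster_rate_mb", RATE_NEW, below=50)
            + dynamic_alerts("cluster_rate_mb", RATE_HISTORY, RATE_NEW))
```

The 160 Mb spike shows why a dynamic threshold is worth having alongside static ones: it never crosses the fixed limit, yet it is far outside the cluster's normal range.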

The updated NSX-T datasource adds support for a number of new health-related events and metrics, such as connectivity issues between NSX components, the number of NSX API calls, packet drops, flow count, network rate, and byte count, to name a few. Metrics are provided for NSX-T logical switches, logical ports, router interfaces, and firewall rules. NAT is also supported, including the ability to view all SNAT, DNAT, and Reflexive (stateless) rules. In the path screenshot, NAT details include the original and translated IPs, the Service Router connection, and the in and out interfaces.

Also in this release, pinboards become a searchable entity. For example, the search pinboard where name like ‘flows’ returns every pinboard whose name includes “flows”. Pinboards can also be set as a homepage. Setting a favorite or useful pinboard as your homepage makes sure your most critical applications and metrics are front and center when needed.

Direct upgrades are supported from 3.8 and 3.9 to 4.0. The upgrade process has never been easier or faster. There are a number of other new features in the release. As I mentioned earlier, we'll be posting additional blog articles to explore this release. Keep an eye out for them, and enjoy your holidays.