As you may have read earlier this month, NSX Data Center and NSX SD-WAN by VeloCloud are part of the expanded VMware NSX portfolio to enable virtual cloud networking. A Virtual Cloud Network provides end-to-end connectivity for applications and data, whether they reside in the data center, cloud or at the edge. I wanted to follow up, and walk through an example using NSX Data Center and NSX SD-WAN of how one could build an end to end segmentation model from the data center to the branch.
NSX SD-WAN Segmentation
Beyond lowering cost and increasing agility and simplicity of branch connectivity, one of the key values provided by NSX SD-WAN by VeloCloud is enterprise segmentation, which provides isolated network segments across the entire enterprise, enabling data isolation or separation by user or line of business, support for overlapping IP addresses between VLANs and support for multiple tenants. NSX SD-WAN provides this segmentation using a VRF-like concept with simplified, per-segment topology insertion. This is accomplished by inserting a “Segment ID” into the SD-WAN Overlay header as traffic is carried from one NSX SD-WAN Edge device to another Edge. Networks on the LAN-side of an NSX SD-WAN Edge with different segment IDs cannot see each other’s routes.
NSX SD-WAN Segmentation also enables customers to apply different per-application policies to each segment, so that for instance traffic from the PCI segment is always routed across the Data Center, and handled at a high priority basis, while traffic from users on the Guest Segment using their cloud-applications is steered over the local Internet connection.
By using NSX SD-WAN both at the branch offices and in the data center, and using NSX Data Center in the data center to provide application-based network and security virtualization, customers can now extend isolated domains all the way from the branch offices to the applications hosted in the enterprise data center.
This enables an enterprise for instance to run both Guest and Employee-facing applications or both PCI and non-PCI workloads on the same platform and provide isolation to these workloads all the way into the branch.
In addition to the network-level segmentation NSX SD-WAN provides across branches and the data center, NSX Data Center provides network and security virtualization provisioned right along with the application in the data center, with micro-segmentation enabling the fine-grained security controls our customers need to achieve a least-privilege architecture.
Extending Branch Segmentation into the Data Center
In the data center, NSX Data Center can integrate with the NSX SD-WAN Edge by peering with the NSX Edge Services Gateway (ESG) on a per-segment basis. For each segment, a unique NSX ESG (or set of ESGs) can be deployed, each with its own Distributed Logical Router and logical switches. When applications are provisioned, the appropriate Logical Switches are applied to each application (tier), which provides network-level isolation between applications behind the NSX ESGs and SD-WAN Segments.
The Distributed Firewall, a component of NSX Data Center, provides micro-segmentation within each of these segments, so that applications and application instances can be isolated, and a least-privilege security model can be implemented by only allowing the flows an application needs to function (i.e. within a particular application instance, Tomcat can communicate with the database server, but only using MySQL flows). With NSX Data Center for vSphere 6.4, we introduced Layer-7 based Service Objects, allowing visibility and enforcement based on application identity in addition to the already existing enforcement based on port.
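As an added illustration (not VMware's code or any NSX API), the following constructed Python model shows how the two layers described above compose: the Segment ID decides whether a destination is reachable at all, and only then does a default-deny Distributed Firewall rule set decide whether the specific flow, such as Tomcat to the database tier on the MySQL port within one application instance, is allowed. Segment IDs, prefixes, Edge names and application names are hypothetical.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of the two isolation layers described above: SD-WAN
# segments (routes keyed by Segment ID, so segments may reuse IP space and
# still never see each other) and the Distributed Firewall inside a segment
# (default deny, explicit rules only for flows the application needs).
EMPLOYEE, PCI = 10, 20   # hypothetical Segment IDs

# (segment_id, prefix, next-hop Edge); the same prefix appears in two segments
ROUTES = [(EMPLOYEE, "10.1.0.0/16", "dc-edge-employee"),
          (PCI, "10.1.0.0/16", "dc-edge-pci")]

@dataclass(frozen=True)
class Endpoint:
    segment_id: int
    ip: str
    app: str     # application instance, e.g. "mrs-prod" (hypothetical)
    tier: str    # "web" (Tomcat) or "db" (MySQL)

@dataclass(frozen=True)
class DfwRule:
    src_tier: str
    dst_tier: str
    port: int

# Least privilege: within one application instance Tomcat may reach the
# database tier only on the MySQL port; everything else is dropped.
DFW_RULES = [DfwRule("web", "db", 3306)]

def next_hop(segment_id: int, dst_ip: str):
    """Route lookup as an Edge performs it: only routes with its Segment ID exist."""
    addr = ipaddress.ip_address(dst_ip)
    for seg, prefix, hop in ROUTES:
        if seg == segment_id and addr in ipaddress.ip_network(prefix):
            return hop
    return None

def decide(src: Endpoint, dst: Endpoint, dst_port: int) -> str:
    """Verdict for a new flow src -> dst:dst_port."""
    if src.segment_id != dst.segment_id:
        return "drop: segment mismatch"      # never routed across segments
    if next_hop(src.segment_id, dst.ip) is None:
        return "drop: no route in segment"
    for r in DFW_RULES:
        if ((r.src_tier, r.dst_tier, r.port) == (src.tier, dst.tier, dst_port)
                and src.app == dst.app):
            return "allow"
    return "drop: no DFW rule"               # default deny
```

Note that the PCI database below reuses the Employee database's IP address, yet is neither routable from nor visible to the Employee segment.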
With the same 6.4 release, the Identity Firewall feature was also expanded to support Multiple-User sessions, or Remote Desktop Session Host (RDSH).
Virtual Desktops or Remote Desktop Sessions are also commonly used to provide branch users secure access to applications hosted in the data center. Hosting Virtual Desktop Infrastructure or Remote Desktop Session Hosts in the data center reduces the need for hardware at branch locations and helps enterprises deliver a consistent user experience regardless of the physical location of the user.
In the below demo, I’m demonstrating how a hypothetical healthcare customer (Elastic Sky Healthcare) leverages NSX SD-WAN at their branch hospitals and NSX Data Center + NSX SD-WAN at their data center to provide isolated network segments for Employee, Guest and PCI users, with applications for each of these segments hosted in the data center, completely isolated from each other. On top of this enterprise-wide network segmentation, the NSX Distributed Firewall is leveraged to micro-segment the applications and application-tiers.
Finally, you will see how Elastic Sky Healthcare enables their employees to access applications in the data center through VMware Horizon Remote Desktop Services, and how different employees can access only the applications they need (for instance, medical staff can access the MRS application while IT staff can access the IT infrastructure).
This demo is just one example of how NSX Data Center and NSX SD-WAN together enable customers to streamline branch office implementations while enabling end-to-end segmentation and visibility from the data center to the branch.
If you would like to learn more about the use cases and features covered in this blog, I would recommend checking out the links below:
Good to know use-case of SD-WAN with NSX.