On the heels of announcing general availability of NSX Cloud on June 5th, we’re pleased to announce that NSX Cloud was selected as Best of Show runners-up in the cloud computing category at Interop Tokyo. The full list of all winners is available here. For those unfamiliar, Interop Tokyo is a major event of over 140,000 attendees, and this award requires an hour presentation including a demo and Q&A to the Interop Committee, so this award came with some scrutiny and we’re proud to have received it.
Let’s deep dive a little into what NSX Cloud is all about. As enterprises make the transition to a hybrid cloud model, new challenges inherent to managing this hybrid cloud model arise, including: how to extend enterprise network policies seamlessly to the cloud, how to have complete operational visibility into traffic flows across your hybrid environment, and how to maintain a consistent security policy across private and public clouds. These are key concerns for Network and Security administrators as well as cloud architects. NSX Cloud is designed to address these requirements.
NSX Cloud together with NSX Data Center provides a uniform operational model across Public Cloud and on-premises deployments. This allows Cloud IT to simplify and scale operations across a growing number of virtual networks, availability zones, regions and clouds. One can manage and monitor private cloud, and public cloud workloads, across AWS and Azure from a single, consolidated inventory view through NSX Cloud. From an operations standpoint, RESTful APIs and automation tools make it possible to programmatically provision, configure, and manage networking and security infrastructure on-demand. Having a single set of security policies spanning your hybrid cloud, the real-time network tracing, and the broad operational visibility that NSX Cloud provides to private and public cloud environments, all remain key problem-solving capabilities that are driving NSX Cloud adoption among our customers.
NSX Cloud Architecture
NSX Cloud is an on-premises product offering, deployed and managed by customers, and designed to work as an extension of NSX Data Center to provide a consistent management paradigm across private and public clouds. A quick look at the NSX Cloud architecture and how it fits into the overall NSX portfolio will provide the necessary context. NSX Cloud components can be grouped into two categories – (i) components which are installed on-premises in the on-premises data center, and (ii) components which are deployed in the cloud.
Management Plane & Control Plane
NSX Cloud’s management plane consists of NSX Manager (MP) and Cloud Service Manager (CSM). Both these components are deployed on-premises within the customer’s data center. The NSX Manager for NSX Cloud is exactly the same manager which is deployed on-premises as part of NSX Data Center. Hence, if you already have an on-premises NSX-T Data Center deployment, you will use the same manager. There is no need to deploy a separate instance of NSX Manager. As NSX Data Center and NSX Cloud will use the same NSX Manager instance, this allows you to have a true single pane of glass management and single policy across your on-premises and cloud workloads.
In addition to NSX Manager, NSX Cloud also deploys the Cloud Service Manager (CSM). The Cloud Service Manager is the management endpoint for public cloud-specific constructs. CSM enables the management and monitoring of all deployments across your public clouds, i.e., AWS and Azure, by providing a single consolidated inventory view of all accounts, regions, VPCs/VNETs and instances. It also provides real time operational network and security status of every VM that is running in the cloud. CSM also provides workflows to deploy all public cloud gateways directly through the CSM. Why do we need a separate CSM? There are multiple constructs that are unique to the public cloud, e.g., AWS accounts / Azure subscriptions, AWS VPCs / Azure VNETs, cloud regions, etc. In order to preserve this cloud topology and still be able to provide a single pane of glass for all your public cloud deployments, we developed the Cloud Service Manager. As you deploy CSM, you will register the CSM to the specific NSX Manager and henceforth, the NSX MP and CSM will work in sync as your unified management plane across your hybrid cloud.
Beyond the Management plane, we have the NSX Controller Cluster that provides the central control plane (CCP). The CCP is deployed within the customer’s datacenter and provides the same functionalities for cloud as it does for on-premises. Once again, if you already have an on-premises NSX Data Center deployment, there is no need for deploying a separate CCP. NSX Cloud will use the existing CCP already available.
Cloud Gateways and the NSX Data Plane
Beyond the centralized management and control plane components, NSX Cloud also deploys the NSX Public Cloud Gateway (PCG) in the cloud VPC/VNETs. The Public Cloud Gateway (PCG) acts as a local control plane thereby increasing resiliency and provides connectivity to the NSX Cloud Management Plane (MP) and Central Control Plane (CCP). This architecture enables NSX Cloud to withstand any hybrid connectivity outages as well. In the event of a communication issue between the on-premises NSX Manager / Controllers and the cloud, the PCG, acting as the local control plane, ensures that all security and networking policies continue to remain enforced in the cloud workloads. The PCG is deployed through the VPC / VNET onboarding workflows within CSM, without requiring additional configuration directly on the PCG appliance or through the cloud management portal. The PCG enables API-based communications between MP / CCP and the public cloud portal. The PCG also monitors the parent VPC / VNET and discovers new VMs that are instantiated. Based on your NSX Cloud configuration, you can automatically quarantine new VMs that are not secured by NSX Cloud security policies. The PCG also provides an endpoint that can offer additional networking and security functions within the VPC / VNET (more on that in a subsequent blog).
Within on-premises environments, the NSX Data Center data-plane is deployed at the hypervisor layer. However, as public cloud customers, you do not have access to the cloud hypervisors. Hence, the NSX Cloud data-plane is deployed as an agent within each cloud VM. The NSX Agent acts as the data-plane for micro-segmentation enforcement and overlay networking of workload VMs. The NSX Cloud architecture builds in specific checks and balances to ensure that the agent to PCG communication is secure (will have a separate blog post on the agent – PCG security, but in short, this ain’t your typical agent).
VMware NSX Cloud required some well thought-out architecture with clear demarcations between on-premises and cloud components. The result is consistent networking and security to on-premises and native public cloud endpoints in their hybrid cloud deployments. With our current release, we take a huge leap towards our pursuit for a Hybrid Cloud NSX solution. The good news is, we are just getting started!