NSX-T has seen great success in the market for multi-platform network and security use cases, including automation, multi-cloud adoption, and containers, as customers move through their digital transformation initiatives. NSX-T is the industry’s only network and security platform delivering a wide range of L2-L7 services, built from the ground up for workloads running on all types of infrastructure – virtual machines, containers, physical servers, and both private and public clouds.
This year, we are hyper-focused on innovation and on bringing transformative capabilities to market through NSX-T, which is the foundation for both our VMware NSX Data Center and NSX Cloud offerings. This release of NSX-T further strengthens our intrinsic security capabilities, architected directly into the networks and the public and private cloud workloads that applications and data live on, reducing the attack surface. This version also keeps up the accelerated pace of innovation we are delivering on scalability, cloud-native support, and operational simplicity, which can accelerate customers’ adoption of a Virtual Cloud Network architecture.
Key Focus Areas in NSX-T 2.5
Launching NSX Intelligence – A Native, Distributed Analytics Engine
Analytics-based policy recommendation and compliance, streamlined security operations
NSX Intelligence is a distributed analytics engine that provides continuous, data-center-wide visibility for network and application security teams, helping deliver a more granular and dynamic security posture, simplify compliance analysis, and streamline security operations.
Traditional approaches involve sending extensive packet data and telemetry to multiple disparate centralized engines for analysis, which increases cost and operational complexity and limits the depth of analytics. In contrast, NSX Intelligence, built natively within the NSX platform, distributes the analytics within the hypervisor on each host, sending back only the relevant metadata to a scale-out, lightweight appliance for visualization, reporting, and building machine-learning models.
Combining this with the deep workload and network context unique to NSX, the engine provides detailed application topology visualization, automated security policy recommendations, continuous monitoring of every flow, and an audit trail of security policies, all built into the NSX management console for a single-pane-of-glass experience.
NSX Intelligence: Flow-based Visualization and Automatic Policy Recommendation
NSX Intelligence, the crown jewel of the NSX-T 2.5 release, is making a big splash at VMworld 2019 US. Watch this space for a detailed blog on NSX Intelligence in a few weeks.
Hybrid Cloud Networking and Security with NSX Cloud
New operational mode adds choice and flexibility for customers
NSX Cloud offers customers a new model for multi-cloud network management that provides consistent networking and security for applications running natively in the public cloud, and across multiple public clouds. When paired with NSX Data Center, NSX Cloud provides operators a single view of networking services and security policies that are applied to all workloads, whether on VMs running in a private data center, or workloads hosted in AWS or Azure.
With NSX-T 2.5, we are building upon the success of NSX Cloud and introducing a new deployment and operational mode referred to as the Native Cloud Enforced mode. This mode provides a consistent policy model across the hybrid cloud network and reduces overhead by eliminating the need to install NSX tools in workload VMs in the public cloud. The NSX security policies are translated into the cloud provider’s native security constructs via APIs, enabling common and centralized policy enforcement across clouds.
In contrast to the new mode, the original mode of operation, the NSX Enforced mode, leverages NSX tools for uniform and granular policy enforcement. This mode provides truly consistent policy across clouds, directly controlled by NSX, regardless of the discrepancies between cloud providers’ native constructs or the unique characteristics of each cloud provider’s security controls.
Each of these modes has its own set of advantages, giving customers the flexibility to choose the option that best meets their needs. Today, NSX Cloud is the only hybrid cloud solution in the market to support both an agent-based and an agentless mode of operation.
Native Cloud Enforced mode in NSX Cloud on Azure
Keep an eye out for a detailed blog post discussing the full set of NSX Cloud capabilities in NSX-T 2.5.
Security Enhancements and Compliance
NSX-T achieves FIPS 140-2 compliance!
As a long-time software provider for the US Federal Government, VMware is committed to delivering products and services that meet various regulatory compliance requirements and can support the most secure and sensitive environments. We are proud to announce that NSX-T 2.5 has completed FIPS testing and is officially FIPS compliant. Starting with NSX-T 2.5, customers can generate a FIPS compliance report, and can configure and manage their NSX deployments in FIPS-compliant mode.
FIPS compliance has been widely adopted around the world in both governmental and non-governmental sectors (e.g. financial services, utilities, healthcare), as well as by Fortune 100 companies, as a practical security benchmark and a realistic best practice. Stay tuned for a detailed blog post on FIPS in the coming weeks!
Bolstering the intrinsic security arsenal with Layer 7, VPN, and more
The explosion of new, complex application architectures requires sophisticated defense mechanisms that understand application services and implement strategies like micro-segmentation to reduce the attack surface of the network. Earlier this year, VMware introduced the Service-defined Firewall at RSA. The Service-defined Firewall is a combination of NSX and AppDefense designed specifically to mitigate threats inside a data center or cloud network. NSX-T delivers security to diverse endpoints such as VMs, containers, and bare metal, as well as to various cloud platforms.
In this release, NSX-T continues to amp up its ability to deliver consistent, pervasive connectivity and intrinsic security for applications and data across any environment.
Extending Layer 7 support to NSX Edge Firewall and KVM environments
A deeper level of application visibility and control is required as applications have become more complex. NSX-T supports rich security enforcement capabilities such as L4-L7 stateful distributed firewalling (DFW), Identity/User ID firewalling, and FQDN/URL allowlisting.
This release brings the ability to apply Layer 7 application ID-based or context-aware rules to the NSX edge (gateway) firewall for north-south traffic.
NSX-T 2.5 also enables support for Layer 7 application ID-based DFW in KVM environments, further strengthening the platform’s multi-hypervisor capabilities.
VPN Enhancements for Multi-tenancy
With this enhancement, cloud providers, such as VMware Cloud Provider partners, can easily scale their multi-tenant cloud solutions. They can now provide per-tenant IPsec VPN connectivity, resulting in better tenant isolation and a more scalable architecture. Previously, IPsec connectivity was supported only on Tier-0 gateways.
Packet Mirroring for East-West Traffic Monitoring (via Service Insertion)
NSX-T now supports forwarding a duplicate copy of packets to a partner Service Virtual Machine (SVM), such as Gigamon or NETSCOUT, for inspection, monitoring, or collection of statistics. This eliminates the need to pass the original packets through the network monitoring service, avoiding added latency and making the monitoring process seamless and non-intrusive.
Additionally, we have added several security enhancements such as multiple App-ID profiles per rule, FQDN/URL on KVM, and context/metadata subscription for north-south Service Insertion.
Simplified Operational Experience
Driving toward a better user experience with enhanced firewall operations and dashboards
How does NSX bring the public cloud experience to on-premises data centers? By making operations simple and consistent. One thing we set our mind to early on was improving the user experience at every level – UI, dashboards, APIs, systems – and for all users – network and security admins, sysadmins, DevOps, developers. This release brings several enhancements that make it easier to operate seamlessly from a Day 2 perspective.
Streamlining Firewall Operations: This capability provides the ability to save DFW rule configuration as drafts (both automatic and manual) and revert or roll back to a previous configuration if needed, simplifying troubleshooting and remediation. Several cool features are included, such as draft cloning, multi-user drafting and locking, and adjustable timeline and search functionality.
Distributed Firewall Config: Auto/Manual Drafts, Rollbacks
Capacity Monitoring Dashboard: This release adds several improvements and additional metrics to the capacity dashboard, which shows the number of objects configured (such as Logical Switches, T0/T1 Logical Routers, DHCP Server instances, and system-wide NAT rules) relative to the maximum supported in the product.
Industry Leadership, Joint Engagements, New Avenues
NSX continues to be a disruptor in the networking and security space. NSX is a core element of many VMware solutions such as VMware Cloud Foundation, VMware Cloud on AWS, and VMware vCloud NFV. NSX is also at the center of many of VMware’s strategic partnerships and joint solutions with companies such as AWS, Azure, Dell Technologies, Google Cloud, and IBM Cloud. The most recent ones include the VMware Cloud on Dell EMC solution launched at Dell Tech World and the Azure VMware Solutions, which became generally available in May this year. And last year, the VMware-AWS partnership reached a new level with the announcement of two new solutions – VMware Cloud on AWS Outposts and VMware Cloud Foundation for Amazon EC2.
This release expands the breadth and depth of several use cases in security, automation, multi-cloud networking, and cloud-native applications. The Virtual Cloud Network is the ultimate destination for customers, supported by NSX-T to enable consistent networking and intrinsic security for workloads of any type (VMs, containers, bare metal) located anywhere (data center, cloud, edge). Watch this space for a series of deep-dive blogs on some of the key capabilities supported in this release, NSX-T 2.5.
Hope you have a great time at VMworld 2019 US!
- NSX-T 2.5 Direct Download, Download Page, Documentation Link
- NSX-T 2.4 Release Blog
- NSX Cloud Lightboard videos
- Get started with a Beginner or Advanced NSX Hands-On-Lab (HOL)
- VMware product page, customer stories, and technical resources
- VMware NSX YouTube Channel, including 40+ Light Board videos!
- Contact your VMware sales representative for an overview and demonstration of NSX-T