
Developer-Ready Infrastructure with Pivotal Cloud Foundry and VMware NSX

A funny thing happened on the way to the public cloud: your enterprise data center improved a lot.

The new battleground for business is rapid software delivery. Automation means speed, the more the better.

IT and business leaders took these trends to heart. They paired up, and listened to the needs of developers. They bought and integrated the right solutions. The output of this collaboration: a full stack, running on-premises. A collection of services delivered by a platform *and* infrastructure – “developer-ready infrastructure” if you will.

What's powering the revitalized enterprise data center? Often, it's Pivotal Cloud Foundry (PCF) and virtualization tech from VMware.

An app-centric platform drives the "build, deploy, operate" workflow for cloud-native apps. Developers enjoy a familiar self-service model, without thinking about infrastructure. And the package is price-competitive with public clouds.

Thanks to the souped-up data center, devs can now focus on what adds value to the business: their code!

Automation (Almost) Everywhere

PCF manages runtime dependencies and delivers high availability. Developers no longer fret about logs or scaling – the platform does it all for them. Operators use VMware vSphere® to run pools of compute and VMware vSAN™ to manage virtual disks at scale.

Delivering IT services is frictionless. Automated capabilities are everywhere. Well, almost everywhere.

There's still the physical network. In some data centers, network admins must fiddle with routers, load balancers, firewalls, and switches. This is often the last vestige of manual work, the part most orgs have yet to abstract.

That's where VMware NSX™ comes in.

Software-Defined Awesome

Thanks to vSphere, there's no need to manage physical servers. VMware NSX does the same for the network. It reproduces the entire network with software.

Use NSX to create virtual networks, switches, firewalls, and load balancers at will. Change network components as easily as VM components. This is exciting stuff, and many of your peers already use this tech.

PCF is an opinionated platform that transforms how teams work. And it plugs right into the NSX model. That means it's easier to set up, secure, and manage network traffic into (and out of) your PCF deployment. Here's how this works in practice.

A logical reference architecture for Pivotal Cloud Foundry atop VMware vSphere with NSX, featuring three clusters.

How does NSX make PCF better? Let's take a look!

  • Instantly provision your initial PCF network. Before you deploy PCF for the first time, run a custom install script. This creates your network topology, load balancers, routers, and NAT devices. There's no need to wait days or weeks for physical provisioning of these elements. NSX does it for you.

  • Cookie-cutter repeatability ends configuration drift. As your PCF footprint grows, each installation will look the same. You've built a template for the network design. Every PCF install is identical, predictably deployed and fully isolated the same way. This may be the single most potent element of an NSX-powered PCF install available today.

  • Firewall rules are far simpler to manage. Define rules once, centrally, and NSX enforces them at the edge of each PCF deployment. Because NSX automates firewall deployment and policy enforcement, even the most complex rule sets are easier to maintain over time.

  • Verify compliance with at-a-glance inspection of traffic flows. Does your PCF workload need to meet certain network isolation requirements? No problem! NSX and complementary tools deliver complete visibility to all network traffic. This real-time view shows you how packets move through your network. It's easy to confirm that the apps that need to run in isolation actually do run in isolation! Satisfying internal and external audits is a snap.

  • Built-in high availability for load balancers and firewalls. PCF includes four levels of HA. This offers failover protection through the platform for your app. But what about the network? NSX delivers native HA for load balancers and firewalls, so it's easier to meet SLAs.

That's the upside of NSX in your PCF deployment. Without NSX, there's more manual effort and cost. For vSphere environments, these are the common bottlenecks:

  • Network engineers must create VLANs, physical firewalls, and load balancers manually. Configuration and modifications are manual as well. These requests can take weeks or months to fulfill.

  • Physical firewalls and their ongoing human management increase cost.

  • Every network change is manual. This introduces risk.

  • Every new PCF installation is bespoke, reducing efficiency.

In years past, these bottlenecks were part of doing business. Now, they delay the time-to-value for your custom code.

Zero Trust Please!

We have many customers running PCF and NSX, and in recent months a common theme in their feedback has been a desire to apply the Zero Trust model in their data centers. Zero Trust drops the distinction between a "trusted" internal network and an "untrusted" external one: all network traffic is treated as untrusted, and every flow must be explicitly allowed. Why is this so popular? Two reasons. First, enterprise architectures are growing in complexity, and a two-zone model is much harder to enforce when things change rapidly. Second, the threat landscape is evolving quickly. A network that is trusted today could be compromised tomorrow.

To this end, we're pleased to announce two new features in PCF 1.10 that help NSX customers improve their security posture.

Trusted and verifiable network isolation segments. This feature is critical in highly secure and regulated environments. Workloads with sensitive data can be subject to compliance and accreditation standards. Often, these apps must run isolated from other apps and traffic. That's why we introduced isolation segments in PCF 1.10.

Now, operators can easily configure networks for application deployment that are separate from other workloads. With NSX, users can see how network traffic flows through PCF. Verification of the required isolation is instant. Enforcing isolation policies – and proving compliance – in traditional networks is far more difficult.

Operators use isolation segments in PCF 1.10 to deploy specific workloads to isolated networks.

Check out how network isolation segments work in Pivotal Cloud Foundry today.

Container-to-container (C2C) networking. With this feature, PCF apps can directly communicate with each other. Developers can tailor networking policies for app-to-app interactions, boosting security. No more whitelisting traffic, no more public routes for private apps!

Over time, administrators will be able to use "C2C networking" to enforce even more granular controls. Want to limit specific apps so they only access specific services? You can do that with future support for controls down to the CIDR, protocol, and port level.

These programmatic controls are a best practice for an enterprise. With thousands of apps and hundreds of users, what can you trust? Zero!

C2C networking has many other benefits. You gain comprehensive, policy-driven app security and support for multiple TCP/UDP ports. There's no need to hairpin through the Gorouter, so latency goes down.

Want to extend NSX security policies to your PCF apps? This support is coming soon with an NSX CNI plugin that integrates with container networking. That's the advantage of C2C networking's pluggable design!

This feature is beta in PCF 1.10. You can enable this capability in the Elastic Runtime Tile via self-service.
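To make the default-deny behaviour described above concrete, here is an added example (not code from this post, from Pivotal, or from the cf-networking project) that evaluates a set of container-to-container policies. The JSON shape mirrors the cf-networking policy-server format (source id, destination id, protocol, port range), but the app GUIDs and the policies themselves are constructed for this example, and the evaluator is a model of the rule semantics, not the platform's own implementation. It shows the three properties a practitioner relies on: no matching policy means the flow is dropped, policies are directional, and a policy only opens the stated protocol and port range.

```python
"""Default-deny evaluation of container-to-container (C2C) network policies.

Added example, not code from Pivotal or the cf-networking project. The policy
JSON below follows the shape of the cf-networking policy-server API (source
id, destination id, protocol, port range); the app GUIDs and the sample
policies are constructed for this example.
"""
import json
from dataclasses import dataclass
from typing import List

# Constructed sample policy document. GUIDs are made-up placeholders.
POLICY_JSON = """
{
  "policies": [
    {"source": {"id": "web-guid"},
     "destination": {"id": "api-guid", "protocol": "tcp",
                     "ports": {"start": 8080, "end": 8080}}},
    {"source": {"id": "api-guid"},
     "destination": {"id": "cache-guid", "protocol": "tcp",
                     "ports": {"start": 6379, "end": 6380}}}
  ]
}
"""


@dataclass(frozen=True)
class Policy:
    source: str       # app GUID allowed to initiate the connection
    destination: str  # app GUID that may receive it
    protocol: str     # "tcp" or "udp"
    port_start: int   # inclusive port range on the destination
    port_end: int


def parse_policies(raw: str) -> List[Policy]:
    """Parse the policy document, rejecting malformed entries outright.

    A silently skipped bad entry would widen or narrow the allow-list without
    anyone noticing, so malformed input is an error, not a warning.
    """
    doc = json.loads(raw)
    policies = []
    for entry in doc["policies"]:
        dst = entry["destination"]
        proto = dst["protocol"].lower()
        start, end = int(dst["ports"]["start"]), int(dst["ports"]["end"])
        if proto not in ("tcp", "udp"):
            raise ValueError(f"unsupported protocol {proto!r} in {entry}")
        if not (1 <= start <= end <= 65535):
            raise ValueError(f"invalid port range {start}-{end} in {entry}")
        policies.append(Policy(entry["source"]["id"], dst["id"], proto, start, end))
    return policies


def is_allowed(policies: List[Policy], src: str, dst: str,
               protocol: str, port: int) -> bool:
    """Zero-trust default: with no matching policy the flow is denied.

    Policies are directional (src -> dst) and match only on the exact
    protocol and a port inside the configured range.
    """
    protocol = protocol.lower()
    return any(
        p.source == src and p.destination == dst
        and p.protocol == protocol
        and p.port_start <= port <= p.port_end
        for p in policies
    )


def evaluate_sample() -> dict:
    """Evaluate a few constructed flows against the sample policies."""
    policies = parse_policies(POLICY_JSON)
    checks = {
        "web->api tcp/8080":   ("web-guid", "api-guid", "tcp", 8080),
        "api->web tcp/8080":   ("api-guid", "web-guid", "tcp", 8080),  # reverse direction
        "web->api tcp/8081":   ("web-guid", "api-guid", "tcp", 8081),  # port outside range
        "web->api udp/8080":   ("web-guid", "api-guid", "udp", 8080),  # wrong protocol
        "api->cache tcp/6380": ("api-guid", "cache-guid", "tcp", 6380),
        "web->cache tcp/6379": ("web-guid", "cache-guid", "tcp", 6379),  # no policy at all
    }
    return {name: is_allowed(policies, *flow) for name, flow in checks.items()}


if __name__ == "__main__":
    for name, allowed in evaluate_sample().items():
        print(f"{name:22s} {'ALLOW' if allowed else 'DENY'}")
```

Note that `web->cache` is denied even though `web` may reach `api` and `api` may reach `cache`: policies do not compose transitively, which is exactly the property that keeps a compromised front end from reaching a back-end data store it was never granted.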

Take an App-Centric View

You become a digital disrupter with microservices, continuous delivery, and a DevOps culture. Focus on these three concepts, and you'll capitalize on your cloud-native application opportunity. And with the right investments, your data center can remain a viable place to run your apps in the years ahead.

Read more about developer-ready infrastructure in this blog post from VMware.

Want to learn more about how PCF and NSX are better together? Our engineers and architects have reference architectures for PCF and NSX. Review them today!

Interested in a more complete look at reference architectures with VMware NSX? Check out a new whitepaper Pivotal Cloud Foundry – Secure, Hybrid Banking Reference Architectures.

Learn more about the most recent release of Pivotal Cloud Foundry.

Supporting Quotes

"Developer-ready infrastructure provides the technology bridge to support the people, processes and culture changes required by organizations for IT operations and developer teams to successfully embrace cloud-native development practices. Combining VMware's container-native infrastructure with Pivotal's cloud-native application platform enables IT to deliver developer-ready infrastructure that enables developers to deploy the right software, faster and more frequently by eliminating the drag of traditional operational concerns. Together, our mutual customers benefit from an ecosystem of developer-friendly products and services combined with enterprise agility, automation, and security."
– Milin Desai, vice president of products, networking and security business unit, VMware