
Micro-Segmentation with VMware NSX for VMware vCloud Air Network Service Providers


As a VMware vCloud® Air™ Network service provider running your cloud with VMware software, you’re probably familiar with technologies such as VMware NSX® and how they can be used to accomplish huge paradigm shifts within the enterprise data center. Micro-segmentation is one of the phenomena brought about by VMware NSX that facilitates one of these shifts—software-defined networking and security. Owning and operating a VMware-powered data center means you are also likely seeking to leverage differentiators in the VMware platform to offer new, value-add services to your customers. What might not be clear, however, is how to take a killer feature like micro-segmentation and build differentiating use cases on the platform that help customers and other partners solve many challenges.

This is the first in a series of blog posts designed to help vCloud Air Network partners do just that—offer new, differentiated services that leverage software-defined networking and security. These blog posts serve as a vehicle to introduce several forms of information. First will be the published reference architectures that match the subjects of these blogs, in this case micro-segmentation. Second, use cases based on the reference architectures will be provided. Last, the Managed Security Services Maturity Model will offer the opportunity to provide increasingly enhanced security-related services to our customers by positioning each use case at the level of the maturity model where it fits best. A separate blog on the maturity model is forthcoming.

Understanding Industry Challenges

Micro-segmentation is the ability to provide segmentation at a micro, or per-virtual-machine, level. Micro-segmentation may employ different mechanisms for different components of the virtual machine; in this blog we are discussing the virtual network component. In days past, segmentation was achieved by physically separating servers (and their network interfaces) in order to filter traffic between the tiers of an application. This is inefficient at best in a cloud computing environment, although many customers and service providers are left doing just that in the name of security, compliance, and so on. In the purest sense, then, micro-segmentation is about bringing functionally equivalent segmentation to the virtualization layer, effectively allowing virtual machines to exist in an isolated security context while consuming shared resources.

One of the fundamental challenges solved by micro-segmentation is East/West traffic in the data center. Simply put, micro-segmentation provides the ability to apply network-centric controls to virtual machines without “hairpinning” traffic, that is, without taking every packet between virtual machines and passing it through centralized firewall technologies to be filtered. This legacy approach creates immense operational challenges for managing physical network components, including VLANs, cabling, and the overall throughput of the security devices. From a security perspective, any traffic that cannot be hairpinned falls outside of policy, leaving “blind spots” in which cyber threats can communicate. While many vendors make virtual versions of their firewall and other security appliances, performance suffers because network traffic is serialized across many contexts in the virtualization stack.

To address many of these challenges, VMware NSX introduced VXLAN and the Distributed Firewall to the mix. VXLAN extends virtual Layer 2 subnets, known as “overlay” networks, over any physical Layer 3 routed network, known as the “underlay” network. In addition, VMware NSX now provides a stateful virtual firewall running in the VMware ESXi™ hypervisor memory space, right next to where network traffic is serialized to the physical network interface. This provides not only tremendous performance benefits, but also the ability to write firewall rules whose tuples are no longer bound only to the “old school” mechanisms of TCP ports, IP addresses, and so on. The VMware NSX Distributed Firewall now includes next-generation features such as Active Directory security identifiers and dynamic groups of VMware vSphere® objects, so that policies can be enforced independent of, or in addition to, the network configuration of protected virtual machines. Perhaps most important, no matter which ESXi hosts across a hybrid cloud those protected vSphere objects reside on, they are protected by those policies, enforced within the hypervisor before traffic is serialized for network I/O. To level-set readers on these concepts, see this short video:

VMware NSX Hybrid Cloud Networks and Micro-Segmentation

While this awesome new capability opens many opportunities for VMware and vCloud Air Network partners to offer something truly unique in the industry, the ways to deploy the micro-segmentation pattern must be addressed. To evaluate the critical path items, first consider the potential deployment models and the types of managed services that can be offered to aid adoption of this new method of deploying firewall security into the hybrid cloud. A prerequisite to understanding the ideal deployment model for micro-segmentation is planning how to deliver the “underlay network”, the Layer 3 path from the vCloud Air Network service provider data center to the customer premises. Once this is understood, the types of VXLAN networks, along with potential Layer 3 routes, need to be prescribed for both underlay and overlay. Each service provider decides this approach, but it has implications for how the NSX Distributed Firewall and micro-segmentation will be implemented.

For more background, recall that in vSphere 6 and VMware NSX 6.2, as detailed in the blog “Live Workload Mobility to a vCloud Air Network IaaS Provider”, VMware introduced features critical to delivering a hybrid cloud network. First was the ability for a VMware vSphere Distributed Switch™ to participate in a VXLAN network that spans VMware vCenter™ instances (VMware NSX Manager™ now supports up to eight vCenter instances). Second was cross-vCenter VMware vSphere vMotion®, which also synchronizes vSphere Distributed Switch definitions across participating vCenter instances. However, this does not come without drawbacks. In this scenario, the VMware NSX Distributed Firewall is restricted to the aforementioned legacy, or “old school”, network security tuples, known as Universal Security Groups. These Universal Security Groups allow shared management of policies and give assurance that migrated workloads carry a policy collection that is transportable across these domain boundaries (from private to public cloud). Note: Universal Services/Service Groups replicate Universal object states.

Deployment Models and Managed Services

Given the new paradigms introduced by the VMware NSX Distributed Firewall, along with the myriad ways in which hybrid cloud networks can be architected and deployed, it becomes increasingly necessary to establish “line of sight” through not only the on-boarding process but also the process of taking ownership of workloads with regard to firewall policies. A critical exercise is to decide questions such as whether or not you will support long-distance vSphere vMotion, and whether that is a one-time activity or can occur only during particular time windows. To further illustrate this point, see Figure 1 below. In this case, up to eight vCenter instances are enlisted in a replication scheme that synchronizes universal object types between them. This keeps the inventory updated with respect to virtual machine location, network connectivity, and the distributed firewall rules that will be applied.

Figure 1. Multi-vCenter Synchronized VMware NSX Universal Objects

While this provides the most freedom in terms of workload mobility, and perhaps even elastic consumption in some cases, it does so at the cost of some of the more advanced security groupings used to dynamically enforce policies, which will be discussed in future blogs. All is not lost, however, because advanced groupings and policy application are not excluded from participation. They are simply bound to a single vCenter in scope, and therefore to a single NSX Manager, on whichever side of the hybrid cloud they may lie. Because the Security Group option is available as a Universal object type, you can still group virtual machines for application of policies. However, those rules become static, as opposed to the dynamic ones used to orchestrate many NSX security-related operations.
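The scoping difference described in the two paragraphs above (Universal Security Groups with static membership that replicates across vCenter instances, versus dynamic groups bound to a single vCenter and NSX Manager) is easy to get wrong operationally. The following is an added example, not VMware code and not the NSX API: a small Python model in which a VM is migrated from a private vCenter to a provider vCenter, and the set of firewall rules that still apply at its vNIC is recomputed. The group and rule classes, tag criteria, and vCenter names are all constructed for illustration; the simplification being modelled is that a universal group matches by replicated static membership anywhere, while a local dynamic group is only evaluated by its owning NSX Manager.

```python
# Added example (not VMware's code or the NSX API): a simplified model of how
# NSX security-group membership scopes across vCenter / NSX Manager boundaries.
# Assumptions taken from the post: Universal Security Groups have static,
# explicit membership replicated to every participating vCenter; local groups
# may use dynamic criteria but exist only within their owning NSX Manager.
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class VM:
    name: str
    tags: Set[str]    # vSphere tags, used here for dynamic membership
    vcenter: str      # vCenter (and hence NSX Manager) hosting the VM right now


@dataclass
class SecurityGroup:
    name: str
    universal: bool
    # Universal: static explicit membership, replicated to all vCenters.
    static_members: Set[str] = field(default_factory=set)
    # Local: dynamic membership by tag criteria, evaluated only by the owner.
    tag_criteria: Set[str] = field(default_factory=set)
    owner_vcenter: Optional[str] = None

    def contains(self, vm: VM) -> bool:
        if self.universal:
            # Membership travels with the replicated object wherever the VM lands.
            return vm.name in self.static_members
        if vm.vcenter != self.owner_vcenter:
            # A local group is not visible to any other NSX Manager.
            return False
        return bool(self.tag_criteria & vm.tags)


@dataclass
class Rule:
    name: str
    applies_to: str   # name of the security group the rule is applied to
    service: str      # constructed service label, e.g. "tcp/3306"
    action: str       # "allow" or "block"


def effective_rules(vm: VM, groups: List[SecurityGroup], rules: List[Rule]) -> List[str]:
    """Names of the DFW rules that would be enforced at this VM's vNIC now."""
    by_name = {g.name: g for g in groups}
    return [r.name for r in rules if by_name[r.applies_to].contains(vm)]


def migrate(vm: VM, target_vcenter: str) -> VM:
    """Model a long-distance vMotion: name and tags are kept, the owner changes."""
    vm.vcenter = target_vcenter
    return vm


def scenario() -> Tuple[List[str], List[str]]:
    """Constructed hybrid-cloud scenario: private vCenter -> provider vCenter."""
    db = VM(name="db-01", tags={"tier:db"}, vcenter="vc-private")
    groups = [
        SecurityGroup("U-App-DB", universal=True, static_members={"db-01"}),
        SecurityGroup("L-DB-Tier", universal=False, tag_criteria={"tier:db"},
                      owner_vcenter="vc-private"),
    ]
    rules = [
        Rule("allow-app-to-db", "U-App-DB", "tcp/3306", "allow"),
        Rule("block-db-egress", "L-DB-Tier", "any", "block"),
    ]
    before = effective_rules(db, groups, rules)
    migrate(db, "vc-provider")
    after = effective_rules(db, groups, rules)
    return before, after


if __name__ == "__main__":
    before, after = scenario()
    print("rules before migration:", before)
    print("rules after migration: ", after)
```

Running the script shows the rule attached to the universal group still applies after the move, while the rule attached to the dynamic local group silently drops out of the VM's effective policy. That is the check a provider wants before a migration window: enumerate the rules a workload depends on, and confirm each one is attached to an object that will exist on the destination side.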

As you will see in the upcoming blogs, this full VMware NSX security context is critical for delivering increasingly greater value in terms of the security functions you are able to offload for your customers as a managed service. Although the network boundary between data centers is eliminated and the firewall and its rule set are enforced in each ESXi host, a boundary between the private cloud and the public side remains. This boundary is no longer only a network boundary but also a management boundary, consisting of objects with a universal context. The freedom given by operations like long-distance vSphere vMotion migration of virtual machines across these boundaries requires an understanding of how to take ownership of more facets of the customer workload that can benefit from security controls implemented by the provider: filesystem encryption, vulnerability scanning, or operating system patching, to name a few. This philosophy becomes critical in delivering a managed service where disruptive networking and security technology is employed.

This situation opens up opportunities to take ownership of security services management, such as the firewall, along with the greatly simplified positioning of micro-segmentation, through a managed service. This requires careful coordination of items such as workload migration and the application of security policy via Universal or standard NSX security groups. By defining optimal policies for each of the VMware NSX security realms and providing administrator sessions for customers to manage Universal objects (as Advanced Networking Services will do for VMware vCloud Director®), VMware wants vCloud Air Network partners to become Centers of Excellence for customers, delivering advanced security capabilities.

Given the shared responsibility that is required, many of the challenges in delivering micro-segmentation to the hybrid cloud are not unique. However, the opportunities for operationalizing security in a hybrid cloud model with your customers are numerous. Managing the relationship with your customers becomes an integral part of how future security-based services will be offered. This relationship management, now requiring even more diligence about what the expectations should be on all sides, includes strictly defined, measurable parameters for all security services to be delivered. With VMware NSX, its Distributed Firewall, and micro-segmentation, VMware is well on the way to delivering network security and operations in a way that changes the very nature of these concerns for the hybrid cloud from impediment to asset. All that is left is understanding and mapping the value in ways that can be effectively executed on to reduce risk and realize the hybrid cloud vision. Stay tuned for future blog posts here on the vCAT blog that will show you how to do just that.