One Stop Container Networking
Sai Chaitanya, Product Line Manager Cloud Native Apps @ NSX
Session CNA1091BU
VMworld 2017 Content: Not for publication or distribution
Disclaimer
• This presentation may contain product features that are currently under development.
• This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.
• Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.
• Technical feasibility and market demand will affect final delivery.
• Pricing and packaging for any new technologies or features discussed or presented have not been determined.
AGENDA
1. App Transformation
2. Cloud Native Networking & Security
3. NSX-T – platform for Cloud Native Apps
4. Customer Use Cases
5. Next Steps
APP TRANSFORMATION
Current app architecture – deployed in VMs:
• Web – App – DB architecture
• Traditional app server – Websphere, Weblogic, IIS
Emerging app architecture – deployed in containers on a Cloud Native App Platform:
• Microservices architecture
• Cloud Native Application platform – Kubernetes, Cloud Foundry, Mesos
CLOUD NATIVE APPLICATION PLATFORMS
Enable complete automation in app deployment: (1) deploy code → (2) app URL
Platform services: networking, monitoring, storage, security, portability, diagnosis, availability, service discovery, repeatable deployments, scheduling, identity, logging
Developers love Kubernetes and Cloud Foundry
CLOUD NATIVE APPS ON EXISTING NETWORK & SECURITY INFRA
Cloud-native apps are fast to build… but complex to put into production and integrate into the IT infrastructure and processes.
(Diagram: Data Center Network – NAT / LB – Cloud Native App Platform – Container Network)
• Current data center network & security infra don't support complete automation
• No integration with the cloud native application platform
• CNA platforms implement container networking
• Multiple networking stacks introduce operational, security & compliance challenges
CLOUD NATIVE NETWORKING & SECURITY
NSX-T
Network & Security platform for cloud native & traditional apps
• Integrated with modern application platforms
• Common operational model for traditional and cloud native
• Integrated with data center network, tools & processes
• Native "Container" Networking & Security
• Leverage existing investments
(Diagram: Physical Network & Security / NSX Network & Security)
Recommended Sessions:
• Introduction to NSX-T Architecture [NET1510BU]
• Kubernetes Networking with NSX-T Deep Dive [NET1522BU]
NSX-T & CLOUD NATIVE APPS
NSX-T 2.0 – provision & manage network like cloud native apps:
• Native Container Networking
• Microsegmentation for Containers
• Load Balancing
• Monitoring & Troubleshooting Containers
• Integration with existing tools & processes
• Reference Designs
CURRENT NETWORKING FOR CONTAINER APPS
(Diagram: NAT and LB in front of the Cloud Native App Platform's private container network)
• No direct Layer 3 reachability to the container network – need NAT
• Application identity lost on all traffic leaving the platform due to NAT
• Latency & performance bottlenecks
Note: HIPAA and PCI compliance typically use the IP address to identify the application traffic
NSX-T CONTAINER NETWORKING
• Container network integrated with the data center network with routing (BGP)
• Automated creation / deletion of container network
• Two modes – routed & private container network
(Diagram labels: 172.20.1.0/24, 172.20.2.0/24, 10.4.0.128/27; Namespace Network Type: Routed; Namespace Network Type: Private with SNAT IP 172.19.0.6, 172.20.0.0/27)
Routed Container Network
Private Container Network:
• Conserve IP address space in the core DC network
• Maintain isolation between core network & container network
• App identified using the SNAT IP address of the namespace in the core network
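As an added illustration (example code, not NSX's implementation) of why the two namespace network types above matter for the compliance point made earlier (PCI and HIPAA controls keyed on IP address): the block models what a core-network firewall or log sees as the source of container traffic under a platform-wide NAT, an NSX-T private namespace network with a per-namespace SNAT IP, and a routed namespace network, and whether that address can be mapped back to an application. The subnet labels come from the slide; their pairing with named namespaces, the legacy_* namespaces and the NAT addresses are assumptions.

```python
import ipaddress

# name: (network type, namespace network, address seen in the core network
# after translation, or None when the pod address itself is routed).
# Constructed sample: subnet labels are from the slide, their pairing with
# namespaces and the legacy_* entries are assumptions for this example.
NAMESPACES = {
    "shopping_cart": ("routed", "172.20.1.0/24", None),
    "notifications": ("routed", "172.20.2.0/24", None),
    "payments": ("private", "172.20.0.0/27", "172.19.0.6"),
    # Legacy platform: every namespace hides behind one platform-wide NAT IP.
    "legacy_web": ("platform_nat", "10.200.0.0/24", "192.0.2.1"),
    "legacy_batch": ("platform_nat", "10.200.1.0/24", "192.0.2.1"),
}

def namespace_of(pod_ip):
    ip = ipaddress.ip_address(pod_ip)
    for name, (_, net, _) in NAMESPACES.items():
        if ip in ipaddress.ip_network(net):
            return name
    raise ValueError(f"{pod_ip} is not in any namespace network")

def source_seen_in_core(pod_ip):
    """Source address a core-network firewall or log sees for a pod's traffic."""
    _, _, translated = NAMESPACES[namespace_of(pod_ip)]
    return translated or pod_ip

def identify_app(core_src_ip):
    """Map an address observed in the core network back to candidate namespaces.
    Exactly one candidate: an IP-keyed PCI/HIPAA control can attribute the flow.
    Several: identity was lost behind a shared NAT. None: not container traffic."""
    hits = [n for n, (_, _, t) in NAMESPACES.items() if t == core_src_ip]
    if hits:
        return hits
    try:
        ns = namespace_of(core_src_ip)
    except ValueError:
        return []
    # Only a routed namespace exposes pod addresses to the core network.
    return [ns] if NAMESPACES[ns][0] == "routed" else []

def can_attribute(core_src_ip):
    return len(identify_app(core_src_ip)) == 1
```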
DEMO – NSX-T ROUTED AND PRIVATE CONTAINER NETWORK
APP TRANSFORMATION & CONTAINER SECURITY
Current apps in VMs vs. microservices in containers:
• Increased attack surface – need to secure each REST endpoint
• Multiple apps share the container host – need to isolate containers at the network level (the container runtime provides process and filesystem isolation)
• Microservices access VMs and database apps – need network security that spans VM, container and bare metal
• Microservices are updated more frequently – network security infrastructure must support automation and be integrated into the application platform
MICROSEGMENTATION FOR CONTAINERS – USE CASES
(Diagram: Cloud Native App Platform – Instance 1 with namespaces shopping_cart and notifications; Cloud Native App Platform – Instance n with namespaces payments and auth; Apps & Databases)
1. Inter microservice – same cloud native platform instance
2. Inter microservice – multiple instances of CNA platform(s)
3. Microservice to VM or database app
With cloud native apps we have an opportunity to add security to the app definition – not a bolt-on.
NSX-T & CONTAINER MICROSEGMENTATION
Workflow 1: using the cloud native platform for policy definition (Cloud Native App Platform – Instance 1, namespaces shopping_cart and notifications)
1. Deploy app and network policy, e.g. Kubernetes Network Policy
2. NSX implements the K8s Network Policy using DFW and NS Groups
Kubernetes Network Policy doesn't allow securing traffic between:
• Apps in different clusters
• K8s apps and external apps
Visit the NSX booth for the K8s Network Policy demo.
NSX-T & CONTAINER MICROSEGMENTATION
Workflow 2: using NSX for policy definition (Cloud Native App Platform – Instance 1, namespaces shopping_cart and notifications)
1. Admin defines policy using NSX NS Groups (Security Groups) and Distributed Firewall rules; NS Group membership criteria – {dynamic, tags}
2. Deploy app with Kubernetes labels
3. NSX translates Kubernetes labels to NSX tags, updates NS Group membership and applies DFW rules
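Added example, not NSX or NCP code: a small Python model of Workflow 2, in which Kubernetes labels are translated to tags, NS Group membership is evaluated dynamically from those tags, and DFW rules written against the groups decide whether a flow is allowed. The label-to-tag scheme, the pods, the groups and the rules are all constructed for the example.

```python
# Added example, not NSX/NCP code: a small model of Workflow 2 above.
# Kubernetes labels become tags, NS Group membership is evaluated dynamically
# from those tags, and DFW rules written against the groups decide a flow.
# Pods, group criteria and rules below are constructed sample data.
from dataclasses import dataclass

@dataclass
class Pod:
    name: str
    namespace: str
    ip: str
    labels: dict

def labels_to_tags(pod):
    # Assumed translation: one tag per label, plus a tag for the namespace.
    return {f"ns:{pod.namespace}"} | {f"{k}:{v}" for k, v in pod.labels.items()}

def ns_group_members(criteria, pods):
    # Dynamic membership: a pod belongs if it carries every tag in the criteria.
    return [p for p in pods if criteria <= labels_to_tags(p)]

# Rule = (source group, destination group, dest port or 0 for any, action).
# First matching rule wins; `default` is the action when nothing matches.
def evaluate(rules, groups, pods, src_ip, dst_ip, dport, default="DROP"):
    by_ip = {p.ip: p for p in pods}
    src, dst = by_ip.get(src_ip), by_ip.get(dst_ip)

    def in_group(pod, gname):
        return gname == "any" or (pod is not None and pod in ns_group_members(groups[gname], pods))

    for s, d, port, action in rules:
        if in_group(src, s) and in_group(dst, d) and port in (0, dport):
            return action
    return default

# Constructed sample: the two namespaces from the slide, one allow + one deny.
PODS = [Pod("cart-1", "shopping_cart", "172.20.0.5", {"app": "cart"}),
        Pod("notify-1", "notifications", "172.20.0.40", {"app": "notify"})]
GROUPS = {"cart": {"ns:shopping_cart", "app:cart"},
          "notify": {"ns:notifications", "app:notify"}}
RULES = [("cart", "notify", 8080, "ALLOW"), ("any", "notify", 0, "DROP")]

def decide(src_ip, dst_ip, dport, pods=PODS):
    return evaluate(RULES, GROUPS, pods, src_ip, dst_ip, dport)

def scale_out(pods=PODS):
    # A new replica carrying the same labels joins the group with no rule edits.
    return pods + [Pod("cart-2", "shopping_cart", "172.20.0.6", {"app": "cart"})]
```

scale_out() shows the point of dynamic membership: a replica added with the same labels is covered by the existing rule without any policy change.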
NSX-T LOAD BALANCING FOR CONTAINERS
(Diagram: Cloud Native App Platform with namespaces user_auth 172.20.0.0/27 and shopping_cart 172.20.0.32/27)
Kubernetes:
• Inter microservice – NSX-T implements the K8s Service using OVS
• External to K8s – interoperates with external load balancers (Nginx, F5)
Cloud Foundry:
• Inter microservice – client side, e.g. using Eureka in Spring Cloud Services
• External to CF – GoRouter (Layer 7 router; the LB is not pluggable in CF)
CLOUD NATIVE APP ON DATA CENTER NETWORK
DEMO: CLOUD NATIVE APP ON DATA CENTER N/W
(Diagram: Kubernetes namespace yelb with yelb-ui and yelb-app on 172.20.0.0/27; Redis database on 172.30.0.0/27)
• Kubernetes integration
• Automated provisioning of network, security and load balancing as part of app deployment
• Security across containers and VMs
• Common troubleshooting tooling for containers and VMs
• Native container networking
DEMO: CLOUD NATIVE APP ON DATA CENTER N/W – Networking, Security & Load Balancing configured as part of application deployment
MONITORING FOR CLOUD NATIVE APPS
Container cluster and app context in NSX:
• Send / receive stats for unicast, broadcast/multicast and dropped traffic
• Traffic mirroring
• Rule statistics – packets, bytes, sessions
• Syslog
• NSX Traceflow – simulate app traffic between containers and / or VMs and identify failure points
• NSX Search – correlates app and infrastructure instantaneously, enabling efficient incident response
LOGINSIGHT INTEGRATION FOR CONTAINERS
MONITORING MICROSEGMENTATION WITH LOGINSIGHT – VM AND CONTAINER
LIFT & SHIFT – THE EARLY USE CASE
Chart:
• 2016 – 80: lift & shift existing apps / 20: new cloud native apps
• 2020 – 50: lift & shift existing apps / new cloud native apps
Source: IDC Doc US41663716 – Enterprise Interview Results: Container Software Strategies Point to Long-Lasting Virtualization Synergies
"By 2020 we would like to migrate 80% of our J2EE apps from Websphere to Kubernetes. We would like to do this with minimal or no changes to network services (Load Balancer, Firewall) design" – Network Architect, Global Financial
Container Cluster & Application context in NSX
F5 AND NSX-T CONTAINER NETWORK
Reference topology (diagram labels):
• Kubernetes cluster: K8s master & node VMs k8s-master, k8s-node1, k8s-node2 (.10, .11, .12)
• k8s-mgmt logical switch, 10.0.1.0/24 – used to connect the node management interfaces to the outside world
• k8s-node-vifs logical switch – not connected to any logical router (black hole network)
• Namespace networks carved from the K8s IP block 10.4.0.0/14, behind NSX-T1 routers: NS kube-public 10.4.0.0/27, NS kube-system 10.4.0.32/27, NS default 10.4.0.64/27 (pre-existing logical topology for Kubernetes 'out-of-the-box' namespaces)
• NSX-T0 – NAT IP pool 172.19.0.0/24
• NSX Edge (One-cloud) and vPodRouter on 192.168.100.0/24 (.1, .3); eBGP session between AS 65001 and AS 65002
• BIG-IP platform 192.168.100.100
ADDRESSING PCI DSS 3.2 WITH VMWARE NSX-T
A Micro-Audit of NSX-T Segmentation for Microservices Containers and Virtual Machines
• Validation Exercises
– Inter and intra container environment segmentation testing
• Across Kubernetes namespaces
• Within a Kubernetes namespace (representative of unique services (pods and containers) that support a single-entity microservice deployment)
– Container to Virtual Machine segmentation testing
– Automation of policy enforcement in support of orchestrated auto-scaling and remediation processes
– Capability of SpoofGuard for traffic validation and prevention of man-in-the-middle ARP poisoning attacks
– Investigation of distributed network encryption to protect sensitive application data in transit
Publishing in September 2017
NSX-T MICRO-AUDIT RESULTS
• NSX-T distributed firewall provided segmentation via micro-segmentation to sufficiently isolate and separate the CDE (cardholder data environment) from non-CDE, both in the container environment and in the virtual machine environment
• NSX-T distributed firewall provided adequate control capabilities between services and tiers for multi-tier/multi-faceted microservice applications in the CDE, both within the container namespace and across to virtual machines
• Dynamic membership of network security groups (NSGroups) allows for automation of policy application for microservices scaling
• NSX-T SpoofGuard was found to be effective in blocking ARP poisoning attacks executed from the Kali Linux instance
• NSX-T distributed network encryption may be useful for providing additional control over cardholder data transmissions within the cardholder data environment
CUSTOMER USE CASES
GLOBAL RETAILER – Scaling e-commerce platform
"We need direct Layer 3 routing between F5 and the frontend PODs on Kubernetes. Direct routing enables us to identify which POD gets accessed at a specific time just looking at the logs, simplifying troubleshooting and security. It gives us the visibility that our security team needs on PCI environments" – PaaS architect
#3 retailer in the world, 7k shops, 24 B in sales
GLOBAL FINANCIAL SERVICES FIRM – Embracing open banking in a secure, compliant way
"We would like to use NSX-T as our Container Firewall as it provides us the ability to segment container-to-container & container-to-vm traffic" – VP & Head of IT
NSX AND CLOUD NATIVE APPS
Developer Productivity (operationalize containers) + Security & Compliance (re-use tool & process investments) = Platform for Digital Transformation
NEXT STEPS
Learn:
• Hands on Lab: VMware NSX-T with Kubernetes [ELW182602U]
• VMware Network Virtualization Blog
• VMware NSX YouTube channel
Use:
• POC Guide: https://communities.vmware.com/community/vmtn/nsx
Contact:
• NSX sales
• @vmwarensx
THANK YOU