CNA1091BU – One Stop Container Networking
Sai Chaitanya, Product Line Manager, Cloud Native Apps @ NSX
#VMworld #CNA1091BU
VMworld 2017 Content: Not for publication or distribution


Page 2: Disclaimer

• This presentation may contain product features that are currently under development.
• This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.
• Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.
• Technical feasibility and market demand will affect final delivery.
• Pricing and packaging for any new technologies or features discussed or presented have not been determined.

Page 3: AGENDA

1. App Transformation
2. Cloud Native Networking & Security
3. NSX-T – platform for Cloud Native Apps
4. Customer Use Cases
5. Next Steps

Page 4: APP TRANSFORMATION

Figure: Web – App – DB tiers, each an OS + APP stack on a VM, next to a Cloud Native App Platform.

Current App architecture (deployed in VMs):
• Web – App – DB architecture
• Traditional app server – Websphere, Weblogic, IIS

Emerging App architecture (deployed in Containers):
• Microservices architecture
• Cloud Native Application platform – Kubernetes, Cloud Foundry, Mesos

Page 5: CLOUD NATIVE APPLICATION PLATFORMS

Enable complete automation in app deployment

Figure: Cloud Native App Platform – (1) Deploy code, (2) App URL. Platform capabilities shown: Networking, Monitoring, Storage, Security, Portability, Diagnosis, Availability, Service Discovery, Repeatable Deployments, Scheduling, Identity, Logging (Kubernetes).

Developers love Kubernetes and Cloud Foundry

Page 6: CLOUD NATIVE APPS ON EXISTING NETWORK & SECURITY INFRA

Cloud-native apps are fast to build…but complex to put into production and integrate into the IT infrastructure and processes

Figure: Data Center Network – NAT / LB – Cloud Native App Platform – Container Network

• Current data center network & security infra don’t support complete automation
• No integration with cloud native application platform
• CNA platforms implement Container networking
• Multiple networking stacks introduce Operational, Security & Compliance challenges

Page 7: CLOUD NATIVE NETWORKING & SECURITY

Page 8: NSX-T

Network & Security platform for cloud native & traditional apps

• Integrated with modern application platforms
• Common operational model for traditional and cloud native
• Integrated with data center network, tools & processes
• Native “Container” Networking & Security
• Leverage existing investments

Figure: Physical Network & Security / NSX Network & Security

Recommended Sessions
• Introduction to NSX-T Architecture [NET1510BU]
• Kubernetes Networking with NSX-T Deep Dive [NET1522BU]

Page 9: NSX-T & CLOUD NATIVE APPS

NSX-T 2.0
• Native Container Networking
• Microsegmentation for Containers
• Load Balancing
• Monitoring & Troubleshooting Containers
• Integration with existing tools & processes
• Reference Designs

Provision & manage network like cloud native apps

Page 10: NSX-T & CLOUD NATIVE APPS (NSX-T 2.0)

Page 11: CURRENT NETWORKING FOR CONTAINER APPS

Figure: Cloud Native App Platform with a Private Container Network, reached from outside only through NAT and a LB.

• No direct Layer 3 reachability to Container Network – need NAT
• Application identity lost on all traffic leaving the platform due to NAT
• Latency & Performance bottlenecks

Note: HIPAA and PCI compliance typically use IP address to identify the application traffic.

Page 12: NSX-T CONTAINER NETWORKING

• Container Network integrated with Data Center Network with routing (BGP)
• Automated creation / deletion of container network
• Two modes – routed & private container network

Figure: Cloud Native App Platform with namespace networks 172.20.1.0/24, 172.20.2.0/24, 10.4.0.128/27 and 172.20.0.0/27; labels “Namespace Network Type : Routed” and “Namespace Network Type : Private” (SNAT IP 172.19.0.6).

Routed Container Network

Private Container Network
• Conserve IP address space in core DC network
• Maintain isolation between core network & container network
• App identified using SNAT IP address of the namespace in core network
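The difference between the two modes matters most when someone in the core network (a firewall, an IDS, a PCI or HIPAA auditor) has to answer “which application sent this packet?” from nothing but a source IP. The following is an added example, not code from the deck or from NSX: it models what survives into the core network in each mode and attributes a few constructed firewall log lines accordingly. The subnets reuse the slide’s figure values, but which of them is routed and which is private, the SNAT IP assignment, the log line format and the `platform_nat_ip` case (the single NAT IP of the “current networking” slide) are all assumptions made for the example.

```python
"""Attribute core-network source IPs to container namespaces under the routed and
private container network modes. Added example; all values are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class NamespaceNet:
    name: str
    subnet: str                    # container network of the namespace
    mode: str                      # "routed" or "private" (assumed encoding)
    snat_ip: Optional[str] = None  # present only for private namespaces


@dataclass(frozen=True)
class Attribution:
    namespace: Optional[str]
    pod_ip: Optional[str]   # known only when the pod IP survives into the core network
    granularity: str        # "pod", "namespace", "platform-nat" or "unknown"


def attribute(src_ip: str, nets: List[NamespaceNet],
              platform_nat_ip: Optional[str] = None) -> Attribution:
    """Map a source IP seen in the core network back to a namespace.

    routed   : the pod IP is routed end to end, so the pod itself is identifiable
    private  : only the namespace SNAT IP is visible, so identity stops at namespace
    platform : one NAT IP for the whole platform, so application identity is lost
    """
    ip = ipaddress.ip_address(src_ip)
    for n in nets:
        if n.mode == "routed" and ip in ipaddress.ip_network(n.subnet):
            return Attribution(n.name, src_ip, "pod")
        if n.mode == "private" and n.snat_ip and ip == ipaddress.ip_address(n.snat_ip):
            return Attribution(n.name, None, "namespace")
    if platform_nat_ip and ip == ipaddress.ip_address(platform_nat_ip):
        return Attribution(None, None, "platform-nat")
    return Attribution(None, None, "unknown")


# Constructed namespace layout (the routed/private split is an assumption).
NETS = [
    NamespaceNet("shopping_cart", "172.20.1.0/24", "routed"),
    NamespaceNet("payments", "172.20.2.0/24", "routed"),
    NamespaceNet("notifications", "172.20.0.0/27", "private", snat_ip="172.19.0.6"),
]

# Constructed core-network firewall log lines; the format is invented for the example.
LOG_LINES = [
    "2017-08-28T10:00:01 ALLOW src=172.20.1.17 dst=10.10.5.20 dport=5432",
    "2017-08-28T10:00:02 ALLOW src=172.19.0.6 dst=10.10.5.20 dport=5432",
    "2017-08-28T10:00:03 DROP src=172.19.0.9 dst=10.10.5.20 dport=5432",
]


def parse_src(line: str) -> str:
    """Pull the src= field out of one constructed log line."""
    for field in line.split():
        if field.startswith("src="):
            return field[len("src="):]
    raise ValueError(f"no src= field in line: {line!r}")


def attribute_log(lines: List[str], nets: List[NamespaceNet],
                  platform_nat_ip: Optional[str] = None) -> List[Attribution]:
    """Attribute every line; a private-namespace hit tells the responder to go to
    the platform's NAT records to get from namespace down to the individual pod."""
    return [attribute(parse_src(line), nets, platform_nat_ip) for line in lines]


if __name__ == "__main__":
    for line, result in zip(LOG_LINES, attribute_log(LOG_LINES, NETS, "172.19.0.9")):
        print(line, "->", result)
```

The routed case is the one the compliance note on the previous slide is about: the pod IP in the log is the pod IP in the cluster, so no NAT table has to be consulted. The private case still gives namespace-level attribution via the per-namespace SNAT IP, which is the point of the last bullet above; only a platform-wide NAT IP gives nothing.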

Page 13: DEMO – NSX-T ROUTED AND PRIVATE CONTAINER NETWORK

Page 14: NSX-T & CLOUD NATIVE APPS (NSX-T 2.0)

Page 15: APP TRANSFORMATION & CONTAINER SECURITY

Moving from Current Apps in VMs to Microservices in Containers – what changes, and what network security must provide:

• Increased attack surface → Need to secure each REST endpoint
• Multiple apps share the container host → Need to isolate containers at the network level (container runtime provides process and filesystem isolation)
• Microservices access VMs and database apps → Need Network Security that spans VM, Container and baremetal
• Microservices are updated more frequently → Network Security infrastructure must support automation and be integrated into the application platform

Page 16: MICROSEGMENTATION FOR CONTAINERS – Use Cases

Figure: Cloud Native App Platform – Instance 1 (namespaces shopping_cart, notifications); Cloud Native App Platform – Instance n (namespaces payments, auth); Apps & Databases.

1. Inter Microservice – same cloud native platform instance
2. Inter Microservice – multiple instances of CNA platform/s
3. Microservice to VM or Database app

With Cloud Native apps we have an opportunity to add security to app definition – not a bolt on

Page 17: NSX-T & CONTAINER MICROSEGMENTATION

Workflow 1 : using cloud native platform for policy definition

Figure: Cloud Native App Platform – Instance 1 (namespaces shopping_cart, notifications)

1. Deploy app and Network Policy, e.g. Kubernetes Network Policy
2. NSX implements K8s Network Policy using DFW and NS Groups

Kubernetes Network Policy doesn’t allow securing traffic between:
• Apps in different clusters
• K8s apps and external apps

Visit NSX booth – K8s Network Policy demo

Page 18: NSX-T & CONTAINER MICROSEGMENTATION

Workflow 2 : using NSX for policy definition

Figure: Cloud Native App Platform – Instance 1 (namespaces shopping_cart, notifications) and NSX

1. Admin defines policy using NSX NS Groups (Security Groups) and Distributed Firewall rules; NS Groups membership criteria – {dynamic, tags}
2. Deploy app with Kubernetes labels
3. NSX translates Kubernetes labels to NSX tags

NSX: Update NS Group membership, Apply DFW rules
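What makes workflow 2 hold up under scale-out is that the rule set never names a pod: groups are defined by tags, tags are derived from labels, and a newly scheduled replica inherits membership. The block below is an added example, not code from the deck or from NSX, that models that chain end to end: label-to-tag translation, tag-based dynamic group membership, first-match firewall rules with an implicit default deny, and a VM placed in the same group model by an admin-assigned tag so one rule base covers use case 3 from the earlier slide (a K8s Network Policy alone could not, per workflow 1). The `ns:` / `label:` / `role:` tag encoding, the group and rule names, the pod and VM IPs and the ports are all constructed for the example and are not the NSX tag format.

```python
"""Toy model of tag-based microsegmentation for containers and VMs. Added example;
the tag encoding, names, IPs and ports are constructed, not NSX's own."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Workload:
    """A pod or VM as the distributed firewall sees it."""
    name: str
    kind: str               # "pod" or "vm"
    ip: str
    tags: FrozenSet[str]


def tags_from_k8s(namespace: str, labels: Dict[str, str]) -> FrozenSet[str]:
    """Step 3 of the workflow: derive flat tags from a pod's namespace and labels.
    The 'ns:' and 'label:' prefixes are an assumed encoding for this example."""
    tags = {f"ns:{namespace}"}
    tags.update(f"label:{k}={v}" for k, v in labels.items())
    return frozenset(tags)


@dataclass(frozen=True)
class NSGroup:
    """Dynamic membership: a workload is a member iff it carries every required tag."""
    name: str
    required_tags: FrozenSet[str]

    def members(self, inventory: List[Workload]) -> List[Workload]:
        return [w for w in inventory if self.required_tags <= w.tags]


@dataclass(frozen=True)
class Rule:
    src_group: str
    dst_group: str
    port: int
    action: str             # "allow" or "drop"


def evaluate(inventory: List[Workload], groups: List[NSGroup], rules: List[Rule],
             src_ip: str, dst_ip: str, port: int) -> Tuple[str, str]:
    """First-match evaluation; any flow no rule covers is dropped (default deny).
    Membership is recomputed from tags on every call, so new pods are picked up."""
    by_ip = {w.ip: w for w in inventory}
    src, dst = by_ip.get(src_ip), by_ip.get(dst_ip)
    if src is None or dst is None:
        return "drop", "unknown-workload"
    members = {g.name: {w.name for w in g.members(inventory)} for g in groups}
    for r in rules:
        if src.name in members[r.src_group] and dst.name in members[r.dst_group] and r.port == port:
            return r.action, f"rule:{r.src_group}->{r.dst_group}:{r.port}"
    return "drop", "default-deny"


def build_policy() -> Tuple[List[NSGroup], List[Rule]]:
    """Step 1: admin-defined groups (by tag criteria) and DFW rules. No pod names here."""
    groups = [
        NSGroup("cart", frozenset({"ns:shopping_cart", "label:app=cart"})),
        NSGroup("payments", frozenset({"ns:payments", "label:app=payments"})),
        # A VM joins the same model through an admin-assigned tag (constructed),
        # so the rule base spans containers and VMs.
        NSGroup("payments-db", frozenset({"role:payments-db"})),
    ]
    rules = [
        Rule("cart", "payments", 8443, "allow"),
        Rule("payments", "payments-db", 5432, "allow"),
    ]
    return groups, rules


def deploy_pod(inventory: List[Workload], name: str, namespace: str,
               ip: str, labels: Dict[str, str]) -> None:
    """Step 2: a pod is deployed with labels; its tags are derived, not hand-set."""
    inventory.append(Workload(name, "pod", ip, tags_from_k8s(namespace, labels)))


def build_inventory() -> List[Workload]:
    """Constructed sample inventory: three pods in three namespaces plus one VM."""
    inv: List[Workload] = []
    deploy_pod(inv, "cart-1", "shopping_cart", "172.20.0.33", {"app": "cart"})
    deploy_pod(inv, "pay-1", "payments", "172.20.0.65", {"app": "payments"})
    deploy_pod(inv, "notify-1", "notifications", "172.20.0.97", {"app": "notify"})
    inv.append(Workload("pay-db-vm", "vm", "172.30.0.10", frozenset({"role:payments-db"})))
    return inv


if __name__ == "__main__":
    inv = build_inventory()
    groups, rules = build_policy()
    print(evaluate(inv, groups, rules, "172.20.0.33", "172.20.0.65", 8443))  # cart -> payments
    print(evaluate(inv, groups, rules, "172.20.0.97", "172.20.0.65", 8443))  # notifications -> payments
    deploy_pod(inv, "cart-2", "shopping_cart", "172.20.0.34", {"app": "cart"})  # scale-out
    print(evaluate(inv, groups, rules, "172.20.0.34", "172.20.0.65", 8443))  # covered, no rule change
```

The scale-out step at the end is the property the later micro-audit slide calls out: `cart-2` is allowed to reach `payments` without anyone touching the rule set, while `notify-1`, which carries different labels, still falls through to default deny. The same default deny is what keeps a pod from reaching the database VM unless it is in the `payments` group.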

Page 19: NSX-T & CLOUD NATIVE APPS (NSX-T 2.0)

Page 20: NSX-T LOAD BALANCING FOR CONTAINERS

Figure: Cloud Native App Platform with namespaces user_auth (172.20.0.0/27) and shopping_cart (172.20.0.32/27)

Kubernetes
• Inter Microservice – NSX-T implements K8s Service using OVS
• External to K8s – interoperates with external Load Balancers (Nginx, F5)

Cloud Foundry
• Inter Microservice – client side, e.g. using Eureka in Spring Cloud Service
• External to CF – GoRouter (Layer 7 Router); LB not pluggable in CF

Page 21: CLOUD NATIVE APP ON DATA CENTER NETWORK

Page 22: DEMO: CLOUD NATIVE APP ON DATA CENTER N/W

Figure: Kubernetes, namespace yelb (172.20.0.0/27) with yelb-ui and yelb-app; Redis Database on 172.30.0.0/27

Native Container Networking
• Kubernetes integration
• Automated provisioning of network, security and Load Balancing as part of app deployment
• Security across Container and VMs
• Common troubleshooting tooling for Containers and VMs

Page 23: DEMO: CLOUD NATIVE APP ON DATA CENTER N/W

Networking, Security & Load Balancing configured as part of application deployment

Page 24: NSX-T & CLOUD NATIVE APPS (NSX-T 2.0)

Page 25: MONITORING FOR CLOUD NATIVE APPS

• Container Cluster and App context in NSX
• Send / Receive stats for Unicast, Bcast/Mcast and Dropped traffic
• Traffic Mirroring
• Rule statistics – packets, bytes, sessions
• Syslog
• NSX Traceflow – simulate app traffic between containers and / or VMs and identify failure points
• NSX Search enables correlating app and infrastructure instantaneously, enabling efficient incident response

Page 26: LOGINSIGHT INTEGRATION FOR CONTAINERS

Page 27: MONITORING MICROSEGMENTATION WITH LOGINSIGHT – VM AND CONTAINER

Page 28: NSX-T & CLOUD NATIVE APPS (NSX-T 2.0)

Page 29: LIFT & SHIFT - THE EARLY USE CASE

Chart: 2016 – Lift & Shift existing apps 80, New Cloud Native Apps 20; 2020 – 50 (Lift & Shift existing apps / New Cloud Native Apps)
Source: IDC Doc US41663716 - Enterprise Interview Results: Container Software Strategies Point to Long-Lasting Virtualization Synergies

“By 2020 we would like to migrate 80% of our J2EE apps from Websphere to Kubernetes. We would like to do this with minimal or no changes to network services (Load Balancer, Firewall) design” – Network Architect, Global Financial

Container Cluster & Application context in NSX

Page 30: F5 AND NSX-T CONTAINER NETWORK

Figure: pre-existing logical topology for Kubernetes 'out-of-the-box' namespaces

Kubernetes Cluster
• K8s IP Block: 10.4.0.0/14
• Namespace Networks:
  – NS: kube-public – 10.4.0.0/27
  – NS: kube-system – 10.4.0.32/27
  – NS: default – 10.4.0.64/27
• K8s Master & Node VMs: k8s-master (.10), k8s-node1 (.11), k8s-node2 (.12)
• k8s-mgmt – 10.0.1.0/24: this logical switch is used to connect the node mgmt interfaces to the outside world
• k8s-node-vifs: this logical switch is not connected to any logical router (black hole network)

NSX-T1
NSX-T0 – NAT IP Pool 172.19.0.0/24
eBGP Session: AS 65001 – AS 65002
One-cloud NSX Edge / vPodRouter – 192.168.100.0/24 (.1, .3)
BIG-IP Platform – 192.168.100.100

Page 31: NSX-T & CLOUD NATIVE APPS (NSX-T 2.0) – Provision & manage infra like cloud native apps

Page 32: ADDRESSING PCI DSS 3.2 WITH VMWARE NSX-T

A Micro-Audit of NSX-T Segmentation for Microservices Containers and Virtual Machines

• Validation Exercises
  – Inter and intra container environment segmentation testing
    • Across Kubernetes namespaces
    • Within a Kubernetes namespace (representative of unique services (pods and containers) that support a single entity microservice deployment)
  – Container to Virtual Machine Segmentation Testing
  – Automation of policy enforcement in support of orchestrated auto-scaling and remediation processes
  – Capability of SpoofGuard for traffic validation and prevention of man-in-the-middle ARP poisoning attacks
  – Investigation of distributed network encryption to protect sensitive application data in transit

Publishing in September, 2017

Page 33: NSX-T MICRO-AUDIT RESULTS

• NSX-T distributed firewall provided segmentation via micro-segmentation to sufficiently isolate and separate CDE from non-CDE both in the container environment and in the virtual machine environment
• NSX-T distributed firewall provided adequate control capabilities between services and tiers for multi-tier/multi-faceted microservice applications in the CDE both within the container namespace and across to virtual machines
• Dynamic membership of network security groups (NsGroups) allows for automation of policy application for microservices scaling
• NSX-T SpoofGuard was found to be effective in blocking ARP Poisoning Attacks executed from the Kali-Linux instance
• NSX-T distributed network encryption may be useful for providing additional control over cardholder data transmissions within the cardholder data environment

Page 34: CUSTOMER USE CASES

Page 35: GLOBAL RETAILER – Scaling e-commerce platform

“We need direct Layer 3 routing between F5 and the frontend PODs on Kubernetes. Direct routing enables us to identify which POD gets accessed at a specific time just looking at the logs, simplifying troubleshooting and security. It gives us the visibility that our security team needs on PCI environments” – PaaS architect

#3 retailer in the world, 7k shops, 24 B in sales

Page 36: GLOBAL FINANCIAL SERVICES FIRM – Embracing open banking in a secure, compliant way

“We would like to use NSX-T as our Container Firewall as it provides us the ability to segment container-to-container & container-to-vm traffic” – VP & Head of IT

Page 37: NSX + Cloud Native Apps = Platform for Digital Transformation

• Developer Productivity
• Security & Compliance
• Operationalize Containers
• Re-use tool & process investments

Page 38: Next steps

Learn
• Hands on Lab : VMware NSX-T with Kubernetes [ELW182602U]
• VMware Network Virtualization Blog
• VMware NSX YouTube channel

Use
• POC Guide
• https://communities.vmware.com/community/vmtn/nsx

Contact
• NSX sales
• @vmwarensx


Page 40: THANK YOU #vmworld2017
