Distributed Networking and Security Services: Deep Dive · 2019-06-27

Page 1

© 2014 VMware Inc. All rights reserved.

NET1932

Anirban Sengupta, Sr. Director, NSX
Jayant Jain, Architect, NSX
August 2017

Distributed Networking and Security Services: Deep Dive

VMworld 2017 Content: Not for publication or distribution

Page 2

Disclaimer

• This presentation may contain product features that are currently under development.

• This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.

• Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.

• Technical feasibility and market demand will affect final delivery.

• Pricing and packaging for any new technologies or features discussed or presented have not been determined.

#NET1932 CONFIDENTIAL 2

Page 3

Agenda

1 Introduction

2 Distributed Service Architecture

3 Distributed Services in NSX

4 Architecture Deep Dive

5 Demo

6 Q&A

Page 4

Introduction

Distributed Service Architecture

Distributed Services in NSX

Architecture Deep Dive

Demos

Q&A

Page 5

Increased Application Complexity

• Applications are becoming larger and distributed

• Tiered Application model to Micro services and Containers

Page 6

Deployment Agility

• Application owners are expecting faster deployment from IT

• LOBs are expecting automated and self service deployment to support CI/CD

Page 7

Advanced Security

• Attackers have become highly funded, sophisticated and resourceful

• Attacks are oriented towards lateral movement and privilege escalation rather than the perimeter

Page 8

Introduction

Distributed Service Architecture

Distributed Services in NSX

Architecture Deep Dive

Demos

Q&A

Page 9

Traditional Data Center Design

• Services sit in the data center aggregation layer

• Optimized for North/South traffic

• Most traffic today is East/West

• East/West traffic has to hairpin through the aggregation layer

• Difficult to automate

• Uncertain performance and capacity provisioning

• Unfriendly to application mobility

Page 10

Virtual Appliance based Services

[Figure: Finance, HR and IT workloads spread across the App, DMZ, Services and DB networks; perimeter services and internal services (AD, NTP, DHCP, DNS, CERT) provided by virtual appliances]

• Deployment complexity

• Topology dependency

• Performance bottleneck

• Appliance management

• Harder to change security policy

Page 11

Distributed Services

[Figure: the same Finance, HR and IT workloads across the App, DMZ, Services and DB networks, with perimeter services and internal services (AD, NTP, DHCP, DNS, CERT) delivered as distributed services]

• Omnipresent

• Topology agnostic

• Full automation

• Easier operations

• No appliance management

• Zero trust isolation

• Linear scalability

Page 12

Omnipresent and Topology Agnostic

[Figure: Finance, HR and IT workloads on the App, DMZ, Services and DB VLANs behind a perimeter firewall and an inside firewall, with AD, NTP, DHCP, DNS and CERT services]

• Distributed services are deployed everywhere and can be enforced anywhere, irrespective of application architecture and network connectivity

• With each application, configuration can be added and deleted as needed

Page 13

Full Automation and Easier Operations

• Software services make automation possible, hence increasing agility

• Distributed services minimize deployment and capacity challenges

• No appliance to deploy and manage

Page 14

Zero Trust Isolation and Enforcement

• The Distributed Firewall makes zero trust isolation feasible

• As firewall enforcement is at the vNIC level, any security policy is easy to enforce

[Figure: workloads and the Internet, with enforcement at each vNIC]

Page 15

Capacity On Demand and Line Rate Performance

• Services scale linearly with the application, hence minimal provisioning and management

• Fewer network hops, making it far more efficient

Page 16

Introduction

Distributed Service Architecture

Architecture Deep Dive

Distributed Services and NSX

Demos

Q&A

Page 17

VMware NSX Functional Overview

[Figure: NSX planes]

• Consumption: CMP and UI, via the API

• Management Plane: NSX Manager (API, config, etc.)

• Control Plane: NSX Controller (run-time state)

• Data Plane: vSphere hosts running Logical Switch, Distributed Logical Router, Edge Services Gateway, Distributed Firewall (DFW), Distributed Load Balancer and Distributed Network Encryption (DNE)

• Operations: logs/stats

Page 18

Distributed Routing

Page 19

Micro Segmentation with Distributed Firewall

• L4 Distributed Firewall facilitating micro-segmentation of the datacenter

• Rules based on VC entities, IPSets and VMs, with flexible Services and IPv6 compliance

Src/Dst

- IP addresses / IPSets

- Identity: AD groups

- VC containers: clusters, datacenters, portgroups, VXLAN

- VM containers: VM names, VM tags, VM attributes

- IPv6 compliant: IPv6 addresses, IPv6 sets

Services

- Protocol

- Ports

- Custom

- IPv6 services

Action

- Allow

- Block

- Reject

Choice of PEP (Policy Enforcement Point)

- Clusters

- VXLAN

- vNICs

- …

Page 20

Context Aware Micro Segmentation

• Extend the L4 DFW to be context aware

• Context: user, protocols, applications, mobile manifest, third-party context, etc.

[Figure: L4 rule based micro-segmentation extended to context aware micro-segmentation]

Page 21

Distributed Network Encryption

• NSX Manager

– User defines encryption policies

• NSX Controller

– Pushes rules to hypervisors

– Generates tickets for hypervisors to get secret keys

• Key Manager

– Generates secret keys for hypervisors

• Hypervisors

– Get secret keys from the Key Manager and encrypt/authenticate network packets in and out of the VMs

[Figure: NSX Manager (DNE Manager), NSX Controller (DNE Controller), Key Manager and Hypervisor1 … HypervisorN; labelled flows 1) Rules, 2) Key Policies, and one Ticket per hypervisor]
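The ticket flow on this slide, as an added Python sketch that is not NSX code: a controller issues HMAC-protected tickets, the key manager releases a per-policy key only against a ticket bound to the requesting hypervisor, one policy and an expiry, and the hypervisors use that key to authenticate VM-to-VM packets per rule. Everything below is assumed for illustration: the ticket secret shared between controller and key manager, the JSON ticket format, HMAC-SHA256 with a 16-byte truncated tag, the sample addresses and the rule. The per-packet step is shown as authentication only; the slide's encryption step is left out because the Python standard library has no authenticated-encryption primitive.

```python
import hashlib
import hmac
import json
import os
from typing import Dict, Optional, Tuple

TAG_LEN = 16   # truncated HMAC-SHA256 tag appended to each protected packet (assumption)

def _ticket_mac(secret: bytes, body: dict) -> str:
    return hmac.new(secret, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()

class Controller:
    """Pushes DNE rules to hypervisors and issues tickets that authorize a key fetch."""
    def __init__(self, ticket_secret: bytes):
        self._secret = ticket_secret   # assumed shared only with the key manager

    def issue_ticket(self, hypervisor: str, policy_id: str, now: int, ttl: int = 300) -> dict:
        body = {"hv": hypervisor, "policy": policy_id, "exp": now + ttl}
        return {**body, "mac": _ticket_mac(self._secret, body)}

class KeyManager:
    """Generates the per-policy secret keys and releases them only against a valid ticket."""
    def __init__(self, ticket_secret: bytes):
        self._secret = ticket_secret
        self._keys: Dict[str, bytes] = {}

    def get_key(self, hypervisor: str, policy_id: str, ticket: dict, now: int) -> bytes:
        body = {k: ticket[k] for k in ("hv", "policy", "exp")}
        ok = (hmac.compare_digest(_ticket_mac(self._secret, body), ticket["mac"])
              and body["hv"] == hypervisor       # bound to the requesting host
              and body["policy"] == policy_id     # bound to one policy
              and now < body["exp"])              # not expired
        if not ok:
            raise PermissionError("ticket rejected")
        return self._keys.setdefault(policy_id, os.urandom(32))

class Hypervisor:
    """Holds the pushed rules, redeems tickets for keys and authenticates VM traffic."""
    def __init__(self, name: str):
        self.name = name
        self.rules: Dict[Tuple[str, str], str] = {}   # (src_ip, dst_ip) -> policy_id
        self.keys: Dict[str, bytes] = {}

    def install(self, ctrl: Controller, km: KeyManager, rules: Dict[Tuple[str, str], str], now: int) -> None:
        self.rules = dict(rules)
        for policy_id in set(rules.values()):
            ticket = ctrl.issue_ticket(self.name, policy_id, now)
            self.keys[policy_id] = km.get_key(self.name, policy_id, ticket, now)

    def _tag(self, policy_id: str, src_ip: str, dst_ip: str, payload: bytes) -> bytes:
        header = f"{src_ip}>{dst_ip}".encode()   # bind the tag to the flow, not only the bytes
        return hmac.new(self.keys[policy_id], header + payload, hashlib.sha256).digest()[:TAG_LEN]

    def protect(self, src_ip: str, dst_ip: str, payload: bytes) -> bytes:
        """Egress: append a tag when a DNE rule covers the flow, else pass unchanged."""
        policy_id = self.rules.get((src_ip, dst_ip))
        if policy_id is None:
            return payload
        return payload + self._tag(policy_id, src_ip, dst_ip, payload)

    def verify(self, src_ip: str, dst_ip: str, frame: bytes) -> Optional[bytes]:
        """Ingress: check and strip the tag; None means the packet is dropped."""
        policy_id = self.rules.get((src_ip, dst_ip))
        if policy_id is None:
            return frame
        payload, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        good = hmac.compare_digest(self._tag(policy_id, src_ip, dst_ip, payload), tag)
        return payload if good else None

def demo() -> dict:
    now, secret = 1_700_000_000, os.urandom(32)            # fixed clock so the run is repeatable
    ctrl, km = Controller(secret), KeyManager(secret)
    rules = {("10.20.20.1", "10.20.20.2"): "policy-web"}   # VM1 -> VM2 Encrypt; addresses assumed
    hv1, hv2 = Hypervisor("hv1"), Hypervisor("hv2")
    hv1.install(ctrl, km, rules, now)
    hv2.install(ctrl, km, rules, now)
    frame = hv1.protect("10.20.20.1", "10.20.20.2", b"GET / HTTP/1.1")
    tampered = bytes([frame[0] ^ 0x01]) + frame[1:]       # flip one payload bit in transit
    out = {
        "same_key": hv1.keys["policy-web"] == hv2.keys["policy-web"],
        "verified": hv2.verify("10.20.20.1", "10.20.20.2", frame),
        "tampered": hv2.verify("10.20.20.1", "10.20.20.2", tampered),
    }
    # a ticket issued to hv1 is useless to hv2, and a stale ticket is refused
    t = ctrl.issue_ticket("hv1", "policy-web", now)
    for label, args in (("replayed", ("hv2", "policy-web", t, now)),
                        ("expired", ("hv1", "policy-web", t, now + 301))):
        try:
            km.get_key(*args)
            out[label] = "accepted"
        except PermissionError:
            out[label] = "rejected"
    return out

if __name__ == "__main__":
    print(demo())
```

Running it shows the properties the slide implies: both hypervisors end up with the same key for the same policy, a frame modified in transit fails verification on the receiving host, and the key manager refuses a ticket presented by a host other than the one it was issued to or after its expiry.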

Page 22

Distributed Load Balancing

[Figure: Web-Tier-01 10.0.1.0/24 (web-01, web-02), App-Tier-01 10.0.2.0/24 (app-01, app-02) and DB-Tier-01 10.0.3.0/24 (db-01), each with .1 interfaces; Service-Group_Web is the load-balanced group]

• Appliance-less, client-based East/West load balancer

• Linearly scalable with optimal performance

Page 23

Introduction

Distributed Service Architecture

Distributed Services in NSX

Architecture Deep Dive

Demo

Q&A

Page 24

NSX Distributed Services – System Architecture

[Figure: SSH Client → ESXi Host (TCP/22); vSphere Client → vCenter Server (TCP/443); REST API Client → NSX Manager API (TCP/443); vCenter Server ↔ NSX Manager (TCP/443); NSX Manager → ESXi Host (TCP/5671); host modules: VXLAN, DR, DFW, Switch Security]

1. UI access to the NSX Management Plane via vSphere vCenter

2. Policy rules are stored in NSX Manager

3. Policy rules are pushed down to the ESXi Host [DFW Data Plane]

Page 25

NSX Distributed Services – Internal Architecture
Component Details and Communication Channels

[Figure: NSX Manager (Database, Config Engine, AMQP Exchange and Queues) reached by Web Browser and API over TCP 443; vCenter Server ↔ NSX Manager over TCP 443; vCenter Server ↔ ESXi host vpxa/hostd heartbeat over TCP/UDP 902; Message Bus: AMQP, TCP 5671, from NSX Manager to vsfwd/CPA in ESXi user space; in kernel space the Services Kernel Module (vSIP) with a VNIC-FW instance per VNIC, IOChains and the Virtual Switch]

# esxcli software vib list
esx-vsip 5.5.0-0.0.1744190

Page 26

Ruleset and Flows per vNic/VM

[Figure: NSX Manager with Control Cluster and Compute Manager pushing RuleSets and Inventory Updates to the CPA on each vSphere host, which hosts Web, App and DB VMs]

• Applied-To: each vNic/VM can have its own custom/crafted ruleset and service chain

• Contextualization: each vNic has its own set of flows

• Exclude List: individual vNics/VMs can be excluded from having a service instance or chain

• Stateful (default) as well as stateless rules supported

• Revalidation of rules with ruleset change

Page 27

NSX Distributed Services Enablement

[Figure: two vSphere hosts on a vSphere Distributed Switch, VTEP IPs 10.20.10.10 and 10.20.10.11; VM1 (MAC1, IP1) on the first host, VM2 (MAC2, IP2) and VM3 (MAC3, IP3) on the second, all attached to the VXLAN 5001 Logical Switch]

DFW Policy Rules:

Source   Destination   Service       Action
VM1      VM2, VM3      TCP port 80   Allow
VM1      VM2, VM3      any           Block

DLB Policy Rules:

Source   Destination   Service       Action
VM1      VIP1          TCP port 80   Balance
VM1      VIP2          TCP port 53   Balance

DNE Policy Rules:

Source   Destination   Service       Action
VM1      VM2, VM3      TCP port 80   Encrypt
VM1      VM5, VM6      any           Encrypt

• Enforce policy at the vNic:

- Services independent of the transport network (VLAN or VXLAN) and of each other

- All VM ingress and egress packets are subject to service processing

- Independent security policy per service

- Flexible service chain

- Uniformly applicable to virtualized and non-virtualized networks: V-to-V and P-to-V support

Page 28

NSX Distributed Services Packet Pipeline

L2 Pipeline

• L2 packet sanity, SpoofGuard

• L2 rule analysis

• Flow cache to speed up stateless processing

L3-L7 Pipeline

• L3 packet sanity, SpoofGuard

• Fragmented packet support

• Support for ICMP type/code

• L4 packet sanity

• Context discovery and mapping

• Flow lookup

• TCP state and sequence number support, state-based timers

• Address-set lookup, rule analysis

• Flow creation and logging

• ALG support (FTP, MSRPC, Oracle, DCERPC, TFTP)

Partner Pipeline [a..b..c]

• Policy lookup for stateful flow

• Punt packet to Partner Service (in-host, L2, L3)

• Receive from Partner Service and forward packet

DNE Pipeline

• Policy lookup for stateful flow

• Encrypt/decrypt per policy

[Figure: packet from vNIC/vPort → DFW Service (1: L2 Pipeline, 2: L3-L7 Pipeline) → Partner Pipeline (PS) → DNE Pipeline → vPort/vNIC]

Page 29

NSX Service Chaining

• Traffic exits the guest VM and reaches the DFW for processing

• Rule/flow analysis done by the DFW

• Filtering Module (service/s) rule/flow analysis done

• Traffic Redirection Module steers to the Partner Services VM (in-host/L2/L3)

• Permitted traffic forwarded via the Traffic Redirection Module

[Figure: Guest VM on the VDS → DFW (Slot 2) → Filtering Module and Traffic Redirection Module (Slot 4) → Partner Services VM; Partner Console and vCenter for management; External Network beyond]

Page 30

NSX Distributed Services and vMotion

[Figure: VM moved from the vMotion source host to the vMotion destination host, steps 1 and 2 on each side]

• NSX Distributed Services fully support vMotion

• During a vMotion event, all services context moves with the VM:

- Rules/address table

- Connection tracker table

- L4-L7 state

• No session loss during vMotion: all active sessions before the mobility event remain intact after the move

• Separation of control plane and data plane

• All services completely independent of VM location or logical network!

No disruption to the end user!
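The per-vNIC model of the "Ruleset and Flows per vNic/VM", "Enablement" and "Packet Pipeline" slides, together with the vMotion behaviour above, as one added Python example that is not NSX code: each vNIC gets its own filter holding a SpoofGuard binding, a connection tracker and a first-match ruleset; a packet passes sanity/SpoofGuard → flow lookup → TCP state check → rule analysis → flow creation, and the whole filter object moves with the VM so a session established on the source host continues on the destination host without a new SYN. Assumed for illustration: the addresses 10.20.20.1–3 standing in for IP1–IP3 and a MAC standing in for MAC1, the rule names, the five-tuple flow key, and the drop/allow result strings.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

@dataclass(frozen=True)
class Packet:
    src_mac: str
    src_ip: str
    dst_ip: str
    proto: str            # "tcp", "udp" or "icmp"
    sport: int
    dport: int
    syn: bool = False     # TCP connection-initiating segment

@dataclass
class Rule:
    name: str
    src: Set[str]         # IP addresses, or {"any"}
    dst: Set[str]
    service: Tuple[str, Optional[int]]   # (proto, dport); ("any", None) matches everything
    action: str           # "allow", "block" or "reject"

    def matches(self, p: Packet) -> bool:
        proto, dport = self.service
        return (("any" in self.src or p.src_ip in self.src)
                and ("any" in self.dst or p.dst_ip in self.dst)
                and proto in ("any", p.proto)
                and dport in (None, p.dport))

FlowKey = Tuple[str, str, int, str, int]   # proto, src_ip, sport, dst_ip, dport

@dataclass
class VnicFilter:
    """One service instance per vNIC: its own SpoofGuard binding, ruleset and flow table."""
    mac: str
    ip: str
    rules: List[Rule]
    flows: Dict[FlowKey, str] = field(default_factory=dict)   # connection tracker

    def process(self, p: Packet) -> str:
        egress = p.src_mac == self.mac
        # L2/L3 sanity + SpoofGuard: what leaves this vNIC must carry its bound IP,
        # what arrives must be addressed to it
        if egress and p.src_ip != self.ip:
            return "drop:spoofguard"
        if not egress and p.dst_ip != self.ip:
            return "drop:sanity"
        key: FlowKey = (p.proto, p.src_ip, p.sport, p.dst_ip, p.dport)
        # flow lookup: an established flow skips rule analysis (stateful by default)
        if key in self.flows:
            return "allow:flow"
        # TCP state: a new flow must start with SYN; a stray mid-stream segment has no state
        if p.proto == "tcp" and not p.syn:
            return "drop:no-flow"
        # rule analysis: first match wins, implicit block if nothing matches
        for r in self.rules:
            if r.matches(p):
                if r.action == "allow":
                    # flow creation in both directions, so return traffic needs no rule of its own
                    self.flows[key] = r.name
                    self.flows[(p.proto, p.dst_ip, p.dport, p.src_ip, p.sport)] = r.name
                return f"{r.action}:{r.name}"
        return "block:default"

def vmotion(src_host: Dict[str, VnicFilter], dst_host: Dict[str, VnicFilter], vm: str) -> None:
    """Move the VM's filter (rules/address table, connection tracker) to the destination host."""
    dst_host[vm] = src_host.pop(vm)

# Constructed sample standing in for the slide's VM1 -> VM2, VM3 rules; addresses are assumed.
MAC1, IP1, IP2, IP3 = "00:50:56:00:00:01", "10.20.20.1", "10.20.20.2", "10.20.20.3"
VM1_RULES = [
    Rule("web", {IP1}, {IP2, IP3}, ("tcp", 80), "allow"),
    Rule("deny-rest", {IP1}, {IP2, IP3}, ("any", None), "block"),
]

def demo() -> List[str]:
    host_a = {"VM1": VnicFilter(MAC1, IP1, VM1_RULES)}
    host_b: Dict[str, VnicFilter] = {}
    f = host_a["VM1"]
    out = [
        f.process(Packet(MAC1, IP1, IP2, "tcp", 40000, 80, syn=True)),            # new HTTP flow
        f.process(Packet("00:50:56:00:00:02", IP2, IP1, "tcp", 80, 40000)),       # reply, hits the flow
        f.process(Packet(MAC1, IP1, IP2, "tcp", 40001, 22, syn=True)),            # SSH, hits the block rule
        f.process(Packet(MAC1, "10.20.20.99", IP2, "tcp", 40002, 80, syn=True)),  # spoofed source IP
        f.process(Packet(MAC1, IP1, IP3, "tcp", 40003, 80)),                      # mid-stream, no flow
    ]
    vmotion(host_a, host_b, "VM1")
    # the HTTP session started on host A continues on host B without a new SYN
    out.append(host_b["VM1"].process(Packet(MAC1, IP1, IP2, "tcp", 40000, 80)))
    return out

if __name__ == "__main__":
    print(demo())
```

The six results in order are: the SYN to port 80 is allowed by the "web" rule and creates a flow, the reply is allowed by flow lookup alone, the SYN to port 22 falls through to the "deny-rest" block, the packet with a forged source address is dropped by SpoofGuard before any rule is consulted, the mid-stream segment with no flow is dropped, and after vmotion() the original HTTP session is still allowed on the destination host because the connection tracker travelled with the filter.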

Page 31

Introduction to Distributed Services

Why does it matter?

Distributed Services and NSX

Architecture Deep Dive

Demo

Q&A

Page 32

Context Aware Micro Segmentation
