NEDG2600BU Achieving a Best-of- Breed SD-WAN

Achieving a Best-of-Breed SD-WAN Technology Ecosystem

Tony Banuelos, Vmware, Inc.

#vmworld #NEDG2600BU

NEDG2600BU

VMworld 2019 Content: Not for publication or distribution

©2019 VMware, Inc. 2

Forward Looking Statements

Disclaimer

• This presentation may contain product features or functionality that are currently under development.

• This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.

• Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.

• Technical feasibility and market demand will affect final delivery.

• Pricing and packaging for any new features/functionality/technology discussed or presented, have not been determined.

The information in this presentation is for informational purposes only and may not be incorporated into any contract. There is no commitment or obligation to deliver any items presented herein. VMworld 2019 Content: Not for publication or distribution


vSphere

BRANCH

BRANCH

EDGE/IOT

TELCO/NFV

BRANCH

BRANCH

DCDC

DC

BRANCH

Virtual Cloud Network

Tied Together.Everywhere.

vRNI

CLEAR VISIBILITY

Containers | Virtual Machines | Bare Metal

VCN



Hyperscale

Client to Cloud to Container

Emerging Trends for WAN Edge

Multi- & Hybrid Cloud

Native Advanced Security

Advanced Analytics

Self-healing Networks

SD-WAN enables all enterprises to reach any cloud - private, public, mid-mile, security, application, IoT - securely at scale.VMworld 2019 Content: Not for publication or distribution

©2019 VMware, Inc.

Agenda

5

VMware SD-WAN Overview

VMware SD-WAN as a Security Platform

VMware SD-WAN as a Network Monitoring Platform

VMware SD-WAN as a Multi-Cloud Platform

Summary


6©2019 VMware, Inc.

VMware SD-WAN by VeloCloudOverview



Cloud-Delivered Network for Today’s Cloud Era

Data Center Application Storage Network

The Cloud is the..



Simplified WAN Management

Assured Application Performance

Managed On-ramp to the Cloud

VMware SD-WAN by VeloCloud Benefits

Branch Edges

SaaS / IaaS

Zero-touch deployments, simplified operations, one-click service insertion

Direct cloud access with performance, reliability and security

Datacenter Edges

Transport independent performance for the most demanding apps, leverages economical bandwidth

SD-WAN OverlayPrivate /MPLS 3G/4G LTE

Internet Broadband

VMware SD-WAN Orchestrator

Cloud Gateways

Software Defined WAN Overlay



• Zero-touch provisioning

• Group business-level policies

• Automatic link profiling

Multi-Tenant All-In-One OrchestrationMulti-tenant managed IT portal * Enterprise wide * Site drill down: link and usage discovery

CLIVMworld 2019 Content: Not for publication or distribution


VMware SD-WAN “Zero Touch Provisioning” (ZTP)Unique Flexibility of Two Options

No IT required on-site nor online

No pre-staging required

No security riskif box lost

No site by site linkprofile needed

Step 1 Step 1

Step 2 Step 2

Orchestrator

Activation code

Pull config

Staging Profile

Call home

Push config

Logical Edge

Profile

Staging Profile

Physical install only

Pull Activation• Handles static IP / No serial number tracking

Push Activation• No activation code to installer

Interchangeable approaches:• Can install (Push) then still follow up with activation code• Can Pull but use staging profile, then Push final profile



• Drives automation and optimization

Assured Application Performance over Any Type of Link

VMware SD-WAN DMPO - MEASURE, STEER, REMEDIATE

• Sub-second steering without session drops

• Aggregated bandwidth for single flows

• Protects against concurrent degradation

• Enables single link performance

Dynamic Per Packet Steering

On Demand Remediation

Continuous Link Monitoring



Video conference over a WAN link with 2% packet loss

End-user Experience

Without VMware SD-WAN With VMware SD-WANVMworld 2019 Content: Not for publication or distribution


• O365 on a Single Link (Brownout condition) from Branch in Thailand to Gateway in Singapore

VMware SD-WAN

Non-SDWAN

Optimized Performance for Cloud Apps – Office 365



Cloud Infrastructure

Cloud Scale Redundancy

SSAE16 Type II Audited Data

Centers

99.99% Reliability SLA

Regions

30

Orchestrators

60+Gateways

1000+



VMware SD-WAN as a Security Platform



Admin access security



VMware SD-WAN by VeloCloud Orchestrator Single Sign-OnVeloCloud

Orchestrator Admin authentication performed by IdPVCO redirects login to IdP

Manage SD-WAN Network

Admin clicks Sign In with provider option button

Enters assigned Enterprise domain VCO redirects

to IdP sign-in page

Admin successfully signs in with IdP and is redirected to VCO management landing page

1

2

34VMworld 2019 Content: Not for publication or distribution


Network Security



Why VMware SD-WANSimple Control and Management To Secure WAN Traffic

Utilizing Deep Application Recognition and Business

Policies, VMware SD-WAN allows enterprises to selectively backhaul

Internet traffic to DC’s and simplify Cloud Migration without compromising

user traffic filtering

Per-Application Business Policies

Architecture to integrate with the major CloudWeb Security (CWS)

services in a secure and scalable manner

VNF Integration

Leverage Firewall VNF’s to build a strong security

ecosystem for branch of the future

Cloud Web Security (CWS) Integration

Further Segregation of trusted and

untrusted user trafficat the branch

Segmentation



Distributed Services Insertion

On-premises SecurityCorporate / Regional

Cloud Security Service

VMware SD-WAN by VeloCloud Dynamic Multipath Optimization delivers application performance and reliability to cloud

Automated tunneling eliminates site by site configurations

Single-click Application-Aware Policiesfor granular service insertion

Branch Site

VMware SD-WANEdge Hub

VMware SD-WANGateway by VeloCloud

Internet / web

VNF or Native Security

VMware SD-WANEdge by VeloCloud

Dynamic Multi-Path Optimization

Datacenter

Intelligent Backhaul Security


©2019 VMware, Inc.

VMware SD-WAN Security for OnPrem Branch Deployments

Partner NGFW VMware Stateful Firewall* Partner CWS

Delivery ModelPartner Virtual Network

FunctionNative Integration Partner Cloud Security

Management

Simple service insertion from VCO

Multi-vendor management(VMware SD-WAN Orchestrator and Partner VNF Orchestrator)

Single Orchestrator for SD-WAN and Security

(VMware SD-WAN Orchestrator)

Simple service insertion from VCO

Multi-vendor management(VMware SD-WAN Orchestrator and Partner VNF Orchestrator)

Target Enterprise Market Segments

Security First EnterprisesAll Market Segments

(SMB-Large)All Market Segments

(SMB-Large)

InternetInternet Internet

* Coming Q4CY2019VMworld 2019 Content: Not for publication or distribution


Cloud Web Security (CWS) Integration Options

Simplify tunnel configuration to Cloud Web Security

VCGs are in close proximity to the partner Cloud Web Security PoP. Leverage DMPO for performance.

Per-app service insertion when connect through VCG or direct Edge

IPS

ec

IPS

ec

IPS

ec

Direct tunnel from Edge

DMPO tunnel to VCG, VCG to CWS



Simple insertion of security servicesCloud Web Security Service Insertion

Cloud Security via VMware SD-WAN Gateway

Internet

MPLS

Untrusted mission-critical internet traffic uses DMPO up to CWS via VCG

Cloud Security Direct from Branch

Internet

MPLS

Untrusted non-mission critical web traffic goes direct to interne via CWS

Web bound traffic needing inspectionVMworld 2019 Content: Not for publication or distribution


Provide option for CSS when it is

configured.

● Creates a business policy rule for

internet backhaul via CSS.

● Backhaul is achieved just like GW,

create a backhaul business policy

rule for direct.

New Internet Backhaul Option for CSS

New capability



VMware SD-WAN Virtual Services Platform

3rd-party Firewall VNF on Edge

Virtual Ready Edges

ETA: Oct CY 19

(Edge 520v, Edge 840)

Available NOW

Leverage best-of-breed VNF with SD-WAN

Simple, one-click service insertion

Automate VM lifecycle and registration

VMware SD-WAN Edge



On-Prem Security Services Partner VNFSingle Box solution with best of breed network services

VMware SD-WAN Edge OS


©2019 VMware, Inc.

VMware SD-WAN Native Security

Security Service Stateful Firewall URL Filtering

Delivery Mode Native Integration Native Integration

ManagementSingle Orchestrator for SD-WAN and

Security(VMware SD-WAN Orchestrator)

Single Orchestrator for SD-WAN and Security

(VMware SD-WAN Orchestrator)

Market Segments Target Enterprise Market Segments Security First Enterprises

Target Release Q4CY2019 Q1CY2019



VMware SD-WAN as a Network Monitoring Platform


©2019 VMware, Inc.

VMware SD-WAN Network Visibility

Open Interfaces for monitoring

• SD-WAN platform provides system level events, device and link status, traffic flow details and network topology details

• Protocols supported: Netflow IPFIX, RESTful API, SNMP* v2 and v3, Syslog*

• Partners will obtain SDK documentation, Netflow template definitions, list of system events and alerts and SNMP MIB definitions

• External open interfaces provide the platform necessary to perform advanced network monitoring and analytics

Netflow Collector

Internet

MPLS

VCO

VMware SD-WAN Hub Edge

VMware SD-WAN Edge

VMware SD-WAN Edge

VMware SD-WAN Edge

VCG

Netflow IPFIX

SNMP*

Syslog*

API

*Coming Q4CY2019



External monitoring integrations(vRNI and Plixer)



Agent-less, Vendor-neutral, End-to-End, Scale-out Software Solution

vRNI: Most Comprehensive Network & Security Visibility Solution

VMC, Public Clouds

(VMC, AWS, Azure, etc.)

Containers(K8s, PKS,OpenShift)

Virtual(NSX V & T,

PACE,vSphere)

Physical Network(Switches/Routers)

vRNI

FW and LBs SD-WANEdges

In-band Telemetry



vRNI: App-Centric workflows

Flows

Blueprints/Templates

(CAS)

ComputeManagers,

PACE

SNOW (CMDB)

Tags

PacketSignatures/

DPI

EndpointProcess

APM/Sectool

UserConfig

App-Centric Network Operations

Application network topology, APM and troubleshooting

App-Centric Security Visibility/Planning

Assessment, Planning business level policy

Detect unprotected apps

App-Centric Predictive Analytics based on

Collective IntelligenceOutlier, Threshold, Behavior

Analysis

Automated App Reconciliation,Mapping

Future

VMNames


©2019 VMware, Inc.

VMware SD-WAN Network VisibilityEnd-to-end Visibility and Analytics across Branch, WAN, SDDC, Cloud for NSX/non-NSX customers

Assessment Visibility & Analytics Troubleshooting Capacity Planning Security*

Analyze existing WAN Infra B/W analysis, type of traffic, Infra/App QOE Cost Optimization Recommendation

Dashboards, Site/App/Flow Analysis Top Performance Dashboards Analytics Path visibility and hotspots

(SDDC to branch to SAAS apps)

Predictive based on ML Current capacity based

on analytics.

Unprotected Apps Business Policy

recommendation Audit & Compliance

*Future

VCO

Edges/Hubs

Config, Runtime

IPFIX, SNMP*

Use-Cases



Plixer Scrutinizer SD-WAN view


©2019 VMware, Inc.

Application Policies


©2019 VMware, Inc.

Application Priority


©2019 VMware, Inc.

Application Route Type



VMware SD-WAN as a Cloud Platform



SD-WAN On-Ramp to IaaS

On-Ramp via SD-WAN Cloud Gateways• Aggregate multiple Internet links• Reduce Management Cycles• Extend SD-WAN to IaaS Door Step

On-Ramp via SD-WAN virtual Edge• Simplify Hybrid Connection• Enable End to End SD-WAN• Launch Virtual Edge from Marketplace

VMware SD-WAN Cloud Gateways

IPSec

VMware SD-WAN Edge

VMware SD-WAN Edge

VMware SD-WAN Virtual Edge

CY2H2019

SD-WAN

SD-WAN

Flexible Hybrid and Multi-Cloud support



Seamlessly Service Insertion On-Prem and Cloud Deployment

Flexible Hybrid and Multi-Cloud Support

Public Internet

Private Data

Center Edges

Provider

Edge

Internet

MPLSPrivate

Circuit

Orchestrator

Branch

Provider

Edge

IPSec

Branch

VMC/NSX Cloud Azure vWAN

AliCloud

AliCloud

CY 2H 2019



VMware SD-WAN + Azure virtual WANSimplify deployment with automation

VMware SD-WAN Edge VMware SD-WAN

Cloud Gateway

IPSecSD-WAN

Azure Virtual Hub

Azure Virtual WAN High scale and throughput VPN headend Low latency, optimal routing within Azure Single tunnel to reach multiple Azure workload

Integration with VMware SD-WAN Simplified and aggregated secure connectivity vs

NxN manual tunnel configuration Optimized last mile access vs best effort



VMware SD-WAN + AWSLeveraging AWS native Transit GW solution

VMware SD-WAN Edge

VMware SD-WAN Gateway

AWS Transit Gateway

IPSec

IPSec

IPSec

IPSec

IPSec

Enterprise Option 2

(Q4 2019)

MSP Option

Available w/ Static Route

Enterprise Option 1

Available Today

VMware SD-WAN Edge

MSP hosted Multi-tenant GWVMworld 2019 Content: Not for publication or distribution


Automate access to Google Services

VMware SD-WAN + Google Cloud

1000s Branches

10s

Data Centers

MPLS

Internet

VMware SD-WAN Orchestrator

With VMware SD-WAN• Simplified IP entry points into Google Services via cloud

gateways • Built in outcome driven policies to automate and simplify

configuration

BigQueryCloud VPN

Challenges for Enterprise accessing GCP• Complexing firewall configuration due to multiple IP

entry points into Google Services in GCP• Need to allow Cloud Web Security Service bypass for

Google Cloud services

Non-Google Traffic

Google Traffic



SD-WAN is not just WAN networking

VMware SD-WAN platform enables the delivery of best in class security, cloud and monitoring services

VMware SD-WAN will provide the most secure and optimal path to your end users applications

Summary




Documents

NEDG2600BU Achieving a Best-of- Breed SD-WAN