Announced at the AWS Summit in New York last month and also briefly mentioned in the prior blog post, Announcing General Availability of VMware NSX-T Data Center 2.2.0, NSX-T networking and security is now available in Preview Mode for new SDDC deployments on VMware Cloud on AWS. Please reach out to your sales/SE contact for more information. In this blog post, I give an overview of the advanced networking and security functionality provided by NSX-T within VMware Cloud on AWS.
You can also check out the VMware Cloud on AWS Networking with VMware NSX-T documentation page for additional information. Also, if you will be at VMworld 2018, make sure to attend the VMware Cloud on AWS with NSX sessions listed below; we will go into a deep dive of all the functionality and show how VMware Cloud on AWS is being used by customers.
VMware Cloud on AWS with NSX: Use Cases, Design, and Implementation [NET1327BU]
Speaker: Humair Ahmed, Senior Technical Product Manager, VMware
Date: Wednesday, Aug 29, 1:00 p.m. to 2:00 p.m.
Advanced NSX Services in VMware Cloud on AWS: Use Cases and Best Practices [NET2409BU]
Speaker: Vyenkatesh Deshpande, Sr. Product Line Manager, VMware
Date: Wednesday, Aug 29, 2:30 p.m. to 3:30 p.m.
NSX is the underlying networking and security platform in VMware Cloud on AWS. With NSX-T, we have enabled the following enhancements/capabilities, with the first four being the major features driving the NSX-T SDDC.
NSX-T Features for VMware Cloud on AWS SDDC (Preview Mode)
- DFW Security Groups (based on IP Address, VM Instance, VM Name, Security Tags)
- Route Based IPSEC VPN with Redundancy
- Direct Connect Private VIF for all traffic
- Connectivity from Overlay to Management Infrastructure
- vCenter Management Appliance access from connected VPC
- DNS Zones
- Port Mirroring
- IPFIX

The underlying SDDC networking topology with NSX-T is similar to the NSX-V SDDC in the sense that you still have a management gateway (MGW) for management and a compute gateway (CGW) for compute. A few key differences are the following:
- MGW and CGW are no longer VM appliances; instead they are logical constructs inside the same edge appliance. MGW and CGW are what's known in NSX-T as T1 routers, which also have distributed components on each hypervisor. You can think of T1 routers as roughly analogous to a distributed logical router (DLR) in NSX-V.
- MGW and CGW are connected together via another router, known in NSX-T as a T0 router, which provides connectivity in and out of the data center; this connectivity, provided natively by the NSX-T architecture, also brings some inherent enhancements which I'll discuss in more detail later in the post.
- The vCenter management network is now an overlay; because vCenter sits on an overlay, the same operational tools can be used for compute workloads and for the vCenter management VMs.
- There is no longer a need for separate VPN tunnels for MGW and CGW; with the NSX-T SDDC, all VPNs terminate on the T0, which is connected to both the CGW and MGW, so it is a single VPN design.
- The edges with NSX-T leverage DPDK for enhanced performance.
- The ESXi hosts in VMware Cloud on AWS with NSX-T are now NVDS based (instead of VDS as before).

Below is the underlying network topology in VMware Cloud on AWS with NSX-T.
Figure 1: VMware Cloud on AWS with NSX-T SDDC
With NSX-T, the layout under the Networking and Security tab has been redesigned to simplify navigation. As you can see from the below screenshot, the menu is provided on the left, with the networking and security sections at the top. Users can easily jump to any of the respective sections: Overview, Network, Security, Inventory, Tools and System.
Figure 2: VMware Cloud on AWS with NSX-T SDDC Console
Network Segments
All networking and security configuration is now done through the VMware Cloud on AWS console via the Networking and Security tab, including creating network segments. This eases operations and management by keeping all networking and security configuration in the console. Previously, users had to use the NSX plugin in vCenter to create network segments.
Figure 3: Creating Network Segments with NSX-T SDDC
Distributed Firewall
Using VMware Cloud on AWS with NSX-T, users have the capability to implement micro-segmentation with Distributed Firewall. Granular security policies can be applied at the VM-level allowing for segmentation within the same L2 network or across separate L3 networks. This is shown in the diagram below.
Figure 4: Micro-segmentation via DFW with NSX-T SDDC
From the below screenshot you can see that, in addition to the ability to create multiple sections, users can organize DFW rules into groups (Emergency Rules, Infrastructure Rules, Environment Rules, and Application Rules). The rules are evaluated from the top down.
Figure 5: DFW GUI with NSX-T SDDC
Security Groups
In addition to the new DFW capabilities, grouping objects can now be leveraged within security policies. Security groups support the following grouping criteria/constructs:
- IP Address
- VM Instance
- Matching criteria of VM Name
- Matching criteria of Security Tag

As shown in the below screenshot, Security Groups can be created under Workload Groups or Management Groups. Workload Groups can be used in DFW and CGW firewall policies, and Management Groups can be used in MGW firewall policies. Management Groups only support IP addresses, as these groups are infrastructure based. Predefined Management Groups already exist for vCenter, ESXi hosts, and NSX Manager. Users can also create groups here based on IP address for on-prem ESXi hosts, vCenter, and other management appliances.
Figure 6: Creating Security Groups with NSX-T SDDC
In the below screenshot you can see I have deployed some VMs in vCenter and you can see the VMs in inventory within the console. Additionally, I’ve tagged the VMs with Web, App, and DB Security Tags respectively.
Figure 7: Assigning Security Tags to VMs
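To make the Workload Group criteria and the top-down DFW section ordering described above concrete, here is an added Python illustration (my own model, not VMware code or the console's API): groups built from the four criteria, and a sectioned rule set where the first matching rule wins, so an Emergency rule quarantining one VM overrides the Application rule that would otherwise allow it. VM names, addresses, tags and ports are constructed.

```python
import ipaddress
import re

# Constructed inventory (not from the post): VMs carrying the Web/App/DB
# Security Tags shown in Figure 7; names and addresses are made up.
VMS = {
    "web-01": {"name": "web-01", "ip": "10.1.1.10", "tags": {"Web"}},
    "web-02": {"name": "web-02", "ip": "10.1.1.11", "tags": {"Web"}},
    "app-01": {"name": "app-01", "ip": "10.1.2.10", "tags": {"App"}},
    "db-01":  {"name": "db-01",  "ip": "10.1.3.10", "tags": {"DB"}},
}

def in_group(vm, group):
    """Test VM membership in a Workload Group defined by one of the four
    criteria listed above: IP/CIDR, VM instance, VM-name pattern, Security Tag."""
    kind, value = group
    if kind == "ip":
        return ipaddress.ip_address(vm["ip"]) in ipaddress.ip_network(value)
    if kind == "instance":
        return vm["name"] == value
    if kind == "name":
        return re.search(value, vm["name"]) is not None
    if kind == "tag":
        return value in vm["tags"]
    raise ValueError(f"unknown group criterion {kind!r}")

ANY = ("ip", "0.0.0.0/0")

# Rule sections in the console's order; rules are evaluated top-down and the
# first match wins, so an Emergency rule beats any Application rule below it.
SECTIONS = [
    ("Emergency Rules",      [("drop", ("instance", "web-02"), ANY, None)]),
    ("Infrastructure Rules", []),
    ("Environment Rules",    []),
    ("Application Rules",    [
        ("allow", ("tag", "Web"), ("tag", "App"), 8080),
        ("allow", ("tag", "App"), ("tag", "DB"), 3306),
        ("drop", ANY, ANY, None),  # explicit default deny at the bottom
    ]),
]

def decide(src, dst, port):
    """Return (action, section) of the first rule whose source and destination
    groups both contain the endpoint VMs and whose service (None = any) matches."""
    for section, rules in SECTIONS:
        for action, sgrp, dgrp, svc in rules:
            if in_group(src, sgrp) and in_group(dst, dgrp) and svc in (None, port):
                return action, section
    return "drop", "implicit"
```

Note that web-01 and web-02 sit on the same /24 yet traffic between them is dropped, which is the same-L2 segmentation the Distributed Firewall section describes.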
Route Based IPSEC VPN with Redundancy
In addition to Policy Based IPSEC VPN, Route Based IPSEC VPN is now also possible. Users can configure BGP to run over IPSEC so networks are automatically advertised and learned betw