8/10/20
Confidential │ ©2019 VMware, Inc.

Introduction to Software Defined Network (SDN): VMware NSX
Agenda
• VMware Virtual Cloud Network and NSX Data Centre Architecture
• NSX Features and Capabilities
  • Layer 2, Layer 3 functions
  • Firewall, micro-segmentation
  • Load balancing
• Product Demonstration
Virtual Cloud Network
NSX Evolution
[Diagram: data center (ESX/vSphere) and branch sites; "Decoupled"]

Virtual Cloud Network: NSX Evolution
Tied Together—Everywhere.
[Diagram: data centers, branches, edge/IoT and telco/NFV sites connected by NSX; vRNI for clear visibility, NSX Intelligence for deep insight]
Software Defined Networking Everywhere
• Multi-Vendor: multiple vendors and multiple generations
• Any Topology: L2 end-to-end, Spine/Leaf, L3 aggregation etc.
• Heterogeneous End-points: VMs, containers, bare metal servers
• Cross Hypervisor: ESXi, KVM
• Multiple Clouds: private, public, hybrid, and edge clouds
Virtual Cloud Network
© 2017 VMware Inc. All rights reserved.
Your data center
Let’s begin with how things are and how things should be…
There are four basic things in a typical data center today: Applications, Compute, Storage, Networking.
There has been a lot of virtualization in the data center. Except … Networking!
The lack of networking virtualization is holding back your ability to:
• Keep up with the pace of business
• Secure the data center
• Support your apps
The Software Defined Data Center
It’s Time to Virtualize the WHOLE Data Center
Optimized for rapid development and delivery of all applications, for safe consumption on any device. Agile, Secure, Efficient.
© 2016 VMware Inc. All rights reserved. Confidential – Not for Distribution
Network Virtualization Overview
Hardware and software are decoupled, on the server side and on the network side alike:
• Server side: general purpose server hardware → server hypervisor (requirement: x86) → virtual machines, each running an application in an x86 environment.
• Network side: general purpose networking hardware → network hypervisor (requirement: IP transport) → virtual networks, each carrying workloads, with L2, L3 and L4-7 network services.
Data Center Networking Evolution to NSX, from a drone’s-eye view
• DC Hardware
• vSphere: Abstraction
• Consolidation
• Challenges: manual config, no agility, no E-W security, limited scale, bottleneck
• Network Virtualization: network & security services in the hypervisor (NSX Manager, Controller Cluster)
Network Virtualization
Services delivered through NSX Manager and the Controller Cluster: Switching, Routing, Load Balancing, VPN, Connectivity to Physical, Micro-Segmentation.
Properties: non-blocking; green or brown field; non-disruptive; in software; network agnostic; distributed services; programmable (REST API).
[Diagram: application tiers Web, App, DB]

Load Balancer
NSX LB topologies: One-Arm and In-line.
Features: multiple health checks, load balancing algorithms, SSL offload, different topologies, content switching, high availability, programmable (REST API).
Distributed Firewall
The DFW is enforced at the VNIC:
• Line rate (20+ Gbps)
• Stateful L2-L4
• Monitoring
• Spoofguard
• Identity firewall
• Programmable (REST API)
• Runs in kernel space

Intelligent Grouping
DFW policy can group workloads at the VNIC by: machine name, application tier, security posture, regulatory requirements, identity, operating system.
Advanced Security Service Insertion
Network Introspection and Guest Introspection through NetX.

Traffic Visibility and Service Insertion
[Diagram: NSX Manager and vCenter Server expose the NSX APIs (service insertion) and the vCenter APIs; virtual traffic is filtered and sliced toward the inserted service]
DMZ Anywhere
Scalability
Isolation
Cloud Management Platform: Automating IT (IaaS, PaaS)
VMware Cross-Cloud Architecture
• App Continuity, A/S Data Center: GSLB in front of both sites, reducing RTO
• App Continuity, A/A Data Center: GSLB in front of the data centers and a Public Cloud as DC3
Container Inventory Observability and Analytics
Global view of all containers by namespaces or by clusters

Key NSX Data Center Use-cases
Security, Cloud Native, Automation, Multi-Cloud Networking
©2020 VMware, Inc.
Virtual Cloud Network: NSX Provides a Single Solution for VMs, Containers, Bare Metal
[Diagram: NSX spans the data center, branch, edge/IoT, telco/NFV, bare metal, containers and virtual machines; SD-WAN Orchestrator; vRealize Network Insight for broad visibility, NSX Intelligence for deep insight]
Container networking, container security and container analytics for VMware vSphere with Kubernetes, upstream Kubernetes and VMware Tanzu: first-class citizens.
The 4C’s of Cloud Native Security
https://kubernetes.io/docs/concepts/security/overview/
NSX Use Cases for Cloud-Native Apps
• Advanced Container Networking: enterprise-grade container networking
• Micro-Segmentation for Microservices: granular security at the container level
• Cross-Platform Visibility: monitor container-to-container traffic
NSX Container Plugin (NCP): Increase Kubernetes Agility with NSX
[Diagram: NCP infrastructure sits between the Kubernetes API Server and NSX Manager as an NSX Manager API client; supported platforms: Kubernetes, OpenShift, Cloud Foundry, Tanzu (TKG)*, vSphere with K8s, on hypervisor or bare-metal servers; broad support for multi-cloud; agility and scale]
*NCP planned for TKG Release 2
vRealize Network Insight: 360° across virtual, physical, and (multi) cloud
Data sources: VMware ESXi; Public Clouds (VMC, AWS, Azure, GCP); In-Guest & Containers (AppDefense, NSX, PKS); Virtual NSX (V, T); Physical Network & Firewalls; Edge/SD-WAN (VeloCloud).
Collected data: edge flows and metrics; config and streaming telemetry; policies and network latency; processes and services; native cloud constructs for net/sec.
Network:
• Visibility and monitoring
• Traffic and path analysis, end-to-end troubleshooting, analytics
Security:
• Security (micro-seg) planning & operations
• Analytics, audit and compliance
Converge Operations between Containers, Virtual, Physical
Connect the dots between containers and virtual and physical infrastructure.
• Plan security policies for micro-services
• Bring network visibility to containers
• Observability and analytics
Flow-Based Application Discovery: Using Machine Learning on Traffic Patterns
Outcomes and benefits:
• Discover all applications in hours, not days/weeks.
• Complete your CMDB with actual application behavior.
• Reliable application groupings based on network traffic.
• Automatically discover application boundaries without any input.
• Keep application definitions up to date when new VMs are added.
[Diagram: an ungrouped set of VMs is sorted ("ML Magic") into a Marketing Application and a Finance Application, each with Web, App and DB tiers, plus shared DNS and AD services]
Application Dashboard Updates
New Summary Widget:
• Birdseye view on application status.
• Lists open events/problems.
• Lists traffic behavior changes in last 24 hours.
• Application “assembly”: VMs, Physical IPs, and/or K8s Services.
Topology in landscape; intentional scrolling.

NSX Architecture
NSX Data Center Architecture for Private Cloud, Public Cloud & Containers
Management plane (multi-compute): NSX Manager Cluster (Manager/Controller) made of NSX Manager nodes, plus a Cloud Service Manager for public cloud.
Control plane and data plane across private or public cloud infrastructure:
• Private Cloud: NSX Edge (VM or bare metal); ESXi and KVM transport nodes with N-VDS (multi-hypervisor); bare metal servers running NSX; containers through the NSX Container Plugin with a Cloud Foundry adapter and a K8s/OpenShift adapter.
• Public Cloud: Linux and Windows VMs behind an NSX Cloud Gateway, reached over VPN Gateway, DirectConnect or ExpressRoute; VMware Cloud on AWS.
Confidential │ ©2018 VMware, Inc.
NSX-T Networking and Security Services
Services, split into Distributed Services and Centralized Services: Routing, DHCP, NAT, Load Balancing, Edge Firewall, VPN, Connectivity to physical, Distributed Firewall, Metadata Proxy.
Sessions: SAI1017BU - Apply Consistent Security Across VMs, Containers, and Bare Metal; CNET1356BU - NSX-T Deep Dive: Load Balancing; CNET2061BU - Next-Generation Reference Design with NSX-T: Part 1; CNET2068BU - Next-Generation Reference Design with NSX-T: Part 2
NSX in the Data Center
Private Cloud/On-Prem DC:
• Management Cluster: NSX Manager Cluster (x3), vCenter
• Compute Cluster: workload VMs and kernel based network services (distributed switching, distributed routing, distributed firewall) on ESX and KVM hypervisor transport nodes and VM/BM
• Edge Cluster: centralized stateful services (F/W, L/B, etc.) on Edge transport nodes, in VM or bare metal form factor
NSX UI/API – Simplified UI vs Advanced UI/API: what is the difference, when to use what
Simplified UI (Policy APIs used) vs Advanced UI
NSX Terminology
Transport Node (TN)
Data plane node prepared for NSX and participating in traffic forwarding. Ex: hypervisor, Edge Node, bare metal server with NSX Agent.
NSX Virtual Distributed Switch (N-VDS)
NSX software component that performs switching on a Transport Node (the N-VDS typically owns several physical NICs on the Transport Node).
Transport Zone (TZ)
Defines the boundary for logical networks over the physical infrastructure. (The N-VDS on each transport node binds to a specified Transport Zone.)
Logical Segment (LS)
A virtual Layer 2 broadcast domain created within a Transport Zone.
[Diagram: three hosts and an NSX Edge, each with an N-VDS; Transport Zone “TZ1” carries Overlay LS1 and Overlay LS2; an LS is not extended to a TN that is not attached to TZ1]
Unicast Packet Walk
• Web3 sends a unicast to Web1
• A lookup is made for Mac1
• If it’s a hit:
  – Frame is encapsulated
  – Sent unicast to remote TEP
• Else: frame is flooded
[Diagram: Web1 on HV1 (TEP1), Web2 (TEP2) and Web3 on HV3 (TEP3) share one LS. HV3 MAC@ → TEP IP table: Mac1 → TEP1, Mac2 → TEP2, Mac3 → local. Central Control Plane Cluster table: Mac1 → TEP1, Mac2 → TEP2, Mac3 → TEP3. The overlay-encapsulated frame for mac1 leaves TEP3 toward TEP1]
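The packet walk above, as an added simulation (not code from the VMware deck): a transport node with a local MAC-to-TEP table decides between local delivery, unicast encapsulation to the remote TEP, and flooding on a lookup miss. The TEP names, MAC addresses and both tables are constructed to match the slide, and the encapsulation is modelled as a dict rather than a real Geneve/VXLAN header.

```python
"""Simulation of the unicast packet walk above (Web3 -> Web1 on one segment).

Added example, not code from the VMware deck. TEP names, MAC addresses and
the two tables are constructed to match the slide; the overlay encapsulation
is modelled as a dict rather than a real Geneve/VXLAN header.
"""
from dataclasses import dataclass, field

# Central Control Plane (CCP) table for the logical segment (from the slide).
CCP_MAC_TO_TEP = {"mac1": "TEP1", "mac2": "TEP2", "mac3": "TEP3"}
# Every TEP that participates in the segment (used when a frame must be flooded).
SEGMENT_TEPS = ["TEP1", "TEP2", "TEP3"]


@dataclass
class TransportNode:
    """A hypervisor transport node: its own TEP plus a local MAC-to-TEP table."""
    name: str
    tep: str
    local_macs: set
    mac_table: dict = field(default_factory=dict)  # MAC -> TEP or "local"

    def sync_from_ccp(self) -> None:
        """Receive the CCP table; MACs behind this node's own TEP become 'local'."""
        for mac, tep in CCP_MAC_TO_TEP.items():
            self.mac_table[mac] = "local" if tep == self.tep else tep

    def forward(self, src_mac: str, dst_mac: str) -> dict:
        """Decide how a unicast frame from src_mac to dst_mac leaves this node."""
        if dst_mac in self.local_macs:
            return {"action": "local", "inner": (src_mac, dst_mac)}
        tep = self.mac_table.get(dst_mac)
        if tep is not None and tep != "local":
            # Hit: encapsulate once and send unicast to the remote TEP.
            return {"action": "unicast", "outer_src": self.tep,
                    "outer_dst": tep, "inner": (src_mac, dst_mac)}
        # Miss: the node does not know where the MAC lives, so it floods the
        # encapsulated frame to every other TEP of the segment.
        others = [t for t in SEGMENT_TEPS if t != self.tep]
        return {"action": "flood", "outer_src": self.tep,
                "outer_dst": others, "inner": (src_mac, dst_mac)}


def web3_sends_to_web1(synced: bool) -> dict:
    """Slide scenario: Web3 (mac3 on HV3/TEP3) sends a unicast frame to Web1 (mac1).

    synced=True models the CCP having pushed the table (lookup hit);
    synced=False models an empty table (lookup miss, frame is flooded).
    """
    hv3 = TransportNode(name="HV3", tep="TEP3", local_macs={"mac3"})
    if synced:
        hv3.sync_from_ccp()
    return hv3.forward("mac3", "mac1")


if __name__ == "__main__":
    print(web3_sends_to_web1(True))   # unicast to TEP1
    print(web3_sends_to_web1(False))  # flooded to TEP1 and TEP2
```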
Disaster Recovery Today (Simple View)
Primary Site 10.0.10/24 (VM 10.0.10.21) and Recovery Site 10.0.20/24 (VM 10.0.20.21), each with its own physical network infrastructure and SAN:
1. Snapshot VM
2. Replicate VM and storage (steps 1 & 2 e.g. VMware SRM)
3. Recover the VM
4. Change IP address, reconfigure security: major RTO impact
Disaster Recovery with NSX Network Virtualization (Simple View)
Primary Site (10.0.10/24) and Recovery Site (10.0.20/24) each run an NSX Controller and the same Virtual Network 10.0.30/24 over their own physical network infrastructure and SAN; the VM keeps 10.0.30.21 at either site:
1. Snapshot VM
2a. Replicate VM and storage (steps 1 & 2 e.g. VMware SRM)
2b. Snapshot network security
3. Recover the VM: network and security already exist
80% RTO
L2VPN: On-premises to VMware Cloud on AWS SDDC for workload migration and vMotion
NSX on-premises:
• NSX Managed Edge
• Stretch VLAN or VXLAN
No NSX on-premises:
• NSX Unmanaged / Standalone Edge
• VLAN-to-VXLAN support
• Not dependent on NSX on-premises
[Diagram 1: DC 1 (no NSX), VLAN 100, with an NSX-V Unmanaged Edge as L2VPN Client (GUI install / CLI for updates), connected over an IP network to the T0 L2VPN Server of SDDC 1 on VNI 100: same broadcast domain (VNI 100, VLAN 100)]
[Diagram 2: DC 2 (NSX), VNI 200, with an NSX-V Managed Edge as L2VPN Client (API only), connected over an IP network to the T0 L2VPN Server of SDDC 2: same broadcast domain]
NSX Routing

Logical Router Components
Distributed Component (DR): spans transport nodes and provides distributed E-W logical routing. Runs as a service locally in the hypervisors which have been prepared as NSX transport nodes.
Service Component (SR): the Logical Router component responsible for providing on/off ramp gateway functionality or other centralized services. Centralized services like NAT, BGP. Runs inside an Edge node.
[Diagram: the Distributed Router with logical router ports LRP1, LRP2, LRP3, delivered to the ESXi/KVM transport nodes by the NSX installation bundles]
My Traffic Goes Where?!? NSX-T Edge Node Design for VVD/VCF
[Diagram: leaf/spine fabric toward the WAN; compute hypervisors (vSphere) run the DR on every hypervisor (in kernel); the infrastructure clusters (edge nodes, management nodes) host the edge nodes running the SR]
NSX Firewall

Data Center Network Security
Perimeter-centric network security has proven insufficient. And before network virtualization, microsegmentation was operationally infeasible.
[Diagram, Before VMware NSX: a perimeter firewall at the Internet edge with few or no lateral controls inside the perimeter (insufficient); firewalling every workload with physical devices (operationally infeasible)]
NSX Security in SDDC
[Diagram: WAN/Internet → Perimeter Firewall (physical) → NSX Edge Service Gateway → SDDC (Software Defined DC) compute clusters, each with a DFW]
NSX Edge Service Gateway positioned to protect the border of the SDDC: EDGE: North – South traffic protection.
NSX DFW positioned for internal SDDC traffic protection: DFW: East – West traffic protection.
NSX-T Distributed Firewall
Micro-Segmentation
[Diagram: perimeter firewall and inside firewall in front of DMZ, App, Services (AD, NTP, DHCP, DNS, CERT) and DB zones; VMs grouped by Finance, Engineering and HR]
Zero Trust/Least Privilege Model
• Each workload now has its own perimeter FW
• Centralized policy control with logical grouping
• Prevents threats from spreading laterally (East-west)
• Network topology agnostic

NSX-T Distributed Firewall: What is Zero Trust?
NSX-T Distributed Firewall
General / Ethernet Rule Constructs
Rule Number:
• Position of the rule from top to bottom
• Order in which the rules are evaluated
Rule ID:
• Unique 32 bit number assigned to a rule
• Increasing when adding a new rule
Sources/Destinations:
• IP Addresses
• IP Sets
• Logical Switches
• Logical Ports
• NSGroups
Services:
• Pre-defined or custom services or service groups
• ALGs: FTP, MS_RPC, NBDG, NBNS, Oracle_TNS, Sun RPC
Simplified UI: Security Workflows
Domain
Represents an environment/zone. Includes:
§ Rules
§ Groups
Default domain is pre-configured; additional domains can be added (optional).
Rules in a domain should have at least one Group in SRC/DST that is a member of the same domain.
Used for Arista integration (limits rules shared) *
* Future
[Diagram: domains “Prod” and “Dev”, each with Groups, a Security Policy and Rules]
Simplified UI: Security Workflows
Whitelist/Blacklist Connectivity Strategy
Defines the default Distributed Firewall behavior:
§ Blacklist (Default): creates a default allow-all rule
§ Blacklist with logging
§ Whitelist: creates a default deny-all rule
§ Whitelist with logging
§ None: use existing DFW default
Selection available in Simplified UI; the rules will only show up in the Advanced UI.
Simplified UI: Security Workflows
Categories: Distributed Firewall and Gateway Firewall
• Pre-defined categories aligned with common policy model
• Categories available for DFW and GW FW
• Configure rule under relevant category
• “All Rules” view available
• Rules evaluated top → down (left → right)
• Category names can be changed using API
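The rule constructs, the whitelist/blacklist connectivity strategy and the category ordering above, as one added worked model (not NSX code): rules carry a 32-bit rule ID, sources/destinations drawn from NSGroups, IP sets or literal addresses, and a service; evaluation walks categories left to right and rules top to bottom, and an unmatched flow falls to the strategy's default rule. The groups, IP sets and policy are constructed, the category names are NSX-T's pre-defined ones (assumed here), and the matcher is a simplified first-match walk with no connection state or ALG handling.

```python
"""Worked model of the DFW rule constructs and the connectivity strategy above.

Added example, not NSX code: groups, IP sets and the policy are constructed
here, and evaluation is a simplified first-match walk (no connection state,
no ALG handling). The category names are NSX-T's pre-defined ones, assumed.
"""
import ipaddress
from dataclasses import dataclass

# Categories evaluated left to right; rules inside a category top to bottom.
CATEGORIES = ["Ethernet", "Emergency", "Infrastructure", "Environment", "Application"]
# Connectivity strategy -> implicit last rule (slide: blacklist = allow-all,
# whitelist = deny-all).
STRATEGY_DEFAULT = {"BLACKLIST": "ALLOW", "WHITELIST": "DROP"}

# NSGroups and IP sets usable as sources/destinations (constructed inventory).
GROUPS = {"web-tier": {"10.0.1.10", "10.0.1.11"}, "db-tier": {"10.0.2.20"}}
IP_SETS = {"corp-admins": {"192.168.50.0/24"}}


@dataclass
class Rule:
    rule_id: int        # unique 32-bit id, increases as rules are added
    category: str
    sources: list       # group/IP-set names, literal IPs or CIDRs, or "any"
    destinations: list
    services: list      # e.g. "TCP/3306"; "any" matches every service
    action: str         # "ALLOW" or "DROP"


def _matches(ip: str, selectors: list) -> bool:
    """True if ip is covered by any selector (group, IP set, address/CIDR, any)."""
    addr = ipaddress.ip_address(ip)
    for sel in selectors:
        if sel == "any":
            return True
        members = GROUPS.get(sel) or IP_SETS.get(sel) or {sel}
        if any(addr in ipaddress.ip_network(m, strict=False) for m in members):
            return True
    return False


def evaluate(rules: list, strategy: str, src: str, dst: str, service: str) -> tuple:
    """Return (action, rule_id) of the first matching rule, or the strategy default."""
    if any(not 0 <= r.rule_id < 2**32 for r in rules):
        raise ValueError("rule_id must be a 32-bit number")
    # Rule number = position in this ordered walk; sorted() is stable, so the
    # listed order of rules within a category is preserved.
    for r in sorted(rules, key=lambda r: CATEGORIES.index(r.category)):
        if (_matches(src, r.sources) and _matches(dst, r.destinations)
                and ("any" in r.services or service in r.services)):
            return r.action, r.rule_id
    return STRATEGY_DEFAULT[strategy], None


# Constructed policy: admins may SSH anywhere; the web tier may reach the DB
# tier on MySQL; everything else toward the DB tier is dropped explicitly.
POLICY = [
    Rule(1001, "Infrastructure", ["corp-admins"], ["any"], ["TCP/22"], "ALLOW"),
    Rule(1002, "Application", ["web-tier"], ["db-tier"], ["TCP/3306"], "ALLOW"),
    Rule(1003, "Application", ["any"], ["db-tier"], ["any"], "DROP"),
]

if __name__ == "__main__":
    # The same web->web HTTP flow: allowed under blacklist, dropped under whitelist.
    print(evaluate(POLICY, "BLACKLIST", "10.0.1.10", "10.0.1.11", "TCP/80"))
    print(evaluate(POLICY, "WHITELIST", "10.0.1.10", "10.0.1.11", "TCP/80"))
```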
FQDN/URL Whitelisting: Feature Overview
Overview:
• Allow traffic to FQDNs/URLs for a particular VM
• Enforced at DFW level. Uses DNS snooping
• * In NSX-T 2.4, support of only an OOTB pre-canned list of URLs
Benefits:
• Supports communication to a different system/application in a multi-site datacenter: VMs/physical machines in the same or a different datacenter/cloud (e.g. *.vmware.com)
• Supports applications that use native cloud services (e.g. *.s3.amazonaws.com, *.office365.com)
• Supports URL domains on the internet*
Note: This feature does not cover URL classification & reputation. That is currently on the roadmap and will be available in future releases.
NSX Load Balance

Main LB benefits
- Scale out
- High Availability
[Diagram: clients reach a virtual server that spreads connections across a Server Pool]
Layer 4 and Layer 7 Load Balancing
- Layer 4 Load Balancing
  - Connection-based (TCP or UDP)
  - Selection: Round Robin, Least Connections, etc.
- Layer 7 Load Balancing
  - Content-based (HTTP / HTTPS)
  - Selection: based on URI, domain name, etc.
  - URL manipulation (redirect specific pages, add headers, etc.)
  - SSL Offload
  - etc.
[Diagram: Virtual Server 20.20.20.20:80 in front of one Server Pool (L4); Virtual Server 30.30.30.30:80 sends www.mysite.com to pool “www” and blog.mysite.com to pool “blog” (L7)]
Multiple Healthchecks on Pools
Feature: multiple active monitors on a pool (e.g. a Tier-1 with LB testing HTTP + HTTPS against each server in the pool).
Benefit: offers a deeper health monitor on pool members.
HTTPS Load Balancing (1/5): HTTPS Off-Load and HTTPS End-to-End SSL
Layer 7 HTTPS VIP offers 3 modes (1/2):
• HTTPS Off-Load: best balance between security, performance, and LB flexibility.
  • Security: traffic is fully encrypted from the client up to the LB.
  • Performance: traffic is decrypted / encrypted only once.
  [Diagram: client HTTPS → VIP L7 HTTPS:443 → HTTP to the Server Pool; the LB decrypts and forwards in clear]
• HTTPS End-to-End SSL: best security, and LB flexibility.
  • Security: traffic end to end encrypted.
  • Performance: this mode has lower performance, with traffic decrypted/encrypted twice.
  [Diagram: client HTTPS → VIP L7 HTTPS:443 → HTTPS to the Server Pool; the LB decrypts and re-encrypts before forwarding]
HTTPS Load Balancing (2/5): SSL Passthrough
3 modes (2/2):
• SSL Passthrough: best security, limited LB flexibility.
  • Security: end-to-end encryption.
  • Performance: highest performance because the LB does not terminate SSL traffic.
  [Diagram: client HTTPS → VIP L7 HTTPS:443 → HTTPS to the Server Pool; the LB does not decrypt and the SSL connection is terminated on the pool members]
Load Balancer
- Load Balancer (LB)
  - A logical entity you create
  - Similar to physical or virtual load balancers
- Shareable LB objects
  - Can be used in multiple LBs
  - E.g. Monitors, SSL Profiles
- LB is realized when attached to an LR
  - Only Tier-1 LR supported
  - 1:1 between LR and LB
[Diagram: an Edge Node (VM or BM) hosting two Tier-1 routers with LB1 and LB2; LB1 has VS1 and VS2 over Pool1, Pool2 and Pool3, LB2 has VS5 and VS6 over Pool5; Monitor1 and Monitor2 are shared objects]
Load Balancer Service (LBS) Features (1/3)
[Diagram: Virtual Server (Application Profile: Fast-TCP, Fast-UDP, HTTP; Persistence Profile: Source-IP, Cookie; Client-SSL Profile; Server-SSL Profile; LB Rules) → Pool (Active Monitor: HTTP, HTTPS, TCP, UDP, ICMP; Passive Monitor; SNAT) → Pool Members]
Protocols (what application types can be load balanced): IPv4 and IPv6; TCP, UDP with multiple port range support; HTTP, HTTPS. Note: WebSocket also supported.
LB Method (how end-user connections are split across back-end servers): Round-Robin, Weighted_RR, Least-Connection, Weighted_LC, IP-Hash.
Pools (how backend servers are configured): Static; Dynamic (NSGroup).
Persistence (how the LB guarantees a specific user sticks to the same pool member): Source-IP; Cookie (Insert, Prefix, Rewrite).
Monitors (how the LB validates application health on each pool member): Active (LB generates HTTP/S, TCP, UDP, ICMP probes); Passive (LB monitors client connections).
LB-SNAT (how the LB provides LB-SNAT): Transparent (no LB-SNAT); Automap (LB-SNAT using the LB IP@); IP List (LB-SNAT using an IP list).
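The pool-selection features listed above, as one added model (not NSX code): the LB methods, an active monitor taking failed members out of rotation, and Source-IP persistence overriding the method for a returning client. The member IPs, weights and health results are constructed (a dict stands in for the HTTP/S, TCP, UDP or ICMP probes), and the selection logic is a simplified model of the documented methods; `simulate` is a hypothetical driver for the scenario.

```python
"""Model of the LB pool-selection features listed above: LB methods, an active
monitor removing unhealthy members, and Source-IP persistence.

Added example, not NSX code. Health results are a constructed dict standing in
for HTTP/S, TCP, UDP or ICMP probes; the selection logic is a simplified model
of the documented methods.
"""
import hashlib
import itertools
from dataclasses import dataclass, field


@dataclass
class Member:
    ip: str
    weight: int = 1
    healthy: bool = True
    connections: int = 0


@dataclass
class Pool:
    members: list
    method: str = "ROUND_ROBIN"   # ROUND_ROBIN, WEIGHTED_RR, LEAST_CONNECTION, IP_HASH
    persistence: str = "NONE"     # NONE or SOURCE_IP
    _rotation: object = field(default=None, repr=False)
    _sticky: dict = field(default_factory=dict)   # client IP -> Member

    def apply_monitor(self, results: dict) -> None:
        """Active monitor outcome: a member that failed its probe leaves rotation."""
        for m in self.members:
            m.healthy = results.get(m.ip, False)
        self._rotation = None  # rebuild the round-robin cycle on the next pick

    def select(self, client_ip: str) -> Member:
        """Choose the member for a new connection from client_ip."""
        up = [m for m in self.members if m.healthy]
        if not up:
            raise RuntimeError("no healthy members")  # where a Sorry Server would answer
        sticky = self._sticky.get(client_ip)
        if self.persistence == "SOURCE_IP" and sticky is not None and sticky.healthy:
            m = sticky  # returning client keeps its pool member
        elif self.method in ("ROUND_ROBIN", "WEIGHTED_RR"):
            if self._rotation is None:
                reps = (lambda x: x.weight) if self.method == "WEIGHTED_RR" else (lambda x: 1)
                self._rotation = itertools.cycle([x for x in up for _ in range(reps(x))])
            m = next(self._rotation)
        elif self.method == "LEAST_CONNECTION":
            m = min(up, key=lambda x: x.connections)  # ties go to the earliest member
        elif self.method == "IP_HASH":
            digest = hashlib.sha256(client_ip.encode()).digest()
            m = up[int.from_bytes(digest[:4], "big") % len(up)]
        else:
            raise ValueError(f"unknown LB method {self.method}")
        m.connections += 1
        if self.persistence == "SOURCE_IP":
            self._sticky[client_ip] = m
        return m


ALL_UP = {"10.0.1.10": True, "10.0.1.11": True, "10.0.1.12": True}


def simulate(method: str, persistence: str, clients: list, health: dict = ALL_UP) -> list:
    """Constructed scenario: three members (the first with weight 2), one monitor
    run, then one new connection per client IP; returns the chosen member IPs."""
    pool = Pool([Member("10.0.1.10", weight=2), Member("10.0.1.11"), Member("10.0.1.12")],
                method=method, persistence=persistence)
    pool.apply_monitor(health)
    return [pool.select(c).ip for c in clients]
```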
Load Balancer Service (LBS) Features (2/3)
L7 LB Rules (option to allow the LB to manipulate client requests and/or server responses): rules with regex support (for instance: host load balancing, URL block, URL rewrite, response header rewrite, etc.).
L7 Acceleration (how the LB offloads pool members): TCP multiplexing (the LB gathers the web requests of all different clients into the same persistent TCP connections to the pool members; works for HTTP and HTTPS).
SSL (how HTTPS traffic is load balanced):
• SSL Offload (LB terminates HTTPS and talks HTTP to the server)
• SSL End-to-End (LB terminates HTTPS and talks HTTPS to the server)
• SSL Passthrough (LB does not terminate HTTPS and talks HTTPS to the server)
• SNI support (LB presents different certificates to the client based on the host name presented by the client)
• Client certificate authentication (LB asks for and validates the client cert)
• FIPS compliance, pre-defined cipher lists, SSLv3 support
Load Balancer Service (LBS) Features (3/3)
Connection Throttling (how the LB protects VIPs and pool members against excessive load):
• Client side: max concurrent connections; max new connections / sec
• Server side: max concurrent connections
High Availability (what the active LB synchronizes to the standby LB): L4 flow state; Source-IP persistence state; healthcheck state.
Monitoring (what LB status and statistics are offered): VIP/Pool status; VIP/Pool sessions (current/max/total/rate); VIP/Pool bytes (in/in-rate/out/out-rate); VIP/Pool HTTP requests (total/rate).
Miscellaneous: Sorry Server; TCP Profile; download all LB configuration (API).
Demo 1: Full creation of LB + services via UI
1. Create a Load Balancer (an instance or logical entity similar to a virtual load balancer)
2. Attach to a Tier-1 LR
3. Create a Pool with healthcheck
4. Create a Virtual Server (VIP + port)
5. Attach to the Load Balancer
[Diagram: Tier-0 LR → Tier-1 LR carrying the LB; the Virtual Server fronts a Pool containing Web1 and Web2]
Demo 2: Full creation of LB + services via API
Same steps 1–5 as Demo 1 (create a Load Balancer, attach to a Tier-1 LR, create a Pool with healthcheck, create a Virtual Server with VIP + port, attach to the Load Balancer), performed through the API.
Hands On Lab: https://labs.hol.vmware.com/HOL/catalogs/catalog/1212

Thank You