Percy Wadia, Amol Tipnis
MMC1532BE
#VMworld #MMC1532BE
Using VMware NSX Cloud for Enhanced Networking and Security for AWS Native Workloads
VMworld 2017 Content: Not for publication or distribution
Disclaimer
• This presentation may contain product features that are currently under development.
• This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.
• Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.
• Technical feasibility and market demand will affect final delivery.
• Pricing and packaging for any new technologies or features discussed or presented have not been determined.
#MMC1532BE CONFIDENTIAL
Agenda
1 VMware Cloud Services
2 Introducing NSX Cloud
3 Key Customer Challenges
4 NSX Cloud Service Approach
5 Next Steps
VMware Cloud Services
VMware Cloud: Run, Manage, Connect, Secure Any App on Any Cloud to Any Device
Cloud Native Apps: Time to market • Innovation • Scale • Differentiation
Existing Apps: Reduce Costs • Security • Reliability • Control
Workload types: Containers • Virtual Machines
Consistent Infrastructure: VM Infrastructure • Container Infrastructure
Consistent Operations: Management and Operations • Across Clouds
Cloud Management: Visibility • Operations • Automation • Security • Governance
Underlying infrastructure: VMware Cloud Infrastructure (e.g. VMware Cloud on AWS) • Public Cloud IaaS
VMware Cloud Services: Manage, Govern and Secure Public and Private Cloud Apps
(Spanning public clouds and the on-premises data center)
Discovery: Visibility into apps and the resources they consume. Analyze usage and utilization across clouds.
Cost Insight: Accounting and cost optimization for multiple clouds. Track and analyze your costs and trends.
NSX Cloud: Secure networks with micro-segmentation. Create private networks within or across clouds.
Network Insight: Operational visibility, control, and compliance across clouds. Optimize performance, health, and availability.
Wavefront: Metrics-driven monitoring and real-time analytics.
AppDefense: Governance for running workloads.
Key Challenges In Public Clouds
Personas (within AWS Account 1): Cloud Network Admin • Cloud Security Admin • DevOps / Developer
• Extending the enterprise network to the cloud
• Lack of visibility into cloud traffic flows
• Remaining focused on application development and deployment
• Security policy consistency across the hybrid cloud
• DevOps compliance with enterprise security policies
• Leveraging enterprise operational tools
VMware NSX Cloud
Consistent networking and security for applications running natively in public clouds
• Visibility across clouds
• Unified security policy
• Network Portability
• Consistent Operations
[Diagram: Web/App/DB application tiers running in AWS VPCs and a VNET, with VMware NSX Cloud providing Consistency, Visibility, Security and Networking across them]
Visibility into your cloud environment becomes challenging ...
Cloud Admin • DevOps – 1 • AWS Account 1
How do I consistently know what I am managing and securing ... within my VPC?
[Diagram: multiple Web/App/DB application stacks inside a single VPC]
... With VPC sprawl increasing the complexity ...
Cloud Admin • DevOps – 1 • AWS Account 1
How do I consistently know what I am managing and securing ... across VPCs within an Account?
[Diagram: AWS Account 1 with VPC A, VPC B and VPC C, each holding multiple Web/App/DB application stacks]
... Adding multiple cloud accounts exacerbates the challenge
DevOps – 1 • DevOps – 2 • DevOps – 3
How do I consistently know what I am managing and securing ... across multiple Accounts?
[Diagram: AWS Accounts 1, 2 and 3, each with VPC A, VPC B and VPC C holding multiple Web/App/DB application stacks]
Demo: Visibility through VMware NSX Cloud Service Manager
1: A Single Pane of Glass across all VPCs, all accounts ...
• Single inventory view across all accounts and all VPCs
• Operational network / security status of every VM enables rapid response
... And eventually, across all clouds
FUTURES
Manage and monitor your cloud across AWS and Azure from a single, consolidated inventory view in NSX Cloud
Cloud Security controls are different ... with their own limitations
• Multiple VPCs create multiple security touch-points
• Cloud security resource limitations inhibit consolidation
• Static group membership and IP-address rules require coordination at deployment
• Cloud operational framework inconsistent with on-premises
[Diagram: AWS Account 1 with VPC 1, VPC 2 and VPC 3, each holding Web/App/DB stacks and its own separately managed set of AWS security groups, all handled by one Cloud Admin]
2: A Single Security Posture Across your hybrid cloud
✓ Single security policy
✓ Rich set of abstractions
✓ Dynamic security group membership
✓ No cloud-resource limitations
[Diagram: one Security Policy, maintained by the Cloud Admin, spanning Security Groups 1, 2 and 3 across VPC 1, VPC 2 and VNET 1]
3: Real Time Operational Visibility Into Firewall Rule Invocations
• Route firewall logs to industry-standard syslog and leverage the SIEM tool of your choice
• Real-time operational visibility into your cloud security posture
• Operational consistency with your on-premises security environment
[Diagram: firewall logs from Web/App/DB workloads in a VPC in AWS Account 1 forwarded over SYSLOG]
Demo: Decoupling Application Deployment and Security
4: Defense in Depth through Default Quarantine
• Multi-layered security through NSX and AWS security groups managed by NSX
• Fully configurable for each VPC with exclusion lists
• Best of both worlds – greater agility for test & dev, higher structural integrity for production
[Diagram: in Test and Dev, NSX Managed and NSX Unmanaged instances coexist; in Production, instances are either NSX Managed or Quarantined (✘)]
Demo: Multi-layered Security through Default Quarantine
5: Extend Enterprise Network Policy to Cloud
✓ Single network policy, deploy anywhere
✓ Full control of IP addresses
✓ Stretch subnets across public cloud availability zones
[Diagram: a static VPC network topology (VPC A ... VPC N) overlaid by an NSX logical network topology spanning Web/App/DB workloads]
6: Network Trace and Visibility
✓ East-west traffic visibility within VPCs
✓ Troubleshooting ease in cloud environments
✓ Consistency with on-prem operational tools
Demo: Troubleshooting through NSX Traceflow
NSX on-premises and in the cloud

NSX on-premises                      NSX Cloud
We give you bits                     Just log in and use
You install                          No installation
You patch, upgrade                   We take care of patches / upgrades
Perpetual license (usually)          Pay per use
On your servers / In your network    Runs in cloud
Features are (mostly) the same in both
A Dedicated NSX Instance for your Cloud Environment
[Diagram: the NSX Cloud Dashboard fronts per-customer NSX Managers. Customer 1 and Customer 2 each get their own NSX Manager and Cloud Service Manager, and each of their compute VPCs (VPC-1 ... VPC-N) runs an NSX cloud gateway]
VMware NSX Cloud – Under the Covers Architecture
[Diagram: Control Plane, Data Plane and Management Plane laid out across a Customer AWS Account and a VMware AWS Account. Components shown: NSX Cloud Gateway (Cloud Gateway) with Linux and Windows VMs on public cloud infrastructure with hypervisor (e.g. AWS); NSX Cloud Dashboard; NSX Controller Cluster; NSX Manager and Cloud Service Manager]
Operational Control Without Infrastructure Management

NSX Operations                       VMware    Customer
NSX Cloud Deployment                 ✓
Onboard Compute VPCs                           ✓
Manage Security, Network policies              ✓
NSX Maintenance / Upgrades           ✓
NSX Cloud Summary
Cloud Network Admin: defines network topology and IP addressing
Cloud Security Admin: mandates security policies and ensures compliance
DevOps / Developer: focuses on app development and deployment
Decoupling maintains agility. Control cloud networking & security.
Getting Started with VMware NSX Cloud is Easy
Request Access @ https://cloud.vmware.com
All 3 Days
Solutions Exchange: Talk to our experts and learn more about VMware Cloud Services
Hands On Labs: Self-service experience: Try out VMware Cloud Services yourself
Tuesday
MMC1532BE Using VMware NSX for Enhanced Networking and Security for AWS Native Workloads
MMC3164BE How Data Science is Transforming Operations: Introduction to Wavefront by VMware
Wednesday
MMC2888GE How We’ve Accelerated Innovation While Keeping Our Cloud Spending in Check
MMC3074BE Three Ways to Use New VMware Cross-Cloud Services to Efficiently Run Workloads Across AWS, Azure, and vSphere: VMware and Customer Technical Session
Thursday
MMC2820BE Live Demo: 3 Best Practices for Deploying, Managing and Securing AWS EC2 Apps with VMware Cloud Services
MMC3066BE How Do You Use Network Insights' SaaS to Secure Multitier Hybrid Apps Running on vSphere, VMware Cloud on AWS, and AWS Native?
Continue the NSX Cloud journey!
Take the Hands-on Lab for NSX Cloud HOL-1822-01-NET
VMware NSX Cloud - Secure Native Workloads in AWS!
Learn more about VMware Cloud Services