HPE Reference Configuration for VMware NSX integration with HPE Hyper Converged 380

Incorporating software-defined networking for the multipurpose HPE Hyper Converged infrastructure

Technical white paper


Contents

Executive summary
Introduction
Solution overview
Solution components
  Hardware
  Software
Deployment and configuration guidance for the solution
Use Case validation
  Use Case 1: Deploy workload VMs from HPE HC 380 Management UI in VxLAN backed virtual networks
  Use Case 2: Protect workload VMs using centralized and stateful distributed firewall policies
  Use Case 3: Distributed routing for workload VMs between VxLANs and external networks
  Use Case 4: Provide application HA and scaling using VMware NSX load balancing
Summary
Resources and additional links


Executive summary

The HPE Hyper Converged 380 offers a seamless integration of compute, storage and virtualization. HPE Hyper Converged 380 accelerates the speed and agility of deploying virtualized workloads by simplifying IT and improving operational efficiency. The HPE Hyper Converged 380 platform is highly scalable in capacity and performance because of its building block (appliance) model. The HPE Hyper Converged Management UI is a simplified web console which enables the IT generalist to quickly provision VMs with 5 simple clicks.

As virtualized workloads scale rapidly, IT must move faster. As a result there is a higher demand on your IT for isolation, security and visibility. VMware NSX™ is a VMware® network virtualization platform that allows IT administrators to dynamically create and manage virtual networks independent of underlying physical network topology. VMware NSX is a non-disruptive solution that is deployed on any IP network, including existing data center network designs or next generation fabric architectures from any networking vendor. With NSX, you already have the physical network infrastructure you need to deliver a software-defined data center.

This Reference Configuration demonstrates the following benefits:

• Ability to consume software-defined virtual networks and security services for virtualized workloads deployed on the HPE Hyper Converged infrastructure without any reconfiguration of the physical network

• Micro-segmentation and granular stateful security delivered directly to the virtualized workloads deployed from HPE HC 380 Management UI, thus reducing risk and the impact of security breaches

• Enhance virtualized workload mobility, independent of physical networks within and across data centers

• Enables IT to provision resources required to deploy applications and services quickly and reduce provisioning time from days to seconds

• Provide on-demand application high availability (HA) and increased performance for virtualized workloads deployed on the HPE Hyper Converged 380

The software-defined security and networking solution from VMware NSX combined with the HPE Hyper Converged 380 platform enable an IT organization to seamlessly transform into an internal IT service provider.

Target audience: This document is intended for IT professionals/administrators who use, manage, or administer virtualized IT environments and want to augment a solution with software-defined network capabilities, such as micro-segmentation, firewall and application high availability delivered at the VM level. This information is also intended for those who evaluate, recommend, or design new IT high performance architectures, and who want to understand the combined value of the Hewlett Packard Enterprise and VMware solution to radically simplify and secure VM vending with HPE Hyper Converged platforms. The reader should have a strong working knowledge of network security and virtualization.

Note: This document is provided without warranty or contract, either explicit or implied. The use of this document does not change your HPE Hyper Converged 380 support. Your HPE HC 380 support contract continues to cover the base product; however, it does not cover the features or functions added to the HC 380 as a result of implementing the steps described herein. If you have any questions, please submit questions at hpe.com/contact/feedback

Introduction

The HPE Hyper Converged 380 is a hyperconverged appliance that offers a highly available and scalable integrated server and storage infrastructure. The HPE Hyper Converged 380 Management UI adds full lifecycle management, VM provisioning and updates in a single pane of glass. The HPE Hyper Converged 380 delivers a turn-key virtualization solution for customers who want to quickly deliver the resources for application development and consumption.

The HPE Hyper Converged 380 accelerates the deployment of virtualized workloads, improves operational efficiency and reduces complexity. The highly scalable HPE Hyper Converged 380 and the simplified HPE HC 380 Management UI allow deploying VMs and hence applications and services at cloud speed. As a result the IT organization must provision network resources in sync to support the business needs faster. In other words, the software centric design of the HPE Hyper Converged infrastructure needs a software-defined networking solution in order to scale in sync.


VMware NSX is a software-defined networking and security solution from VMware and one of the pillars in building the software-defined data center. VMware NSX reproduces all network and security services of data centers in logical space for greater speed and agility and deeper security. Improving operational efficiency is the top benefit expected by those planning to deploy HPE Hyper Converged infrastructure. VMware NSX based software-defined networking and security will further enhance operational efficiency by overcoming the limitations of traditional hardware-defined networking.

Solution overview

Designed from the ground up for the software-defined data center, the HPE Hyper Converged 380 provides a pre-installed and pre-integrated platform to enable a standardized approach to virtual server deployment, and is available in two workload configurations: General Virtualization, and Virtual Desktop Infrastructure (VDI). In this Reference Configuration, the HPE Hyper Converged 380 nodes were deployed in the General Virtualization configuration which is a base virtualization platform preconfigured for development environments, web/app servers and lightweight applications.

The HPE Hyper Converged 380 Installation Guide was used to install the Hyper Converged 380 nodes. The HPE Hyper Converged 380 supports both local and remote VMware vCenter™ Server options. However, VMware NSX best practices recommend using a dedicated management cluster for hosting the vCenter and VMware NSX components, hence, this Reference Configuration was validated only for the remote vCenter option. The HPE HC 380 Management UI was used to deploy virtual machines. The HPE Hyper Converged 380 storage was managed using the simplified HPE OneView for VMware vCenter plugin. VMware NSX was deployed and managed using the existing (remote) vCenter Server while the NSX advanced services like firewall and routing were deployed on the shared HPE Hyper Converged 380 cluster.

This Reference Configuration was implemented as shown in figure 1 and validated for the following use cases:

• Use Case 1: Deploy workload VMs using HPE HC 380 Management UI in VxLAN backed virtual networks

• Use Case 2: Protect workload VMs using centralized and stateful distributed firewall policies

• Use Case 3: Distributed routing for workload VMs between VxLANs and external networks

• Use Case 4: Provide application HA and scaling using NSX load balancing


Figure 1. Logical diagram of HPE Hyper Converged 380 and VMware NSX services integration

Solution components

Hardware

For the validation of this Reference Configuration, a total of four HPE Hyper Converged 380 nodes were configured and the onboard HPE HC 380 Management UI was used for deploying sample workload VMs. Each of the nodes had the following configuration:

• 2x Intel® Xeon® CPU E5-2620 v3 @ 2.40GHz (6 cores per socket), 128 GB R-DIMMs memory

• 1x Storage Block with 8 drives (2xSSD and 6xHDD) Hybrid Block – Mixed Use with Usable capacity 6.8TB

• HPE Ethernet (Type FlexLOM) 10Gb 2-port 560FLR-SFP+ Adapter

• HPE Embedded Ethernet 1Gb 4-port 331i Adapter


Figure 2. HPE Hyper Converged 380 server front views, with and without bezel

Figure 3. HPE Hyper Converged 380 server rear view

Software

Table 1 lists the key software components required to validate this Reference Configuration. Refer to the “Resources and additional links” section for more information, including the HPE Hyper Converged 380 Release Notes for Update 2.

Table 1. HPE and VMware software matrix

| Software | Version |
|---|---|
| HPE Hyper Converged 380 Update 2 | 1.10.04 |
| VMware NSX Manager | 6.2.4.4292526 |


Deployment and configuration guidance for the solution

For the validation of this Reference Configuration, the following steps were performed:

• A total of four HPE Hyper Converged 380 nodes were deployed and managed by an existing (remote) vCenter Server using the “HPE Hyper Converged 380 Installation Guide”.

• VMware NSX Manager and three NSX Controllers were deployed on a separate vSphere ESXi cluster managed by the remote vCenter Server and configured with VMware NSX Enterprise Edition licensing, using the VMware NSX installation guide from the VMware NSX for vSphere Documentation.

Key point: It is recommended that the management ESXi cluster and the HPE Hyper Converged 380 cluster be managed by separate vCenter Servers.

• HPE Hyper Converged 380 storage datastores were managed using the HPE OneView for VMware vCenter plugin installed on the remote vCenter Server.

• In addition to the standard VLANs (ESXi Mgmt, vMotion and iSCSI Storage), a dedicated VLAN (e.g., 51) for the VxLAN Overlay network and two VLANs for the edge uplink networks (e.g., 61 and 62) were configured for north-south connectivity.

• Once the HPE Hyper Converged 380 nodes were initialized, a VMware Virtual Distributed Switch (e.g., HC380-dvSwitch) was created using the unused ports in the HPE Embedded Ethernet 1Gb 4-port 331i Adapter. Figure 4 shows the HPE HC 380 VMware Virtual Distributed networking configuration for the ESXi hosts in the HPE HC 380 Cluster.

Key point: VMware Distributed vSwitch is a mandatory requirement for VMware NSX Services for VxLAN and Distributed Firewall. If unused Ethernet ports are not available, then additional network adapters may be added and used as physical uplinks for VMware Distributed vSwitch. Supported network adapters are denoted in the HC 380 QuickSpecs documentation found in the “Resources and additional links” section. HPE HC 380 standard networking must not be modified and factory deployed HPE VMs must not be migrated to VMware Distributed Virtual Switch.

Figure 4. Configuring VMware Distributed Virtual Switch with unused NICs (vmnic2 and vmnic3) as uplinks.

Key point: To configure Enhanced LACP for the VMware Distributed Virtual Switch Uplinks refer to VMware KB 2051826.

• Using the VMware NSX Administration Guide, from the VMware NSX for vSphere Documentation, the VxLANs were configured for the Customer/Production or Workload VM Networks. A distributed router was deployed between the Workload VxLANs and Transit VLANs while edge gateways were deployed in the Transit VxLANs and external edge VLANs.

Key point: VxLAN Overlay VMkernel Interfaces will be created automatically once the HPE HC380 ESXi Servers are prepared using the VMware NSX Administration Guide from the VMware NSX for vSphere documentation.

• From the vSphere Web Client, VxLANs for the workload VMs were created as shown in figure 5. The transit VxLAN was configured for enabling north-south traffic to the customer network via the edge network VLANs. Refer to the “Resources and additional links” section for documentation on VMware NSX deployment in brownfield data center.

Figure 5. Configuring the VxLAN for workload deployment while transit VxLAN is consumed by edge devices

• Before creating a firewall policy to protect the workload VMs, a firewall exception must be configured for the HPE Hyper Converged 380 management VMs (HPE-HC-mgmt-USE6277842 and HPE-HC-mgmtui) and all of the HPE StoreVirtual VSA VMs (SVVSA-USE6277842 to SVVSA-USE6277845). Figure 6 shows the list of management and StoreVirtual VSA VMs excluded from the firewall policy.

Figure 6. Configure firewall exception for HPE Hyper Converged 380 management VMs and HPE StoreVirtual VSA VMs

Key point: When adding HPE HC 380 expansion nodes, the VMware NSX firewall exception rule must be updated with the new HPE StoreVirtual VSA VMs.

Key point: Ensure that all HPE Hyper Converged 380 management VMs (including VMware vCenter Server) and HPE StoreVirtual VSA VMs are added to the exclusion list to prevent blocking of HPE management services.

• Configure a Firewall rule as shown in figure 7 to protect workload VMs on the HPE Hyper Converged 380 ESXi nodes. This will be used in Use Cases 2 and 3.

Figure 7. Configure firewall rules for the workload VMs deployed in the workload VxLANs in the HPE Hyper Converged 380 deployment

• At this stage, users will be able to deploy workload VMs from the HPE HC 380 Management UI and consume the advanced network services that were configured using VMware NSX.
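The firewall exception steps above can drift as expansion nodes are added, and any workload VM that ends up on the exclusion list is no longer covered by the distributed firewall. The following is an added example, not part of the HPE white paper: it audits an exclusion list against a VM inventory in both directions. The name patterns are assumptions derived from the example VM names in this document, and the inventory entries marked as constructed are sample data.

```python
from fnmatch import fnmatchcase

# Assumption: patterns derived from the example names in this document
# (HPE-HC-mgmt-USE6277842, HPE-HC-mgmtui, SVVSA-USE6277842). Adjust to
# the naming used in the actual deployment.
MUST_EXCLUDE_PATTERNS = ("hpe-hc-mgmt-*", "hpe-hc-mgmtui", "svvsa-*")


def must_be_excluded(vm_name, extra_names=()):
    """True if the VM is a management or StoreVirtual VSA VM.

    extra_names carries VMs that cannot be recognised by pattern,
    for example the vCenter Server VM.
    """
    name = vm_name.lower()
    if name in {n.lower() for n in extra_names}:
        return True
    return any(fnmatchcase(name, p) for p in MUST_EXCLUDE_PATTERNS)


def audit_exclusion_list(inventory, exclusion_list, extra_names=()):
    """Compare the firewall exclusion list with the VM inventory.

    missing    - management/VSA VMs not excluded (management traffic
                 may be blocked by the workload policy)
    unexpected - excluded VMs that are not management/VSA VMs (they
                 bypass the distributed firewall entirely)
    stale      - excluded names that no longer exist in the inventory
    """
    inv = {n.lower(): n for n in inventory}
    exc = {n.lower(): n for n in exclusion_list}
    missing = sorted(
        inv[k] for k in inv
        if k not in exc and must_be_excluded(k, extra_names)
    )
    unexpected = sorted(
        exc[k] for k in exc
        if k in inv and not must_be_excluded(k, extra_names)
    )
    stale = sorted(exc[k] for k in exc if k not in inv)
    return {"missing": missing, "unexpected": unexpected, "stale": stale}


# Inventory after a hypothetical expansion node has been added.
INVENTORY = [
    "HPE-HC-mgmt-USE6277842", "HPE-HC-mgmtui",
    "SVVSA-USE6277842", "SVVSA-USE6277843",
    "SVVSA-USE6277844", "SVVSA-USE6277845",
    "SVVSA-EXAMPLE0005",   # constructed: VSA VM of the expansion node
    "vcenter-example",     # constructed: vCenter Server VM name
    "fd14wp01", "fd14wp02", "fd14sql01",
]

# Exclusion list as it might look before the audit (constructed).
EXCLUSIONS = [
    "HPE-HC-mgmt-USE6277842", "HPE-HC-mgmtui",
    "SVVSA-USE6277842", "SVVSA-USE6277843",
    "SVVSA-USE6277844", "SVVSA-USE6277845",
    "fd14sql01",           # constructed: workload VM excluded by mistake
    "SVVSA-RETIRED0001",   # constructed: VM that no longer exists
]

if __name__ == "__main__":
    report = audit_exclusion_list(
        INVENTORY, EXCLUSIONS, extra_names=("vcenter-example",)
    )
    for finding, names in report.items():
        print(f"{finding}: {names}")
```

The VM names can be supplied from whatever inventory export is available; the audit itself only needs the two name lists.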


Use Case validation

Use Case 1: Deploy workload VMs from HPE HC 380 Management UI in VxLAN backed virtual networks

• This use case validated that the workload VMs can be deployed from HPE HC 380 Management UI in virtual networks backed by VxLANs created with VMware NSX using the vSphere Web Client.

• Using HPE HC 380 Management UI we deployed two VMs (NGINX web servers) in the “HC380 Workload Network 1 (VxLAN)(dvSwitch-HC380)” network and one (MySQL) database VM in the “HC380 Workload Network 2 (VxLAN)(dvSwitch-HC380)” network.

• Figure 10 shows the steps used to deploy the first web server VM, namely fd14wp01, in the “HC380 Workload Network 1 (VxLAN)(dvSwitch-HC380)” network. This step was repeated to deploy the second web server, fd14wp02, in the same network, and the MySQL Database VM, fd14sql01, in the “HC380 Workload Network 2 (VxLAN)(dvSwitch-HC380)” network.

Figure 10. Sample workload VM deployed using HPE HC 380 Management UI in the network backed by a VxLAN port group in vCenter Server


• All VMs were successfully deployed from HPE HC 380 Management UI and obtained DHCP IP addresses. Figure 11 shows the details of the fd14wp01 VM deployed using HPE HC 380 Management UI.

Figure 11. VM details of the first web server deployed in VxLAN network and IPv4 obtained using DHCP

• Use Case 1 was successfully validated by showing that HPE HC 380 Management UI can enable an IT generalist to easily deploy VMs and consume VxLAN backed networks and therefore remove the frequent need for modifications to the underlying physical network configuration.


Use Case 2: Protect workload VMs using centralized and stateful distributed firewall policies

• This use case validated that the security policies can be configured in VMware NSX and applied directly to the workload VMs as they are deployed from HPE HC 380 Management UI.

• In this example, the VMs deployed in Use Case 1, i.e., fd14wp01, fd14wp02 and fd14sql01, are protected by the firewall policy configured in the “Deployment and configuration guidance for the solution” section. The firewall policy is configured to allow SSH and MySQL connections while blocking all other protocols as shown in figure 12.

Figure 12. Validating the VMware NSX firewall rule – SSH: Allowed, All others: Blocked

• Use Case 2 was successfully validated by showing that HPE HC 380 Management UI combined with VMware NSX can enable IT to configure and apply stateful security policies directly to the workload VM.


Use Case 3: Distributed routing for workload VMs between VxLANs and external networks

• This use case validated that the workload VMs deployed from the HPE HC 380 Management UI can connect to resources across different VxLANs, VLANs or external networks by using VMware NSX Distributed Logical Router (DLR) and Edge Services Gateway (ESG).

• In the previous Use Case 2, an SSH connection was initiated from the user's workstation, fd14js01.hpe.local, to the web server, fd14wp01.hpe.local. To achieve this, a VMware NSX Edge Gateway was configured with BGP protocol to enable routing between virtual and physical networking (north-south) while OSPF protocol was configured on the VMware NSX DLR for inter-VxLAN (east-west) routing.

• Figure 13 shows that the MySQL connection was established from the web server fd14js01.hpe.local to MySQL VM fd14sql01.hpe.local using the VMware DLR inter-VxLAN (east-west) routing.

Figure 13. Validating the firewall rule and distributed routing from a web server (fd14wp01.hpe.local) to MySQL server (fd14sql01.hpe.local)

• Use Case 3 was successfully validated by showing that the workload VMs deployed from HPE HC 380 Management UI can be easily isolated with a combination of firewall rules and logical routing between virtual and physical networks using VMware NSX Advanced services.


Use Case 4: Provide application HA and scaling using VMware NSX load balancing

• This use case validated that application HA and scaling was configured using a VMware NSX load balancer for the workload VMs deployed using HPE HC 380 Management UI.

• In this example, a standalone VMware NSX Edge device was deployed with one interface with IP address 172.31.100.10 in the Workload VxLAN Network 1. The load balancer was configured to load balance the HTTP protocol between the workload VMs, i.e., fd14wp01.hpe.local and fd14wp02.hpe.local. Figure 14 shows the load balancing between the two NGINX web servers.

Figure 14. Validating the load balancing between NGINX web servers using the load balancing VIP fd14wp.hpe.local

• Use Case 4 was successfully validated by showing that application HA can be configured using a VMware NSX load balancer for the workload VMs deployed using HPE HC 380 Management UI.

Summary

The top benefit of HPE Hyper Converged 380 lies in its simplicity and operational efficiency. As business needs change, simplicity, and not complex technology, is key to scaling IT resources. HPE Hyper Converged infrastructure simplifies the deployment of servers, storage and virtualization resources while the VMware NSX solution provides logical network and security services which can be deployed in seconds. HPE Hyper Converged 380 combined with VMware NSX provide all the elements for the infrastructure, i.e., software-defined compute, storage and networking forming the three key pillars of a software-defined data center.

The key benefits of this solution are:

• Deploy applications and services at cloud speed leveraging the simplicity of HPE Hyper Converged 380 and the fully automated provisioning of network services from VMware NSX.

• Overcome limitations of traditional hardware-defined network and security solutions by enforcing security policies right at the VM, thus reducing the risk and impact of data breaches

• Micro-segmentation and simplified physical network topology

The software-defined security and networking solution from VMware NSX combined with the HPE Hyper Converged 380 platform enable an IT organization to seamlessly transform into an internal IT service provider.

This Reference Configuration describes solution testing performed in December 2016.


© Copyright 2017 Hewlett Packard Enterprise Development LP. The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein.

VMware, vCenter and VMware NSX are registered trademarks or trademarks of VMware, Inc. in the United States and/or other jurisdictions. Intel and Xeon are trademarks of Intel Corporation in the U.S. and other countries.

a00001464enw, June 2017, Rev. 1

Resources and additional links

HPE Reference Architectures hpe.com/info/ra

HPE Hyper Converged Infrastructure hpe.com/info/hyperconverged

HPE Hyper Converged 380 Installation Guide http://h20565.www2.hpe.com/hpsc/doc/public/display?docId=c05102727

HPE Hyper Converged 380 Release Notes http://h20565.www2.hpe.com/hpsc/doc/public/display?docId=c05102821

HPE Hyper Converged 380 QuickSpecs http://h20195.www2.hpe.com/V2/GetDocument.aspx?docname=c04790439

HPE Technology Consulting Services hpe.com/us/en/services/consulting.html

VMware vSphere Networking Guide vmware.com/support/pubs/vsphere-esxi-vcenter-server-6-pubs.html

VMware NSX for vSphere Documentation vmware.com/support/pubs/nsx_pubs.html

VMware NSX Brownfield Deployment Guide vmware.com/products/nsx.html

To help us improve our documents, please provide feedback at hpe.com/contact/feedback.