Ray Budavari, Senior Staff Technical Product Manager NSX, @rbudavari

LHC2103BU

#VMworld #LHC2103BU

NSX and VMware Cloud on AWS: Deep Dive

VMworld 2017


Disclaimer

• This presentation may contain product features that are currently under development.

• This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.

• Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.

• Technical feasibility and market demand will affect final delivery.

• Pricing and packaging for any new technologies or features discussed or presented have not been determined.


Session Objectives – NSX and VMware Cloud on AWS: Deep Dive

• Cover technical details on how networking and security are implemented in VMware Cloud on AWS

– Including all the gory details ☺

• Learn about how NSX is foundational in enabling the VMC service

– Because everything interesting happens in networking and security ☺

• Allow me to share what I’ve been working on ☺

• Complement other VMC on AWS VMworld sessions:

– LHC2384BU: VMware Cloud on AWS A Technical Deep Dive

– LHC2105BU: NSX and VMware Cloud on AWS: The Path to Hybrid Cloud


Agenda – NSX and VMware Cloud on AWS: Deep Dive

1 VMware Cloud on AWS Overview

2 NSX in VMware Cloud on AWS

3 User Experience Walkthrough

4 Technical Deep Dive: Initial Availability

5 Technical Deep Dive: Future Releases

6 Q&A


VMware Cloud on AWS Overview


VMware Cloud on AWS – Enabling Hybrid Cloud

• Leading compute, storage and network virtualization capabilities

• Support for broad range of workloads

• De-facto standard for the enterprise DC

• Flexible consumption economics

• Broadest set of cloud services

• Global scale and reach

VMware Cloud on AWS

VMware vSphere-based service running on the AWS Cloud

(Diagram: VMware Cloud™ on AWS – vSphere, vSAN, NSX and vCenter running on the AWS Global Infrastructure – alongside the Customer Data Center (vSphere, vSAN, NSX, vCenter) and Native AWS Services (Amazon EC2, Amazon S3, Amazon RDS, AWS Direct Connect, AWS IAM, AWS IoT); Operational Management via vRealize Suite, vSphere Integrated Containers, ISV Ecosystem.)

• ESXi on Dedicated Hardware

• Support for VMs and Containers

• vSAN on Flash and EBS Storage

• Replication and DR Orchestration

• Advanced Networking & Security Services

• NSX Spanning on-premises and Cloud

Key Use Cases for VMware Cloud on AWS

NSX is essential for all these use cases

• Scenario 1: Maintain and Expand – Private Cloud, Public Cloud

• Scenario 2: Consolidate and Migrate – Private Cloud, Public Cloud, Private Cloud

• Scenario 3: Workload Flexibility – Flex as needed

NSX in VMware Cloud on AWS – Networking and Security Details


NSX ENABLES ALL NETWORKING IN VMC

(Diagram: VMware NSX provides the NSX Services – Logical switching, Logical routing, Firewalling and security, EC2 & VPC Networking.)

NSX in VMC on AWS Introduction

▪ All VM networking in VMware Cloud on AWS is provided by NSX

▪ Provides compatibility with NSX and vSphere products used on-premises

▪ Jointly engineered solution between VMware and Amazon

▪ Delivered using an ‘as a service’ cloud model


VMC Consumption Models for Networking and Security

Simplified Mode (IA) – vSphere Web Client and VMC Web Console

• Networking Consumption with vSphere Web Client and VMC Console

• Customers who may not be using full VMware Stack (vSphere only)

• Public Cloud like consumption experience

• Basic Networking and Security: NAT, Firewall, VPN, Gateway Management

Advanced Mode (Future Release) – NSX Manager and vSphere Web Client

• VMC Networking Consumption via NSX

• Full VMware Stack

• Multiple Admin Roles in the Org

• Flexibility of Public Cloud with familiarity and consistency of VMware SDDC

• Advanced Networking and Security: Distributed FW, Load Balancing, Service Insertion, Cross-VC

VMware Cloud on AWS does not have a dependency on NSX in the on-premises environment, but NSX in both sites will provide enhanced capabilities

Simplified Mode Consumption – Initial Availability

Cloud Networking Admin (VMC Web Console):

• Auto-deploy and provision the VMC infrastructure resources via predefined VMC Portal workflows

• Setup of initial networks and admin access granted to vCenter

• Deploy a prescriptive network topology

• Establish predefined VPN connectivity

• Provide inbound access to workload VMs

• Control firewall access to workload VMs

VI Admin (vSphere Web Client):

• Consume pre-created VMC network services

• Deploy workload VMs

• Attach workload VMs to networks

• Create new networks

• Manage IP addressing for workload VMs

(Diagram: both roles operate against VMware Cloud on AWS – vSphere, vSAN, NSX, vCenter.)

Advanced Mode Consumption – Future Release

Networking Admin (NSX Manager – Full NSX UI):

• Provision network and security for custom data centers

• Define and establish VPN connectivity with on-premises locations

• Define security groups and policies for workload VMs

• Add, modify, or delete network topologies

• Advanced NSX use cases: Distributed firewalls, load balancing, routing, etc.

VI Admin / Cloud Admin (vSphere Web Client, vSphere API):

• Deploy workload VMs

• Attach workload VMs to networks created by NSX admins

• Manage IP addressing for workload VMs

(Diagram: both roles operate against VMware Cloud on AWS – vSphere, vSAN, NSX, vCenter.)

VMC Networking and Security Access Model

▪ VMC is a VMware Managed Service

▪ VMware manages hypervisor and management components

▪ Customer manages VMs

▪ NSX access in Simplified consumption mode provides:

▪ Networking and Security workflows available in the VMC Console

▪ Ability to create, update, delete logical networks via vCenter Server

▪ Advanced mode will provide full NSX access in a future release

▪ There will still be restrictions on admin/infrastructure level operations

▪ All VMC users will start in Simplified Mode


User Experience – VMware Cloud on AWS Networking and Security Walkthrough


Initial Availability – VMware Cloud on AWS Networking and Security


VMware Cloud on AWS – Default Networking Topology

(Diagram: the VMC SDDC. The Management Infrastructure sits behind the Management GW (NAT, FW, VPN, DNS). Workloads on logical networks – Default 192.168.1.0/24, Custom 10.1.1.0/24, Custom 10.1.2.0/24, Custom 10.1.3.0/24 – attach to a DLR behind the Compute GW (NAT, FW, VPN, DHCP, DNS). Both gateways reach the AWS Network and Internet GW for N-S External Traffic. Blue = N-S, Red = E-W.)

NSX Implementation Details

• vSphere Distributed Switch provides connectivity to the AWS physical network

• NSX components such as Manager, Controller and Edges are deployed into the Management resource pool

• Management Gateway (MGW) = NSX Edge for Management components

• Compute Gateway (CGW) = NSX Edge and DLR for customer VMs

– A default logical network with SNAT and DHCP enabled is provisioned

– Single CGW supported in Simplified Mode

• Firewall Rules are set to Default Deny

• NSX Edge High Availability is enabled

• NSX Edges are size Large by default


VMware Cloud on AWS – Management Networking Overview

(Diagram: Management Infrastructure – vCenter Server, NSX Manager, NSX Controller 1, NSX Controller 2, NSX Controller 3 – on the VM Management (VLAN) network behind the Management Gateway. The VMC on AWS ESXi Cluster carries the VMkernel Management (VLAN), VMkernel vMotion (VLAN), VMkernel VXLAN (VLAN) and VMkernel VSAN (VLAN) networks. The Management Gateway reaches the AWS Network via the AWS VPC Router and Internet GW for External Traffic.)

vSphere Networking on AWS Infrastructure

VMware Cloud on AWS Networking setup is automated as part of infrastructure provisioning

(Diagram: ESXi Hosts (bare metal) running VMs, with VMware Networks on each host. VMkernel interfaces vmk0, vmk1, vmk2 and vmk3 for Mgmt, vMotion, VSAN and VXLAN (VTEP), plus Public, carried as a VLAN Trunk on the ENA with MTU 1600+. Multiple ENIs/VLANs: VLAN Native, ENI1; VLAN1, ENI2; VLAN2, ENI3; VLAN3, ENI4; VLAN4, ENI5; VLAN5, ENI6. Multiple Subnets: 10.100.1.0/24, 10.101.1.0/24, 10.102.1.0/24, 10.103.1.0/24.)

VMC Connectivity Details

▪ Workload VMs

▪ Use NSX for all networking and security and are decoupled from VPC Networking

▪ ESXi VMkernel interfaces use ENIs (Elastic Network Interfaces) on the VPC network

▪ However, there are limitations with connecting Management & Edge VMs directly to VPC networks

▪ Solution is to use NSX (of course ☺)

▪ AWS VPC Networking is used to provide external connectivity only:

▪ Internet Gateway

▪ Customer VPC access

▪ Direct Connect in future releases


VMC Connectivity Deep Dive

(Diagram: one ESXi Host in the VMC on AWS VPC; repeated on each host in the Cluster.)

ESXi host VMkernel interfaces (all with GW .128.1), the VDS dvportgroups they sit on, and the ENIs on the ENA device (pnic) they map to:

– vmk0 10.0.128.5/17 – Host Mgmt dvportgroup (VLAN 0) – default ENI (device id 0) 10.0.128.5/21

– vmk1 10.0.136.5/17 – vMotion dvportgroup (VLAN 1) – ENI-vmotion (device id 1) 10.0.136.5/21

– vmk2 10.0.144.5/17 – VSAN dvportgroup (VLAN 2) – ENI-vsan (device id 2) 10.0.144.5/21

– vmk3 10.0.152.5/17 – VTEP dvportgroup (VLAN 3) – ENI-nsx (device id 3) 10.0.152.5/21

– hDLR-m LIF1 10.0.160.5 (VLAN 4) – ENI-m (device id 4) 10.0.160.5/21

– hDLR-p LIF1 10.0.0.5 (VLAN 5) – ENI-p (device id 5) 10.0.0.5/20

AWS Network: Management Subnet 10.0.128.0/17 (Router 10.0.128.1); Public Subnet 10.0.0.0/20 (Router 10.0.0.1) with the 0/0 route towards the Internet or VPN GW.

NSX side: Management dvportgroup (VLAN 101) 10.0.224.0/19, GW .224.1 (hDLR-m LIF2 10.0.224.1), carrying vCenter 10.0.224.8 and NSX Mgr 10.0.224.9; public dvportgroup (VLAN 100) 10.0.192.0/19, GW .192.1 (hDLR-p LIF2 10.0.192.1). Management Gateway addresses shown: 10.0.224.2 and 10.0.218.2; Compute Gateway: .218.3.

VMC Agent actions: Add/Move Secondary IP (AWS API); Add/Remove routes on DLR; Mgt VM Add/Move (VMCI callout).

IA – Internet and L3VPN Connectivity

VPN Connectivity using NSX ESG (Route selected networks or all traffic to on-premises over VPN tunnel)

(Diagram: Customer DC with On-Prem Gateway, On-Prem Management and On-Prem Workloads (Existing VMs and Management on-premises). VMware Cloud on AWS Software Defined Data Center (SDDC) with the Management Network behind the Management GW (NAT, FW, VPN) and compute networks 192.168.10.0/24 and 192.168.20.0/24 on a DLR behind the Compute GW (NAT, FW, VPN, DHCP). An IPSec VPN – L3 – Compute tunnel runs from the On-Prem Gateway over the Internet and Internet GW to the Compute GW; Management Traffic and Compute Traffic are shown separately.)

VMC VPN Connectivity Details


▪ VMC Console provides streamlined VPN configuration

▪ Policy Based VPN from NSX Edge

▪ IPsec VPN – standards based interoperable with all compliant devices

▪ Enables choice of on-premises gateway


VPN Connectivity Details

▪ VMC Supported IPsec VPN Parameters at IA

▪ Settings in Bold are configurable, while others are hard coded

Phase 1 Settings:

– IKEv1

– Main mode

– AES-256

– Diffie-Hellman Group 2

– SHA-1

– Pre-shared secret

– SA lifetime of 28800 seconds (eight hours)

Phase 2 Settings:

– AES-256

– Diffie-Hellman Group 2

– SHA-1

– SA lifetime of 3600 seconds (one hour)

– Perfect forward secrecy (PFS) Enabled

VMC and AWS Services

▪ VMware Cloud on AWS provides access to AWS services within the region of deployment

▪ By default access to AWS Services from VMC VMs will be via the Internet (using AWS IGW)

▪ Provides a base level of capability

▪ Bandwidth limits for IGW do apply

▪ Customer VPC access (using VMware Cloud Endpoint)

▪ Provides higher bandwidth connectivity to selected AWS Services

▪ Requires an existing customer VPC

▪ Direct Connect is planned in Future Releases

(Diagram: Access to AWS Services – Amazon EC2, Amazon S3, Amazon RDS, AWS Direct Connect, AWS IAM, AWS IoT.)

IA – Optimized Connectivity to Native AWS Services

Direct Connectivity from VMC to Customer VPCs (without VPC Peering)

(Diagram: the VMware Cloud on AWS Software Defined Data Center (SDDC) with logical networks 192.168.0.0, 192.168.1.0 and 192.168.2.0 (VNI 5000, VNI 5001) on a Distributed Router (DLR) behind the Compute Gateway. An East-West Connection over an ENI from the Customer VPC reaches the Customer VPC subnets 172.16.0.0, 172.16.1.0 and 172.16.2.0: EC2 Instances, Private AWS services or VPC Endpoints (Amazon S3) in the customer's existing VPCs. This is the Optimized Traffic Flow; the VPC route table and the NSX route table provide the routing between the two sides, and each side keeps its own Internet GW.)

VMC and AWS Services Details

▪ What actually happens during the Account Connection Process?

▪ Step 1 – At SDDC Deployment time, connect to your AWS account

▪ Step 2 – Run VMC Cloud Formation Template

▪ Step 3 – Select Discovered VPC and Subnet

– Create ENIs to enable the optimized connectivity

▪ Step 4 – SDDC is provisioned and connected to your VPC

– Details of connected VPC are available under CGW

▪ Step 5 – Routing Tables are updated to enable connectivity

▪ Step 6 – Firewalling for traffic to/from Customer VPC within VMC
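Step 5 and the "Optimized Connectivity to Native AWS Services" diagram name a VPC route table and an NSX route table that are populated with the other side's prefixes. The Python below models that step; it is an added example, not code from the presentation, VMware or AWS. The prefixes are the slide's, while the /24 masks, the VPC CIDR, the ENI placeholder and the CGW uplink name are assumptions, and the model refuses to emit routes for overlapping prefixes, which cannot be routed unambiguously on either side.

```python
"""Route-table model for connecting a VMC SDDC to a customer VPC (Step 5 above).
Added example, not code from the presentation, VMware or AWS. The slides name the
VPC route table, the NSX route table and the prefixes; masks, the VPC CIDR and the
route targets are assumptions and are marked as such below."""
from ipaddress import IPv4Network, collapse_addresses, ip_network
from typing import Dict, Iterable, List

# Constructed sample input using the prefixes shown on the slide (/24 masks assumed).
SDDC_NETWORKS = ["192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24"]
VPC_SUBNETS = ["172.16.0.0/24", "172.16.1.0/24", "172.16.2.0/24"]
VPC_CIDR = "172.16.0.0/16"            # assumed customer VPC CIDR
CROSS_VPC_ENI = "eni-PLACEHOLDER"     # the ENI created in the customer VPC (Step 3)
CGW_VPC_UPLINK = "cgw-vpc-uplink"     # assumed name for the CGW interface behind that ENI


def parse_prefixes(cidrs: Iterable[str]) -> List[IPv4Network]:
    """Strict parsing: a host address such as 192.168.1.5/24 is rejected, and so
    is a prefix listed twice."""
    nets = [ip_network(c, strict=True) for c in cidrs]
    if len(set(nets)) != len(nets):
        raise ValueError("duplicate prefix in input")
    return nets


def find_overlaps(sddc: Iterable[str], vpc: Iterable[str]) -> List[str]:
    """Every SDDC prefix that overlaps a VPC prefix. Such a pair cannot be routed
    unambiguously on either side, so no routes may be generated for it."""
    sddc_nets, vpc_nets = parse_prefixes(sddc), parse_prefixes(vpc)
    return [f"{s} overlaps {v}" for s in sddc_nets for v in vpc_nets if s.overlaps(v)]


def build_route_tables(sddc: Iterable[str], vpc_subnets: Iterable[str],
                       vpc_cidr: str = VPC_CIDR) -> Dict[str, Dict[str, str]]:
    """Entries each side needs once the account connection is complete:
    - VPC route table: SDDC prefixes -> the cross-account ENI in the customer VPC
    - NSX route table: VPC subnets  -> the CGW uplink that owns that ENI
    Adjacent prefixes are collapsed (192.168.0.0/24 + 192.168.1.0/24 -> /23) so the
    VPC route table stays small; any overlap with the VPC CIDR aborts the build."""
    sddc, vpc_subnets = list(sddc), list(vpc_subnets)
    clashes = find_overlaps(sddc, [vpc_cidr]) + find_overlaps(sddc, vpc_subnets)
    if clashes:
        raise ValueError("; ".join(sorted(set(clashes))))
    return {
        "vpc_route_table": {str(n): CROSS_VPC_ENI
                            for n in collapse_addresses(parse_prefixes(sddc))},
        "nsx_route_table": {str(n): CGW_VPC_UPLINK
                            for n in collapse_addresses(parse_prefixes(vpc_subnets))},
    }


if __name__ == "__main__":
    for table, routes in build_route_tables(SDDC_NETWORKS, VPC_SUBNETS).items():
        print(table)
        for prefix, target in routes.items():
            print(f"  {prefix:18} -> {target}")
```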


Future Releases – VMware Cloud on AWS Networking and Security


Future – L2VPN Connectivity

L2VPN for Hybrid use cases (with or without NSX on premises)

(Diagram: Customer VPC with On-Prem Gateway, Edge L2VPN, On-Prem Management and Existing VMs and Management on-premises on VLAN 10 and VLAN 20. VMware Cloud on AWS Software Defined Data Center (SDDC) with the Management Network behind the Management GW (NAT, FW, VPN) and networks 192.168.10.0/24 and 192.168.20.0/24 on a DLR behind the Compute GW (NAT, FW, VPN, DHCP). An L2VPN – Compute tunnel provides the L2 Extension over the Internet and Internet GW; Management Traffic and Compute Traffic are shown separately.)

Future – AWS Direct Connect

Direct Connect for high bandwidth connectivity to on-premises from Customers VMC CDC

(Diagram: Customer DC with On-Prem Gateway and On-Prem Management (VLAN 10, VLAN 20) connected over AWS Direct Connect (L3), Up to 10Gbps, to AWS. A Private VIF terminates on the AWS VGW of the VMware Cloud on AWS Software Defined Data Center (SDDC), whose Edge Gateway and Distributed Router (DLR) carry VXLAN networks VNI 5000 and VNI 5001 (VLAN to VXLAN); a second Private VIF reaches the Customer VPC (AWS VGW, EC2 & RDS Instances); a Public VIF reaches AWS Services (Amazon RDS, AWS Lambda, Amazon S3, CloudFront, etc.). Compute Traffic shown.)

Future – Advanced Network and Security features

Advanced NSX feature set available in VMC

- DFW (FW Ruleset and Service composer)

- Load Balancing (one arm and inline)

- Flexible Network Topologies

(Diagram: Customer Data Center with On-Prem Gateway, On-Prem Management and Existing VMs and Management components on-premises (VLAN 10, VLAN 20), connected through the AWS GW and Internet to the VMware Cloud on AWS Software Defined Data Center (SDDC). The SDDC has a Default CGW and a Custom CGW, a Distributed Router with VLAN/VXLAN networks, and NSX Services – DFW and LB.)

Future – Partner Service Integration

Partner Service Integration through NetX and EPSec

• Partner components on overlay network

• Connectivity to vCenter and NSX Manager

• Re-direct rules to partner SVMs

(Diagram: Customer Data Center with On-Prem Gateway, On-Prem Management and Existing VMs and Management components on-premises (VLAN 10, VLAN 20), connected through the AWS GW and Internet to the VMware Cloud on AWS Software Defined Data Center (SDDC). In the SDDC: MGW and CGW, a Distributed Router with VLAN/VXLAN networks, a Default LS and a 3rd Party LS, Service Insertion with a Partner SVM on each host, a Partner Management Console, and the ESXi Network and Host components (VMKNICs for Mgt/vMotion/VXLAN/VSAN). Management Traffic and Compute N-S Traffic shown.)

Future – Cross-VC NSX

• NSX both on-premises and in VMC enabling Cross-VC NSX services

• All Local and Universal NSX capabilities available

• VM Mobility

• Full Multi-Site and DR

• Centralized Management

(Diagram: Customer DC and VMware Cloud on AWS Software Defined Data Center (SDDC), each with an Edge Gateway, NSX Services and an Internet GW (or DX). Local networks Sec-Group-1 VNI 5001 and Sec-Group-2 VNI 6002; a Universal Logical Switch VNI 9001 spans both sites with Sec-Group-3 on each side, connected by a Universal Distributed Logical Router (UDLR).)

VMware Cloud on AWS and NSX – Summary

• VMware Cloud on AWS is a major initiative for VMware

• VMC is designed to support all of VMware’s existing customers

• Extends key SDDC capabilities to Public Cloud:

– Centralized Management

– Enterprise grade Security

– Consistent operational model

– Cross-VC vMotion for VM Mobility

– DR/Multi-Site as a Service

– Compatibility with Automation tools


Questions

Thank You – Ray Budavari @rbudavari

Backup

VMware Cloud on AWS User Experience

▪ NSX is front and center in VMware Cloud on AWS Portal

▪ Network Dashboard provides a view of NSX components and connectivity


VMware Cloud on AWS User Experience

Simplified mode provides basic networking and security functionality

– Firewall

– VPN

– Logical

– NAT

– Public IPs