Introducing Application Self-service with Networking and Security Using vRealize Automation and NSX Andrew Voltmer, VMware, Inc Becky Smith, VMware, Inc MGT5360 #MGT5360

VMworld 2015: Introducing Application Self service with Networking and Security


Page 1: VMworld 2015: Introducing Application Self service with Networking and Security

Introducing Application Self-service with Networking and Security

Using vRealize Automation and NSX

Andrew Voltmer, VMware, Inc

Becky Smith, VMware, Inc

MGT5360

#MGT5360

Page 2: VMworld 2015: Introducing Application Self service with Networking and Security

Disclaimer

• This presentation may contain product features that are currently under development.

• This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.

• Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.

• Technical feasibility and market demand will affect final delivery.

• Pricing and packaging for any new technologies or features discussed or presented have not been determined.

CONFIDENTIAL 2

Page 3: VMworld 2015: Introducing Application Self service with Networking and Security

IT Automation, The Next Wave of IT Efficiency

(Chart: IT Efficiency over Time)

Virtualization
► Accelerate service delivery (weeks to days)
► Resource pooling
► HW consolidation

Cloud Automation & Management
► Accelerate service delivery (days to min)
► Improve operational efficiency
► Optimize resource utilization
► Reduce complexity via standardization

Page 4: VMworld 2015: Introducing Application Self service with Networking and Security

Business Wants Agility. IT Wants Control.

Applications
• Cloud Users: We want our application on-demand with compute, storage, networking and security!

Infrastructure
• Compute Admin: Provide the right VM for the job
• Network Admin: Deliver high-performance networking quickly
• Security Admin: Ensure secure IT

Page 5: VMworld 2015: Introducing Application Self service with Networking and Security

Agenda

1 Software Defined Data Center

2 NSX Network and Security Virtualization

3 vRealize Automation for Applications and Infrastructure

4 Application Self-Service with Networking and Security Using vRealize Automation and NSX

Page 6: VMworld 2015: Introducing Application Self service with Networking and Security

VMware’s Software Defined Data Center


Page 7: VMworld 2015: Introducing Application Self service with Networking and Security

Infrastructure and Apps Are Subject to Wait

• Infrastructure Service Delivery: Days
• Application and Change Delivery: Weeks

(Timeline diagram of alternating Work and Wait steps; label: Changes)

Virtualized Infrastructure: Abstract & Pool
• Compute: Compute Abstraction = Server Virtualization
• Network: Network Abstraction = Virtual Networking
• Storage: Storage Abstraction = Software-Defined Storage

(Diagram labels: Physical Hardware; Private Clouds; Public Clouds; Hybrid Cloud; VMware & vCloud Data Center Partners)

Page 8: VMworld 2015: Introducing Application Self service with Networking and Security

Software-Defined Data Center (SDDC) Cloud Management Platform enables the One Cloud, Any Application Approach

(Diagram: SOFTWARE-DEFINED DATA CENTER. Labels: End-User Computing; Applications; Cloud Management Platform (Business, Operations, Automation); Extensibility; Virtualized Infrastructure (Compute, Network, Storage); Physical; Hybrid Cloud (Private / Public))

Page 9: VMworld 2015: Introducing Application Self service with Networking and Security

Dynamically Configure Application Services on SDDC

Automated delivery of secure, scalable and high performing multi-tier applications utilizing VMware’s SDDC

(Diagram labels: Automated Application Deployment; Manual Network Configuration; VMware NSX Network Virtualization; Minutes; “Zero Touch” Deployment; vRealize Automation; VMware ESX Compute Virtualization; Hours or Days; Wait / Work)

Page 10: VMworld 2015: Introducing Application Self service with Networking and Security

NSX Network and Security Virtualization


Page 11: VMworld 2015: Introducing Application Self service with Networking and Security

Start With Your Existing Physical Network Infrastructure

Without network virtualization, you are hardware defined

Internet

Physical Network Topology

Page 12: VMworld 2015: Introducing Application Self service with Networking and Security

Compute Capacity…

Internet

Physical Network Topology

Page 13: VMworld 2015: Introducing Application Self service with Networking and Security

Data Center Virtualization Layer…

Internet

Physical Network Topology

Page 14: VMworld 2015: Introducing Application Self service with Networking and Security

A “Network Hypervisor”

Internet

Network Hypervisor

Physical Network Topology

Page 15: VMworld 2015: Introducing Application Self service with Networking and Security

The Operational Model of a VM for the Networking

Internet

Virtual Networks

Software Containers, Like VMs

Virtual Network Topology

Physical Network Topology

Network Hypervisor

Page 16: VMworld 2015: Introducing Application Self service with Networking and Security

Provides A Faithful Reproduction of Network & Security Services in Software

• Switching
• Routing
• Firewalling
• Load Balancing
• VPN
• Connectivity to Physical
• Policies, Groups, Tags

Management APIs to program all services

Page 17: VMworld 2015: Introducing Application Self service with Networking and Security

NSX – Virtual Networking and Security

Security Groups
• My App: Web, App, Database (VMs)

Security Policies
• “Default”: Firewall – Access shared services (DNS, AD); Anti-Virus – Scan Daily
• “Standard Web”: Firewall – allow inbound HTTP/S, allow outbound ANY; IPS – prevent DOS attacks, enforce acceptable use
• “Standard App”: Firewall – allow inbound ANY, allow outbound ODBC
• “Standard Database”: Firewall – allow inbound ODBC; Vulnerability Management – Weekly Scan

Support for Detailed, Programmable Application Topologies

Logical Switching, Routing, Firewall, Load Balancing

Page 18: VMworld 2015: Introducing Application Self service with Networking and Security

vRealize Automation for Applications and Infrastructure


Page 19: VMworld 2015: Introducing Application Self service with Networking and Security

VMware’s Automation Solution to Onboard the Cloud

• Manual provisioning → On-demand, automated self-service access
• Technology sprawl → High standardization
• Initial provisioning → Lifecycle management
• Homogeneous → Enterprise wide / heterogeneous
• One inflexible approach → Extensible
• Virtualized infrastructure → Any service from any layer
• Manual approvals → High governance

Journey with many starting points and many maturity levels:
• Automation / Infrastructure-as-a-Service
• Standardized MW / DB-as-a-Service
• Application Release Automation / DevOps
• IT-as-a-Service “Service Broker”

Page 20: VMworld 2015: Introducing Application Self service with Networking and Security

vRealize Automation Policy Management

“Who provisions what and where”

(Diagram labels: Users; Authentication & Role-Based Authorization; Authorized Users; Business Groups (A, B, C); Resource Reservations; Cost Profile; Shared Infrastructure (Public, Physical, Virtual; Tier 1); Service Blueprints; lifecycle steps Requisition, Provision, Manage, Retire)

Page 21: VMworld 2015: Introducing Application Self service with Networking and Security

Application Self-Service with Networking and Security Using vRealize Automation and NSX


Page 22: VMworld 2015: Introducing Application Self service with Networking and Security

Traditional Infrastructure Provisioning with Networking

Days - Weeks

Infrastructure Service: manual network efforts, split across NETOPS, SECOPS and LOAD BALANCER ADMIN

• Switch: Connect Ethernet cables, configure switch port, VLANs, access control lists, assign IP addresses
• Router: Configure router interface to connect to switch ports. Configure routing protocols.
• Firewall: Connect networks to firewall appliances, configure firewall rules based on physical constructs e.g. IP address and VLANs
• Load Balancer: Connect networks to load balancer appliances, create and populate load balancer pool, assign Virtual IP Address to external interface

(Timeline diagram of alternating Wait and Work steps)

Page 23: VMworld 2015: Introducing Application Self service with Networking and Security

Application Centric Network and Security Services

Deployed and managed in the application context

• Applications configured with dedicated or shared virtual switches and routers depending on needs

• Virtual Machines can be moved (vMotion) without changing virtual network configuration

• Application-specific policies including firewall rules, intrusion detection integration, and agentless anti-virus scanning at each application tier

• Dynamic configuration of application-specific load balancers

• Without expensive physical hardware

• Networks configured to meet unique performance needs of each application

• Shared or dedicated switches, routers and load balancers depending on performance needs

(Diagram: Web, App and Database tiers of VMs)

Page 24: VMworld 2015: Introducing Application Self service with Networking and Security

Blueprint of the Modern Application

Define Once – Multiple Use

Deployment Time Options for Users

Support for Multiple Network Topologies

Repeatable Deployments

From Single Machine to Multi-Tier Applications

Page 25: VMworld 2015: Introducing Application Self service with Networking and Security

Catalog of Applications

“One Click” Deployment

Order your Application with Networking and Security

N+S Built On-Demand via NSX API

Automated IP Addressing

Automatic Cleanup With App Disposal

Page 26: VMworld 2015: Introducing Application Self service with Networking and Security

Group into Complete Application Environments or Services

Predefined, Tested, Compliant, Repeatable

• CONNECTIVITY: Network Profiles, Default Gateway
• SECURITY: Security Groups, Security Policies, Security Tags
• AVAILABILITY: Logical Load Balancer

Blueprint → Complete Application Environment → Catalog Item

Page 27: VMworld 2015: Introducing Application Self service with Networking and Security

Top NSX Solutions with vRealize Automation

The Power of NSX and vRealize Automation delivers Application Deployment with . . .

On-Demand Networking and Security

On-Demand Security

Existing Networking and Security

Page 28: VMworld 2015: Introducing Application Self service with Networking and Security

Application Deployment with On-Demand Network and Security Services

The Power of VMware NSX and vRealize Automation

Page 29: VMworld 2015: Introducing Application Self service with Networking and Security

Application Deployment with On-Demand Networking & Security

(Diagram: Web/App and Database tiers of VMs)

Logical switches and routers created by NSX when the user creates an application

Single-tier or multi-tier NAT or routed topologies

Automated IP addressing of VMs and subnets

On-demand security groups built per app and per tier with VMs placed into groups

Security policies applied to dynamically created groups

Load-balancer dynamically deployed for application

Page 30: VMworld 2015: Introducing Application Self service with Networking and Security

Application Deployment with On-Demand Micro-Segmentation

The Power of VMware NSX and vRealize Automation

Page 31: VMworld 2015: Introducing Application Self service with Networking and Security

Application Deployment with On-Demand Micro-Segmentation

(Diagram: Web/App and Database tiers of VMs)

VMs placed on pre-created logical switches

On-demand security groups created when application is deployed

Security policies applied to dynamically created groups

Micro-segmentation on larger L2 networks

Load-balancer configuration dynamically deployed

VMs and security groups removed when app destroyed but networking remains

Page 32: VMworld 2015: Introducing Application Self service with Networking and Security

Application Deployment into Existing Network and Security Services

The Power of VMware NSX and vRealize Automation

Page 33: VMworld 2015: Introducing Application Self service with Networking and Security

Application Deployment into Existing Network and Security Services

(Diagram: Web/App and Database tiers of VMs)

Pre-created logical switches and routers defined by the NSX admin - VMs are wired to pre-created switches

Security Groups pre-defined to match security tags for each tier of application

When a cloud user selects a catalog item, VMs are wired to NSX switches and tagged with the appropriate security tags

Enforcement is based on combining the tag with the rules in the security group

Applications can be single tier or multi-tier – typically routed topologies
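
The tag, group and policy relationship described above can be modelled directly. This is an added example, not code from the presentation or from VMware: the per-tier rules are taken from the security policies slide, while the tag names, VM names, default-deny behaviour and the rule that both the source's outbound and the destination's inbound policy must permit a flow are assumptions made for illustration.

```python
from dataclasses import dataclass

ANY = "ANY"

@dataclass(frozen=True)
class Policy:
    name: str
    inbound: frozenset   # services members accept
    outbound: frozenset  # services members may initiate

# Tier firewall rules as worded on the security policies slide.
POLICIES = {
    "web": Policy("Standard Web", frozenset({"HTTP", "HTTPS"}), frozenset({ANY})),
    "app": Policy("Standard App", frozenset({ANY}), frozenset({"ODBC"})),
    "db":  Policy("Standard Database", frozenset({"ODBC"}), frozenset()),
}

# Hypothetical tag names; each pre-defined security group matches one tag.
GROUP_FOR_TAG = {"tier.web": "web", "tier.app": "app", "tier.db": "db"}

def groups_of(vm, tags_by_vm):
    """Security groups a VM falls into, derived only from its tags."""
    return {GROUP_FOR_TAG[t] for t in tags_by_vm.get(vm, ()) if t in GROUP_FOR_TAG}

def _permits(services, service):
    return ANY in services or service in services

def allowed(src, dst, service, tags_by_vm):
    """Assumed semantics: default deny; the source group's outbound rule and
    the destination group's inbound rule must both permit the service."""
    out_ok = any(_permits(POLICIES[g].outbound, service) for g in groups_of(src, tags_by_vm))
    in_ok = any(_permits(POLICIES[g].inbound, service) for g in groups_of(dst, tags_by_vm))
    return out_ok and in_ok

def untagged(tags_by_vm):
    """VMs that match no group, so no tier policy applies to them."""
    return sorted(vm for vm in tags_by_vm if not groups_of(vm, tags_by_vm))

# Constructed inventory, as a catalog request might leave it.
INVENTORY = {"web-01": {"tier.web"}, "app-01": {"tier.app"},
             "db-01": {"tier.db"}, "db-02": set()}  # db-02: tagging step missed

if __name__ == "__main__":
    for flow in [("web-01", "app-01", "HTTPS"), ("app-01", "db-01", "ODBC"),
                 ("web-01", "db-01", "HTTPS"), ("web-01", "db-01", "ODBC"),
                 ("app-01", "db-02", "ODBC")]:
        print(flow, "ALLOW" if allowed(*flow, INVENTORY) else "DENY")
    print("no group membership:", untagged(INVENTORY))
```

Under these assumed semantics the web tier can still reach the database over ODBC, because the web rule allows outbound ANY and the database rule does not name a source group; scoping the database rule's source to the App group is the point to check when reviewing such policies. The `untagged` audit matters because a VM without a tag receives only whatever the environment's default rule provides.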

Page 34: VMworld 2015: Introducing Application Self service with Networking and Security

Application Deployment Topologies

Support for Multiple Network Topologies

• Multi-Tier App, Multiple Networks
• Multi-Tier App, Single Flat Network

(Diagram: Web, App and Database tiers of VMs shown in each topology)

Page 35: VMworld 2015: Introducing Application Self service with Networking and Security

Demo


Page 36: VMworld 2015: Introducing Application Self service with Networking and Security

Questions

Page 37: VMworld 2015: Introducing Application Self service with Networking and Security

http://www.vmware.com/products/vrealize-automation/

http://www.vmware.com/products/nsx/

Check out: Hands-On Labs: HOL-SDC-1632, HOL-SDC-1624, HOL-SDC-1603

Session: NET5362 Enabling Automated Network & Security Services with NSX and vRealize Automation
