Microservices for Enterprises: Consistent Network & Security services for Containers and VMs
© 2015 VMware Inc. All rights reserved.
Guru Shetty, Sai Chaitanya
The case for Network Virtualization
CONFIDENTIAL 2
[Figure: Traditional Data Center. An Aggregation Switch / Router forms the Layer 3 boundary; below it the Access Switch and the vSwitch are Layer 2, with VM1 and a Baremetal DB hanging off the access layer.]
Traditional Data Center
- Network Architecture
  - Layer 3 boundary at the Aggregation Layer
  - VLANs in the Access Layer and the Virtual Switch
The case for Network Virtualization
[Figure: VM1 to VM6 connected over Datacenter Network Tunnels (VXLAN, Geneve, STT).]
Drivers for Virtualized Networking
- Cloud: software defined network
- Multi-tenancy with overlapping IP addresses (typical use cases: acquisitions and mergers)
- Flexible and programmatic workload placement
The Case for Microsegmentation
[Figure: Data center 1 protected only by a Perimeter firewall.]
Security in a Traditional Data Center
- Security configuration at the Layer 3 boundary
- Huge surface exposed to attack: once past the perimeter, an attacker can move laterally throughout the VLAN domain
The Case for Microsegmentation
[Figure: VM1 to VM6 over Datacenter Network Tunnels (VXLAN, Geneve, STT), with a FW per vNIC.]
Security in a Modern Data Center
- FW per VM or host
  - Limits the lateral spread of an attack
- Distributed Firewall
  - In kernel
  - Line rate performance
  - FW context moves along with the workload
Virtual Networking constructs
• Logical Switch
• Logical Port
• Firewall rule (ACL)
• Logical Router
• Logical Router Port
• Distributed Loadbalancer
The intelligent edge
[Figure: each Hypervisor runs OVS, programmed over OpenFlow and OVSDB by NSX/OVN, which is in turn driven by the CMS / Container Orchestrators; two tenants ("Coke", "Pepsi") share the same hypervisor.]
What's new in the Data Center
[Figure: hypervisors running OVS host VMs V1 and V2, which in turn run containers C1 to C4; bare-metal ports P1 and P2 sit behind a VTEP on the TOR (L2 / L3) next to a router R; everything is joined over the Datacenter Network (Tunnels).]
- Containers running in VMs
- Containers running on Baremetal Servers
Design goals for Container integration
- Unique IP Address per container
  - No NAT based solution: complex to manage at scale
- Avoid overlays on overlays
  - Poor performance
  - Lack of visibility for troubleshooting & monitoring
- Security (Firewall) enforcement per container interface
  - Protect other workloads from a compromised Container
- Network segment that spans Baremetal, Containers and VMs
- Service Chaining for Containers, e.g. IDS & Distributed Load Balancing
Docker Integration
[Figure: a Docker Host VM runs containers C1 to C3 on an in-VM OVS, labelled Untrusted; the Hypervisor's OVS, labelled Trusted, connects the VM to the Datacenter Network.]
Docker Integration
[Figure: physical view: two VMs, each with its own OVS, host containers C1 to C5 on a Hypervisor whose OVS attaches to the Datacenter Network. Logical Space: the same containers C1 to C5 are placed on two logical switches S, joined by a logical router R that also has an External port.]
Docker Security
[Figure: the Docker Host VM with containers C1 to C3 on its OVS; the Distributed Firewall is enforced in the OVS datapath between each container interface and the Datacenter Network.]
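The per-vNIC distributed firewall on the microsegmentation slide and the per-container-interface enforcement on this slide are, in OVN terms, ACLs attached to logical switch ports. The model below is an added example (not code from this deck, from NSX or from OVN itself) that shows the semantics a practitioner needs to get right: ACLs are evaluated in a from-lport (ingress) stage and a to-lport (egress) stage, the highest-priority match in a stage wins, and a packet that matches no ACL is allowed, so default deny needs an explicit low-priority drop. It also models port security, which binds a port to its MAC/IP so a compromised container cannot source traffic as a neighbour. Port names, MACs, addresses and the web-to-db policy are constructed; the generated ovn-nbctl strings use current OVN syntax (ls-add, lsp-add, acl-add) rather than the 2015-era lswitch-add/lport-add names, and nothing here needs an OVN installation to run.

```python
# Added example: an OVN-style logical switch with port security and ACLs,
# used to show what per-interface microsegmentation means. Not code from the
# VMware deck or from OVN; names, MACs, addresses and policy are constructed.
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    inport: str      # logical port the packet enters from (the sender's interface)
    outport: str     # logical port it would be delivered to
    src_ip: str
    dst_ip: str
    proto: str       # "tcp", "udp" or "icmp"
    dport: int = 0   # L4 destination port, 0 for icmp


@dataclass(frozen=True)
class Acl:
    direction: str                  # "from-lport" (ingress stage) or "to-lport" (egress stage)
    priority: int                   # 0..32767, higher wins, as in OVN
    match: str                      # OVN match syntax, only used to print ovn-nbctl commands
    pred: Callable[[Packet], bool]  # the same condition as a Python predicate
    action: str                     # "allow", "allow-related" or "drop"


class LogicalSwitch:
    def __init__(self, name: str) -> None:
        self.name = name
        self.ports: Dict[str, Tuple[str, str]] = {}  # port -> (mac, ip) bound by port security
        self.acls: List[Acl] = []

    def add_port(self, port: str, mac: str, ip: str) -> None:
        self.ports[port] = (mac, ip)

    def add_acl(self, acl: Acl) -> None:
        self.acls.append(acl)

    def _stage(self, direction: str, pkt: Packet) -> str:
        # Highest-priority matching ACL in this stage decides. If nothing matches,
        # OVN lets the packet through: default deny must be an explicit drop rule.
        hits = [a for a in self.acls if a.direction == direction and a.pred(pkt)]
        if not hits:
            return "allow"
        best = max(hits, key=lambda a: a.priority)
        return "drop" if best.action == "drop" else "allow"

    def verdict(self, pkt: Packet) -> str:
        # Port security first: a compromised container cannot send with a
        # neighbour's address, which keeps address-based ACLs meaningful.
        if pkt.inport not in self.ports or self.ports[pkt.inport][1] != pkt.src_ip:
            return "drop"
        # Then the ingress (from-lport) and egress (to-lport) ACL stages in order.
        for direction in ("from-lport", "to-lport"):
            if self._stage(direction, pkt) == "drop":
                return "drop"
        return "allow"

    def nbctl_commands(self) -> List[str]:
        # The equivalent ovn-nbctl commands (current syntax) for this policy.
        cmds = [f"ovn-nbctl ls-add {self.name}"]
        for port, (mac, ip) in self.ports.items():
            cmds.append(f"ovn-nbctl lsp-add {self.name} {port}")
            cmds.append(f'ovn-nbctl lsp-set-addresses {port} "{mac} {ip}"')
            cmds.append(f'ovn-nbctl lsp-set-port-security {port} "{mac} {ip}"')
        for a in self.acls:
            cmds.append(f"ovn-nbctl acl-add {self.name} {a.direction} {a.priority} '{a.match}' {a.action}")
        return cmds


def build_demo_switch() -> LogicalSwitch:
    """Constructed scenario: two web containers and one DB container on one
    logical switch. Policy: web -> db on tcp/5432 only, everything else dropped."""
    ls = LogicalSwitch("app")
    ls.add_port("web1", "00:00:00:00:00:01", "192.168.1.11")
    ls.add_port("web2", "00:00:00:00:00:02", "192.168.1.12")
    ls.add_port("db1", "00:00:00:00:00:03", "192.168.1.13")
    web_ips = {"192.168.1.11", "192.168.1.12"}
    ls.add_acl(Acl("to-lport", 1000,
                   'outport == "db1" && ip4.src == {192.168.1.11, 192.168.1.12} && tcp.dst == 5432',
                   lambda p: p.outport == "db1" and p.src_ip in web_ips
                   and p.proto == "tcp" and p.dport == 5432,
                   "allow-related"))
    # Explicit default deny for all IP traffic delivered to any port on the switch.
    ls.add_acl(Acl("to-lport", 100, "ip", lambda p: True, "drop"))
    return ls


if __name__ == "__main__":
    demo = build_demo_switch()
    print("\n".join(demo.nbctl_commands()))
    print(demo.verdict(Packet("web1", "db1", "192.168.1.11", "192.168.1.13", "tcp", 5432)))  # allow
    print(demo.verdict(Packet("web1", "db1", "192.168.1.11", "192.168.1.13", "tcp", 22)))    # drop
```

Running the file prints the ovn-nbctl commands for the policy followed by the two verdicts. The model only evaluates connection-initiating packets: in real OVN, allow-related is stateful through conntrack, so the DB's replies to web1 pass without a separate ACL even though a fresh connection from db1 to web1 hits the default drop. Compare the web1 to db1 port 22 case with the traditional perimeter-only design: a compromised web container keeps exactly the access the policy grants it and nothing more.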
Docker OpenStack Integration
• docker network create -d openvswitch --subnet=192.168.1.0/24 foo   # create a Docker network "foo" backed by the Open vSwitch driver; each container gets its own address from the subnet, with no NAT
• docker run --net=foo --name=busybox busybox                          # start a container attached to that network
Docker OpenStack Integration
[Figure: a Tenant VM launched by Nova runs Docker with the OVS plugin; containers C1 to C3 attach to the in-VM OVS, while Neutron and OVN program the OVS on the hypervisor (HV).]
OVN – VM overlays
[Figure: containers C1 to C4 inside VMs, each VM with its own OVS, joined by Tunnels.]
Kubernetes integration
Cloud Native Apps in Enterprises
- Cloud Native technologies will bring "web-scale" agility and continuous delivery to the enterprise
- Customers are deploying next generation apps to either PaaS platforms or Container Clusters
- Customers are also refactoring existing apps using Containers and embracing DevOps
- NSX will integrate with PaaS and Container Orchestration platforms
NSX for cloud-native apps
Solution
[Figure: the NSX Kubernetes Plugin (driven by the K8 Spec) and the NSX Docker Plugin (driven by Docker Compose) sit above NSX, which spans Bare metal (Linux) and Virtual Machines (KVM & vSphere) and gives Containers Connectivity, Availability and Security.]
- Enterprise-grade networking and security for cloud-native apps
- Enables admins to run apps on any cloud: VMware, OpenStack and Public Cloud
- Single platform for all apps: VM, bare metal and Containers