TRANSCRIPT
Usha Ramachandran, Staff Product Manager, Pivotal
Sai Chaitanya, Product Line Manager, VMware
NET1523BU
#VMworld #NET1523BU
Integrating NSX and Cloud Foundry
VMworld 2017 Content: Not for publication or distribution
Disclaimer
• This presentation may contain product features that are currently under development.
• This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.
• Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.
• Technical feasibility and market demand will affect final delivery.
• Pricing and packaging for any new technologies or features discussed or presented have not been determined.
#NET1523BU CONFIDENTIAL 2
AGENDA
1. Introduction
2. Pivotal Cloud Foundry
3. NSX-V integration with Cloud Foundry
4. New Features in Cloud Foundry Networking
5. NSX-T with Cloud Foundry Networking
Changing Model for Application Delivery
• Development: linear / sequential → short cycles, test driven, iterative
• Deployment: sparingly at designated times → ready for prod at any time
• Architecture: monolithic app → microservices / composite app
• Abstraction layer: app server on machine → app on "disposable" infrastructure
• "Day 2" Ops: many tools, ad hoc automation → manage services, not servers
Cloud Native Model for Application Delivery
Continuous delivery of microservices: release #1, release #2, and so on.
An idea in the morning can ship by evening.
"High performing organizations do not trade off agility for safety. In fact, high performance is characterized by consistent improvements in levels of both agility and safety."
Customer Personas and Needs: Application Developer
DEVELOPER: create applications to meet business goals
Different application types
• Micro-services
• Clustering apps
• Latency-sensitive or secure services
Focus on business logic
• Tools and frameworks for easy development
• Write once, run anywhere
Speed and agility
• Self-service – no tickets!
• Minimal impact during upgrades
Customer Personas and Needs: Platform Operator
OPERATOR: keep the platform running smoothly
Security
• Network security
• Authorization and authentication
• Platform security
Platform stability
• Day-2 operations
• Faster patching and upgrades
Visibility
• Billing and auditing
• Triage and debugging
Pivotal Cloud Foundry platform overview (diagram)
DEVELOPMENT: multiple languages; microservices support; services marketplace (native, user-provided, partner)
OPERATIONS: app deployment & management (CI/CD tools, ID, security); availability (health, metrics, patching); visibility & administration (apps & platform dashboards)
Underneath: operating system, cloud API, container orchestration
PCF Technical Primer (simplified view)
1. Developer deploys the app: cf push app_a
2. The Cloud Controller uploads the app and invokes the scheduler (Diego)
3. The CF app instance runs in a container and is stateless, i.e. state is persisted externally
4. The app is scheduled to a container host (Diego cell, e.g. cell_1)
5. A route is registered with the GoRouter: app_a.cfapps.cloud.com → cell_1_ip : port_num
6. CF Services provide persistent storage
7. App access: Load Balancer (*.cfapps.cloud.com) → GoRouters → NAT → cell
Pivotal Ops Manager and Ops Manager Director are used to install, maintain and upgrade PCF.
Network Security in Cloud Foundry: Using CF Application Security Groups (ASGs)
• An ASG is a collection of egress allow rules, each specifying {IP CIDR, port, protocol}, that an app can access; any egress not covered by an allow rule is denied.
• Applied to the entire foundation or at the CF space level.
Example: a PCF Prod foundation with a PCI space and a non-PCI space, each backed by its own services network (PCF Services – PCI Net, PCF Services – non PCI Net).

Source | Destination | Port and Proto | Action
Any | PCI Services | tcp, 3306 | Allow
Any | Any | any | Deny (implicit default)

Challenges
• Cannot specify policy at app granularity; a rule applies to every app in the space or foundation.
• PCI and non-PCI containers can share a container host.
• Apps cannot be identified by IP or subnet, so ingress security cannot be applied to them.
PCF Infra Networking and Load Balancing requirements
Four private networks:
1. PCF Infra Network – 192.168.10.0/26 (Ops Manager, Ops Manager Director)
2. PCF Deployment Network – 192.168.20.0/22 (Cloud Controller, Diego brains, GoRouters, Diego cells)
3. PCF Services Network – 192.168.28.0/22
4. Other External Services – 192.168.24.0/22
PCF and NSX-V Logical Networking & Load Balancing (basic routing design)
One NSX logical switch (LS) per private network, all attached to an NSX Edge Services Gateway (ESG) that connects to the external network 10.114.214.0/24 and the VPN:
• NSX LS Infra – 192.168.10.0/26
• NSX LS Deployment – 192.168.20.0/22
• NSX LS Services – 192.168.28.0/22
• NSX LS External Services – 192.168.24.0/22

ESG NAT:
Service | Source | Destination
Source NAT | 192.168.10.0/16 | External IP 1
Dest NAT | External IP 2 | Ops Man IP

ESG load balancing:
Service | VIP | Pool
Load Balancing | External IP 3 | Go Router IPs
Load Balancing | External IP 4 | Diego Brain IPs

The NSX LB can either terminate SSL or be configured as pass-through (the GoRouter terminates SSL).
PCF Infrastructure Security Requirements: ESG firewall to protect the PCF foundation
Same topology as above: the ESG fronts the Infra (192.168.10.0/26), Deployment (192.168.20.0/22), Services (192.168.28.0/22) and External Services (192.168.24.0/22) logical switches, with the external network 10.114.214.0/24 and the VPN on the outside.

Source | Destination | Service | Action
Any | Ops_Manager | SSH, HTTP, HTTPS | Allow
Any | VIP_Go_Router | HTTP, HTTPS | Allow
… | … | … | Allow
… | … | … | Allow
Any | Any | Any | Deny

The first rule is shown with source Any; in a real foundation, limit the SSH and Ops Manager UI rule to the operator VPN range rather than Any, and leave only the GoRouter VIP open to arbitrary sources.
Reference: http://docs.pivotal.io/pivotalcf/1-11/refarch/vsphere/vsphere_nsx_cookbook.html#load_balancer
Cloud Foundry Isolation Segments
Diagram: one Diego control plane (BBS, Diego brain) scheduling onto a PCI isolation segment and a non-PCI isolation segment, each with its own cells (cell_1 …).
Isolation segments
• A dedicated set of Diego cells that enables compute isolation of apps
• Can be assigned to a CF org or space
• Apps (and their instances) in that org or space will only be scheduled to their own dedicated cells
Benefits
• Apps of different kinds can be deployed with compute isolation on a shared foundation, e.g. PCI and non-PCI, retail banking and investment banking
• Saves the operational and cost overhead of maintaining multiple foundations
PCF Isolation Segments and NSX-V: Ops Manager and NSX integration for CF isolation segments
1. Deploy the isolation segment: Ops Manager deploys the dedicated Diego cells for the isolation segment (IS).
2. Ops Manager adds the Diego cells to an NSX-V Security Group (SG): if an SG with the same name as the isolation segment exists, the cell VMs are added to it; if no SG with that name is found, Ops Manager creates the SG and adds the VMs.
3. As Diego cells are added or deleted, the NSX SG membership is maintained.
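The membership-sync behaviour described above, written out as an added example for this page (it is not Ops Manager's or VMware's code): an SG named after the isolation segment is reused if present and created if not, newly deployed cells are added, and cells that were deleted or moved to another segment are removed. NsxInventory is an in-memory stand-in for the NSX-V security-group API; the segment names and cell VM ids are constructed. The overlap check at the end is the invariant a platform operator cares about: a cell left in two segments' SGs would match both segments' DFW allow rules.

```python
"""Keep NSX-V security-group (SG) membership in step with the Diego cells of
each Cloud Foundry isolation segment: reuse an SG that already carries the
segment's name, create it if missing, add new cells, remove stale ones.

Added example, not Ops Manager's or VMware's code. NsxInventory is an
in-memory stand-in for the NSX-V SG API (SGs keyed by name, holding VM ids);
segment names and cell VM ids below are constructed.
"""
from typing import Dict, List, Optional, Set, Tuple


class NsxInventory:
    """Stand-in for NSX-V SG objects: name -> set of member VM ids."""

    def __init__(self, groups: Optional[Dict[str, Set[str]]] = None):
        self.groups: Dict[str, Set[str]] = {k: set(v) for k, v in (groups or {}).items()}

    def exists(self, name: str) -> bool:
        return name in self.groups

    def create(self, name: str) -> None:
        self.groups.setdefault(name, set())

    def members(self, name: str) -> Set[str]:
        return set(self.groups[name])

    def add_member(self, name: str, vm: str) -> None:
        self.groups[name].add(vm)

    def remove_member(self, name: str, vm: str) -> None:
        self.groups[name].discard(vm)


def reconcile(nsx: NsxInventory, desired: Dict[str, Set[str]]) -> List[Tuple[str, ...]]:
    """desired maps isolation-segment name -> cell VM ids that belong in the SG
    of the same name. Returns the actions taken, in order, for auditing."""
    actions: List[Tuple[str, ...]] = []
    for segment, cells in desired.items():
        if not nsx.exists(segment):          # no SG with the segment's name: create it
            nsx.create(segment)
            actions.append(("create_sg", segment))
        current = nsx.members(segment)
        for vm in sorted(cells - current):   # newly deployed cells
            nsx.add_member(segment, vm)
            actions.append(("add", segment, vm))
        for vm in sorted(current - cells):   # deleted or reassigned cells
            nsx.remove_member(segment, vm)
            actions.append(("remove", segment, vm))
    return actions


def overlapping_members(nsx: NsxInventory, segments: List[str]) -> Set[str]:
    """VM ids present in more than one segment SG; empty after a clean reconcile."""
    seen: Set[str] = set()
    overlap: Set[str] = set()
    for seg in segments:
        if nsx.exists(seg):
            overlap |= seen & nsx.members(seg)
            seen |= nsx.members(seg)
    return overlap


def demo() -> Tuple[List[Tuple[str, ...]], Set[str], Dict[str, Set[str]]]:
    # Constructed starting state: the PCI SG pre-exists and still holds a cell
    # that has since been deleted; the Non-PCI SG has not been created yet.
    nsx = NsxInventory({"PCI": {"cell-pci-1", "cell-pci-old"}})
    desired = {"PCI": {"cell-pci-1", "cell-pci-2"}, "Non-PCI": {"cell-nonpci-1"}}
    actions = reconcile(nsx, desired)
    return actions, overlapping_members(nsx, list(desired)), nsx.groups


if __name__ == "__main__":
    for action in demo()[0]:
        print(*action)
```

Running reconcile a second time against the same desired state yields no actions, which is the property that lets it be re-run safely after every cell add or delete.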
PCF Isolation Segments and NSX-V: Compute Isolation and Network Segmentation
Workflow:
1. Create NSX SGs for PCI and non-PCI
2. Create the segmentation policy
3. Create the isolation segments (PCI and Non-PCI), each backed by its own cells (cell_1 … cell_n) and mapped to the NSX SG of the same name (NSX SG – PCI, NSX SG – Non-PCI)
4. Assign each isolation segment to a space or org
5. Deploy apps

DFW segmentation policy:
Source | Destination | Service | Action
SG_PCI | PCI_Services | HTTP, HTTPS | Allow
SG_non_PCI | Non_PCI_Services | HTTP, HTTPS | Allow
SG_PCI and SG_non_PCI | Shared Services | … | Allow
Any | Any | Any | Deny

Result: stateful network segmentation and monitoring at the org / space granularity.
DEMO : Isolation Segments and DFW
NEW FEATURES IN CLOUD FOUNDRY NETWORKING
LEGACY CLOUD FOUNDRY NETWORKING
DESIRED STATE
PCF 1.11 Networking Features
Policies
• App to app
• Dynamic
• CLI or API
• Self service
• Container-to-container (c2c) connectivity
CNI
• Silk CNI plugin
• Unique IP per container on the overlay
• 3rd party plugins
Existing features
• Application Security Groups
• Egress via cell IP: SNAT
• Ingress via cell IP: DNAT
Container Networking Interface (CNI) is an industry-standard API for container runtimes to call third-party networking plugins.
PCF 1.11 Networking
• Cells sit on the PCF Deployment Network (192.168.20.0/22); containers get addresses on the PCF Container Network, 10.255.0.0/16, with each cell carved a /24 of it (10.255.10.0/24 and 10.255.11.0/24 in the diagram).
• A single overlay network serves all containers in a single foundation.
• Defaults to a /16 range to allow for ~250 cells with ~250 containers per cell.
• Access to external services, and ingress through the GoRouter, continue to use the PCF Deployment Network.
PCF 1.11 Policy
Diagram: APP 1 and APP 2 on one cell, APP 3 on another; each app has an interface on the Container Network, each cell an interface on the Deployment Network. The policy created by cf allow-access APP1 -> APP 2 permits the egress traffic from APP 1 and the matching ingress traffic into APP 2 on the container network.
POLICY CONFIGURATION
Allow two apps to talk to each other
$ cf allow-access SOURCE_APP DEST_APP --protocol <tcp|udp> --port <1-65535>
List policies
$ cf list-access
Revoke the policy for two apps to talk to each other
$ cf remove-access SOURCE_APP DEST_APP --protocol <tcp|udp> --port <1-65535>
USE CASES
Secure microservices (frontend calling checkout, auth, billing and inventory services)
• Direct east-west communication
• Private microservices do not need public routes
• Fine-grained application-level policies
Clustering applications (a boot node and its peers)
• Same source and destination app in the policy
• Communicate on a TCP or UDP port
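The two allow-lists on this deck, Application Security Groups (the space-level egress rules from the "Network Security in Cloud Foundry" slide) and container-to-container policy (the cf allow-access entries above), decide different traffic: a destination on the 10.255.0.0/16 overlay is governed by the c2c policies of the destination app, anything else leaves the cell via SNAT and is governed by the ASGs bound to the source app's space. The following is an added example written for this page that models that decision; it is not code from cf-networking-release, Silk or the cf CLI. ASG rule fields follow the ASG JSON format (destination as CIDR, single IP or dashed range; ports as a comma list of ports or ranges; protocol tcp, udp or all); the app names, overlay addresses and rules are constructed, and the PCI ASG assumes the PCI services live on the deck's services network 192.168.28.0/22.

```python
"""Egress decision for a CF app instance: c2c policy on the overlay, ASGs
elsewhere, deny when nothing matches.

Added example, not cf-networking-release, Silk or cf CLI code. ASG rule
fields follow the ASG JSON format; sample apps, overlay IPs and rules are
constructed for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

OVERLAY = ipaddress.ip_network("10.255.0.0/16")  # PCF Container Network from the deck


def _dest_matches(dest: str, ip: ipaddress.IPv4Address) -> bool:
    """ASG destination: CIDR, single IP, or inclusive range a.b.c.d-e.f.g.h."""
    if "-" in dest:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in dest.split("-", 1))
        return lo <= ip <= hi
    return ip in ipaddress.ip_network(dest, strict=False)


def _port_matches(ports: Optional[str], port: int) -> bool:
    """ASG ports: omitted means any port; otherwise "80", "80,443" or "8000-8100"."""
    if ports is None:
        return True
    for part in ports.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            if lo <= port <= hi:
                return True
        elif int(part) == port:
            return True
    return False


def asg_allows(asg_rules: List[dict], dst_ip: str, dst_port: int, proto: str) -> bool:
    """ASGs only add allow rules, so no matching rule means deny."""
    ip = ipaddress.ip_address(dst_ip)
    for rule in asg_rules:
        if rule["protocol"] not in (proto, "all"):
            continue
        if _dest_matches(rule["destination"], ip) and _port_matches(rule.get("ports"), dst_port):
            return True
    return False


@dataclass(frozen=True)
class C2CPolicy:
    """One 'cf allow-access SRC DST --protocol P --port N' entry."""
    source_app: str
    dest_app: str
    protocol: str
    port: int


def c2c_allows(policies: List[C2CPolicy], src_app: str, dst_app: str, dst_port: int, proto: str) -> bool:
    """Keyed on app identity, not IP; works when source and destination are the same app."""
    return any(
        p.source_app == src_app and p.dest_app == dst_app
        and p.protocol == proto and p.port == dst_port
        for p in policies
    )


def egress_allowed(space_asgs: List[dict], policies: List[C2CPolicy], app_by_overlay_ip: Dict[str, str],
                   src_app: str, dst_ip: str, dst_port: int, proto: str) -> bool:
    """Overlay destinations: c2c policy of the destination app. Anything else: space ASGs."""
    if ipaddress.ip_address(dst_ip) in OVERLAY:
        dst_app = app_by_overlay_ip.get(dst_ip)
        return dst_app is not None and c2c_allows(policies, src_app, dst_app, dst_port, proto)
    return asg_allows(space_asgs, dst_ip, dst_port, proto)


# Constructed sample data: the deck's PCI ASG (tcp/3306 to PCI services) and two c2c policies.
ASG_SPACE_PCI = [{"protocol": "tcp", "destination": "192.168.28.0/22", "ports": "3306"}]
POLICIES = [
    C2CPolicy("frontend", "billing", "tcp", 8080),
    C2CPolicy("peer", "peer", "tcp", 7946),  # clustering app: same source and destination
]
APP_BY_OVERLAY_IP = {"10.255.10.5": "billing", "10.255.10.6": "inventory", "10.255.11.9": "peer"}


def demo() -> Dict[str, bool]:
    def check(src: str, ip: str, port: int, proto: str = "tcp") -> bool:
        return egress_allowed(ASG_SPACE_PCI, POLICIES, APP_BY_OVERLAY_IP, src, ip, port, proto)
    return {
        "frontend->billing:8080 (policy)": check("frontend", "10.255.10.5", 8080),
        "frontend->inventory:8080 (no policy)": check("frontend", "10.255.10.6", 8080),
        "frontend->billing:9090 (wrong port)": check("frontend", "10.255.10.5", 9090),
        "peer->peer:7946 (clustering)": check("peer", "10.255.11.9", 7946),
        "frontend->pci mysql:3306 (ASG)": check("frontend", "192.168.28.10", 3306),
        "frontend->pci mysql:22 (not in ASG)": check("frontend", "192.168.28.10", 22),
        "frontend->internet:443 (not in ASG)": check("frontend", "8.8.8.8", 443),
    }


if __name__ == "__main__":
    for label, allowed in demo().items():
        print("ALLOW" if allowed else "DENY ", label)
```

The split in egress_allowed is the practical point of the "Existing features" and "Policies" lists: an app with no c2c policy still reaches whatever the space ASGs permit, and an app with a c2c policy to a peer still cannot reach the peer on any port the policy does not name.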
NSX-T & PCF
A network and security platform for cloud native and traditional apps: NSX network & security on top of the physical network, with CNI integration into Cloud Foundry.
• Native "container" networking & security
• Common operational model for traditional and cloud native apps
• Integrated with the data center network, tools & processes
• Leverages existing investments
NSX-T CONTAINER NETWORKING
• Container network integrated with the data center network via routing (BGP)
• Automated creation / deletion of the container network in response to CF org create / delete
• Two modes: routed and private container network
PCF Foundation 1, network mode: routed. Org 1 gets routed container subnets (172.20.1.0/24, 172.20.2.0/24) reachable from the core network.
PCF Foundation 2, network mode: private. Org 1 gets a private container subnet (172.20.0.0/27) behind a SNAT IP (172.19.0.6) on the core network (10.4.0.128/27 in the diagram).
Private container network:
• Conserves IP address space in the core DC network
• Maintains isolation between the core network and the container network
• Apps are identified in the core network by their SNAT IP address
NSX-T & PCF SECURITY
Diagram: Cloud Native App Platform instance 1 (namespaces shopping_cart, notifications), instance n (namespaces payments, auth), and apps & databases on VMs.
Use cases
1. Inter-microservice, same cloud native platform instance
2. Inter-microservice, across multiple instances of the CNA platform(s)
3. Microservice to VM or database app
Configuration approaches
1. CF network policy
2. NSX APIs – DFW, section
NSX-T & CLOUD NATIVE APPS
NSX-T provides, for containers:
• Native container networking
• Microsegmentation for containers
• Load balancing
• Monitoring & troubleshooting
• Integration with existing tools & processes
• Reference designs
Provision & manage the network like cloud native apps.
SUMMARY
• Cloud Foundry and NSX together provide the agility and security required for digital transformation.
• NSX-V with CF isolation segments provides stateful network segmentation at the org/space level.
• Cloud Foundry has a secure and extensible networking stack that enables direct container communication based on app-level policies.
• NSX-T and Cloud Foundry CNI integration provides native container networking and security, and a common operational model across cloud native and traditional apps.
• Cloud Foundry CNI enables third-party SDN integration.