SDDC and Network Virtualization via VCAN John Kuan | Senior Systems Engineer | VMware Cloud Channel Summit 2015 | @rhipecloud #RCCS15


Enterprise business leaders want their IT to be like Amazon

The choice: “No IT” (outsourced) or “New IT” (internal/hybrid), and within New IT, a Hardware Defined Data Center (HDDC) or a Software Defined Data Center (SDDC).

Hardware Defined Data Center (HDDC)

• Intelligence in hardware

• Dedicated, vendor-specific infrastructure

• Manual configuration & management

Software Defined Data Center (SDDC)

• Intelligence in software: the data center virtualization layer

• Operational model of a VM for the data center

• Automated configuration & management

Hardware layer (compute, network and storage capacity)

• Pooled, vendor-independent, best price/performance infrastructure

• Simplified configuration & management

What is a Software Defined Data Center (SDDC)?

Taking what we have learned . . .

Server virtualization: applications run on virtual machines (software), which draw on compute capacity, network and storage (hardware).

• Intelligence in the virtualization layer

• Vendor independent x86 capacity

• Transformative operational model

• Automated configuration & management

Compared with the traditional model:

• Intelligence in hardware

• Dedicated, vendor specific infrastructure

• Manual configuration & management

Manual operational model vs. automated operational model: programmatically create, snapshot, store, move, delete, restore.

To deliver a Software Defined Data Center approach

Software: virtual machines, virtual networks and virtual storage, giving applications location independence.

Hardware: compute capacity, network capacity and storage capacity.

Data Center Virtualization

• Pooled compute, network and storage capacity

• Vendor independent, best price/performance

• Simplified configuration & management

Automated Operational Model

• Programmatically create, snapshot, store, move, delete, restore

The approach taken by the most agile & efficient data centers is SDDC

Google / Facebook / Amazon data centers: custom application on a custom platform, with software / hardware abstraction over any x86, any storage and any IP network.

The Choice for “New IT” – SDDC or HDDC

Google / Facebook / Amazon data centers: custom application, custom platform, software / hardware abstraction over any x86, any storage, any IP network.

Hardware Defined Data Center (HDDC): any application on an HDDC platform of integrated x86, integrated storage and a vendor-specific network (vertical integration).

Software Defined Data Center (SDDC): any application on an SDDC platform, with data center virtualization over any x86, any storage, any IP network.

SDDC Within, Between and Across Data Centers

Software Defined Data Center (SDDC): any application on an SDDC platform, with data center virtualization over any x86, any storage, any IP network.

Inter-Data Center and Hybrid-Data Center: the same SDDC platform spans them, each running any application over any x86, any storage and any IP network.

VMware NSX Momentum: Customers

Top investment banks, enterprises & service providers

Understanding SDDC Network Virtualization

Network Capacity . . . Compute Capacity . . . Data Center Virtualization Layer . . .

A “Network Hypervisor”: the operational model of a VM for the network

Non-Disruptive Deployment

Programmatically Provisioned

Services Distributed to the Virtual Switch

Software Defined Data Center Deployed

Web Tier, App Tier and DB Tier, each on its own L3 subnet, all software constructs on top of the physical network, with NAT out to the Internet.

The Power of Distribution

NSX Delivers the Operational Model of a VM for the Network

• Abstracts, pools, automates networking for the SDDC

• Faithful reproduction of L2/3 networking, L4-7 services

• Runs across existing/any networking hardware

• Scale out/distributed switching, routing, firewalling

• Seamless service insertion for application delivery, security, network security partners

SDDC | A Platform for Industry Innovation

53% – Dec. 2013 Gartner Data Center Conference Poll: “Who do you see as your primary Software Defined Infrastructure Vendor?”

VMware: 52.56%
Cisco: 21.31%
Red Hat: 6.56%
HP: 4.92%
Microsoft: 4.92%
VCE: 4.92%
IBM: 3.28%
Citrix: 1.64%
Oracle: 0%

“Cisco's ACI delivers tactical benefits, but lacks strategic value” – Gartner Report

The New Normal

A More Secure Data Center

Leveraging the Power of SDDC Network & Security Services Distribution for Data Center Micro-Segmentation

Problem: Data Center Network Security

Perimeter-centric network security has proven insufficient, and micro-segmentation is operationally infeasible.

• Insufficient: little or no lateral controls inside the perimeter

• Operationally infeasible: micro-segmentation with existing approaches

Solution: Leverage SDDC Approach for Micro-Segmentation

• Hypervisor-based, in kernel distributed firewalling

• Platform-based automated provisioning and workload adds/moves/changes

Diagram labels: Internet, Security Policy, Perimeter Firewalls, Cloud Management Platform

There is a BIG difference . . .

NSX Distributed Firewalling Performance

• 20 Gbps per host of firewall performance with negligible CPU impact

• 80K CPS with 100+ rules per host

• A typical virtual appliance does ~6K CPS per VM; a physical appliance performs 300K – 400K CPS per appliance

SDDC Platform | Native Security Capabilities

Hypervisor-based, in kernel distributed firewalling

• High throughput rates on a per hypervisor basis

• Every hypervisor adds additional east-west firewalling capacity

• Native feature of the VMware NSX platform

Platform-based automation

• Automated provisioning and workload adds/moves/changes

• Accurate firewall policies follow workloads as they move

20 Gbps firewalling throughput per host

Data center micro-segmentation becomes operationally feasible

Isolation: Dev, Test, Production – no communication path

Segmentation: Web, App, DB – controlled communication path

Segmentation with Advanced Services: Web, App, DB – controlled communication path through advanced services

Advanced Services Insertion – Example: Palo Alto Networks NGFW

Diagram labels: Internet, Security Policy, Security Admin, Traffic Steering

Automated Security in a Software-Defined Data Center

Data Center Micro-Segmentation

Automated Security in a Software Defined Data Center: Quarantine Vulnerable Systems until Remediated

Security Group = Quarantine Zone

Members = {Tag = ‘ANTI_VIRUS.VirusFound’, L2 Isolated Network}

Security Group = Web Tier

Policy Definition

Standard Desktop VM Policy

• Anti-Virus – Scan

Quarantined VM Policy

• Firewall – Block all except security tools

• Anti-Virus – Scan and remediate
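As an added example (not from the deck and not NSX code), a small Python model of the tag-driven quarantine policy above together with the Web/App/DB tier segmentation from the earlier slides: a VM's security-group membership is derived from its tier and its tags, and an ordered rule set gives the quarantine policy precedence over the tier policy. The “Security Tools” group, the VM names and the ports are constructed; only “Quarantine Zone” and the ‘ANTI_VIRUS.VirusFound’ tag come from the slide.

```python
# Added example (not from the slides or from NSX): a minimal model of tag-driven
# security groups and the quarantine policy shown above. VM names, ports and the
# "Security Tools" group are constructed for illustration.
from dataclasses import dataclass, field

QUARANTINE = "Quarantine Zone"           # group name from the slide
SECURITY_TOOLS = "Security Tools"        # assumed group for AV / scanning hosts
VIRUS_TAG = "ANTI_VIRUS.VirusFound"      # tag from the slide
ANY = None                               # wildcard in a rule

@dataclass
class VM:
    name: str
    tier: str                            # "Web", "App", "DB" or "Security Tools"
    tags: set = field(default_factory=set)

def groups_for(vm):
    """Dynamic membership: the tier group, plus the Quarantine Zone whenever the AV
    tag is present. Recomputed on every lookup, so policy follows the workload."""
    groups = {vm.tier}
    if VIRUS_TAG in vm.tags:
        groups.add(QUARANTINE)
    return groups

# Ordered rules (src_group, dst_group, dst_port, action); first match wins.
# Quarantine rules come first so "block all except security tools" overrides
# whatever the tier policy would otherwise allow.
RULES = [
    (SECURITY_TOOLS, QUARANTINE, ANY, "allow"),
    (QUARANTINE, SECURITY_TOOLS, ANY, "allow"),
    (QUARANTINE, ANY, ANY, "deny"),
    (ANY, QUARANTINE, ANY, "deny"),
    ("Web", "App", 8443, "allow"),       # controlled communication path
    ("App", "DB", 3306, "allow"),        # controlled communication path
]
DEFAULT_ACTION = "deny"                  # no communication path unless allowed

def evaluate(src, dst, port):
    """Action for a src -> dst:port flow under the current group membership."""
    src_groups, dst_groups = groups_for(src), groups_for(dst)
    for r_src, r_dst, r_port, action in RULES:
        if r_src is not ANY and r_src not in src_groups:
            continue
        if r_dst is not ANY and r_dst not in dst_groups:
            continue
        if r_port is not ANY and r_port != port:
            continue
        return action
    return DEFAULT_ACTION
```

Tagging a Web VM with the AV tag is enough to cut its allowed path to the App tier while still admitting the security tools, and clearing the tag restores the tier policy without touching any rule.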


SDDC Platform Enables a More Secure Data Center

Micro segmentation now possible in dynamic, multi-tenant environment

• High performance, in kernel distributed firewalling

• Platform-based automation

• Integration with best-of-breed security partners (e.g., Palo Alto Networks)

© 2014 VMware Inc. All rights reserved. @rhipecloud #RCCS15

Thank you!

[email protected]

www.rhipe.com