VMware NSX Network Essentials

Chapter 1. Introduction to Network Virtualization

Starting from the mainframe days, server virtualization has a long history. However, today's data centers use virtualization features to abstract physical hardware, which would be a pool of resources such as CPU, storage, and memory, to the end users in the form of virtual machines. The easiest way to ensure server resource utilization is improved is through virtualization techniques. Server virtualization success has been hailed as a transformational event in data centers primarily because a single physical machine can run multiple operating systems and each operating system can be managed like a dedicated physical machine. This is a very simple but highly powerful solution. There are different types of virtualization, such as server, storage, application, desktop, and the industry's newest buzzword is network virtualization. Network virtualization has been on the market for a long time. VLANs, VPNs, MPLS, VPLS, and VSS are all widely used examples of network virtualization. If you have worked in a data center, you would agree that networking is always challenging to work with. Network architects are forced to perform manual configuration, which results in configuring VLANs, ACLs, routing, firewall rules, QoS, load balancing, and so on. The drawback for this model is complex and slow, and in a dynamic cloud environment, the complexity would increase.

In this chapter, we will cover the following topics:

The traditional network model
The three pillars of a Software Defined Data Center (SDDC)
Introducing the NSX-V network virtualization platform
The power of server virtualization and network virtualization
How to leverage NSX
VMware NSX features

The three pillars of a Software Defined Data Center

In a SDDC, all elements of infrastructure, that is storage, networking, and compute are fully virtualized and delivered as a service. It is described by VMware as "A unified data center platform that provides unprecedented automation, flexibility, and efficiency to transform the way IT is delivered. Compute, storage, networking, security, and availability services are pooled, aggregated, and delivered as software, and managed by intelligent, policy-driven software". An SDDC is the mechanism through which cloud services can be delivered most efficiently. One of the key goals of an SDDC is to build a cloud-based data center. Vendors such as Amazon, Google, IBM, and VMware all have their own set of public cloud services running on an SDDC stack . Yes, now we have a next-generation data center wherein we could pool all physical servers and let applications run according to IT-defined policies.

As the heading suggests, the three pillars of SDDC are shown in the following screenshot:

The three pillars of a Software Defined Data Center

Let's go through each of them one by one:

In Compute virtualization, CPU and memory are decoupled from physical hardware and each application resides in a software object called a virtual machine. VMware VSphere, Microsoft Hyper-V, Citrix XenServer, Oracle VM are a few examples in that family.
Storage virtualization in a Software Defined Storage (SDS) environment is a hypervisor-based storage abstraction from the heterogeneous model of physical servers. Software that enables an SDS provides most of the traditional storage array features, such as replication, deduplication, thin provisioning, and snapshots. Since this is a completely software-defined storage, we have increased flexibility, ease of management, and cost efficiency. In this way, pooled storage resources can be automatically and efficiently mapped to application needs in a software-defined data center environment. VMware VSAN is a classic example of SDS since it is a distributed layer of software that runs natively as a part of an ESXi hypervisor.
Network virtualization is the third and most critical pillar of a Software Defined Data Center (SSDC) center and gives the full set of Layer 2-Layer 7 networking services such as routing, switching, firewall, load balancing, and QoS at the software layer. Network virtualization is the virtualization of network resources using software and networking hardware that enables faster provisioning and deployment of networking resources. The innovation speed of software is much faster than hardware and the answer for the future is not a hardware-defined data center but a Software Defined Data Center which will let us extend the virtualization layer across physical data centers. What makes Amazon and Google the world's largest data center is the brilliance of Software Defined Data Center. Network virtualization provides a strong foundation by effectively resolving all traditional network challenges to ensure we are getting a fully-fledged SDDC stack. As the cloud consumption model is being rapidly adopted across the industry, the need for on-demand provisioning of compute, storage, and networking resources is greater than ever. Network virtualization decouples the networking and security features from physical hardware and allows us to replicate similar network topology in a logical network.

How to leverage NSX

When it comes to leveraging NSX features, customers have the following three options:

Installing NSX in private cloud and leveraging NSX features.
VMware NSX can be integrated with vSphere, vCloud Director, vCloud Automation Center and VMware Integrated Openstack. A multi-hypervisor environment, such as Xen Server, KVM or VMware ESXi^™ with a choice of cloud management solution such as vCloud Automation Center.
VMware vCloud Air, which is a public cloud, delivers advanced networking service networking and security features powered by NSX.
Customer can secure networking in a public cloud built on the same platform as vSphere. Mirror on-premises networks in the cloud with minimal changes to design and networking topology. Manage at scale with controls and constructs familiar to network security administrators, minimizing operational disruption and need for retraining.
For true network hybridity, a customer can have NSX in a private cloud and VMware vCloud Air as the public cloud.
Cloud networking is an essential component of cloud computing and forms the foundation for the hybrid cloud. Every vCloud Air service includes a connection to the Internet, one or more public IP addresses, and critical networking capabilities such as load balancing, a firewall, Network Address Translation (NAT), and VPN connectivity via the Edge Gateway. NSX in vCloud Air supports Border Gateway Protocol (BGP) and Open Shortest Path First (OSPF) routing to simplify the integration of a customer's public cloud workloads and on-premises applications and resources.

A simple diagram describing the same is shown in the following figure:

Feature-rich networking and security services on both private and public clouds ensure both the environments are secured and, most importantly, no application remodification is required while moving the workloads back and forth. The rest of the integration and design between private cloud with NSX and vCloud Air is beyond the scope of this book. We will have a quick look at NSX features and where they will fit in our current data center deployment scenarios.

It is very important to understand the nature of our application that is driving the network traffic in any data center environment. Traditional network architectures were based on a series of switches and routers, and those types of network architecture would perfectly fit in a client-server environment. Today's application workloads are highly in need of reducing the number of hops when they are communicating in a network. In modern-day application requirements, virtual machines talk to each other sitting in the same rack or a different rack before sending a reply packet to the client which is outside the data center. Workloads are moving from server memory to server flash drives for analysis. Big data, virtualization, and cloud have highly contributed to such types of traffic. Hence, we certainly need an intelligent networking for such big application workloads. Lack of speed and flexibility in provisioning a network is addressed with the help of network virtualization features.

With that said, let's have a look at the following diagram, which explains types of traffic in a data center environment. Networking traffic flow in a data center environment is of two types: East-West and North-South:

Let's have a look at an example. Let's assume we have a private data center and we need to access some applications which are hosted in a virtualized server from outside the data center:

East-West traffic: Traffic between virtual machines in the same data center
North-South traffic: Traffic which is coming into and going out of the data center

VMware NSX features

VMware NSX is the network virtualization platform for the Software Defined Data Center (SDDC), which is a completely non-disruptive solution as it reproduces the entire networking infrastructure in software which includes L2-L7 network services. NSX allows virtual networks to connect to physical networks by maintaining fine-grained security as per virtual NIC:

Let's discuss NSX features:

Logical switching: NSX allows the ability to create logical switches which are nothing but vSphere port groups for workload isolation and separation of IP address space between logical networks. This means you are no longer limited to 4096 physical broadcast domains primarily because of VXLAN overlay networks. We will be discussing VXLAN during logical switch modules in more detail in Chapter 4, NSX Virtual Networks and Logical Router.
Gateway services: The Edge Gateway service interconnects your logical networks with your physical networks. This means a virtual machine connected to a logical network can send and receive traffic directly to your physical network through the gateway. Edge Gateway provides perimeter services such as DHCP, VPN, dynamic/static routing, NAT, firewall, load balancing, DNS relay, and High Availability.
Logical routing: NSX logical routing functionality allows a hypervisor to learn and route between different logical networks by limiting the North-South direction of traditional data center routing. Logical routers also can provide North-South connectivity, allowing access to workloads living in the physical networks. Both static and dynamic routing (OSPF, BGP, ISIS) are supported in NSX Edge.
Logical firewall: Switching from a perimeter-centric security approach to per virtual machine level protection was not achievable till NSX was introduced. This has been of significant impact in on-demand cloud and VDI environments. Instead of sticking with traditional per data center level firewall protection, logical firewall gives per VM level protection and policies can be created, deleted with few clicks and policies remain intact even if virtual machines migrates from one host to another host. VMware NSX allows us to make use of a distributed logical firewall and an Edge firewall for use within your software-defined networking architecture. A distributed logical firewall allows you to build rules based on attributes that include not just IP addresses and VLANs but also virtual machine names and vCenter objects. The Edge Gateway features a firewall service that can be used to impose security and access restrictions on North-South traffic.
Extensibility: Using the NSX extensibility feature, third-party VMware partner solutions can be integrated directly into the NSX platform that allows for a vendor choice in multiple service offerings. There are many VMware partners who offer solutions such as antivirus protection, IPS/IDS, and next-generation firewall services that can integrate directly into NSX, palo-alto for example. In addition to that, NSX admin can manage security polices and rules from a single pane of glass.
Load balancer: NSX Edge offers a variety of network and security services and logical load balancer is one of them. There are two types of logical load balancer that NSX supports:
- Proxy mode load balancer
- Inline mode load balancer
  The logical load balancer distributes incoming requests among multiple servers to allow for load distribution while abstracting this functionality from end users. To ensure your application has the most up-time, we can configure the high availability feature for NSX Edge and that way it would be a highly available load balancer.
Dynamic Host Configuration Protocol (DHCP): NSX Edge offers DHCP services that allows for IP address pooling and also static IP assignments. An administrator can now rely on the DHCP service to manage all IP addresses in your environment rather than having to maintain a separate DHCP service. The DHCP service also can relay DHCP requests to your existing DHCP server as well. The NSX Edge DHCP service can relay any DHCP requests generated from your virtual machines to a pre-existing physical or virtual DHCP server without any interruptions.
Virtual Private Networks (VPN): The Edge offers the VPN service that allows you to create secure encrypted connectivity for end users to your applications and workloads hosted in private and public cloud. Edge VPN service offers SSL-VPN plus that allows for user access and IPSEC-policy-based site-to-site connectivity that allows for two sites to be interconnected securely.
Domain Name System Relay (DNS): NSX Edge offers a DNS service that can relay any DNS requests to an external DNS server.
Service composer: Service composer allows you to provision and assign network security features to the applications hosted in a virtualized infrastructure. Network policies are automatically applied to virtual machines whenever they are added in virtual network.
Data security: NSX data security provides visibility into sensitive data and ensures data protection and reports back on any compliance violations. A data security scan on designated virtual machines allows NSX to analyze and report back on any violations based on the security policy that applies to these virtual machines.
Trace flow: Trace flow is a new feature added to NSX 6.2 which allows us to follow a packet from source to destination. Using the trace flow feature, we can monitor link utilization and troubleshoot network failures.
Flow monitoring: Flow monitoring is a traffic analysis feature which provides a granular level of information in terms of number of packets transmitted per session, ports being used, and so on, and later an administrator can allow or block actions depending upon the output and business requirement.
Activity monitoring: For detailed visibility per application, activity monitoring adds a lot of value. By doing so, an administrator will be able to monitor users and application-level information.

The features are summed up perfectly in the following block diagram:

VMware NSX includes a library of logical networking services - logical switches, logical routers, logical firewalls, logical load balancers, logical VPN, and distributed security. You can create custom combinations of these services in isolated software-based virtual networks that support existing applications without modification, or deliver unique requirements for new application workloads.