VMware NSX features
VMware NSX is the network virtualization platform for the Software Defined Data Center (SDDC). It is a non-disruptive solution because it reproduces the entire networking infrastructure in software, including L2-L7 network services. NSX allows virtual networks to connect to physical networks while maintaining fine-grained security per virtual NIC.
Let's discuss NSX features:
- Logical switching: NSX lets you create logical switches, which are effectively vSphere port groups, for workload isolation and separation of IP address space between logical networks. Because logical switches are built on VXLAN overlay networks, you are no longer limited to 4096 physical broadcast domains. We discuss VXLAN in more detail in the logical switch sections of Chapter 4, NSX Virtual Networks and Logical Router.
- Gateway services: The Edge Gateway service interconnects your logical networks with your physical networks. This means a virtual machine connected to a logical network can send and receive traffic directly to your physical network through the gateway. Edge Gateway provides perimeter services such as DHCP, VPN, dynamic/static routing, NAT, firewall, load balancing, DNS relay, and High Availability.
- Logical routing: NSX logical routing allows the hypervisor to learn routes and forward traffic between different logical networks directly, avoiding the North-South hairpinning of traditional data center routing for East-West traffic. Logical routers can also provide North-South connectivity, allowing access to workloads living in the physical networks. Both static and dynamic routing (OSPF, BGP, IS-IS) are supported on NSX Edge.
- Logical firewall: Switching from a perimeter-centric security approach to protection at the individual virtual machine level was not achievable until NSX was introduced. This has had a significant impact in on-demand cloud and VDI environments. Instead of relying on traditional data-center-level firewall protection, the logical firewall gives per-VM protection: policies can be created and deleted with a few clicks, and they remain intact even when a virtual machine migrates from one host to another. VMware NSX provides both a distributed logical firewall and an Edge firewall for use within your software-defined networking architecture. The distributed logical firewall allows you to build rules based on attributes that include not just IP addresses and VLANs but also virtual machine names and vCenter objects. The Edge Gateway features a firewall service that can be used to impose security and access restrictions on North-South traffic.
- Extensibility: Using the NSX extensibility feature, third-party VMware partner solutions can be integrated directly into the NSX platform, giving you a choice of vendors for multiple service offerings. Many VMware partners offer solutions such as antivirus protection, IPS/IDS, and next-generation firewall services that integrate directly into NSX, Palo Alto Networks for example. In addition, the NSX administrator can manage security policies and rules from a single pane of glass.
- Load balancer: NSX Edge offers a variety of network and security services and logical load balancer is one of them. There are two types of logical load balancer that NSX supports:
- Proxy mode load balancer
- Inline mode load balancer
The logical load balancer distributes incoming requests among multiple servers to spread the load while hiding this distribution from end users. To maximize application uptime, you can enable the high availability feature for NSX Edge, which makes the load balancer itself highly available.
- Dynamic Host Configuration Protocol (DHCP): NSX Edge offers a DHCP service that supports IP address pooling as well as static IP assignments. An administrator can rely on this service to manage all IP addresses in the environment rather than having to maintain a separate DHCP service. The NSX Edge DHCP service can also relay any DHCP requests generated by your virtual machines to a pre-existing physical or virtual DHCP server without interruption.
- Virtual Private Networks (VPN): The Edge offers a VPN service that lets you create secure, encrypted connectivity for end users to your applications and workloads hosted in private and public clouds. The Edge VPN service offers SSL VPN-Plus for remote user access and IPsec policy-based site-to-site VPN for securely interconnecting two sites.
- Domain Name System Relay (DNS): NSX Edge offers a DNS service that can relay any DNS requests to an external DNS server.
- Service composer: Service Composer allows you to provision and assign network security features to the applications hosted in a virtualized infrastructure. Network policies are automatically applied to virtual machines whenever they are added to a virtual network.
- Data security: NSX data security provides visibility into sensitive data and ensures data protection and reports back on any compliance violations. A data security scan on designated virtual machines allows NSX to analyze and report back on any violations based on the security policy that applies to these virtual machines.
- Trace flow: Traceflow is a feature added in NSX 6.2 that allows us to follow a packet from source to destination. Using Traceflow, we can observe the path a packet takes and troubleshoot network failures.
- Flow monitoring: Flow monitoring is a traffic analysis feature that provides granular information such as the number of packets transmitted per session and the ports being used; an administrator can then allow or block the observed flows depending on the output and business requirements.
- Activity monitoring: Activity monitoring adds a lot of value when detailed per-application visibility is needed. With it, an administrator can monitor users and application-level information.
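To illustrate the logical firewall point above (rules keyed on VM identity and vCenter objects rather than on IP or host, so a policy survives vMotion), here is a small added Python model of an ordered, default-deny distributed firewall rule table. It is an educational simulation written for this page, not NSX code or its API; the VM names, tags, addresses and rule names are constructed.

```python
"""Toy distributed-firewall evaluator (added illustration, not NSX code).

Rules select traffic by VM attributes (name, security-group tag, CIDR),
not by the ESXi host the VM runs on, so a live migration between hosts
leaves the verdict unchanged.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set


@dataclass
class VM:
    name: str
    ip: str
    host: str                               # ESXi host currently running the VM
    tags: Set[str] = field(default_factory=set)  # constructed security-group labels


@dataclass
class Rule:
    name: str
    action: str                             # "allow" or "block"
    src: str = "any"                        # "any", "vm:<name>", "tag:<tag>", or a CIDR
    dst: str = "any"
    dst_port: Optional[int] = None          # None matches any port
    proto: str = "tcp"


def _matches(selector: str, vm: VM) -> bool:
    """Resolve a rule selector against a VM's attributes (never its host)."""
    if selector == "any":
        return True
    if selector.startswith("vm:"):
        return vm.name == selector[3:]
    if selector.startswith("tag:"):
        return selector[4:] in vm.tags
    return ip_address(vm.ip) in ip_network(selector, strict=False)


def evaluate(rules: List[Rule], src: VM, dst: VM, dst_port: int, proto: str = "tcp") -> str:
    """First matching rule wins, like an ordered rule table; implicit default block."""
    for r in rules:
        if (r.proto == proto
                and (r.dst_port is None or r.dst_port == dst_port)
                and _matches(r.src, src) and _matches(r.dst, dst)):
            return r.action
    return "block"


def vmotion(vm: VM, new_host: str) -> VM:
    """Simulate a live migration: only the host changes; identity and tags stay."""
    return VM(vm.name, vm.ip, new_host, set(vm.tags))


# Constructed sample environment
RULES = [
    Rule("web-to-db", "allow", src="tag:web-tier", dst="tag:db-tier", dst_port=3306),
    Rule("web-to-db-other", "block", src="tag:web-tier", dst="tag:db-tier"),
    Rule("admin-ssh", "allow", src="10.0.99.0/24", dst="any", dst_port=22),
]
WEB = VM("web01", "10.0.1.10", "esxi-01", {"web-tier"})
DB = VM("db01", "10.0.2.10", "esxi-02", {"db-tier"})
ADMIN = VM("jump01", "10.0.99.5", "esxi-03")


def demo():
    """Return verdicts before and after migration, plus two negative/positive checks."""
    before = evaluate(RULES, WEB, DB, 3306)
    after = evaluate(RULES, vmotion(WEB, "esxi-02"), vmotion(DB, "esxi-03"), 3306)
    web_ssh = evaluate(RULES, WEB, DB, 22)       # hits the tag-based block rule
    admin_ssh = evaluate(RULES, ADMIN, DB, 22)   # hits the CIDR-based allow rule
    return before, after, web_ssh, admin_ssh


if __name__ == "__main__":
    print(demo())
```

The point to take from the model is that `vmotion` changes only `host`, and no selector ever reads `host`, so the verdict for the migrated pair is identical to the original. In a real deployment the same property is what lets you write rules against security groups and VM names once and not touch them as workloads move; the implicit trailing block is what keeps an unmatched flow from slipping through.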
The features are summarized in the following block diagram:
VMware NSX includes a library of logical networking services - logical switches, logical routers, logical firewalls, logical load balancers, logical VPN, and distributed security. You can create custom combinations of these services in isolated software-based virtual networks that support existing applications without modification, or deliver unique requirements for new application workloads.
Note
NSX 6.2.3 is the current NSX version at time of writing.