VMware NSX Overview
One solution for the SDN buzzword everyone is talking about.
I recently participated in some training around VMware's flagship SDN software, NSX. It is essentially a networking services engine that ties into your existing ESXi/vCenter environment. I've covered a few highlights below to give traditional network engineers who have had limited exposure to NSX an overview of what it has to offer.
Why is VMWare NSX important to learn as a Network Engineer?
While the software itself is proprietary to VMware, the concept as a whole is important as the technology industry shifts toward hosting services in the cloud. With AWS leading the charge, and Microsoft's Azure and Google's GCP following behind, the cloud industry is growing faster than ever before. What does this mean for networking? It means a good chunk of the routing and switching capabilities we used to provide as traditional network engineers is now shifting to this "cloud". With that, the network components that used to be physical are quickly being replaced by virtual equivalents that are much faster to deploy. NSX is a good example of this and a convenient place to look at the differences between traditional networking and virtual environments.
Will virtual networks remove the need for network engineers?
Absolutely not. The same IEEE and industry standards that have guided our craft for many years still apply across the board to virtual networking. Routing protocols still behave like routing protocols, and firewalls still do firewall things. This means that network engineering knowledge is still very relevant, as server engineers and software developers have their own areas of expertise and will require infrastructure assistance. However, network engineers need to keep learning emerging technologies such as virtual networking to remain relevant in industries that head down this path. The standard enterprise network will still exist in most organizations; users still need connectivity, and printers still need to jam somewhere. With that said, the train is heading towards the cloud, and it is beneficial to grab your tickets early.
Where can you implement NSX?
On premises in your already established virtual environment, or in most cloud environments. Amazon even has a whole site dedicated to discussing installation of NSX on AWS. Anywhere your virtual environment can live, so can NSX and its networking services.
Advantages of NSX in your environment:
- Increased security (micro-segmentation) – East/West traffic can be granularly controlled and segmented with virtual firewalls at the host or network level. North/South traffic can be protected as well if desired.
- Automation – NSX allows much faster deployment of network services inside the virtual environment, decreasing turnaround time on new services, capabilities, or changes.
- Simplified management – NSX potentially reduces the number of teams involved in new deployments and changes. Instead of the network team implementing a new VLAN or subnet on the physical infrastructure, whoever oversees the virtual environment can handle it while deploying the new services, all from one location. Even if it is still the network team implementing that change, many regular tasks will be faster to complete from within the virtual environment than on the physical hardware.
Key Components of NSX:
- Logical switches – More widely distributed than the switching in a standard ESXi/vCenter environment, leveraging VXLAN to do things like tunnel Layer 2 traffic over Layer 3. The building block of your overlay network.
- Distributed Logical Router – Brings routing into the virtual environment to keep traffic off your physical infrastructure when it is not required. Provides OSPF/BGP/static routing and redistribution, DHCP, and a few other services for East/West traffic flows.
- Edge Services Gateway – DLR on steroids, but for a different purpose. Provides edge routing capabilities (OSPF, BGP, static, redistribution), firewall services, NAT, DHCP, load balancing, VPN, and SSL VPN for your virtual environment. Typically used for North/South traffic flows.
- NSX Distributed and Edge Firewalls – The distributed firewall provides micro-segmentation of East/West traffic between your hosts, allowing very granular traffic control very easily. It can also act as an identity-aware firewall and apply rules based on the AD-authenticated user, as one example. Dynamic grouping of objects based on attributes such as AD security group, VM name, or OS allows for very dynamic and well-defined traffic control.
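The logical switch bullet above says VXLAN is what lets the overlay carry Layer 2 frames across a Layer 3 underlay. The following added example (not NSX code, and not from the original post) shows what that encapsulation actually looks like on the wire: it builds a constructed VXLAN UDP payload carrying an inner Ethernet/IPv4 frame and then decapsulates it, recovering the 24-bit VNI (the overlay segment identifier) and the tenant addressing that the physical network never sees. The MAC and IP addresses, the VNI 5001, and the Python helper names are all constructed for the example; the header layout and the UDP port 4789 come from RFC 7348, and NSX may be configured to use a different port.

```python
import ipaddress
import struct

# IANA port for VXLAN per RFC 7348. An NSX deployment may use a different
# port; treat the port as deployment-specific (assumption for this example).
VXLAN_UDP_PORT = 4789
VXLAN_FLAG_VNI_VALID = 0x08  # the "I" flag: the VNI field is valid
ETHERTYPE_IPV4 = 0x0800


def build_vxlan_header(vni, flags=VXLAN_FLAG_VNI_VALID):
    """Return the 8-byte VXLAN header: flags(1) reserved(3) VNI(3) reserved(1)."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    # The VNI occupies the top 24 bits of the last 32-bit word.
    return struct.pack("!B3xI", flags, vni << 8)


def parse_vxlan(udp_payload):
    """Split a VXLAN UDP payload into (vni, inner_ethernet_frame)."""
    if len(udp_payload) < 8:
        raise ValueError("truncated VXLAN header")
    flags, tail = struct.unpack("!B3xI", udp_payload[:8])
    if not flags & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VNI-valid flag not set; not a VXLAN frame")
    return tail >> 8, udp_payload[8:]


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_inner_frame(dst_mac, src_mac, src_ip, dst_ip, proto=6):
    """Constructed inner Ethernet II frame with a minimal 20-byte IPv4 header."""
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20, 0, 0, 64, proto, 0,
        ipaddress.IPv4Address(src_ip).packed,
        ipaddress.IPv4Address(dst_ip).packed,
    )
    eth_hdr = (
        bytes.fromhex(dst_mac.replace(":", ""))
        + bytes.fromhex(src_mac.replace(":", ""))
        + struct.pack("!H", ETHERTYPE_IPV4)
    )
    return eth_hdr + ip_hdr


def decode_overlay_payload(udp_payload):
    """Decapsulate one VXLAN frame and describe the tenant traffic it carries."""
    vni, frame = parse_vxlan(udp_payload)
    if len(frame) < 14:
        raise ValueError("truncated inner Ethernet frame")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {
        "vni": vni,
        "inner_dst_mac": mac_str(dst),
        "inner_src_mac": mac_str(src),
        "ethertype": ethertype,
    }
    if ethertype == ETHERTYPE_IPV4 and len(frame) >= 34:
        # IPv4 header starts at frame offset 14: protocol at +9, src at +12, dst at +16.
        info["inner_proto"] = frame[23]
        info["inner_src_ip"] = str(ipaddress.IPv4Address(frame[26:30]))
        info["inner_dst_ip"] = str(ipaddress.IPv4Address(frame[30:34]))
    return info


# Constructed sample: two VMs on overlay segment VNI 5001 talking TCP.
SAMPLE_VNI = 5001
SAMPLE_PAYLOAD = build_vxlan_header(SAMPLE_VNI) + build_inner_frame(
    "02:00:00:00:00:01", "02:00:00:00:00:02", "10.10.1.10", "10.10.1.20"
)

if __name__ == "__main__":
    print(decode_overlay_payload(SAMPLE_PAYLOAD))
```

The point for a network engineer: the underlay only ever sees VTEP-to-VTEP UDP traffic, so anything that needs to see tenant addressing (monitoring, packet capture, ACL review) has to be VXLAN-aware or sit inside the overlay.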
Overview Video of NSX interface:
Some of the training labs we covered by title to give you an idea of the capabilities of NSX:
- Configuring NSX Manager
- Configure / Deploy NSX Controller Cluster
- Preparing for Virtual Networking (Install VIBs on hosts)
- Configuring logical switch networks
- Configuring and deploying an NSX distributed router
- Deploying an NSX Edge Services Gateway and Configuring Static Routing
- Configuring and Testing dynamic routing on NSX edge appliances
- Configuring equal-cost multipathing (ECMP)
- Configuring NSX Edge High Availability
- Configuring L2 Bridging
- Configuring and Testing NAT on an NSX ES
- Configuring Load Balancing
- Configuring Load Balancing 2
- Configuring Layer 2 VPN Tunnel
- Configuring IPSec Tunnels
- Configuring and Testing SSL VPN-Plus
- Using the VMware NSX Distributed Firewall rules to control network traffic
- Using NSX Edge Firewall rules to control network traffic
- Configuring and using SpoofGuard and IP Discovery
- Using VMWare NSX Service Composer
- Configuring an Identity-Aware Firewall
- Micro-segmentation with Application Rule Manager
- Guest Introspection and Endpoint Monitoring
- Configuring Cross-vCenter VMware NSX
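Several of the labs above (distributed firewall rules, Service Composer, the identity-aware firewall, and micro-segmentation with Application Rule Manager) revolve around the idea described under the firewall component: rules are written against dynamically computed groups rather than IP addresses. The following added example, which is a simplified model and not NSX's own rule engine or API, shows why that matters. Group membership is evaluated from VM attributes (name, OS) and the AD groups of the logged-on user at lookup time, rules are matched top-down with an explicit block-all default, and a newly deployed VM that matches a group's criteria is covered by policy without anyone editing a rule. The group names, criteria, rules, VMs, and ports are all constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class VM:
    name: str
    os: str
    ip: str
    user_groups: frozenset = frozenset()  # AD groups of the identity logged on to the VM


@dataclass(frozen=True)
class Flow:
    src: VM
    dst: VM
    proto: str
    dport: int


# Constructed security groups: each is a list of (attribute, operator, value)
# criteria, and a VM is a member only if every criterion matches.
SECURITY_GROUPS = {
    "SG-Web": [("name", "starts_with", "web-")],
    "SG-App": [("name", "starts_with", "app-")],
    "SG-DB": [("name", "starts_with", "db-")],
    "SG-HR-App": [("name", "starts_with", "hrapp-")],
    "SG-Windows": [("os", "contains", "Windows")],
    "SG-HR-Users": [("user_group", "equals", "HR-Users")],  # identity-based criterion
}

# Constructed rules, evaluated top-down, first match wins:
# (source group or "any", destination group or "any", proto, dport or None, action)
RULES = [
    ("SG-Web", "SG-App", "tcp", 8443, "allow"),
    ("SG-App", "SG-DB", "tcp", 3306, "allow"),
    ("SG-HR-Users", "SG-HR-App", "tcp", 443, "allow"),
    ("any", "any", "any", None, "block"),  # default rule: nothing else is allowed
]


def matches(vm, attribute, op, value):
    """Evaluate one group criterion against a VM (or its logged-on user)."""
    if attribute == "user_group":
        return op == "equals" and value in vm.user_groups
    actual = getattr(vm, attribute)
    if op == "starts_with":
        return actual.startswith(value)
    if op == "contains":
        return value in actual
    if op == "equals":
        return actual == value
    raise ValueError(f"unknown operator {op}")


def is_member(group_name, vm):
    """Membership is recomputed on every call, so it tracks VM and user changes."""
    return all(matches(vm, *criterion) for criterion in SECURITY_GROUPS[group_name])


def group_membership(vm):
    return {g for g in SECURITY_GROUPS if is_member(g, vm)}


def in_scope(group, vm):
    return group == "any" or is_member(group, vm)


def evaluate(flow):
    """Return (action, rule_number) for the first rule matching the flow."""
    for number, (src_g, dst_g, proto, dport, action) in enumerate(RULES, 1):
        if (
            in_scope(src_g, flow.src)
            and in_scope(dst_g, flow.dst)
            and proto in ("any", flow.proto)
            and (dport is None or dport == flow.dport)
        ):
            return action, number
    return "block", 0  # unreachable with a default rule present, kept as a safety net


# Constructed inventory.
WEB01 = VM("web-01", "Ubuntu 22.04", "10.10.1.10")
APP01 = VM("app-01", "Ubuntu 22.04", "10.10.2.10")
DB01 = VM("db-01", "Ubuntu 22.04", "10.10.3.10")
HRAPP01 = VM("hrapp-01", "Windows Server 2019", "10.10.4.10")
VDI_HR = VM("vdi-042", "Windows 10", "10.20.0.42", frozenset({"HR-Users"}))
VDI_FIN = VM("vdi-043", "Windows 10", "10.20.0.43", frozenset({"Finance-Users"}))

if __name__ == "__main__":
    print(evaluate(Flow(WEB01, APP01, "tcp", 8443)))  # allowed by rule 1
    print(evaluate(Flow(WEB01, DB01, "tcp", 3306)))   # web-to-db lateral path hits the default block
    print(evaluate(Flow(VDI_HR, HRAPP01, "tcp", 443)))  # allowed because of the user's AD group
```

Two things worth noticing when running it: the web-to-database flow is blocked even though nothing mentions it explicitly, because the default rule catches every flow not listed above it, and a VM named `web-03` deployed later is allowed to reach the app tier immediately because the group criteria, not an address list, decide membership.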
Additional NSX Information and Resources: