Microservices for Enterprises - Consistent Network & Security services for Containers and VMs
© 2015 VMware Inc. All rights reserved.
Consistent Network & Security services for Containers and VMs
Guru Shetty, Sai Chaitanya
The case for Network Virtualization
CONFIDENTIAL 2
Traditional Data Center
- Network architecture
- Layer 3 boundary at the aggregation layer
- VLANs in the access layer and the virtual switch
[Figure: VM1 on a vSwitch behind an access switch (Layer 2) and an aggregation switch / router (Layer 3), alongside a bare-metal DB]
The case for Network Virtualization
Drivers for Virtualized Networking
- Cloud: software-defined network
- Multi-tenancy with overlapping IP addresses (typical use cases: acquisitions and mergers)
- Flexible and programmatic workload placement
[Figure: VM1 to VM6 connected over datacenter network tunnels (VXLAN, Geneve, STT)]
The Case for Microsegmentation
Security in a Traditional Data Center
- Security configuration at the Layer 3 boundary
- Huge surface exposed to attack: an attacker who gets past the perimeter can move laterally throughout the VLAN domain
[Figure: a single perimeter around Data center 1]
The Case for Microsegmentation
Security in a Modern Data Center
- FW per VM or host
  - Limits the lateral spread of an attack
- Distributed Firewall
  - In kernel
  - Line-rate performance
  - FW context moves along with the workload
[Figure: VM1 to VM6 over datacenter network tunnels (VXLAN, Geneve, STT), with a FW per vNIC]
Virtual Networking constructs
• Logical Switch
• Logical Port
• Firewall rule (ACL)
• Logical Router
• Logical Router Port
• Distributed Load Balancer
The intelligent edge
[Figure: CMS / container orchestrators drive NSX/OVN, which programs OVS on each hypervisor through OpenFlow and OVSDB; two tenants (Coke, Pepsi) share the same hypervisor]
What’s new in the Data Center
- Containers running in VMs
- Containers running on bare-metal servers
[Figure: two hypervisors, each running OVS, with VMs V1 and V2 hosting containers C1 to C4; physical servers P1 and P2 behind a Layer 2 VTEP TOR; a router R behind a Layer 3 VTEP TOR; all joined over datacenter network tunnels]
Design goals for Container integration
- Unique IP address per container
  - No NAT-based solution: complex to manage at scale
- Avoid overlays on overlays
  - Poor performance
  - Lack of visibility for troubleshooting and monitoring
- Security (firewall) enforcement per container interface
  - Protect other workloads from a compromised container
- Network segment that spans bare metal, containers and VMs
- Service chaining for containers, e.g. IDS and distributed load balancing
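The constructs on the "Virtual Networking constructs" slide (logical switch, logical port, firewall rule / ACL) and the per-container-interface enforcement goal above meet in how a distributed firewall evaluates ACLs at each logical port. The Python model below is an added example, not code from this deck or from OVN/NSX: it evaluates priority-ordered from-lport and to-lport ACLs per logical port, with stateful allow-related semantics and an explicit default-deny rule, and shows that a compromised web container C1 cannot reach its neighbour C2 or any port on database container C3 other than the one the policy permits. The port names C1, C2, C3 and R, the web/db groupings and the sample flows are constructed for illustration.

```python
"""Priority-ordered, per-logical-port ACL evaluation in the style of the
OVN/NSX distributed firewall. Added example; not code from the deck or from
OVN. Port names, groupings and flows below are constructed for illustration.
Verdicts depend only on logical port names, never on which hypervisor the
container runs on, which is why the firewall context follows the workload.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Flow:
    """One unidirectional packet between two logical (container) ports."""
    src_port: str
    dst_port: str
    proto: str
    sport: int
    dport: int

    def reply(self) -> "Flow":
        return Flow(self.dst_port, self.src_port, self.proto, self.dport, self.sport)


@dataclass(frozen=True)
class Acl:
    """One ACL row. from-lport ACLs run on the source port's ingress pipeline,
    to-lport ACLs on the destination port's egress pipeline. None matches any."""
    priority: int
    direction: str                      # "from-lport" | "to-lport"
    action: str                         # "allow" | "allow-related" | "drop"
    src: Optional[FrozenSet[str]] = None
    dst: Optional[FrozenSet[str]] = None
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, f: Flow) -> bool:
        return ((self.src is None or f.src_port in self.src)
                and (self.dst is None or f.dst_port in self.dst)
                and (self.proto is None or f.proto == self.proto)
                and (self.dport is None or f.dport == self.dport))


class DistributedFirewall:
    def __init__(self, acls: List[Acl]) -> None:
        # Highest priority wins; ties keep the order in which rules were given.
        self.acls = sorted(acls, key=lambda a: -a.priority)
        # Established flows, keyed so the reply direction is recognised
        # without needing an ACL of its own (allow-related semantics).
        self.conntrack: Set[Tuple[str, str, str, int, int]] = set()

    def _stage(self, f: Flow, direction: str) -> str:
        for a in self.acls:
            if a.direction == direction and a.matches(f):
                return a.action
        # OVN allows a packet that no ACL matches, so a default-deny policy
        # must carry an explicit low-priority drop (see POLICY below).
        return "allow"

    def evaluate(self, f: Flow) -> str:
        if (f.src_port, f.dst_port, f.proto, f.sport, f.dport) in self.conntrack:
            return "allow"            # reply of an established allow-related flow
        stateful = False
        for direction in ("from-lport", "to-lport"):
            verdict = self._stage(f, direction)
            if verdict == "drop":
                return "drop"         # either pipeline can veto the packet
            stateful = stateful or verdict == "allow-related"
        if stateful:
            r = f.reply()
            self.conntrack.add((r.src_port, r.dst_port, r.proto, r.sport, r.dport))
        return "allow"


WEB = frozenset({"C1", "C2"})   # constructed: web tier containers
DB = frozenset({"C3"})          # constructed: database container

POLICY = [
    Acl(100, "from-lport", "allow-related"),                 # egress: stateful, otherwise open
    Acl(1000, "to-lport", "allow-related", src=WEB, dst=DB, proto="tcp", dport=5432),
    Acl(1000, "to-lport", "allow-related", dst=WEB, proto="tcp", dport=80),
    Acl(0, "to-lport", "drop"),                              # explicit default deny at every vNIC
]


def run_scenario() -> dict:
    """Evaluate constructed flows in order; the DB reply relies on conntrack state."""
    fw = DistributedFirewall(POLICY)
    flows = {
        "web_to_db": Flow("C1", "C3", "tcp", 40001, 5432),     # permitted service
        "db_reply": Flow("C3", "C1", "tcp", 5432, 40001),      # return traffic
        "lateral_ssh": Flow("C1", "C2", "tcp", 40002, 22),     # compromised C1 -> neighbour
        "db_to_web_ssh": Flow("C3", "C1", "tcp", 40003, 22),   # DB initiating to web
        "web_to_db_ssh": Flow("C1", "C3", "tcp", 40004, 22),   # wrong port on DB
        "external_http": Flow("R", "C1", "tcp", 50000, 80),    # via router port R
    }
    return {name: fw.evaluate(f) for name, f in flows.items()}


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:>14}: {verdict}")
```

The two-stage evaluation mirrors where a per-vNIC firewall sits: a packet is checked as it leaves the source container's port and again as it enters the destination's, so policy holds even when both containers share one Docker host VM and their in-VM OVS is untrusted.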
Docker Integration
[Figure: a Docker host VM running containers C1, C2, C3 on an OVS inside the VM (untrusted), attached to the hypervisor OVS (trusted) and the datacenter network]
Docker Integration
[Figure: physical view: a Docker host VM with containers C1, C2, C3 and a second VM with C4, C5, each with an in-VM OVS, attached to the hypervisor OVS and the datacenter network. Logical space: C1, C3, C4 on one logical switch S and C2, C5 on another, joined by a logical router R with an external connection]
Docker Security
[Figure: a Docker host VM with containers C1, C2, C3 on an in-VM OVS, attached to the hypervisor OVS, where the Distributed Firewall is enforced]
Docker OpenStack Integration
```shell
# Create a Docker network backed by the Open vSwitch/OVN network driver
# (registered with Docker under the name "openvswitch"); containers attached
# to it receive their own address from the subnet rather than a NAT'd one.
docker network create -d openvswitch --subnet=192.168.1.0/24 foo

# Start a container attached to that network.
docker run --net=foo --name=busybox busybox
```
Docker OpenStack Integration
[Figure: Docker on a tenant VM uses an OVS plugin; Docker talks to Neutron, which programs OVN; Nova provisions the tenant VM on a hypervisor (HV) running OVS with containers C1, C2, C3]
OVN – VM overlays
[Figure: containers C1 to C4 spread across three VMs, each VM running OVS, connected by tunnels]
Kubernetes integration
Cloud Native Apps in Enterprises
- Cloud-native technologies will bring "web-scale"-like agility and continuous delivery to the enterprise
- Customers are deploying next-generation apps to either PaaS platforms or container clusters
- Customers are also refactoring existing apps using containers and embracing DevOps
- NSX will integrate with PaaS and container orchestration platforms
NSX for cloud-native apps
Solution
- NSX Kubernetes Plugin (K8s spec) and NSX Docker Plugin (Docker Compose)
- Containers on bare metal (Linux) and virtual machines (KVM & vSphere)
- Connectivity, availability, security
- Enterprise-grade networking and security for cloud-native apps
- Enables admins to run apps on any cloud: VMware, OpenStack and public cloud
- Single platform for all apps: VM, bare metal and containers