Confidential │ ©2021 VMware, Inc.
Networking Architecture
VMC on AWS
November 2021
Agenda VMC on AWS Networking Design
NSX-T Overview
VMC on AWS SDDC and NSX-T
L3 & L2 in the SDDC
Gateway Services
Intrinsic Security in the SDDC
Visibility & Troubleshooting
VMC on AWS Networking Design
Overview
Partition Placement Groups (PPG) Ensure Resiliency
• AWS provides PPGs to control physical host rack placement
• Clusters automatically use these underlying constructs
• Hosts from different clusters may reside in the same rack
• Supports max cluster size (16)
Each physical host is placed in a separate PPG to reduce the impact of a rack failure
[Diagram: hosts of Cluster-1 and Cluster-2 each spread across four separate racks]
How are the hosts connected?
VMC on AWS Physical Networking
With VMware Cloud on AWS, Amazon directly administers the physical network that each ESXi host connects to.
AWS network hardware is configured with a maximum transmission unit (MTU) of 1600+ bytes and with VLAN trunks.
VMware and AWS engineers work together to optimize the network.
Host Adapters
VMC on AWS Physical Networking
Amazon provides each host with one Elastic Network Adapter (ENA), instead of the traditional NIC. Each ENA provides 25 or 100 Gbps of bandwidth through multiple physical network connections.
VMware Cloud on AWS Physical Networking (2)
Host Adapters
Amazon provides each host with one Elastic Network Adapter (ENA), instead of the traditional NIC. Each ENA provides 25 Gbps of bandwidth through multiple physical network connections.
Isolation
VMC on AWS VPC
When a VMware Cloud on AWS SDDC is created, an AWS Virtual Private Cloud (VPC) is created.
Managed by VMware, this VPC is not configurable by administrators.
The VPC enforces logical isolation between VMware Cloud on AWS SDDCs and other AWS resources managed by the administrator.
Reserved IP Ranges
VMC on AWS
Reserved IPs – Description
• 10.0.0.0/15, 172.31.0.0/16 – These ranges are reserved within the SDDC management subnet, but can be used in your on-premises networks or in SDDC compute network segments.
• 100.64.0.0/16 – Reserved for carrier-grade NAT per RFC 6598. Avoid using addresses in this range in SDDC networks and elsewhere; they are not likely to be reachable within the SDDC or from outside it. See VMware Knowledge Base article 76022 for a detailed breakdown of how SDDC networks use this address range.
• 169.254.0.0/19, 169.254.64.0/24, 169.254.101.0/30, 169.254.105.0/24, 169.254.106.0/24 – Per RFC 3927, all of 169.254.0.0/16 is a link-local range that cannot be routed beyond a single subnet. With the exception of these CIDR blocks, however, you can use 169.254.0.0/16 addresses for your virtual tunnel interfaces.
• 192.168.1.0/24 – This is the default compute segment CIDR for a single-host starter SDDC; it is not reserved in other configurations.
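A practical use of the reserved-range table is to check a proposed address plan before a compute segment or a VPN tunnel interface is created. The following Python script is an added example written for this section; it is not part of the original deck and not a VMware tool. It encodes only the ranges listed in the table above (plus KB article 76022 as the reference for the carrier-grade NAT range); the function names, the "error:"/"info:" severity prefixes and the sample CIDRs are assumptions of the example.

```python
import ipaddress

# Reserved ranges exactly as listed in the table above (the only page-specific values used here).
MGMT_RESERVED = [ipaddress.ip_network(c) for c in ("10.0.0.0/15", "172.31.0.0/16")]
CGNAT_RESERVED = ipaddress.ip_network("100.64.0.0/16")            # RFC 6598, used internally by the SDDC
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")              # RFC 3927
LINK_LOCAL_RESERVED = [ipaddress.ip_network(c) for c in (
    "169.254.0.0/19", "169.254.64.0/24", "169.254.101.0/30",
    "169.254.105.0/24", "169.254.106.0/24")]
STARTER_DEFAULT_SEGMENT = ipaddress.ip_network("192.168.1.0/24")  # default only for a single-host starter SDDC


def check_compute_segment(cidr):
    """Return findings for a proposed SDDC compute segment CIDR.

    Each finding is a string prefixed 'error:' (do not use) or 'info:' (allowed, but worth knowing).
    An empty list means the range does not touch anything in the table.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    findings = []
    if net.overlaps(CGNAT_RESERVED):
        findings.append(f"error: {net} overlaps {CGNAT_RESERVED}, which the SDDC uses internally (KB 76022)")
    if net.overlaps(LINK_LOCAL):
        findings.append(f"error: {net} is link-local ({LINK_LOCAL}) and cannot be routed beyond one subnet")
    for reserved in MGMT_RESERVED:
        if net.overlaps(reserved):
            findings.append(f"info: {net} overlaps {reserved}; reserved only in the management subnet, "
                            "allowed for compute segments and on-premises networks")
    if net.overlaps(STARTER_DEFAULT_SEGMENT):
        findings.append(f"info: {net} overlaps {STARTER_DEFAULT_SEGMENT}, the default segment of a "
                        "single-host starter SDDC (not reserved in other configurations)")
    return findings


def has_errors(findings):
    """True when any finding is blocking."""
    return any(f.startswith("error:") for f in findings)


def vti_address_ok(cidr):
    """True if the CIDR is usable for a VPN virtual tunnel interface: inside 169.254.0.0/16
    but outside every reserved link-local block from the table."""
    net = ipaddress.ip_network(cidr, strict=False)
    if not net.subnet_of(LINK_LOCAL):
        return False
    return not any(net.overlaps(r) for r in LINK_LOCAL_RESERVED)


if __name__ == "__main__":
    # Sample CIDRs are constructed for the demo.
    for cidr in ("172.16.10.0/24", "10.1.0.0/24", "100.64.5.0/24", "169.254.200.0/24"):
        print(cidr, "->", check_compute_segment(cidr) or ["ok"])
    for cidr in ("169.254.200.0/30", "169.254.10.0/30"):
        print("VTI", cidr, "->", vti_address_ok(cidr))
```

Run it as a pre-check in whatever pipeline creates segments: a compute segment inside 10.0.0.0/15 is only an informational hit (it is reserved in the management subnet, not the compute side), while anything inside 100.64.0.0/16 or 169.254.0.0/16 is rejected outright.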
Local connectivity via ENI
Connected VPC
How does it work?
High-bandwidth, low-latency ENI connection between VPC and SDDC
• Traffic flows between the VMware SDDC and the AWS VPC through the ENI
• There are firewalls on both ends of this connection
• By default, no traffic is allowed in either direction
• No egress charges across the ENI within the same AZ
Consuming Native AWS Services
Use case – Using an AWS Application Load Balancer to load balance web server VMs
[Diagram: SDDC (Edge, CGW, MGW, NSX, HCX, vCenter) attached to the Connected VPC]
Consuming Native AWS Services
Economical and high-throughput service consumption
[Diagram: SDDC (Edge, CGW, MGW, NSX, HCX, vCenter) attached to the Connected VPC]
NSX-T
Overview
Networking Inside the SDDC
Powered by VMware NSX-T
▪ Key features from on-premises brought to the cloud
▪ Networking
▪ Security
▪ Scalable and easy to consume networking
▪ Simplified Interface
▪ API access available
▪ Multiple connectivity options
NSX-T Networking and Security Services
Complete networking and security services in software
▪ Connectivity to physical
▪ Switching
▪ Routing
▪ DHCP
▪ NAT
▪ VPN
▪ Gateway Firewalling
▪ L4 – L7 Firewall
▪ URL Filtering
▪ Distributed IDS/IPS
▪ User ID Firewall
NSX-T Data Center Architecture View (1)
NSX-T Data Center components provide internal networking to the VMware Cloud on AWS SDDC.
NSX-T Data Center Architecture View (2)
NSX-T Data Center uses a Tier-0 router to provide external networking to the VMware Cloud on AWS SDDC.
NSX-T Data Center Architecture View (3)
NSX-T Data Center uses a Tier-0 router to provide connectivity between the VMware Cloud on AWS SDDC and other AWS services through ENIs.
NSX-T Distributed Firewall
Stateful Distributed L2-L7 Services for all workloads
• Enforces FW rules for all VMC on AWS workloads
• Static & dynamic grouping based on compute object, tags and user
• Stateful enforcement based on 5-tuple
• Micro-segmentation for overlay-backed workloads
• Context-aware firewall
• User ID firewall policies
• FQDN filtering
[Diagram: the distributed firewall enforced in the virtual distributed switch on each ESXi host]
NSX-T Distributed Firewall
[Diagram: traditional topology with a perimeter firewall and an inside firewall separating App, DMZ, Services and DB zones, shared services (AD, NTP, DHCP, DNS, CERT) and Finance, Engineering and HR groups]
Micro-segmentation Simplifies Network Security
• Zero Trust/Least Privilege Model
• Each VM can now be its own perimeter
• Policies align with logical groups
• Prevents threats from spreading
• Network Topology Agnostic
VMC on AWS and NSX-T
Overview
Quick & Simple Connectivity
Default Network Logical Topology
Default Network & Security Topology for every SDDC
• 1x Edge Router (HA Pair) - T0
• 1x Management Gateway (MGW) (HA Pair) – T1
• 1x Compute Gateway (CGW) (HA Pair) – T1
• Firewall policy is created automatically for the default topology, with everything blocked from the outside world
• i.e. vCenter access is possible only after a firewall policy allowing it is created
[Diagram: SDDC with Edge, MGW (vCenter, NSX) and CGW serving the 192.168.1.0/24 default segment, connected to the Internet and to the Connected VPC (S3 EP, RDS, EC2, FSx, ELB)]
Networking Inside the SDDC
A Closer Look
[Diagram: SDDC with Edge, MGW (vCenter, NSX) and CGW]
Edge Router
• All connectivity to workloads flows through the Edge
• Configured for Active/Standby to provide High Availability (HA)
Management Gateway
• Management traffic for vCenter, NSX, ESXi hosts, etc.
Compute Gateway
• Workload traffic, including network to network
Programmatic route configuration
• No routing protocol overhead
Pervasive security
• Edge firewall
• Distributed firewall
NSX User Interface
Overview
Simplified, easy to use interface
No need to be a network guru
Segments Inside the SDDC
Overlay Networks
DHCP Server
Networking & Security – DHCP Server Profiles
DHCP Relay
Networking & Security – DHCP Server Profiles
Networking & Security – Segments - Set DHCP Config
Networking and Security – Segment Statistics
Gateway Services
Firewall
Management Gateway / Compute Gateway
Firewall – Predefined & User Defined Groups
Gateway Services
Firewall – vCenter Access Policy
Gateway Services
Quick & Simple Connectivity
Accessing vCenter
Gateway Services
Route-based IPsec VPN
Route-based is the recommended L3 VPN in VMC on AWS
Uses BGP (dynamic routing protocol)
We will discuss this further in Module 4
Gateway Services
Policy-based IPsec VPN
Policy-based IPsec is favored when BGP isn’t an option due to:
• Hardware
• Corporate policy
• Technical proficiency
• Etc…
We will discuss this further in Module 4
NAT
Gateway Services
Intrinsic Security
Gateway Firewall (N/S Security)
Multiple layers of native security within the SDDC
Two levels of firewalling
• Gateway (perimeter) firewalls
  • One for management
  • One for compute
• Distributed firewalling
Establishing a Security Baseline
Distributed Firewall Design Topology
[Diagram: Web, App and DB tiers (VMs 172.16.10.10 to 172.16.10.13) behind the CGW and Edge, with the DFW providing micro-segmentation between the tiers]
Establishing a Security Baseline
Group Definition
Group Options
Establishing a Security Baseline
Dynamic Membership in Distributed Firewall
Where do tags come from?
Establishing a Security Baseline
Distributed Firewall Rule
[Diagram: Development and Production groups inside the SDDC behind the CGW and Edge, separated by a distributed firewall rule]
Networking and Security – DFW Time Based Policy
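The distributed firewall design covered in the preceding slides (tag-driven dynamic groups, a three-tier rule set with an implicit default deny, and a time-based rule) can be reasoned about with a small policy model before it is typed into the console. The Python below is an added example written for this section; it is not NSX code, not the NSX API, and not part of the original deck. The VM names, tags, the tier-to-IP assignment, the rule names and the 02:00 to 04:00 maintenance window are constructed assumptions of the example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class VM:
    name: str
    ip: str
    tags: dict  # e.g. {"tier": "web", "env": "prod"}; tags are what drive dynamic membership


@dataclass
class Group:
    """A dynamic group: a VM is a member while ALL criteria match its tags."""
    name: str
    criteria: dict

    def member_ips(self, inventory):
        return {vm.ip for vm in inventory
                if all(vm.tags.get(k) == v for k, v in self.criteria.items())}


@dataclass
class Rule:
    name: str
    src: str               # group name or "any"
    dst: str               # group name or "any"
    proto: str             # "tcp", "udp", "icmp" or "any"
    dport: Optional[int]   # None = any destination port
    action: str            # "allow" or "drop"
    hours: Optional[tuple] = None  # (start, end) hour-of-day window for a time-based rule; None = always


class DistributedFirewall:
    """First-match rule evaluation with an implicit default deny, applied per VM rather than per subnet."""

    def __init__(self, inventory, groups, rules):
        self.inventory = inventory
        self.groups = {g.name: g for g in groups}
        self.rules = rules

    def _matches_group(self, group_name, ip):
        if group_name == "any":
            return True
        # Membership is recomputed on every lookup, so a newly tagged VM is covered immediately.
        return ip in self.groups[group_name].member_ips(self.inventory)

    def evaluate(self, src_ip, dst_ip, proto, dport, hour=12):
        """Return (action, rule_name) for a flow; falls through to ('drop', 'default-deny')."""
        for rule in self.rules:
            if rule.hours is not None and not (rule.hours[0] <= hour < rule.hours[1]):
                continue
            if rule.proto != "any" and rule.proto != proto:
                continue
            if rule.dport is not None and rule.dport != dport:
                continue
            if self._matches_group(rule.src, src_ip) and self._matches_group(rule.dst, dst_ip):
                return rule.action, rule.name
        return "drop", "default-deny"


def build_demo_firewall():
    """Constructed three-tier inventory and policy (assumed tags and tier-to-IP assignment)."""
    inventory = [
        VM("web-01", "172.16.10.10", {"tier": "web", "env": "prod"}),
        VM("app-01", "172.16.10.11", {"tier": "app", "env": "prod"}),
        VM("db-01",  "172.16.10.12", {"tier": "db",  "env": "prod"}),
        VM("app-dev", "172.16.20.11", {"tier": "app", "env": "dev"}),
    ]
    groups = [
        # Criteria combine tier AND env so a dev VM tagged tier=app never lands in a prod group.
        Group("Prod-Web", {"tier": "web", "env": "prod"}),
        Group("Prod-App", {"tier": "app", "env": "prod"}),
        Group("Prod-DB",  {"tier": "db",  "env": "prod"}),
        Group("Prod", {"env": "prod"}),
        Group("Dev", {"env": "dev"}),
    ]
    rules = [
        Rule("web-to-app", "Prod-Web", "Prod-App", "tcp", 8080, "allow"),
        Rule("app-to-db",  "Prod-App", "Prod-DB",  "tcp", 3306, "allow"),
        # Explicit block placed ABOVE the maintenance allow so it wins on first match.
        Rule("block-dev-to-prod", "Dev", "Prod", "any", None, "drop"),
        # Time-based rule: SSH into production only inside a 02:00-04:00 maintenance window.
        Rule("maint-ssh", "any", "Prod", "tcp", 22, "allow", hours=(2, 4)),
    ]
    return DistributedFirewall(inventory, groups, rules)


if __name__ == "__main__":
    fw = build_demo_firewall()
    print(fw.evaluate("172.16.10.10", "172.16.10.11", "tcp", 8080))    # allow via web-to-app
    print(fw.evaluate("172.16.10.10", "172.16.10.12", "tcp", 3306))    # default-deny: web may not reach DB directly
    print(fw.evaluate("172.16.20.11", "172.16.10.12", "tcp", 3306))    # dropped by block-dev-to-prod
    print(fw.evaluate("10.9.9.9", "172.16.10.11", "tcp", 22, hour=3))  # allowed by maint-ssh inside the window
    print(fw.evaluate("10.9.9.9", "172.16.10.11", "tcp", 22, hour=12)) # default-deny outside the window
    # Dynamic membership: tag a new VM and it is covered by web-to-app with no rule change.
    fw.inventory.append(VM("web-02", "172.16.10.13", {"tier": "web", "env": "prod"}))
    print(fw.evaluate("172.16.10.13", "172.16.10.11", "tcp", 8080))    # allow via web-to-app
```

Two design points the model makes visible: group criteria should combine tier and environment, otherwise a dev VM that happens to carry tier=app inherits the production app-to-db allow; and rule order matters, since the explicit dev-to-prod block sits above the time-based maintenance allow and therefore wins even inside the window.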
Operations – IPFIX
Collect stats on network traffic
Tools for Better Visibility
Firewall Logging in VMware Cloud on AWS
Configuration of logging can be done per-rule by clicking the gear icon to the right of the rule
Compute Gateway Rule
Distributed Firewall Rule
vRealize Log Insight Cloud for VMware Cloud on AWS
Tools for Better Visibility
vRealize Log Insight Cloud (Firewall Logs)
• Identify Traffic Patterns – Monitor traffic being allowed or dropped
• Maintain Security – Identify, monitor and tune the firewall policies based on the observed traffic patterns
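Once per-rule logging is enabled and the logs reach a collector, "identify traffic patterns" and "tune the firewall policies" become concrete queries. The Python below is an added example for this section; it is not part of the deck and not vRealize Log Insight Cloud's own query language. The log lines are constructed in a simplified key=value layout, not the native NSX firewall log format, so the regular expression is the part to adapt to a real export; the rule names match the constructed policy used earlier in this section.

```python
import re
from collections import Counter

# Constructed, simplified key=value firewall log lines (NOT the native NSX log format;
# adapt LINE_RE to the fields your collector actually ships).
SAMPLE_LOGS = """\
2021-11-04T10:15:22Z dfw rule=web-to-app action=PASS proto=tcp src=172.16.10.10:51514 dst=172.16.10.11:8080
2021-11-04T10:15:23Z dfw rule=web-to-app action=PASS proto=tcp src=172.16.10.10:51515 dst=172.16.10.11:8080
2021-11-04T10:15:24Z dfw rule=app-to-db action=PASS proto=tcp src=172.16.10.11:40001 dst=172.16.10.12:3306
2021-11-04T10:16:01Z dfw rule=default-deny action=DROP proto=tcp src=172.16.10.10:51600 dst=172.16.10.12:3306
2021-11-04T10:16:02Z dfw rule=default-deny action=DROP proto=tcp src=172.16.10.10:51601 dst=172.16.10.12:3306
2021-11-04T10:16:03Z dfw rule=default-deny action=DROP proto=tcp src=172.16.10.10:51602 dst=172.16.10.12:3306
2021-11-04T10:17:45Z dfw rule=default-deny action=DROP proto=tcp src=172.16.20.11:33001 dst=172.16.10.12:22
this line is noise and does not match the expected format
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<origin>\S+) rule=(?P<rule>\S+) action=(?P<action>PASS|DROP) "
    r"proto=(?P<proto>\S+) src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_events(text):
    """Parse log text into a list of dicts; lines that do not match are skipped, not guessed at."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def rule_hits(events):
    """Counter keyed by (rule, action): how often each rule fired and with which verdict."""
    return Counter((e["rule"], e["action"]) for e in events)


def top_dropped_flows(events, n=3):
    """Most frequent dropped (src, dst, proto, dport) tuples: the traffic patterns to investigate first."""
    c = Counter((e["src"], e["dst"], e["proto"], e["dport"]) for e in events if e["action"] == "DROP")
    return c.most_common(n)


def rules_without_hits(configured_rules, events):
    """Configured rules that never appear in the logs: candidates to review during policy tuning."""
    seen = {e["rule"] for e in events}
    return sorted(set(configured_rules) - seen)


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOGS)
    print("rule hits:", dict(rule_hits(events)))
    print("top drops:", top_dropped_flows(events))
    print("never hit:", rules_without_hits(["web-to-app", "app-to-db", "maint-ssh"], events))
```

On the sample, the repeated web-tier to database drops on port 3306 surface as the top pattern (either a misconfigured application or something worth a closer look), and the maintenance rule shows up as never hit, which is the kind of signal the tuning step in the slide is about.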
Lab 3: SDDC Networking & Native AWS Integration
1. Enable Photo App access to native AWS services
2. Enable public (internet) access to Photo App
3. Configure Photo App to consume AWS RDS
4. Test the Photo App application
5. Configure Photo App consumption of AWS EFS (shared file system) ***OPTIONAL
6. Configure an AWS Application Load Balancer (ALB) to load balance Photo App VMs ***OPTIONAL
[Diagram: SDDC (Edge, CGW, MGW, NSX, HCX, vCenter) with Desktop-Net and Demo-Net segments, attached to the Connected VPC]
Thank You