SDDC and Network Virtualization via VCAN - rhipe

Slide 1
Cloud Channel Summit 2015 | @rhipecloud #RCCS15
SDDC and Network Virtualization via VCAN
Ahmed Ansar | Senior Network Virtualization Engineer | VMware
Slide 2
Enterprise business leaders want their IT to be like Amazon
No IT (Outsourced) or New IT (Internal/Hybrid)
Hardware Defined Data Center (HDDC) or Software Defined Data Center (SDDC)
Slide 3
What is a Software Defined Data Center (SDDC)?
Data Center Virtualization Layer
Software: Intelligence in Software | Operational Model of VM for Data Center | Automated Configuration & Management
(versus Intelligence in Hardware | Dedicated, Vendor Specific Infrastructure | Manual Configuration & Management)
Hardware: Compute, Network and Storage Capacity | Pooled, Vendor Independent, Best Price/Performance Infrastructure | Simplified Configuration & Management
Slide 4
Taking what we have learned . . .
Software: Applications | Virtual Machines
Hardware: Compute Capacity | Network | Storage
Server virtualization
• Intelligence in the virtualization layer
• Vendor independent x86 capacity
• Transformative operational model
• Automated configuration & management
Manual Operational Model: Intelligence in hardware | Dedicated, vendor specific infrastructure | Manual configuration & management
Automated Operational Model: Programmatically Create, Snapshot, Store, Move, Delete, Restore
Slide 5
To deliver a Software Defined Data Center approach
Software: Applications | Virtual Machines | Virtual Networks | Virtual Storage
Hardware: Compute Capacity | Network Capacity | Storage Capacity
Location Independence
Data Center Virtualization
Pooled compute, network and storage capacity
Vendor independent, best price/performance
Simplified configuration & management
Automated Operational Model: Programmatically Create, Snapshot, Store, Move, Delete, Restore
Slide 6
The approach taken by the most agile & efficient data centers is SDDC
Google / Facebook / Amazon Data Centers
Custom Application
Custom Platform
Any x86 | Any Storage | Any IP network
Software / Hardware Abstraction
Slide 7
The Choice for “New IT” – SDDC or HDDC
Google / Facebook / Amazon Data Centers
Custom Application
Custom Platform
Any x86 | Any Storage | Any IP network
Software / Hardware Abstraction
Hardware Defined Data Center (HDDC)
Any Application
HDDC Platform
Integrated x86 | Integrated Storage | Vendor Specific Network
Vertical Integration
Software Defined Data Center (SDDC)
Any Application
SDDC Platform
Any x86 | Any Storage | Any IP network
Data Center Virtualization
Slide 8
SDDC Within, Between and Across
Data Centers
Software Defined
Data Center (SDDC)
Any Application
SDDC Platform
Any x86
Any Storage
Any IP network
Data Center Virtualization
Inter-Data Center
Any Application
Any x86
Any Storage
Any IP network
Hybrid Data Center
Any Application
Any x86
Any Storage
Any IP network
SDDC Platform
Slide 9
VMware NSX Momentum: Customers
Top investment banks, enterprises & service providers
Slide 10
Understanding SDDC Network Virtualization
Slide 11
Network Capacity . . .
Internet
Slide 12
Compute Capacity . . .
Internet
Slide 13
Data Center Virtualization Layer . . .
Internet
Slide 14
A “Network Hypervisor”
Internet
Slide 15
The Operational Model of a VM for the Network
Internet
Slide 16
Non-Disruptive Deployment
Slide 17
Programmatically Provisioned
Slide 18
Services Distributed to the Virtual Switch
Slide 19
Software Defined Data Center Deployed
Web Tier | App Tier | DB Tier
L3 Subnet | L3 Subnet | L3 Subnet
All Software Construct
Physical Network
NAT
Internet
Slide 20
Non-Disruptive Deployment | Network Services Distribution
Slide 21
The Power of Distribution
Slide 22
NSX Delivers the Operational Model of a VM for the Network
• Abstracts, pools, automates networking for the SDDC
• Faithful reproduction of L2/3 networking, L4-7 services
• Runs across existing/any networking hardware
• Scale out/distributed switching, routing, firewalling
• Seamless service insertion for application delivery, security, network security partners
Slide 23
SDDC | A Platform for Industry Innovation
Slide 24
53% (Dec. 2013 Gartner Data Center Conference Poll)
Who do you see as your primary Software Defined Infrastructure Vendor?
VMware: 52.56%
Cisco: 21.31%
Red Hat: 6.56%
HP: 4.92%
Microsoft: 4.92%
VCE: 4.92%
IBM: 3.28%
Citrix: 1.64%
Oracle: 0%
“Cisco's ACI delivers tactical benefits, but lacks strategic value”
Gartner Report
Slide 25
The New Normal
A More Secure Data Center
Leveraging the Power of SDDC Network & Security Services Distribution for Data Center Micro-Segmentation
Slide 26
Problem: Data Center Network Security
Perimeter-centric network security has proven insufficient, and micro-segmentation is operationally infeasible
Insufficient: Little or no lateral controls inside perimeter
Operationally Infeasible
Slide 27
Solution: Leverage SDDC Approach for Micro-Segmentation
• Hypervisor-based, in kernel distributed firewalling
• Platform-based automated provisioning and workload adds/moves/changes
Internet | Perimeter Firewalls | Security Policy | Cloud Management Platform
Slide 28
There is a BIG difference . . .
Slide 29
NSX Distributed Firewalling Performance
20 Gbps Per Host of Firewall Performance with Negligible CPU Impact
Slide 30
NSX Distributed Firewalling Performance
80K CPS with 100+ Rules per Host
A Typical Virtual Appliance does ~6K CPS per VM
A Physical Appliance performs 300K – 400K CPS per appliance
Slide 31
SDDC Platform | Native Security Capabilities
Hypervisor-based, in kernel distributed firewalling
• High throughput rates on a per hypervisor basis
• Every hypervisor adds additional east-west firewalling capacity
• Native feature of the VMware NSX platform
Platform-based automation
• Automated provisioning and workload adds/moves/changes
• Accurate firewall policies follow workloads as they move
20 Gbps Firewalling throughput per host
Data center micro-segmentation becomes operationally feasible
Slide 32
Isolation
Dev | Test | Production
No Communication Path
Segmentation
Web | App | DB
Controlled Communication Path
Segmentation with Advanced Services
Web | App | DB
Advanced Services Controlled Communication Path
Slide 33
Advanced Services Insertion – Example: Palo Alto Networks NGFW
Internet | Security Policy | Security Admin | Traffic Steering
Slide 34
Automated Security in a Software-Defined Data Center > Data Center Micro-Segmentation
Slide 35
Automated Security in a Software-Defined Data Center
Data Center Micro-Segmentation
Slide 36
Automated Security in a Software Defined Data Center
Quarantine Vulnerable Systems until Remediated
Security Group = Quarantine Zone
Members = {Tag = ‘ANTI_VIRUS.VirusFound’, L2 Isolated Network}
Security Group = Web Tier
Policy Definition
• Standard Desktop VM Policy: Anti-Virus – Scan
• Quarantined VM Policy: Firewall – Block all except security tools; Anti-Virus – Scan and remediate
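The quarantine workflow on this slide, together with the tier segmentation and dev/test/production isolation of the earlier "Isolation / Segmentation" slide, both come down to one mechanism: firewall rules are written against security groups whose membership is computed from workload attributes (tier, environment, partner-supplied tags) rather than from IP addresses, so re-tagging a workload changes its effective policy without anyone editing a rule. The Python below is an added illustration of that model written for this page; it is not VMware or NSX code and does not use the NSX API. The group names, the "Security Tools" group, the `env` attribute and the port numbers (8080, 3306, 22) are assumptions chosen for the example; the `ANTI_VIRUS.VirusFound` tag and the quarantine policy shape come from the slide.

```python
"""Toy model of tag-driven security groups feeding a distributed firewall rule set.

Added example for this page; constructed names and ports, not NSX's own API.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple, Union

ALLOW, DENY, ANY = "allow", "deny", "any"
QUARANTINE_TAG = "ANTI_VIRUS.VirusFound"   # tag from the slide; set by the AV partner


@dataclass
class Workload:
    name: str
    env: str                                   # "dev", "test" or "production" (assumed attribute)
    tier: str                                  # "web", "app", "db" or "security" (assumed values)
    tags: Set[str] = field(default_factory=set)  # dynamic attributes, e.g. set by a partner service


# Security groups are predicates over workload attributes. Membership is recomputed on
# every lookup, so a newly tagged workload is in the Quarantine Zone immediately.
SECURITY_GROUPS: Dict[str, Callable[[Workload], bool]] = {
    "Web Tier": lambda w: w.tier == "web",
    "App Tier": lambda w: w.tier == "app",
    "DB Tier": lambda w: w.tier == "db",
    "Security Tools": lambda w: w.tier == "security",      # assumed group for remediation tooling
    "Quarantine Zone": lambda w: QUARANTINE_TAG in w.tags,
}


def groups_of(w: Workload) -> Set[str]:
    return {name for name, is_member in SECURITY_GROUPS.items() if is_member(w)}


# Rule = (source group, destination group, destination port, action).
# Evaluated top-down, first match wins, anything unmatched is denied.
Rule = Tuple[str, str, Union[int, str], str]
RULES: List[Rule] = [
    # Quarantined VM policy: block all except security tools (placed first so it wins)
    ("Security Tools", "Quarantine Zone", ANY, ALLOW),
    ("Quarantine Zone", "Security Tools", ANY, ALLOW),
    ("Quarantine Zone", ANY, ANY, DENY),
    (ANY, "Quarantine Zone", ANY, DENY),
    # Controlled communication paths: web -> app -> db only (ports are assumed)
    ("Web Tier", "App Tier", 8080, ALLOW),
    ("App Tier", "DB Tier", 3306, ALLOW),
]


def _selects(selector: str, groups: Set[str]) -> bool:
    return selector == ANY or selector in groups


def evaluate(src: Workload, dst: Workload, port: int) -> str:
    """Action the distributed firewall takes for src -> dst:port."""
    # Isolation: dev, test and production have no communication path at all.
    if src.env != dst.env:
        return DENY
    src_groups, dst_groups = groups_of(src), groups_of(dst)
    for rule_src, rule_dst, rule_port, action in RULES:
        if (_selects(rule_src, src_groups) and _selects(rule_dst, dst_groups)
                and rule_port in (ANY, port)):
            return action
    return DENY                                # default deny for anything unmatched


def quarantine(w: Workload) -> None:
    """Simulate the anti-virus partner tagging an infected workload."""
    w.tags.add(QUARANTINE_TAG)


def release(w: Workload) -> None:
    """Remediated: removing the tag takes the workload out of the Quarantine Zone."""
    w.tags.discard(QUARANTINE_TAG)


def demo() -> Dict[str, str]:
    """Walk a constructed three-tier deployment through infection and remediation."""
    web = Workload("web-01", "production", "web")
    app = Workload("app-01", "production", "app")
    db = Workload("db-01", "production", "db")
    av = Workload("av-scanner", "production", "security")
    dev_app = Workload("app-dev", "dev", "app")
    results = {
        "web->app:8080": evaluate(web, app, 8080),          # allowed path
        "web->db:3306": evaluate(web, db, 3306),            # no rule: default deny
        "app->db:3306": evaluate(app, db, 3306),            # allowed path
        "web->dev app:8080": evaluate(web, dev_app, 8080),  # isolation across environments
    }
    quarantine(web)   # same rules, different group membership
    results["quarantined web->app:8080"] = evaluate(web, app, 8080)
    results["av->quarantined web:22"] = evaluate(av, web, 22)
    release(web)
    results["released web->app:8080"] = evaluate(web, app, 8080)
    return results


if __name__ == "__main__":
    for flow, action in demo().items():
        print(f"{flow:30} {action}")
```

Rule order is the part worth checking in a real policy: the quarantine rules sit above the tier rules so that a quarantined web server loses its otherwise-permitted path to the app tier, while the security tools keep theirs. Whatever the tagging source (AV, vulnerability scanner, or an operator), the effective policy is whatever the group predicates say at evaluation time, which is what lets policy follow workloads as they are tagged, moved or re-tiered.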
Slide 37
SDDC Platform Enables a More Secure Data Center
Micro-segmentation now possible in dynamic, multi-tenant environment
• High performance, in kernel distributed firewalling
• Platform-based automation
• Integration with best-of-breed security partners (e.g., Palo Alto Networks)