In June 2014 my cloudfix co-bloggers and I attended a seminar about network virtualisation in general and VMware NSX specifically. The seminar also contained a deep dive into the details of VMware NSX, which prompted us to write a blog post series on network virtualisation in general and VMware NSX in detail.
This first article in the series looks at VMware NSX globally; the following articles will dive into the specifics of the solution. I hope you find the series useful in understanding what VMware NSX can do for your organization.
As we shift more and more to software-defined datacenters and build hybrid cloud architectures that let us move workloads from our private clouds to public clouds, or even between public cloud providers, one important aspect is of course the network: it has to let us do this without anyone knowing (or caring, for that matter) where a workload is at a given moment. This is where VMware NSX comes into the picture. It lets us build a software-defined network: a single logical network that extends beyond our datacenters to the public and hybrid clouds we use in our enterprise, as long as we have some kind of Layer 3 connectivity, and that decouples the logical network from the underlying physical infrastructure.
Let’s start with a short overview of the features VMware currently provides with NSX.
NSX makes it possible to span logical networks across physical hosts and network switches using VXLAN: this overlay transport carries L2 networks over an L3 infrastructure, with the ESX hosts acting as VTEPs (VXLAN tunnel endpoints). NSX can also connect the virtual world to the physical world (VXLAN-VLAN bridging) using a supported ToR (top of rack) VTEP or a virtual bridge (provided by NSX Edge).
- Distributed Routing
Doing the routing distributed across the ESX hosts themselves allows building highly scalable logical networks and minimises the traffic that has to travel through the physical infrastructure, for example when a VM talks to a VM on another logical network but on the same host.
- Distributed Firewalling
NSX provides stateful distributed firewalling, which allows micro-segmentation of your logical networks. Every VM gets its own firewall at the hypervisor level, while the policies are managed globally. vCenter constructs (such as VM, Logical Switch and so on) can be used in the firewall ACEs, which gives you a clear picture of what you are allowing or blocking from and into your virtual infrastructure. Because the firewall sits so close to the VM, it also prevents traffic from needlessly travelling north-bound (only to be blocked on the edge firewall, for instance) and kills it at its source, where it should be killed.
- Dynamic Routing
OSPF, IS-IS and BGP can be used to connect the logical networks together and to peer with the external physical routing infrastructure.
- NSX Manager
Provides the single pane of glass for configuring all the underlying goodness, and API access for our cloud-management tooling. This component also deploys the other components needed in this architecture: the virtual appliances (NSX Controller and NSX Edge VAs) and the VMkernel modules needed on the ESX hosts (VXLAN, Logical Router and Firewall).
- NSX Controller
Provides the control plane for the logical network implementation and pushes policies, routing updates, etc. out to the data plane.
- NSX vDS
The NSX distributed virtual switch provides the data plane for the virtual networking. It is implemented as the kernel modules on the ESX host mentioned above and does the real work of moving data from A to B.
- NSX Edge
The Edge virtual appliance is used to connect the virtual logical networks to their physical counterparts (VXLAN <-> VLAN). It creates Logical Layer 2 VPNs, which extend our logical networks over any IP-connected network and so allow us to create active-active DCs, and it also provides our virtual infrastructure with L4 to L7 application services (NAT, DHCP, load balancing, VPN, FW).
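To make the VXLAN overlay from the feature overview above concrete, here is an added example (not code from the original post or from VMware) that builds and parses the 8-byte VXLAN header a VTEP puts in front of each inner Ethernet frame, carrying the 24-bit VNI that identifies the logical switch. The MAC addresses, VNI and payload are constructed sample values.

```python
import struct

VXLAN_UDP_PORT = 4789          # IANA-assigned destination UDP port for VXLAN
VXLAN_FLAG_VNI_VALID = 0x08    # the "I" flag: the VNI field carries a valid value
VXLAN_HEADER_LEN = 8           # flags(1) + reserved(3) + VNI(3) + reserved(1)

def build_ethernet(dst_mac: str, src_mac: str, ethertype: int, payload: bytes) -> bytes:
    """Build a minimal inner Ethernet frame (no FCS) from colon-separated MACs."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    return mac(dst_mac) + mac(src_mac) + struct.pack("!H", ethertype) + payload

def parse_ethernet(frame: bytes):
    """Return (dst_mac, src_mac, ethertype, payload) of an Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    fmt = lambda b: ":".join(f"{x:02x}" for x in b)
    ethertype, = struct.unpack("!H", frame[12:14])
    return fmt(frame[0:6]), fmt(frame[6:12]), ethertype, frame[14:]

def vxlan_encap(vni: int, inner_frame: bytes) -> bytes:
    """What a VTEP does on egress: prepend the VXLAN header with the 24-bit VNI.
    The result is the UDP payload sent to the remote VTEP on port 4789."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    # The VNI occupies the upper 24 bits of the last 32-bit word; the low byte is reserved.
    header = struct.pack("!B3xI", VXLAN_FLAG_VNI_VALID, vni << 8)
    return header + inner_frame

def vxlan_decap(udp_payload: bytes):
    """What a VTEP does on ingress: validate the header and return (vni, inner_frame)."""
    if len(udp_payload) < VXLAN_HEADER_LEN:
        raise ValueError("truncated VXLAN header")
    flags, word = struct.unpack("!B3xI", udp_payload[:VXLAN_HEADER_LEN])
    if not flags & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VNI-valid flag not set; drop the packet")
    return word >> 8, udp_payload[VXLAN_HEADER_LEN:]

if __name__ == "__main__":
    # Constructed sample: a frame on logical switch VNI 5001 (values made up for the demo).
    frame = build_ethernet("00:50:56:aa:bb:cc", "00:50:56:11:22:33", 0x0800, b"inner IP packet")
    encapsulated = vxlan_encap(5001, frame)
    vni, inner = vxlan_decap(encapsulated)
    print(vni, parse_ethernet(inner)[:3])
```

The outer IP/UDP headers are what the physical L3 underlay routes on; nothing in them reveals the inner MACs, which is exactly why the logical L2 network is decoupled from the physical one.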
Next up in this article series will be an article about how we implemented NSX in both our robertverdam.nl labs and whether we succeeded in stretching our ‘datacenters’ between our ‘sites’. In the meantime, please read the information below; I really think you will get just as enthusiastic about the product as we are at the moment.
More information on NSX
- Good article about must-see/must-do VMworld 2014 NSX HOL labs: http://blogs.vmware.com/networkvirtualization/2014/09/new-vmworld-2014-hands-labs-vmware-nsx-goodness.html#sf32103128
- Very good collection of links: http://vcdx133.com/2014/10/05/nsx-link-o-rama/