So let’s talk network virtualization. Most of the cloud installations that I have accompanied in recent years in my position as architect and project manager only really heated up as they approached the finishing line, and the cause was always the same: the classic network components! Yes, that’s right: the world of Cisco routers, Palo Alto firewalls and Sophos UTMs. I believe that using VMware NSX is key to a successful transformation into a dynamic data center. I will explain why, in my book, it is the way to go.
An article by Thomas Rupp, Principal Consultant
Network virtualization: a special case
It doesn’t matter whether it’s Citrix, VMware or Microsoft Cloud. Quite frequently you’ll hear: “We haven’t installed a DHCP in that network” or: “Wait up, there’s still a firewall in there” and “Don’t ask me who has access to this router.” The “complete registration of all systems involved” can sometimes resemble a personal quest for utopia, especially in enterprise environments. Many of the projects will be so protracted that other activities – for instance the implementation of a new firewall or the replacement of a hardware router – will be prioritized somewhere along the line.
All of a sudden one might encounter a network path that until yesterday had been open, and now is blocked by a firewall or has disappeared entirely because new hardware changed or wiped the routing completely. This can be a real problem, especially where traditional network operations are concerned. “Networkers” are a special breed in almost all companies. In some cases they may even be under separate management. So a quick, pragmatic solution might not be immediately evident or even wanted, as these systems form the basis for the entire IT infrastructure. Quick fixes would be fatal here!
So how is it possible to create a modern cloud data center with dynamic load and resource distribution? Of course it will need backup systems at a number of locations, and it might even require various computing systems on other convergent setups. Therefore, a network virtualization solution should always be considered. VMware NSX can be key to the successful transformation into a dynamic data center.
VMware NSX technologies virtualize the network topology within the data center (i.e. network virtualization), making this aspect the next logical step following hardware virtualization in the areas of servers and storage. This kind of development is called Software Defined Networking (SDN).
A brief technological detour
Classic data centers are autonomous network systems that need to be installed and managed independently of the provisioning of computing and storage resources. Network connections are managed via switches, while routers link logical network segments and firewalls protect the flow of data between systems (external and internal).
The existing systems need to be registered and configured when additional components are installed, for instance a new SAP solution or a terminal server farm. The relevant ports are then opened in the firewalls. In most cases the firewalls only face outward, toward the perimeter, as the effort involved in installing and configuring them between the infrastructure systems themselves would otherwise be too high. This aspect is shown under Traditional Data Centers in Figure 1. It would be entirely misleading to call this kind of data center architecture dynamic. But it can be made dynamic. VMware NSX is used to create a largely virtualized network infrastructure. Figure 1 again shows the comparison, this time under VMware NSX Data Center.
Software routers replace the hardware routers, while hardware firewalls also make way for their software counterparts. None of this is actually new, but now these software components are fully integrated. New, distributed workloads can be provided directly with routing information and firewall rules, which helps to save time and hardware.
From then on, the switch infrastructure is only needed to establish a physical connection to the systems. Routing takes place within the virtualized infrastructure, and the data center itself no longer requires hardware routers. Dedicated firewall systems can also be tied in with the respective workloads, therefore protecting all systems, even inside the data center.
Fig. 1: Software defined networking with VMware NSX (Source: VMware)
Micro-segmenting with VMware
Naturally, it is not necessary to immediately remove all routers, switches or firewalls from the data center and summarily dismiss half the networking team. What it comes down to here is that with network virtualization the deployment, change and terminate processes are cut from days to minutes. DHCP, VPN, routing, load balancing and firewall services are just a few of the features that in future will be virtualized, operated directly as parts of the workload and provided within an automated setting.
A practical example
The plan is to provide highly available terminal server systems within a data center connected via VPN. The systems will include personal data, which means of course that they will need effective protection behind a firewall. This kind of project means a huge amount of effort simply within the network team.
VMware NSX can be used to create a workload comprising ten virtual machines provided within a highly available setting, thanks to a software load balancer. It will have a configured VPN tunnel access in a dedicated subnet. What’s more, all systems will be protected behind firewalls, which can be tied in with an anti-virus solution to ensure that compromised systems are isolated directly and automatically!
Fig. 2: Simplified model of network virtualization using VMware NSX (Source: VMware)
It goes without saying that it would be virtually impossible to do justice to an extremely complex topic such as network virtualization in just one article. But operators of larger data centers in particular will understand the problems associated with a dynamic center involving traditional, active network components.
Unfortunately, an active Microsoft Windows firewall that is supplied with policies and is completely configured on the server systems will be insufficient in this instance, as the available features are simply too rudimentary.
A modern cloud data center will not manage without cutting-edge technologies in respect to its network components. In VMware NSX, the vendor has released a key technology that currently ranges among the market leaders in network virtualization. The solution supports heterogeneous environments and can be combined with the entire scope of virtualization technologies: VMware vSphere, Microsoft Hyper-V, Citrix XenServer etc.
What's more, VMware maintains a large ecosystem of strategic partners, ensuring that the current NSX features are expanded: Palo Alto Firewall, Redhat, Trend Micro, Juniper, Riverbed, f5, RSA … to name just a few. For instance, Trend Micro provides the option of automatically isolating a compromised system within a quarantine environment, where it is cleaned and then re-integrated within the network. This feature is particularly interesting for VDA solutions.
The Trend Micro feature “Virtual Patching” is another area of use. Its purpose is to add security features that block exposed vulnerabilities when Windows operating systems are still needed but can no longer be supported or patched. Naturally, this eases strain on the purse strings by cutting back on cash that would otherwise be invested in costly “Extended Support” contracts, for instance for a current Windows 2003 server. Riverbed and Palo Alto provide interfaces with which VMware NSX can automatically modify physical firewalls and load balancers, a particularly attractive solution for physical DMZ firewall systems.
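To make the practical example above and the automatic quarantine concrete, here is an added conceptual model (not VMware’s code and not the NSX API) of how a distributed, tag-based firewall behaves: rules are written against security groups resolved from VM tags, every VM is filtered individually (so east-west traffic between two terminal servers is denied by default), and tagging a VM as compromised changes its effective rules without editing any rule. The group names, tags, VM names and ports are constructed for this illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class VM:
    name: str
    tags: set = field(default_factory=set)   # security-group membership is derived from tags

@dataclass
class Rule:
    src: str            # security group name, or "any"
    dst: str            # security group name, or "any"
    port: Optional[int] # None matches any port
    action: str         # "allow" or "deny"

def members(vms: List[VM], group: str) -> set:
    """Resolve a security group dynamically from the current VM tags."""
    if group == "any":
        return {vm.name for vm in vms}
    return {vm.name for vm in vms if group in vm.tags}

def evaluate(vms: List[VM], rules: List[Rule], src: str, dst: str, port: int) -> str:
    """First matching rule wins. The rule set is enforced per VM, so the
    default for anything not explicitly allowed (east-west included) is deny."""
    for r in rules:
        if src in members(vms, r.src) and dst in members(vms, r.dst) and r.port in (None, port):
            return r.action
    return "deny"

def quarantine(vms: List[VM], name: str) -> None:
    """What an AV integration would do on detection: tag the VM, nothing else."""
    for vm in vms:
        if vm.name == name:
            vm.tags.add("quarantine")

def build_demo():
    """Constructed policy for the terminal-server workload described in the article."""
    vms = [VM("vpn-client", {"vpn"}), VM("ts-01", {"ts"}),
           VM("ts-02", {"ts"}), VM("db-01", {"db"})]
    rules = [
        Rule("quarantine", "any", None, "deny"),   # isolated VMs may not talk to anyone
        Rule("any", "quarantine", None, "deny"),   # and nobody may talk to them
        Rule("vpn", "ts", 3389, "allow"),          # remote users reach the terminal servers
        Rule("ts", "db", 1433, "allow"),           # terminal servers reach the database
    ]
    return vms, rules
```

Note that `ts-01` to `ts-02` on 3389 is denied even though both sit in the same subnet, which is the micro-segmentation effect a perimeter-only firewall cannot provide.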
The key functions of VMware NSX
- Logical Switching: Reproduction of the complete L2 and L3 switching functions in a virtual environment, independent of the underlying hardware
- VMware NSX Gateway: L2 gateway for seamless connections with physical workloads and older VLANs
- Logical Routing: Routing between logical switches that enables dynamic routing between a number of virtual networks
- Logical Firewall: Distributed firewall; kernel-activated, optimized performance, virtualization and identity-based, with activity monitoring
- Logical Load Balancing: Fully functional load balancing and SSL termination
- Logical VPN: Site-to-site VPN and remote access VPN as software
- VMware NSX API: RESTful API for integration into any cloud management platform
About the author
As Principal Consultant / Architect at COMPAREX, Thomas Rupp is responsible for strategies and concepts in virtualization and cloud solutions.
He is a recognized expert in the products of the strategic market leaders in this segment. In addition, he manages and controls progress within complex customer projects as the dedicated project manager. Initially in charge of an individual expert team specialized in technological issues, Thomas Rupp has looked after the strategies for all major American players in the area of cloud and data center computing since the start of 2016. Describing his personal motivation, he says: “Unlike individual vendors, COMPAREX can provide customers with a perfectly tailored solution to meet precise requirements.”
COMPAREX expert Thomas Rupp recommends network virtualization platform VMware NSX
Thomas Rupp acquired the qualifications for his current position by completing a Chamber of Industry and Commerce apprenticeship as an IT specialist before going on to obtain vendor certifications. He has been a member of the COMPAREX family since the start of 2013 and has many years of expertise in the virtualization market and the data center segment. In addition, he is deeply involved in the control of complex data center and cloud projects, an area in which he has completed training and certification according to the benchmark industry standard.