2. Growing NSX Momentum
A rapid journey of customer adoption across industries
1700+ Customers
8 out of VMware’s top 10 deals in Q216 included NSX
100% YoY growth
Consistent year-to-year Q216
CONFIDENTIAL
3. NSX customer use cases
Security (inherently secure infrastructure): Micro-segmentation, DMZ anywhere, Secure end user
Automation (IT at the speed of business): IT automating IT, Multi-tenant infrastructure, Developer cloud
Application continuity (data center anywhere): Disaster recovery, Cross cloud, Multi data center pooling
4. Disclaimer
• This presentation may contain product features that are currently under development.
• This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.
• Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.
• Technical feasibility and market demand will affect final delivery.
• Pricing and packaging for any new technologies or features discussed or presented have not been determined.
5. Agenda
1 Set the Scene
2 Firewall / Security Services
3 Load Balancing Services
4 VPN Services
5 Key Takeaways
6 Q & A
6. What is NSX's overall goal?
• The goal of NSX is to reproduce all Network and Security services in logical space:
– Switching
– DHCP Server or Relay, DNS
– Routing / NAT: distributed or centralized
– Firewall: distributed or centralized
– Load Balancing: Inline or OneArm
– L2 & L3 VPN: L2VPN, Site to Site, SSL VPN
[Diagram: Application XYZ made up of WEB, APP and DB VMs]
7. Why services in logical space are key!
• Services in logical space (hypervisor) versus "appliances" bring the following benefits:
– Speed
• Faster to deploy
– Agility
• Networks can be placed anywhere in your data center
– Security
• Deeper security with micro-segmentation
– Performance
• Power of distribution
– Management and Troubleshooting
• Central Management and Visibility of the entire Network & Security stack
• Backup/Restore/Upgrade
• Advanced tools like Traceflow (simulates specific traffic and highlights whether it is dropped in logical or physical space)
8. Let's focus now on the Advanced Network & Security Services
10. Firewall / Security Services
i. NSX Security Services
ii. Benefits
iii. Performance
iv. What's New
v. Integration with 3rd party services
More info on Security in VMworld 2016 session:
SEC7836R - Introduction to Security with VMware NSX
11. What do we offer?
Native NSX Security Services: Intra-Subnet Security, Security Attached to the VM, Stateful L4 Firewall
Enhanced Security Services with 3rd party eco-system: L7 Firewall, Agentless Anti-Virus, Malware Protection, IPS/IDS
13. Security with NSX
Pros: Distributed, High Performance
• Unified configuration for central and distributed firewalling
• Hypervisor-based, in-kernel distributed firewalling
• Independent of transport network
– VXLAN or VLAN
• Policy independent of location
Micro-segmentation: Security between VMs in the same subnet
[Diagram: logical switches Web-LS1 and App-LS1]
14. Firewall – Configuration
• L2 MAC addresses and L3 IP addresses can be used
• In addition, any vCenter and NSX object names can be used
• Port numbers and protocol names
Note: ALG (Application-Level Gateway) support for TFTP, FTP, CIFS, ORACLE TNS, MS-RPC, and SUNRPC
Objects: Virtual Machine, Datacenter, Cluster, Distributed Portgroup, Logical Switch, …
IP: Subnets, IP Range
Pros: Easy / Fast Learning Curve; Simplicity, Ease-of-use
15. Service Composer
Security Policy (HOW you want to protect)
• Rule types: Distributed Firewall Rules, Guest Introspection Rules, Network Introspection Rules
• Services: Anti-Malware / Anti-Virus, Data Security, Vulnerability Management, File Integrity Monitoring, L3 / L4 Firewall Rules, IDS / IPS Services, Firewall Services (L7)
Security Group (WHAT you want to protect)
• Membership: Dynamic Inclusion, Static Inclusion, Static Exclusion
• VM-Centric, Infrastructure-Centric
Pros: Agility, Service Compliance
17. Firewalling/Security – Performance
The Power of Distribution
20Gbps Per Host of Firewall Performance with Negligible CPU Impact
PERFORMANCE TEST SCENARIO (Throughput Measurement)
• Two Hypervisors with two VMs each
• Two 10G Physical NICs per server
• VM1 talks to VM3 & VM2 talks to VM4
[Diagram: VM1, VM2, VM3 and VM4 on 10G links to a 10G Switch]
Check the NSX Performance Deep Dive (NET8030) session to learn more about NSX performance
19. Security with NSX – What’s New?
• Enhanced security: SYN Flood Protection
• Serviceability Improvements: TFTP ALG
• Increased Application Visibility: Copy Packet Support for Network Introspection
• Simplified Operations & Troubleshooting: Distributed Firewall Granular Rule Filtering
• Increased Compatibility: Windows 10 support for Guest Introspection
21. Advanced Firewall Integration with Partners
NSX is the platform for integrating advanced security services.
Partner service categories: Next-Generation Firewall, Next-generation IPS, Malware Protection, Vulnerability Management
22. Demo – Distributed Firewall
[Diagram: logical switches Web-LS1, App-LS1 and DB-LS1; security groups SG-WEB, SG-APP and SG-DB; SSH access]

Source | Destination | Service | Action
Any | SG - Web | HTTP | Allow
SG - Web | SG - App | HTTP | Allow
SG - App | SG - DB | MySQL | Allow
Any | Any | Any | Block

Source | Destination | Service | Action
Admin-Laptop | Cluster A | SSH | Allow
Any | SG - Web | HTTP | Allow
SG - Web | SG - App | HTTP | Allow
SG - App | SG - DB | MySQL | Allow
Any | Any | Any | Block
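The two rule tables from the demo slide, evaluated top-down with first-match semantics, as an added example (not part of the original deck and not VMware code). The VM names, the group and cluster membership, and the deny-on-no-match default are assumptions made for illustration.

```python
# Added example: first-match evaluation of the demo slide's rule tables.
# Group/cluster membership below is constructed for illustration.
MEMBERSHIP = {
    "web-01": {"SG - Web", "Cluster A"},
    "web-02": {"SG - Web", "Cluster A"},
    "app-01": {"SG - App", "Cluster A"},
    "db-01": {"SG - DB", "Cluster A"},
    "Admin-Laptop": set(),   # outside the cluster, matched by name
    "client": set(),         # arbitrary external source
}

# (source, destination, service, action), copied from the slide's first table
BASE_RULES = [
    ("Any", "SG - Web", "HTTP", "Allow"),
    ("SG - Web", "SG - App", "HTTP", "Allow"),
    ("SG - App", "SG - DB", "MySQL", "Allow"),
    ("Any", "Any", "Any", "Block"),
]
# Second table: the same rules with the admin SSH rule placed on top
ADMIN_RULES = [("Admin-Laptop", "Cluster A", "SSH", "Allow")] + BASE_RULES


def field_matches(field, endpoint):
    """A rule field matches Any, the endpoint's name, or a container holding it."""
    return field == "Any" or field == endpoint or field in MEMBERSHIP.get(endpoint, set())


def evaluate(rules, src, dst, service):
    """Return (action, 1-based rule number) of the first matching rule, top-down."""
    for number, (r_src, r_dst, r_svc, action) in enumerate(rules, start=1):
        if (field_matches(r_src, src) and field_matches(r_dst, dst)
                and r_svc in ("Any", service)):
            return action, number
    return "Block", None  # assumption: deny when no rule matches


if __name__ == "__main__":
    flows = [
        ("client", "web-01", "HTTP"),        # north-south into the web tier
        ("web-01", "web-02", "SSH"),         # same logical switch, same subnet
        ("web-01", "db-01", "MySQL"),        # tier skipping
        ("Admin-Laptop", "db-01", "SSH"),    # admin access
    ]
    for flow in flows:
        print(flow, evaluate(BASE_RULES, *flow), evaluate(ADMIN_RULES, *flow))
```

SSH between two web VMs on the same logical switch falls through to the final Block rule in both tables, while HTTP between them is still permitted by the "Any to SG - Web" rule, which is worth tightening if east-west web traffic is not required.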
24. Load Balancing Services
i. NSX Load Balancing Services
ii. Benefits
iii. Performance
iv. What's New
v. Integration with 3rd party services
More info on LB in VMworld 2016 session:
NET9029 - NSX Logical Load Balancing: From Basics to Fine Art
25. NSX Load Balancing Services
• From Basic Load Balancing
– Offers scale up of any UDP/TCP applications
– Offers high-availability of applications
27. NSX Load Balancing Services
• To Advanced Load Balancing
– Multiple SSL options
• SSL Offload
• SSL Passthrough
• SSL End-to-End
SSL Offload (External Networks --https--> Edge Service Router --http--> servers):
• Edge terminates client HTTPS (SSL sessions)
• Edge load balances the clients on HTTP to the servers
Note: L7 Application Rules can be applied.
SSL Passthrough (External Networks --https--> Edge Service Router --https--> servers):
• Edge does NOT terminate client HTTPS (SSL sessions)
• Edge load balances TCP sessions to the servers
Note: Client SSL sessions are terminated on the servers (not the Edge).
Note 2: L7 Application Rules can NOT be applied.
SSL End-to-End (External Networks --https--> Edge Service Router --https--> servers):
• Edge terminates client HTTPS (SSL sessions)
• Edge load balances the clients on NEW HTTPS to the servers
Note: L7 Application Rules can be applied.
29. Benefits
• NSX offers that service with the following benefits
– Same place to configure all needed Networks & Security services
– Very simple learning curve
• Create a Pool, Healthchecks, VIP
– Simpler configuration
• Ability to use NSX and vCenter objects
– Cost-effective
33. What’s New?
• Increase number of supported LB applications: LB Port Range
• Increase the number of VIP per logical load balancers: Up to 1024 Virtual IP
• Increase security: Support of FIPS
• Distributed Load Balancing (Tech Preview)
34. Goal of Distributed Load Balancing
• Goal
– Offer a very scalable and distributed load balancing service
– Optimized packet flow
[Diagram, Logical View and Classical View: Load Balancer with .1 addresses; VMs web-01, web-02, app-01, app-02, db-01; Web-Tier-01 10.0.1.0/24, App-Tier-01 10.0.2.0/24, DB-Tier-01 10.0.3.0/24]
35. Goal of Distributed Load Balancing
• Goal
– Offer a very scalable and distributed load balancing service
– Optimized packet flow
[Diagram, Logical View and View Option2: Load Balancer with .1 addresses; VMs web-01, web-02, app-01, app-02, db-01; Web-Tier-01 10.0.1.0/24, App-Tier-01 10.0.2.0/24, DB-Tier-01 10.0.3.0/24; Service-Group_Web and Service-Group_App]
38. Enhancements with 3rd party LB vendors
• Why support 3rd party LB vendors?
– Customers want to move to Network Virtualization in baby steps
– Customers have a specific load balancing requirement not currently supported by NSX LB
40. VPN Site-to-Site (IPSEC)
[Diagram: CORPORATE NETWORK (CRM, FILE SERVER) connected by VPN to ROBO and PARTNER]
Pros
• Interoperability
• Cost-effective
• Hardware independent, Software-only solution
Features
• Interoperable IPsec tested with major vendors
• AES-NI H/W Offload
• ESP Tunnel Mode, NAT Traversal, Dead Peer Detection
Use Cases
• Connect different entities (ROBO, etc.)
• Cloud to Corporate
41. L2VPN
SSL Secured L2 Extensions over any IP network
[Diagram: CORPORATE NETWORK (172.16.10.0/24, 172.16.20.0/24) connected by VPN to CLOUD, with L2 EXTENSIONS of 172.16.10.0/24 and 172.16.20.0/24]
Pros
• Cost-effective
• Hardware independent, Software-only solution
Features
• No specialized hardware required
• Independent of vCenter Server boundaries
Use Cases
• Brownfield NSX deployments
• Data Center Migrations
• Cloud Bursting & Onboarding
42. NSX User Access VPN (SSL-VPN)
[Diagram: VPN connections to the CORPORATE NETWORK (CRM, FILE SERVER)]
Pros
• Secure & Cost-Effective Remote User Access over HTTPS
• Flexible, Software-only Solution
• Hardware independent
Features
• Client based & Web based Access Mode
• Support for Major OS (Windows, Mac OS, Linux)
• Multiple Authentication Options (AD, Radius, LDAP, RSA)
• AES-NI Acceleration (Hardware Offload)
• Configuration via UI and API
Use Cases
• Access to servers running in private environment over VPN.
• Remote access for administrators
44. Key Takeaways
NSX reproduces all Network and Security services of Data Centers.
All services are available in logical space for best speed, agility and deeper security.
(Almost) all NSX services are available in distributed mode for massive scale.
A rich eco-system is available to enhance native services with partners.
45. Find Out More
• Hands on Labs:
– HOL-SDC-1603 – VMware NSX Introduction
– HOL-SDC-1625 – VMware NSX Advanced
– HOL-PRT-1672 – Deploying Palo Alto Networks Next-Generation Security Platform with VMware NSX
• Other Sessions
– Security: “Introduction to Security with VMware NSX”, [SEC7836R] / “Deploying Security in a Brownfield Environment”, [SEC8348]
– Load Balancing: “NSX Logical Load Balancing: From Basics to Fine Art”, [NET9029]
– Automation: “How to Easily Become a Cool Automation NSX Cloud Network Engineer”, [NET7701]
• VMware Communities NSX:
– https://communities.vmware.com/community/vmtn/nsx
48. NSX partner ecosystem
Physical Infrastructure
Security
Application Delivery
Operations and Visibility
DYNAMIC INSERTION OF PARTNER SERVICES
49. Where to get started
Learn
• Connect & Engage: communities.vmware.com
• NSX Product Page & Technical Resources: vmware.com/products/nsx
• Network Virtualization Blog: blogs.vmware.com/networkvirtualization
• VMware NSX on YouTube: youtube.com/user/vmwarensx
Experience
• 70+ Unique NSX Sessions: Spotlights, breakouts, quick talks & group discussions
• Visit the VMware Booth: Use case demos, chat with NSX experts
• Visit NSX Technical Partner Booths: Integration demos – EPSec & NetX, Hardware VTEP, Ops & Visibility
• Test Drive NSX with free Hands-on Labs: Expert-led or Self-paced. labs.hol.vmware.com
Use
• NSX Proactive Support Service: Optimize performance based on data monitoring and analytics to help resolve problems, mitigate risk and improve operational efficiency. vmware.com/consulting
Take
• Training and Certification: Several paths to professional certifications. Learn more at the Education & Certification Lounge. vmware.com/go/nsxtraining