Microservices for Enterprises - Consistent Network & Security services for Containers and VMs
0 likes1,275 views
The document discusses the case for network virtualization in data centers, highlighting the benefits of a microsegmentation approach for enhancing security by limiting lateral movement of attacks. It outlines the integration of cloud-native technologies, such as Docker and Kubernetes, into traditional data center architectures and the need for unique IP management and security enforcement for containers. The advantages of using VMware's NSX for cloud-native applications and the unified management of VMs, bare metal, and containers across platforms are also emphasized.
Microservices for Enterprises - Consistent Network & Security services for Containers and VMs
- 1. © 2015 VMware Inc. All rights reserved. Consistent Network & Security services for Containers and VMs Guru Shetty Sai Chaitanya
- 2. The case for Network Virtualization CONFIDENTIAL 2 VM1 Traditional Data Center - Network Architecture - Layer 3 boundary – Aggregation Layer - VLANs in Access Layer and Virtual Switch Layer 3 Layer 2 vSwitch Access Switch Aggregation Switch / Router Baremetal DB
- 3. The case for Network Virtualization CONFIDENTIAL 3 Datacenter Network Tunnels (VXLAN, Geneve, STT) VM1 VM2 VM3 VM4 VM5 VM6 Drivers for Virtualized Networking - Cloud – software defined network - Multi-tenancy – with overlapping IP addresses ( typical use cases acquisitions and mergers) - Flexible and programmatic workload placement
- 4. The Case for Microsegmentation CONFIDENTIAL 4 Data center 1 Perimeter Security in a Traditional Data Center - Security configuation at Layer 3 boundary - Huge surface exposed for attack – i.e. attack can move laterally throughout the VLAN domain
- 5. The Case for Microsegmentation CONFIDENTIAL 5 Datacenter Network Tunnels (VXLAN, Geneve, STT) VM1 VM2 VM3 VM4 VM5 VM6 Security in a Modern Data Center - FW per VM or host - Limits the lateral spread of an attack - Distributed Firewall - In kernel - Line rate performance - FW context moves along with the workload FW per vNIC
- 6. Virtual Networking constructs CONFIDENTIAL 6 • Logical Switch • Logical Port • Firewall rule (ACL) • Logical Router • Logical Router Port • Distributed Loadbalancer
- 7. The intelligent edge CONFIDENTIAL 7 Hypervisor OVS Openflow OVSDB Coke Pepsi NSX/OVN CMS / Container Orchestrators
- 8. What’s new in the Data Center CONFIDENTIAL 8 R VTEP TOR L3 HypervisorHypervisor V1 V 2 C1 C 2 C 3 C 4 OVS OVSVTEP TOR L2 P1 P2 Datacenter Network (Tunnels) - Containers running in VMs - Containers running on Baremetal Servers
- 9. Design goals for Container integration CONFIDENTIAL 9 - Unique IP Address per container - No NAT based solution – complex to manage at scale - Avoid overlays on overlays - Poor Performance - Lack of visibility for troubleshooting & monitoring - Security (Firewall) enforcement per container interface - Protect other workloads from a compromised Container - Network segment that spans Baremetal, Containers and VMs - Service Chaining for Containers – e.g. IDS & Distributed Load Balancing
- 10. Docker Integration CONFIDENTIAL 10 Hypervisor OVS Datacenter Network Docker Host VM C1 C2 C3 OVS Untrusted Trusted
- 11. Docker Integration CONFIDENTIAL 11 Hypervisor OVS Datacenter Network C1 C2 C3 OVS VM OVS C4 C5 C1 C3 C4 S C2 C5 S VM R Extern al Logical Space
- 12. Docker Security CONFIDENTIAL 12 Hypervisor OVS Datacenter Network Docker Host VM C1 C2 C3 OVS Distributed Firewall
- 13. Docker OpenStack Integration CONFIDENTIAL 13 • docker network create -d openvswitch -- subnet=192.168.1.0/24 foo • docker run --net=foo --name=busybox busybox
- 14. Docker OpenStack Integration CONFIDENTIAL 14 OVS HV C 2 C 3 OV S plugin C 1 Docker Neutron OVN Nova Tenant VM
- 15. OVN – VM overlays CONFIDENTIAL 15 C1 C2 C3 C4 OVS OVS OVS Tunnels VM VM VM
- 17. Cloud Native Apps in Enterprises 17 - Cloud Native technologies will bring “web-scale” like agility and continuous delivery to the enterprise - Customers are deploying next generation apps to either PaaS platforms or Container Clusters - Customers are also refactoring existing apps using Containers and embracing Devops - NSX will integrate with PaaS and Container Orchestration platforms NSX NSX
- 18. NSX for cloud-native apps 18 Solution NSX Kubernetes Plugin NSX Docker Plugin K8 Spec Docker Compose Bare metal (Linux) and Virtual Machines (KVM & vSphere) Containers Connectivity Availability Security Enterprise-grade networking and security for cloud-native apps Enables admin to run apps on any cloud – VMware, OpenStack and Public Cloud Single platform for all apps – VM, bare metal and Containers