Cloud Data Center Network Virtualization: Fully Automated Rapid Deployment (courseware)
How to Achieve Fully Automated Rapid Deployment of Cloud Data Center Virtual Networks

Agenda
  1. Major trends and how to face current challenges
  2. NSX network virtualization fully automated deployment architecture
  3. NSX network virtualization template design
  4. Automated NSX deployment for hybrid cloud
  5. Summary
  6. Prize quiz

Every industry is undergoing digital transformation (Digital Transformation)

IT still lags behind business transformation
  • The business wants their applications now!
  • Physical network design is complex
  • Manual configuration
  • Investment exceeds return
  • Slow, restrictive, risky, inconsistent
  • Large volume of immediate application demand
  • Traditional application deployment cycles are long

Traditional application deployment cycles are long
  • Steps: spin up VM, config VLAN, config LB, config routing, create security policies
  • Time: mins versus days/weeks
  • Server, switching, routing, security, load balancing
  • Manual tasks / multiple teams
  • Can we automate and orchestrate?
  • Can we maintain the same services (LB, security)?
  • How about application mobility?
  • What about self-service IT? Multi-tenancy scale and security?

Software-defined is the only way forward for the cloud data center
  • Efficient, secure, fast
  • Rapidly deploy a secure and efficient cloud platform based on customer business and application requirements
  • Software-defined data center
  • Network virtualization is the key cornerstone
  • NSX: Logical Switch, Logical Router, Logical Firewall, Logical Load Balancer

NSX integrated network and security, fully automated deployment
  • Dynamic Configuration and Deployment of NSX Logical Services
  • On Demand Application Delivery
  • vRealize Automation (Cloud Management Platform): Resource Reservation, Blueprint, Service Catalog
  • Network Profiles, Security Policies, Security Groups
  [Diagram: Web, App and Database tiers of VMs]

NSX network and security configuration: fully automated workflow
  • NSX network virtualization configuration (network administrator):
    Initial network configuration in NSX; External Networks and Network Profiles in vRA
  • NSX security policy configuration (security administrator):
    Distributed Firewall Rules; Security Groups / Policies / Tags
  • Cloud architecture blueprint design (cloud architect):
    Blueprints include NSX Networks, Security components, Load Balancers, VMs, Apps and Cost Profile
  • Publish the blueprint design
  • One-click deployment by the user (consumer):
    End-to-end provisioning: networks, NAT rules, security and LB configured at deployment
  [Diagram labels: Network Profiles, External Networks, Security Groups, Security Policies, Security Tags, Converged Blueprints, NSX Load Balancer, Service Catalog, Publish; steps 1-6; Defines, Defines, Builds, Deploys; N Applications; One Time, Recurring]

Integrated blueprint design for network virtualization and security policy
  • Automated connectivity to existing or on-demand networks
  • Automated security policy enforcement through NSX security policies, groups and tags
  • On-demand dedicated NSX load balancer
  • Parent component only, not application-level
  • NSX Integration for Blueprint Authoring & Deployment
  • Visual template design with mouse drag-and-drop

Multi-tier application network topologies
  • Multi-Tier App, Multiple Networks
  • Multi-Tier App, Single Flat Network
  [Diagram: Web, App and Database tiers of VMs]

Automated deployment model: pre-created
  • 2 Tiers of Routing
  • Distributed Logical Router for Application Router
  • NSX Edge for Provider Router
  • Dynamic Routing
  • Use existing LS as external network profiles
  • One Arm Load Balancing on demand
  • Pre-Created model is typically used with Production or more static workloads and the application topology is multi-tier on a single network
  [Diagram labels: External Networks; Dynamic Routing (OSPF, BGP) with ECMP; Scale Out Provider Logical Router; Transit Uplink /24 (External Network Profile); Distributed Logical Router; Prod-01 Logical Switch; Dev-01 Logical Switch; LB; App 1 VMs, App 2 VMs, App 3 VMs, App 4 VMs; Prod Web/App/DB SG A and SG B; Dev Web/App/DB SG A and SG B; /24 (External Network)]

Automated deployment model: on-demand
  • 2 Tiers of Routing
  • Distributed Logical Router for Application Router
  • NSX Edge for Provider Router
  • Dynamic Routing externally
  • Dynamic Routing (DLR), NAT internally (Edge)
  • On Demand Model is typically used for more dynamic Test/Dev style workloads, particularly when there is a requirement for overlapping IP addresses
  [Diagram labels: External Networks; Dynamic Routing (OSPF, BGP) with ECMP; Provider Logical Router; Transit Uplink /24 (External Network Profile); Distributed Logical Router; App 1 Routed: Web Logical Switch (Routed), App LS (Routed), DB Logical Switch (Routed), /29/296/29; App 2 NAT: Web Logical Switch (NAT), App LS (NAT), DB LS (NAT), /24/24/24; App 3 NAT: Web Logical Switch (NAT), App LS (NAT), DB LS (NAT), /24/24/24]

Automated deployment of security policies
  • End-Users and Cloud Admins are able to select pre-defined security policies already approved by the Security Admin in NSX
  • Security policies are applied to one or more security groups where workloads are members
  • These security groups are created on-demand by vRA at deployment time
  • Users can also select pre-defined security groups both at Reservation and at blueprint levels
  • SECURITY GROUP (WHAT you want to protect): Members (VM, vNIC) and Context (user identity, security posture)
  • SECURITY POLICY (HOW you want to protect it): Services (Firewall, antivirus, IPS etc.) and Profiles (labels representing specific policies)
  • Example policy "Standard Web": Firewall: allow inbound HTTP/S, allow outbound ANY; IPS: prevent DOS attacks, enforce acceptable use

Application isolation in multi-tenant environments
  • Application Isolation provides an optional first level of security. When selected, all inbound and outbound application access is blocked, while inter application traffic is permitted
  • Component level Security Policies are applied at a higher precedence to permit selected traffic
  • Each tenant environment can reuse the same IP addresses
  [Diagram: two deployments, each with Web, App and Database tiers of VMs]

Automated load balancing design
  • One-Arm Load Balancing and Inline Load Balancing
  • vRA leverages NSX for both on-demand and pre-created Logical Load Balancing
  • If an NSX Edge is the default gateway for component VMs, Inline Load Balancing is used
  • If the component VMs are connected to a network using the Distributed Logical Router or an External Network, then Load Balancing is configured for One-Arm mode
  [Diagram labels: Web, App, Database tiers of VMs; Application Level NSX Edge; External Gateway; Distributed Logical Router]

Network template design (Network Profile Design)
  • Network Profiles define how new VMs are connected to the network
  • Allow consumption of existing networks or creation of new VXLAN Logical Switches
  • Multiple types of Network Profiles are available in vRA 7: External, Routed, NAT (1:1 and 1:Many)
  • Multiple types of Network Profiles can be used within the same blueprint, for example:
    VMs deployed on NAT networks, but Load Balancer VIP on the external network
    1:1 NAT for Web tier and 1:Many NAT for App and DB tiers
    Some VMs deployed on NAT or routed networks, others on an external network
  • However, Routed and NAT Network Profiles cannot be combined in the same blueprint

External network template (External Network Profiles)
  • Used for pre-created networks (either VLANs or Logical Switches)
  • Can be used with all Blueprint types (Single- and Multi-Machine in vRA 6.2, Converged in 7.0)
  • One-Arm Load Balancer and Security Groups/Policies/Tags and App Isolation are supported
  • Is the only type of Network Profile supported with vRA+SRM integration
  • Multiple deployments will share the same networks
  • VMs, ESG LB and App Isolation SG are created on demand
  • Allows efficient management of IP allocation by sharing a common network across deployments
  [Diagram labels: Existing ESG, DLR or physical; Existing VLAN or Logical Switch; Web SG, App SG, DB SG; App 1 One-Arm LB; App Isolation SG (App 1); App 2 One-Arm LB; App Isolation SG (App 2)]

Routed network template (Routed Network Profile)
  • Routed NPs enable On-Demand network creation
  • Logical Switches are created during Blueprint deployments:
    Logical Switches are attached to an existing DLR
    DLR uplinked to existing Edges (HA and ECMP mode supported)
  • Each Logical Switch has a unique subnet range, carved out from a pool
  • One-Arm Load Balancer and Security Groups/Policies/Tags and App Isolation are supported
  • DHCP on ESG is not supported on Routed NPs
  [Diagram labels: Web SG, App SG, DB SG; Web L.S., App L.S., DB L.S.; App Isolation SG; Transit L.S.; Provider NSX Edges (HA or ECMP); DLR; One-Arm LB]

1:1 network address translation network template (1:1 NAT Network Profiles)
  • 1:1 NAT NPs enable On-Demand network creation
  • The following network components are created during deployment:
    A dedicated ESG is created for each deployment
    Logical Switches are created and attached to the ESG
  • Logical Switches use the same overlapping addressing space across different deployments
  • Only Inline Load Balancing is supported with NAT profiles
  • Security Groups/Policies/Tags can be used to limit access to VMs only on specific services
  [Diagram labels: Web SG, App SG, DB SG; Web L.S., App L.S., DB L.S.; Transit L.S.; Provider NSX Edge (HA only); On-Demand NSX Edge (1:1 NAT + Inline LB); App Isolation SG]

  • 1:Many NAT NPs enable On-Demand network creation
  • Only Inline Load Balancing is supported with NAT profiles
  • Only 1 IP address used from the External NP for each network
  • SNAT rule is configured to allow VMs to communicate externally
  • NAT rules are applied only on the ESG uplink interface (no NAT between internal networks within a deployment)
  • ESG FW is configured to allow intra-app traffic and outgoing access
  • VMs can be reached from outside via a Load Balancer VIP only
  • If Load Balancing is configured, a separate IP from the external network is used on the ESG
  • DHCP on ESG is supported on 1:Many NAT NPs
  [Diagram labels: Web SG, DB SG, App SG; Web L.S., App L.S., DB L.S.; Tr
