
NSX Cloud: The Power of Combining Policy and Availability

I mentioned in my previous post that one of the things that struck me at this year’s Future:NET, in part because of how powerfully and simply it was stated, is that networks are all about policy and availability. Note that this is different from the split between connectivity and security, because routing policy isn’t always about security, and availability has to be about more than just connectivity. We covered the policy part in some detail in that last post, but what happens when you combine the two? What is the result of having a single policy, available everywhere you operate?

VMware and the Cloud

Before we dig in, it’s worth examining the difference in VMware’s expanding cloud offerings. One thing that has been most impressive about VMware in recent years is their embrace of “the cloud” and the many products and services they have introduced to power modern enterprise cloud approaches. Of course, the problem with a broad portfolio of products and solutions is the potential for confusion. Let’s start with a quick overview of what’s available today.

VMware Cloud

Probably the most famous VMware cloud service is, perhaps obviously, VMware Cloud, more accurately referred to as VMware Cloud Foundation. They call this product and service suite “the simplest path to hybrid cloud.” And that’s hard to argue with. Many enterprises already use VMware, specifically vSphere, vCenter, and ESX. These products, along with vSAN, vRealize, and NSX, make up the VMware Software-Defined Data Center (SDDC) and many enterprise IT folks are very familiar with the benefits of building a private cloud with (at least some of) these tools.

It’s worth remembering at this point that “cloud” is a consumption model, not a specific place. Whether you are consuming technology infrastructure resources from bare metal on-premises, as a service in a “public cloud,” somewhere in between, or as a combination of the former, what we are really seeking is the ability to easily automate deployment, provisioning, and lifecycle management. In today’s world of digital transformation, growing security threats, increasing demands to do more with less, expanding regulation, and an ever-quickening pace of change, what all of us IT pros are hunting for is a true IT as a service (ITaaS) methodology.

VMware Cloud Foundation answers that call by accelerating time to market and speeding up application provisioning, while de-risking deployment and lowering overall TCO. It does this by leveraging an integrated stack with a standardized architecture that provides both automated lifecycle management and a simple path to hybrid cloud and even multi-cloud deployments.

That last point is worth digging into a bit. Multi-cloud has become something of an industry buzzword, but in many cases, it’s nothing more than a pipe dream or an empty promise. VMware offers deployment options that can make true multi-cloud operations a reality. You can deploy VMware Cloud Foundation yourself on compatible hardware. You can purchase hardware with Cloud Foundation pre-installed from Dell EMC, Fujitsu, Hitachi Vantara, and QCT. And/or you can get VMware Cloud as a service – the headline offering, of course, is VMware Cloud on AWS, but there are many VMware Cloud Providers, such as IBM Cloud, Rackspace, Fujitsu K5, CenturyLink, OVH, and NTT.

No matter how you deploy it, VMware Cloud Foundation provides many features, capabilities, and benefits, not the least of which is consistency; a consistent operational model, consistent tools, consistent processes, and the ability to apply a consistent set of policies – available everywhere you operate.

vCloud Director

I would be remiss not to also mention vCloud Director. This, in some ways, is the other side of the coin. While VMware Cloud allows end-users to deploy a consistent enterprise-grade cloud across locations and providers, vCloud Director is the service delivery platform that allows cloud service providers to offer a VMware-powered cloud service offering to those enterprises (and other) IT teams.

While the list of features and benefits provided by vCloud Director is both long and noteworthy, our focus today is on end-users and enterprises, so I’ll simply encourage cloud service providers out there to check it out for themselves.

Oh, and don’t forget about vCloud NFV, the network function virtualization (NFV) platform for communication service providers, like ISPs and Telcos.

NSX Cloud

The above is just scratching the surface of VMware’s products and services and doesn’t even cover their cloud-specific offerings in any detail. Hopefully, it highlights some of the ways that VMware is making public, private, hybrid, and multi-cloud deployments more enterprise-ready. And beyond that, I hope it provides a good baseline for us to understand the primary topic of this post: NSX Cloud. While NSX is a key component of all flavors of the VMware SDDC, NSX Cloud is itself a distinct and separate offering.

To put it simply, NSX Cloud answers the question: What if I love (or am stuck with) native public cloud workloads and services, but still want the benefits of consistent network and security policy, available across all of my workloads, regardless of where they live?


At this point, hybrid and multi-cloud deployments are unavoidable. Many of us are dealing with the realities of making this work today, and the rest of us know that it is just a matter of time. There are plenty of studies and statistics that show this. But even just the hallway banter at conferences like Future:NET makes it abundantly clear that this eventuality is on everyone’s mind. We need the freedom to capitalize on the various things that each cloud provider does best, and the freedom to place workloads where it makes the most sense, without restriction. And while doing this we need to recognize that the network remains the most foundational layer of our technology infrastructure.

No matter where our workloads live, they have to be able to communicate. They must communicate with each other, and also with our employees, customers, and partners – wherever they may reside. And, as you might have guessed, simple connectivity is not enough for this communication to be effective. We need both availability and policy from our network. This is true for on-premises networks and it remains true as we stretch these networks across hybrid cloud and multi-cloud deployments.

Enter NSX Cloud.

At its core, NSX Cloud provides consistent network and security controls, everywhere. In other words, it delivers on that promise I hinted at above; a single policy, available everywhere you operate. This is right in line with VMware’s promise to “Empower people to access any app on any device, from any cloud, with intrinsic security ‘architected in’ across every layer.”

A Single Policy, Available Everywhere

As the DevOps movement has swept through IT teams the world over, we’ve become comfortable with the need to break down silos. In general, when we think of silos, we think of team structure and opening up communication between various teams and people with different functional roles. But technology silos are just as dangerous. In fact, that’s one of the key challenges of operating a hybrid or multi-cloud infrastructure. This is especially true for the networks that are so fundamental to our operations.

By their very nature, different public cloud operators offer different network and security constructs. This isn’t a shortcoming of any one public cloud. It’s simply a reality of various companies and teams of developers responding to the needs of their customers in different ways. The problem is that when you are trying to tie together your on-premises private cloud and one or more public clouds, these differences create network and security silos: areas where the functionality, the tools, the features, and ultimately the policies are inherently different.

Since its introduction, NSX Cloud has been breaking down these silos with common and consistent methods for connecting and securing all of your workloads, regardless of where they reside – and even as they move in the future.

What’s New? Bimodal Cloud Policy Enforcement

Bimodal? This term is perhaps not as overused as ‘cloud’ these days, but it does have a concrete and simple meaning: Two modes. In this case, we’re talking about two different modes of making a single policy available across your hybrid or multi-cloud infrastructure.

The mode that we’ve had from the beginning is “NSX Enforced Mode.” This mode remains the most powerful, in my opinion. That’s because it provides NSX policies, enforced with NSX tools, to all of your workloads – regardless of what cloud they reside in. This is particularly powerful because it surpasses any limitations of the individual cloud provider’s policies. The only limitation is that an agent is required on each workload. In many scenarios, this is not an issue, but in some cases it’s simply not possible, and in the past that was a real limitation for some.

New with NSX-T version 2.5 is the second mode: “Native Cloud Enforced Mode.” This mode also provides a common policy framework across clouds, but it does this by leveraging the native security policies available in each specific cloud provider. In this way, the need for NSX tools and agents is removed. Of course, the trade-off is that your policy is limited by what the cloud provider in question makes possible.

If you’ve been doing networking for any amount of time, you are familiar with trade-offs. The nice thing about this particular trade-off is that it creates flexibility in how you make your single NSX policy available, thus allowing it to be more available, in more scenarios. That is great because, along with consistent and common policy, NSX Cloud provides lots of other benefits: a single pane of glass (and RESTful APIs) for networking across clouds, the ability to quarantine instances and provide service insertion, built-in site-to-site VPN functionality, and plenty more (IPFIX, traceflow, port mirroring (L3 span), and syslog are highlights for me).
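To make the two modes concrete, here is an added illustration (not NSX or VMware code) that compiles one intent policy per cloud: a rule the provider’s native policy can express is rendered as a native construct (the Native Cloud Enforced idea), while a rule that relies on an attribute the native policy cannot express is flagged for agent enforcement (the NSX Enforced idea). The capability table, the FQDN attribute, and the rule names and addresses are constructed assumptions for illustration only.

```python
"""Model of bimodal enforcement of a single network policy across clouds.

Added example, not NSX code.  Each rule is compiled per cloud: if the
provider's native policy can express it, a native construct is emitted;
otherwise the rule is flagged as needing the agent.  The capability table
and the 'fqdn' attribute are assumptions, not statements about any provider.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    name: str
    source_cidr: str
    dest_port: int
    protocol: str = "tcp"
    fqdn: Optional[str] = None  # L7 destination match; assumed not native


# Assumed: attributes each provider's native policy can enforce.
NATIVE_CAPS = {"aws": {"cidr", "port"}, "azure": {"cidr", "port"}}


def required_caps(rule: Rule) -> set:
    """Attributes a rule needs the enforcement point to understand."""
    return {"cidr", "port", "fqdn"} if rule.fqdn else {"cidr", "port"}


def compile_rule(rule: Rule, cloud: str) -> dict:
    """Return {'mode': ..., 'payload': ...} for one rule on one cloud."""
    gaps = sorted(required_caps(rule) - NATIVE_CAPS[cloud])
    if gaps:  # native policy cannot express this; fall back to the agent
        return {"mode": "nsx_enforced", "payload": {"rule": rule.name, "needs": gaps}}
    if cloud == "aws":  # shape of an EC2 security-group IpPermission entry
        payload = {"IpProtocol": rule.protocol, "FromPort": rule.dest_port,
                   "ToPort": rule.dest_port,
                   "IpRanges": [{"CidrIp": rule.source_cidr, "Description": rule.name}]}
    else:  # shape of an Azure NSG securityRule; priority is a placeholder
        payload = {"name": rule.name, "properties": {
            "protocol": rule.protocol.capitalize(), "sourceAddressPrefix": rule.source_cidr,
            "sourcePortRange": "*", "destinationAddressPrefix": "*",
            "destinationPortRange": str(rule.dest_port), "access": "Allow",
            "direction": "Inbound", "priority": 100}}
    return {"mode": "native_enforced", "payload": payload}


def compile_policy(rules, clouds):
    """Compile the single policy for every cloud; returns {cloud: [results]}."""
    return {c: [compile_rule(r, c) for r in rules] for c in clouds}


# Constructed sample policy: one natively expressible rule, one agent-only rule.
POLICY = [Rule("allow-https-from-corp", "10.0.0.0/8", 443),
          Rule("allow-saas-api", "10.0.0.0/8", 443, fqdn="api.example.com")]
```

Running `compile_policy(POLICY, ["aws", "azure"])` yields a native construct for the first rule on both clouds and a `nsx_enforced` entry naming `fqdn` as the gap for the second.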

What Else is New? Service Discovery and Control

This is a big one. Really, it completes the story – adding cloud-native services to the mix, along with those cloud-native workloads. As of version 2.5, you can now automatically discover services such as S3, ELB, and RDS in both AWS and Azure. See the slide below for a more complete list. Maybe even more exciting, in addition to service discovery (visibility), you also get control! Yes, you can control access to these services through that same single NSX security policy.

That’s how you multi-cloud! That’s what happens when you can make a single policy available everywhere.

So, what are you waiting for? Learn more about the power of NSX Cloud here.


About the author

Chris Grundemann

Chris Grundemann is a passionate, creative technologist and a strong believer in technology's power to aid in the betterment of humankind. In his current role as Managing Director at Grundemann Technology Solutions he is expressing that passion by helping technology businesses grow and by helping any business grow with technology. Chris has been using technology, marketing, and strategy to build businesses and non-profit organizations for two decades. He holds 8 patents in network technology and is the author of two books, an IETF RFC, a personal weblog, and various other industry papers, articles, and posts. Chris is the lead research analyst for all networking and security topics at GigaOm and co-host of Utilizing AI, the Enterprise AI podcast. He is also a co-founder and Vice President of IX-Denver and Chair of the Open-IX Marketing committee. Chris often speaks at conferences, NOGs, and NOFs the world over. Chris is currently based in West Texas and can be reached via Twitter at @ChrisGrundemann.
