A few weeks ago at Dell Technologies World, VMware announced their Virtual Cloud Network with the updated VMware NSX portfolio. I am not a complete networking newbie, but feel best at home with storage systems and hypervisors. Many years ago, I would convert a pile of boxes on a pallet into a running hypervisor platform with shared storage. For me, networking was making sure that platform was reachable from the company network. I would extend all VLANs to the platform, and leave the more interesting firewalling, routing and WAN setups to my colleagues.
A few things have changed over time. VMs are no longer running exclusively on a private, in-house stack of hardware. Many customers entrust the running of VMs and services to a cloud service provider, which means CSPs end up with hundreds of customer IaaS environments. Some will run on dedicated platforms, others on shared platforms. All of them need to be completely isolated from each other, but might use some shared systems in our back-end.
And many of these customer environments are the same from a high-level perspective. All of them have domain controllers, database servers, web front-ends, desktops, etc. IP addresses may be different, but services connect to each other over the same well-known ports.
VMware Cloud Network Demo at Dell Technologies World 2018
At Dell Technologies World, Nick Furman from the VMware NSX team showed us a demo of Virtual Cloud Network, covering SD-WAN, branch office segmentation and firewalling inside the datacenter. Go check the demo recording as soon as you can!
It starts with an NSX SD-WAN by VeloCloud demo, optimizing bad links that might otherwise result in a bad user experience. By pulling physical WAN links into the software-defined sphere, it enables you to make much smarter, more dynamic decisions on how to route traffic, both to leverage your WAN investments more efficiently and to make sure that the user experience is as good as it can possibly be. With more and more people working outside of the office or traveling around the globe for work, this sounds like a no-brainer.
As a cloud/VM person, I found the branch and datacenter segregation part of the demo the most interesting. First, there is segmentation. The demo uses a branch office within a multinational company, but you could just as easily translate this to individual customers within a shared platform. Since each network segment has its own separate NSX logical switches, routers and edge services gateway, you could quickly stand up a new network for a new customer. There are also plenty of automation options if you do not want to click. This should drastically reduce the time to build the networking part of a new IaaS platform for a customer.
It is All About Tagging
Once you start building the customer’s servers (either VMs or containers), you want to design them with security in mind. Instead of a big ‘permit any-any’ rule, you only want to allow the needed traffic and deny the rest, to limit the attack surface. Unfortunately, that means there are a LOT of rules to manage. Some of these rules might be the same between systems from a port perspective.
With NSX you can assign tags to objects, e.g. domain controller, SQL database, web server, etc. NSX allows AWS and Azure hybrid cloud tags as well. These tags enable you to keep network configurations identical across all similar objects, and efficiently update all these configurations if something changes.
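To illustrate the tagging idea, here is an added example (my own simplified model, not NSX’s API or code): rules reference tags rather than IP addresses, evaluation is default-deny, and a new workload carrying an existing tag inherits the matching rules without the policy being edited. Workload names, IPs, tags and ports are constructed for the example.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Tuple

@dataclass(frozen=True)
class Workload:
    name: str
    ip: str
    tags: FrozenSet[str]

@dataclass(frozen=True)
class Rule:
    src_tag: str
    dst_tag: str
    port: int
    proto: str = "tcp"

# Constructed inventory: tags stand in for NSX-style security tags, IPs are arbitrary.
INVENTORY = [
    Workload("dc01", "10.0.1.10", frozenset({"domain-controller"})),
    Workload("sql01", "10.0.2.20", frozenset({"sql-database"})),
    Workload("web01", "10.0.3.30", frozenset({"web-server"})),
]

# Allow-list keyed by tag rather than IP; anything not listed here is denied.
POLICY = [
    Rule("web-server", "sql-database", 1433),
    Rule("web-server", "domain-controller", 389),
    Rule("sql-database", "domain-controller", 389),
]

def is_allowed(src: Workload, dst: Workload, port: int, proto: str = "tcp",
               policy: Iterable[Rule] = POLICY) -> bool:
    """Default deny: the flow passes only if some rule's source and destination tags
    both match the workloads and the port/protocol match. Direction matters."""
    return any(r.src_tag in src.tags and r.dst_tag in dst.tags
               and r.port == port and r.proto == proto for r in policy)

def expand_to_ip_rules(inventory: Iterable[Workload],
                       policy: Iterable[Rule] = POLICY) -> List[Tuple[str, str, int, str]]:
    """Expand tag-based rules into the concrete (src_ip, dst_ip, port, proto) rules a
    platform would enforce. Adding a tagged workload grows this list without touching POLICY."""
    inv = list(inventory)
    return sorted({(s.ip, d.ip, r.port, r.proto)
                   for r in policy
                   for s in inv if r.src_tag in s.tags
                   for d in inv if r.dst_tag in d.tags and s is not d})

if __name__ == "__main__":
    web02 = Workload("web02", "10.0.3.31", frozenset({"web-server"}))
    print(len(expand_to_ip_rules(INVENTORY)), len(expand_to_ip_rules(INVENTORY + [web02])))
```

Running it shows the expanded rule count growing from 3 to 5 when a second web server is added, with no change to the tag-based policy itself.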
My Thoughts on VMware NSX and the VMware Cloud Network
It is easy enough to spin up a VM or container: it takes only a few clicks of the mouse. Making sure that a VM can communicate with only the right parties, though, especially if you have to traverse a few firewalls that each need a few ports opened, is more difficult. It is a constant process of gathering IP addresses, ports, protocols, etc. Duck and cover if these configurations change over time, or if you need to ensure that all these configurations stay identical across platforms or application chains.
The Virtual Cloud Network demo at Dell Technologies World showed me that VMware is working hard on products that offer a complete solution to these challenges, one that doesn’t just look at private clouds, but also at the AWS and Azure public clouds. For someone who builds cloud platforms, VMware NSX looks like the product that can speed up these deployments and make all these different clouds communicate securely.