The age of virtualization has continued to mature. Today, with the fast pace of business and the expectations of customers and business stakeholders, expediency, agility, and flexibility are key, and that means performing changes and provisioning in software rather than in hardware. The network is no exception to this rule!
Network virtualization has brought about a new age of network configuration and provisioning that allows virtualization administrators to configure and provision networks without the need to reconfigure physical network devices. This has allowed flexibility and agility that has not been possible before.
When you consider the network virtualization platforms available, VMware NSX is the solution that stands out. VMware NSX is the network virtualization solution of choice, providing capabilities and solutions that are leading the pack of virtualization offerings.
This post is a two-part series.
In this first part, we’ll look at the following:
- What is VMware NSX?
- How does VMware NSX work?
- VMware NSX components
- What is it used for?
In the second part, we’ll look at the detailed step-by-step process of deploying VMware NSX.
What is VMware NSX?
VMware NSX is a core component of the overall VMware Software-Defined Data Center (SDDC). It is a network virtualization platform that allows virtualizing network components in software so that networks can be provisioned and managed without the need to reconfigure and provision physical network hardware by using a layer of abstraction over the physical network. This allows for flexibility and agility with provisioning the fast-paced network configurations needed with today’s complex IT infrastructures.
With the NSX platform, your network operations are allowed to be independent of the physical network that exists in your environment. In fact, network components and services such as firewalls, load balancers, routers, switches, and VPN networks can be provisioned with NSX with no additional physical hardware.
VMware NSX enables a secure virtual cloud by allowing you as the customer to connect and protect applications across environments including your own data center, public cloud, multi-cloud, bare metal, and container infrastructure. It does this in a way that allows the experience to be seamless and fluid across your environments in such a way that it is presented as a single network environment.
Along with allowing you to provision, manage, and configure your virtual networks, VMware NSX allows effectively bolstering security boundaries in your infrastructure. It does this by delivering a complete L2-L7 networking security virtualization platform that allows your business to effectively implement micro-segmentation, application-based firewalling, and other powerful security features.
How Does VMware NSX Work?
When thinking about how VMware NSX works, it is good to take a step back and look at the benefits of how server virtualization has accelerated IT operations in enterprise IT environments. With server virtualization, it has become apparent that decoupling the software from the physical hardware brings about advantages to legacy infrastructure. Server consolidation has reduced physical complexity and at the same time, increased operational efficiency.
Following on the heels of server virtualization, storage virtualization has brought about the same benefits in the area of storage by allowing the software to drive storage provisioning, management, and troubleshooting. With VMware NSX, virtualization technology brings those same advantages that have already been discovered with compute and storage to the networking layer.
Very similar to server virtualization, VMware NSX can programmatically create, snapshot, delete, and restore software-based virtual networks. This vastly simplified approach to networking allows a much more streamlined model for configuring, managing, and provisioning networking without any changes to the underlying physical network.
VMware makes the analogy of VMware NSX being what they call a network hypervisor that provides the same benefits that customers have grown accustomed to with server virtualization. With network virtualization, the constructs of the network are reproduced in software, covering layers 2 through 7 of the networking model: switching, routing, access control, firewalling, QoS, and load balancing.
Using the VMware NSX software and programmatic automation, these can be produced as needed to create unique, isolated virtual networks in a matter of seconds and without any intervention of the physical networking team.
Overlay and Underlay
There is an important conceptual idea that you have to wrap your head around with VMware NSX and really all software-defined networking solutions as they typically implement SDN in very similar ways. The two concepts are the overlay and underlay of the network.
In most documentation related to software-defined networking, you will see the term overlay mentioned. The software-defined network creates networks “on top of” the physical network beneath. This means you can create address spaces and stretch networks between physical locations in a way that is either not possible or very cumbersome to do with physical networks. So, VMware NSX overlays a virtual network on top of the physical network.
The virtual network overlay is made possible by overlay transport “tunnels” created between ESXi hosts in the environment. The underlying physical network is described as the underlay as it is the underlying networking or “plumbing” that makes the software-defined overlay possible with VMware NSX.
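To make the overlay/underlay split concrete, here is an added example (not code from the original post or from VMware) that decodes the VXLAN encapsulation NSX-V uses for its transport tunnels between ESXi hosts. What the physical underlay forwards is an ordinary UDP datagram to port 4789; only the 24-bit VNI inside the VXLAN header ties the packet back to a logical switch. The header layout follows RFC 7348; the MAC addresses, the VNI-to-switch names and the sample datagram are constructed for this example (NSX-V allocates segment IDs from a pool that starts at 5000, which is why the sample uses 5001).

```python
import struct

VXLAN_UDP_PORT = 4789         # IANA-assigned VXLAN destination port (RFC 7348)
VXLAN_FLAG_VNI_VALID = 0x08   # the "I" flag: the VNI field carries a valid value

# Constructed mapping for this example: NSX-V hands each logical switch a
# segment ID (VNI) from a pool starting at 5000. These switch names are made up.
LOGICAL_SWITCHES = {5001: "web-tier", 5002: "app-tier"}


def build_vxlan_header(vni: int) -> bytes:
    """Encode the 8-byte VXLAN header: flags(8) reserved(24) VNI(24) reserved(8)."""
    if not 0 <= vni < 2 ** 24:
        raise ValueError("VNI must fit in 24 bits")
    return bytes([VXLAN_FLAG_VNI_VALID, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00"


def parse_vxlan_header(payload: bytes) -> dict:
    """Decode the VXLAN header and return the VNI plus the inner Ethernet frame."""
    if len(payload) < 8:
        raise ValueError("truncated VXLAN header")
    flags = payload[0]
    if not flags & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VXLAN I flag not set; VNI is not valid")
    vni = int.from_bytes(payload[4:7], "big")
    return {"flags": flags, "vni": vni, "inner_frame": payload[8:]}


def parse_udp_vxlan(udp_datagram: bytes) -> dict:
    """Strip the outer UDP header (8 bytes), then decode VXLAN if port 4789 was used."""
    if len(udp_datagram) < 8:
        raise ValueError("truncated UDP header")
    src_port, dst_port, _length, _checksum = struct.unpack("!HHHH", udp_datagram[:8])
    if dst_port != VXLAN_UDP_PORT:
        raise ValueError(f"not VXLAN: UDP destination port is {dst_port}")
    result = parse_vxlan_header(udp_datagram[8:])
    result["udp_src_port"] = src_port
    result["logical_switch"] = LOGICAL_SWITCHES.get(result["vni"], "unknown")
    return result


def inner_ethertype(frame: bytes) -> int:
    """EtherType of the encapsulated frame (0x0800 = IPv4): bytes 12-13 of the Ethernet header."""
    return int.from_bytes(frame[12:14], "big")


# Constructed sample: an IPv4 frame between two VM MACs, tunnelled on VNI 5001.
INNER_FRAME = (bytes.fromhex("005056aabbcc")      # destination VM MAC (sample)
               + bytes.fromhex("005056112233")    # source VM MAC (sample)
               + b"\x08\x00"                      # EtherType IPv4
               + bytes.fromhex("45000014"))       # start of an IPv4 header (truncated sample)
SAMPLE_DATAGRAM = (struct.pack("!HHHH", 51234, VXLAN_UDP_PORT, 8 + 8 + len(INNER_FRAME), 0)
                   + build_vxlan_header(5001)
                   + INNER_FRAME)

if __name__ == "__main__":
    decoded = parse_udp_vxlan(SAMPLE_DATAGRAM)
    print(f"VNI {decoded['vni']} -> logical switch {decoded['logical_switch']}, "
          f"inner EtherType 0x{inner_ethertype(decoded['inner_frame']):04x}")
```

The practical consequence for security is visible in the decoder: a physical switch or firewall in the underlay sees only the outer IP/UDP headers and the VNI, never the tenant MAC or IP addresses inside, so policy between VMs on the overlay has to be enforced by NSX itself (the distributed firewall) rather than by the underlay. It also means the VTEP network carrying UDP/4789 should be treated as a trusted transport and kept isolated from workloads.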
VMware NSX Components
What are the various components of the VMware NSX solution? VMware NSX is made up of the following major planes in which various components are housed. The NSX “planes” include:
- Data Plane
- Control Plane
- Management Plane
- Consumption Platform
Each of these categories of components contains various aspects of the VMware NSX ecosystem.
The Data Plane is where the NSX vSwitch resides, built on the vSphere Distributed Switch. The Data Plane also houses the NSX kernel modules, userspace agents, configuration files, and installation scripts, which are packaged and delivered to the ESXi hosts as VIBs.
The control plane is where the NSX controller resides which we will describe in the next section.
The NSX Manager resides in the management plane.
The consumption platform is where NSX is consumed, notably through the vSphere Web Client and through RESTful API calls.
Let’s look more specifically at some of the major components contained in the major VMware NSX planes of operations described above. These include:
- NSX Manager
- NSX Controller
- NSX vSwitch
When you deploy VMware NSX, the first component that you will deploy in your environment is the NSX Manager. The NSX Manager forms the management plane of the VMware NSX solution. It is the centralized network management component of NSX and provides a single point for configuring the various NSX components. Additionally, the NSX Manager provides the RESTful API endpoints for programmatic interaction with VMware NSX.
RESTful APIs are used in creating the various NSX components such as the NSX controllers, logical switches, and edge services gateways. Within the NSX Manager GUI, you have an aggregated view of the relationship between the NSX Manager and your vCenter Server integration as well as health statistics, etc.
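As an added example of what that programmatic interaction looks like (this is not code from the original post or from VMware), the following Python builds an authenticated request to the NSX Manager API, serialises the XML body NSX-V expects when creating a logical switch, and parses a listing of existing logical switches. The REST paths, the `virtualWireCreateSpec` element names and the shape of the listing follow the NSX-V 6.x API but should be treated as assumptions to confirm against the API guide for your release; the manager hostname, credentials and the sample listing are constructed for the example.

```python
import base64
import ssl
import urllib.request
import xml.etree.ElementTree as ET
from typing import List, Optional

# NSX-V 6.x REST paths used below (assumptions; confirm against the NSX API guide).
VIRTUAL_WIRES_PATH = "/api/2.0/vdn/virtualwires"
SCOPE_WIRES_PATH = "/api/2.0/vdn/scopes/{scope_id}/virtualwires"
CONTROL_PLANE_MODES = {"UNICAST_MODE", "HYBRID_MODE", "MULTICAST_MODE"}


def build_logical_switch_spec(name: str, tenant_id: str = "default",
                              control_plane_mode: str = "UNICAST_MODE") -> bytes:
    """Serialise the XML body for creating a logical switch (an NSX 'virtual wire')."""
    if control_plane_mode not in CONTROL_PLANE_MODES:
        raise ValueError(f"unsupported control plane mode {control_plane_mode}")
    spec = ET.Element("virtualWireCreateSpec")
    ET.SubElement(spec, "name").text = name
    ET.SubElement(spec, "tenantId").text = tenant_id
    ET.SubElement(spec, "controlPlaneMode").text = control_plane_mode
    return ET.tostring(spec, encoding="utf-8")


def parse_virtual_wires(xml_text: str) -> List[dict]:
    """Extract object id, name and VNI (vdnId) from a virtualwires listing."""
    root = ET.fromstring(xml_text)
    return [
        {"id": vw.findtext("objectId"), "name": vw.findtext("name"),
         "vni": int(vw.findtext("vdnId"))}
        for vw in root.iter("virtualWire")
    ]


def nsx_request(manager: str, path: str, method: str, user: str, password: str,
                body: Optional[bytes] = None) -> urllib.request.Request:
    """Build (but do not send) an authenticated request to the NSX Manager API."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(f"https://{manager}{path}", data=body, method=method)
    req.add_header("Authorization", f"Basic {token}")
    req.add_header("Accept", "application/xml")
    if body is not None:
        req.add_header("Content-Type", "application/xml")
    return req


def send(req: urllib.request.Request, ca_file: str) -> str:
    """Send a request, validating the NSX Manager certificate against a CA bundle you control.
    Basic auth puts the admin credentials on every call, so never disable verification."""
    ctx = ssl.create_default_context(cafile=ca_file)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.read().decode("utf-8")


# Constructed response in the shape of GET /api/2.0/vdn/virtualwires (sample only).
SAMPLE_LISTING = """<virtualWires><dataPage>
  <virtualWire><objectId>virtualwire-1</objectId><name>web-tier</name>
    <vdnId>5001</vdnId><controlPlaneMode>UNICAST_MODE</controlPlaneMode></virtualWire>
  <virtualWire><objectId>virtualwire-2</objectId><name>app-tier</name>
    <vdnId>5002</vdnId><controlPlaneMode>UNICAST_MODE</controlPlaneMode></virtualWire>
</dataPage></virtualWires>"""

if __name__ == "__main__":
    body = build_logical_switch_spec("db-tier")
    req = nsx_request("nsxmgr.example.internal",          # hypothetical manager hostname
                      SCOPE_WIRES_PATH.format(scope_id="vdnscope-1"),
                      "POST", "admin", "<password-from-secret-store>", body)
    print(req.get_method(), req.full_url)
    for wire in parse_virtual_wires(SAMPLE_LISTING):
        print(wire)
```

Two operational notes follow from the code: the API authenticates with HTTP basic auth, so the NSX Manager certificate should be replaced with one issued by a CA your tooling trusts rather than verification being switched off, and the credential belongs in a secret store or environment variable, never in the script. Automation accounts should also be scoped with NSX roles rather than using the built-in admin.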
As related to VMware NSX for vSphere, or NSX-V, there is a relationship formed with the NSX Manager and vCenter Server. There can only be one NSX Manager provisioned per VMware vCenter Server. In a cross-vCenter deployment, there is a primary NSX Manager and a secondary NSX Manager.
The NSX Manager appliance is deployed as a virtual appliance inside the vSphere environment. The NSX Manager is provided as an OVA file download from VMware. Using the OVA file, you can quickly and easily deploy the NSX Manager appliance inside your vSphere environment.
For high availability, you want to deploy the NSX Manager appliance inside a vSphere cluster running DRS and HA so that the virtual machine has resiliency against underlying hardware failures, ensuring uptime and availability of NSX management services. An additional best practice for resiliency is to house the NSX Manager in a dedicated management cluster, so that the Manager runs in a vSphere cluster separate from the environment it manages from an NSX perspective.
The NSX control plane is made possible with the NSX Controller. The NSX Controller provides you with an advanced distributed state management system that controls virtual networks and your overlay transport tunnels. It provides control plane functions for NSX logical switching and routing function.
The NSX Controller provides a centralized point of control for all logical switches within the NSX network environment. It also keeps track of all hosts, logical switches, VXLANs, and distributed logical routers (DLRs). While some basic NSX functionality, such as firewalling, can be accomplished without controllers, you need the NSX Controller if you want to do any of the following:
- Deploy distributed logical routers
- Run VXLAN in unicast or hybrid mode
When you deploy the NSX controller(s), they are deployed as a cluster of NSX controllers. VMware only supports NSX controller clusters with a total of three NSX controller nodes in the NSX Controller cluster.
The NSX vSwitch is the software that resides in the ESXi hypervisor that provides the overlay abstraction layer between servers and the physical network. The NSX vSwitch is a unique virtual switch based on the vSphere Distributed Switch (VDS) that provides the uplinks needed for host connectivity to top-of-rack (TOR) physical switches.
You should prepare and deploy your vSphere Distributed Switches in your vSphere environment first before deploying NSX. Additionally, it is important to note that NSX is not supported for use with the vSphere Standard Switch (VSS). For any NSX services and features to be utilized, the vSphere Distributed Switch is required.
What is VMware NSX Used For?
If you are unfamiliar with network virtualization in general and are mainly familiar with how physical networks work in your enterprise data center, you may wonder at first what you would use VMware NSX for. However, as you learn about the advantages and capabilities of software-defined networking in general, it becomes readily apparent that there are several use cases for technologies like VMware NSX.
VMware NSX is the premier network virtualization solution on the market today with the most diverse and wide-ranging feature set of any other SDN product. There are many new and exciting capabilities in general that VMware NSX allows you to unlock for your organization. What are some of the features and use cases of VMware NSX?
- Extend networks regardless of physical location
- Connect on-premises, public cloud, multi-cloud environments
- Service-defined firewall
Extend Networks Regardless of Physical Location
An extremely challenging aspect of physical networking is IP address space and where these physically exist. This can certainly create challenges especially with legacy applications that may be hard coded to specific IP addresses. If servers need to be moved to a new physical location, in traditional networks, the IP address would most likely need to change. Having the same IP address space span multiple locations is something that is extremely complex if not impossible to do with traditional networks.
With VMware NSX however, the constructs of the network L2-L7 are created entirely in software. This means that network IP address space can exist where you need it to exist. With VMware NSX logical switches, you can essentially have the behavior of a traditional Layer 2 physical network that spans across different sites and locations as well as across routed network boundaries.
This provides valuable use cases including the one mentioned above where traditional applications may be hard coded to a specific IP address. If the server needs to be moved, this same address space can be provisioned using VMware NSX in the new physical location so that the application does not have to be recoded simply due to the move.
An additional use case for extending networks is disaster recovery. In the event of a site-level failure or an event that leads to needing to quickly extend IP subnets to different locations, VMware NSX makes this challenging requirement much easier to accomplish with virtualized networking.
Connect On-Premises, Public Cloud, and Multi-Cloud Environments
Today you may be either contemplating migrating at least a subset of resources to the public cloud or already have a migration underway. Generally, most businesses decide to keep some resources on-premises and then others in a public cloud environment or multiple public cloud environments. This can create network challenges in managing, maintaining, and provisioning networking between the various environments.
With VMware NSX, since the network constructs are formed in software, you can easily extend networks, provision networks, and manage virtual networks consistently across the various environments that exist in your organization, including the cloud. You can create IP address space across these boundaries if needed as well. Having this capability with virtual networking opens up a wide range of capabilities and flexibility when it comes to network communication for your workloads, regardless of whether they exist on-premises or in the cloud.
Implement Micro-Segmentation for Bolstering Security
Security is arguably one of the most important topics and considerations among IT operations and networking architecture today. Bolstering security is an extremely important challenge faced by virtualization and networking admins alike.
VMware NSX introduces a powerful capability to organizations looking to enhance their security posture. This capability is called micro-segmentation. Micro-segmentation allows you to effectively implement a “zero-trust” model in your network. In traditional networks, once traffic is on the “inside” of your LAN, it is assumed to be “trusted”. Attackers have exploited this idea by infiltrating the perimeter firewall defenses and then having free rein to attack the internal network.
With micro-segmentation, there is no longer a “trusted” network per se. VMware NSX implements the “zero-trust” network model, allowing network endpoints to connect only to those resources they need to connect to. Server VMs can effectively be prevented from being “seen” by any other servers or VMs other than those explicitly allowed.
VMware NSX allows micro-segmentation to be implemented in a very intelligent way. This includes being able to use familiar vSphere constructs such as virtual machine names or IP addresses to build and enforce micro-segmentation firewall policies.
Next-generation security enforcement will need to utilize micro-segmentation to effectively silo traffic between only those devices that are authorized to communicate with specific network resources.
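To show what the zero-trust model described above means in practice, here is an added example (not code from the original post or from VMware) that models a distributed, per-VM firewall the way the NSX distributed firewall behaves: rules are evaluated top down, first match wins, rule sources and destinations are expressed with VM names or IP subnets rather than physical network position, and anything that matches no rule falls through to a default deny. The inventory, the policy and the sample flows are constructed for the example; they are not NSX objects or NSX rule syntax.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable, FrozenSet, List


@dataclass(frozen=True)
class VM:
    name: str
    ip: str


Matcher = Callable[[VM], bool]


def name_prefix(prefix: str) -> Matcher:
    """Security-group style membership keyed on the VM name, as the DFW allows."""
    return lambda vm: vm.name.startswith(prefix)


def in_subnet(cidr: str) -> Matcher:
    """Membership keyed on the VM's IP address, the other familiar construct."""
    net = ip_network(cidr)
    return lambda vm: ip_address(vm.ip) in net


def any_vm(vm: VM) -> bool:
    return True


@dataclass(frozen=True)
class Rule:
    name: str
    src: Matcher
    dst: Matcher
    ports: FrozenSet[int]   # destination TCP ports; empty means any port
    action: str             # "allow" or "deny"


@dataclass
class DistributedFirewall:
    """Toy model of a per-vNIC firewall: rules evaluated top down, first match wins,
    and anything unmatched falls through to the default rule (deny = zero trust)."""
    rules: List[Rule]
    default_action: str = "deny"
    log: List[str] = field(default_factory=list)   # every verdict is logged for detection

    def evaluate(self, src: VM, dst: VM, port: int) -> str:
        for rule in self.rules:
            if rule.src(src) and rule.dst(dst) and (not rule.ports or port in rule.ports):
                self.log.append(f"{rule.action.upper()} {src.name}->{dst.name}:{port} rule='{rule.name}'")
                return rule.action
        self.log.append(f"{self.default_action.upper()} {src.name}->{dst.name}:{port} rule='default'")
        return self.default_action


# Constructed inventory and policy (sample only).
WEB1, WEB2 = VM("web-01", "10.10.1.11"), VM("web-02", "10.10.1.12")
APP1, DB1 = VM("app-01", "10.10.2.21"), VM("db-01", "10.10.3.31")
JUMP = VM("jump-01", "10.10.9.5")

ZERO_TRUST_POLICY = DistributedFirewall(rules=[
    Rule("web to app", name_prefix("web-"), name_prefix("app-"), frozenset({8443}), "allow"),
    Rule("app to db", name_prefix("app-"), name_prefix("db-"), frozenset({3306}), "allow"),
    Rule("admin ssh from jump subnet", in_subnet("10.10.9.0/24"), any_vm, frozenset({22}), "allow"),
])


def run_sample(dfw: DistributedFirewall = ZERO_TRUST_POLICY) -> dict:
    """Evaluate a handful of constructed flows; lateral moves outside the allowed paths are denied."""
    flows = [(WEB1, APP1, 8443), (APP1, DB1, 3306), (WEB1, DB1, 3306),
             (WEB1, WEB2, 22), (JUMP, DB1, 22), (APP1, WEB1, 8443)]
    return {f"{s.name}->{d.name}:{p}": dfw.evaluate(s, d, p) for s, d, p in flows}


if __name__ == "__main__":
    for flow, verdict in run_sample().items():
        print(f"{verdict:5s} {flow}")
```

The point of the sample flows is that web-01 and web-02 sit on the same logical switch, yet web-01 cannot reach web-02 on port 22, and web-01 cannot reach the database directly even though both are “inside” the data center: only the explicitly modelled application paths are allowed. The deny log is as valuable as the enforcement, since denied flows between peers that should never talk are an early signal of lateral movement worth forwarding to the SIEM.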
Implement Service-Defined Firewall
VMware NSX and its capabilities have certainly evolved over the last few years. VMware has released a powerful new set of solutions that work hand-in-hand with VMware NSX to enforce intelligent security in the enterprise data center. The VMware service-defined firewall is a combination of two VMware products that gives you an intelligent security solution based on real network intelligence. The service-defined firewall combines VMware NSX and VMware AppDefense to provide deep application visibility and control, the App Verification Cloud, and automated and adaptive policies.
With the service-defined firewall, VMware is leveraging machine learning and AI with the ability to provide adaptive responses and security policy based on more than simple firewall rules. A service-defined firewall is able to provide insights into the behaviors of your applications.
Powered by VMware NSX and AppDefense the service-defined firewall is able to establish a baseline of what known good behavior is for your application landscape and then determine whether certain behaviors might be malicious. It creates what you can think of as a fingerprint of the application. When this fingerprint deviates from what it should be, the service-defined firewall takes action by blocking the malicious process or network communication.
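The baseline-then-deviation idea described above can be illustrated with an added example (not code from the original post or from VMware, and not how AppDefense is implemented internally): during a learning window it records which process on each VM communicates on which destination port, turning that into a per-VM fingerprint, and in enforcement mode it flags and blocks any connection that does not fit the fingerprint. The event format and the event lines are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class ConnEvent:
    vm: str
    process: str
    dst: str
    port: int


def parse_events(lines: str) -> List[ConnEvent]:
    """Parse constructed 'vm process dst_ip port' lines (a sample format, not AppDefense's)."""
    events = []
    for line in lines.strip().splitlines():
        vm, process, dst, port = line.split()
        events.append(ConnEvent(vm, process, dst, int(port)))
    return events


# Fingerprint: vm name -> set of (process, destination port) pairs seen as good behaviour.
Fingerprint = Dict[str, Set[Tuple[str, int]]]


def learn_baseline(events: List[ConnEvent]) -> Fingerprint:
    """Learning phase: record which process on each VM talks on which destination port."""
    fp: Fingerprint = defaultdict(set)
    for e in events:
        fp[e.vm].add((e.process, e.port))
    return dict(fp)


def enforce(fingerprint: Fingerprint, events: List[ConnEvent]) -> List[dict]:
    """Enforcement phase: any (process, port) pair outside the VM's fingerprint is a deviation."""
    verdicts = []
    for e in events:
        known = fingerprint.get(e.vm, set())
        if (e.process, e.port) in known:
            verdicts.append({"event": e, "verdict": "allow", "reason": "matches baseline"})
        elif e.process in {proc for proc, _ in known}:
            verdicts.append({"event": e, "verdict": "block",
                             "reason": f"known process {e.process} using unexpected port {e.port}"})
        else:
            verdicts.append({"event": e, "verdict": "block",
                             "reason": f"process {e.process} never seen on {e.vm}"})
    return verdicts


# Constructed learning-window events: the application behaving as designed.
BASELINE_LOG = """
web-01 nginx 10.10.2.21 8443
web-01 nginx 10.10.2.22 8443
app-01 java 10.10.3.31 3306
app-01 java 10.10.3.31 3306
"""

# Constructed enforcement-window events: two of the four deviate from the fingerprint.
ENFORCEMENT_LOG = """
web-01 nginx 10.10.2.21 8443
web-01 nginx 203.0.113.7 443
app-01 bash 10.10.3.31 3306
app-01 java 10.10.3.31 3306
"""


def run_sample() -> List[str]:
    fp = learn_baseline(parse_events(BASELINE_LOG))
    return [v["verdict"] for v in enforce(fp, parse_events(ENFORCEMENT_LOG))]


if __name__ == "__main__":
    fp = learn_baseline(parse_events(BASELINE_LOG))
    for v in enforce(fp, parse_events(ENFORCEMENT_LOG)):
        print(v["verdict"], v["event"].vm, v["event"].process, v["event"].port, "-", v["reason"])
```

The two blocked events show the two kinds of deviation a fingerprint catches: a known process (nginx) opening a connection on a port it never used during the baseline, and a process (bash) that was never part of the application's behaviour on that VM at all. The caveat that matters when using any learned baseline is that the learning window must be reviewed before enforcement, because whatever was happening during it, wanted or not, becomes “known good”.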
Deploying VMware NSX
Let’s take a look at the process of deploying VMware NSX-V: what is involved, the prerequisites, and the step-by-step installation. As an overview of the process, we will look at:
- Deploying the NSX Manager appliance
- Deploying NSX Controllers
- ESXi Host Preparation
- Deploying VXLAN
- Setting up transport zones
Before delving into these steps, what are the prerequisites to installing NSX-V in your VMware vSphere environment?
VMware NSX Software, Hardware, and Network Requirements
Before installing VMware NSX in your environment, make sure you check out the VMware interoperability matrix to verify the version of VMware NSX works with all VMware solutions you are currently using in your environment.
Unless there are other factors or reasons for not doing so, it is always recommended to make sure you are running the latest patches and release of vSphere software in your environment to ensure the greatest compatibility and interoperability.
Below are the hardware requirements for installing NSX-V in a VMware vSphere environment.
Additionally, there are network requirements that need to be considered as follows.
Once you have considered the requirements and recommendations for installing VMware NSX, the first step in getting VMware NSX up and running is deploying the NSX Manager.
You can find the detailed steps to deploy VMware NSX in the second part of this blog: VMware NSX Deployment Guide – Part 2