What's New VMware NSX Advanced Load Balancer (Avi Networks)

Confidential │ ©2019 VMware, Inc.
Webinar
Ashwin Manekar
Product Line Manager, NSBU, VMware
September 26th 2019
What’s New with
VMware NSX Advanced
Load Balancer (Avi
Networks)

Confidential │ ©2019 VMware, Inc. 2
The Foundation of the Virtual Cloud Network
VMware NSX Portfolio
NETWORK AND SECURITY VIRTUALIZATION
Security Integration Extensibility Automation Elasticity
NSX Data Center NSX Cloud AppDefense SD-WAN by VeloCloud HCX
NSX Service Mesh NSX Advanced Load Balancer
Avi Networks, now part of VMware
• Industry’s only complete L2-L7 software-defined stack
• A leader in the ADC market with multi-cloud LB, WAF and
analytics

VMware NSX Advanced Load Balancer Portfolio
VMware NSX
Integration+Standalone
Multi-cloud
LB & WAF
NSX Data Center NSX Cloud NSX Service
Mesh
VMware Cloud on AWS (VMC)
VMware Horizon & UAG

4Confidential │ ©2019 VMware, Inc.
Avi Networks Product Overview

Load Balancing is the Blocker for Digital Transformation
Drivers
Increased
IT Demands
ON-
PREMISES
Load Balancing is Not
Automated
Network
StorageCompute
CLOUD
Challenges
Scalability
Agility
Flexibility
# Apps
# Changes
#
Env/Infra
Cost
Efficiency
$
Time to
Market
Modern
Apps
Load
Balancers
?

Hardware / Virtual Load Balancer Challenges
DC1 DC2
DEPT1 DEPT2
Standby
0%
Active
15%
Separate control points – operational complexity, hard to automate, painful upgrades
Capacity management – manual VIP placement, costly overprovisioning, no capacity pooling
Not designed for modern new environments
ON-PREMISES CLOUD CONTAINER

BARE METAL VIRTUALIZED CONTAINERSON PREMISES PUBLIC CLOUDVIRTUALIZED CONTAINERS
Modern, Scalable, Multi-Cloud Architecture
CONTROLLER
SERVICE
ENGINE
SEPARATE CONTROL
& DATA PLANE
ELASTICITY
INTELLIGENCE AUTOMATIONMULTI-CLOUD

Comprehensive Application Services Platform
• Web App Firewall
• SSL Termination
• DDoS Protection
• L3-4 ACLs
• L7 Rules/Policies
• Rate Limiting
SECURITY
• Application Map
• Service Health Score
• Network Performance
• App Performance
• Request Logging
• Security Insights
ANALYTICS
• Central Management
• 100% REST API / SDK
• Self-Service
• Multi-Tenancy
• Service Discovery
• IPAM/DNS
PLATFORM
• L7 (HTTP) LB
• L4 (TCP/UDP) LB
• Global Load Balancing
• Content Switching
• Caching/Compression
• Autoscaling
LOAD BALANCING
Features
(K8S, OpenShift, PKS, AKS, GKE,
EKS, ...)
Enterprise-grade Ingress
• Converged LB, Security, Analytics
• Service Discovery & App Map
• Multi-cluster and Multi-cloud
Containers
Use
Cases
(ESXi, x86, NSX, ACI, OpenStack…)
• Central Management
• Real-time Analytics
• SDN Integration and Automation
• Cost Savings
SDDC / On-Prem
(AWS, Azure, GCP, VMC, …)
• Cloud-native Automation
• Enterprise-grade Features
• Real-time Analytics
• Multi-cloud Consistency
Public Cloud

What’s new in 18.2.6
- Positive Security Model
- Learning Mode for WAF

Comprehensive Security Stack
NSX Advanced Load Balancer
Encryption
SSL/TLS
L3/4 Firewall Rules
IP-Port based Security Rules
L7 Firewall Rules
Content (URI) based security rules
DDoS Protection
DDoS detection and mitigation with elastic scaling
Application Rate Limiting
Control and restrict by application or tenants
Security
Insights
Security score
Attack insights
SSL Insights
WAF analytics
Web Application Firewall
OWASP TOP 10, Application protection, Attack Analytics
Centralized Management
Multi-Cloud Elastic Fabric
Automation & Programmability
Real Time Visibility & Analytics
REST API
Data Center Private Cloud Public Cloud

iWAF policy checks
Whitelist
• High performance for trusted traffic
• Match Criteria: Headers, IP, Path and more
• Similar to HTTP policy matching
PSM
• Positive definition of Application behavior
• Zero-day attacks defense and performance
• Rules: Learning, Scanners, Manual
Signatures
• Scans for common attack patterns
• Rules: OWASP Top 10 protection rules

How does Positive Security Model work?
FastPas
s
Deep Inspection
Negative Security
Deny
Allow
Traffic
ML Classifier
Automating Application Security using Machine Learning

Avi’s WAF Capabilities
Application defense in depth
• Application Learning and Positive Security
• OWASP Top 10 Protection
• Signatures and app-specific rules
• HTTP protocol enforcement and input
Validation – XSS, SQLi, etc.
• Virtual patching using scripting for
application logic flaws
• API protection for JSON, XML
• Metrics and statistics about the current
application attack surface
• Bot detection
Backend
Application
Untrusted Trusted
WAN

- Support for modern encryption – TLS
1.3

NSX Advanced LB supports versions SSLv3, TLS
1.0
Starting 18.2.6, TLSv1.3 protocol is supported.
Ciphersuites: Users must select one or more of
the three supported TLSv1.3 ciphers in the list of
ciphers
Enable Early Data:
- Enables TLS terminated applications to send
application data without having to first wait for the
TLS handshake to complete
- Saves one full round trip time between the client
and server before the client requests can be
processed
Terminate SSL connections between the client and the virtual service
Enable encryption between NSX Advanced LB and the back-end servers
SSL/TLS Profile

- Flexible Upgrade

Current Challenges
Everybody needs to get onto the bus!
Upgrade ALL
Validate ALL
Rollback ALL
Need to boil the ocean
for a simple fix for a
single application
Nightmare to coordinate
and cancellation is
common
All or Nothing
No Targeted
Upgrades
Approval
& Scheduling

Segmentation
Per-tenant
Per-app
Per-SE group
Smaller scale & isolated impact
Faster resolution or rollback
Modern approach to upgrade
Need an ability to upgrade LB infrastructure in an isolated manner
Granular Upgrades Selective Upgrades Simplified Upgrades
Unable to deliver flexible upgrades with legacy appliances
Either ALL or NOTHING!!

Separated control plane upgrades from data plane upgrades
Upgrade Control Plane independent from Data Plane
Patch the controller without impacting the data plane
Non-disruptive, headless operations, no failover needed
Allow selective upgrades to the desired assets only
Upgrade individual SE Groups (segmentation)
Push specific features to only the selected SEs associated with that apps
Simpler verification, Faster rollback
Failure impact is on a smaller scale, Faster to resolve and Faster rollback
Delivers higher high time to value to the end users
Flexible Upgrades

How can you use Flexible Upgrades?
Se group X Se group Y
Se group Z
Tenant 1 Tenant 2
V 1
V 1 V 1
V 1
V 2
V 2
V 2
• Sandbox Upgrades
– Upgrade an Se group, validate prior to upgrade remaining
• Introduce new features or patches only for the Apps that need
them
– Meet application demands without impact to others
• Canary Upgrades
– Continue/rollback upgrades based upon analytics engine data
• Flexible Upgrade scheduling
• Self Service Upgrades
• Introduce new features or patches only for the Apps that
need them
• Canary Upgrades
• Introduce new features or patches only for the Apps that need
them
• Canary Upgrades

Thank You

What's New VMware NSX Advanced Load Balancer (Avi Networks)

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (20)

Semelhante a What's New VMware NSX Advanced Load Balancer (Avi Networks)

Semelhante a What's New VMware NSX Advanced Load Balancer (Avi Networks) (20)

Mais de Avi Networks

Mais de Avi Networks (20)

Último

Último (20)

What's New VMware NSX Advanced Load Balancer (Avi Networks)