VMworld 2015: Introducing Application Self service with Networking and Security
1. Introducing Application Self-service
with Networking and Security
Using vRealize Automation and NSX
Andrew Voltmer, VMware, Inc
Becky Smith, VMware, Inc
MGT5360
#MGT5360
2. Disclaimer
• This presentation may contain product features that are currently under development.
• This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.
• Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.
• Technical feasibility and market demand will affect final delivery.
• Pricing and packaging for any new technologies or features discussed or presented have not been determined.
CONFIDENTIAL 2
3. IT Automation, The Next Wave of IT Efficiency
(Chart: IT efficiency over time, rising in two waves)
Wave 1 – Virtualization
► Accelerate service delivery (weeks → days)
► Resource pooling
► HW consolidation
Wave 2 – Cloud Automation & Management
► Accelerate service delivery (days → minutes)
► Improve operational efficiency
► Optimize resource utilization
► Reduce complexity via standardization
4. Business Wants Agility. IT Wants Control.
Cloud Users: “We want our application on-demand with compute, storage, networking and security!”
Compute Admin: Provide the right VM for the job
Network Admin: Deliver high-performance networking quickly
Security Admin: Ensure secure IT
5. Agenda
1 Software Defined Data Center
2 NSX Network and Security Virtualization
3 vRealize Automation for Applications and Infrastructure
4 Application Self-Service with Networking and Security Using vRealize Automation and NSX
16. NSX Provides a Faithful Reproduction of Network & Security Services in Software
Switching, Routing, Firewalling, Load Balancing, VPN, Connectivity to Physical
Policies, Groups, Tags
Management APIs to program all services
17. NSX – Virtual Networking and Security
Support for Detailed, Programmable Application Topologies: Logical Switching, Routing, Firewall, Load Balancing
Security Groups for “My App” (Web, App, Database tiers) and the Security Policies applied to them:
“Default” (every VM)
  Firewall – access shared services (DNS, AD)
  Anti-Virus – scan daily
“Standard Web”
  Firewall – allow inbound HTTP/S, allow outbound ANY
  IPS – prevent DoS attacks, enforce acceptable use
“Standard App”
  Firewall – allow inbound ANY, allow outbound ODBC
“Standard Database”
  Firewall – allow inbound ODBC
  Vulnerability Management – weekly scan
19. VMware’s Automation Solution to Onboard the Cloud
A journey with many starting points and many maturity levels:
  Automation / Infrastructure-as-a-Service
  Standardized MW / DB-as-a-Service
  Application Release Automation / DevOps
  IT-as-a-Service (“Service Broker”)
From → To:
  Manual provisioning → On-demand, automated self-service access
  Technology sprawl → High standardization
  Initial provisioning → Lifecycle management
  Homogeneous → Enterprise wide / heterogeneous
  One inflexible approach → Extensible
  Virtualized infrastructure → Any service from any layer
  Manual approvals → High governance
20. vRealize Automation Policy Management
“Who provisions what and where”
(Diagram: users A, B and C pass through Authentication & Role-Based Authorization to become Authorized Users of Business Groups A, B and C. Each Business Group holds Resource Reservations, with a Cost Profile, on Shared Infrastructure (Virtual, Physical, Public; Tier 1), and Service Blueprints that govern the lifecycle: Requisition → Provision → Manage → Retire.)
22. Traditional Infrastructure Provisioning with Networking
Delivering an Infrastructure Service with Networking takes Days - Weeks, most of it waiting between teams (Wait – Work – Wait – Wait). Manual efforts:
Switch (NetOps): Connect Ethernet cables, configure switch port, VLANs, access control lists, assign IP addresses
Router (NetOps): Configure router interface to connect to switch ports. Configure routing protocols.
Firewall (SecOps): Connect networks to firewall appliances, configure firewall rules based on physical constructs e.g. IP address and VLANs
Load Balancer (Load Balancer Admin): Connect networks to load balancer appliances, create and populate load balancer pool, assign Virtual IP Address to external interface
23. Application Centric Network and Security Services
Deployed and managed in the application context (Web, App and Database tiers)
• Applications configured with dedicated or shared virtual switches and routers depending on needs
• Virtual Machines can be moved (vMotion) without changing virtual network configuration
• Application specific policies including firewall rules, intrusion detection integration, and agentless anti-virus scanning at each application tier
• Dynamic configuration of application specific load balancers
• Without expensive physical hardware
• Networks configured to meet unique performance needs of each application
• Shared or dedicated switches, routers and load balancers depending on performance needs
24. Blueprint of the Modern Application
Define Once – Multiple Use
Deployment Time Options for Users
Support for Multiple Network Topologies
Repeatable Deployments
From Single Machine to Multi-Tier Applications
25. Catalog of Applications
“One Click” Deployment
Order your Application with Networking
and Security
N+S Built On-Demand via NSX API
Automated IP Addressing
Automatic Cleanup With App Disposal
26. Group into Complete Application Environments or Services
Predefined, Tested, Compliant, Repeatable
Catalog Item → Blueprint → Complete Application Environment
CONNECTIVITY: Network Profiles, Default Gateway
SECURITY: Security Groups, Security Policies, Security Tags
AVAILABILITY: Logical Load Balancer
27. Top NSX Solutions with vRealize Automation
The Power of NSX and vRealize Automation delivers Application
Deployment with . . .
On-Demand Networking and Security
On-Demand Security
Existing Networking and Security
29. Application Deployment with On-Demand Networking & Security
(Diagram: Web/App and Database tiers, each on its own on-demand network)
Logical switches and routers created by NSX when the user creates an application
Single-tier or multi-tier NAT or routed topologies
Automated IP addressing of VMs and subnets
On-demand security groups built per app and per tier with VMs placed into groups
Security policies applied to dynamically created groups
Load-balancer dynamically deployed for application
31. Application Deployment with On-Demand Micro-Segmentation
(Diagram: Web/App and Database tiers sharing one pre-created logical switch)
VMs placed on pre-created logical switches
On-demand security groups created when application is deployed
Security policies applied to dynamically created groups
Micro-segmentation on larger L2 networks
Load-balancer configuration dynamically deployed
VMs and security groups removed when app destroyed but networking remains
33. Application Deployment into Existing Network and Security Services
(Diagram: Web/App and Database tiers wired to pre-created networks)
Pre-created logical switches and routers defined by the NSX admin - VMs are wired to pre-created switches
Security Groups pre-defined to match security tags for each tier of application
When a cloud user selects a catalog item VMs are wired to NSX switches and tagged with appropriate security tags
Enforcement is based on combining the tag with the rules in the security group
Applications can be single tier or multi-tier – typically routed topologies
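The tag → security group → security policy chain that slides 17 and 33 describe can be checked before anything is pushed to NSX. The block below is an added example, not VMware code and not the NSX API: it models security tags, tag-driven group membership and the per-tier firewall rules transcribed from slide 17, then evaluates the flows a reviewer would want to see for a three-tier application. The `tier:*` tags, the VM names, the ODBC port, and the "tightened" variant (database tier accepting ODBC only from the App tier) are assumptions, not from the slides.

```python
"""Tag-based security groups and per-tier firewall policy evaluation."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set

ANY = "ANY"
DEFAULT_GROUP = "Default"          # every VM is a member, as on slide 17

# Assumed service definitions (ODBC modelled as SQL Server's 1433/tcp).
SERVICES: Dict[str, Set[int]] = {"HTTP": {80}, "HTTPS": {443}, "ODBC": {1433},
                                 "DNS": {53}, "LDAP": {389}}


@dataclass(frozen=True)
class Rule:
    direction: str                              # "in" (to the group) or "out" (from it)
    services: FrozenSet[str]                    # service names, or {ANY}
    peers: FrozenSet[str] = frozenset({ANY})    # groups on the other end of the flow


@dataclass(frozen=True)
class VM:
    name: str
    tags: FrozenSet[str]


# Security group -> security tag that grants membership (dynamic membership,
# as on slide 33). Default has no tag, so every VM belongs to it.
GROUPS: Dict[str, Optional[str]] = {DEFAULT_GROUP: None, "Standard Web": "tier:web",
                                    "Standard App": "tier:app", "Standard Database": "tier:db"}

# Firewall rules of the security policies on slide 17, one list per group.
POLICIES: Dict[str, List[Rule]] = {
    DEFAULT_GROUP: [Rule("out", frozenset({"DNS", "LDAP"}))],      # shared services (DNS, AD)
    "Standard Web": [Rule("in", frozenset({"HTTP", "HTTPS"})), Rule("out", frozenset({ANY}))],
    "Standard App": [Rule("in", frozenset({ANY})), Rule("out", frozenset({"ODBC"}))],
    "Standard Database": [Rule("in", frozenset({"ODBC"}))],
}


def groups_of(vm: VM) -> Set[str]:
    """Resolve a VM's security groups from its tags."""
    return {g for g, tag in GROUPS.items() if tag is None or tag in vm.tags}


def _matches(rule: Rule, direction: str, service: str, peer_groups: Set[str]) -> bool:
    if rule.direction != direction or service not in SERVICES:
        return False
    if ANY not in rule.services and service not in rule.services:
        return False
    return ANY in rule.peers or bool(rule.peers & peer_groups)


def flow_allowed(src: Optional[VM], dst: VM, service: str,
                 policies: Dict[str, List[Rule]] = POLICIES) -> bool:
    """Default deny: a flow needs an outbound allow on the source's groups and an
    inbound allow on the destination's groups. src=None is a client outside the
    distributed firewall (e.g. the Internet), so only the inbound side applies.
    This simplifies the DFW's single ordered rule table, but it is enough to
    reason about the intent of the rules on the slide."""
    dst_groups = groups_of(dst)
    src_groups = groups_of(src) if src is not None else set()
    if src is not None and not any(_matches(r, "out", service, dst_groups)
                                   for g in src_groups for r in policies.get(g, [])):
        return False
    return any(_matches(r, "in", service, src_groups)
               for g in dst_groups for r in policies.get(g, []))


def tightened_policies() -> Dict[str, List[Rule]]:
    """Assumed variant, not on the slide: the database tier accepts ODBC only
    from the App tier instead of from any source."""
    p = dict(POLICIES)
    p["Standard Database"] = [Rule("in", frozenset({"ODBC"}), frozenset({"Standard App"}))]
    return p


# Constructed sample application: one VM per tier, tagged at deployment time.
WEB = VM("web-01", frozenset({"tier:web"}))
APP = VM("app-01", frozenset({"tier:app"}))
DB = VM("db-01", frozenset({"tier:db"}))


def audit(policies: Dict[str, List[Rule]] = POLICIES) -> Dict[str, bool]:
    """The flows a practitioner would check before trusting a 3-tier policy."""
    return {
        "internet->web HTTPS": flow_allowed(None, WEB, "HTTPS", policies),
        "web->app ODBC": flow_allowed(WEB, APP, "ODBC", policies),
        "app->db ODBC": flow_allowed(APP, DB, "ODBC", policies),
        "web->db ODBC": flow_allowed(WEB, DB, "ODBC", policies),    # web tier straight to DB
        "app->db HTTPS": flow_allowed(APP, DB, "HTTPS", policies),
        "db->web HTTPS": flow_allowed(DB, WEB, "HTTPS", policies),
    }


if __name__ == "__main__":
    for label, pol in (("as drawn", POLICIES), ("db inbound restricted", tightened_policies())):
        print(label)
        for flow, ok in audit(pol).items():
            print(f"  {flow:22} {'allow' if ok else 'deny'}")
```

Run as drawn, the slide's rules allow web-01 straight to db-01 on ODBC, because "Standard Web" permits outbound ANY and "Standard Database" permits inbound ODBC from any source; only the tightened variant, which names the App group as the permitted source, denies it while still allowing app-01 → db-01. That is the kind of check worth automating against the security policies a blueprint will attach, since the groups are created per application at deployment time and nobody reviews them by hand afterwards.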
34. Application Deployment Topologies
Support for Multiple Network Topologies
Multi-Tier App, Multiple Networks (Web, App and Database tiers, each on its own network)
Multi-Tier App, Single Flat Network (all tiers on one network)
Editor's Notes
<Click> If you think back to where server virtualization was 10 years ago, it was just starting to get general adoption. The primary motivation for many companies was cap-ex savings generated by hardware consolidation and resource pooling. A side benefit was that virtual machines could be delivered much quicker than physical machines helping accelerate service delivery times from many weeks down to a few days.
<Click> Cloud automation and management will drive the next round of IT efficiency improvements. Automation will help accelerate IT service delivery from days and sometimes weeks to hours and even minutes. Policy based governance and controls will assure that business users receive the appropriate level of resources for the tasks they need to perform the job. Performance and health monitoring will make sure that applications continue to operate at peak efficiencies and make the appropriate adjustments to make sure that happens. Financial management capabilities will allow IT to compare costs of internal and external delivery models. Intelligent placement algorithms will help deliver the appropriate service level based on both cost as well as operational policies that control where specific applications and data need to be located.
Lets look in a bit more detail where savings are possible.
Today, the world revolves around applications. Creating, delivering and managing those applications is a formidable challenge for both Development and IT. By virtualizing all aspects of the data center (namely, compute, networking, security and storage), VMware customers are moving to a completely virtualized infrastructure. One that can be dynamically configured to meet specific application needs.
<Click> Because a virtualized infrastructure is fully abstracted from hardware, workloads running in your data center, can be deployed seamlessly on the environment of your choosing: private cloud, public cloud or a hybrid cloud.
<Click> However, virtualizing all aspects of your infrastructure by itself will not provide the desired efficiency improvements if your infrastructure and applications are still being delivered by siloed manual processes that take days and weeks to deliver the services the business needed yesterday.
VMware helps to deliver the foundation for IT-as-a-Service with the Software-Defined Data Center (SDDC), enabling the CIO to transition IT to becoming a true Broker of IT Services. The SDDC is the ideal architecture for:
building, delivering, and managing business applications, and
building and operating private, public, and hybrid clouds, where all infrastructure is virtualized and delivered as a service, and the control of this data center is entirely automated by software and enables the delivery of IT-as-a-Service.
The SDDC enables customers to utilize the investments in people, process, and technology that they’ve already made to deliver both legacy and new applications while meeting vital IT responsibilities. It allows businesses to use what they have today to build for change in the future.
VMware’s SDDC solutions provide a unified platform across the hybrid cloud, built on VMware’s best-in-class compute, storage, and networking virtualization technologies. It includes the industry-leading cloud-management platform, as well as programmatic management capabilities via OpenStack and infrastructure-level APIs.
The Cloud Management Platform (CMP) becomes the key control layer in a SDDC to manage heterogeneous and hybrid environments. With policy-based automation, operations, and business management capabilities, it helps IT to deliver on the new business need for speed, agility, and choice while also delivering the ongoing IT need for control and efficiency.
Traditional tools and processes that infrastructure and operations teams are using aren’t optimized to deliver on the promise of the software-defined data center and hybrid cloud. Businesses need a cloud management platform that simplifies and accelerates infrastructure and application delivery and ongoing management onsite in their data center and in the cloud.
VMware’s Cloud Management Platform (CMP) is purpose-built for the hybrid cloud. It provides a comprehensive management stack that enables IT to deliver infrastructure and applications quickly on vSphere and other hypervisors, physical infrastructure, and private and public clouds, all with the control IT needs.
VMware’s CMP is distinctive, by offering NOT ONLY Automation, BUT ALSO integrating Operations and Business capabilities into a single platform to provide performance and financial insight to improve IT/Business decision-making and alignment. This helps IT to accomplish its mission as a Broker of IT Services, by enabling IT to source, provision, and manage the lifecycle of IT services across the new data center landscape: multi-platform, hybrid cloud, and multiple providers.
Automation – self-service provision infrastructure and applications across multiple hypervisors, private and public cloud with both speed and control
Operations – manage infrastructure and applications in physical, virtual, and cloud environments with integrated capacity, performance, log, and configuration management
Business – align IT spending with business priorities by getting full transparency of infrastructure and application service cost and quality
Unified Management – use a common set of tools across on-premises and public clouds with a unified management experience and fast time to value
In short, the cloud management platform supports cloud administration, server administration, fabric, and operations teams working with lines of business to ensure agility, application SLAs, and infrastructure efficiency with control. The platform combines automated delivery, intelligent operations, and business insight to deliver a unified cloud management experience across hybrid clouds and heterogeneous environments.
[Reference]
Background on VMware Strategy
These three form the basis of the three strategies for VMware: the Software-Defined Data Center, the hybrid cloud, and end-user computing.
A year and a half ago, we laid out this vision of these three components as our strategy, and since then we have been diligently executing upon all three of them.
It's gone from vision to instantiation, and now powerful realization across all three of them.
These three together are the path to the software-defined enterprise, and we're very proud of the progress that we've made here.
There’s much yet to do, but we are on a journey to execute the software-defined enterprise, building on these three components.
Overview: The Software-Defined Data Center – An Open, Industry Architecture
The architecture that provides the competitive advantage sought by today’s businesses is the Software-Defined Data Center (SDDC). The SDDC is an open architecture that extends the principles of virtualization – abstraction, pooling, and automation – beyond compute to the rest of the data center, bringing deployment and resource management to any infrastructure and cloud environments of your choice. This in turn enables the management and orchestration for all IT services needed in the mobile-cloud era.
As the leader in compute virtualization through its industry standard vSphere product, VMware is the company best positioned to extend virtualization solutions to the rest of the data center. VMware’s SDDC solutions deliver cloud service provider economics in the data center, as well as fast and agile application provisioning that responds to ever-changing business demands. VMware’s SDDC solutions offer the right availability and security for each application with policy-based governance, and the ability to run new and existing applications across multiple platforms or clouds.
VMware’s Software-Defined Data Center Solutions consists of four components:
a completely virtualized infrastructure across compute, network, and storage;
delivered on- or off-premises in a hybrid cloud;
a comprehensive virtualization and cloud management platform;
choice in cloud frameworks, whether a fully integrated VMware stack or OpenStack-based
If you can’t configure all your network services dynamically in the context of deploying an application, then you will need to add additional manual steps to your partially automated application deployment. vCloud Automation Center can dynamically provision NSX logical services customized to the specific needs of each application. The combined capabilities of these products empower IT to fully automate the delivery of secure, scalable and high performing multi-tier applications.
You are all familiar with the existing network in your data center. The number one thing to understand about this is that NSX works on top of it, you don’t have to virtualize the entire network you can virtualize any part of it or all of it. NSX simply uses the existing network as an IP backplane.
Connected to your data center network is your compute infrastructure.
Where your hypervisors and virtual switches exist.
NSX takes advantage of this infrastructure to create, what can be thought of as a Network Hypervisor.
And like a server hypervisor allows the creation of software Virtual Machines, the NSX Network Hypervisor enables the creation of software Virtual Networks. It’s really as simple as that. These virtual networks can be created, saved, deleted, restored, just like virtual machines but for the network.
Many of our customers are looking to vCloud Automation Center as the product of choice to on-board the cloud and achieve better business agility. These customers often also look to VMware to provide guidance of how to on-board the cloud.
Now, every customer is different, which makes it a bit difficult to provide this guidance. For example, some customers may be highly automated, but they do not have good mechanisms for governance in place. The next customer might be the exact opposite e.g. everything gets provisioned manually, and the manual process comprehensively captures all approvals so that governance is high.
However, in the end, we see a pattern how customers on-board the cloud. There are typically a few types of projects customers deploy to make this transition:
Automating the virtualized infrastructure
Adding the consumption side (self-service catalog) to the automated infrastructure to stand up an IaaS (Infrastructure-as-a-service)
Provide more value to the application teams by providing capabilities to deploy simple applications, middleware and databases with standardized configurations
Provide application specific capabilities such as Application release automation and DevOps for application organizations
And finally to establish IT as a broker of services
It is possible to start at any of these steps and then expand the scope of the project later, or it is also possible to start at the top with a broader CIO / CTO driven initiative.
For most customers, the immediate first step is to automate the virtualized environment. This is essentially adding the next technology layer on top of the existing virtualized environments. Those projects are often driven by the IT infrastructure organization and they can be accomplished very rapidly.
vCloud Automation Center has three primary policies used to implement user-centric business aware cloud management.
The first are Business Groups
vCAC allows administrators to define a multi-level grouping structure and associate users from Active Directory with one or more groups and have specific role based access within those groups
Second, we have Resource Reservations
Reservations allow administrators to allocate previously discovered (virtual, physical, or cloud) resources to each group. As part of assigning resources to a group, you can associate costs with those physical resources. Resource reservations can be grouped by service levels as part of the reservation process. When users request machines, they will be charged based on a prorated consumption of these resources.
And the third are Service Blueprints
Blueprints define the policies that will control the provisioning and ongoing management of a vCAC compute service from the initial request, through provisioning and ongoing management, to decommissioning. This life-cycle management can be unique for every blueprint defined in the system.
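The three policies above (slide 20: business groups with role-based authorization, resource reservations with a cost profile, and service blueprints) only deliver “who provisions what and where” if every request is checked against all of them. The block below is an added example, not vRealize Automation code and not its API: it models a self-service request passing the membership, entitlement, approval and reservation-capacity checks in order, with the capacity and cost figures, group and user names, and the approval threshold all constructed for the example.

```python
"""Self-service request governance modelled on vRA's three policies."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class BusinessGroup:
    name: str
    members: Dict[str, str]       # user -> role: "user" or "manager"
    entitlements: Set[str]        # blueprints this group may request


@dataclass
class Reservation:
    name: str
    group: str                    # business group the capacity is allocated to
    capacity_vms: int
    cost_per_vm: float
    used_vms: int = 0


@dataclass
class Blueprint:
    name: str
    vms: int                      # machines in one deployment
    approval_above_vms: int = 1   # larger deployments need a manager's approval (assumed)


class Denied(Exception):
    """Raised with the reason a request fails governance."""


def request_deployment(user: str, group_name: str, blueprint_name: str, *,
                       groups: Dict[str, BusinessGroup], blueprints: Dict[str, Blueprint],
                       reservations: List[Reservation], approver: Optional[str] = None) -> Dict:
    """Apply the checks in order; skipping any one of them lets a user reach
    another group's blueprints or capacity."""
    group = groups.get(group_name)
    if group is None or user not in group.members:                     # who
        raise Denied("requester is not a member of the business group")
    bp = blueprints.get(blueprint_name)
    if bp is None or bp.name not in group.entitlements:                 # what
        raise Denied("blueprint is not entitled to this business group")
    if bp.vms > bp.approval_above_vms and group.members.get(approver or "") != "manager":
        raise Denied("deployment requires approval by a manager of the same group")
    # where: only reservations allocated to this group, cheapest first
    for res in sorted((r for r in reservations if r.group == group_name),
                      key=lambda r: r.cost_per_vm):
        if res.capacity_vms - res.used_vms >= bp.vms:
            res.used_vms += bp.vms
            return {"reservation": res.name, "vms": bp.vms, "cost": res.cost_per_vm * bp.vms}
    raise Denied("no reservation of this group has enough free capacity")


def demo() -> Dict[str, object]:
    """Constructed groups, blueprints and reservations; returns each request's outcome."""
    groups = {
        "Finance": BusinessGroup("Finance", {"alice": "user", "bob": "manager"}, {"single-linux"}),
        "Dev": BusinessGroup("Dev", {"carol": "user", "dave": "manager"},
                             {"single-linux", "three-tier-web"}),
    }
    blueprints = {"single-linux": Blueprint("single-linux", vms=1),
                  "three-tier-web": Blueprint("three-tier-web", vms=3)}
    reservations = [Reservation("fin-prod", "Finance", capacity_vms=2, cost_per_vm=10.0),
                    Reservation("dev-lab", "Dev", capacity_vms=4, cost_per_vm=2.0)]

    def attempt(user, group, bp, approver=None):
        try:
            return request_deployment(user, group, bp, groups=groups, blueprints=blueprints,
                                      reservations=reservations, approver=approver)
        except Denied as e:
            return f"denied: {e}"

    return {
        "alice single-linux in Finance": attempt("alice", "Finance", "single-linux"),
        "alice three-tier-web in Finance": attempt("alice", "Finance", "three-tier-web"),
        "alice single-linux in Dev": attempt("alice", "Dev", "single-linux"),
        "carol three-tier-web, no approval": attempt("carol", "Dev", "three-tier-web"),
        "carol three-tier-web, approved by bob": attempt("carol", "Dev", "three-tier-web", "bob"),
        "carol three-tier-web, approved by dave": attempt("carol", "Dev", "three-tier-web", "dave"),
        "carol single-linux in Dev": attempt("carol", "Dev", "single-linux"),
        "carol second single-linux in Dev": attempt("carol", "Dev", "single-linux"),
    }


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:40} {outcome}")
```

The approval check deliberately requires the approver to hold the manager role in the requesting group, so bob (a Finance manager) cannot approve carol's Dev deployment; reservations are likewise filtered by group before capacity is considered, so a group that has exhausted its own reservation is denied rather than spilling into another group's infrastructure.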
Let us break down the challenge of slow service delivery time by exploring first the challenges for infrastructure service delivery.
Creating infrastructure services is typically a time-consuming manual task. Based on customer surveys we conducted, we know that the actual work effort is typically around 4 - 6 hours.
However, those 4 - 6 hours are spread over days or weeks since this effort involves multiple teams, which often operate in silos. As a result there are wait times in slow workflows.
Moreover, manual tasks lead to inconsistencies and errors in configurations. There is a need for time-consuming rework to ensure that systems are configured consistently, i.e. that systems behave in the same manner.
So now, after a few days or weeks, we provided an infrastructure service, but what about the applications? This is ultimately what the business cares most about.
Applications need much more than appropriately sized virtual machines, an IP address and DNS entries. They also need accurately configured network connectivity, security, availability, scale, and performance.
<Click> As part of deploying a multi-tiered application you will need to provision connectivity through deployment of logical switches and routers.
<Click> In addition it is important to securely deploy the application through intelligent placement of workloads in security groups, protected by firewall rules.
<Click> The use of virtual load balancers ensures that application users will always have access to a highly responsive application without the need for additional expensive hardware.
<Click> Performance can be optimized by associating applications with shared or dedicated switches, routers and load balancers based on the specific needs of each application
vRealize Automation configures and manages NSX network and security services within the context of delivering an application. all within