VMworld 2015: Introducing Application Self service with Networking and Security
•Transferir como PPTX, PDF•
2 gostaram•1,515 visualizações
Introducing Application Self service with Networking and Security using vRealize Automation and NSX
Recomendados
Recomendados
Mais conteúdo relacionado
Mais procurados
Mais procurados (20)
Destaque
Destaque (20)
Semelhante a VMworld 2015: Introducing Application Self service with Networking and Security
Semelhante a VMworld 2015: Introducing Application Self service with Networking and Security (20)
Mais de VMworld
Mais de VMworld (20)
Último
Último (20)
VMworld 2015: Introducing Application Self service with Networking and Security
- 1. Introducing Application Self-service with Networking and Security Using vRealize Automation and NSX Andrew Voltmer, VMware, Inc Becky Smith, VMware, Inc MGT5360 #MGT5360
- 2. • This presentation may contain product features that are currently under development. • This overview of new technology represents no commitment from VMware to deliver these features in any generally available product. • Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind. • Technical feasibility and market demand will affect final delivery. • Pricing and packaging for any new technologies or features discussed or presented have not been determined. Disclaimer CONFIDENTIAL 2
- 3. Virtualization ► Accelerate service delivery (weeks days) ► Resource pooling ► HW consolidation IT Automation, The Next Wave of IT Efficiency IT Efficiency Time ► Accelerate service delivery (days min) ► Improve operational efficiency ► Optimize resource utilization ► Reduce complexity via standardization Cloud Automation & Management CONFIDENTIAL 3
- 4. Business Wants Agility. IT Wants Control. Compute Admin Security Admin We want our application on-demand with compute, storage, networking and security! Cloud Users Deliver high-performance networking quickly Ensure secure IT 4 Provide the right VM for the job Network Admin CONFIDENTIAL
- 5. 1 Software Defined Data Center 2 NSX Network and Security Virtualization 3 vRealize Automation for Applications and Infrastructure 4 Application Self-Service with Networking and Security Using vRealize Automation and NSX Agenda 5CONFIDENTIAL
- 6. VMware’s Software Defined Data Center 6
- 7. Infrastructure and Apps Are Subject to Wait 7 WaitWait Infrastructure Service Delivery Days Application and Change Delivery Weeks WorkWaitWaitWaitWorkWait Changes Compute Physical Hardware Private Clouds Public Clouds Hybrid Cloud VMware & vCloud Data Center Partners Virtualized Infrastructure Abstract & Pool Compute Abstraction = Server Virtualization Network Network Abstraction = Virtual Networking Storage Storage Abstraction = Software-Defined Storage CONFIDENTIAL
- 8. Hybrid Cloud (Private / Public) Physical Software-Defined Data Center (SDDC) CONFIDENTIAL 8 Cloud Management Platform enables the One Cloud, Any Application Approach SOFTWARE-DEFINED DATA CENTER Compute Network Storage End-User Computing Extensibility Applications Cloud Management Platform BusinessOperationsAutomation Virtualized Infrastructure Compute Network Storage
- 9. Dynamically Configure Application Services on SDDC CONFIDENTIAL 9 Automated delivery of secure, scalable and high performing multi-tier applications utilizing VMware’s SDDC Wait WorkWait Automated Application Deployment Manual Network Configuration VMware NSX Network Virtualization Minutes “Zero Touch” Deployment vRealize Automation VMware ESX Compute Virtualization Hours or Days
- 10. NSX Network and Security Virtualization 10
- 11. Start With Your Existing Physical Network Infrastructure CONFIDENTIAL 11 Without network virtualization, you are hardware defined Internet
- 13. Data Center Virtualization Layer… CONFIDENTIAL 13 Internet
- 14. A “Network Hypervisor” CONFIDENTIAL 14 Internet
- 15. The Operational Model of a VM for the Networking CONFIDENTIAL 15 Internet
- 16. Provides A Faithful Reproduction of Network & Security Services in Software Switching Routing Firewalling Load Balancing VPN Connectivity to Physical Policies, Groups, Tags Management APIs to program all services 16CONFIDENTIAL
- 17. NSX – Virtual Networking and Security Web App Database VM “Default” Firewall – Access shared services (DNS, AD) Anti-Virus – Scan Daily Security PoliciesSecurity Groups My App Web App Database “Standard Web” Firewall – allow inbound HTTP/S, allow outbound ANY IPS – prevent DOS attacks, enforce acceptable use “Standard App” Firewall – allow inbound ANY, allow outbound ODBC “Standard Database” Firewall – allow inbound ODBC Vulnerability Management – Weekly Scan Support for Detailed, Programmable Application Topologies Logical Switching, Routing, Firewall, Load Balancing CONFIDENTIAL 17
- 18. vRealize Automation for Applications and Infrastructure 18
- 19. VMware’s Automation Solution to Onboard the Cloud CONFIDENTIAL 19 Automation / Infrastructure-as-a-Service Manual provisioning On-demand, automated self – service access Technology sprawl High standardization Initial provisioning Lifecycle management Homogeneous Enterprise wide / heterogeneous ExtensibleOne inflexible approach Virtualized infrastructure Any service from any layer Manual approvals High governance Journey with many starting points and many maturity levels Application Release Automation / DevOps Standardized MW / DB–as-a-Service IT-as-a-Service “Service Broker”
- 20. vRealize Automation Policy Management CONFIDENTIAL 20 Business Groups B A C USERS A C B A Authentication & Role-Based Authorization Authorized Users Resource Reservations Cost Profile A Tier 1 Public Physical Virtual Shared Infrastructure Service Blueprints A Requisition Cost Profile Provision Manage Retire Public Physical Virtual C B B A B A C BA “Who provisions what and where”
- 21. Application Self-Service with Networking and Security Using vRealize Automation and NSX 21
- 22. Traditional Infrastructure Provisioning with Networking CONFIDENTIAL 22 Days - Weeks Wait WorkWaitWait Infrastructure Service FirewallSwitch Router Load Balancer Connect Ethernet cables, configure switch port, VLANs, access control lists, assign IP addresses Configure router interface to connect to switch ports. Configure routing protocols. Connect networks to firewall appliances, configure firewall rules based on physical constructs e.g. IP address and VLANs Connect networks to load balancer appliances, create and populate load balancer pool, assign Virtual IP Address to external interface NETOPS SECOPS LOAD BALANCER ADMIN Manual efforts Network
- 23. Application Centric Network and Security Services CONFIDENTIAL 23 Deployed and managed in the application context Web App Database VM VM VM VM VM VM • Applications configured with dedicated or shared virtual switches and routers depending on needs • Virtual Machines can be moved (vMotion) without changing virtual network configuration • Application specific policies including firewall rules, intrusion detection integration, and agentless anti-virus scanning at each application tier • Dynamic configuration of application specific load balancers • Without expensive physical hardware VM • Networks configured to meet unique performance needs of each application • Shared or dedicated switches, routers and load balancers depending on performance needs VM VM VM VM VM VM VM
- 24. Blueprint of the Modern Application CONFIDENTIAL 24 Define Once – Multiple Use Deployment Time Options for Users Support for Multiple Network Topologies Repeatable Deployments From Single Machine to Multi-Tier Applications
- 25. Catalog of Applications CONFIDENTIAL 25 “One Click” Deployment Order your Application with Networking and Security N+S Built On-Demand via NSX API Automated IP Addressing Automatic Cleanup With App Disposal
- 26. Group into Complete Application Environments or Services CONFIDENTIAL 26 Predefined, Tested, Compliant, Repeatable Logical Load BalancerNetwork ProfilesDefault Gateway Security Groups Security PoliciesSecurity Tags AVAILABILITYSECURITYCONNECTIVITY Catalog Item Complete Application Environment Blueprint
- 27. Top NSX Solutions with vRealize Automation CONFIDENTIAL 27 The Power of NSX and vRealize Automation delivers Application Deployment with . . . On-Demand Networking and Security On-Demand Security Existing Networking and Security
- 28. Application Deployment with On-Demand Network and Security Services The Power of VMware NSX and vRealize Automation
- 29. Application Deployment with On-Demand Networking & Security CONFIDENTIAL 29 Web/App Database VM VM VM Logical switches and routers created by NSX when the user creates an application Single-tier or multi-tier NAT or routed topologies Automated IP addressing of VMs and subnets On-demand security groups built per app and per tier with VMs placed into groups Security policies applied to dynamically created groups Load-balancer dynamically deployed for application
- 30. Application Deployment with On-Demand Micro-Segmentation The Power of VMware NSX and vRealize Automation
- 31. Application Deployment with On-Demand Micro-Segmentation CONFIDENTIAL 31 Web/AppDatabase VM VMVM VMs placed on pre-created logical switches On-demand security groups created when application is deployed Security policies applied to dynamically created groups Micro-segmentation on larger L2 networks Load-balancer configuration dynamically deployed VMs and security groups removed when app destroyed but networking remains
- 32. Application Deployment into Existing Network and Security Services The Power of VMware NSX and vRealize Automation
- 33. Application Deployment into Existing Network and Security Services CONFIDENTIAL 33 Web/App Database VM VM VM Pre-created logical switches and routers defined by the NSX admin - VMs are wired to pre-created switches Security Groups pre-defined to match security tags for each tier of application When a cloud user selects a catalog item VMs are wired to NSX switches and tagged with appropriate security tags Enforcement is based on combining the tag with the rules in the security group Applications can be single tier or multi-tier – typically routed topologies
- 34. Multi-Tier App, Multiple Networks Multi-Tier App, Single Flat Network Application Deployment Topologies CONFIDENTIAL 34 Support for Multiple Network Topologies Web App Database VM VM VM VM VM VM VM VM VM VM VM VM
- 35. Demo 35
- 37. http://www.vmware.com/products/vrealize-automation/ http://www.vmware.com/products/nsx/ Check out: Hands-On Labs: HOL-SDC-1632, HOL-SDC-1624, HOL-SDC- 1603 Session: NET5362 Enabling Automated Network & Security Services with NSX and vRealize Automation
- 40. Introducing Application Self-service with Networking and Security Using vRealize Automation and NSX Andrew Voltmer, VMware, Inc Becky Smith, VMware, Inc MGT5360 #MGT5360
Notas do Editor
- <Click> If you think back to where server virtualization was 10 years ago, it was just starting to get general adoption. The primary motivation for many companies was cap-ex savings generated by hardware consolidation and resource pooling. A side benefit was that virtual machines could be delivered much quicker than physical machines helping accelerate service delivery times from many weeks down to a few days. <Click> Cloud automation and management will drive the next round of IT efficiency improvements. Automation will help accelerate IT service delivery from days and sometimes weeks to hours and even minutes. Policy based governance and controls will assure that business users receive the appropriate level of resources for the tasks they need to perform the job. Performance and health monitoring will make sure that applications continue to operate at peak efficiencies and make the appropriate adjustments to make sure that happens. Financial management capabilities will allow IT to compare costs of internal and external delivery models. Intelligent placement algorithms will help deliver the appropriate service level based on both cost as well as operational policies that control where specific applications and data need to be located. Lets look in a bit more detail where savings are possible.
- Today, the world revolves around applications. Creating, delivering and managing those applications is a formidable challenge for both Development and IT. By virtualizing all aspects of the data center (namely, compute, networking, security and storage), VMware customers are moving to a completely virtualized infrastructure. One that can be dynamically configured to meet specific application needs. <Click> Because a virtualized infrastructure is fully abstracted from hardware, workloads running in your data center, can be deployed seamlessly on the environment of your choosing: private cloud, public cloud or a hybrid cloud. <Click> However, virtualizing all aspects of your infrastructure by itself will not provide the desired efficiency improvements if your infrastructure and applications are still being delivered by siloed manual processes that take days and weeks to deliver the services the business needed yesterday.
- VMware helps to deliver the foundation for IT-as-a-Service with the Software-Defined Data Center (SDDC), enabling the CIO to transition IT to becoming a true Broker of IT Services. The SDDC is the ideal architecture for: building, delivering, and managing business applications, and building and operating private, public, and hybrid clouds, where all infrastructure is virtualized and delivered as a service, and the control of this data center is entirely automated by software and enables the delivery of IT-as-a-Service. The SDDC enables customers to utilize the investments in people, process, and technology that they’ve already made to deliver both legacy and new applications while meeting vital IT responsibilities. It allows businesses to use what they have today to build for change in the future. VMware’s SDDC solutions provide a unified platform across the hybrid cloud, built on VMware’s best-in-class compute, storage, and networking virtualization technologies. It includes the industry-leading cloud-management platform, as well as programmatic management capabilities via OpenStack and infrastructure-level APIs. The Cloud Management Platform (CMP) becomes the key control layer in a SDDC to manage heterogeneous and hybrid environments. With policy-based automation, operations, and business management capabilities, it helps IT to deliver on the new business need for speed, agility, and choice while also delivering the ongoing IT need for control and efficiency. Traditional tools and processes that infrastructure and operations teams are using aren’t optimized to deliver on the promise of the software-defined data center and hybrid cloud. Businesses need a cloud management platform that simplifies and accelerates infrastructure and application delivery and ongoing management onsite in their data center and in the cloud. VMware’s Cloud Management Platform (CMP) is purpose-built for the hybrid cloud. It provides a comprehensive management stack that enables IT to deliver infrastructure and applications quickly on vSphere and other hypervisors, physical infrastructure, and private and public clouds, all with the control IT needs. VMware’s CMP is distinctive, by offering NOT ONLY Automation, BUT ALSO integrating Operations and Business capabilities into a single platform to provide performance and financial insight to improve IT/Business decision-making and alignment. This helps IT to accomplish its mission as a Broker of IT Services, by enabling IT to source, provision, and manage the lifecycle of IT services across the new data center landscape: multi-platform, hybrid cloud, and multiple providers. Automation – self-service provision infrastructure and applications across multiple hypervisors, private and public cloud with both speed and control Operations – manage infrastructure and applications in physical, virtual, and cloud environments with integrated capacity, performance, log, and configuration management Business – align IT spending with business priorities by getting full transparency of infrastructure and application service cost and quality Unified Management – use a common set of tools across on-premises and public clouds with a unified management experience and fast time to value In short, the cloud management platform supports cloud administration, server administration, fabric, and operations teams working with lines of business to ensure agility, application SLAs, and infrastructure efficiency with control. The platform combines automated delivery, intelligent operations, and business insight to deliver a unified cloud management experience across hybrid clouds and heterogeneous environments. [Reference] Background on VMware Strategy These three form the basis of the three strategies for VMware: the Software-Defined Data Center, the hybrid cloud, and end-user computing. A year and a half ago, we laid out this vision of these three components as our strategy, and since then we have been diligently executing upon all three of them. It's gone from vision to instantiation, and now powerful realization across all three of them. These three together are the path to the software-defined enterprise, and we're very proud of the progress that we've made here. There’s much yet to do, but we are on a journey to execute the software-defined enterprise, building on these three components. Overview: The Software-Defined Data Center – An Open, Industry Architecture The architecture that provides the competitive advantage sought by today’s businesses is the Software-Defined Data Center (SDDC). The SDDC is an open architecture that extends the principles of virtualization – abstraction, pooling, and automation – beyond compute to the rest of the data center, bringing deployment and resource management to any infrastructure and cloud environments of your choice. This in turn enables the management and orchestration for all IT services needed in the mobile-cloud era. As the leader in compute virtualization through its industry standard vSphere product, VMware is the company best positioned to extend virtualization solutions to the rest of the data center. VMware’s SDDC solutions deliver cloud service provider economics in the data center, as well as fast and agile application provisioning that responds to ever-changing business demands. VMware’s SDDC solutions offer the right availability and security for each application with policy-based governance, and the ability to run new and existing applications across multiple platforms or clouds. VMware’s Software-Defined Data Center Solutions consists of four components: a completely virtualized infrastructure across compute, network, and storage; delivered on- or off-premises in a hybrid cloud; a comprehensive virtualization and cloud management platform; choice in cloud frameworks, whether a fully integrated VMware stack or OpenStack-based
- Kent add F5 logo between NSX and vCAC in diagram and add a value statement from capabilities on slide 26 If you can’t configure all your network services dynamically in the context of deploying and application, then you will need to add additional manual steps to your partially automated application deployment. vCloud Automation Center can dynamically provision NSX logical services customized to the specific needs of each applications. The combined capabilities of these products empower IT to fully automate the delivery of secure, scalable and high performing multi-tier applications.
- You are all familiar with the existing network in your data center. The number one thing to understand about this is that NSX works on top of it, you don’t have to virtualize the entire network you can virtualize any part of it or all of it. NSX simply uses the existing network as an IP backplane.
- Connected to your data center network is your compute infrastructure.
- Where your hypervisors and virtual switches exist.
- NSX takes advantage of this infrastructure to create, what can be thought of as a Network Hypervisor.
- And like a server hypervisor allows the creation of software Virtual Machines, the NSX Network Hypervisor enables the creation of software Virtual Networks. It’s really as simple as that. These virtual networks can be created, saved, deleted, restored, just like virtual machines but for the network.
- Many of our customers are looking to vCloud Automation Center as the product of choice to on-board the cloud and achieve better business agility. These customers often also look to VMware to provide guidance of how to on-board the cloud. Now, every customer is different, which makes it a bit difficult to provide this guidance. For example, some customers may be highly automated, but they do not have good mechanisms for governance in place. The next customer might be the exact opposite e.g. everything gets provisioned manually, and the manual process comprehensively captures all approvals so that governance is high. However, in the end, we see a pattern how customers on-board the cloud. There are typically a few types of projects customers deploy to make this transition: Automating the virtualized infrastructure Adding the consumption side (self-service catalog) to the automated infrastructure to stand up an IaaS (Infrastructure-as-a-service) Provide more value to the application teams by providing capabilities to deploy simple applications, middleware and databases with standardized configurations Provide application specific capabilities such as Application release automation and DevOps for application organizations And finally to establish IT as a broker of services It is possible to start at any of these steps and then expand the scope of the project later, or it is also possible to start at the top with a broader CIO / CTO driven initiative. For most customers, the immediate first step is to automate the virtualized environment. This is essentially adding the next technology layer on top of the existing virtualized environments. Those projects are often driven by the IT infrastructure organization and they can be accomplished very rapidly.
- vCloud Automation Center has three primary policies used to implement user-centric business aware cloud management. The first are Business Groups vCAC allows administrators to define a multi-level grouping structure and associate users from Active Directory with one or more groups and have specific role based access within those groups Second, we have Resource Reservations Reservations allow administrators to allocate previously discovered (virtual, physical, or cloud ) resources to each group. As part of assigning resources to a group, you can associate costs to those physical resources. Resource reservations can be grouped by service levels as part of the reservation process. When users request machines, the will be charged based on a prorated consumption of these resources And the third are Service Blueprints Blueprints define the policies that will control the provisioning and ongoing management of a vCAC compute service from the initial request, provisioning, ongoing management and decomissioning. This life-cycle management can be unique for every blueprint defined in the system.
- Let us break down the challenge of slow service delivery time by exploring first the challenges for infrastructure service delivery. Creating infrastructure services is typically a time consuming manual task. Based on customers surveys we conducted, we know that the actual work effort is typically around 4 - 6 hours. However, those 4 - 6 hours are spread over days or weeks since this effort involves multiple teams, which often operate in siloes. As a result there are wait times in slow workflows. Moreover, manual tasks lead to inconsistencies and errors in configurations. There is the need for time consuming rework to ensure that systems consistently, i.e. systems need to behave in the same manner. So now, after a few days or weeks, we provided an infrastructure service, but what about the applications? This is ultimately what the business cares most about.
- Applications need much more than appropriately sized virtual machines, an IP address and DNS entries. They also need accurately configured network connectivity, security, availability, scale, and performance. <Click> As part of deploying a multi-tiered application you will need to provision connectivity through deployment of logical switches and routers. <Click> In addition it is important to securely deploy the application through intelligent placement of workloads in security groups, protected by firewall rules. <Click> The use of virtual load balancers ensures that application users will always have access to a highly responsive application without the need for additional expensive hardware. <Click> Performance can be optimized by associating applications with shared or dedicated switches, routers and load balancers based on the specific needs of each application vRealize Automation configures and manages NSX snetwork and security services within the context of delivering an application. all within