How to achieve fully automated, rapid deployment of virtual networks in the cloud data center

Agenda
1. Major trends and how to meet today's challenges
2. Architecture for fully automated deployment with NSX network virtualization
3. NSX network virtualization template design
4. Automated NSX deployment for the hybrid cloud
5. Summary
6. Q&A with prizes

Every industry is undergoing digital transformation (Digital Transformation)

IT still lags behind the business transformation
- The business wants their applications now!
- Physical network design is complex
- Manual configuration: the effort exceeds the return
- Slow, restrictive, risky, inconsistent
- A large volume of applications is demanded immediately

The traditional application deployment cycle is long
- Manual tasks spread across multiple teams (Server, Switching, Routing, Security, Load Bal.): Spin up VM, Config VLAN, Config LB, Config Routing, Create Security Policies
- Each step takes minutes, but end to end the deployment takes days/weeks
- Can we automate and orchestrate?
- Can we maintain the same services (LB, Security)?
- How about application mobility?
- What about Self Service IT?
- Multi Tenancy scale-security?

Software-defined is the necessary path for the cloud data center
- Rapidly deploy a secure and efficient cloud platform based on the customer's business and application requirements
- Software-Defined Data Center: fast, efficient, secure
- Network virtualization is the key cornerstone

NSX: fully automated deployment of integrated network and security
- NSX logical services: Logical Switch, Logical Router, Logical Firewall, Logical Load Balancer
- Dynamic Configuration and Deployment of NSX Logical Services
- On Demand Application Delivery
- vRealize Automation (Cloud Management Platform): Resource Reservation, Blueprint, Service Catalog, Network Profiles, Security Policies, Security Groups
- Example application: Web, App and Database tiers, each made up of several VMs

Fully automated workflow for NSX network and security configuration
1. NSX network virtualization configuration: initial network configuration in NSX; External Networks and Network Profiles in vRA
2. NSX security policy configuration: Distributed Firewall Rules; Security Groups/Policies/Tags
3. Cloud architecture blueprint design: Blueprints include NSX Networks, Security components, Load Balancers, VMs, Apps and Cost Profile
4. Publish the blueprint design
5. One-click deployment by users: End-to-end provisioning; networks, NAT rules, security and LB configured at deployment

Roles in the workflow
- Network administrator: defines Network Profiles and External Networks (step 1)
- Security administrator: defines Security Groups, Security Policies and Security Tags (step 2)
- Cloud architect: builds Converged Blueprints, including the NSX Load Balancer (step 3), and publishes them to the Service Catalog (step 4)
- Consumer: deploys Applications from the catalog (step 5)
- Steps 1 to 4 are done one time; step 5 is recurring (deployments 6 to N)

Integrated blueprint design for network virtualization and security policy
- NSX Integration for Blueprint Authoring & Deployment
- Automated connectivity to existing or on-demand networks
- Automated security policy enforcement through NSX security policies, groups and tags
- On-demand dedicated NSX load balancer (parent component only, not application-level)
- Visual template design with drag-and-drop

Multi-tier application network topologies
- Multi-Tier App, Multiple Networks
- Multi-Tier App, Single Flat Network
- In both cases the application consists of Web, App and Database tiers of VMs

Automated deployment model: Pre-Created
- Dynamic Routing (OSPF, BGP) with ECMP towards the External Networks
- 2 Tiers of Routing: Distributed Logical Router as the Application Router; NSX Edge as the Provider Router (Scale Out Provider Logical Router)
- Dynamic Routing
- Use existing Logical Switches as External Network Profiles
- One-Arm Load Balancing on demand
- Pre-Created model is typically used with Production or more static workloads and the application topology is multi-tier on a single network
- Diagram: Transit Uplink 192.168.10.0/24 (External Network Profile); Prod-01 and Dev-01 Logical Switches (External Networks 172.16.50.0/24 and 172.16.60.0/24) behind the Distributed Logical Router; App 1 to App 4 VMs each with a one-arm LB; Security Groups Prod Web/App/DB SG A and B, Dev Web/App/DB SG A and B

Automated deployment model: On-Demand
- Dynamic Routing (OSPF, BGP) with ECMP towards the External Networks via the Provider Logical Router
- 2 Tiers of Routing: Distributed Logical Router as the Application Router; NSX Edge as the Provider Router
- Dynamic Routing externally; Dynamic Routing (DLR) or NAT (Edge) internally
- On Demand Model is typically used for more dynamic Test/Dev style workloads, particularly when there is a requirement for overlapping IP addresses
- Diagram: Transit Uplink 192.168.10.0/24 (External Network Profile). App 1 (Routed): Web Logical Switch 172.16.10.0/29, App LS 172.16.10.8/29, DB LS 172.16.10.16/29 on the Distributed Logical Router. App 2 (NAT) and App 3 (NAT) each use Web LS 172.16.100.0/24, App LS 172.16.101.0/24 and DB LS 172.16.102.0/24 behind their own Edge

Automated deployment of security policies
- End-Users and Cloud Admins are able to select pre-defined security policies already approved by the Security Admin in NSX
- Security policies are applied to one or more security groups where workloads are members
- These security groups are created on-demand by vRA at deployment time
- Users can also select pre-defined security groups both at Reservation and at blueprint levels
- SECURITY GROUP (WHAT you want to protect): Members (VM, vNIC) and Context (user identity, security posture)
- SECURITY POLICY (HOW you want to protect it): Services (Firewall, antivirus, IPS etc.) and Profiles (labels representing specific policies)
- Example policy "Standard Web": Firewall allows inbound HTTP/S and outbound ANY; IPS prevents DoS attacks and enforces acceptable use

Application isolation in a multi-tenant environment
- Application Isolation provides an optional first level of security. When selected, all inbound and outbound application access is blocked, while intra-application traffic (between the application's own components) is permitted
- Component level Security Policies are applied at a higher precedence to permit selected traffic
- Each tenant environment can reuse the same IP addresses

Automated load balancing design
- Two modes: One-Arm Load Balancing and Inline Load Balancing
- vRA leverages NSX for both on-demand and pre-created Logical Load Balancing
- If an NSX Edge is the default gateway for component VMs, Inline Load Balancing is used (application-level NSX Edge)
- If the component VMs are connected to a network using the Distributed Logical Router or an External Network, then Load Balancing is configured for One-Arm mode (external gateway)

Network template design (Network Profile Design)
- Network Profiles define how new VMs are connected to the network
- Allow consumption of existing networks or creation of new VXLAN Logical Switches
- Multiple types of Network Profiles are available in vRA 7: 1. External; 2. Routed; 3. NAT (1:1 and 1:Many)
- Multiple types of Network Profiles can be used within the same blueprint, e.g.: VMs deployed on NAT networks, but Load Balancer VIP on the external network; 1:1 NAT for the Web tier and 1:Many NAT for the App and DB tiers; some VMs deployed on NAT or routed networks, others on an external network
- However, Routed and NAT Network Profiles cannot be combined in the same blueprint

External Network Profiles
- Used for pre-created networks (either VLANs or Logical Switches)
- Can be used with all Blueprint types (Single- and Multi-Machine in vRA 6.2, Converged in 7.0)
- One-Arm Load Balancer and Security Groups/Policies/Tags and App Isolation are supported
- Is the only type of Network Profile supported with vRA+SRM integration
- Multiple deployments will share the same networks
- VMs, ESG LB and App Isolation SG are created on demand
- Allows efficient management of IP allocation by sharing a common network across deployments
- Diagram: an existing VLAN or Logical Switch with an existing ESG, DLR or physical gateway; Web SG, App SG and DB SG; App 1 and App 2 each with their own One-Arm LB and App Isolation SG

Routed Network Profile
- Routed NPs enable On-Demand network creation
- Logical Switches are created during Blueprint deployments: Logical Switches are attached to an existing DLR; the DLR is uplinked to existing Edges (HA and ECMP mode supported)
- Each Logical Switch has a Unique Subnet Range, carved out from a pool
- One-Arm Load Balancer and Security Groups/Policies/Tags and App Isolation are supported
- DHCP on ESG is not supported on Routed NPs
- Diagram: Web L.S., App L.S. and DB L.S. (Web/App/DB SGs and an App Isolation SG) on the DLR; Transit L.S. to the Provider NSX Edges (HA or ECMP); One-Arm LB

1:1 NAT Network Profiles
- 1:1 NAT NPs enable On-Demand network creation
- The following network components are created during deployment: a dedicated ESG is created for each deployment; Logical Switches are created and attached to the ESG; Logical Switches use the same overlapping addressing space across different deployments
- Only Inline Load Balancing is supported with NAT profiles
- Security Groups/Policies/Tags can be used to limit access to VMs only on specific services
- Diagram: Web L.S., App L.S. and DB L.S. (Web/App/DB SGs, App Isolation SG) on the On-Demand NSX Edge (1:1 NAT + Inline LB); Transit L.S. to the Provider NSX Edge (HA only)

1:Many NAT Network Profiles
- 1:Many NAT NPs enable On-Demand network creation
- Only Inline Load Balancing is supported with NAT profiles
- Only 1 IP address is used from the External NP for each network
- A SNAT rule is configured to allow VMs to communicate externally
- NAT rules are applied only on the ESG uplink interface (no NAT between internal networks within a deployment)
- The ESG FW is configured to allow intra-app traffic and outgoing access
- VMs can be reached from outside via a Load Balancer VIP only
- If Load Balancing is configured, a separate IP from the external network is used on the ESG
- DHCP on ESG is supported on 1:Many NAT NPs
- Diagram: Web L.S., App L.S. and DB L.S. (Web/App/DB SGs, App Isolation SG) on the On-Demand NSX Edge (1:Many NAT + Inline LB); Transit L.S. to the Provider NSX Edge (HA only); SNAT only, with the internal networks 172.16.10.0/24, 172.16.20.0/24 and 172.16.30.0/24 translated to NAT IPs from 192.168.100.0/24
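The network-profile rules stated in the load balancing, Network Profile Design and 1:Many NAT slides above, encoded as a small planner. This is an added example, not code from the deck or from VMware; the profile labels, the rule dictionary format and the sample addresses are assumptions for illustration.

```python
"""Added example (not code from the deck or from VMware): a planner that encodes
the vRA 7 / NSX network-profile rules the slides state. Profile labels, rule
format and sample addresses are assumptions for illustration."""
import ipaddress

NAT_PROFILES = {"nat-1:1", "nat-1:many"}  # assumed labels for the two NAT profile types

def blueprint_profiles_ok(profile_types):
    """Slide rule: Routed and NAT profiles cannot be combined in one blueprint;
    External may be mixed with either (e.g. VMs on NAT, LB VIP on External)."""
    kinds = set(profile_types)
    return not ("routed" in kinds and kinds & NAT_PROFILES)

def lb_mode(profile_type):
    """Slide rule: Inline LB when the on-demand NSX Edge is the VMs' default
    gateway (NAT profiles); One-Arm when VMs sit on the DLR or an External network."""
    return "inline" if profile_type in NAT_PROFILES else "one-arm"

def plan_one_to_many_nat(internal_cidrs, external_cidr, first_free_ip, with_lb=False):
    """1:Many NAT profile: one External-NP IP per internal network, SNAT rules on
    the ESG uplink interface only, plus a separate external IP for the LB VIP."""
    hosts = list(ipaddress.ip_network(external_cidr).hosts())
    start = hosts.index(ipaddress.ip_address(first_free_ip))
    rules = [{"interface": "uplink", "action": "snat",
              "original": cidr, "translated": str(hosts[start + i])}
             for i, cidr in enumerate(internal_cidrs)]
    vip = str(hosts[start + len(internal_cidrs)]) if with_lb else None
    return {"snat_rules": rules, "lb_vip": vip}

def egress_source(plan, src_ip, dst_ip):
    """Source address a packet leaves the ESG with: unchanged between the
    deployment's internal networks (no NAT inside), the SNAT IP when it exits
    through the uplink, None when no rule matches the source."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    internal = [ipaddress.ip_network(r["original"]) for r in plan["snat_rules"]]
    if any(dst in net for net in internal):
        return str(src)
    for rule, net in zip(plan["snat_rules"], internal):
        if src in net:
            return rule["translated"]
    return None

if __name__ == "__main__":
    # Constructed sample, loosely following the 1:Many NAT slide diagram
    nets = ["172.16.10.0/24", "172.16.20.0/24", "172.16.30.0/24"]
    plan = plan_one_to_many_nat(nets, "192.168.100.0/24", "192.168.100.11", with_lb=True)
    print(plan["snat_rules"], "LB VIP:", plan["lb_vip"])
    print(egress_source(plan, "172.16.20.7", "172.16.10.5"))  # intra-app: no NAT
    print(egress_source(plan, "172.16.20.7", "203.0.113.9"))  # via uplink: SNAT
```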
Automated NSX deployment for the hybrid cloud (NSX Cross Cloud Platforms)
- Choice, Flexibility and Control
- Policy based Governance with Automated Delivery
- Extensibility
- Infrastructure Services, Application Services, Any IT Service
- Self-Service through GUI, CLI and API
- Spanning Public Cloud, Softlayer, other Clouds and Virtual (vSphere) infrastructure

Key Takeaways and Benefits for Customers
- Multi-tenant Infrastructure: cloud service automation
- Developer Cloud
- DMZ Anywhere: micro-segmentation
- Secure End User
- Metro Pooling and Hybrid Cloud Networking: disaster recovery and active-active data centers
- Value: secure, fast and agile, application continuity
- Reduce infrastructure provisioning time from weeks to minutes
- Secure infrastructure at 1/3 the cost
- Reduce RTO by 80%

Questions

Call to Action
1. Check out these vFORUM sessions
2. Get Certified with VMware
3. Visit VMware Booth
4. Join The Conversation #vForumXX