Paul Pindell, a senior solutions architect for F5 Networks, works in business development and is tasked with the technical partnership with VMware. Paul has been a speaker at the last six U.S. VMworld conferences and has presented at three EMEA VMworld conferences, and has been invited to speak again at the upcoming VMworld EMEA conference in October. Over the last year, Paul has led the technical efforts related to F5’s partnership with VMware’s Networking and Security Business Unit. Paul recently sat down with SDxCentral to discuss F5’s partnership with VMware and the VMware NSX integration.
SDxCentral: What are the main use cases that you see VMware NSX being deployed in within enterprise customer networks?
Pindell: We see VMware NSX being deployed into enterprise networks for a variety of reasons. The ability of the customer to provision virtual machines (VMs) in minutes has been possible for years through server virtualization. However, when operations staff and application architects tell us “the network is in the way,” something has got to change. We shouldn’t inhibit business agility any longer. Many enterprises are looking to NSX to provide those same speed-of-deployment benefits to the network components and services that those almost instantaneously provisioned VMs have enjoyed for years. Another of the main use cases is to take advantage of the security abstraction use cases NSX can enable within a virtualized network. This is commonly referred to as “micro-segmentation,” the ability of the software-defined data center (SDDC) to abstract into a security group the VMs that are being secured, and the movement of the security perimeter closer to the VM itself.
Which F5 product families are relevant to network virtualization?
Pindell: We utilize both our F5 BIG-IP application services platform and our F5 BIG-IQ management and orchestration platform to create a holistic solution within a network virtualization context. With BIG-IP, we can utilize any of the modules our customers have come to rely on for application access, security, and high-availability services in support of their applications. For example, as a full-proxy architecture, BIG-IP, once connected to a virtualized network fabric, can provide F5 Local Traffic Manager (LTM) functionality for high availability, SSL processing, data-plane scripting and all other LTM features; F5 Application Security Manager (ASM) can provide web access firewall functionality, protecting against the many data theft attacks that network firewalls are oblivious to; and F5 Access Policy Manager (APM) can provide access and authentication services, to mention just a few. All of the F5 BIG-IP functionality and flexibility customers have come to expect from F5 is still available in a network virtualization enabled environment. There is no application services trade-off in this solution, only customer benefit.
What are the key business problems that the combination of VMware NSX and F5 can solve?
Pindell: F5’s BIG-IP and VMware NSX together can bring the same speed of deployment to the network and advanced application services that are experienced in the deployment and provisioning of VMs. Working together, we have built a solution that helps customers get the network “out of the way” of business agility and faster time-to-value for the deployment of applications and services. F5 and VMware can also bring the full BIG-IP functionality and module support to bear within an NSX virtualized network environment to provide the security, high-availability, and performance that F5 is known to deliver in support of all applications, be they enterprise-grade critical business applications or dynamically created dev and test environments.
What’s the nature of integration that customers are looking for between NSX and F5? What are the main flavors?
Pindell: F5 and VMware have developed joint guidance for two main classes of customers. We call these two use cases the integration use case and the interoperability use case. The first type of customer wants the SDDC, where software automation and integration bring the speed benefits of VM deployment to virtualized networks and network services. The second type of customer simply wants to know how to move toward using an NSX virtualized network while continuing to utilize all of the flexibility and functionality of F5’s application services platform, or how the two platforms can interoperate. This second group doesn’t want to create a new operational workflow model yet, but is planning for the future of virtualized networking. F5 and VMware have developed joint guidance for these two main classes of customers. We have created architectural and operational guidance documents for customers wanting interoperability — to connect their NSX virtualized network fabric to a physical or virtual F5 application services fabric. F5 and VMware have also jointly developed a REST-based API-level integration that handles the automatic creation/connection of F5 BIG-IPs to an NSX virtualized environment, as well as the automated deployment of iApp (application services templates) based policies to those BIG-IPs. This addresses the speed of VM, network, and F5 application services deployment asks for these customers.
Why would customers gravitate toward one type of integration versus another? Can you provide insight into the pros/cons and applicability of one over another?
Pindell: It really comes down to a balance between automation and flexibility. Automation necessarily can limit flexibility. In order to automate a system, many assumptions about the available options are made prior to running the automation. If every option were made available through an automation mechanism, the user kicking off that automation would have to make as many choices within the automation system as if they had logged directly into each component’s management user interface (UI). So a customer who has done the difficult work of standardizing the options made available will choose to use the integrated and automated REST-based API-level integration. Those customers who value the flexibility to configure their F5 platform using any and all configuration options, or with any and all F5 modules, will choose the detailed interoperability guidance on how to connect these new virtualized networks with their BIG-IP investments.
What are best practices for full integration? What are the main pitfalls and how should customers proceed?
Pindell: The best practices for integration of F5’s advanced application networking services in an NSX virtualized network have a fair bit of policy and business logic decisions that need to be made prior to a successful production deployment. Remember, a successful integration requires automation and orchestration, which requires making decisions about what can and cannot be done prior to running the automation. Successful companies have taken the time to create predefined standards for which advanced networking controller configuration options are going to be offered at deployment time. F5 iApp technology is the entry point for the administrator to define the application delivery policy defaults, and specify which options will be made available at runtime. These companies have top-down support for sliding the scale more toward automation and operational simplicity, away from infinite configurability. This is important so that application owners and tenants know what is allowed, and within what constraints they must operate.
And when just interoperability is called for, what unseen issues can customers run into and how can these be prevented?
Pindell: When interoperability is called for, there is a perception of increased difficulty when connecting the F5 BIG-IP to “see the packets” of the application servers on an NSX virtualized network. We have worked hard to dispel this notion by creating an F5 reference architecture for VMware NSX. Thus, taking the time to use the VMware NSX and F5 BIG-IP Design Guide as one makes decisions on which deployment topology best fits the customer networking requirements will help avoid the paralysis that comes with the fear of the unknown. Once an architectural topology choice has been made, the VMware NSX and F5 BIG-IP Best Practices Guide will assist the operations staff in configuring both the NSX and BIG-IP components to allow for the “seeing of packets.”
Can you discuss the realized business and technical use case benefits of each type of integration?
Pindell: The use cases we work towards solving are defined through F5 and VMware working closely, as mutually valued partners, in addition to working closely with our customers. This ensures that we deliver something of great value right from the initial offering. For example, a joint interoperability type of customer requires the full flexibility and functionality of F5 BIG-IP to handle SIP traffic across multiple data centers, using the F5 application services for DNS-based global server load balancing, local traffic management with heavy usage of iRules (data plane scripting) to further customize their service offering and differentiate it from their competition’s offerings. This required them to focus initially on interoperability of BIG-IP with NSX, with a goal toward adding integration and automation down the road.
What’s next for the F5 and VMware NSX integration? What further areas of collaboration can the market expect?
Pindell: The F5 and VMware NSX integration continues to build upon the foundations that are available today. We are working jointly together to enhance the experience of the admin and the tenant users of the integration. We are enhancing the iApp underpinnings of the solution as well, making it easier for the administrator to use an iApp to make more granular policy sets that can add functionality and flexibility while still maintaining the standardization that enables operational efficiencies through automation. Common across both historic and future development of the integrated F5 and VMware strategy, we will continue to work closely with customers and remain focused on the simplification of use cases and workflows – not just on features and check boxes – but never at the sacrifice of quality in the pursuit of application performance, high-availability, and security.