With this release, NSX-T 2.3 continues to enable VMware’s vision of delivering consistent, pervasive connectivity and intrinsic security for applications and data across any environment. These new advancements help customers implement a more secure, end-to-end software-based network architecture – a Virtual Cloud Network – that supports their multi-cloud enterprises and advanced security in new and compelling ways.
NSX-T Data Center 2.3 extends advanced multi-cloud networking and security capabilities to AWS, in addition to Microsoft Azure and on-premises environments, and adds support for bare metal hosts as well.
Here are a few highlighted features among what’s new in this release.
Extending NSX-T Data Center support for Bare-Metal
NSX-T Data Center 2.3 introduces support for bare-metal hosts, in addition to hypervisor and container environments. This covers Linux workloads running natively on bare-metal servers as well as containers running on bare-metal servers without a hypervisor. To support this, NSX-T uses Open vSwitch (OVS), which allows a Linux host to act as an NSX-T transport node.
Bare-Metal Server Support
This release introduces support for bare-metal native compute workloads running RHEL 7.4, RHEL 7.5, CentOS 7.4 and Ubuntu 16.04. Bare-metal workloads can be connected over VLAN- or overlay-backed networks, and micro-segmentation policies (stateful Layer 4 enforcement) apply to virtual-to-physical and physical-to-physical communication flows.
Support for Bare-Metal Linux Containers
Since NSX-T 2.0, NSX-T has supported IPAM, logical networking, load balancing, micro-segmentation and monitoring for Kubernetes and Cloud Foundry container-based applications running on virtualized container hosts (vSphere, and RHEL- and Ubuntu-based KVM).
Starting with this release, NSX-T also supports bare-metal Linux container hosts, beginning with RHEL 7.4 and RHEL 7.5. The application platforms supported with bare-metal containers are upstream Kubernetes and Red Hat OpenShift Container Platform.
Extending Networking and Security Capabilities to Public Cloud
Support for AWS workloads
NSX-T Data Center 2.3 extends support to native AWS deployments, a significant step toward a truly hybrid-cloud NSX solution. You can now simplify and scale operations across a growing number of accounts, subscriptions, virtual networks, availability zones and regions in AWS, Azure and the private cloud. It also provides a way to work around networking and security limitations of native AWS, such as the lack of transitive routing between VPCs. Look out for more information on this in future blogs.
VPN Support Between On-Premises to Public Cloud
NSX Cloud now provides any-to-any VPN functionality, which removes the need for a cloud provider's VPN gateway (for example an AWS virtual private gateway, VGW) and reduces TCO, since you no longer have to consume the VPN services of the public cloud provider. Users are also not bound by the provider's VPN scale limits when they use NSX Cloud for VPN. The built-in VPN capabilities of the NSX Cloud Public Cloud Gateway (PCG) are available through the API in this release. This enables several use cases, such as IPsec links between managed compute Amazon VPCs / Azure VNets and third-party service VMs in transit Amazon VPCs / Azure VNets, or an IPsec link between a managed Amazon VPC / Azure VNet and an on-premises VPN device.
Zero-Touch Deployment for the NSX Agent in Microsoft Azure
Once a VM is tagged for NSX, the PCG (the NSX component deployed in the VNet) identifies the VM and uses Azure VM extensions to push the NSX agent into it; the end user does not have to do anything. The ability to push NSX agents to all existing and new VMs in a VNet is configurable per VNet. Because the push relies on Azure VM extensions, the VM must be running the Azure VM agent that executes extensions.
Improving support for NFV Workloads
In conjunction with vSphere 6.7, NSX-T 2.2 introduced a high-performance N-VDS mode called 'Enhanced data path' for NFV-style workloads that need a high-performance data path on VLAN-backed networks. With NSX-T 2.3, the 'Enhanced data path' mode of N-VDS also supports such workloads on overlay-backed networks.
Advancing Network & Security Services
Service Insertion at the Edge
NSX-T Data Center, as a key networking platform, provides a rich set of capabilities for building network topologies that connect and secure application endpoints (VMs, containers, bare-metal servers). With this release, NSX can deploy your choice of partner security solutions at the edge of NSX-T network topologies, i.e. at the Tier-0 and Tier-1 routing boundaries. NSX-T Data Center can onboard and catalog partner services so that the NSX admin can deploy and consume the cataloged services.
As 3rd-party security solutions become certified, they will be listed on the VMware Compatibility Guide – Network and Security.
The NSX admin can deploy and insert partner security solutions via the web UI or API, and service insertion policy lets the admin define granular rules that redirect only selected traffic to the partner solution, while the rest of the traffic stays on the normal forwarding path.
Rule Usage Tracking for Distributed Firewall
The NSX Distributed Firewall now keeps a hit count per firewall rule: the number of times traffic has matched that rule. The count is visible in the user interface and through the API, and users can reset it to start counting afresh. In addition, NSX provides a popularity index that reports the rules that were hit in the last hour, which gives a quick picture of the type of traffic in the environment at any given time of day. Together, hit counts and the popularity index help manage rules and give visibility into the east-west traffic crossing the data center: rules that are no longer in use can be cleaned up, and hit counters on deny rules show what is being blocked. One caveat when using counters for cleanup: a zero hit count only means the rule has been unused since the last reset, and the popularity index covers only the last hour, so allow an observation window long enough to include infrequent flows such as scheduled jobs before removing a rule.
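As an added example of how an operator would consume these counters (this is not VMware code or part of the original post), the script below takes per-rule statistics of the form the NSX Manager API is assumed to return from GET /api/v1/firewall/sections/&lt;section-id&gt;/rules/stats (fields rule_id, hit_count, packet_count, byte_count, session_count, popularity_index; path and field names are assumptions) and flags cleanup candidates, deny rules that are being hit, and the busiest rules of the last hour. The rule list and statistics are constructed sample data so it runs offline.

```python
"""Audit NSX-T Distributed Firewall rule statistics (hit count, popularity index).

Added example for this post, not VMware code. It works on the JSON shape the
NSX-T Manager API is assumed to return for
GET /api/v1/firewall/sections/<section-id>/rules/stats (one record per rule
with rule_id, hit_count, packet_count, byte_count, session_count and
popularity_index); that path and those field names are assumptions, and the
sample data below is constructed so the script runs offline.
"""
import base64
import json
import urllib.request

# Constructed sample: the rules of one DFW section (id, name, action), as an
# operator would read them back from the section's rules endpoint.
SAMPLE_RULES = [
    {"id": "1001", "display_name": "web-to-app-8443", "action": "ALLOW"},
    {"id": "1002", "display_name": "legacy-ftp", "action": "ALLOW"},
    {"id": "1003", "display_name": "deny-db-from-web", "action": "DROP"},
    {"id": "1004", "display_name": "default-deny", "action": "REJECT"},
]

# Constructed sample: per-rule statistics for the same section.
SAMPLE_STATS = json.loads("""
{"results": [
  {"rule_id": "1001", "hit_count": 48213, "packet_count": 918020,
   "byte_count": 702118400, "session_count": 48213, "popularity_index": 812},
  {"rule_id": "1002", "hit_count": 0, "packet_count": 0,
   "byte_count": 0, "session_count": 0, "popularity_index": 0},
  {"rule_id": "1003", "hit_count": 37, "packet_count": 37,
   "byte_count": 2220, "session_count": 0, "popularity_index": 5},
  {"rule_id": "1004", "hit_count": 1290, "packet_count": 1290,
   "byte_count": 77400, "session_count": 0, "popularity_index": 120}
]}
""")

DENY_ACTIONS = {"DROP", "REJECT"}


def index_stats(stats_payload):
    """Map rule_id -> its statistics record."""
    return {rec["rule_id"]: rec for rec in stats_payload["results"]}


def unused_rules(rules, stats_payload, min_hits=1):
    """Names of rules with fewer than min_hits lifetime hits: cleanup candidates.

    Counters only cover the period since the last reset, so collect them over a
    window long enough to include infrequent flows before deleting anything.
    """
    by_id = index_stats(stats_payload)
    return [r["display_name"] for r in rules
            if by_id.get(r["id"], {}).get("hit_count", 0) < min_hits]


def denied_traffic(rules, stats_payload):
    """(rule name, hit_count) for deny rules that have matched traffic.

    Hits on deny rules are blocked east-west flows: either attempted lateral
    movement or an allow rule that is missing.
    """
    by_id = index_stats(stats_payload)
    return [(r["display_name"], by_id[r["id"]]["hit_count"]) for r in rules
            if r["action"] in DENY_ACTIONS
            and by_id.get(r["id"], {}).get("hit_count", 0) > 0]


def hot_rules(rules, stats_payload, top=3):
    """Rule names ranked by popularity_index (hits in the last hour), busiest first."""
    by_id = index_stats(stats_payload)
    ranked = sorted(rules,
                    key=lambda r: by_id.get(r["id"], {}).get("popularity_index", 0),
                    reverse=True)
    return [r["display_name"] for r in ranked[:top]]


def fetch_rule_stats(manager, section_id, user, password):
    """Live counterpart of SAMPLE_STATS (not exercised offline).

    Assumed endpoint: GET /api/v1/firewall/sections/<section-id>/rules/stats
    on NSX Manager, authenticated with HTTP basic auth.
    """
    url = f"https://{manager}/api/v1/firewall/sections/{section_id}/rules/stats"
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}",
                                               "Accept": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    print("unused:", unused_rules(SAMPLE_RULES, SAMPLE_STATS))
    print("denied:", denied_traffic(SAMPLE_RULES, SAMPLE_STATS))
    print("hot:", hot_rules(SAMPLE_RULES, SAMPLE_STATS))
```

In the constructed data, only legacy-ftp comes back as a cleanup candidate, both deny rules show hits worth a look, and the allow rule for web-to-app traffic tops the last-hour ranking. Replace SAMPLE_STATS with the output of fetch_rule_stats to run it against a real section.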
Firewall Section Locking
Firewall rule sections can now be locked while they are being modified, which prevents multiple users from changing the same section at the same time. You can see who locked a section, when, and any comment they left explaining why.
Load Balancing Enhancements
One key enhancement in NSX-T 2.3 is the ability to deploy multiple load balancer instances on a single network segment. This lets you scale out load balancing without splitting the segment. For example, a segment can host thousands of workloads for production services that may require hundreds of virtual servers on the load balancer; deploying multiple load balancer instances instead of one distributes those virtual servers for better performance and scalability.
Another NSX-T 2.3 enhancement concerns ease of use for TLS cipher configuration. Instead of assessing the security and compatibility impact of each individual cipher suite, you can now configure cipher suites by selecting one of three pre-defined lists: High security, Balanced and High compatibility. The trade-off is the usual one: the stricter the list, the fewer legacy clients will be able to negotiate a session with the virtual server.
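To make the trade-off behind such pre-defined lists concrete, here is an added example (not VMware code, and not the actual contents of NSX-T's lists, which this post does not publish): an illustrative tiering policy that sorts OpenSSL-style cipher suite names into the three levels based on generic TLS properties, namely forward secrecy, AEAD bulk ciphers and the absence of broken primitives. The candidate suite list is constructed sample input.

```python
"""Illustrate the trade-off behind pre-defined TLS cipher lists.

Added example, not VMware code: this post does not list the suites behind
NSX-T's High security / Balanced / High compatibility lists, so the tiering
policy below is an illustrative one built from generic TLS properties
(forward secrecy, AEAD, legacy algorithms), using OpenSSL-style suite names.
"""

WEAK_ALGORITHMS = ("RC4", "DES", "NULL", "EXPORT", "IDEA", "SEED", "MD5")
TIER_ORDER = {"high_security": 0, "balanced": 1, "high_compatibility": 2}

# Constructed sample: suites a load balancer could be asked to offer.
CANDIDATES = [
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-CHACHA20-POLY1305",
    "ECDHE-RSA-AES128-SHA256",
    "ECDHE-RSA-AES256-SHA",
    "AES128-GCM-SHA256",
    "AES128-SHA",
    "DES-CBC3-SHA",
    "RC4-SHA",
]


def properties(suite):
    """Security-relevant properties derived from an OpenSSL-style suite name."""
    s = suite.upper()
    return {
        # Ephemeral (EC)DH key exchange: a leaked server key does not expose past sessions.
        "forward_secrecy": s.startswith(("ECDHE-", "DHE-")),
        # AEAD bulk ciphers avoid the CBC MAC-then-encrypt constructions.
        "aead": "-GCM-" in s or "CHACHA20" in s or "-CCM" in s,
        # Broken or deprecated primitives; "DES" also catches 3DES (DES-CBC3-SHA).
        "weak": any(w in s for w in WEAK_ALGORITHMS),
        # HMAC-SHA1 on a CBC suite: tolerable for compatibility, not preferred.
        "sha1_mac": s.endswith("-SHA"),
    }


def tier(suite):
    """Most restrictive pre-defined list that would still offer this suite,
    or None if it should never be offered."""
    p = properties(suite)
    if p["weak"]:
        return None
    if p["forward_secrecy"] and p["aead"]:
        return "high_security"
    if p["forward_secrecy"] and not p["sha1_mac"]:
        return "balanced"
    return "high_compatibility"


def profile(level, candidates):
    """Ordered cipher list for one pre-defined level, strongest suites first.

    Each level includes everything the stricter levels offer plus its own
    tier; weak suites are dropped at every level.
    """
    limit = TIER_ORDER[level]
    allowed = []
    for suite in candidates:
        t = tier(suite)
        if t is not None and TIER_ORDER[t] <= limit:
            allowed.append((TIER_ORDER[t], suite))
    allowed.sort(key=lambda pair: pair[0])  # stable sort keeps input order within a tier
    return [suite for _, suite in allowed]


if __name__ == "__main__":
    for level in TIER_ORDER:
        print(f"{level}: {profile(level, CANDIDATES)}")
```

Moving from High compatibility to High security in this model drops the static-RSA and SHA-1 CBC suites that old clients need, which is exactly the assessment the pre-defined lists spare you from doing suite by suite; the RC4 and 3DES entries are excluded at every level.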
Lastly, Layer 7 load balancing is at the core of the NSX platform. This release of NSX-T Data Center adds the following abilities to load balancer rules:
- Delete HTTP headers
- Match SSL information
- Set a variable based on match that can be used for another match condition
Simplifying NSX-T Data Center Deployment, Management & Use
New Language Support
With this release, the NSX user interface is now available in English, German, French, Japanese, Simplified Chinese, Korean, Traditional Chinese, and Spanish.
Enhanced Home Page with Search
The new NSX home page includes a simplified left-hand navigation bar and provides an at-a-glance summary of the system. Search is easily accessible from the NSX home page and has been enhanced to include type-ahead suggestions. For example, you can now type “Navigate to…” to easily jump to a page of interest, or type in more complex search queries.
Support for NSX-T Data Center in a Stateless vSphere Environment
To simplify and shorten the time it takes to install NSX across hundreds of hosts, NSX-T Data Center now offers more deployment options by supporting stateless ESXi hosts through vSphere Auto Deploy and Host Profiles. This feature requires ESXi 6.7 U1 or later.
Modular Upgrade of NSX Components
The NSX-T Upgrade Coordinator has been enhanced with modular upgrade functionality: it upgrades only the NSX components that have changed in the new software version, which significantly reduces the operational overhead of patching an NSX environment.
Enhancing NSX-T Data Center Consumption in OpenStack
The NSX Neutron plugin for NSX-T Data Center now supports the Neutron VPNaaS extension. This lets you add VPN to your private cloud environment without configuring any external equipment, providing a new networking service based on NSX capabilities (NSX IPsec VPN) alongside those already available, such as L2, L3, security groups and LBaaS.