As businesses evaluate their applications in the constantly evolving world of IT, new strategies are emerging for delivery. These strategies include keeping applications on-premises or moving them to one or more public cloud providers.
These public clouds come with their own networking and security constructs and policy management. The result is a new set of technology silos that increases expense, complexity and risk.
This blog series will discuss the challenges of providing consistent networking and security policies for native cloud workloads, the value of VMware NSX Cloud, and walk through the process of securing and connecting applications running natively in the public cloud.
VMware NSX Cloud
VMware’s strategy is to enable businesses to create and deliver applications. To support new delivery strategies, VMware NSX Cloud provides consistent networking and security for native applications running in multiple public and private clouds. Utilizing a single management console and a common application programming interface, VMware NSX Cloud offers numerous benefits:
- Unified Micro-Segmentation Security Policies – VMware NSX Cloud provides control over East-West traffic between native workloads running in public clouds. Security policies are defined once and applied to native workloads. These policies are supported in multiple AWS accounts, regions, and VPCs. Policies are dynamically applied based on a rich set of constructs, such as workload attributes and user-defined tags. Rogue or compromised workloads can also be automatically quarantined.
- Network Control and Portability – VMware NSX Cloud provides consistency and control over network policies, while also offering portability. Precise control is given over networking topologies and addressing, providing capabilities such as stretching subnets across availability zones. Provisioning and management of networking and security policies across cloud accounts can be greatly simplified and standardized through the use of templates.
- Increased Visibility Across Clouds – VMware NSX Cloud improves the visibility and analytics for native workloads in public clouds using existing and familiar network management tools. Flow, packet and event information is available via standard tools and interfaces such as IPFIX, syslog, port mirroring and Traceflow.
- Consistent operations – VMware NSX Cloud brings a standardized and consistent operational model to applications running natively in public clouds. A single management console and common APIs allow cloud teams to simplify their operations and scale across a growing number of public cloud environments while leveraging existing automation tools. Existing Day 2 operations tools can be used to provide end-to-end monitoring, troubleshooting and auditing.
VMware NSX Cloud is offered as a service to enable customers to quickly deploy and secure their native cloud workloads. To provide these capabilities, VMware NSX Cloud uses NSX-T components (NSX Manager and Controllers) and integrates them with public cloud providers.
Additional components are part of a VMware NSX Cloud deployment:
- NSX Cloud Service Customer Dashboard provides a single User Interface for customers to see the status of their deployment, high level inventory, and maintenance notifications.
- NSX Cloud Services Manager (CSM) integrates with NSX Manager and public cloud accounts to provide a unified view of cloud inventory, onboard cloud environments by automating the deployment of the NSX Public Cloud Gateway, and manage quarantine policies. NSX Cloud Services Manager also layers NSX status over the cloud inventory.
- NSX Public Cloud Gateway (PCG) acts as a local NSX control plane within each public cloud VPC, provides Edge Gateway functions for North-South traffic, and enforces quarantine policy.
- NSX Public Cloud Agent provides the distributed data path functions for workloads managed by NSX. It enforces distributed firewall policies and performs logical routing and switching for overlay traffic.
Each customer gets their own dedicated NSX Cloud management infrastructure, which is managed by VMware. Customers bring their own AWS accounts and VPCs to be managed by NSX Cloud network and security policies.
VMware will ensure the uptime of the service and is responsible for the installation and upgrade of the NSX Cloud service. The NSX Cloud Service Customer Dashboard is activated for each customer after installation. NSX Manager and NSX Cloud Services Manager access is available through the dashboard.
The next step is to add a customer cloud account to CSM to provide access to the public cloud inventory. In the case of AWS, a CloudFormation template is available to quickly configure the necessary account permissions. This template creates two AWS IAM roles that are used by NSX Cloud, one to support the gathering of AWS inventory and another to support the deployment of the Public Cloud Gateway in a VPC.
The account inventory is displayed after the AWS account has been successfully added. At this point the customer cloud environment (AWS VPC) is ready to be configured for NSX Cloud network and security management.
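Before creating the two roles in a production account, it is worth reviewing the template's IAM policies for least privilege. The following Python script is an added example, not VMware's CloudFormation template (whose contents this post does not show): it parses a constructed template in the shape described above (one inventory role, one gateway-deployment role) and flags wildcard action grants and any non-read-only action on the inventory role, which should only need Describe/List/Get permissions. The role names, policy names and actions in the sample are assumptions.

```python
"""Least-privilege review of the two IAM roles an NSX Cloud onboarding
template is described as creating. Hypothetical example; the template
below is constructed for illustration and is not VMware's template."""
import json

# Constructed sample in CloudFormation shape: an inventory role and a
# gateway-deployment role. The second role deliberately carries an
# over-broad "Action": "*" statement so the reviewer has something to find.
SAMPLE_TEMPLATE = {
    "Resources": {
        "NsxInventoryRole": {                      # assumed name
            "Type": "AWS::IAM::Role",
            "Properties": {
                "Policies": [{
                    "PolicyName": "inventory",
                    "PolicyDocument": {
                        "Statement": [{
                            "Effect": "Allow",
                            "Action": ["ec2:DescribeInstances",
                                       "ec2:DescribeVpcs",
                                       "ec2:DescribeSubnets"],
                            "Resource": "*",
                        }]
                    }
                }]
            }
        },
        "NsxGatewayDeployRole": {                  # assumed name
            "Type": "AWS::IAM::Role",
            "Properties": {
                "Policies": [{
                    "PolicyName": "pcg-deploy",
                    "PolicyDocument": {
                        "Statement": [
                            {"Effect": "Allow",
                             "Action": ["ec2:RunInstances",
                                        "ec2:CreateNetworkInterface"],
                             "Resource": "*"},
                            {"Effect": "Allow", "Action": "*", "Resource": "*"},
                        ]
                    }
                }]
            }
        }
    }
}

READ_ONLY_PREFIXES = ("Describe", "List", "Get")


def iter_statements(template):
    """Yield (role_name, statement) for every inline policy on every IAM role."""
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::IAM::Role":
            continue
        for policy in res.get("Properties", {}).get("Policies", []):
            stmts = policy.get("PolicyDocument", {}).get("Statement", [])
            if isinstance(stmts, dict):      # a single statement may be a dict
                stmts = [stmts]
            for stmt in stmts:
                yield name, stmt


def actions_of(stmt):
    """Normalize the Action field, which may be a string or a list."""
    acts = stmt.get("Action", [])
    return [acts] if isinstance(acts, str) else list(acts)


def is_read_only(action):
    """True for actions whose API verb is Describe*/List*/Get*."""
    _, _, verb = action.partition(":")      # "ec2:DescribeVpcs" -> "DescribeVpcs"
    return verb.startswith(READ_ONLY_PREFIXES)


def review_roles(template, inventory_role):
    """Return a list of human-readable findings; an empty list means nothing to flag."""
    findings = []
    for role, stmt in iter_statements(template):
        if stmt.get("Effect") != "Allow":
            continue
        acts = actions_of(stmt)
        # A bare "*" or "service:*" grant is never least privilege.
        if any(a == "*" or a.endswith(":*") for a in acts):
            findings.append(f"{role}: wildcard action {acts}")
        # The inventory role only gathers inventory, so it should only read.
        if role == inventory_role:
            for a in acts:
                if a != "*" and not is_read_only(a):
                    findings.append(f"{role}: non-read-only action {a}")
    return findings


if __name__ == "__main__":
    # Review a real template with: json.load(open("template.json"))
    for finding in review_roles(SAMPLE_TEMPLATE, "NsxInventoryRole"):
        print(finding)
```

Run against the constructed sample, the inventory role passes and the gateway role is flagged once for its wildcard statement. The check is intentionally conservative: it does not judge whether `"Resource": "*"` on mutating actions such as RunInstances is acceptable, since that depends on whether the deployment can be scoped to the target VPC with conditions.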
In the next blog, we’ll dig into how to set up your AWS VPC for management by VMware NSX Cloud.