Improve Existing Disaster Recovery Solutions With VMware NSX

Transcription

Improve Existing Disaster Recovery Solutions with VMware NSX
Kevin Reed, Sr Manager, VMware Federal Networking & Security Team, kreed@vmware.com, 703.307.3253
Don Poorman, Manager – Solutions

Revisiting Disaster Recovery: everybody’s FAVORITE topic!

What is Disaster Recovery & Business Continuity? (At least for the purposes of this webinar.)
[Diagram: a Primary (Active) Datacenter and an Alternate (Passive) Datacenter, each with SRM and Local Storage, joined over WAN/Internet with N-S connectivity; Web tier and vCenter-B labelled]

What is Disaster Recovery & Business Continuity? (At least for the purposes of this webinar.)
[Diagram: "Something bad happens here" at the Primary (Active) Datacenter (Web/App/DB, vCenter-A), "forcing you to run workloads here" at the Alternate (Passive) Datacenter (Web/App/DB, vCenter-B); both sites have SRM and Local Storage and N-S connectivity over WAN/Internet]

Traditional Workflow for Virtual Workload Failovers
- Get called at 2:32 AM.
- Diagnose outage – begin executing runbook for site failover and reach for lucky horseshoe keychain.
- Get halfway through powering up recovery VMs and realize ALL of their network settings are configured for the PRIMARY datacenter subnets. Grumble and add changing IP addresses to the list of things to do.
- Get halfway through reconfiguring recovery VM IP addresses before realizing your DNS entries are all pointing at the PRIMARY datacenter subnets. Bang head on table and plan to script those changes in future failover tests.
- Finish networking reconfiguration and application consistency checks just as the Primary site comes back online.

Always Remember: It has always been, and always will be, about workload SLA.

Application Continuity

Traditional Challenges for DR Solutions
Site 1: Winterfell. Site 2: King’s Landing. Winter is coming. Protect the workloads!
- Change application IP addresses
- Re-create/Re-configure physical network for L2-L3 connectivity requirements
- Re-create security policies
- Update other physical device configuration (Ex: load balancer)
- Additional update/re-configuration (ACLs, DNS, Application IP Dependencies, etc.)
Traditional Solutions, Ex:
- L2 Over Dark Fiber
- VPLS Over MPLS Back Bone
- Hardware-Based Solution (OTV)
Expensive, hardware-based, complex, operationally challenging, and/or long lead times required. Not holistic solutions – only focused on the network and per-device configuration, and lack automation and flexibility.
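The two surprises in the 2:32 AM workflow above, and the "change application IP addresses" and "DNS" items in this list, can be caught before a runbook starts rather than halfway through it. The pre-flight check below is an added example, not code from the deck or from VMware: the inventory format, the subnets, VM names and DNS records are all constructed, and the "stretched" case assumes the recovery site carries the protected subnets unchanged, which is what the L2 extension options and NSX logical switching discussed here provide.

```python
# Pre-failover check for the re-IP and stale-DNS surprises. Added example,
# not from the deck; inventory format, addresses and names are constructed.
import ipaddress

# Subnets each site can carry. Traditional sites have disjoint address space;
# a stretched design (L2 extension / NSX logical switching) carries the
# protected subnets at the recovery site too, so VMs keep their addresses.
TRADITIONAL_NETWORKS = {
    "primary": ["10.1.1.0/24", "10.1.2.0/24"],
    "recovery": ["10.2.1.0/24", "10.2.2.0/24"],
}
STRETCHED_NETWORKS = {
    "primary": ["10.1.1.0/24", "10.1.2.0/24"],
    "recovery": ["10.1.1.0/24", "10.1.2.0/24"],
}

# Recovery VM inventory as (vm name, configured IP, DNS name) - constructed.
RECOVERY_VMS = [
    ("web01", "10.1.1.10", "web.example.test"),
    ("app01", "10.1.2.20", "app.example.test"),
    ("db01", "10.1.2.30", "db.example.test"),
]
# Published A records - constructed; db01's record is stale on purpose.
DNS_RECORDS = {
    "web.example.test": "10.1.1.10",
    "app.example.test": "10.1.2.20",
    "db.example.test": "10.1.2.99",
}


def in_site(ip, site, networks):
    """True if ip belongs to a subnet the named site can carry."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in networks[site])


def preflight(vms, dns, networks, target="recovery"):
    """Return (vm, problem, detail) findings; an empty list means the runbook
    can run without re-IP or DNS fix-ups for these VMs."""
    findings = []
    for name, ip, fqdn in vms:
        if not in_site(ip, target, networks):
            findings.append((name, "ip-not-carried-at-target", ip))
        published = dns.get(fqdn)
        if published != ip:
            findings.append((name, "dns-mismatch", f"{fqdn} -> {published}"))
    return findings
```

Calling preflight with TRADITIONAL_NETWORKS reports every VM as needing a re-IP plus the stale db record; with STRETCHED_NETWORKS only the stale DNS record remains, which is the part no network design fixes for you.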

NSX Networking and Security for DR Solutions
What’s needed is a software-based approach which can provide:
- Decoupling from physical hardware
- Ease of deployment
- Ease of use
- Better security with micro-segmentation
- Leverage of higher-level security constructs
- Flexibility
- High degree of automation
- Rapid deployment/recovery and productivity
- Ease of testing the DR Plan
- Extensive partner ecosystem for services
- Integration with other DR & SDDC components (SRM, vSphere hypervisor, vRealize Suite, etc.)

Traditional Disaster Recovery: Manual, Unreliable, Complex
Infrastructure Challenges: Compute, Networking and Storage
[Diagram: two sites, each with App, Compute, Storage and Network layers, joined over WAN / Internet; Deployment/Recovery labelled Manual, Complex, Error-prone]

Traditional Disaster Recovery: Requires L2 Extension
Infrastructure Challenges: Site Connectivity
[Diagram: Protected and Recovery sites, each with its own Network Fabric and WAN / Internet edge, with VMs on 10.1.1.0/24, 10.1.2.0/24 and 10.1.3.0/24; DC Extension via VPLS, Overlay Transport or L2 means complex and expensive connectivity options at the WAN edge, and the recovery side must recreate L2 (Re-IP/Preserve IP Space), recreate L3, and recreate FW and LB policies]

The Solution: VMware NSX Networking and Security

The Solution: VMware NSX
[Diagram: APP on top of Compute, Networking, Storage and Security]
- Reduce hardware complexity and OpEx costs
- Improve application availability and resiliency
- Expedite recovery and decrease downtime

VMware NSX: The Next-Generation Networking Model
Network and security services now in the hypervisor:
- Switching
- Routing
- East-west firewalling
- High throughput rates
- Hardware independent
- Load balancing
- Firewalling/ACLs

Applying Network and Security Virtualization to IT
Security: Inherently Secure Infrastructure
- Micro-segmentation
- Data Segmentation
- Secure End User
- Enhanced Mission Security at reduced cost
Automation: IT at the Speed of Business
- IT Automating IT
- Developer Cloud
- Multi-tenant Infrastructure
- Time to Mission: Reduce infrastructure provisioning time from weeks to minutes
Application Continuity: Datacenter Anywhere
- Disaster Recovery
- Data Center Consolidation and Migration
- NSX in Public Cloud
- Mission Resilience and Agility

VMware NSX – Networking & Security Capabilities
[Diagram: the VMware NSX Network Virtualization Platform delivers Virtual Networks (Logical L2, Logical L3, Logical Firewall, Logical Load Balancer, Logical VPN) to Any Application (without modification), driven by Any Cloud Management Platform, on Any Hypervisor and Any Network Hardware, with a Partner Eco-System]
- Logical Switching – Layer 2 over Layer 3, decoupled from the physical network
- Logical Routing – Routing between virtual networks without exiting the software container
- Distributed Firewall (DFW) – Logical Firewall, Kernel Integrated, High Performance
- Logical Load Balancer – Application Load Balancing in software
- Layer 2 and Layer 3 VPN – Site-to-Site & Remote Access VPN in software
- Network Address Translation (NAT) – translate private IPs to public IPs
- DHCP – Server and Relay
- NSX API – RESTful API for integration into any Cloud Management Platform

NSX Multi-Site Deployment Options
- Active-Active Data Centers
  – Logical Network Connectivity (L2-L7) that enables resources in different physical locations to be pooled together as a unified set of compute resources. Also supports workload mobility between sites using Logical Networks and Security
  – Solution: Single or Multi VC Logical Networks across Datacenters
- Disaster Recovery
  – An active and stand-by application deployed in two different locations that are NOT in the same geographical fault domain
  – Only one instance of the application is active and passing traffic at any time
  – Solution: SRM Protected Applications
- L2 Extension
  – Extending L2 between sites and admin boundaries over L3 with or without encryption
  – Solution: NSX L2 VPN

NSX Current Federal Certification Status
- Army CON (July 2015)
  – Certification # 201519393 approved on 7/27/2015
- DISA STIG (July 2016)
  – Completed and published to IASE.
- ICSA Certification (January 2017)
  – Both NSX for vSphere Distributed Firewall and Edge Firewall are certified against ICSA Corporate Firewall criteria.
- FIPS 140-2 (February 2017)
  – NSX for vSphere 6.3.0 has a FIPS mode that uses only those cipher suites that comply with FIPS. NSX Manager and NSX Edge have a FIPS Mode that can be enabled via the vSphere Web Client or the NSX REST API.
- Common Criteria (May 2017)
  – NSX for vSphere 6.3.0 testing has been completed and is in compliance with the EAL2 level of assurance.

NSX for Disaster Recovery Resources
Whitepapers / Design Guides:
- Disaster Recovery with NSX and SRM
- NSX-V Multi-site Options and Cross-VC NSX Design Guide
- VMware NSX-V: Control Plane Resiliency with CDO Mode
- Enterprise Hybrid Cloud
- iland
Network Virtualization Blog:
- Enhanced Disaster Recovery with Cross-VC NSX and SRM
- Cross-VC NSX for Multi-site Solutions
- NSX-V: Multi-site Options and Cross-VC NSX Design Guide
- Cross-VC NSX: Multi-site Deployments with Ease and Flexibility
- Multi-site with Cross-VC NSX: Consistent Security and Micro-segmentation Across Sites
- Multi-site with Cross-VC NSX and Palo Alto Networks Security
- VMware NSX and SRM: Disaster Recovery Overview and Demo
- NSX-V 6.3: Cross-VC NSX Security Enhancements
- NSX-V 6.3: Control Plane Resiliency with CDO Mode
- Multi-site Active-Active Solutions with NSX-V and F5 BIG-IP DNS
- Disaster Recovery with VMware NSX-V and Zerto
Videos (NSX YouTube Channel):
- Multi-site with Cross-VC NSX: Workload Mobility and Consistent Security Across Sites
- Multi-site with Cross-VC NSX and Palo Alto Networks Security
- VMware NSX and SRM - Disaster Recovery Overview and Demo

NSX DR In Action

DR Solutions with NSX: Dell EMC Enterprise Hybrid Cloud

Business value NSX with EHC delivered to our customers
- 25% time saved from operational activities
- Provisioning time reduced from days to minutes
- Increased resource utilization
- Reduced provisioning times from 2–3 weeks to minutes
- 4X faster provisioning time
- 90% reduction in downtime
- Decreased total IT spend by 60%
- Reduced time to market for new business services by 65%
- 50% reduction in data center costs
- Consolidated datacenters by 71%
- Reduced resource provisioning time from months to hours
- Unification of entire IT department vs. siloed teams

NSX Simplifies EHC DR add-on
RecoverPoint for Virtual Machines (RP4VM):
- VM-level disaster recovery granularity
- Virtual Appliance Replication
- vSphere web client integration

Use Case: Requirements
1. 2 Sites, 2 vCenters
2. Active workloads
3. Bi-directional DR
4. Consistent security
5. Consistent networks and traffic engineering
6. DR Consumption through CMP

Building the Network
[Diagram: Cross vCenter NSX spanning Site 1 (vCenter, NSX Manager, Controller Cluster) and Site 2 (vCenter, NSX Manager); a Blue uDLR serving Web/App/DB for Blue App01 and a Green uDLR serving Web/App/DB for Green App01; callouts 1 and 5 from the requirements]

Replicating the VMs
[Diagram: as above, with RecoverPoint for VM (RP4VM) vRPA appliances at both sites; Blue App01 and Green App01 (Web/App/DB) are each replicated to Site 2 as an RP4VM CG; callout 3 from the requirements]

Securing the Applications
[Diagram: as above, with Universal Security Groups, tags and DFW rules defined in Cross vCenter NSX; Blue App01 is a member by Static Inclusion, Green App01 (Web/App/DB) by Dynamic Inclusion, and both are replicated to Site 2 as RP4VM CGs; callouts 4 and 6 from the requirements]

Summary
- NSX decouples networking services from the physical infrastructure, allowing for a resilient DR solution
- Cross-VC NSX and SRM together provide an enhanced DR solution
- Consistent networking across sites with NSX prevents the need to manually map different networks and change application IP addresses
- NSX also provides consistent security policies across vCenter sites, which enables automatically correct security for applications when a DR event occurs
- Cross-VC NSX component and site recovery is fully supported
- Automation can be leveraged in an NSX / SRM environment for additional requirements/needs: vRO, NSX REST API

Kevin Reed, Sr Manager, VMware Federal Networking and Security Team, kreed@vmware.com, 703.307.3253
Don Poorman, Manager – Solutions Engineering, dpoorman@govplace.com, 301.678.3667
