The VMware NSX platform delivers the entire networking and security model in software, decoupled from traditional networking hardware, representing a transformative leap forward in data center networking architecture.
Overview: Today’s data center is largely virtualized from a compute perspective, which has unleashed unprecedented benefits in agility, efficiency and capex/opex savings. What is less known is that virtual network access ports now outnumber physical network access ports, and this trend is accelerating. In fact, today, 40% of vAdmins manage virtual networks. Beyond virtual switching, the time is ripe to virtualize the rest of the networking stack, and accelerate our customers’ journey to the software-defined data center.
At VMware, we’ve put together an all-star team, the Networking & Security Business Unit (NSBU), to address this opportunity, and bring virtualization-centric innovation to networking. This team has been responsible for many key foundational innovations toward network virtualization. We started with the best of Nicira, vSphere networking and vCloud networking and security technologies, and embarked on a mission to build a unified solution that will transform networking and security in the virtualized data center. Today, VMware CEO Pat Gelsinger will be launching VMware NSX™, the platform for network virtualization, in his keynote at VMworld 2013 San Francisco.
Challenges: Businesses need to be more agile and resource-efficient, in order to remain competitive in a rapidly evolving global market. Meanwhile, IT organizations have hit limits of scale, complexity, and operations.
Current data centers are an agglomeration of several generations of networking and security products. Today’s data center networking team faces significant challenges:
- Manual, complex provisioning of hardware devices & agents
- Limited placement, mobility & efficiency due to silos
- VLAN sprawl, firewall rule sprawl, static IP inflexibility
- Several networking & security blind spots
- Performance choke points due to traffic hair-pinning
- Lack of seamless, instant integration with CMPs & applications
Solution requirements: Businesses need to deploy applications with greater speed, efficiency, and security.
Our mission was to overcome these challenges, and deliver secure network services to applications running in the data center, that meet the following criteria…
- Instant and programmatic provisioning
- Fast and highly available infrastructure
- Secure, i.e. isolated from the provider & other tenants
… under the following conditions:
- Should support any compute platform, virtual or physical
- Should provide instant gateways to the internet, WAN and LAN
- Should decouple network services from underlying hardware
- Should ensure that services are coupled with, and move with VMs
- Should provide a platform for partners to integrate into
- Should provide unified services to major cloud management platforms
Introducing VMware NSX
Today, we are announcing the VMware NSX platform and products that deliver on the above mission, unleashing the power of network virtualization. The team has re-created the network and security model in software, taking advantage of the benefits of virtualization. This realizes a significant leap forward in capability across the stack, and includes several industry firsts. Before delving into the product itself, here are the key highlights:
Logical switching & routing: Routing functions have been integrated with switching in the hypervisor, enabling direct one-hop connectivity for east-west traffic in the data center, decoupled from the underlying network fabric using overlays. Also included are optimizations that decouple multicast, unknown unicast and ARP broadcasts from the physical network. The net effect is efficient, fast packet delivery in the logical plane, with control traffic in the physical fabric kept to a minimum.
Bridging to physical: A logical view of virtual and physical devices is presented, leveraging integration between the NSX Controller and agents in Arista, Brocade, Cumulus, Dell, HP and Juniper network devices. Also included is translational bridging between logical overlays and VLANs, enabling seamless interconnection of physical and virtual workloads without re-addressing.
Distributed Firewall: Stateful firewall capability is built into the hypervisor, delivering distributed, scale-out, high-performance firewall inspection at each virtual switch port, while tracking VM adds, moves and changes. Firewall management is dramatically simplified by enabling rules, audits and monitoring based on virtual infrastructure containers, applications and AD users/identity, with richer context still available through network virtualization and VM introspection. The distributed firewall capability also enables stateful, logical insertion of partner devices/agents, e.g. F5, McAfee, Palo Alto Networks, Symantec and Trend.
Logical Edge Services: The NSX Edge Services router provides the critical network services required to on-ramp/off-ramp traffic to/from the data center, including perimeter routing (BGP, OSPF, IS-IS), firewalls, user & site VPNs, elastic load balancers and DNS/DHCP/IP services. We also take advantage of virtualization to provide flexible placement, N+1 redundancy, runtime load balancing, and per-tenant resource management. These logical, scale-out services are programmatically deployed on a per-tenant or app basis, solving the choke point and provisioning issues commonly seen in current architectures.
VMware NSX – The Platform for Network Virtualization
For the first time, switching, bridging, routing and firewall capability are built into the hypervisor, and realized in an integrated, distributed fashion at each virtual switch port. This delivers unprecedented granularity of visibility, security and control. The scale-out, integrated architecture, combined with the elimination of traffic hair-pinning, results in aggregate performance above 1 Tbps! NSX Controller clusters and the NSX Management layer abstract, logically centralize, pool and automate these functions, to enable real-time consumption by cloud management platforms and applications.
Overlays are used to decouple logical network services from the underlying network infrastructure. In addition, the VMware NSX platform leverages the broad adoption of VXLAN in commercial switching silicon to provide logical views of workloads and services attached to existing VLANs. We expect to continue to leverage partnerships with network vendors to create smart overlays that take advantage of additional capabilities in the network.
Applications can now take advantage of these abstractions to build logical networks to support their needs, as depicted here:
VMware NSX Architecture and Design
The VMware NSX solution resides in the virtualization layer, providing L2-L7 network services to the cloud consumption layer above, and mapping these services onto the physical infrastructure below. Independence between the cloud and virtualization layers is achieved by providing a REST API exposing the network services to any upstream provisioning platform. Likewise, vSwitch overlays such as VXLAN provide independence to deploy NSX on any physical IP network infrastructure.
This brings us to the network virtualization layer. For each capability, be it switching, routing or firewall, the services are provided via NSX APIs, and realized using a three-tiered design pattern encompassing the management plane, control plane and data plane. The NSX Manager internally maps the APIs onto the control plane. The controller cluster is the workhorse of the system, handling real-time mapping between the system’s desired state and its running state, which it communicates to the control plane agent(s) present in each hypervisor. This local information is then used to set up the appropriate switching, routing, or firewall tables and contexts. The corresponding data plane function then proceeds with high performance, in a scale-out fashion across the virtual plane. The following picture depicts the NSX architectural context and design pattern.
- Cloud Management Platforms or applications consume services logically, i.e. without awareness of the physical network
- The REST API abstracts underlying services; the Manager cluster maps services to the control plane
- The control plane consists of a master controller cluster delegating tasks to control plane agents in each hypervisor
- The agent performs the local task of activating the data plane action in the hypervisor, e.g. switching, routing or firewalls
- Overlays decouple the virtual plane from the underlying physical network fabric
- The network fabric provides connectivity to physical servers, hosting multiple VMs connected to a programmable vSwitch. IP connectivity is the only requirement of the physical network fabric
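To make the overlay decoupling described above concrete, here is an added example (not VMware’s code, and not part of the original post) that builds and decodes a VXLAN-encapsulated frame in the standard RFC 7348 layout: the physical fabric forwards only on the outer VTEP IP addresses, while the VNI and the tenant frame become visible only after decapsulation at the hypervisor. The VTEP addresses, MAC addresses and VNI are constructed sample values.

```python
import struct
from dataclasses import dataclass

VXLAN_PORT = 4789  # IANA-assigned UDP port for VXLAN (RFC 7348)

@dataclass
class VxlanFrame:
    outer_src_ip: str   # VTEP addresses: all the physical fabric routes on
    outer_dst_ip: str
    vni: int            # 24-bit logical segment id, seen only by the overlay
    inner_dst_mac: str  # tenant frame, carried opaquely across the fabric
    inner_src_mac: str
    inner_ethertype: int

def _ipv4_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))

def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def encapsulate(vni: int, src_ip: str, dst_ip: str, inner: bytes) -> bytes:
    """Wrap a tenant Ethernet frame in VXLAN/UDP/IPv4/Ethernet (checksums left zero)."""
    vxlan = bytes([0x08, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00"  # I flag set
    udp_len = 8 + len(vxlan) + len(inner)
    udp = struct.pack("!HHHH", 49152, VXLAN_PORT, udp_len, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0x4000, 64, 17, 0,
                     _ipv4_bytes(src_ip), _ipv4_bytes(dst_ip))
    eth = bytes.fromhex("aaaaaaaaaaaa") + bytes.fromhex("bbbbbbbbbbbb") + b"\x08\x00"
    return eth + ip + udp + vxlan + inner

def decode(pkt: bytes) -> VxlanFrame:
    """Parse outer Ethernet/IPv4/UDP and the VXLAN header; reject non-VXLAN input."""
    if pkt[12:14] != b"\x08\x00":
        raise ValueError("outer frame is not IPv4")
    ihl = (pkt[14] & 0x0F) * 4
    if pkt[23] != 17:
        raise ValueError("outer packet is not UDP")
    src, dst = ".".join(map(str, pkt[26:30])), ".".join(map(str, pkt[30:34]))
    udp = 14 + ihl
    if struct.unpack("!H", pkt[udp + 2:udp + 4])[0] != VXLAN_PORT:
        raise ValueError("UDP destination port is not VXLAN")
    vx = udp + 8
    if not pkt[vx] & 0x08:
        raise ValueError("VXLAN I flag not set; VNI field is invalid")
    vni = int.from_bytes(pkt[vx + 4:vx + 7], "big")
    inner = pkt[vx + 8:]
    return VxlanFrame(src, dst, vni, _mac(inner[0:6]), _mac(inner[6:12]),
                      struct.unpack("!H", inner[12:14])[0])

# Constructed sample: two tenant VMs on logical segment VNI 5001 whose hosts (VTEPs)
# sit on different physical subnets; the fabric only ever routes 10.1.x <-> 10.2.x.
TENANT_FRAME = (bytes.fromhex("005056000002") + bytes.fromhex("005056000001")
                + b"\x08\x00" + b"\x45" + b"\x00" * 19)  # minimal inner IPv4 header
SAMPLE = encapsulate(5001, "10.1.0.11", "10.2.0.12", TENANT_FRAME)
```

Running `decode(SAMPLE)` shows why a monitoring point in the physical fabric sees only a VTEP-to-VTEP UDP flow: tenant-level visibility and policy have to be applied where the frame is decapsulated, which is the hypervisor vSwitch port the distributed firewall sits on.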
VMware NSX – Delivering Network Services in the Software-Defined Data Center
Using the design pattern and architecture depicted above, we now have a unified network virtualization platform supporting several different stacks, including vSphere, vCloud Suites and OpenStack. It is now possible for application developers or cloud management platforms to leverage the power of network virtualization in real-time, to build n-tier apps on existing compute racks and network infrastructure. VMware NSX handles the underlying complexity, and solves key problems including VLAN/IP sprawl and manual provisioning, inflexible silos, security blind spots and end-of-row or perimeter choke points, while delivering high-performance network services.
The VMware NSX platform represents a major leap forward in the realization of the software-defined data center vision. VMware NSX network virtualization, leveraging advancement in x86 processors, server virtualization, distributed systems and cloud application development frameworks, is ushering in a new generation of networking in the data center.
There has been a tremendous amount of work and innovation going into VMware NSX. Thanks and kudos to the several teams that have worked tirelessly to bring the VMware NSX platform to market, including the early design partners who have helped shape this product.
Network virtualization is a profound development – as we begin to exploit virtualization further, more traditions will be challenged. We strongly encourage you to get started on the network virtualization journey with VMware NSX today. There are several sessions and labs at VMworld to gain further understanding and insight into the benefits of NSX and network virtualization, and more importantly – how customers are using these capabilities.
On behalf of the entire NSBU team at VMware, we look forward to seeing you all at VMworld, or in a data center near you!
Allwyn Sequeira, CTO/VP R&D, NSBU, VMware