Petya Petrova - Fotolia


Pick up the pace with VMware NSX network virtualization

NSX network virtualization enables users to take advantage of the speed, efficiency and security of the software-defined data center.

The software-defined data center has been a popular phrase in the IT world for a number of years, and many customers have already acknowledged the benefits of embracing server and storage virtualization. By contrast, the data center network has not kept pace and remains rigid, complex and proprietary.

These days, servers and storage can be quickly provisioned, are easy to manage and are flexible in changing resource requirements on demand. However, these advantages are erased when placed in the full context of the data center because the virtual machine is still bound to the physical network and security device, anchoring you to vendor-specific hardware and topologies.

Network services still require manual provisioning, which can take a long time. This directly impacts application deployment times because applications need compute, storage and networking resources. The need to ensure that changes to the network for one application do not adversely impact other applications further compounds complexity and risk.

The bottom line is that the network is usually the last barrier to fully leveraging virtualization.

VMware NSX network virtualization

All intelligence within a software-defined data center (SDDC) resides in the software layer, which makes you less dependent on hardware devices. This gives you a lot more flexibility and allows you to start automating your data center by creating software policies to deploy resources or workloads.

The VMware NSX network virtualization platform allows data center operators to treat their physical network as a pool of transport capacity that can be consumed and repurposed on demand. Just as a VM is a software container that presents logical CPU, memory and storage to an application, a virtual network is a software container that presents logical network components to connected workloads -- logical switches, routers, firewalls, load balancers, virtual private networks (VPNs) and more.

Virtual networks are programmatically created, provisioned and managed, utilizing the underlying physical network as a simple packet forwarding backplane. Network services are distributed to each VM independent of the underlying network hardware or topology. This means workloads can be dynamically added or moved, and all of the network and security services attached to the VM move with it, anywhere in the data center.

Under a legacy approach to security, policies are applied to static and rigid groups that are defined by the network topology and expressed as security zones, IP subnets or virtual local area networks (VLAN). The problem with this approach is that it assumes very little -- if any -- change is going to take place in the data center, either through provisioning new applications, moving workloads or changing IP addresses. Because workloads in the data center do, in fact, change frequently, this legacy approach is slow to adapt and often leads to security vulnerabilities due to the time it takes for manual intervention.

VMware NSX network virtualization allows you to decouple the network control plane from the underlying physical hardware, which means each workload or VM is no longer chained to the physical switch port through which it communicates. Traditional networks require VLAN configuration and all other network services to be tied to a switch port. When a VM migrates between hosts, this network information must be manually configured on every switch through which the VM can communicate. NSX ties network configuration to the actual VM and, as this VM transitions across hosts, the network settings follow without the need for configuration of the physical switch ports.

NSX can understand a customers' workload because the network services reside within the hypervisors' kernel. This means that NSX has visibility into the physical compute and network as well as the virtual environment. This deeper understanding of workload attributes enables end users greater granular control with a dynamic and more intelligent way of applying network and security policies. Now, instead of grouping based on where something resides in the network -- for example, which switch port it's connected to -- we can group based on how it's used or on the specific characteristics of that workload such as the OS version, hostname, the services provided or who needs access to it.

Additionally, NSX creates policies to automatically remediate or determine a course of action if certain security attributes are detected. For example, if a virus or malware is detected on a VM, then NSX can automatically quarantine that VM by placing a firewall around it. Without NSX, this would require a manual scan and manual firewall rule changes to isolate the security risk, which could take hours or days. Another example would be managing unsupported OSes; traditionally, it could take weeks or months to access each individual server manually, identify the OS installed and create a policy to restrict access for each server. With NSX, a policy can be created to identify a group based on which OS is running on a VM and then secure that group immediately, all within a couple of minutes.

Key features of VMware NSX

NSX network virtualization use cases

VMware recently made changes to NSX's licensing model. Originally, NSX was only available as a single edition -- it was an all-or-nothing approach to software-defined networking which customers found too restricting. VMware has taken feedback from customers and partners into consideration and has amended their licensing model so that NSX is available in three editions, based on three main use cases. The Standard Edition automates IT workflows, bringing agility to the data center network and reducing network operating costs and complexity. Standard Edition includes virtual networking and multi-tenant cloud capabilities, and automatically deploys network services via vRealize Automation.

The Advanced Edition provides all of the same capabilities as the Standard Edition plus a fundamentally more secure data center with the addition of microsegmentation. Microsegmentation ensures data center and virtual desktop infrastructure security to the highest level. The Advanced Edition also automates IT provisioning of security and allows for third-party integration with the likes of Trend Micro, Palo Alto Networks, Check Point and others. The Enterprise Edition offers the same features as the Advanced Edition, as well as networking and security across multiple domains. This enables the data center network to extend across multiple sites and connect to high-throughput physical workloads. The Enterprise Edition includes multisite NSX deployments, disaster recovery and hybrid cloud networking.

If you're only interested in virtual network benefits like collapsing the switching and routing into the kernel, shortening network provisioning times and automating network configuration, the Standard Edition should be sufficient. In reality, the majority of customers will likely purchase the Advanced Edition to gain access to security features such as distributed firewall, which allows them to implement microsegmentation. Third-party integration is another perk that will drive customers to the Advanced Edition.

Microsegmentation is currently the driving force behind NSX adoption because most traditional data centers still rely on a perimeter firewall for defense. Though this may prevent the majority of attacks, once a perimeter firewall is breached there is limited lateral control to prevent malicious traffic from traversing a data center. Over half of data traffic now runs east-west within a data center, and NSX provides visibility and control to this type of traffic movement.

Over the past year VMware has dedicated much of its focus to NSX, and recent software licensing changes have helped entice customers by introducing a lower entry point. Since NSX is an overlay product, it does not require users to make major changes to their existing network infrastructure, giving customers a shortcut to adopting a software-defined network.

In summary, customers adopt NSX because they want the agility, efficiency and security of the SDDC. They want to bring the benefits of compute and storage virtualization to the entire data center, and virtualizing the network has helped customers move the SDDC from concept to reality.

Next Steps

Building the foundation for VMware SDDC

Why are SDDC adoption rates lagging?

VMware's NSX roadmap charts a course for SDDC

Dig Deeper on VMware and networking