Category Archives for "VMware Network Virtualization Blog"

Antrea Egress on vSphere 8 with Tanzu

Welcome to this new blog post series about Container Networking with Antrea. In this blog, we’ll take a look at the Egress feature and show how to implement it on vSphere with Tanzu.

According to the official Antrea documentation, Egress is a Kubernetes Custom Resource Definition (CRD) which allows you to specify which Egress (SNAT) IP the traffic from the selected Pods to the external network should use. When a selected Pod accesses the external network, the Egress traffic will be tunneled to the Node that hosts the Egress IP if it’s different from the Node that the Pod runs on, and will be SNATed to the Egress IP when leaving that Node. You can see the traffic flow in the following picture.

    Figure: Antrea Egress

When the Egress IP is allocated from an externalIPPool, Antrea even provides automatic high availability; i.e. if the Node hosting the Egress IP fails, another node will be elected from the remaining Nodes selected by the nodeSelector of the externalIPPool.

Note: The standby node will not only take over the IP but also send a layer 2 advertisement (e.g. Gratuitous ARP for IPv4) to notify the other hosts and routers on the Continue reading

Network Modernization Unlocks the Power of Modern Cloud Applications  

This is a guest post from IDC Analyst Brad Casemore.

Modern applications are more distributed than ever before, deployed variously across on-premises data centers, public clouds (IaaS), private clouds, and edge locations, and sometimes delivered as SaaS. While the primacy of these data-centric applications is undeniable and will only grow with the rise of artificial intelligence (AI), a failure to ensure the modernization of underlying network infrastructure can compromise and constrain an organization’s application-driven digital strategies. 

Needs of today 

Network modernization, especially within the context of cloud-native architectures and multi-cloud strategies, cannot be an afterthought for rapidly digitizing enterprises. As applications become the powerhouse behind digital success and competitive differentiation, organizations should consider investing in software-defined network infrastructure.  

A software-defined network infrastructure provides consistent network and security policies, operational simplicity, elastic scale, and ubiquitous visibility, with support for traditional and cloud-native applications spanning on-premises environments and clouds. 

Preparing for tomorrow 

Special consideration also must be given to the future networking needs of the organization, particularly in relation to how modern network infrastructure will provide inherent portable application layer networking for cloud-native applications through functionality such as ingress controllers, service meshes, and visibility into workloads Continue reading

Reference Architecture and Easy Deployment Design Guides – NSX 3.2 Update

We are excited to announce an updated version of the NSX Reference Design and the NSX Easy Adoption Design guide based on the generally available NSX-T release 3.2. NSX-T 3.2 is part of the recently released VCF 4.5 software bundle, making it a very popular release among our customers.

To support you in your network and security virtualization journey, we introduced the NSX-T reference architecture design guide with the NSX-T 2.0 release, showing how you should design your data centers with NSX-T. Over time we introduced additional design guides such as the NSX-T Multi-Location Design Guide (Federation + Multisite), the Easy Adoption Design guide, and the NSX-T Data Center and EUC Design Guide for more specific use cases.

These latest updates cover the new features included in the 3.2 versions and the design and implementation guidelines we developed working tightly with our customers on their NSX projects.

The NSX Reference Design guide version 3.2

This document is the most essential document for any NSX practitioner. Whether you are just starting with NSX or have already successfully implemented NSX in your environment, the NSX Reference Design guide provides a clear and detailed description Continue reading

Networking and Security in VMware Cloud on AWS: New Video Series

VMware Cloud on AWS provides a range of powerful security and networking capabilities. From enforcing granular security rules for traffic using NSX Advanced Firewall, to managing complex routes between your AWS environment and external resources via Transit Connect, there’s no shortage of tools available for supporting your business’s unique requirements when you leverage AWS as part of a VMware-based SDDC strategy. 

To showcase some of the most powerful security and networking features of VMware Cloud on AWS, we’ve prepared a set of short videos where Ron Fuller, Senior Technical Product Manager at VMware, explains how the features work and how to get started using them. If you’re looking for a quick introduction to key security and networking concepts that impact VMware Cloud on AWS workloads, these videos are for you. 

Keep reading for links to the videos, along with summaries of what you’ll learn from each one. We recommend watching the videos in order because Ron explains core Software-Defined Data Center (SDDC) concepts as he progresses through the videos, although viewers who are already familiar with SDDC may prefer to skip ahead. 

Video 1: Introduction to Security Tools in VMware Cloud on AWS 

Continue reading

Announcing Networking and Advanced Security Enhancement in NSX

We’re thrilled to announce the general availability of VMware NSX, another exciting release with updates in networking, security, and operations for private, public, and multi-clouds.

With this release, VMware NSX customers will be able to leverage accelerated NSX networking and security performance, enhanced network observability, and new network monitoring and troubleshooting features for increased flexibility.

NSX will also deliver enhanced threat detection and prevention capabilities, helping customers bolster network defenses to block advanced threats from moving laterally across multi-cloud environments.

Read on to get the details on our latest NSX release.

Distributed Malware Prevention

The NSX Distributed Firewall has added malware detection and prevention support for Linux guest endpoints (VMs). Linux has become the most common operating system across multi-cloud environments, powering more than 78% of the most popular websites. With the recent emergence of more Linux-specific threats, and current malware countermeasures being mostly focused on addressing Windows-based threats, there is an imperative to address the specific security needs of Linux machines. Adding Linux to our prevention solution enables the NSX Distributed Firewall to provide more effective prevention coverage and fewer false positives across multi-cloud environments.

In addition, we expanded the Continue reading

Enhanced NSX Edge and Networking Services in NSX

VMware NSX introduces exciting new capabilities and enhancements for virtualized networking and security for private, public, and multi-clouds. Check out the release blog for an overview of the new features.

Among these new features is NSX Gateway Stateful Active/Active Services. This feature delivers a key security enhancement, giving you the full power of the NSX Edge cluster for your services without worrying about bandwidth and CPU limitations. In this blog post, we’ll cover all the terminology you need to know for this new feature, as well as configuration and architecture, and design considerations.

Stateful Active/Active Services

Prior to this VMware NSX release, using any of the NSX services offered by VMware required you to set up NSX Edge Gateways in Active/Standby High Availability mode. Under this configuration, traffic is forwarded through a single (Active) NSX Edge Node. So, when designing the architecture, you needed to be aware of the limits imposed by the Active/Standby mode on the bandwidth and CPU (Central Processing Unit) utilization of the node.

With the release of NSX Stateful Active/Active Services, this consideration no longer applies. This new feature makes it Continue reading

TLS Handshake Acceleration with Tanzu Service Mesh

Performance and Security Optimizations on Intel Xeon Scalable Processors – Part 2


Manish Chugtu — VMware

Ramesh Masavarapu, Saidulu Aldas, Sakari Poussa, Tarun Viswanathan  — Intel


Intel and VMware have been working together to optimize and accelerate microservices middleware and infrastructure, using both software and hardware, so that developers have a best-in-class performance and low-latency experience when building distributed workloads, with a focus on improving performance, accelerating crypto, and making it more secure.

In Part 1 of this blog series, we looked at how Tanzu Service Mesh uses eBPF (in a non-disruptive manner) to achieve network acceleration by bypassing the TCP/IP networking stack in the Linux kernel, and we loved the interest shown and feedback we got for that. In this Part 2, we will deep dive and showcase how Intel and VMware have been working together to accelerate Tanzu Service Mesh (/Istio) crypto use cases (the mutual TLS use case) and improve the performance of asymmetric crypto operations by using the Intel AVX-512 Crypto instruction set that is available on 3rd Generation Intel Xeon Scalable processors.

Security is one of the key areas that service mesh addresses. In Tanzu Service Mesh, there are multiple security features that are Continue reading

Announcing Project Northstar: SaaS delivered Multi-Cloud Networking and Security

Multi-cloud architectures are becoming an increasingly central part of enterprise strategies for delivering applications reliably. In a VMware Digital Momentum Study of enterprise technology decision-makers, nearly 73% report they are standardizing on multi-cloud foundations to operate applications and infrastructure [1].

Multi-cloud infrastructure offers many benefits – such as the ability to scale quickly and increase reliability. By extension, multi-cloud deployments can help businesses:

  • Innovate and transform the customer experience
  • Scale and grow the business
  • Empower employee engagement and productivity

Yet, from an operational and technology perspective the multi-cloud presents a major challenge: Complexity. Rapid innovation and growth require the ability to deploy and manage workloads in any public cloud while providing the required service availability and scale. However, managing workloads and infrastructure on multiple clouds at once significantly increases the complexity of the network architecture connecting these applications and clouds. It also requires businesses to deploy complex security rules to protect lateral network traffic while having to rely on limited workload mobility and visibility and threat detection capabilities that do not scale.

Successfully adopting a multi-cloud infrastructure requires a means of taming the complexity that is inherent to multi-cloud.

Introducing Project Northstar

We are introducing Project Northstar, a new technology preview, Continue reading

Announcing DPU-based Acceleration for NSX

We’re delighted to announce that VMware NSX can now leverage DPU-based acceleration using SmartNICs. This new implementation allows VMware customers to run NSX networking and security services on DPUs, providing accelerated NSX networking and security performance for applications that need high throughput, low latency connectivity and security. The DPU-based implementation also enhances network observability across different workload types while simultaneously increasing the host resources available to applications.

DPU-based Acceleration for NSX is a result of Project Monterey, an initiative that VMware began two years ago. VMware is delivering on Project Monterey with VMware vSphere 8, announced this week at VMware Explore. Combined with other future innovations introduced by Project Monterey, such as the ability to support VMware Cloud Foundation (VCF) networking and storage for bare-metal workloads, DPU-based NSX acceleration will free up networking and security teams and developers more than ever from depending on generic host computing resources to power operations.

Figure 1: Solution Overview

While we’ll continue to offer full support for hypervisor-based NSX architectures, the option of running NSX on a DPU offers several major advantages for industries such as financial services, healthcare, government, and telecom providers that require accelerated network performance.

What is a DPU or Continue reading

VMware NSX Achieves Common Criteria Certification for Network Devices (NDcPP 2.2e)

We are excited to share that as of July 2022, VMware NSX-T version 3.1 has passed Common Criteria certification for Network Devices under Collaborative Protection Profile 2.2e, also known as NDcPP 2.2e. This is one of many testaments to our commitment to providing industry-leading certified solutions for customers from federal departments and agencies, international governments and agencies, and other highly regulated industries and sectors. Along with FIPS, DISA-STIG, ICSA Labs firewall certification, and several other independent evaluations, the NDcPP 2.2e certification validates NSX as a reliable network virtualization platform that satisfies rigorous government security standards.

VMware NSX 3.1 is now listed:

From the NIAP Security Evaluation Summary:

The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The criteria against which the VMware NSX-T Data Center 3.1 was evaluated are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1 rev 5. The evaluation methodology used by the evaluation team Continue reading

Tanzu Service Mesh Acceleration using eBPF

Performance and Security Optimizations on Intel Xeon Scalable Processors – Part 1


Manish Chugtu — VMware

Ramesh Masavarapu, Saidulu Aldas, Sakari Poussa, Tarun Viswanathan  — Intel


VMware Tanzu Service Mesh, built on open source Istio, provides advanced, end-to-end connectivity, security, and insights for modern applications—across application end-users, microservices, APIs, and data—enabling compliance with Service Level Objectives (SLOs) and data protection and privacy regulations.

The service mesh architecture pattern solves many problems, which are well known and extensively documented – so we won’t be talking about those in this blog. But it also comes with its own challenges, and the top focus areas that we will discuss in this series of blogs are:

  1. Performance
  2. Security

Intel and VMware have been working together to optimize and accelerate microservices middleware and infrastructure, using both software and hardware, so that developers have a best-in-class performance and low-latency experience when building distributed workloads, with a focus on improving performance, accelerating crypto, and making it more secure.

In Part 1 of this blog series, we will talk about one such performance challenge (with respect to service mesh data path performance) and discuss our solution around that.

The current implementation Continue reading

Announcing VMware HCX 4.4

VMware HCX continues to evolve with the release of HCX 4.4 which includes several key enhancements in multiple different areas. These enhancements are going to address new requirements, stabilize the current feature set and provide additional security. This blog aims to highlight the major changes in HCX 4.4.

Transport Analytics

Following the release of HCX 4.1, the HCX team undertook an effort to better understand how various aspects of a network underlay (including bandwidth, packet loss and latency conditions) affect migration outcomes. We called this effort the Network Underlay Characterization for HCX.

During the 4.2 release, the characterization exercise enabled us to officially support services over VPN/SD-WAN, along with the Network Underlay minimum requirements to support any underlay agnostically. We also published a detailed tech paper (see Network Underlay Requirements and HCX Performance Outcomes). This document guides the reader through the characterization exercise (manually, using command line tooling).

HCX 4.4 adds Transport Analytics to HCX, allowing the user to run performance baselining for the HCX service transport on demand, and visualizes transport performance in real time and as time-series graphs.

This enables the migration administrator to understand the network underlay conditions reflected in the transport and plan Continue reading

10 Reasons Why Customers Choose VMware NSX to Automate Networking and Security

By now, you’ve probably heard about why you should automate network management. Not only does automation save time and effort, but it also reduces risk. As Gartner notes, for instance, organizations that automate about 70 percent of their network change management operations will see a 50 percent reduction in outages. They’ll also cut in half the time it takes to roll out new services.

The bigger question many teams face surrounding network automation, however, is how to automate. With so many tools on the market that promise to help automate networking and security, which solution is the best fit for your needs? What should you look for from an automation lens when considering a networking platform?

To provide clarity on those questions, we’ve put together a list of the reasons why customers choose VMware NSX in order to deploy applications at scale with greater speed, efficiency, and security. VMware NSX, the platform for network virtualization, provides instant and programmatic provisioning for fast, highly available, and secure infrastructure. The automation capabilities of NSX listed below maximize time savings and minimize risk when managing distributed, multi-cloud environments. Continue reading

Navigating NSX Module in PowerCLI 12.6

With the release of PowerCLI 12.6, a new module, VMware.Sdk.Nsx.Policy, was added to provide PowerShell bindings for the NSX Policy Manager APIs. This new module is auto-generated from the NSX Policy API spec, exposing all the features related to policy objects in NSX. The module also exposes cmdlets to Create/Edit/Delete NSX objects. This blog explains the use of the PowerCLI NSX module, goes through all the different ways the new cmdlets can be found, and shows how to view documentation on the cmdlets with examples.

Navigating the new cmdlets

Along with the cmdlets to connect, disconnect and modify the NSX objects, there are a few helper cmdlets that make looking up new relevant cmdlets very easy.

The first one is Get-NsxOperation. This is a new feature in VMware.Sdk.Nsx.Policy and is ideal when you need to find the PowerCLI command that corresponds to an API operation, and vice versa. You can also narrow down the search result using Where-Object and Select-Object filters.


Get-NsxOperation -Method GET -Path '/infra/segments'

Since the cmdlet by default returns all paths that start with /infra/segments, you can also limit the search to an exact match with a client-side filter:

Get-NsxOperation -Method get  Continue reading

NSX-T 3.2.1: Rolling Upgrade for NSX Management Plane

VMware NSX 3.2.1 continues to deliver enhancements for improving the VMware NSX upgrade process, including rolling upgrades that shorten upgrade maintenance windows and improved visibility into the NSX upgrade progress.

During the upgrade, the management plane will always be available, and normal operations (i.e., API calls, configuration changes, adding and removing Transport Nodes) can be performed. If an issue occurs during the upgrade, users can roll back to the previous release without deploying a new NSX cluster and restoring a backup. The rolling upgrade feature applies only to the NSX Manager portion of the upgrade. In other words, the sequence of the NSX component upgrades remains in the following order: NSX Upgrade Coordinator upgrade, NSX Edge upgrade, Host upgrade, then the NSX Manager upgrade.

How Rolling Upgrade works

Prior to the NSX 3.2.1 release, all the manager nodes in the management cluster were upgraded simultaneously. The advantage of the parallel upgrade is that it takes less time to upgrade the management plane. The tradeoff is that the management plane will not be available for a period during the upgrade process. With the rolling upgrade, the manager nodes are upgraded sequentially. During the management upgrade Continue reading

Migrate from Cross-VC to Federation using NSX-T Migration Coordinator

NSX-T 3.2.1

With the VMware NSX-T 3.2.1 release, Migration Coordinator adds one more game-changing feature: migrating from multisite NSX for vSphere deployments directly to NSX Federation. This feature builds on top of the User Defined Topology mode of migration. Folks familiar with the User Defined Topology will find the workflow similar, following the same simple model.

In this blog post, we will look at this new feature and how to leverage it. Please check out the resource links for more information on Migration Coordinator. Here, we will start with a high-level overview before digging into the details.

Migration Coordinator

Migration Coordinator is a tool that was introduced around 3 years ago, with NSX-T 2.4, to enable customers to migrate from NSX for vSphere to NSX-T. It is a free fully supported tool that is built into NSX-T. Migration Coordinator is flexible with multiple options enabling multiple ways to migrate based on customer requirements.

With the NSX-T 3.2 release, Migration Coordinator offered three primary modes for migration:

  1. Migrate Everything: From edges, to compute, to workloads — in an automated fashion and with a workflow that is like an in-place upgrade on existing hardware. This mode only needs enough resources to host NSX-T manager appliances and edges along Continue reading

Business Agility and Continuity with NSX Federation and Traceflow

Resilient application architectures have evolved quite significantly over the years. It is increasingly more common for Enterprises to deploy multiple data centers to support flexible workload placement and redundancy to achieve application and network high availability.

Here, we discuss key reasons to deploy multiple data centers and how NSX Federation and the recently introduced traceflow support simplify associated infrastructure strategy and implementation.

Workload Placement and Mobility

Applications and the associated infrastructure (compute, storage, networking, and security) are deployed in multiple locations to support workload mobility between these locations for use cases such as Data Center migration and Disaster Recovery testing.

    Figure: Multi-Cloud Mobility

Data Center Expansion

In this scenario, IT runs out of capacity at a location (rack, building, site) and wants additional capacity at a different location for hosting new applications. Capacity can be of different types such as compute (servers), and/or storage, and/or network (bandwidth).

    Figure: Multi-Cloud Growth

Disaster Avoidance / Disaster Recovery

This is a scenario where you lose one of your locations completely (rack, building, site) and you need to maintain the availability of your application services (compute, storage, network and security).

    Figure: Multi-Location DR

Simplifying Deployment and Operations with NSX Federation

Continue reading

Tips for Putting Zero Trust into Practice in Kubernetes-Based Environments

If you work in IT, you’ve probably heard lots of talk in recent years about “zero trust,” a security strategy that requires all resources to be authenticated and authorized before they interact with other resources, rather than being trusted by default.

The theory behind zero trust is easy enough to understand. Where matters tend to get tough, however, is actually implementing zero-trust security and compliance, especially in complex, cloud-native environments.

Which tools are available to help you enforce zero-trust security configurations? What does zero trust look like at different layers of your stack – nodes, networks, APIs and so on? What does it mean to enforce zero trust for human users, as compared to machine users?

To answer questions like these, we’ve organized a webinar, titled “Zero Trust Security and Compliance for Modern Apps on Multi-Cloud,” that will offer practical guidance on configuring a zero-trust security posture in the real world.

The one-hour session will focus in particular on enforcing zero-trust in Kubernetes-based environments, with deep dives into the following:

  • How to protect human and machine users in Kubernetes using a zero-trust model.
  • Meeting Kubernetes data privacy and compliance requirements through zero trust.
  • Securing user-to-app communications with zero-trust networking policies Continue reading

VMware named a Leader in Cloud Networking in GigaOm Radar Report

We’re delighted to report that GigaOm, a global provider of technology industry insights and analysis, has placed VMware in the leader ring in the GigaOm Radar Report for Cloud Networking 2022. In the leader ring, VMware is placed in the Platform Play and Maturity quadrant. This is a testament to the robustness of VMware’s cloud networking solution and its leading position in the cloud networking space. Click here to download the complete report.

Noting VMware’s broad portfolio of networking solutions, which covers the entire network stack and includes native network features for observability, micro-segmentation, and beyond, GigaOm says that VMware is in a leading position to help enterprises with complex networking requirements “modernize and optimize their infrastructure.”

Cloud Network Evaluation Criteria

The report evaluates 11 vendors that provide tools or platforms to help build and operate cloud networks. They include major enterprises like VMware, as well as several smaller companies.

GigaOm assessed the vendors on a variety of criteria, including:

  • Network traffic security and micro-segmentation.
  • Observability.
  • Troubleshooting and diagnostics.
  • Optimization and autoscaling.
  • APIs and IaC integration.
  • Application-aware infrastructure.
  • Solution management.

VMware received a triple-plus score – the highest evaluation possible – for most of the categories given above.

Continue reading

Multi-Tenancy Datacenter with NSX EVPN

The data center landscape has radically evolved over the last decade thanks to virtualization.

Before Network Virtualization Overlay (NVO), data centers were limited to 4096 broadcast domains which could be problematic for large data centers to support a multi-tenancy architecture.

Virtual Extensible LAN (VXLAN) has emerged as one of the most popular network virtualization overlay technologies and has been created to address the scalability issue outlined above.

When VXLAN is used without MP-BGP, it relies on flood-and-learn behavior to map end-host location and identity. The VXLAN tunneling protocol encapsulates a frame into an IP packet (with a UDP header) and therefore can leverage Equal Cost Multi-Path (ECMP) on the underlay fabric to distribute the traffic between VXLAN Tunnel Endpoints (VTEPs).

Multi-Protocol BGP (MP-BGP) Ethernet VPN (EVPN) allows prefixes and MAC addresses to be advertised across a data center fabric, eliminating the flood-and-learn behavior of the VXLAN protocol, while VXLAN is still used as the encapsulation mechanism to differentiate the traffic between tenants or broadcast domains.

A Multi-Tenancy infrastructure allows multiple tenants to share the same computing and networking resources within a data center. As the physical infrastructure is shared, the physical Continue reading
