Brad Hedlund

Author Archives: Brad Hedlund

Demo: Cloud Networking with Overlapping CIDR, L7 Firewalls, Segmentation, and Flow visibility

I created a live demo showing some cool capabilities of the Aviatrix Cloud Networking Platform. In this demo I play the role of a SaaS provider that onboards new customers via VPN, and needs to meet the following requirements:

  • Easily onboard new customers even if their IP addressing overlaps with the SaaS provider.

  • Provide secure segmentation and isolation between customers.

  • Easily insert next gen firewalls between the customers and the SaaS for deep packet inspection and threat analysis.

  • Have complete flow level visibility of customer network traffic, and operation tools to diagnose and troubleshoot problems.

  • Provide end-to-end encryption to secure sensitive data in flight.

  • And be able to meet all of these requirements using any cloud provider.

In the demo I show how easy it is to meet requirements like these using Aviatrix. And best of all, no matter which cloud provider(s) you’re using, the solution and architecture are exactly the same. This SaaS provider can use the services and global footprint of any or all cloud providers, and do it with a consistent, repeatable architecture.

You can leave comments on this post where I shared it on LinkedIn.

Is there a particular scenario you want to see in a […]

Notes on Aviatrix

Miscellaneous notes on Aviatrix.
Usually updated on Fridays.
New and updated notes are placed at the top.


Updating the Aviatrix Controller IAM Policy:
When deploying the Aviatrix controller in AWS for the first time, the AWS CloudFormation template that launched your controller may not have the most current IAM policy definitions for the IAM roles it creates for the controller to use. To remedy this, right after your controller is launched and you’ve logged on for the first time, do the following:

  1. Define your Primary access account. Go to Onboarding > AWS > Create Primary Access Account. This is the AWS account that your controller lives in.
  2. Now go to Accounts > Access Accounts. Highlight the Primary access account you just created and click “Update Policy”. This will update the IAM policy applied to the IAM roles your controller will be using to the latest and greatest.

How to use an AWS ACM Certificate with your Aviatrix controller:
To apply an ACM public certificate to your UI sessions with the Aviatrix controller you’ll need to use a Load Balancer and attach your certificate to it. Here’s what I did:

  1. Create a Network Load Balancer (NLB)
  2. Create a TLS:443 listener on […]

It’s time for Enterprise Cloud Networking

It’s time to get things cranking here again and a big topic is going to be enterprise cloud networking. What I mean by that in simple terms is how an enterprise can use the networking services of cloud providers to build, migrate, and run their most important applications in the cloud.

Over the last 6 years a lot has happened in the shift to public cloud. I don’t need to explain that to you. We already know that building and migrating applications in/to the cloud is what the world is doing – and for reasons that no longer need explaining.

What’s more interesting now is that the term “the cloud” used to mean one thing: Amazon Web Services. Six years ago, when you said to somebody, “Yeah, so, we are going to migrate this application to the cloud.” – nobody asked what cloud you were talking about and why.

And in the very same stride “cloud networking” implied AWS Networking. If you told somebody that you were a cloud network architect, nobody questioned that either. It meant that you knew AWS VPC, Direct Connect, Route 53, NAT Gateways, Security Groups, VPC subnets and route tables, the various AWS instances […]

Going Over the Edge with your VMware NSX and Cisco Nexus

Hey! Cisco Nexus peeps! What could possibly be more fun than connecting your awesome new NSX gear to your Cisco Nexus gear? For the life of me I really don’t know. All right then. Let’s do it!

Let’s kick things off with this email question I received from a reader.

Hi Brad, In our environment we have two prevailing server standards, rackmounts and UCS. I read your excellent NSX on UCS and 7K design guide and the section on not running routing protocols over the vPC links makes sense. My related question concerns how we can achieve a routing adjacency from the NSX Distributed Router to the N7K with a rack mount with 2x10GbE interfaces connecting to 2x7Ks via vPC? (we don’t use the NSX Edge Router).

This reader has politely pointed out that my VMware NSX on Cisco UCS and Nexus 7000 design guide could have provided a bit more detail on NSX Edge design. I totally agree. There’s no time like the present, so let’s dive into that now and stir up some content that might end up in the next version of the guide.

All right. We won’t worry too much about the form factor of the […]

A tale of two perspectives: IT Operations with NSX

This year I had the honor and privilege to co-present a session at VMworld 2014 with my esteemed colleague Scott Lowe. As many of you know, Scott is a celebrity at VMworld, one of the most famous virtualization bloggers, and the author of many best-selling books on VMware vSphere.

In this session Scott and I pretended to be colleagues at a company that decided to deploy VMware NSX for their software-defined data center. I played the role of the “Network Guy”, and of course Scott played the role of the “Server Guy”. So then, how do we work together in this environment?

  • How do we gain operational visibility into our respective disciplines using existing tools?
  • How do we preserve existing roles and responsibilities?
  • What opportunities exist to converge operational data for cross-functional troubleshooting?
  • How does the Network team gain hop-by-hop visibility across virtual and physical switches?
  • How can the Network and Server teams work together to troubleshoot issues?

These are just some of the questions we attempt to role play and answer in this 35-minute session:

***Update: this VMworld session video was removed from YouTube by VMware and is no longer available.***

On choosing VMware NSX or Cisco ACI

Are you stuck in the middle of a battle to choose VMware NSX or Cisco ACI? In this post I’ll attempt to bring some clarity and strategic guidance in first choosing the right path, then propose how the two technologies can co-exist. I’ll start with the message below from a reader asking for my opinion on the matter:

Hi Brad,

I’m involved in a new Data Center networking project where Cisco is proposing the Cisco ACI solution. I am starting to dig in to the technology, but my immediate “gut reaction” is to use Cisco for a standard Clos-type Leaf and Spine switch network and use NSX for providing Layer 3 to Layer 7 services.

I am interested in hearing your opinion about Cisco ACI versus VMware NSX, since you have worked for both companies. If you have time, it would be great to share your views on this subject.

As you can imagine, this is a highly political discussion and our network team are Cisco-centric and resisting my ideas. We are a VMware/Cisco shop and I want the best fit for our SDDC strategy.

For the sake of discussion, let’s assume that your IT organization wants to optimize for better […]

Demo: End to end, hop by hop, physical and virtual network flow visibility with NSX

You’ve probably heard it before. The myth goes something like this: “With software based overlays, troubleshooting in real-time where a flow is going with ECMP hashing on the fabric is going to be a real problem.” The implied message being that this can only be possible with special hardware in a new proprietary fabric switch.

I’ve heard this one a number of times, usually while seated comfortably in a session presented by a vendor who’s invested in the failure of software-centric network virtualization such as VMware NSX. As if this person has never heard of NetFlow? Or maybe they assume you won’t bother to do the research, connect the dots, and in fact discover all that is possible.

Well, guess what? I decided to do the research :-) And I put together a short demo showing you just how simple it is to get this troubleshooting capability with generally available software, using any standard network switch, constructed in any standard fabric design (routed Leaf/Spine, L2 with MLAG, etc).

I presented this demo to the VMworld TV crew and embedded it here for your convenience:

How does it work?

It’s really simple, actually. Here’s what I explain in the video:

The […]

An introduction to Zero Trust virtualization-centric security

This post will be the first in a series that examines what I think are some of the powerful security capabilities of the VMware NSX platform and the implications for the data center network architecture. In this post we’ll look at the concepts of Zero Trust (as opposed to Trust Zones), and virtualization-centric grouping (as opposed to network-centric grouping). Note: […]