WHITE PAPER Where Network Fits Into Data Center Initiatives

The Role of Network Virtualization in the Modern, Secure Data Center and in Hybrid Cloud Strategies

Table of Contents

Supporting the Velocity of Business Change with Network Virtualization

What Would You Virtualize in Your Network?

How Network Virtualization Fits Into Your Existing Physical Network
  Leverage What You Have Rather Than Rip and Replace
  Physically Fit and Not Locked In

How Network Virtualization Fits Into Software-Defined Data Center
  Security with Micro-Segmentation
  IT Automation
  Application Continuity

VMware NSX: The Leading Network Virtualization Platform
  A True Network Virtualization Platform vs. Virtualization Features
  “Any” Thing Is Possible
  Iron Is Slow to Grow, While NSX Network Virtualization Is Exponentially Speedy
  Integrated Best-of-Breed Networking and Security Services

Conclusion

Supporting the Velocity of Business Change with Network Virtualization

For years, the networking infrastructure has been referred to as the “plumbing” of the enterprise. Certainly routers and switches have become incredibly sophisticated over the years. But increasingly, the constraints of physical networks are being exposed by the management, agility, scalability and security demands required for hybrid cloud strategies and the modern, secure data center.

When you enter the world of network virtualization, the pace of change accelerates. You can transform data center economics and operations. The obstacles of physical networks vanish, while all of your physical transport capacity becomes simpler and easier to use.

The result is a transformative model with service delivery that matches the velocity demands of today’s businesses.

When a technology fundamentally changes an old model to support new strategies, it is natural to ask, “Where does this fit into my data center initiatives?” In this paper, we look at where network virtualization fits with these IT goals:

• Reducing the cost and complexity of existing physical infrastructure assets (without disrupting your existing infrastructure)

• Accelerating (and simplifying) private and hybrid cloud initiatives

• Improving data center security, automation and applications continuity

• Moving towards the Software-Defined Data Center (SDDC)

What Would You Virtualize in Your Network?

Network virtualization is conceptually very similar to server virtualization (see Figure 1).

[Figure 1 diagram, labels only: Application Workload (x3); x86 Environment; Software L2, L3, L4-7 Network Services; Server; Decoupled; Network Virtualization Platform; Requirement: x86; Requirement: IP Transport; Hardware; Physical Compute and Memory; Physical Network]

Figure 1: Network virtualization is similar to server virtualization, with equally impressive benefits.

With server virtualization, a software abstraction layer (server hypervisor) reproduces the familiar attributes of an x86 physical server (e.g., CPU, RAM, Disk, NIC) in software, allowing them to be programmatically assembled in any arbitrary combination to produce a unique virtual machine (VM) in a matter of seconds.

With network virtualization, the functional equivalent of a “network hypervisor” reproduces the complete set of Layer 2 to Layer 7 networking services (e.g., switching, routing, access control, firewalling, QoS, and load balancing) in software. As a result, they, too, can be programmatically assembled in any arbitrary combination, this time to produce a unique virtual network in a matter of seconds.

Not surprisingly, similar benefits are also derived. For example, just as VMs are independent of the underlying x86 platform and allow IT to treat physical hosts as a pool of compute capacity, virtual networks are independent of the underlying IP network hardware and allow IT to treat the physical network as a pool of transport capacity that can be consumed and repurposed on demand.

How Network Virtualization Fits Into Your Existing Physical Network

In retrospect, it may seem like compute virtualization happened overnight. But compute virtualization with VMware vSphere® was never an “all or nothing” proposition. IT organizations appreciated the fact that virtualizing servers with VMware was low risk, incremental and non-disruptive. The same tenets (low risk, incremental and non-disruptive) hold for network virtualization as architected by VMware. This is why network virtualization has moved up so quickly on the IT agenda.

Leverage What You Have Rather Than Rip and Replace

IT organizations would rather not be forced to rip and replace the physical network in order to realize the benefits of agility, automation, and security. The right network virtualization technology should be a completely non-disruptive solution, which means:

• Requires no changes to existing applications and workloads

• Allows you to incrementally implement virtual networks at whatever pace you choose (without any impact to existing applications and network configurations)

• Extends visibility to existing networking monitoring and management tools to deliver increased visibility into virtualized networks

In addition to being non-disruptive, network virtualization can help increase IT uptime and agility by enabling networking professionals to perform fewer activities that are manual and error-prone (as shown in Figure 2). For example:

• Provisioning: Manipulating a multitude of VLANs, subnets, firewall rules, load balancers and ACL, QoS, VRF and MAC/IP tables; in an enterprise network, provisioning also involves multiple vendor-specific command-line interfaces (CLIs), exacerbating the “time and error” problem.

• Ongoing change management: Painstaking box-by-box tasks required to ensure that changes to the network for the placement and mobility of one application do not adversely impact other applications.

This can free up valuable time for senior networking professionals for strategic data center initiatives, such as global network architecture design and traffic engineering.

[Figure 2 diagram, labels only: Virtual Network; Hypervisor and Virtual Switch (x2); Existing Physical Network: Simplified IP Backplane, No VLANs, No ACLs, No Firewall Rules]

Figure 2: Network virtualization preserves but greatly simplifies the existing physical network. At the virtualization level, you gain the ability to define policies for applications continuity with QoS, uptime and performance. With micro-segmentation, you can create pervasive, granular and adaptable security to protect the data center.

Physically Fit and Not Locked In

Network virtualization actually opens up more possibilities for hardware and vendor choices. Because the physical network is only required for reliable high-speed packet forwarding, you have the freedom to pick the right products without being held captive by compatibility restrictions. It gives IT greater freedom in hardware choices going forward—which is not something that traditional network vendors are keen to see.

What does that mean for the future? It means that you can support next-generation fabrics and topologies from any vendor. Imagine the ability to follow your own roadmap for success, rather than letting a single vendor set your agenda or pace.

How Network Virtualization Fits Into Software-Defined Data Center (SDDC)

With network virtualization, you can achieve the operational model of a VM for the entire data center. You can programmatically create, snapshot, store, move, delete and restore entire applications environments with the same simplicity and speed that you spin up a VM. Create any network topology in minutes or even seconds.

Generally, companies have a specific problem to solve when they start down the path of network virtualization. So what might send network virtualization to the top of your agenda? Let’s look at three of the most common problems that network virtualization solves easily.

Security with Micro-Segmentation

Data center security is a major concern for IT. Security breaches within the walls of the data center continue to escalate, along with the costs of loss and remediation. The average company experiences two successful attacks each week, according to a global survey by PriceWaterhouseCoopers.[1]

Security administrators are under pressure to secure workloads faster. The new model for data center security will be: a) software-based, b) use the principle of micro-segmentation, and c) embrace a Zero Trust[2] (ZT) model. The ZT model says that in a more virtualized world there should be no distinction between trusted and untrusted networks or segments—protection must be pervasive and granular. In order to build a ZT model, you need a virtualized network that provides micro-segmentation.


[1] Global State of Information Security Survey 2015, PriceWaterhouseCoopers, 2014
[2] Leverage Micro-Segmentation to Build a Zero Trust Network, Forrester Research, 2015

Micro-segmentation is not about “building up” but “infusing into.” It’s analogous to how plants can be engineered at the molecular or cellular levels for pest and disease resistance. That’s why VMware describes micro-segmentation as the ability to “build security into your network’s DNA.”

Security policies are enforced by firewall controls that are integrated into the hypervisors already distributed throughout the data center. That means you have an instantly ubiquitous security blanket across the data center. And because of its place in the hypervisor, network virtualization is close enough to the applications and workloads to have rich context, yet removed enough to isolate these assets from threats.

Security policies are tied to your virtual network, VMs, and , down to the virtual network interface card. You can create fine-grained policies that simply aren’t possible with conventional physical firewalls. Security policies can be updated in seconds—and even automatically—to respond to security threats or changes in application topologies.

Because policies are tied to VMs, rather than VLANs or IP addresses, policies automatically move with the workload. Keeping policies synchronized with workloads not only simplifies administration, it eliminates gaps that can create vulnerabilities.

You can manage literally thousands of virtual firewalls as one firewall from a single “pane of glass.” Administrators can automate workflows, policies and rules from that single pane of glass and then propagate configuration changes to every in seconds. In other words, network virtualization enables distributed security policy enforcement with centralized management.

IT Automation

In large data centers, manual processes for routine tasks drain IT budgets and strain administrators already stretched thin. Manual processes are also prone to human error and variability from one administrator to another. Any task that has to be performed manually is an anchor holding back agility and scalability.

Network virtualization makes automation practical and easy for a variety of labor-intensive tasks, including:

• Provisioning

• Configuration Management

• Updating security policies when workloads move or are decommissioned

Let’s take a closer look at how automation applied to provisioning can reduce operational expense, accelerate time-to-market, and speed IT service delivery: With network virtualization, a network engineer can create a template for a multi-tier application for development purposes. The environment can then be provisioned to an application developer in a matter of seconds via a self-service portal. The same can be done for quality assurance (QA), staging and production environments—across hybrid clouds and multiple applications and services—with consistent configuration and security.

Application Continuity

Keeping applications up and running is one of the top mandates of IT organizations. With hardware-based networks, it is cost-prohibitive to completely reproduce the network topology and services in a secondary location. Instead, the current practice is to create a “good enough” version.

With network virtualization, you can snapshot a complete application architecture (with no compromise in functionality), send a copy to the backup site, and use it to restore the virtual network in seconds—on any hardware.

VMware NSX: The Leading Network Virtualization Platform

Where does VMware NSX® fit in the field of vendors offering network virtualization capabilities? VMware has the largest installed base of any network virtualization platform. As more enterprises and service providers adopt the SDDC model, VMware is the company that understands the people, processes, tools and technology implications of network virtualization better than any other vendor.

A True Network Virtualization Platform vs. Virtualization Features

As shown in Figure 3, NSX is a full network virtualization platform.

[Figure 3 diagram, labels only: Any Application; Virtual Networks; Any Cloud Management Platform; NSX Network Virtualization Platform (Logical Firewall, Logical Load Balancer, Logical VPN, Logical L2 Switch, Logical L3 Router); Any Hypervisor; Any Network Hardware]

Figure 3: VMware NSX reproduces the entire network model in software (e.g., switching, routing, firewalling, load-balancing, VPN, etc.), enabling any network topology—from simple to complex multi-tier networks—to be created and provisioned in minutes or even seconds without modifying the application.

Some solutions that are touted as offering network virtualization only offer virtualization in specific and even restricted ways. Software-Defined Networking (SDN) is a perfect example. SDN is actually an umbrella term for several technologies aimed at better managing hardware boxes, such as switches. SDN accommodates virtualization where necessary, but it is not a network virtualization model. It is hardware that leads the SDN model, and virtualization is a supporting player. Which is why so many of the constraints of physical networks are not solved with SDN.

“Any” Thing Is Possible

VMware describes the brave new architecture for IT: One Cloud, Any Application, Any Device™. VMware’s SDDC creates a unified hybrid cloud from private, public and managed clouds and business mobility. All of these resources can be governed from one unified Cloud Management Platform (CMP). Which means you can use this enormous reservoir of resources to rapidly develop, automatically deliver and manage all of your enterprise applications, no matter where they reside. The end goal is to deliver high-value outcomes to your organization.

One of the strengths of the VMware NSX platform is the depth and breadth of problems it can solve. No matter what the primary reason might be for adopting network virtualization today, you have a platform that can take you far in the future.

Iron Is Slow to Grow, While NSX Network Virtualization Is Exponentially Speedy

The NSX network virtualization is architected for connectivity in the era of cloud computing and the Internet of Things. The economics of this degree of connectivity is simply not feasible when you are dependent upon hardware to scale the network. For example, with NSX:

• Virtual network capacity scales linearly (alongside VM capacity) with the introduction of each new x86-based hypervisor/host adding 40 Gbps of switching and routing capacity and 30 Gbps of firewalling capacity

• The processing required for execution of distributed network services is only incremental to what the vSwitch is already doing for connected workloads—typically between 25% and 50% of one core on each host

• A single NSX Controller™ cluster can deliver over 10,000 virtual networks in support of over 100,000 virtual machines

Integrated Best-of-Breed Networking and Security Services

The VMware NSX platform is specifically designed to facilitate integration, applications development and services from an ever-expanding ecosystem of networking and security technologies (see Figure 4). These partner solutions ensure that you can quickly adapt to constantly changing conditions in the data center and business demands. For example, Palo Alto Networks’ integration with VMware NSX adds the ability to:

• Efficiently add advanced, next-gen firewalling and IPS security to workloads inside the data center

• Share intelligence with other security products in the VMware NSX ecosystem to adapt to emerging security conditions in the data center

[Figure 4 diagram: NSX TECHNOLOGY PARTNERS. Categories: SDDC Operations and Visibility; Physical-to-Virtual (P2V) Data Center Services; Application Delivery Services; Security Services. Partners shown: Checkpoint, Arkin, Arista, Citrix, Intel, EMC, Brocade, F5, Palo Alto Networks, Gigamon, Cumulus Networks, Rapid 7, NetScout, Dell, Symantec, Riverbed, HP, Trend Micro, Tufin, Juniper Networks, Hytrust]

Figure 4: VMware NSX is a platform that tightly integrates the industry’s leading networking and security solutions into the SDDC. This ever-expanding ecosystem means you can be confident that you can enhance any aspect of your virtualized environment.

Conclusion

Where does network virtualization fit into the data center?

Network virtualization fits with your physical infrastructure. It makes more efficient use of the infrastructure you have, and gives you more choices in hardware vendors going forward.

Network virtualization fits with your vision for SDDC, a data center model that’s more adaptable, simpler to manage, and more responsive to your business. Amazon, Facebook and Google seem to have set the bar high with their mega data centers. But what they have accomplished is more easily attainable today than it was even a year ago. And one of the big things that has changed in that time is the reality of network virtualization. It’s a cornerstone of the modern, secure data center that business executives and lines of business expect IT to deliver.

As an integral part of SDDC, network virtualization fits with your vision for turning hybrid clouds into transparent, unified environments for building, delivering and managing enterprise applications.

Network virtualization fits with your priorities today, whether that’s closing the dangerous gaps in data center security, automating processes to make a measurable difference in time-to-market with higher quality and consistency, or not taking shortcuts on backup, so there are no half-measures in bringing your complete infrastructure back online to support application continuity.

Network virtualization doesn’t just fit in with data center initiatives. It’s one of the primary engines for expanding what’s possible with those initiatives.

Learn more: .com/products/nsx

VMware, Inc. 3401 Hillview Avenue Palo Alto CA 94304 USA Tel 877-486-9273 Fax 650-427-5001 www.vmware.com

Copyright © 2016 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at http://www.vmware.com/go/patents. VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies. Item No: 16VM066-Whitepaper 01/16