6. Simplified Application Centric Network and Security
• Applications configured with dedicated or shared virtual switches and routers depending on needs
• Application level micro-segmentation security
• Dynamic configuration of application specific load balancers without expensive physical hardware
• Networks configured to meet unique performance needs of each application
Dynamically Configure NSX Network and Micro-segmentation unique for each application
(Diagram: Web, App and Database tiers of VMs)
7. Application Deployment with On-Demand Networking & Security
• Logical switches and routers are created on demand by NSX when the user creates an application
• Single machine, single-tier or multi-tier topologies
• Supports NAT and routed topologies
• Automated IP addressing of both VMs and subnets
• On-demand security groups built per app and per tier with VMs placed into groups
• App isolation option
• Security policies applied to dynamically created groups
• Load-balancer configuration dynamically deployed and dedicated to application
(Diagram: Web/App and Database tiers of VMs)
8. Application Deployment with On-Demand Micro-Segmentation
• Networking is pre-created by NSX admin
• VMs placed on pre-created logical switches
• On-demand security groups created when application is deployed
• Security policies applied to dynamically created groups
• Micro-segmentation on larger L2 networks
• Load-balancer configuration dynamically deployed
• VMs and security groups removed when app destroyed but networking remains
(Diagram: Web/App and Database tiers of VMs)
9. Application Deployment into Existing Network and Security Services
• Pre-created logical switches and routers defined by the NSX admin - VMs are wired to pre-created switches
• Security Groups pre-defined to match security tags for each tier of application
• When a cloud user selects a catalog item, VMs are wired to NSX switches and tagged with appropriate security tags
• Enforcement is based on combining the tag with the rules in the security group
• Applications can be single tier or multi-tier – typically routed topologies
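Added example (not from the original slides and not VMware code): a small Python model of the tag-plus-security-group enforcement described above, including a check for VMs that were provisioned without a tier tag. The tag names, group names, ports, VM names and the default-deny behaviour are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    src_group: str
    dst_group: str
    port: int

# Hypothetical security tags mapped to pre-defined security groups, one per tier.
GROUP_BY_TAG = {"tier.web": "SG-Web", "tier.db": "SG-DB"}

# Allow-list between groups; the model assumes anything unmatched is dropped.
RULES = [
    Rule("ANY", "SG-Web", 443),      # clients -> web tier
    Rule("SG-Web", "SG-DB", 5432),   # web tier -> database tier
]

# Constructed inventory: VM name -> security tags applied at provisioning time.
INVENTORY = {
    "web01": {"tier.web"},
    "web02": {"tier.web"},
    "db01": {"tier.db"},
    "db02": {"tier.db"},
    "tmp01": set(),                  # wired to the switch but never tagged
}

def groups_for(tags):
    """Security groups a VM belongs to, derived only from its tags."""
    return {GROUP_BY_TAG[t] for t in tags if t in GROUP_BY_TAG}

def is_allowed(inventory, src, dst, port):
    """Combine tag-derived group membership with the group rules."""
    src_groups = groups_for(inventory.get(src, ())) | {"ANY"}
    dst_groups = groups_for(inventory.get(dst, ()))
    return any(
        r.src_group in src_groups and r.dst_group in dst_groups and r.port == port
        for r in RULES
    )

def untagged(inventory):
    """VMs whose tags place them in no group, so no group rule covers them."""
    return sorted(vm for vm, tags in inventory.items() if not groups_for(tags))

if __name__ == "__main__":
    for flow in [("web01", "db01", 5432), ("db01", "db02", 5432), ("tmp01", "db01", 5432)]:
        print(flow, "allowed" if is_allowed(INVENTORY, *flow) else "dropped")
    print("VMs outside every security group:", untagged(INVENTORY))
```

Running the untagged check after each deployment catches VMs that reached the network without the tag that policy depends on.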
(Diagram: Web/App and Database tiers of VMs)
11. Unified Service Delivery – Converged Blueprint Designer
• Micro-segmentation for Application stack via automated security policy enforcement
• NSX on-demand and existing security groups and tags
• Automated connectivity to existing or on-demand dynamically created NSX networks
• On-demand dedicated NSX load balancer for application
13. Infrastructure as Code
• Ability to read and create blueprints with a text editor of choice
• Save it in source control (e.g. Git)
• Machine blueprint in YAML format
• Application & Software blueprints currently in JSON format (for beta), moving to YAML by GA
• Import/Export in same or multiple vRA instances
• Complete Blueprint is exported into a zip compressed format similar to the current ASD export
Import / Export Complete Blueprints as YAML
14. LifeCycle Extensibility – Centralized Policy Management
• Enable OTB extensibility for IaaS and Application Services dynamically by leveraging the Event Broker Service (EBS)
• Invoke NSX-specific workflows based on a policy-based trigger configured for a specific event
“Invoke vRO Workflow to build a custom NSX service based on the NAME of a blueprint, Custom Property Value, Requestor ID, or machine and platform type….GO!”
15. NSX and vRA Extensibility
• The NSX vRealize Orchestrator Plugin covers many common networking & security operations
• vRO also includes an HTTP-REST Plugin which allows the NSX vSphere API to be directly consumed
  – Allows creation of custom workflows to perform advanced NSX operations, e.g.:
    • Enable Edge HA
    • Modify Edge sizing
    • Configure additional LB features
    • Create NSX Security Groups, Policies or Tags
• vRA 7.0 LifeCycle Extensibility and the Event Broker provide a centralized, policy-driven method of invoking workflows based on any number of trigger events
• Event Broker allows for additional NSX operations to be inserted transparently within the requests
16. Networking-as-a-Service | XaaS Designer
• vRealize Automation XaaS Designer (previously ASD) can be leveraged to quickly deliver standalone workflows, Day 2 operations, and other complex services as-a-service.
• This provides a method of leveraging vRO workflows and plugins via the vRA Self-Service Portal
• XaaS components can also be dragged and dropped directly onto a Blueprint Canvas!
19. vRA HA Deployment on NSX
(Diagram components: NSX Edge Services Gateway (ESG), NSX Distributed Logical Router (DLR), LB VIP)

Nodes
• vrava01: Core Services, vPostgres (A), vIDM, vRO
• vrava02: Core Services, vPostgres (P), vIDM, vRO
• vraiaas01: Web Service (A), DEM01
• vraiaas02: Web Service (A), DEM02
• vraiaas03: Manager Service (A), vCenter Agent
• vraiaas04: Manager Service (P), vCenter Agent

Networks
• App Network 10.10.50.0/24: 10.10.50.1, 10.10.50.21, 10.10.50.20, 10.10.50.22
• Mgmt Network 192.168.1.0/24: 192.168.1.30, 192.168.1.1

External systems: AD / DNS, MS SQL, vCenter, NSX Mgr
Legend: vRA VA (OVA), vRA IaaS (Windows), External System; (A) Active Node, (P) Passive Node

NSX Load Balancing Policies

Pool ID vraiaasweb-443
• DNS CNAME: vraiaasweb.elzein.local
• Virtual Server (vip): vraiaasweb-vip
• Algorithm: Round-Robin
• Session Persistence: Source IP
• Health: /wapi/api/status/web = “registered”

Pool ID vraiaasmgr-443
• DNS CNAME: vraiaasmgr.elzein.local
• Virtual Server (vip): vraiaasmgr-vip
• Algorithm: NONE
• Session Persistence: NONE
• Health: /VMPSProvision – “ProvisionService”

Pool ID vrava-443, vrava-8444 (console)
• DNS CNAME: vra.elzein.local
• Virtual Server (vip): vrava-vip
• Algorithm: Round-Robin
• Session Persistence: Source IP
• Health: /vcac/services/api/health = 200 or 204

Last Updated 03/31/16 by Jad El-Zein
20. vRA 7.0.1 and NSX Integration - Product Compatibility Matrix
Product                  Version
vRealize Automation      7.0.x
vRealize Orchestrator    7.0.x
NSX-vRO Plugin           1.0.3
NSX for vSphere          6.2.2

vRealize Orchestrator is a required component for the vRA & NSX Integration:
• The vRO server embedded with vRA VA includes the NSX vRO plugin by default
• The NSX vRO Plugin is available from the My VMware support portal with NSX under Drivers & Tools
NSX 6.0.x not supported with vRA 6.2 or later
21. vRA-NSX Extensibility Kit (6.x)
https://communities.vmware.com/docs/DOC-30791
• For the initial release the documentation is in draft format, and assumes you have experience with vRA extensibility (WF stubs and ASD).
• An updated installation guide will be available shortly with more detail
• Additional functionality to the extensibility kit will be added over time
• In addition we are also planning a TOI/Webinar that covers NSX and vRA Extensibility and guidelines for use of the kit.
22. Thank You
Q & A
Jad El-Zein
Principal Architect, CMBU
@virtualjad | virtualjad.com