VMUGIT Meeting a Napoli - 6 aprile 2016 vRA + NSX Technical Deep-Dive Jad El Zein, VMware

1. © 2015 VMware Inc. All rights reserved.
vRealize Automation 7.0
vRA + NSX Deep-Dive
Jad El-Zein
Principal Architect, CMBU
@virtualjad | virtualjad.com
#VMUGIT

2. 1 About me
2 NSX + vRA Use Cases
3 Unified Service Delivery in CBP
4 Extensibility
5 Q&A
Agenda
2

3. About me…
3
Washington, DC
Napoli, IT

4. My time in Napoli….
4

5. My time in Napoli (so far)….
5

6. Simplified Application Centric Network and Security
Web
App
Database
VM VM
VM VM VM
VM
6
• Applications configured with dedicated or shared
virtual switches and routers depending on needs
• Application level micro-segmentation security
• Dynamic configuration of application specific
load balancers without expensive physical
hardware
VM
• Networks configured to meet unique performance
needs of each application
VM VM
VM VM
VM VM VM
Dynamically Configure NSX Network and Micro-segmentation unique for each application

7. Application Deployment with On-Demand Networking & Security
• Logical switches and routers are created on
demand by NSX when the user creates an
application
• Single machine, single-tier or multi-tier topologies
• Supports NAT and routed topologies
• Automated IP addressing of both VMs and
subnets
• On-demand security groups built per app and per
tier with VMs placed into groups
• App isolation option
• Security policies applied to dynamically created
groups
• Load-balancer configuration dynamically
deployed and dedicated to application
7
Web/App
Database
VM VM
VM

8. Application Deployment with On-Demand Micro-Segmentation
• Networking is pre-created by NSX admin
• VMs placed on pre-created logical
switches
• On-demand security groups created when
application is deployed
• Security policies applied to dynamically
created groups
• Micro-segmentation on larger L2 networks
• Load-balancer configuration dynamically
deployed
• VMs and security groups removed when
app destroyed but networking remains
8
Web/AppDatabase
VM VMVM

9. Application Deployment into Existing Network and Security Services
• Pre-created logical switches and routers defined
by the NSX admin - VMs are wired to pre-created
switches
• Security Groups pre-defined to match security
tags for each tier of application
• When a cloud user selects a catalog item VMs
are wired to NSX switches and tagged with
appropriate security tags
• Enforcement is based on combining the tag with
the rules in the security group
• Applications can be single tier or multi-tier –
typically routed topologies
9
Web/App
Database
VM VM
VM

10. Application-Centric Service Design
NSX and the Converged Blueprint Designer

11. Unified Service Delivery – Converged Blueprint Desinger
11
• Micro-segmentation for Application stack via automated security policy enforcement
• NSX on-demand and existing security groups and tags
• Automated connectivity to existing or on-demand dynamically created NSX networks
• On-demand dedicated NSX load balancer for application

12. App-Centric Service Design
12

13. Infrastructure as Code
• Ability to read and create blueprints with a text
editor of choice.
• Save it in source control (e.g. Git)
• Machine blueprint in YAML format
• Application & Software blue prints currently in
JSON format (for beta), moving to YAML by GA
• Import/Export in same or multiple vRA instances
• Complete Blueprint is exported into a zip
compressed format similar to the current ASD
export
Import / Export Complete Blueprints as YAML

14. LifeCycle Extensibility – Centralized Policy Management
• Enable OTB
extensibility for IaaS
and Application
Services dynamically
by leveraging the
Event Broker Service
(EBS)
• Invoke NSX-specific
workflows based on a
policy-based trigger
configured for a
specific event
“Invoke vRO Workflow to build a custom NSX service based on the NAME of a blueprint,
Custom Property Value, Requestor ID, or machine and platform type….GO!”

15. NSX and vRA Extensibility
• The NSX vRealize Orchestrator Plugin covers many common
networking & security operations
• vRO also includes a HTTP-REST Plugin which allows the NSX
vSphere API to be directly consumed
– Allows creation of custom workflows to perform
advanced NSX operations, eg:
• Enable Edge HA
• Modify Edge sizing
• Configure additional LB features
• Create NSX Security Groups, Policies or Tags
• vRA 7.0 LifeCycle Extensibility and the Event Broker provide a
centralized, policy-driven method of invoking workflows based
on any number of trigger events.
• Event Broker Allows for additional NSX operations to be inserted
transparently within the requests

16. Networking-as-a-Service | XaaS Designer
• vRealize Automation XaaS
Designer (previously ASD)
can be leveraged to quickly
deliver standalone
workflows, Day 2
operations, and other
complex services as-a-
service.
• This provides a method of
leveraging vRO workflows
and plugins via the vRA
Self-Service Portal
• XaaS components can also
be dragged and dropped
directly onto a Blueprint
Canvas!

17. Networking-as-a-Service | XaaS Designer
17

18. vRA on NSX
HA Deployment Architecture with NSX

19. vRA HA Deployment on NSX
NSX Load Balancing Policies
19
NSX Edge Services Gateway (ESG)
NSX Distributed Logical Router (DLR)
LB VIP
vrava02
• Core Services
• vPostgres (P)
• vIDM
• vRO
vraiaas04
• Manager Service (P)
• vCenter Agent
vraiaas02
• Web Service (A)
• DEM02
vraiaas01
• Web Service (A)
• DEM01
vraiaas03
• Manager Service (A)
• vCenter Agent
vrava01
• Core Services
• vPostgres (A)
• vIDM
• vRO
App Network
10.10.50.0/24
10.10.50.1
10.10.50.21
10.10.50.20
10.10.50.22
Mgmt Network
192.168.1.0/24
192.168.1.30192.168.1.1
Pool ID vraiaasweb-443
DNS CNAME vraiaasweb.elzein.local
Virtual Server (vip) vraiaasweb-vip
Algorithm Round-Robin
Session Persistence Source IP
Health /wapi/api/status/web = “registered”
Pool ID vraiaasmgr-443
DNS CNAME vraiaasmgr.elzein.local
Virtual Server (vip) vraiaasmgr-vip
Algorithm NONE
Session Persistence NONE
Health /VMPSProvision – “ProvisionService”
Pool ID vrava-443
vrava-8444 (console)
DNS CNAME vra.elzein.local
Virtual Server (vip) vrava-vip
Algorithm Round-Robin
Session Persistence Source IP
Health /vcac/services/api/health = 200 or 204
AD / DNS
MS SQL
vCenter
NSX Mgr
vRA VA (OVA)
vRA IaaS (Windows)
External System
(A)
(P)
Active Node
Passive Node
Last Updated 03/31/16 by Jad El-Zein

20. vRA 7.0.1 and NSX Integration - Product Compatibility Matrix
20
Product Version
vRealize Automation 7.0.x
vRealize Orchestrator 7.0.x
NSX-vRO Plugin 1.0.3
NSX for vSphere 6.2.2
vRealize Orchestrator is a required component for the vRA & NSX Integration:
• The vRO server embedded with vRA VA includes the NSX vRO plugin by default
• The NSX vRO Plugin is available from the
My VMware support portal with NSX under
Drivers & Tools
NSX 6.0.x not supported with vRA 6.2 or later

21. vRA-NSX Extensibility Kit (6.x)
https://communities.vmware.com/docs/DO
C-30791
• For the initial release the documentation
is in draft format, and assumes you have
experience with vRA extensibility (WF
stubs and ASD).
• An updated installation guide will be
available shortly with more detail
• Additional functionality to the extensibility
kit will be added over time
• In addition we are also planning a
TOI/Webinar that covers NSX and vRA
Extensibility and guidelines for use of the
kit.
21

22. Thank You
Q & A
Jad El-Zein
Principal Architect, CMBU
@virtualjad | virtualjad.com