Today VMware released the new version of NSX-T, VMware’s software-defined networking and security solution for datacenters, with support for VMs, containers and bare-metal workloads.
As part of the version 3 release, VMware introduced a number of new features, so I wanted to highlight some of them here and also give a brief introduction to NSX Intelligence, which had flown under my radar for some time.
So what’s new in NSX-T v3?
NSX Multi-site/Federation is a new feature that allows for centralized management across multiple NSX deployments. This is mainly aimed at deployments where you use NSX Cloud for public cloud workloads and NSX-T for the datacenter; it lets you manage them centrally from the management plane through a global manager. A future release will also support management of VMware Cloud on AWS.
The Distributed IDS feature, which has been in beta for some time, is finally released and provides IDS capabilities as part of the NSX base, essentially a software-based IDS/IPS for applications. This gives us the ability to create zones in software, with IDS inspection, without the cost and complexity of air-gapped networks or physical separation. Since the IDS feature is distributed, it scales the same way load balancing and firewall throughput do in NSX. You can also combine it with service chaining, meaning you can hand traffic to a third-party provider such as Palo Alto, Check Point or Fortinet.
This distributed mechanism can be enabled per VM and per vNIC of a VM, with granular rule inspection. As part of this feature set, the NSX Manager is able to download the latest signature packs from the NSX Signature Service, keeping the NSX Distributed IDS in the environment updated with the latest threat signatures.
One of the biggest enhancements is that you can now run NSX directly on top of vSphere Distributed Switches. This means you can run NSX straight on VDS 7.0, which is part of vSphere 7.0, without disrupting VM traffic when deploying NSX. It also makes it easier to ship feature releases faster.
As part of the new release, VMware has also made enhancements to the visualization, which before was a bit cumbersome. This will make it easier to monitor, troubleshoot and verify the traffic flow.
Support for Windows 2016 Bare Metal workloads
Up until now NSX-T has only supported bare-metal workloads running on Linux-based operating systems such as Ubuntu, RHEL, CentOS and SUSE, so this is the first supported Windows-based bare-metal workload. Therefore we can use Windows Server as a host transport node, essentially extending NSX-T traffic to bare-metal nodes as well.
NSX supports the following use cases for bare metal:
- Connectivity with VLAN-backed virtualized workloads
- Connectivity with overlay-backed virtualized workloads
- Security for communication between virtual and physical workloads
- Security for communication between physical workloads
NSX-T Support for vSphere on Kubernetes
- Container Inventory & Monitoring in User Interface – Container cluster, Namespace, Network Policy and Pod level inventory can be visualized in the NSX-T User Interface. Visibility is also provided into the correlation of Container/K8s objects to NSX-T logical objects.
- IPAM Flexibility – The NSX Policy IP Block API has been enhanced to carve out IP subnets of variable sizes. This functionality helps the NSX Container Plugin carve out variable size subnets for Namespaces using Policy API.
- NCP Component Health Monitoring – The NSX Container Plugin and related component health information like NCP Status, NSX Node Agent Status, NSX Hyperbus Agent Status can be monitored using the NSX Manager UI/API.
NSX-T Policy – Terraform and Ansible
Not a new feature, but this release comes with an updated Terraform provider that offers more features than the old providers. You can view the Terraform provider here –> https://www.terraform.io/docs/providers/nsxt/index.html
NSX Intelligence 1.1
As part of this release, VMware also introduced a new version of NSX Intelligence. When I started looking at it a while back I noticed that it provides something that has been missing in NSX: a learning engine, if you will. NSX Intelligence is essentially an analytics engine that looks at what kind of traffic is running through NSX and provides recommendations on which firewall rules should be implemented.
So essentially it looks at the traffic flows and, based on the traffic it sees, provides a set of recommended firewall rules. I wonder why none of the cloud providers have this kind of learning feature as part of their software-defined networking stack.
Anyhow, as part of the new release 1.1, VMware has introduced the following new features:
- UI Performance and Layout Improvements – Improves the initial UI load times and immediate refresh as things change.
- Public vs Private IP Range Settings – Allows you to specify the CIDR ranges that NSX Intelligence uses to classify an IP address as private or public. Any IP address that does not belong to any of the specified CIDR ranges is classified as a public IP address.
- Flow Visualization – Shows L4 port/protocol on the flow line and increased IP to VM mapping visualization.
- Use of Groups in Recommendation Inputs – Provides the ability to start recommendations for a Group, in addition to prior support for VMs. This includes support to start recommendation for a group of effective VM members. Using a group as the recommendation input requires NSX-T Data Center 3.0.0.
- Micro-Segmentation Recommendation Outputs – Provides a choice of a group of IP addresses, in addition to prior support for a group of VMs.
- Continuous Recommendations – Provides a choice of on-demand or continuous monitoring for recommendation sessions. When continuous monitoring is enabled on a group, NSX Intelligence will generate new recommendations upon detecting VM membership changes in the group.
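To make the two mechanisms described above more concrete, the flow-based rule recommendation and the public/private classification by configured CIDR ranges, here is a small Python model of how such a recommendation pass can work. This is an added example written for this post, not NSX Intelligence code or any VMware API: the flow records, VM inventory, group names and the `ipset:`/`group:` labels are all constructed assumptions, and the default private ranges are simply the RFC 1918 blocks. Known VM endpoints are resolved to their group (the group-based recommendation input), unknown endpoints are collected into an IP-address group (the IP-set output), and every observed src/dst pair becomes one allow rule carrying the union of the L4 services seen on it.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed default for the "private" setting: the RFC 1918 ranges. An operator would
# replace these with the CIDR ranges of their own environment.
DEFAULT_PRIVATE_RANGES = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")

# Constructed sample inventory (hypothetical names): IP -> VM, VM -> security group.
VM_BY_IP = {"10.0.1.10": "web-01", "10.0.1.11": "web-02",
            "10.0.2.20": "app-01", "10.0.3.30": "db-01"}
GROUP_BY_VM = {"web-01": "web", "web-02": "web", "app-01": "app", "db-01": "db"}

# Constructed sample flow records as a flow collector might export them:
# (source IP, destination IP, protocol, destination port).
SAMPLE_FLOWS = [
    ("203.0.113.5", "10.0.1.10", "TCP", 443),   # internet clients -> web tier
    ("203.0.113.9", "10.0.1.11", "TCP", 443),
    ("10.0.1.10", "10.0.2.20", "TCP", 8080),    # web -> app
    ("10.0.1.11", "10.0.2.20", "TCP", 8080),
    ("10.0.2.20", "10.0.3.30", "TCP", 3306),    # app -> db
    ("10.0.2.20", "10.0.3.30", "TCP", 3306),    # repeated flow collapses into one rule
    ("10.0.2.20", "192.168.50.7", "UDP", 53),   # private address that is not a known VM
]


def classify_ip(addr, private_ranges=DEFAULT_PRIVATE_RANGES):
    """Return 'private' if addr falls inside any configured range, else 'public'.

    Mirrors the rule in the post: anything outside the configured ranges is public.
    """
    ip = ip_address(addr)
    return "private" if any(ip in ip_network(c) for c in private_ranges) else "public"


def endpoint_label(addr, private_ranges=DEFAULT_PRIVATE_RANGES):
    """Map an IP to its group when it belongs to a known VM, otherwise to an IP-set label."""
    vm = VM_BY_IP.get(addr)
    if vm is not None:
        return "group:" + GROUP_BY_VM[vm]
    return "ipset:" + classify_ip(addr, private_ranges)


def recommend_rules(flows, private_ranges=DEFAULT_PRIVATE_RANGES):
    """Aggregate observed flows into allow rules between groups / IP sets.

    Returns (rules, ip_sets): rules is a list of dicts ordered by (source, destination);
    ip_sets maps each 'ipset:*' label to the sorted member addresses seen in the flows.
    """
    services = defaultdict(set)   # (src_label, dst_label) -> {"PROTO/port", ...}
    ip_sets = defaultdict(set)    # "ipset:public" / "ipset:private" -> member addresses
    for src, dst, proto, port in flows:
        labels = []
        for addr in (src, dst):
            label = endpoint_label(addr, private_ranges)
            if label.startswith("ipset:"):
                ip_sets[label].add(addr)
            labels.append(label)
        services[tuple(labels)].add(f"{proto}/{port}")

    rules = [
        {"source": src, "destination": dst,
         "services": sorted(services[(src, dst)]), "action": "ALLOW"}
        for src, dst in sorted(services)
    ]
    return rules, {label: sorted(members) for label, members in ip_sets.items()}


if __name__ == "__main__":
    recommended, sets = recommend_rules(SAMPLE_FLOWS)
    for rule in recommended:
        print(rule)
    print(sets)
```

Running it against the sample flows yields four allow rules (app to db, app to the private IP set, web to app, and the public IP set to web) and a public IP set holding the two internet client addresses. The point of the model is the aggregation step: a ruleset is only useful as micro-segmentation when the recommendation collapses many individual flows into a small number of group-to-group rules, and the classification setting decides whether an unknown address lands in the private or the public set. Re-running `recommend_rules` whenever `GROUP_BY_VM` changes is the manual equivalent of the continuous recommendation mode described in the last bullet.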