Cover
Introduction
1. What Does This Book Cover?
2. Additional Resources
Chapter 1: Abstracting Network and Security
1. Networks: 1990s
2. Data Centers Come of Age
3. VMware
4. Virtualize Away
5. The Bottom Line
Chapter 2: NSX Architecture and Requirements
1. NSX Network Virtualization
2. Competitive Advantage: IOChain
3. NSX Role-Based Access Control
4. The Bottom Line
Chapter 3: Preparing NSX
1. NSX Manager Prerequisites
2. Installing NSX Manager
3. Linking Multiple NSX Managers Together (Cross-vCenter NSX)
4. Creating a Universal Transport Zone on the Primary NSX Manager
5. The Bottom Line
Chapter 4: Distributed Logical Switch
1. vSphere Standard Switch (vSS)
2. Virtual Distributed Switch (vDS)
3. Virtual eXtensible LANs (VXLANs)
4. Employing Logical Switches
5. Three Tables That Store VNI Information
6. We Might as Well Talk about ARP Now
7. Understanding Broadcast, Unknown Unicast, and Multicast
8. The Bottom Line
Chapter 5: Marrying VLANs and VXLANs
1. Shotgun Wedding: Layer 2 Bridge
2. Hardware Switches to the Rescue
3. The Bottom Line
Chapter 6: Distributed Logical Router
1. Distributed Logical Router (DLR)
2. Control Plane Smarts
3. Let's Get Smart about Routing
4. Deploying Distributed Logical Routers
5. The Bottom Line
Chapter 7: NFV: Routing with NSX Edges
1. Network Function Virtualization: NSX Has It Too
2. Let's Do Routing Like We Always Do
3. Routing with the DLR and ESG
4. The Bottom Line
Chapter 8: More NVF: NSX Edge Services Gateway
1. ESG Network Placement
2. Network Address Translation
3. ESG Load Balancer
4. Configuring an ESG Load Balancer
5. Layer 2 VPN (If You Must)
6. Secure Sockets Layer Virtual Private Network
7. Internet Protocol Security VPN
8. Round Up of Other Services
9. The Bottom Line
Chapter 9: NSX Security, the Money Maker
1. Traditional Router ACL Firewall
2. I Told You about the IOChain
3. Adding DFW Rules
4. Why Is My Traffic Getting Blocked?
5. Distributing Firewall Rules to Each ESXi Host: What's Happening?
6. The Bottom Line
Chapter 10: Service Composer and Third-Party Appliances
1. Security Groups
2. Service Insertion
3. Service Insertion Providers
4. Security Policies
5. The Bottom Line
6. Note
Chapter 11: vRealize Automation and REST APIs
1. vRealize Automation Features
2. vRA Editions
3. Integrating vRA and NSX
4. vRealize Orchestrator Workflows
5. Deploying a Blueprint that Consumes NSX Services
6. REST APIs
7. The Bottom Line
Appendix: The Bottom LineThe Bottom Line
1. Chapter 1: Abstracting Network and Security
2. Chapter 2: NSX Architecture and Requirements
3. Chapter 3: Preparing NSX
4. Chapter 4: Distributed Logical Switch
5. Chapter 5: Marrying VLANs and VXLANs
6. Chapter 6: Distributed Logical Router
7. Chapter 7: NFV: Routing with NSX Edges
8. Chapter 8: More NVF: NSX Edge Services Gateway
9. Chapter 9: NSX Security, the Money Maker
10. Chapter 10: Service Composer and Third-Party Appliances
11. Chapter 11: vRealize Automation and REST APIs
Index
End User License Agreement

List of Illustrations

Chapter 1
1. FIGURE 1.1 Simplex, half duplex, and full duplex compared
2. FIGURE 1.2 Colocated space rented in provider data centers
3. FIGURE 1.3 Traditional provisioning involves numerous teams and is time-cons...
4. FIGURE 1.4 The move to company-built data centers
5. FIGURE 1.5 Manhattan city grid designed in 1811
6. FIGURE 1.6 The hypervisor is a virtualization layer decoupling software from...
7. FIGURE 1.7 Virtualization creates an abstraction layer that hides the comple...
8. FIGURE 1.8 Physically storing data
9. FIGURE 1.9 VMware vMotion is a benefit that would not be possible without vi...
10. FIGURE 1.10 In the event of a physical host failing, the workload can be mov...
11. FIGURE 1.11 Allocating storage
12. FIGURE 1.12 Virtualization can now go beyond only servers.
13. FIGURE 1.13 NSX is a hypervisor for the network.
14. FIGURE 1.14 Traditional security relies on external security.
15. FIGURE 1.15 NSX microsegmentation moves the security rules to the VMs, secur...
16. FIGURE 1.16 Workloads are isolated from one another, with security applied t...
Chapter 2
1. FIGURE 2.1 Network virtualization decoupling network functions from the phys...
2. FIGURE 2.2 Traditional three planes of operation found in each networking de...
3. FIGURE 2.3 Network planes of operation compared with company job roles
4. FIGURE 2.4 Each networking device in traditional networking making decisions...
5. FIGURE 2.5 NSX architecture
6. FIGURE 2.6 Accessing NSX Manager using the same web client used for vSphere...
7. FIGURE 2.7 Deploying and controlling NSX components through automation
8. FIGURE 2.8 Primary NSX Manager at Site A managing secondary NSX Manager at S...
9. FIGURE 2.9 Compute clusters separated from management clusters, increasing a...
10. FIGURE 2.10 NSX Manager can only be registered to one vCenter Server.
11. FIGURE 2.11 Individual vSphere Standard Switches
12. FIGURE 2.12 A vSphere Distributed Switch spanning several ESXi hosts
13. FIGURE 2.13 The data plane for the overlay network, provided by the NSX Virt...
14. FIGURE 2.14 VMs on separate hosts but members of the same 10.1.1.0 subnet
15. FIGURE 2.15 vSphere Installation Bundles used to create the NSX virtual envi...
16. FIGURE 2.16 IOChain with customizable slots for adding third-Party functions...
17. FIGURE 2.17 The NSX controller Cluster controls routing and switching for ea...
18. FIGURE 2.18 NSX Controllers deployed three to a cluster, each on a different...
19. FIGURE 2.19 Dividing the workload into slices/shards, assigned across the th...
20. FIGURE 2.20 Job of two roles, VXLAN Logical Switches and Logical Router, div...
21. FIGURE 2.21 NSX Edge routes traffic between your virtual and physical networ...
22. FIGURE 2.22 NSX Edge services
23. FIGURE 2.23 RBAC pre-built roles for assigning access to NSX
24. FIGURE 2.24 VXLANs tunnel through the physical network to allow traffic to o...
25. FIGURE 2.25 A 50-byte header containing VXLAN information is added to the fr...
26. FIGURE 2.26 VTEPs are the tunnel endpoint IP addresses assigned to each host...
27. FIGURE 2.27 Multicast mode relies on multicast routing to be configured in t...
28. FIGURE 2.28 Unicast mode does not require the physical network to be configu...
29. FIGURE 2.29 Hybrid mode multicasting to members of the same group, unicastin...
Chapter 3
1. FIGURE 3.1 TCP and UDP ports needed for NSX communication
2. FIGURE 3.2 Major NSX components requiring resources
3. FIGURE 3.3 Cross-vCenter design spanning multiple sites
4. FIGURE 3.4 Separate compute and management clusters
5. FIGURE 3.5 Home ➢ Networking
6. FIGURE 3.6 Deploy OVF Template
7. FIGURE 3.7 Manage vCenter Registration
8. FIGURE 3.8 vCenter Server name and login
9. FIGURE 3.9 vSphere Web Client
10. FIGURE 3.10 Manage Appliance Settings
11. FIGURE 3.11 NTP Time Settings
12. FIGURE 3.12 Syslog Server name or IP address
13. FIGURE 3.13 Installation and Upgrade
14. FIGURE 3.14 NSX Controller Nodes
15. FIGURE 3.15 Add a Controller Node
16. FIGURE 3.16 Cross-vCenter design
17. FIGURE 3.17 Cross-vCenter with universal objects
18. FIGURE 3.18 Selecting the primary NSX Manager
19. FIGURE 3.19 Host Preparation
20. FIGURE 3.20 Transport Zones
21. FIGURE 3.21 Logical Switches
22. FIGURE 3.22 Logical Switch naming and replication mode
23. FIGURE 3.23 Add Secondary Manager
Chapter 4
1. FIGURE 4.1 Switch dynamically learning MAC addresses and ports
2. FIGURE 4.2 A vSS can only span a single ESXi host.
3. FIGURE 4.3 Traffic shaping is a mechanism for controlling a VM's network ban...
4. FIGURE 4.4 Port group C has been created on a separate vSS for each ESXi hos...
5. FIGURE 4.5 vMotion not only migrates the virtual machine, but the VM's port ...
6. FIGURE 4.6 Connecting the virtual switch to two physical NICs on the ESXi ho...
7. FIGURE 4.7 The vDS is created and managed centrally but spans across multipl...
8. FIGURE 4.8 Traffic from ESXi-1 to ESXi-2 in this topology must now traverse ...
9. FIGURE 4.9 Two VMs on the same subnet but located on different hosts communi...
10. FIGURE 4.10 The original frame generated from the source VM is encapsulated ...
11. FIGURE 4.11 Using the analogy of a subway stop, for VM1 to send traffic to V...
12. FIGURE 4.12 Each Logical Switch created receives an ID from the segment pool...
13. FIGURE 4.13 The VLAN ID field is 12 bits long, which indicates that over 400...
14. FIGURE 4.14 Each VTEP, indicated here with an IP address starting with 192.1...
15. FIGURE 4.15 VM-A is attached to VXLAN 5001. When it is powered on, informati...
16. FIGURE 4.16 VTEPs send their local VNI information to the Controller cluster...
17. FIGURE 4.17 Walkthrough to find the VNI information needed to send traffic t...
18. FIGURE 4.18 VNI information added when VM-B is powered up
19. FIGURE 4.19 VNI information added when VM-D is powered up
20. FIGURE 4.20 Powering on VM-F adds VNI information to a new table.
21. FIGURE 4.21 The three Controller nodes divide the workload of tracking VNI i...
22. FIGURE 4.22 The PC, 10.1.1.3/24, wants to send packets to the server, 30.1.1...
23. FIGURE 4.23 The PC knows the default gateway IP address 10.1.1.4 through DHC...
24. FIGURE 4.24 Once R1 (the PC's default gateway) receives the packet, it check...
25. FIGURE 4.25 The destination network, 30.1.1.0, is directly attached.
26. FIGURE 4.26 VM-A needs to send packets to VM-E.
27. FIGURE 4.27 Selecting a Replication Mode (Multicast, Unicast, Hybrid) when c...
28. FIGURE 4.28 Troubleshooting connectivity
Chapter 5
1. FIGURE 5.1 Adding a Logical Switch
2. FIGURE 5.2 Configuring a Logical Switch
3. FIGURE 5.3 Adding a DLR
4. FIGURE 5.4 Configuring DLR Basic Details
5. FIGURE 5.5 Configuring DLR Settings
6. FIGURE 5.6 DLR Deployment Configuration
7. FIGURE 5.7 Configuration options for the Edge Appliance VM
8. FIGURE 5.8 DLR Management Interface configuration
9. FIGURE 5.9 Selecting the Distributed Virtual Port Group
10. FIGURE 5.10 Verifying the DLR configured options
11. FIGURE 5.11 DLR option to Configure Interfaces
12. FIGURE 5.12 DLR option to specify Default Gateway
13. FIGURE 5.13 DLR review of Deployment Configuration
14. FIGURE 5.14 DLR Deployment Status
15. FIGURE 5.15 vSphere Flex Web Client
16. FIGURE 5.16 Selecting the new DLR
17. FIGURE 5.17 DLR Manage Bridging
18. FIGURE 5.18 Naming the Bridge
19. FIGURE 5.19 Selecting the Logical Switch
20. FIGURE 5.20 Browsing to the Distributed Virtual Port Group
21. FIGURE 5.21 Selecting the Distributed Virtual Port Group
22. FIGURE 5.22 Publishing the changes
23. FIGURE 5.23 Verification that the bridge has been deployed
24. FIGURE 5.24 Verifying that the dvPortGroup is backed by VLAN 10
25. FIGURE 5.25 Selecting the Logical Switch created previously
26. FIGURE 5.26 Verifying which VMs are attached to the Logical Switch
27. FIGURE 5.27 Confirming that Server1 is not connected to LogicalSwitch, but i...
28. FIGURE 5.28 Verifying that App-VM can ping Server1 via the L2 Bridge
29. FIGURE 5.29 Selecting the Logical Switch
30. FIGURE 5.30 Choices in the Actions drop-down
31. FIGURE 5.31 Network And Security (NSX) menu options
Chapter 6
1. FIGURE 6.1 ESXi host learning routes
2. FIGURE 6.2 Following the routing path with an analogy
3. FIGURE 6.3 Active/standby LR Control VMs
4. FIGURE 6.4 Two VMs on same ESXi host and an external router
5. FIGURE 6.5 Two VMs on same ESXi host with NSX
6. FIGURE 6.6 The DLR is distributed to the kernel of each ESXi host.
7. FIGURE 6.7 Two VMs on different ESXi hosts and an external router
8. FIGURE 6.8 Two VMs on different ESXi hosts with NSX
9. FIGURE 6.9 Representing a DLR in NSX diagrams
10. FIGURE 6.10 Packet walk from end user to web server VM on ESXi Host8
11. FIGURE 6.11 Transit segment shared by DLR, NSX Edge, and LR Control VM
12. FIGURE 6.12 Edge participating in external and internal routing
13. FIGURE 6.13 For scalability, Area 0 is designated as the Backbone with all o...
14. FIGURE 6.14 Four organizations, each assigned its own AS number
15. FIGURE 6.15 Simple Cisco router BGP example for R1 to peer with R2
16. FIGURE 6.16 New DLR step 1: Basic Details
17. FIGURE 6.17 Within NSX, navigate to NSX Edges to create a DLR.
18. FIGURE 6.18 Providing basic details for the DLR
19. FIGURE 6.19 New DLR step 2: Settings
20. FIGURE 6.20 New DLR step 3: Deployment Configuration
21. FIGURE 6.21 Assigning resources to the Control VM
22. FIGURE 6.22 New DLR returning to step 3: Deployment Configuration
23. FIGURE 6.23 Selecting a network for LR Control VM connectivity
24. FIGURE 6.24 New DLR step 4: Interface
25. FIGURE 6.25 Adding an Uplink interface for the DLR to communicate with the E...
26. FIGURE 6.26 Selecting a network shared by the DLR, ESG, and Control VM
27. FIGURE 6.27 Configuring an Uplink IP address on the DLR
28. FIGURE 6.28 Checking the Deployment Status column for the DLR
29. FIGURE 6.29 Viewing the IP addresses of the Uplink and Internal interfaces
30. FIGURE 6.30 Verifying connectivity from a web server VM to its gateway, the ...
Chapter 7
1. FIGURE 7.1 Network functions virtualized and offered by an NSX Edge
2. FIGURE 7.2 With HA enabled, a copy of the Edge VM is created.
3. FIGURE 7.3 The DLR routes E-W traffic, and the ESG routes N-S.
4. FIGURE 7.4 Distributed vs. centralized routing
5. FIGURE 7.5 Distributed and centralized routing approach host failure differe...
6. FIGURE 7.6 Routing between different transport zones
7. FIGURE 7.7 Routing options available for the DLR and the NSX Edge
8. FIGURE 7.8 Identifying ESG and DLR Internal LIFs and Uplink LIFs
9. FIGURE 7.9 NSX Edge name and description
10. FIGURE 7.10 NSX Edge Settings
11. FIGURE 7.11 NSX Edge Configure Deployment
12. FIGURE 7.12 NSX Edge Cluster and Datastore selection
13. FIGURE 7.13 NSX Edge Configure Interfaces
14. FIGURE 7.14 Adding an NSX Edge interface
15. FIGURE 7.15 NSX Edge Default Gateway Settings
16. FIGURE 7.16 NSX Edge Firewall and High Availability
17. FIGURE 7.17 DLR Routing Global Configuration
18. FIGURE 7.18 A Router ID is required when configuring OSPF or BGP.
19. FIGURE 7.19 Configuring BGP
20. FIGURE 7.20 Enabling BGP and configuring the Autonomous System number
21. FIGURE 7.21 Adding the ESG as the DLR's BGP neighbor
22. FIGURE 7.22 OSPF Configuration
23. FIGURE 7.23 Configuring the Protocol and Forwarding Addresses
24. FIGURE 7.24 Adding a Static Route
25. FIGURE 7.25 DLR with pathways to the physical router via two ESGs
26. FIGURE 7.26 ECMP routing between the ESGs and the physical network
Chapter 8
1. FIGURE 8.1 Separating edge services from compute
2. FIGURE 8.2 ESG providing Network Address Translation
3. FIGURE 8.3 Configuring NAT on the NSX ESG
4. FIGURE 8.4 Adding a Source NAT rule
5. FIGURE 8.5 Configuring the translated address
6. FIGURE 8.6 Publishing the changes
7. FIGURE 8.7 Adding a Destination NAT rule
8. FIGURE 8.8 Configuring the translated address
9. FIGURE 8.9 One‐armed load‐balancing design
10. FIGURE 8.10 Inline load‐balancing design
11. FIGURE 8.11 Selecting the ESG
12. FIGURE 8.12 Load Balancer tab
13. FIGURE 8.13 Enabling the load‐balancer service
14. FIGURE 8.14 Creating a pool of servers to load balance across
15. FIGURE 8.15 Selecting the load‐balancing algorithm
16. FIGURE 8.16 Adding members to the server pool
17. FIGURE 8.17 Configuring each member of the pool
18. FIGURE 8.18 Selecting the default http monitor for the pool
19. FIGURE 8.19 Verifying the status of the pool
20. FIGURE 8.20 Load balancer application profiles
21. FIGURE 8.21 Selecting a preconfigured application profile
22. FIGURE 8.22 Creating a virtual server to be the front end
23. FIGURE 8.23 Selecting an IP address and port number for the virtual server
24. FIGURE 8.24 Implementing an L2VPN as a temporary solution to connect two sit...
25. FIGURE 8.25 SSL VPNs allowing remote mobile users to connect
26. FIGURE 8.26 Configuring the SSL VPN service on the ESG
27. FIGURE 8.27 Choosing the IP address and port users will VPN to
28. FIGURE 8.28 Creating an IP pool
29. FIGURE 8.29 Configuring a range of addresses to assign to VPN users
30. FIGURE 8.30 Selecting which networks the user can access
31. FIGURE 8.31 Enabling TCP optimization when using the tunnel
32. FIGURE 8.32 Authenticating VPN users
33. FIGURE 8.33 Configuring password rules for VPN access
34. FIGURE 8.34 Creating VPN client installation packages for download
35. FIGURE 8.35 Creating and customizing packages for different platforms
36. FIGURE 8.36 Creating credentials for VPN users
37. FIGURE 8.37 Adding a VPN user
38. FIGURE 8.38 Starting the SSL VPN service
39. FIGURE 8.39 Site‐to‐site IPsec VPN
40. FIGURE 8.40 Deploying a site‐to‐site IPsec VPN
41. FIGURE 8.41 Configuring tunnel endpoints and peer subnets
42. FIGURE 8.42 Publishing the changes
43. FIGURE 8.43 Starting the IPsec tunnel service
44. FIGURE 8.44 The exchange of DHCP messages
45. FIGURE 8.45 Adding a DCHP pool of addresses
46. FIGURE 8.46 Defining the address range of the DHCP pool
47. FIGURE 8.47 Starting the DHCP server service
48. FIGURE 8.48 Configuring a DHCP reservation
49. FIGURE 8.49 Ensuring a server is always allocated the same IP based on MAC a...
50. FIGURE 8.50 VM‐A powered off and without an assigned DHCP address
51. FIGURE 8.51 DHCP Relay to forward IP requests to a DHCP server on a differen...
52. FIGURE 8.52 Pointing the DHCP Relay Agent to the DHCP server
53. FIGURE 8.53 Adding the DHCP Relay Agent
54. FIGURE 8.54 Selecting which interface will be the DHCP Relay Agent
55. FIGURE 8.55 Relaying DNS requests to a DNS server on a different segment
56. FIGURE 8.56 Configuring DNS forwarding on the ESG
57. FIGURE 8.57 Directing the ESG to forward DNS requests to 8.8.8.8
Chapter 9
1. FIGURE 9.1 Traditional firewall design is best suited for N-S traffic.
2. FIGURE 9.2 NSX IOChain slots 0–2
3. FIGURE 9.3 Native DFW rules are based on Layers 2 through 4.
4. FIGURE 9.4 Firewall services distributed to the kernel of every ESXi host
5. FIGURE 9.5 Three-tier application separated by a traditional router ACL fire...
6. FIGURE 9.6 Single Layer 2 domain microsegmented by the DFW
7. FIGURE 9.7 Matching ACL rules based on datagram header fields
8. FIGURE 9.8 Adding a new rule to the DFW
9. FIGURE 9.9 Three rules present by default
10. FIGURE 9.10 Final default rule action can be modified, not deleted.
11. FIGURE 9.11 Creating a new rule
12. FIGURE 9.12 Choosing the destination object to match on
13. FIGURE 9.13 Selecting a specific server from the list of VMs
14. FIGURE 9.14 Selecting the specific service to match on
15. FIGURE 9.15 Adding sections to your DFW rule set
16. FIGURE 9.16 Adding a previous rule to the new section
17. FIGURE 9.17 After publishing the change, the section is now lockable.
18. FIGURE 9.18 Comparison of a regular ARP and a gratuitous ARP
19. FIGURE 9.19 ARP poisoning example
20. FIGURE 9.20 DFW firewall timeout settings
21. FIGURE 9.21 Icon to add or remove columns
22. FIGURE 9.22 AMQP protocol is built for exchanging messages reliably.
23. FIGURE 9.23 NSX Distributed Firewall architecture
Chapter 10
1. FIGURE 10.1 Defining group membership dynamically
2. FIGURE 10.2 Adding a new security group with Service Composer
3. FIGURE 10.3 Naming the security group
4. FIGURE 10.4 Listing Available Objects by type
5. FIGURE 10.5 Selecting an object from the available list
6. FIGURE 10.6 Service Composer security group created
7. FIGURE 10.7 Dynamic membership criteria
8. FIGURE 10.8 Customizing and combining multiple criteria groups
9. FIGURE 10.9 Using AND between criteria blocks
10. FIGURE 10.10 Creating exceptions by excluding objects
11. FIGURE 10.11 Applying the created security group
12. FIGURE 10.12 Navigating to the Security Tags menu
13. FIGURE 10.13 Moving VMs to the Selected Objects pane
14. FIGURE 10.14 Verifying group membership
15. FIGURE 10.15 Adding a DFW rule to the WebDevs section
16. FIGURE 10.16 Specifying source IP addresses
17. FIGURE 10.17 Security group object available for DFW rule
18. FIGURE 10.18 Adding a new firewall rule
19. FIGURE 10.19 Rules added but in wrong order
20. FIGURE 10.20 IOChain service insertion within the kernel
21. FIGURE 10.21 IDS and IPS are examples of third-party network introspection s...
22. FIGURE 10.22 Partial list of NSX partners for best-of-breed integration
23. FIGURE 10.23 Creating a security policy in Service Composer
24. FIGURE 10.24 Steps within Service Composer to create a security policy
25. FIGURE 10.25 Options to change weight and inheritance when naming policy
26. FIGURE 10.26 Adding a firewall rule to the security policy
27. FIGURE 10.27 Choosing ICMP Echo as the service to match
28. FIGURE 10.28 Firewall rule created within the security policy
29. FIGURE 10.29 Applying the policy (finally!)
30. FIGURE 10.30 Security policy created and applied
Chapter 11
1. FIGURE 11.1 vRealize Easy Installer components
2. FIGURE 11.2 vRA Advanced and Enterprise editions compared
3. FIGURE 11.3 Accessing the vRealize Automation console
4. FIGURE 11.4 Selecting vSphere as the endpoint
5. FIGURE 11.5 Entering general details for the endpoint
6. FIGURE 11.6 Testing the connection
7. FIGURE 11.7 Associating NSX with the vCenter endpoint
8. FIGURE 11.8 Three subnets in blocks of 16 for the three-tiered application
9. FIGURE 11.9 Selecting the network profile type
10. FIGURE 11.10 Configuring an external network profile
11. FIGURE 11.11 Configuring supporting DNS information
12. FIGURE 11.12 Configuring the start and end IP range within the existing netw...
13. FIGURE 11.13 Under the General tab of a NAT network profile
14. FIGURE 11.14 Under the General tab of a routed network profile
15. FIGURE 11.15 Creating a reservation policy
16. FIGURE 11.16 Creating a vRA reservation
17. FIGURE 11.17 Configuring the General tab of a new reservation
18. FIGURE 11.18 Selecting compute, memory, and resources for the reservation
19. FIGURE 11.19 Creating a blueprint
20. FIGURE 11.20 Blueprint general configuration settings
21. FIGURE 11.21 Configuring NSX settings within the blueprint
22. FIGURE 11.22 Drag objects from the left to the design canvas grid on the rig...
23. FIGURE 11.23 vSphere (vCenter) component placed on the design canvas
24. FIGURE 11.24 Configuring the design canvas component
25. FIGURE 11.25 Adding the build information
26. FIGURE 11.26 Configuring CPU, memory, and storage for the VMs
27. FIGURE 11.27 Clicking the component brings up the configuration panel.
28. FIGURE 11.28 Creating a new service for the catalog
29. FIGURE 11.29 Configuring a new service for the catalog
30. FIGURE 11.30 Using search to find matching users and groups
31. FIGURE 11.31 Enabling the Manage Catalog Items option
32. FIGURE 11.32 Catalog item published after clicking OK
33. FIGURE 11.33 Creating a new entitlement
34. FIGURE 11.34 Users & Groups pane
35. FIGURE 11.35 Using the search function to find the SED general users group
36. FIGURE 11.36 Defining entitled services, items, and actions
37. FIGURE 11.37 Defining what actions can be taken by the end user
38. FIGURE 11.38 Verifying the catalog with a non-admin account
39. FIGURE 11.39 Catalog view using a vanilla user account
40. FIGURE 11.40 Entering the request form to provision
41. FIGURE 11.41 Tracking the progress of requests
42. FIGURE 11.42 Postman desktop REST API client
43. FIGURE 11.43 Adding NSX Manager credentials to the REST API header
44. FIGURE 11.44 Issuing a GET request to retrieve controller status
45. FIGURE 11.45 Additional header required for POST request
Appendix
1. FIGURE 4.28 Troubleshooting connectivity
2. FIGURE 5.31 Network And Security (NSX) menu options

Introduction

The advantages of server virtualization in data centers are well established. From the beginning, VMware has led the charge with vSphere. Organizations migrating physical servers to virtual immediately see the benefits of lower operational costs, the ability to pool CPU and memory resources, server consolidation, and simplified management.

VMware had mastered compute virtualization and thought, “Why not do the same for the entire data center?” Routers, switches, load balancers, firewalls … essentially all key physical networking components, could be implemented in software, creating a Software-Defined Data Center (SDDC). That product, VMware NSX, is the subject of this book.

In 1962, Sir Arthur Clarke published an essay asserting three laws. His third law stated, “Any sufficiently advanced technology is indistinguishable from magic.” If you're not familiar with NSX, the abilities you gain as a network administrator almost seem like magic at first, but we'll dive into the details to explain how it all works. It doesn't matter if you don't have a background in vSphere. There are plenty of analogies and examples throughout, breaking down the underlying concepts to make it easy to understand the capabilities of NSX and how to configure it.

The way NSX provides network virtualization is to overlay software on top of your existing physical network, all without having to make changes to what you have in place. This is much like what happens with server virtualization. When virtualizing servers, a hypervisor separates and hides the underlying complexities of physical CPU and memory resources from the software components (operating system and application), which exist in a virtual machine. With this separation, the server itself just becomes a collection of files, easily cloned or moved. An immediate benefit gained is the time and effort saved when deploying a server. Instead of waiting for the order of your physical servers to arrive by truck, then waiting for someone to rack and stack, then waiting for someone else to install an operating system, then waiting again for network connectivity, security, installation, and configuration of the application … you get the picture. Instead of waiting on each of those teams, the server can be deployed with a click of a button.

NSX can do the same and much more for your entire data center. The agility NSX provides opens new possibilities. For instance, a developer comes to you needing a temporary test server and a NAT router to provide Internet connectivity. The admin can use NSX to deploy a virtual machine (VM) and a virtual NAT router. The developer completes the test, the VM and NAT router are deleted, and all of this occurs before lunch. NSX can do the same thing for entire networks.

The same developer comes to you in the afternoon requesting a large test environment that mimics the production network while being completely isolated. She needs routers, multiple subnets, a firewall, load balancers, some servers running Windows, others running Linux: all set up with proper addressing, default gateways, DNS, DHCP, and her favorite dev tools installed and ready to go. It's a good bet that setting this up in a physical lab would take a lot of time and may involve several teams.

With NSX, that same network could be deployed by an administrator with a few clicks, or even better, it can be automated completely, without having to involve an administrator at all. VMware has a product that works with NSX called vRealize Automation (vRA) that does just that. It provides our developer with a catalog portal, allowing her to customize and initiate the deployment herself, all without her needing to have a background in networking.

If you're a security admin, this might seem like chaos would ensue, with anyone being able to deploy whatever they want on the network. NSX has that covered as well. As a security administrator, you still hold the keys and assign who can do what, but those keys just got a lot more powerful with NSX.

Imagine if you had an unlimited budget and were able to attach a separate firewall to every server in the entire network, making it impossible to bypass security while significantly reducing latency. Additionally, what if you didn't have to manage each of those firewalls individually? What if you could enter the rules once and they propagate instantly to every firewall, increasing security dramatically while making your job a lot easier and improving performance. It's not magic; that's the S in NSX.

The N in NSX is for networking, the S is for security. The X? Some say it stands for eXtensibility or eXtended, but it could just as well be a way to make the product sound cool. Either way, the point is that both networking and security get equal treatment in NSX, two products in one. At the same time, instead of these additions adding more complexity to your job, you'll find just the opposite. With the firewall example or the example of the developer deploying the large test network, as a security administrator, you set the rules and permissions and you're done. Automation takes care of the tedious legwork, while avoiding the typical mistakes that arise when trying to deploy something before having your morning coffee. Those mistakes often lead to even more legwork with more of your time drained troubleshooting.

Wait, the title of the book says NSX-V. What does the V for? Since NSX is tightly integrated with vSphere, its legal name is NSX for vSphere, but we'll just refer to it as NSX for short. NSX-V has a cousin, NSX-T, with the T standing for transformers. In a nutshell, that product is made to easily integrate with environments using multiple hypervisors, Kubernetes, Docker, KVM, and OpenStack. If all that sounds like a lot to take in, not to worry, we'll save that for another book.

Welcome to NSX.

What Does This Book Cover?

Chapter 1: Abstracting Network and Security We often learn how to configure something new without really understanding why it exists in the first place. You should always be asking, “What problem does this solve?” The people armed with these details are often positioned to engineer around new problems when they arise. This chapter is a quick read to help you understand why NSX was created in the first place, the problems it solves, and where NSX fits in the evolution of networking, setting the stage for rest of the book's discussions on virtualization.
Chapter 2: NSX Architectures and Requirements This chapter is an overview of NSX operations. It details the components that make up NSX, their functions, and how they communicate. Equally important, it introduces NSX terminology used throughout the book, as well as virtualization logic.
Chapter 3: Preparing NSX In this chapter, you will find out everything you need to have in place before you can deploy NSX. This includes not only resources like CPU, RAM, and disk space, but it also covers ports that are necessary for NSX components to communicate, and prepping your ESXi hosts for NSX.
Chapter 4: Distributed Logical Switch It's helpful if you are already familiar with how a physical switch works before getting into the details of a Distributed Logical Switch. Don't worry if you're not. In this chapter, we'll look at how all switches learn, and why being distributed and logical is a dramatic improvement over centralized and physical. You'll also find out how NSX uses tunnels as a solution to bypass limitations of your physical network.
Chapter 5: Marrying VLANs and VXLANs On the virtual side, we have VMs living on VXLANs. On the physical side, we have servers living on VLANs. Rather than configuring lots of little subnets and routing traffic between logical and physical environments, this chapter goes into how to connect the two (physical and logical), making it easy to exchange information without having to re-IP everything.
Chapter 6: Distributed Logical Router In Chapter 4, we compared a physical switch and a Distributed Logical Switch. We do the same in this chapter for physical routers vs. Distributed Logical Routers, covering how they work, how they improve performance while making your job easier, and the protocols they use to communicate.
Chapter 7: NFV: Routing with NSX Edges In this chapter, we talk about network services beyond routing and switching that are often provided by proprietary dedicated physical devices, such as firewalls, load balancers, NAT routers, and DNS servers. We'll see how these network functions can be virtualized (Network Function Virtualization, or NFV) in NSX.
Chapter 8: More NFV: NSX Edge Services Gateway This chapter focuses on the Edge Services Gateway, the Swiss Army knife of NSX devices, that can do load balancing, Network Address Translation (NAT), DHCP, DHCP Relay, DNS Relay, several flavors of VPNs, and most importantly, route traffic in and out of your NSX environment.
Chapter 9: NSX Security, the Money Maker When it's said that NSX provides better security, you'll find out why in this chapter. Rather than funneling traffic through a single-point physical firewall, it's as if a police officer were stationed just outside the door of every home. The NSX Distributed Firewall provides security that is enforced just outside the VM, making it impossible to bypass the inspection of traffic in or out. We also look at how you can extend NSX functionality to incorporate firewall solutions from other vendors.
Chapter 10: Service Composer and Third-Party Appliances This chapter introduces Service Composer. This built-in NSX tool allows you to daisy-chain security policies based on what is happening in real time. You'll see an example of a virus scan triggering a series of security policies automatically applied, eventually leading to a virus-free VM. You'll also learn how to tie in services from other vendors and explain the differences between guest introspection and network introspection.
Chapter 11: vRealize Automation and REST APIs Saving the best time-saving tool for last, this chapter covers vRealize Automation (vRA), a self-service portal containing a catalog of what can be provisioned. If a non-admin needs a VM, they can deploy it. If it needs to be a cluster of VMs running Linux with a load balancer and NAT, they can deploy it. As an admin, you can even time bomb it, so that after the time expires, vRA will keep your network clean and tidy by removing what was deployed, automatically. You will also see how administrative tasks can be done without going through a GUI, using REST APIs.

Additional Resources

Here's a list of supporting resources that augment what is covered in this book, including the authorized VCP6-NV NSX exam guide, online videos, free practice labs, helpful blogs, and supporting documentation.

VCP6-NV Official Cert Guide (NSX exam #2V0-642) by Elver Sena Sosa:
www.amazon.com/VCP6-NV-Official-Cert-Guide-2V0-641/dp/9332582750/ref=sr_1_1?keywords=elver+sena+sosa&qid=1577768162&sr=8-1
YouTube vSAN Architecture 100 Series by Elver Sena Sosa:
www.youtube.com/results?search_query=vsan+architecture+100+series
Weekly data center virtualization blog posts from the Hydra 1303 team:
www.hydra1303.com
Practice with free VMware NSX Hands-on Labs (HOL):
www.vmware.com/products/nsx/nsx-hol.html
VMUG – VMware User Group:
www.vmug.com
VMware NSX-V Design Guide:
www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/products/nsx/vmw-nsx-network-virtualization-design-guide.pdf
VMware authorized NSX classes (classroom and online):
mylearn.vmware.com/mgrReg/courses.cfm?ui=www_edu&a=one&id_subject=83185

How to Contact the Publisher

If you believe you've found a mistake in this book, please bring it to our attention. At John Wiley & Sons, we understand how important it is to provide our customers with accurate content, but even with our best efforts, an error may occur.

In order to submit your possible errata, please email it to our Customer Service Team at wileysupport@wiley.com with the subject line “Possible Book Errata Submission.”

Mastering VMware NCX^® for vSphere^®

About the Authors

About the Technical Editor

Acknowledgments

Introduction

What Does This Book Cover?

Additional Resources

How to Contact the Publisher