VMware NSX for the little ones. Part 1

Open the config of almost any firewall and you will most likely see a long list of IP addresses, ports, protocols and subnets. This is how network security policies for user access to resources have classically been implemented. At first people try to keep the config in order, but then employees move from department to department, servers multiply and change roles, access for various projects appears where it normally should not, and you end up with hundreds of undocumented back paths.

Next to some rules, if you are lucky, there are comments like "Vasya asked for this" or "This is the passage to the DMZ". The network administrator leaves, and nothing makes sense anymore. Then someone decides to clean up Vasya's config, and SAP goes down, because Vasya once requested that access to work with production SAP.

Today I will talk about VMware NSX, a solution that lets you apply network and security policies precisely, without the confusion of firewall configurations. In this part I will show what new features have appeared compared with what VMware offered before.

VMware NSX is a network virtualization and security platform. NSX handles routing, switching, load balancing, firewalling and many other interesting things.

NSX is the successor both to VMware's own vCloud Networking and Security (vCNS) product and to Nicira NVP, which VMware acquired.

From vCNS to NSX

Previously, a customer in a cloud built on VMware vCloud had a separate vCNS vShield Edge virtual machine. It acted as an edge gateway where many network functions could be configured: NAT, DHCP, firewall, VPN, load balancer and so on. vShield Edge restricted the interaction of virtual machines with the outside world according to the Firewall and NAT rules. Inside the network, virtual machines within a subnet communicated freely with one another. If you really wanted to separate and control traffic, you could create a separate network for each part of an application (each set of virtual machines) and write the corresponding rules for their interaction in the firewall. But this is long, complicated and tedious, especially once you have several dozen virtual machines.

In NSX, VMware implemented the concept of micro-segmentation with a distributed firewall built into the hypervisor kernel. Security and connectivity policies are written not only for IP and MAC addresses but also for other objects: virtual machines and applications. If NSX is deployed inside an organization, a user or group of users from Active Directory can also be such an object. Each such object becomes a micro-segment with its own security perimeter, in the right subnet, with its own cozy DMZ :).

Previously, there was a single security perimeter for the entire resource pool, protected by the Edge gateway; with NSX you can protect an individual virtual machine from unwanted interactions even within the same network.

Security and network policies follow an object when it moves to a different network. For example, if we move the database machine to another network segment, or even to another virtual data center, the rules written for that virtual machine continue to operate regardless of its new location. The application server will still be able to reach the database.
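As an added illustration (not code from the article or from VMware), the following Python model shows the difference between a classic IP-keyed rule and an object-keyed rule when a VM moves: the object rule resolves VM names against an inventory at match time, so it keeps working after the IP changes, while the IP rule silently stops matching and leaves a stale hole behind. The VM names, addresses and the Rule/ObjectFirewall classes are all invented for the example.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set, Tuple


@dataclass
class Rule:
    """A rule whose endpoints are object names (here: VM names), not IPs."""
    name: str
    src: Set[str]
    dst: Set[str]
    port: int
    action: str = "allow"


class ObjectFirewall:
    """Toy object-based firewall: VM names are resolved against the current
    inventory when a flow is evaluated, so the rule follows the VM."""

    def __init__(self, inventory: Dict[str, str], rules: Iterable[Rule]):
        self.inventory = dict(inventory)   # VM name -> current IP (hypothetical data)
        self.rules = list(rules)

    def move_vm(self, vm: str, new_ip: str) -> None:
        """Simulate re-homing a VM to another segment: only its IP changes."""
        self.inventory[vm] = new_ip

    def _vm_for(self, ip: str) -> Optional[str]:
        for vm, addr in self.inventory.items():
            if addr == ip:
                return vm
        return None

    def allowed(self, src_ip: str, dst_ip: str, port: int) -> bool:
        src_vm, dst_vm = self._vm_for(src_ip), self._vm_for(dst_ip)
        for r in self.rules:
            if src_vm in r.src and dst_vm in r.dst and r.port == port:
                return r.action == "allow"
        return False   # default deny, as a distributed firewall should


def ip_rule_allows(ip_rules: Set[Tuple[str, str, int]],
                   src_ip: str, dst_ip: str, port: int) -> bool:
    """Classic firewall: rules are literal (src, dst, port) tuples."""
    return (src_ip, dst_ip, port) in ip_rules


def compare_after_move() -> Dict[str, bool]:
    """Constructed scenario: app-01 talks to db-01 on 5432; db-01 then moves
    from 10.0.2.20 to 10.0.5.20. Returns which rule style still permits it."""
    inventory = {"app-01": "10.0.1.10", "db-01": "10.0.2.20"}
    obj_fw = ObjectFirewall(inventory, [Rule("app-to-db", {"app-01"}, {"db-01"}, 5432)])
    ip_rules = {("10.0.1.10", "10.0.2.20", 5432)}

    result = {
        "ip_rule_before": ip_rule_allows(ip_rules, "10.0.1.10", "10.0.2.20", 5432),
        "object_rule_before": obj_fw.allowed("10.0.1.10", "10.0.2.20", 5432),
    }
    obj_fw.move_vm("db-01", "10.0.5.20")
    result["ip_rule_after"] = ip_rule_allows(ip_rules, "10.0.1.10", "10.0.5.20", 5432)
    result["object_rule_after"] = obj_fw.allowed("10.0.1.10", "10.0.5.20", 5432)
    # The IP rule still opens 10.0.2.20, a stale path for whatever VM gets that
    # address next; the object rule never referred to the address at all.
    result["stale_ip_still_open"] = ip_rule_allows(ip_rules, "10.0.1.10", "10.0.2.20", 5432)
    result["object_rule_old_ip"] = obj_fw.allowed("10.0.1.10", "10.0.2.20", 5432)
    return result


if __name__ == "__main__":
    for key, value in compare_after_move().items():
        print(f"{key}: {value}")
```

The model deliberately evaluates every flow against the inventory rather than pre-expanding rules to IPs; that is the property that makes the policy move with the object, and it is also why the old address is closed the moment the VM leaves it.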

vCNS vShield Edge itself has been replaced by NSX Edge. It has everything the old Edge had plus several new features, which are discussed below.

What's new with NSX Edge?

The functionality of NSX Edge depends on the NSX edition. There are five: Standard, Professional, Advanced, Enterprise Plus and Remote Branch Office. Everything new and interesting is available only from Advanced upward, including the new interface, which opens in a separate tab until vCloud Director fully moves to HTML5 (VMware promises summer 2019).

Firewall. IP addresses, networks, gateway interfaces and virtual machines can be selected as the objects to which rules apply.

DHCP. In addition to configuring the range of IP addresses issued automatically to virtual machines on a network, NSX Edge now offers DHCP bindings and DHCP relay.

On the Bindings tab you can bind a virtual machine's MAC address to an IP address so that its address never changes. The important thing is that this IP address must not fall inside a DHCP pool, otherwise the same address could also be handed out as a dynamic lease.
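An added check (not from the article or from VMware) for the caveat above: given the Edge's DHCP pools and its static bindings, flag any binding whose IP lies inside a pool, and any IP bound to more than one MAC. The pool and binding data are constructed for the example; in a real deployment they would be taken from the Edge configuration.

```python
import ipaddress
from typing import Dict, List, Sequence, Tuple

# Constructed data standing in for an Edge's DHCP configuration.
POOLS: List[Tuple[str, str]] = [
    ("192.168.10.100", "192.168.10.200"),
    ("192.168.20.50", "192.168.20.99"),
]
BINDINGS: Dict[str, str] = {
    "00:50:56:aa:bb:01": "192.168.10.50",    # fine: outside both pools
    "00:50:56:aa:bb:02": "192.168.10.150",   # wrong: inside the first pool
    "00:50:56:aa:bb:03": "192.168.20.10",
    "00:50:56:aa:bb:04": "192.168.20.10",    # wrong: same IP as bb:03
}


def pool_ranges(pools: Sequence[Tuple[str, str]]) -> List[Tuple[int, int]]:
    """Convert ("start", "end") pools to integer ranges, rejecting inverted pools."""
    ranges = []
    for start, end in pools:
        a, b = int(ipaddress.ip_address(start)), int(ipaddress.ip_address(end))
        if a > b:
            raise ValueError(f"pool {start}-{end}: start is after end")
        ranges.append((a, b))
    return ranges


def bindings_inside_pools(pools: Sequence[Tuple[str, str]],
                          bindings: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (mac, ip, pool) for every static binding whose IP falls inside a
    DHCP pool; such an address could also be issued as a dynamic lease."""
    hits = []
    for mac, ip in bindings.items():
        n = int(ipaddress.ip_address(ip))
        for (a, b), (start, end) in zip(pool_ranges(pools), pools):
            if a <= n <= b:
                hits.append((mac, ip, f"{start}-{end}"))
    return hits


def ips_bound_twice(bindings: Dict[str, str]) -> List[str]:
    """Return IPs that appear in more than one binding (two MACs, one address)."""
    seen: Dict[str, int] = {}
    for ip in bindings.values():
        seen[ip] = seen.get(ip, 0) + 1
    return sorted(ip for ip, count in seen.items() if count > 1)


if __name__ == "__main__":
    for mac, ip, pool in bindings_inside_pools(POOLS, BINDINGS):
        print(f"binding {mac} -> {ip} overlaps pool {pool}")
    for ip in ips_bound_twice(BINDINGS):
        print(f"address {ip} is bound to more than one MAC")
```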

The Relay tab configures forwarding of DHCP messages to DHCP servers outside your organization in vCloud Director, including DHCP servers in the physical infrastructure.

Routing. vShield Edge supported only static routing. Dynamic routing has now appeared, with support for OSPF and BGP. ECMP (equal-cost multipath) is also available, giving active-active forwarding over several paths to the physical routers.

[Screenshot: configuring OSPF]

[Screenshot: configuring BGP]

Another new feature is route redistribution: passing routes learned via one protocol into another.

L4/L7 load balancer. The X-Forwarded-For header is now inserted into HTTP and HTTPS traffic. Everyone had been asking for this. Say you have a website behind the balancer: without this header everything works, but the web server statistics show the IP of the balancer rather than of the visitors. Now the visitor's address is passed through. Note that for HTTPS the balancer can only insert the header if it terminates TLS (see SSL certificates below), and the backend should trust the header only when the connection actually arrives from the balancer, because a client can set X-Forwarded-For itself.

On the Application Rules tab you can now also add scripts that directly control how traffic is balanced.
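An added example (not from the article or from VMware) of how a backend behind the balancer should read X-Forwarded-For: trust the header only when the TCP peer is the balancer, and walk the chain from the right, skipping known proxy hops, because any address the client itself placed in the header is untrusted. The balancer and visitor addresses are constructed for the example.

```python
import ipaddress
from typing import Iterable, Optional

# Constructed addresses: the Edge balancer's inside address and an internet visitor.
BALANCER = "10.0.0.5"
VISITOR = "203.0.113.7"


def client_ip(xff: Optional[str], peer_ip: str, trusted_proxies: Iterable[str]) -> str:
    """Recover the visitor's address behind an L7 balancer.

    xff: raw X-Forwarded-For value (None if absent); peer_ip: the TCP peer of
    this connection; trusted_proxies: IPs/CIDRs of balancers allowed to set
    the header. The chain is walked right to left: the rightmost hop was
    appended by the nearest proxy and is the only one we can vouch for;
    anything left of the first untrusted address is client-supplied.
    """
    nets = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]

    def is_trusted(ip_text: str) -> bool:
        try:
            return any(ipaddress.ip_address(ip_text) in n for n in nets)
        except ValueError:
            return False

    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in n for n in nets):
        # Connection did not come via the balancer: ignore the header entirely.
        return str(peer)

    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    for hop in reversed(hops):
        if is_trusted(hop):
            continue                       # an inner proxy we know about
        try:
            return str(ipaddress.ip_address(hop))
        except ValueError:
            break                          # malformed hop: do not guess
    return str(peer)                       # header absent or unusable


if __name__ == "__main__":
    # The client forged "1.2.3.4"; the balancer appended the real visitor address.
    print(client_ip("1.2.3.4, " + VISITOR, BALANCER, [BALANCER]))
    # Someone reached the backend directly, bypassing the balancer: header ignored.
    print(client_ip("1.2.3.4", "198.51.100.9", [BALANCER]))
```

Feeding the result into the web server's access log (instead of the raw header) is what makes the visitor statistics both correct and resistant to a client that tries to hide behind a fake X-Forwarded-For.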

VPN. In addition to IPsec VPN, NSX Edge supports:

  • L2 VPN, which lets you stretch a network between geographically dispersed sites. Such a VPN is needed, for example, so that a virtual machine moved to another site stays in the same subnet and keeps its IP address.

  • SSL VPN Plus, which lets users connect remotely to the corporate network. This existed at the vSphere level, but for vCloud Director it is new.

SSL certificates. Certificates can now be installed on NSX Edge, which answers the question of what use a load balancer is without a certificate for HTTPS.

Grouping Objects. This tab defines groups of objects to which particular network rules, such as firewall rules, are applied.

These objects can be sets of IP addresses and MAC addresses.

It also holds the list of services (protocol and port combinations) and applications that can be used when writing firewall rules. Only the administrator of the vCD portal can add new services and applications.

Statistics. Connection statistics for the traffic passing through the gateway, firewall and load balancer.

Status and statistics for each IPsec VPN and L2 VPN tunnel.

Logging. On the Edge Settings tab you can specify the syslog server to which logs are sent. Logging works for DNAT/SNAT, DHCP, Firewall, Routing, Load Balancer, IPsec VPN and SSL VPN Plus.

The following log levels are available for each object/service:

  • Debug
  • Alert
  • Critical
  • Error
  • Warning
  • Notice
  • Info

NSX Edge sizes

Depending on the workload and its volume, VMware recommends deploying NSX Edge in one of the following sizes:

              Compact                Large                  Quad-Large             X-Large
vCPU          1                      2                      4                      6
Memory        512 MB                 1 GB                   1 GB                   8 GB
Disk          512 MB                 512 MB                 512 MB                 4.5 GB + 4 GB
Purpose       Single application,    Small or medium        Heavily loaded         L7 load
              test data center       data center            firewall               balancing

The table below gives the network service limits and performance figures for each NSX Edge size (a dash means no figure is published for that size):

                                        Compact      Large        Quad-Large   X-Large
Interfaces                              10           10           10           10
Sub-interfaces (trunk)                  200          200          200          200
NAT rules                               2,048        4,096        4,096        8,192
ARP entries (before overwrite)          1,024        2,048        2,048        2,048
FW rules                                2,000        2,000        2,000        2,000
FW performance                          3 Gbps       9.7 Gbps     9.7 Gbps     9.7 Gbps
DHCP pools                              20,000       20,000       20,000       20,000
ECMP paths                              8            8            8            8
Static routes                           2,048        2,048        2,048        2,048
LB pools                                64           64           64           1,024
LB virtual servers                      64           64           64           1,024
LB servers per pool                     32           32           32           32
LB health checks                        320          320          320          3,072
LB application rules                    4,096        4,096        4,096        4,096
L2VPN clients (hub to spoke)            5            5            5            5
L2VPN networks per client/server        200          200          200          200
IPsec tunnels                           512          1,600        4,096        6,000
SSL VPN tunnels                         50           100          100          1,000
SSL VPN private networks                16           16           16           16
Concurrent sessions                     64,000       1,000,000    1,000,000    1,000,000
Sessions/second                         8,000        50,000       50,000       50,000
LB throughput (L7 proxy)                -            2.2 Gbps     2.2 Gbps     3 Gbps
LB throughput (L4 mode)                 -            6 Gbps       6 Gbps       6 Gbps
LB connections/s (L7 proxy)             -            46,000       50,000       50,000
LB concurrent connections (L7 proxy)    -            8,000        60,000       60,000
LB connections/s (L4 mode)              -            50,000       50,000       50,000
LB concurrent connections (L4 mode)     -            600,000      1,000,000    1,000,000
BGP routes                              20,000       50,000       250,000      250,000
BGP neighbors                           10           20           100          100
BGP routes redistributed                No limit     No limit     No limit     No limit
OSPF routes                             20,000       50,000       100,000      100,000
OSPF LSA entries (max 750 Type-1)       20,000       50,000       100,000      100,000
OSPF adjacencies                        10           20           40           40
OSPF routes redistributed               2,000        5,000        20,000       20,000
Total routes                            20,000       50,000       250,000      250,000

→ Source

The table shows why load balancing on NSX Edge is recommended for production only from the Large size upward: no load balancer figures are given for Compact at all.

That's all for today. In the following parts I will go through the configuration of each NSX Edge network service in detail.

Source: habr.com
