VMware NSX, the leading network virtualization platform, promises a transformation of the data center network operational model. Benefits include greater agility, security, operational efficiency and workload mobility, while also significantly reducing costs.
But what does a real-world implementation look like?
I recently had the pleasure of working with a global internet service provider on a project for the federal government. VMware NSX enabled our client to address its challenges and meet the strict security and high-availability requirements that the government demanded.
Various government agencies from around the country planned to use the services hosted on the ISP platform. Not all the agencies would have the same level of security requirements.
In a traditional environment, providing each agency with the same level of firewalling, inspection, and detection is cost-prohibitive: it requires a separate physical environment for each agency, which increases both cost and complexity.
NSX solves this problem by providing firewall, IDS, and IPS capabilities at the virtual NIC of every virtual machine. This type of network micro-segmentation enables granular firewalling and security policy enforcement for every workload in the data center, independent of the network topology and its complexity.
Furthermore, this software-defined approach to micro-segmentation is available at a fraction of the cost of a hardware-based approach.
Control of these services is centralized through NSX and implemented using flexible policies. In this case, we implemented these features with minimal administrative overhead.
Before NSX, this security design would have been nearly impossible—it would have required physical hosts with every port plugged into a next-generation firewall.
In addition to the strict security requirements, the government also required that the services be available at all times. Many of the applications provide this type of redundancy themselves, but their supporting services do not.
To solve this problem, the company deployed a highly available stretched cluster environment. We extended Layer 2 and Layer 3 between the sites using NSX logical switches and logical routers. This allowed the company to split services between the sites for failover and to vMotion virtual machines between sites for continuous availability during site maintenance activities.
A Fully-Engaged NSX Implementation
Altogether, our client implemented every core feature: stretched Layer 2, distributed routing, distributed firewalling, service insertion for IDS/IPS, and integrated anti-virus. All of these log to the Splunk servers, where the events are monitored by security engineers.
It’s the most secure and highly available environment that I’ve ever worked on. A would-be attacker will have a very difficult time traversing the network at all, let alone without being noticed.
This fully-engaged NSX implementation is a security engineer’s dream, and it’s already providing our ISP client with higher levels of security and availability than would have been possible with a physical network.