VMworld 2015: NET6639 – Next Horizon for Cloud Networking and Security


Announcer: Ladies and gentlemen, may I have your attention please. This presentation provides forward-looking statements that are subject to risks and uncertainties. Actual results may differ materially as a result of various risk factors, including those described in the 10-Ks, 10-Qs and 8-Ks that VMware files with the SEC. Thank you for listening, and now please welcome Chief Technology Strategy Officer of Networking and Security, Guido Appenzeller.

Guido Appenzeller: All right, very excited to be here today. We've got a great session prepared for you. We want to give you a glimpse of the future of NSX, and unlike the guys on the main stage we're going to do all of this with live demos, from the system we have running here. I hope they work. If they work, I promise you this will be a fantastic session and we'll have a lot of fun here.

So before we talk about the future of NSX, I briefly want to reflect back on what we have achieved so far. I spent most of my life in startups, and in startups I've never seen growth like the one we currently have with NSX. When I started here a year ago, not even a year ago, we had 250 customers announced. Today we have 700 customers announced with NSX. We have over a hundred production deployments, where customers, some of you in the room, are trusting us to run the most mission-critical systems on top of NSX, and over 65 organizations have spent at least a million dollars on NSX. So these are not small deployments; there are some very, very large deployments out there, and they go across all the different industries: government, service providers. So it's been an incredible success.

Behind the success of NSX is really that networking is going through a huge transition. It's fundamentally transforming from a hardware-driven industry into a software-driven industry, and that's a very big paradigm shift, which I think people haven't even fully realized yet, how much it will change how we do networking. If you look at the PC industry, they went through the same revolution, and none of the players that were top players before were major players afterwards. More recently it happened to video distribution with Netflix versus Blockbuster, or retail with Amazon versus Barnes and Noble. What has happened as part of those revolutions is that we've changed the way we deploy infrastructure.

Back in the day the data center was simple: we had physical servers and then we had a physical network underneath. Whenever I wanted to add capabilities to my data center network I had to buy a new box, swap this box in, and it would provide me with a new firewall service, a new type of forwarding, whatever I would need. Then we started first virtualizing the applications as virtual machines, and as we did this there slowly emerged the layer of virtual infrastructure underneath. We first saw virtual switches, then virtual routers, virtual firewalls, virtual load balancers, and there's more to come. This virtual infrastructure has a couple of great properties. While getting a new physical device that adds functionality into my data center takes a lot of time, after I've ordered it, racked and stacked it and turned it on, providing the same kind of capability with a virtualized device is something I can do in real time. It's much easier to automate this. This gives you much higher speed in the data center: we've seen customers that have gone from two weeks for deploying a new firewall rule to doing this in real time, or even with self-service. It also gives me the necessary ability to react to the constantly changing needs that I have: my application teams want to deploy new technologies, my end users are bringing new devices. And last but not least, it gives you the security, the peace of mind, that the data that is behind my network is safe and secure, that I'm compliant. In today's time that's important, because on one side I have constantly changing requirements from my apps teams, on the other side there are some major changes going on in the hardware, and in between we have NSX. This layer provides consistency independently from the hardware and independently of the load that's on top of it.

Now you probably know NSX is the market leader for network virtualization for the vSphere environment. What probably not everybody here knows is that we're also currently the market leader for the open-source virtualization market, very specifically KVM and Xen, and I wanted to give you a couple of data points to give an idea of what we're doing there. The foundation of everything that we're doing in the open source space is Open vSwitch. It's a project that was originally started by Nicira, and I'm incredibly happy about the community that developed around Open vSwitch. We now have over 60 organizations, many of our partners, in fact most of our competitors, that have contributed code to Open vSwitch, because this is sort of a foundation that we all need, that we can agree on we need in the Linux kernel and in Linux distributions, so we can build services on top of this. To give you a second data point, about twenty percent of the current NSX deployments that we have use OpenStack as the orchestration framework. I personally think it's a great choice, and many of our customers value having open APIs that they can collaborate on, and some of these deployments are actually running at an incredibly massive scale. I've talked to a customer, a single customer, where we had a hundred thousand KVM virtual machines all managed by NSX, all the networks provided by NSX. So these are huge deployments. You may have known NSX as the number one network virtualization for vSphere, but we're also doing extremely well, and I think we're the market leader, for network virtualization for open-source hypervisors.

Having said all that, where do we go from here? The first topic I want to talk about is containers. You have heard about containers already in the keynote, when Kit talked about our cloud native efforts, and I want to complement that by telling you how we're tackling this from the network side. Containers, I think, are a great idea. Depending on what kind of application you deploy, they have structural advantages over using VMs. Very specifically, if you just look at the diagram here, one of the big differences between containers and virtual machines is that for containers I can often share the base operating system, so I don't need a separate copy of the operating system in each and every VM. Instead the operating system is shared, then I have kernel-level separation between the containers, and they're all using the same operating system. If I'm a CIO that makes my life a lot easier, because patching has now just gotten a lot easier: I don't need to patch in five different places anymore, I can do this in one place, and it's much, much less effort. Containers also allow me to pack applications more densely in some use cases, so I think it's a really good technology.

So today we actually have customers that are running containers in production on top of NSX, and the first time I visited them, I looked at the architecture diagrams, and this is roughly what they showed me: running the containers inside a virtual machine on top of a hypervisor. When I was looking at this I was like, okay, clearly these guys are doing it wrong, they have no idea, the whole point of containers is not to use hypervisors but to do this directly on the host. So I started talking to them about why they were doing this, and it turns out this actually makes sense, and I think this is a viable deployment model for containers in the enterprise for years to come. Instead of explaining to you why, I actually want to show you a live demo of why people are running containers inside virtual machines, and the person who is going to help me with this demo is Scott Lowe. Please welcome Scott.

Scott Lowe: Good morning, Guido.

Guido: Morning, Scott. So we have a very simple setup here. We're going to have one container host. It runs two applications. One application is a website; it's just a brochure, there's really nothing confidential on this thing, it just says something nice about our company. And then we have a second application, our vault, which holds all of our best-guarded corporate secrets. Right, Scott?

Scott: Yep.

Guido: And we're running all of this on Docker directly on a server. So I'm a developer, and I added a little extra function to this website that allows me to check the disk capacity, and it's a very short PHP script. If you know PHP you can probably read this: basically we're taking the df command, we're executing it, and then we're echoing the output to know how much capacity we have on the server. Now, in itself this script is fine. I'm going to improve this now, and I'm going to add an additional parameter, the path parameter, which I'm going to concatenate with my command before I execute it. This way I can pick which directory I get the capacity from. Sounds like a good idea, right, Scott?

Scott: Well, at first glance it sounds like it might be a good idea, but as they always say, the devil is in the details. All right, can we switch to the laptop please? So I'm going to take the role of the evil hacker here in this system. I'm sitting at the terminal prompt of a Linux system and we're just going to try some connectivity commands against this web server that Guido has turned up. This is the script that he has written, and you can see when I run that it's just going to return the results of the df command. web01, by the way, is just an alias to save me some typing here in front of all you guys. Then if we add the parameter, where we say I want to specify a path, you'll see that the output changes. So his extension is working, and that's good. The problem comes in that he hasn't properly escaped this, so I can use standard bash tricks like a semicolon and another command on the end, and as you see here I can actually run arbitrary commands on this web server. So I can print the current directory. You see Guido wincing there. I see that I'm in this particular directory, and then I can check the parent directory. I see, okay, I'm in this path, and here are the permissions; I know that the www user has write permissions to this directory. Well, let's just find out who I am.

Guido: But this still isn't bad, right? I mean, okay, I made a little mistake here, right now he can execute arbitrary shell commands in my little web app, but it's still isolated from the rest of the network, so nothing can happen, right, Scott?

Scott: Well, I don't know about that. We can see here that we have writable access to this directory as the user that we're being executed as, and if that's the case, and I know I can run arbitrary commands, well then I can just tell this container to initiate an outbound connection to my system and download a program that will run a shell and kick it back to my system. So I run this command in this container; it initiates an outbound connection to my hacker system and downloads this PHP shell. Now I'm going to flip over to another terminal window and I'm going to start a netcat listener. This is going to catch the shell that we're going to run on that container. Then I can just activate it on the remote system with a simple URL call like this, and you'll see now I actually have a shell executing in my terminal on his remote web server. Once I have shell access on this web server then I can do all kinds of things, like find out what the IP address is. It looks like the system is running standard Docker networking, I've got a private IP address here, 172.17.0.18, and I could do all kinds of interesting things, like I could see if I have some other systems nearby. Let's just see if we have something. Okay, takes a minute. Okay, nothing running there. Okay, let's try another IP address. All right, this is where the live demo starts to get a little crazy, because it's a live system. So I'm just going to pull down another utility here. If you're familiar with netcat you know that... oh, that's because I'm in the wrong directory. I'm going to pull down netcat, which is the Swiss Army knife of utilities here, and I will just make it executable, and now I could run any sort of port scan with a variety of utilities or whatever. So if you want to just flip over to the slides real quick, I'll identify the other IP address we need and then we'll come back and continue the demo.

Guido: Sounds great, so go back to the slides. So while Scott is hacking here, literally hacking actually, I wanted to tell you what he's doing. Here's the system that we showed you. Scott is the hacker, and he used this little application-layer vulnerability that I introduced to hack into the first container. These things happen: as long as humans are developing code they will introduce vulnerabilities. Now, once you've broken into the website, in itself that's not a huge issue. This is a sort of brochure-ware type website, there's actually nothing particularly secret on there. But what we learned from traditional virtual machines is that it's all about containing an attacker inside a particular application. You want to make sure there's no ability to move laterally between different hosts; that's what micro-segmentation is all about with NSX. The problem with a simple container host is that the model of networking that these containers have is that they're all running in the same kernel, and so there's basically a bridge between them. So even though the ingress networks here coming from the internet are separate, the public network here and the internal network are separate, internally they're not separate. So what Scott is now going to try to do, and we're ready to go, is he's going to move inside the container host to the second container.

Scott: All right, let me go back over to the laptop. So what you've seen is I have run some port scans. I've identified that we have this address, .16, running on the same internal Docker network, and I've run a scan against that, and you can actually see that it's also running port 80, and we presume this is probably the vault application that holds all of our secrets. So we will just run a few commands to see if indeed this has the same vulnerability as the one that we exploited, because I know Guido and he's nothing if not thorough and comprehensive. And we see I can actually run the same exec flaw against the internal container, and because I have unfettered access between these two, then of course I could do the same sort of thing again and I could once again download a shell onto the internal container. All right, this will download a shell to the internal container. I then flip over to my terminal window, I will open up another netcat listener, and then I will invoke that shell. I should have run through Mavis Beacon typing before I came in here. All right, and now you'll see I actually have a shell on the internal container.

Guido: Okay, that's not good, obviously.

Scott: Yeah, so we've actually demonstrated this point: lateral network movement, unfettered, because it can't be segmented, there are no controls over lateral network movement. So as soon as a hacker penetrates one system they're able to move laterally to other systems, so while this initial system may be okay, the subsequent systems may be far more confidential. I can once again look around. Oh look, here are some files. Let's just see if Guido's got anything interesting in here. Hmm, oh this looks interesting, let's find out what that is. Well, this is a PHP file that shows me credentials for connecting to a MySQL internal database.

Guido: Because it's a database-driven PHP application, we had to embed that stuff here.

Scott: It's now accessible. I wonder if this image has MySQL. Yep, it has the MySQL client installed, so now I can just do something like this, this is a standard MySQL command by the way, and there we see all of Guido's deepest, darkest secrets. Oh boy, he's got Hillary Clinton's emails, the Coca-Cola recipe and the Roswell encounter files.

Guido: Yeah, yeah, I'm screwed here. Interesting stuff here. All right, so that's not good. Can we go back to the slides here? So basically what Scott did is, once he was inside the vault he grabbed the database credentials, and once he had those he used them to connect to the database and read all of my secret information. Now, the reason why he could do this is because basically there was no segmentation of the network, just like it was with virtual machines. So we're going to do this one more time, exactly the same thing, but this time we're actually going to run a preview version of NSX that allows us to basically tie individual containers, as individual endpoints, into NSX virtual networks.

Scott: Absolutely. Can we switch back to the laptop? What you're seeing here is the UI for a preview version of NSX, and you're seeing here the firewall section, and you can see that we have a rule that specifically calls out these two web containers, because, let's be realistic, web servers that are accepting traffic don't really need to talk to each other; they need to talk to the outside world. So we're basically creating a situation here where we can't have peer-to-peer traffic over a standard web connection. That first rule there just says from this container to that container over TCP port 80: rejected. So with that in place we're going to go back to our evil hacker system here and we're going to run through the exact same set of commands again. I have another system that is protected by NSX that I have aliased as web02, and we'll just run the same piece. You can see that the same flaw exists, the same exec flaw that allows me to run programs arbitrarily in the shell, so same thing that we're doing here. Lo and behold, he was very thorough. So now we're going to just do the same thing again: we're going to initiate a connection to the outbound system, we're going to download the reverse shell. Okay, I'm going to flip over to here.

Guido: So this doesn't prevent him from breaking into the container, right? You still can do that; the application-level vulnerability still exists.

Scott: That's correct, absolutely. And so then I'll just activate the remote shell now that I have the netcat listener ready, and you see I still have a shell here. So we haven't mitigated the web-level vulnerability, although we could plug in partner solutions with NSX, like Palo Alto and others, to help mitigate some of that. But at this point we have information in here, and of course I could do the same thing. I could look, and okay, here's the address, and I've done a better job this time, we have the address here, and you can see that I've got ping connectivity, so we have connectivity to another web server. But as soon as I start to try to initiate traffic to that other system, even just running the normal command that he put on there, you're going to see it immediately drops me back to just nothing, and that's because the connection is actually getting rejected. The NSX distributed firewall sees that traffic, it falls into the rule, and it just blocks it, which means now we've blocked lateral network movement. Even though one container might be compromised, we are preventing the attacker from compromising other containers on that host or on other hosts within the data center.

Guido: So we micro-segmented our containers?

Scott: Absolutely, we just micro-segmented Docker containers.

Guido: Can we go back to the slides? Great, thanks, Scott, that was fantastic. So lesson learned: if you have an insecure network, don't let Scott anywhere near it, he's dangerous. So let me briefly explain one last time what we did here. We ran the same experiment as before, but this time we had NSX running underneath, and NSX with micro-segmentation and a fully stateful firewall allowed us to essentially put a little firewall behind every single container. So every flow going between containers now gets tracked by NSX and we can block it. This has a couple of advantages. The first one, as you saw, is we can just block the traffic and say these two applications should never talk to each other; very, very simple. But we can actually do more if we want to. For example, we can alert: we can put a rule in here that says if one container talks to another container on port 22, which should never happen, if this happens raise an alert, and then our forensics team can go in and figure out what went wrong here. The third thing we can do is we can actually tie this container network in with the rest of our data center. So for example the forensics team could say there's something fishy with this container, let's see what this container is trying to do, let's plug this container into another network which has a honeypot in it, and then the attacker goes to the honeypot and we can study what the attacker is doing. Or maybe have scanning tools on that network that actually look at what ports are open on these containers, are there other vulnerable URLs, what did the attacker do. So basically it allows you to tie in your container network with the rest of your data center.

Now, as I said at the beginning, we actually have some very large customers that are running containers today on top of NSX, and we were fortunate to have here today Suneet Nandwani from eBay, who is one of the visionaries and really pioneered this technique. So please welcome Suneet. It is great to have you today. I think you were one of the first to adopt this kind of technology. Can you share with the audience here what it is that you like about containers, what is good about them?

Suneet Nandwani: Yeah, so we were one of the early adopters of NSX; we have several thousand VMs running on NSX. For containers, I think the most compelling thing for us was that there's a developer community asking for Docker, but I think even more interesting are the things that are happening in the clustering world, like Kubernetes. So we're looking at Kubernetes, and just from an application manageability point of view it's very, very promising to us, and we kind of doubled down on that effort. We are a co-founding member of the CNCF, which Google founded for open source and Kubernetes, so we are very excited about that and definitely looking at containers in a big way for the future.

Guido: That's fantastic. So how does NSX specifically help you with containers? Why don't you just plug them into your data center network and be done with it?

Suneet: Yeah, it's really interesting. Actually, for Kubernetes it turns out that we have a unique problem: the way it's been designed, every container is routable, it has a routable IP, and if you look at the number of containers that are running in our Kubernetes cluster, there's an explosion of IPs. I don't know about you guys, but where I work the networking team just cannot support that load and that number of IPs, this explosion. So one of the things that we did was that we are running all these containers inside VMs managed using NSX, and we were able to create a private network for all of our Kubernetes cluster. So all of the containers are now talking east-west on a private network to each other, and we were able to fully isolate it. All the traffic is contained within, plus we don't have to worry about the IP explosion aspect. So it's been great for us; I mean, we wouldn't have been able to do it without NSX.

Guido: It makes a lot of sense, putting every container swarm, cloud, whatever it's called, on a separate virtual network in NSX. And if they have duplicate IP addresses, for example, it doesn't matter anymore.

Suneet: Yeah, so it's all private networks over the private IP space there.

Guido: And then how do you tie the containers to the rest of your enterprise network?

Suneet: Yes, and that's also interesting, because what we are doing is that we are also running NSX inside the hypervisor, so we're able to bridge our private network, which is running the Kubernetes cluster, to our physical network, also using OVS controlled by NSX. So actually it's great, because now we have traffic from the cluster to the physical network; it's north-south traffic, but it's happening through our VMs managed by NSX. So we're able to solve both those use cases. It's great for us.

Guido: Fantastic, thank you so much for sharing that, I really appreciate it.

Suneet: My pleasure, thank you.

Guido: Thank you, Suneet. So let me briefly summarize my thoughts here. You all know the value that NSX can bring for virtual machines, and many things for containers are actually exactly the same as they are for virtual machines. You still want the ability to segment your network and have software micro-segments that are firewalled off around your applications. You still want to be able to get visibility into your network; with a stateful firewall we can track every single flow between containers, we can put in alerts for suspicious behaviour, you can put a virtual tap in so you can actually look at individual packets if you want to. And last but not least, with NSX you can easily tie your container networks into the whole rest of your data center, because I can promise you it will be a while before you've fully containerized your whole data center, and there's a lot of integration work that needs to be done here. So I started this by talking about how we support virtual machines; in the future you can expect NSX also to support containers.

There's one more thing which is currently disrupting how we run IT, and that is public clouds. Public clouds have a huge amount of promise for us: this ability to configure resources on demand anywhere in the world, with instant provisioning and a sort of pay-as-you-go consumption model. It's great, it's clearly the future, but it also comes with a set of challenges. If I talk to customers they're worried about how do I secure this, how do I stay compliant if I move my applications to the cloud, how do I connect these applications with my on-premise applications. And there's one last item I want to talk about briefly, which is that I'm hearing people that are worried about cloud lock-in, and that's a new thing, so let me explain to you what I mean by that. The general idea of clouds is that I can say I create a workload and now I can deploy it on any cloud; if I don't like one anymore I go to the other one, Azure, Amazon, Google, vCloud Air, I can move around. The challenge with this is that each cloud comes with a set of services. Typically today an application is no longer a single virtual machine; today an application is something complex, with a virtual network around it, a load balancer, a firewall, storage, and many other things. If I write this application for a specific cloud, it actually is no longer movable: if I try to take this application and move it to another cloud, it turns out the APIs for all these different services look different, so it doesn't quite work. And this is the same pretty much across all the clouds. The challenge is that you have to be careful that as you're creating teams and applications for clouds, you're not just creating new silos, the same thing we used to have in the data center: I have my Sun team that works on Solaris, and then my HP-UX team that works on HP Unix, and my AIX team. This all went away with virtualization and the PC revolution, but there's the same concern of this happening again in the cloud. I talked to one customer, and they actually internally have a whitelist of which services you're allowed to use on certain clouds, because they want to make sure that you don't use services that lock you in.

So we asked ourselves the question, what can we do here with NSX? Very specifically, NSX today decouples you from the hardware underneath: a Cisco switch, an HP switch, whichever switch it is, from an application point of view they are all starting to look the same, because the firewalls, the routers, the switching that the application sees is just virtual infrastructure that's sitting on top of this physical network. So can we do the same thing and basically build a virtual infrastructure layer that you can bring yourself to the cloud, that isolates you from the differences in the different clouds on the networking side? Today we want to answer that question, and we want to do this by, for the first time ever, publicly showing NSX on Amazon Web Services. The person who is going to help me with that is Mukesh Hira. Please welcome Mukesh.

Mukesh Hira: Hey, Guido.

Guido: Hey, Mukesh. All right, so let me explain to you what we're going to do here. We have a very simple setup that we're going to start with. We have an on-premise data center running NSX, so we have a virtual firewall, a virtual load balancer, a virtual switch, and we have two systems that are plugged in: one is our HR server and the other is a little prototype web server that we're testing for a new application. All right, hold on, it looks like I've got a call coming in here. It's from my boss. Hey, Martin.

Martin (on the phone): Hey, you know that new app that we've deployed? It's going crazy, people love it. I need more capacity. I need you to deploy 50 new VMs now, with full NSX security. Can you do that?

Guido: Sure.

Martin: All right, man, thanks so much.

Guido: So that was my boss Martin, who is the GM of the NSBU, and he said we have to deploy 50 new web servers immediately. The problem is I just ran out of capacity in my local data center, and we still want them secured by NSX. So what can we do here, Mukesh? Is there anything we can do?

Mukesh: Yeah, certainly. We can launch some web server instances in AWS and have them all secured and connected by NSX.

Guido: This sounds great. Let's switch to the laptop and see how this works.

Mukesh: So we have here the UI for the preview version of NSX, and at this point we have a logical switch in NSX, call it the web HR logical switch. It has the web server and the HR server; it has three logical ports. It logged me out; you can see this is live.

Guido: By the way, this is the same logical switch you just saw on the slide: it has the HR system plugged in, it has the web server plugged in, and then it has the load balancer plugged in.

Mukesh: Yeah, as we can see, at this point we have three logical ports, for the on-prem web server, the on-prem HR server and the on-prem load balancer. And if we look at our web page, it's being served only by the on-prem web server; every time I refresh the page it's coming from the on-prem web server.

Guido: Okay, makes sense. That's all set up, so what can we do here?

Mukesh: So we go launch some instances in AWS. I go to the AWS console, and this is just the standard Amazon Web Services console, and I will launch additional instances using the web server AMI that I have in AWS. I'm going to pick extra-large instances that give me high network throughput. Fifty?

Guido: We needed 50, Martin said.

Mukesh: Let's go with 50 web server instances. I'm going to launch 50 web server instances on the subnets that we have in AWS, and the default storage that comes with these instances is good enough for us. I'm not tagging the instances at this time. Security is going to be managed by NSX.

Guido: Delegated, yeah.

Mukesh: So in AWS we just have a simple security group that I call "nsx delegated"; it's basically delegating security services to NSX. At this point I'm all set to launch my instances. I select a key pair I want to use with the instances. A couple of minutes and we should be all set.

Guido: Super. Can we switch back to the slides? So anybody who's ever used AWS should be very familiar with this console; it's just the normal workflow you go through when you deploy a new AMI, which is what they call their images. What we just saw is that Mukesh went to this console and deployed a number of virtual machines, and these virtual machines are basically standard AMIs, with one small difference: we added a little bit of code to them. Basically, when they start up they register with NSX. They also have a vSwitch on them that basically plugs them into the overlay network that we've previously created. This vSwitch works exactly like a vSwitch that you're used to for on-premise deployments, so it has the stateful firewall in it, all the routing, and in the future it will have all the load balancing, all the features that you're used to from NSX today. When this driver starts up, it basically checks in with NSX, and NSX via policy automatically maps it to the right virtual switch. So we don't have to do anything here; it just gets plugged into the virtual switch. The virtual switch we're mapping this to this time is the same virtual switch that we have defined before. So from a networking point of view all these instances in Amazon are running exactly as if they would run on premise: all the firewall rules still apply, all the routing still applies, the IP space is the same; it's like they're really plugged into the same switch, as if they were running on premise, and a nice
side effect of this is that they all still get a little balance we have our load balancers so we don't even have to change that configuration now it typically takes a couple of minutes for hours and instances to spin up how we're doing everything is like they're coming up all right it's the try can be switched back to the laptop so they are initializing let's go look at port count on the logical switch we should see it go up by 50 since 55 substances connected if this works we should see the port count on the virtual switch increase so I'm going to refresh the port count on the logical switch 30 36 all right so 33 instances are now plugged into the sebi switch this isn't get more 52 52 one last row 53 super all right that's great let's go test our webpage perfect because before I call back Martine tell them this is done let's make sure it works so if the first hit goes to the antrum web server and now so it's being load balanced across the unprimed web server and the AWS instance this is not sir from amazon from amazon and we have the internal IP of the Amazon instance that this one is being served back to dot 1062 dot 98 perfect but acidity yeah the public IP address it's still the same as before right the same public IP address I'm just refreshing the web page because it's all on the same virtual network via nsx that's fantastic so give me the one last check here part of what we're trying to do here is actually firewall off the HR system from the website can we make sure that the firewall is working yeah so I have here on firewall rule on the logical switch the first rule is to drop traffic from all sources to the on-prem HR serological port followed by a default rule that allows all other traffic on the logical switch let's go test if this works so in the left window i'm ssh into the online web server and i try pinging the on prem load balancer that works let's try pinging the on prime HR server that's being blocked by the NSF and in there on the right window 
I'm ssh into one of the AWS instances that just came up no in Amazon and from here I can ping the on prime web server that works i can ping the on prem load balancer obviously because our web page is being served through the load balancer 3 a.w.s instances and finally let me try the ignores us to be on prem HR server that's being blocked by the NSA firewall so so this is really the power here right there busily all the network configuration you set up for your on-premise network now automatically applies to all those instances that you power up in the public cloud on Amazon here right because at the end of the day all the networking old security is nsx you have exactly the same functionality and we can use all the functions so if you wanted to for example take a power output also networks firewall and insert it here right we can do this thank you for cash that was fantastic yeah can we go back to the slides so I started this by talking about virtual networking for virtual machines both closed source and open source line we then showed you how we can extend this with a preview of nsx to provide networking services for containers so if you are if your internal developers are starting to move to third generation apps we are ready and now we showed you how we will support public clouds of course we're going to support vCloud air our home cloud but the future expect us to support other clouds as well right if you're running an IT organization today you live in really interesting times there's a number of very discontinuous transitions that you have to manage through right you have the existing IT infrastructure that's running on premise your developers are playing around with next-generation technologies like containers and nsx will be with you for the journey you may go to public clouds we hope you come to vCloud air but we've heard from some of you they go into other public clouds and nsx will support that as well and then if you look to it Sanjay poonen the demo that 
he did in his keynote session he showed you how can use your end users for example running on virtual desktops and integrate them both nsx have them as endpoints and manage their security where you can define firewall rules for example based on your active directory entries right how we can are there first-class citizens so in this network of the future and then we also have vCloud air where you can take your mobile devices and suddenly make rules that are based on geography you know where are people accessing things from what kind of device or they accessing the data from and you can you can apply those so whatever the endpoint is NSX is there for you and like today and as X will provide you but the speed you need through automation so you don't have to configure this manually it'll provide you with the agility to change to the constantly upcoming a new request from all the application teams and your end users and we'll provide you with the security and the peace of mind that you're running a secure network and that you are in compliance with the catalog for compliance requirements that you have and that is the future of NSX thank you I say hook wait stop stop hold on another another call coming in at this time is Pat Gallagher their CEO of the Ember so let's see what that has to say hey Guido this is Pat that that application is just going crazy we know 500 additional servers distributed over all regions all secured by insects they have to be up and running in the next five minutes Thank by Pat ya know okay so now I'm really in trouble right this was Pat gowing the CEO of all of the Emperor and he said I need to get 500 web servers up and running on multiple continents on multiple public clouds and on-premise right all secured with NSX and I have five minutes to do that so how long do this if I'm trying to do this with the virtual machines on some like Amazon they just won't spin up fast enough and we've seen this if I want to do this is containers I don't have 
any any space on premise so the person's going to show me how to do this is jacob checkers Jacob please so it's actually pretty simple there's only one way we can do this and this is by combining everything we've seen today so we're going to take containers multiple public clouds and NSX and we're going to spin up 500 containers ready yep doing here we go so we just kicked off a scheduler that will spin up five here web servers running in containers across public and private infrastructure AWS Rackspace and our own private cloud across seven data centers three continents wow so so can get a little more detail how do we do that so we have container hosts and all these clouds yep across across three different continents on seven data centers and then we have a container scheduler that basically now this pre-allocated container holds just fires up these containers very very rapidly and as every container spins up just like the Amazon example it phones home to NSX and we then plug it in an nsx virtual switch that originally was just for on-premise so that all the networking settings for these containers are still the same that they were before so how we're doing pork out here so the pork count is going up you can see that the 37's d3 all right okay as the containers are being spun up on these different regions they're being wired by nsx so all the networking and all the security is still there with nsx okay and all the firewalling works just like it before so we need the audience help all right so want to make the slit an active so no one's here everybody in the room we need your help to actually test if this works and here's how it's going to work input of the oil yep 0 so now there's a ul a bit do / drop the mic so if you have like a cell phone or tablet or laptop can you please take that out and and browse to this URL and you should actually see a web page that will tell you which data center that you're in and we're going to make this a little more fun over there 
you know we have one with it with a t-shirt gun and if you go to a web server please shout out which were observer you're in and then he will sue the t-shirt in your general direction for the first person to find for it to find each each geography I hope dollars ahead palazzo oh we got to practice that one here the Northmen Virginia Australia over there so we're still missing one Hong Kong all right over here I think was it all you can tell we're doing this life here right that that part we need to practice for they're all right you can actually see on the map each huh every all right exactly it's just throw them here I think it's easier so you can see on the map here each and every location you know where there was a well there was a data center that you hit with one of your requests every dot is a request that that came from the audience here awesome Thank You Jacob that was fantastic and I got to keep my job because you know once i'm off stage I can call Pat and tell those 500 webservice they're all running across the world can we go yeah perfect um so here's here's a quick graphic so these are the data centers you know that we hit in this this exercise so that's really all I have to say you know I T is changing many different new types of endpoints on-premise VMs containers public clouds multiple public clouds mobile devices your desktop users and VDI desktops wherever you may go nsx will be there with you for the journey that's the future of nsx thank you
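The firewall policy exercised in the AWS demo (drop everything to the HR server's logical port, then a default allow on the logical switch) is a first-match rule list, and the point of the demo is that the same list decides traffic from an on-prem port and from a freshly registered AWS port alike. The following is an added example, not VMware or NSX code and not taken from the session; it models that rule set against constructed port names (web-onprem, hr-onprem, lb-onprem and two web-aws ports are assumptions) and adds two checks a practitioner would want before trusting such a policy: that no other port on the switch can still reach the isolated port, and that no rule is shadowed by an earlier, broader one (putting the default allow above the HR drop would silently undo the segmentation).

```python
from dataclasses import dataclass
from typing import List

ANY = "any"  # wildcard for source or destination


@dataclass(frozen=True)
class Rule:
    name: str
    src: str     # logical port name, or ANY
    dst: str     # logical port name, or ANY
    action: str  # "allow" or "drop"


# Constructed port names for the demo's web-HR logical switch (assumptions).
# AWS instances are plugged into the same switch when they register, so one
# port set and one rule list cover on-prem and cloud workloads alike.
PORTS = {"web-onprem", "hr-onprem", "lb-onprem", "web-aws-01", "web-aws-02"}

# The two rules from the demo: drop anything to the HR port, then allow the rest.
POLICY = [
    Rule("isolate-hr", ANY, "hr-onprem", "drop"),
    Rule("default-allow", ANY, ANY, "allow"),
]


def _matches(rule: Rule, src: str, dst: str) -> bool:
    return rule.src in (ANY, src) and rule.dst in (ANY, dst)


def evaluate(src: str, dst: str, policy: List[Rule] = POLICY) -> str:
    """First-match evaluation: the first rule covering the flow decides.

    Unknown ports are rejected; a flow no rule covers is dropped (implicit deny).
    """
    for port in (src, dst):
        if port not in PORTS:
            raise ValueError(f"unknown logical port: {port}")
    for rule in policy:
        if _matches(rule, src, dst):
            return rule.action
    return "drop"


def ports_reaching(dst: str, policy: List[Rule] = POLICY) -> List[str]:
    """Other ports on the switch that can still reach `dst` under the policy.

    For a port meant to be isolated (HR in the demo) this must be empty.
    """
    return sorted(p for p in PORTS if p != dst and evaluate(p, dst, policy) == "allow")


def shadowed_rules(policy: List[Rule]) -> List[str]:
    """Names of rules that can never fire because an earlier rule already
    covers every flow they match. Catches the reversed-order mistake where a
    default allow sits above a specific drop."""
    shadowed = []
    for i, later in enumerate(policy):
        for earlier in policy[:i]:
            if earlier.src in (ANY, later.src) and earlier.dst in (ANY, later.dst):
                shadowed.append(later.name)
                break
    return shadowed


if __name__ == "__main__":
    # The four pings from the demo: two from on-prem, two from an AWS instance.
    for src, dst in [("web-onprem", "lb-onprem"), ("web-onprem", "hr-onprem"),
                     ("web-aws-01", "web-onprem"), ("web-aws-01", "hr-onprem")]:
        print(f"{src} -> {dst}: {evaluate(src, dst)}")
    print("ports that can reach hr-onprem:", ports_reaching("hr-onprem"))
    print("shadowed rules:", shadowed_rules(POLICY))
    print("shadowed if reversed:", shadowed_rules(list(reversed(POLICY))))
```

The evaluator deliberately knows nothing about where a port lives; that is what makes the AWS pings come out the same as the on-prem ones. The `shadowed_rules` check is the ordering caveat: the demo's segmentation depends entirely on the drop rule sitting above the default allow.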

1 Comment

  • Bartłomiej K. says:

    Nice functionality, but what happens in case the VPN tunnel between on-prem and AWS is broken? Are the VMs still protected and is NSX network segmentation still working?

    Second thing is that in the real world, putting 2 network interfaces on a VM for web servers (which are probably placed in an EDMZ segment) is not best practice and from a security perspective it is mostly not allowed, and in the demo, as I saw, you used such a scenario.

    Is it possible to use NSX to filter traffic which is delivered to the public IP of web server instances when we are using one NIC?
