Well-Architected Design: Network Security Considerations
Introduction
VMware Cloud provides organizations the ultimate flexibility to deploy their applications wherever they choose, on the public cloud provider that best fits their needs, with consistent VMware Cloud infrastructure and operations.
VMware Cloud delivers a new cloud operations model with a more efficient and automated datacenter and hybrid operations that leverage the same tools, processes, skills, and teams across multiple public clouds and the edge. Organizations achieve consistent operations across any cloud with a more robust infrastructure to run their apps. It also allows you to operate your cloud securely and efficiently.
As part of the VMware Cloud SDDC stack, NSX enables organizations to implement a cloud smart network at scale with networking and security that facilitates consistent security policy, operations, and automation across multiple cloud environments.
Scope of the Document
The NSX Advanced Firewall provides advanced security features such as distributed and centralized ransomware protection, centralized IDS/IPS, URL filtering, extensive next-generation firewall app identification, and identity firewall. This document will focus on NSX security considerations, providing a consistent foundation for VMware Cloud on public cloud SDDCs and enabling organizations to expand on it by leveraging NSX's advanced firewall capabilities.
Considerations for NSX Security
VMware Cloud enables organizations to increase agility and efficiency so they remain competitive and grow faster. However, as an organization scales, an enterprise-scale NSX implementation on VMware Cloud requires the customer to deploy and operate hybrid and multi-cloud environments more securely while simplifying operations.
The following sections will focus on the essential considerations for organizations to build and deploy their applications anywhere on VMware Cloud while maintaining consistent operations with standardized automation and enabling robust governance across all environments.
Network Automation
As organizations' scope and speed increase, automating VMware Cloud networking and security ensures that services and apps are developed and delivered at the speed of business. By removing manual, error-prone network provisioning tasks through automation, the speed of application deployment substantially increases. Automation not only saves time and heavy lifting with repetitive manual configuration, but it also decreases security risk.
NSX Policy API Framework
The NSX Policy API framework is a declarative API: the caller describes the desired outcome for NSX security policy, and a single API call creates the multiple NSX networking and security objects an application deployment needs. Organizations that use automation frameworks and CMP plugins can leverage the NSX API for network automation. The following are some of the main benefits of a declarative API framework:
Benefits | Description |
Outcome driven | Reduces the number of configuration steps by allowing a user to describe desired end goal (the "what") and letting the system figure out "how" to achieve it, which enables users to utilize user-specified names, not system-generated IDs |
Order Independent | Create/update/delete in any order and always arrive at the same consistent result |
Prescriptive | Reduces potential for user error with built-in dependency checks |
Policy Life Cycle Management | Simpler with a single API call. Toggle the marked_for_delete flag in the JSON request body to manage the life cycle of the entire application topology. |
Simplified and Performant Scripting | Because there is no need to iterate through arrays, this simplifies the scripting and troubleshooting. |
NSX Policy API Example
This section builds a complete example topology using the Policy API model. It shows how the Policy API lets the user create a reusable code template for deploying the 3-tier application shown in the figure, including the networking, security, and services the application needs.
Figure 1 - Typical 3-tier Topology
The above topology consists of an existing Tier-0 gateway that provides North-South connectivity. The three segments (Web, App, and DB) connect to the Tier-1 Gateway. There are DFW rules specified on each Segment Port to fulfill the need for micro-segmentation to provide a zero-trust security model. DFW rules use Dynamic Groups to group VMs with similar tags.
The desired outcome for deploying the application can be defined using JSON. Once the JSON request body is defined to reflect the desired outcome, then it can be leveraged to automate the following operational workflows:
- Deploy the entire topology with a single API and JSON request body.
- The same API/JSON can be leveraged to templatize and reuse to deploy the same application in different environments (dev, test, staging, and production pods).
- Handle life cycle management of the entire application topology by toggling the "marked_for_delete" flag in the JSON body to true or false.
    PATCH /policy/api/v1/infra/
    {
      "resource_type": "infra",
      "children": [
        {
          "resource_type": "ChildTier1",
          "Tier1": {
            ... Define Tier-1 Gateway object parameters ...
            "children": [
              { ... Define Segment WEB as child Segment object ... },
              { ... Define Segment APP as child Segment object ... },
              { ... Define Segment DB as child Segment object ... }
            ]
          }
        },
        {
          "resource_type": "ChildDomain",
          "Domain": {
            "id": "default",
            "resource_type": "Domain",
            "children": [
              { ... Define GROUP WEB VM as ChildGroup object ... },
              { ... Define GROUP APP VM as ChildGroup object ... },
              { ... Define GROUP DB VM as ChildGroup object ... },
              { ... Define Security Policy as ChildSecurityPolicy object ... }
            ]
          }
        }
      ]
    }
NSX Policy APIs give an order-independent method to define the intent of the entire topology in just one API call, making operations very easy. Please refer to the NSX Policy API Getting Started Guide for detailed API samples in this example workflow.
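The following Python is an added example, not code from this document or from VMware: it builds the 3-tier topology above as one hierarchical Policy API body (Tier-1 with three child Segments, a Domain with three tag-based Groups and a SecurityPolicy), toggles marked_for_delete on every child object for life cycle management, and checks that every group path a rule references is actually defined in the same body. The Tier-0 path, CIDRs, VM tags, group and rule IDs, and the default service paths are constructed assumptions; nothing is sent to an NSX Manager.

```python
"""Added example: a 3-tier app as a single NSX Policy API PATCH body.
Tier-0 path, CIDRs, tags, IDs and service paths are constructed assumptions."""
import copy
import json

DOMAIN = "default"
TIER0_PATH = "/infra/tier-0s/vmc-t0"   # assumed path of the existing Tier-0 gateway
TIER1_ID = "app-t1"
# tier -> (gateway CIDR of its segment, VM tag selecting its members)   [constructed]
TIERS = {"web": ("10.10.1.1/24", "tier-web"),
         "app": ("10.10.2.1/24", "tier-app"),
         "db": ("10.10.3.1/24", "tier-db")}
# assumed default NSX service paths used by the rules
SVC_HTTPS, SVC_HTTP, SVC_MYSQL = ("/infra/services/HTTPS",
                                  "/infra/services/HTTP", "/infra/services/MySQL")


def group_path(tier):
    return f"/infra/domains/{DOMAIN}/groups/{tier}-vms"


def child_segment(tier, gateway_cidr):
    # Nesting the segment under ChildTier1 attaches it to that gateway.
    return {"resource_type": "ChildSegment",
            "Segment": {"resource_type": "Segment", "id": f"{tier}-seg",
                        "display_name": f"{tier}-seg",
                        "subnets": [{"gateway_address": gateway_cidr}]}}


def child_group(tier, tag):
    # Dynamic group: membership follows the VM tag, not a static IP list.
    return {"resource_type": "ChildGroup",
            "Group": {"resource_type": "Group", "id": f"{tier}-vms",
                      "display_name": f"{tier}-vms",
                      "expression": [{"resource_type": "Condition",
                                      "member_type": "VirtualMachine", "key": "Tag",
                                      "operator": "EQUALS", "value": tag}]}}


def child_rule(seq, rule_id, src, dst, services, scope, action="ALLOW"):
    # "scope" is the Applied-To field, so the rule lands only on the tiers' ports.
    return {"resource_type": "ChildRule",
            "Rule": {"resource_type": "Rule", "id": rule_id, "display_name": rule_id,
                     "sequence_number": seq, "source_groups": src,
                     "destination_groups": dst, "services": services,
                     "scope": scope, "action": action}}


def build_three_tier_body():
    """Whole topology as one declarative body for PATCH /policy/api/v1/infra."""
    web, app, db = (group_path(t) for t in ("web", "app", "db"))
    rules = [
        child_rule(10, "any-to-web", ["ANY"], [web], [SVC_HTTPS], [web]),
        child_rule(20, "web-to-app", [web], [app], [SVC_HTTP], [web, app]),
        child_rule(30, "app-to-db", [app], [db], [SVC_MYSQL], [app, db]),
        # zero-trust default for the three tiers: everything else is dropped
        child_rule(1000, "tier-default-deny", ["ANY"], ["ANY"], ["ANY"],
                   [web, app, db], "DROP"),
    ]
    tier1 = {"resource_type": "ChildTier1",
             "Tier1": {"resource_type": "Tier1", "id": TIER1_ID, "display_name": TIER1_ID,
                       "tier0_path": TIER0_PATH,
                       "children": [child_segment(t, c) for t, (c, _) in TIERS.items()]}}
    policy = {"resource_type": "ChildSecurityPolicy",
              "SecurityPolicy": {"resource_type": "SecurityPolicy",
                                 "id": "three-tier-policy",
                                 "display_name": "three-tier-policy",
                                 "category": "Application", "children": rules}}
    domain = {"resource_type": "ChildDomain",
              "Domain": {"resource_type": "Domain", "id": DOMAIN,
                         "children": [child_group(t, g) for t, (_, g) in TIERS.items()]
                         + [policy]}}
    # The root object is "Infra" (capitalised) in the NSX Policy API schema.
    return {"resource_type": "Infra", "children": [tier1, domain]}


def _walk(node, visit):
    if isinstance(node, dict):
        visit(node)
        for v in node.values():
            _walk(v, visit)
    elif isinstance(node, list):
        for v in node:
            _walk(v, visit)


def set_marked_for_delete(body, flag):
    """Copy of body with marked_for_delete set on every Child* wrapper:
    the same template then tears down (True) or re-creates (False) the app."""
    out = copy.deepcopy(body)

    def mark(n):
        if str(n.get("resource_type", "")).startswith("Child"):
            n["marked_for_delete"] = flag
    _walk(out, mark)
    return out


def dangling_group_refs(body):
    """Group paths rules reference but the body never defines, e.g. after a
    template edit renamed a group without updating the rules using it."""
    defined, referenced = set(), set()

    def check(n):
        rt = n.get("resource_type")
        if rt == "Group":
            defined.add(f"/infra/domains/{DOMAIN}/groups/{n['id']}")
        elif rt == "Rule":
            for key in ("source_groups", "destination_groups", "scope"):
                referenced.update(p for p in n.get(key, []) if p.startswith("/infra/domains/"))
    _walk(body, check)
    return sorted(referenced - defined)


def render_request(body):
    """(method, path, json) ready for any HTTP client talking to the NSX Manager."""
    return "PATCH", "/policy/api/v1/infra", json.dumps(body, indent=2)


if __name__ == "__main__":
    topology = build_three_tier_body()
    assert not dangling_group_refs(topology), dangling_group_refs(topology)
    print(render_request(topology)[2])
```

Running the script prints the JSON body; the same body with set_marked_for_delete(body, True) retires the whole application in one call, and dangling_group_refs is the check worth running in CI before either PATCH, since a rule whose group path resolves to nothing is an empty match rather than a rejected request.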
Modern Automation Frameworks for NSX
NSX is extensible with all major automation frameworks, including PowerCLI, Ansible, and Terraform. As a result, you can deliver infrastructure as code and enable self-service environments for developers and others. This change helps increase automation efficiency across the organization. NSX also supports creating automation tools using standard programming languages through SDKs.
This section describes the various tools available for NSX and provides an overview of those tools, such as SDKs, PowerCLI, Ansible, and Terraform with NSX.
Figure 2 - NSX Automation Frameworks
Tools | Description |
SDKs | Open-source SDKs for Python and Java are consumed like any other Python or Java library. You first connect to the NSX Manager and then invoke the required method to perform NSX automation. The SDKs are generated from the API specification, so a new or changed API is reflected in them automatically. |
NSX Ansible modules | The NSX Ansible module is a fully open-sourced tool, and you can use these modules to create complete end-to-end automation and deploy a fully functional production–ready NSX environment. |
NSX Terraform provider | The NSX Terraform provider is an infrastructure provisioning tool for the practice that has become synonymous with "Infrastructure as Code (IaC)": managing the entire infrastructure lifecycle, including provisioning the SDDC, NSX networking, and security, such as setting up distributed firewall rules. |
NSX PowerCLI | VMware PowerCLI provides a command-line scripting tool for interacting with NSX utilizing Windows PowerShell. NSX PowerCLI works similarly to Java or Python SDK. You first make a connection and then interact with the NSX objects. |
VMware Aria Automation | VMware Aria Automation is a modern infrastructure automation platform for rapidly implementing self-service VMware cloud environments. It offers an easy, fast setup and integrates with other automation frameworks such as Terraform and Ansible, with centralized governance policies for better insight and control. |
Please refer to VMware Developer centers to find Developer and DevOps Resources for APIs, SDKs, docs, code samples, tools, workshops, and other resources for VMware Cloud products and platforms.
VMware Aria Automation
This section explains the use cases and benefits of the VMware Aria Automation solution. It provides a low-code graphical interface that is easy to learn and leverages existing skillsets, enabling organizations to ramp up their Infrastructure as Code skills.
The VMware network automation solution automates NSX with VMware Aria Automation to manage the provisioning, deployment, operations, and retirement of networking and security infrastructure and applications from a central control plane.
Figure 3 - Rapid and repeatable deployments with automated NSX networking and security.
As the scope and pace of organizations continue to grow and accelerate, the manual management of network configurations and security policies becomes increasingly expensive and error-prone, which can introduce significant security and operational risks.
The table below summarizes the key use cases and benefits of utilizing VMware Aria Automation to accelerate application rollout with enhanced networking and security services.
Use Case | Description |
Self-service automation and centralized governance | |
Cloud Landing Zones Automation | |
Infrastructure as code and Kubernetes automation | |
The table below summarizes the key differentiating capabilities of automating NSX with VMware Aria Automation.
Key Differentiators | Description |
VMware Cloud Templates and Landing Zones | |
Security automation | |
Extensible framework and fine-grained governance | |
DevOps for infrastructure and application lifecycle | |
By leveraging the VMware network automation solution, organizations gain business agility, consistent infrastructure, and consistent operations, enabling faster delivery of applications while reducing CapEx and OpEx.
With VMware NSX automation, organizations can establish consistent networking and security services across application environments on VMware Clouds, helping speed infrastructure and application provisioning from weeks to minutes while ensuring standardized environments and avoiding configuration drift.
Network Visibility
As organizations scale infrastructure and application deployments across VMware cloud environments, the volume of machine-generated data grows tremendously. Because of the cloud traffic behavior across multiple deployment zones, analyzing and extracting actionable insights from the data at scale can be challenging.
The table below summarizes the typical challenges of enterprise-scale organizations for unified visibility across VMware Cloud SDDCs.
Design Consideration | Design Justification | Design Implication |
Log visibility and analytics | | |
Network visibility and analytics | | |
The following section explains the use cases and benefits of the VMware Aria Operations for Logs and Networks solution, which enables organizations to monitor, discover and analyze networks and applications to build an optimized, highly available, and secure network infrastructure across VMware Clouds.
VMware Aria Operations for Logs
VMware Aria Operations for Logs, the modern log management and analysis solution in the VMware Aria Multi-Cloud Management portfolio, manages data at scale with centralized log management, deep operational visibility, and intelligent analytics for troubleshooting and auditing across VMware Clouds and multi-cloud environments. It addresses unstructured log data through predictive analytics, machine learning, and root-cause analysis techniques for intelligent log management and faster problem resolution.
Figure 4 - End-to-end Centralized Log Management at Scale
The table below summarizes the key use cases and benefits of utilizing VMware Aria Operations for Logs, providing unified visibility into VMware Cloud's NSX networks and security packet logs.
Use Cases | Benefits |
| VMware Aria Operations for Logs provides audit logs and alerts when a NAT rule is created, changed, or deleted in a VMware Cloud SDDC. |
VMware Aria Operations for Networks
VMware Aria Operations for Networks delivers intelligent operations for cloud networking and security. It helps organizations build an optimized, highly available, secure network infrastructure across VMware Cloud environments. It accelerates micro-segmentation planning and deployment, enables visibility across virtual and physical networks, and provides operational views to manage and scale VMware NSX deployments.
Figure 5 - VMware Aria Operations for Networks provides security planning and visibility across the virtual cloud networks.
Many network administrators face a visibility gap between the virtual and physical network when managing, troubleshooting, and securing the network at scale across VMware Cloud deployments. Those challenges require a simple, easy-to-use, end-to-end management tool that can troubleshoot NSX and VMware Cloud deployments and check them against best practices.
The table below summarizes the key use cases and benefits of utilizing VMware Aria Operations for Networks, providing unified visibility across VMware hybrid and multi-cloud environments.
Design Consideration | Description |
Manage and scale NSX | |
Optimize and troubleshoot virtual and physical networks | |
Plan application security and migration | |
The table below summarizes the key differentiating capabilities of intelligent network and application monitoring with VMware Aria Operations for Networks.
Design Consideration | Design Justification |
Niche and legacy network management tools do not provide converged visibility across virtual and physical networks to optimize performance. | |
Monitoring east-west data flows with traditional tools is challenging and time-consuming because it relies on manual processes. | |
Traditional network performance and security management practices force network professionals to scramble when troubleshooting and finding the root cause. Too much time goes into reactive troubleshooting, with no proactive identification of network performance issues and poor visibility into performance across the network; teams still rely on manual checks such as traceroutes, pings, and opening up browsers. | |
By leveraging the VMware Aria Operations for Logs and Networks solution, organizations accelerate application discovery, migration, network segmentation planning, and deployment; enable visibility across virtual and physical networks; and provide operational views to manage and scale NSX and VMware Cloud deployments.
With VMware Aria Operations for Logs and Networks, organizations benefit from optimized, highly available, and secure network infrastructure across VMware multi-cloud environments, simplifying cloud adoption and eliminating all the complexities that come with it.