Hi, folks. My name is Sachin Thakkar. I'm one of the engineering leads here at the Networking and Security Business Unit at VMware. Today, we're going to talk about virtualizing advanced networking and security services. I want to just do a quick apology from us, from the OpenStack team. We actually had a bit of a technical glitch, so we're doing a re-record here for the summit that was in Portland a couple of weeks ago. I want to touch on the agenda we're going to cover here in this talk. Specifically, I want to set the expectation of what we're going to talk about with network virtualization, advanced networking and security services virtualization, and some of the trends we're seeing in the data center today. Let's jump right into it. What do we see in data center design patterns out in the industry today? Well, we're seeing this trend towards fast, flat, fat L2 networks. We have larger L2s. We have leaf-and-spine networks. We have L3 to the rack. The reason for this is actually to decouple the physical, infrastructural network changes from what an operational admin would need to do on a day-to-day basis as VM workloads spin up and spin down in their data center. This is kind of a blend of the traditional networking and security views with some of the new, advanced, revolutionary virtualized views that are coming in at the kind of cutting edge of the data center world today. One thing that is helping embrace this is the x86 revolution. Now, everything nowadays is x86, whether you look at your firewalls or your big fast servers. We have these converged infrastructure units, these Vblock-like pods, which are ultra-powerful, high-capacity, high-consolidation-ratio boxes that can host thousands of VMs. What we're seeing now is build-outs of data centers that go to the hundreds of thousands of VMs. What we need for this is the ability to actually scale up and scale down the network in a power-efficient, operationally friendly mode.
This brings us to what we want to do with network virtualization and advanced security and network service virtualization. The new trends in the industry today are for overlay networks, and whether that's with the NVP solution or with other existing solutions out there, you have your VXLAN, your STT and other overlay networks that are truly going to let you adopt and benefit from the whole software-defined data center vision that everyone's trying to achieve. Now, why are we trying to do this? We're doing this for a couple of reasons. We're trying to decouple the physical operational and change management from a virtualization need. When a tenant is requesting a VM or a three-tier application, for example, they don't need to call up their infrastructure admins and request changes. They can merely go ahead and click a button, and within a matter of minutes they have all the changes they need, whether that's a load balancer, whether that's a firewall, a private L2, or an added network. All of this is fully accomplishable with network virtualization. This also lets us scale up the number of networks. We're no longer tethered to legacy VLAN limitations, and we're able to embrace some of the L4 through L7 services, which were typically and primarily only available at your end-of-row rack, for example, in past data center architectures. In this talk we're specifically going to be focusing on L4 through 7 virtualization, but I wanted to walk through a couple of use cases to put that in context before we get into it. What are the problems in the enterprise data center today? Typically, you'll have an on-site data center, which is going to consist of maybe some storage, some compute, some physical gear inside your fabric, and maybe then on top of that you're going to have tenants, and tenants are going to come in from the outside world.
You're going to have some VMs in a DMZ, you may have a virtualized desktop environment, and then you may have remote users connecting in via VPNs, remote sites, or perhaps their home network connections. We need to be able to adopt all of these, but they need to be adopted into the data center architectures in a secure fashion. The DMZ must remain a DMZ. The PCI-compliant zone must remain a PCI-compliant zone, regardless of whether the infrastructure is virtualized or not. That's typically why we need to actually embrace this entire software-defined data center vision, to actually accomplish this. In your traditional data center, you may have things that are plumbed on the physical infrastructure, whether that's VLANs, ACLs, or firewall rules. Maybe you have an IDS/IPS box that you need to configure, and some antivirus agents. Now, when you virtualize, none of this can change, because these are kind of the baseline requirements for your application workloads. When we actually burst out to remote sites or external clouds, we need to keep the same logistics true. We need to make sure we have our DMZ firewalls. We need to make sure we have any intrusion detection that we need. We have NAT and user VPNs. All of this must remain. What is actually happening in the physical world is that we're making this very complicated. It's fragmented, manual, and it's requiring many admins to kind of touch different pieces of the equation to get the desired result. This is making something that should take minutes take hours, days, weeks, and we want to bring that back down so that it can truly be at the click of a button. It goes and configures exactly what you need, whether that's a VPN or firewall, your application workload, your actual VM. You get it all at the click of a button. Let's dive a little bit deeper, and we'll actually take a specific use case: your traditional multi-tier application.
You have your web, app and back-end tiers, and you are actually trying to silo these. The challenge here is that this is your predominant use case, and it blurs a lot of these boundaries. You have your firewalls, you have your load balancers, you have your top-of-rack switch, which has some VLANs, some L2s provisioned, and then you have the application workloads. So now you're dealing with your network admin, your security admin, your server admin doing some of the compute, and then you're dealing with specific tenants. Now, as you scale up to thousands and hundreds of thousands of VMs, this is going to be untenable if you're actually trying to have manual intervention for each of these VM workloads spinning up and spinning down. And additionally, we had to make sure it's not tightly coupled. So the problem with this architecture, where it's manually plumbed, is that it's very tightly coupled to the hardware, and it's not mobile within the infrastructure. Now, I should be able to kind of forklift this three-tier app and drop it in another data center, perhaps in a vendor location or another rack in my data center, and it should work seamlessly without any reconfiguration required. And so this is what we're trying to achieve. So in this typical use case, you would actually need someone to go configure the front-end load balancer, you need to go configure the firewalls, plumb the VLAN at your top of rack, perhaps actually add ACLs, etc. This is all very manual. And so this is what we're trying to solve here. So, diving right into it, we're trying to take a three-pronged approach at VMware to solve this messy situation. The first you've heard about, and I'm not going to focus on it too much, is network virtualization. I'll touch upon just a brief overview of what that's trying to accomplish, and that's decoupling the physical infrastructure from the overlay networks, from your actual L2s, and being able to provision these dynamically on the fly.
So this is embracing virtualization in a couple of ways, mainly because what we've seen as a trend in data centers today is a huge port sprawl. We have instant app stand-up requirements, and we have VM mobility requirements, because when you have, let's say, a dynamically clustered web application, you need to make sure that, let's say on Black Friday, when your workload and your scale are going to explode, these VMs are able to scale up to your requirements without actually requiring physical provisioning in your infrastructure. Now, what are some of the shortcomings that are out there today which are leading to the case for network virtualization? Well, you know, there are static VLANs that are tied to the fabric, and each of these directly impacts, let's say, your IP addressing or your subnetting in your VMs. That makes IP address management kind of undoable from an automation perspective. Now, similarly, VM placement and mobility are crimped by exactly this problem. And there are unnecessary network detours. Now, when I have one VM that's sitting right next to another VM physically in my data center, I shouldn't have to loop it through an end-of-row device in my data center infrastructure just to make sure it's firewalled. I should be able to do this at a micro-segmented level to make sure that all of my applications' use cases are met without having to take on extra latency or have manual provisioning requirements. So that brings us to our next case, for services specifically. Now, the first one I'm going to focus on is firewall virtualization. Now, traditionally, when you crack open a physical firewall, what are you going to find in there? You're going to find an x86 processor; perhaps there are some offloads for, you know, specific security and encryption. But other than that, it's an x86 processor that's doing some kind of firewall workload.
Now, firewalls are very important, specifically in your data center, because you need to have a stateful nature. You need to make sure that you have those compensating controls for, let's say, your PCI compliance or your DSS requirements. Now, one of the trends for firewall virtualization is, again, as we saw for network virtualization, you have a port explosion. Now, as you have several ports, you need to make sure that the data center is crimped to a degree where tenants are not stepping on one another, and there's no malicious activity going on. Now, one of the other big use cases is to actually group these VMs into segments, and actually having these grouping objects makes firewall management, you know, easy. One of the big things that firewalls do out there today is make sure that they have solid central management. And what the central management lets us achieve is to make sure that when an admin is trying to make a change, they are doing that within the context of all the other firewall rules out there. And so actually having these group objects lets us do that by making sure that specific applications are grouped together or specific tenants are grouped together, and you know that when you make a change, you're affecting a specific set of applications, a specific set of tenants, etc. Now, some of the shortcomings that are out there today: typically for firewall management, it's very static. You have your IP sets, you have your MAC sets, and what that yields is rule sprawl. When you make a change, you're afraid to actually remove an old rule, simply because you don't know who else would be impacted. So one of the benefits of firewall virtualization is you can, say, attach a firewall rule to a specific set of VMs, a vApp, what have you. And what will happen is it'll be associated with that vApp for that vApp's lifecycle. When the vApp is deleted, you are guaranteed that that firewall rule is no longer relevant.
You can delete it without any worry, you can make sure your firewall remains performant, and you're not affecting others in your virtualized data center. Now, the other thing is we want to make sure we don't have to hairpin any of the traffic to our end-of-row appliances, because what that's going to do is set up choke points in our data center. Now, that's obviously going to be poor for latency and those kinds of use cases. We also want to make sure that we have the flexibility in the physical fabric to enable some of these features without having to make sure we have physical connectivity or a specific type of firewall at the end of our row. And finally, we have perimeter service virtualization. So perimeter service virtualization is some of your kind of concentrator services, whether that's a VPN, whether that's a load balancer. These services are going to allow us to provide flexibility and fit the real use cases for application workloads. So let's say we have a web application again. If we need to put a web load balancer in front of it and actually cluster this web application for performance, for scale-out, it lets us do that. Now, this kind of goes hand in hand with the firewall virtualization, simply because in your three-tier application, as we saw in the traditional use case a couple of slides back, we actually have the use case for not only network virtualization, creating an L2, but actually creating some NAT rules and load balancers, some firewall rules, specifically in the context of an application. When that application is deleted, or is wiped out, or is no longer needed, all of these services are also naturally no longer needed. And when an application comes up, we'd want to spin this up in a matter of minutes without having to call our security guy or network guy, etc.
So, kind of traditionally, what we're trying to do with network virtualization is take the physical IP network, make sure that we're operating specifically over L3, decouple us from that, and have specific L2s for any set of VMs that are required. This is kind of the next logical step at the frontier of the next virtualization wave, and that is what we're calling network and advanced security services virtualization. And what that lets us do is pull into these applications our load balancers, our firewalls, our VPNs, etc., to kind of group them with the switching constructs, the L2s that we've already virtualized. Now let's focus a little bit more specifically on virtual perimeter services and something here at VMware we're calling Moore's law networking. Now, as I mentioned earlier, there's an x86 revolution. You have these big, powerful racks that are out there that are providing unlimited compute power. And what we are thinking is, well, if we have this compute power, and we're looking at typical workloads, they're typically memory bound. CPU is typically not an issue. So if we can cycle-steal from these workloads, we get better kind of throughput and performance on these workloads. We're utilizing our hardware more, we're saving power, and we're actually able to have custom use cases for our application workloads. Now, in a recent IDG study we've seen that 65% of servers are refreshed every 12 to 24 months. And as I mentioned earlier, any of your physical firewalls out there, if you crack them open, they're going to be x86 based. So the Moore's law of networking really is saying: as there's an x86 revolution and you change your servers every one to two years, you can actually upgrade your servers, and your network and your network services will go faster.
Your firewalls will go faster if they're virtualized on this physical hardware, which is upgraded at a rate that's much greater than that of your physical firewalls out there, because those are typically going to be on, you know, a four-year refresh cycle or a couple-year refresh cycle, whereas this way it's actually coupled with your compute. You get faster compute, you get faster networks. Now, what we're doing here is we've actually done a few tests out there with some of the products that we have in the suite today, and what we're doing is actually folding together some of the services that we've acquired through the Nicira acquisition, with NVP, with distributed L3, etc., and we're folding in some of the VMware networking services that were available in the portfolio before and forming our networking and security group. Now, within this we're able to provide, you know, a VMware implementation for a virtualized distributed stateful firewall, a load balancer, security services, VPNs, and kind of that's where we're starting, and we're starting with integration in Quantum through OpenStack to actually plumb each of these services into the full stack. And right after these few slides I'll touch upon firewalls and load balancers and we'll dive into a demo, and that's where I want to focus a lot of the presentation today.
Now, before we get there, I want to show some quick kind of checks of what we were getting in performance. So the typical worry when you're virtualizing these services is that, well, you know, it could never be as performant as my physical firewall, as my physical load balancer. But that's simply not true, just because when you have an application which is going to be maybe five VMs, maybe 20 VMs, you can actually scale up your load balancer, your firewall to cater to the five-VM or the 20-VM capacity. You don't necessarily need to hit everything with a hammer, and I think that's the beauty of the solution, where you can say, well, I need something that's going to have throughput X. Well, you can define your application so that you get throughput X, and you're guaranteed that you're not wasting any resources there, and similarly you can scale that up. So with the VMware networking family we actually had, in the last release, a few flavors, if you want to call them that: a compact, a medium, a large and an extra large size of the Edge services load balancer and the Edge services firewall, and what this was letting us do is actually provide connections based on an application workload.

Now, diving specifically a little bit deeper into the advanced services: what we've been doing with OpenStack specifically at VMware is trying to drive some of these advanced services, which we are seeing as P0 requirements in the next level of the software-defined data center. So in the Grizzly release we worked with some of our partners out there, PayPal, eBay, F5, many of the other load balancer vendors, and we came up with Load Balancer as a Service. And so the main thing we're trying to do at VMware is make sure all of the integrated L4 through 7 services are available through Quantum first and foremost, and also through a VMware plugin. So we did that with load balancer in Grizzly. Those APIs are out there; I'd encourage you guys to check them out. And we're actually targeting both firewall and VPN in Havana. So if you are actually attending the Havana design summit you may have heard some of this buzz, and in fact we've made significant progress in the last few weeks, and I would encourage you to actually check out these APIs as well, as they're under implementation for Havana, if your use case actually desires these services. Now, the other thing that we are actually trying to do is make sure that we have routing, logical network gateways, etc. in the stack, and some of these are provided through NVP today, through the NVP gateway, through, you know, our distributed L3, etc., and we want to make sure that when we couple all of these together you get the full portfolio.

Now, another thing we're doing at VMware is additionally making sure that we have a fully extensible platform for all of our third-party network services. So through the VMware Ready for Networking and Security program, what we've done is partnered with several of the leading vendors out there, the Ciscos, the F5s, the Riverbeds and many more, and we're partnering to make sure that if you integrate with the VMware API you can slot in your VMware load balancer, or you can slot in an F5 load balancer, or you can slot in, you know, any of these switching solutions from those with whom we're partnered, and there are a number of partners, but we want to make sure that the platform remains fully extensible to any third party. And this kind of speaks to the beauty and the power of the solution: that, you know, when you're integrating with your APIs or with Quantum out there, you can be guaranteed that if you change your vendor in your next hardware refresh, or your next software virtualized services require a refresh, none of your applications, none of your automations, none of your scripting on top of it is actually going to break. And what that's going to let you do is guarantee that SLA of, you know, minutes of performance, minutes of uptime, etc., to make sure that you have your dynamic services, you meet your use cases, but you're still providing your tenants with the services they desire.

So let's dive a little bit more specifically into the virtual load balancer service. So VMware has a load balancer out there; it's been shipping for several releases, and we've actually plumbed that into the Quantum stack. It's available, and actually, if you were able to attend one of the demonstrations at our booth, you would have seen the load balancer, and I'll show a quick preview of that in just a minute as well. So we have support for multiple virtual IPs, we have separate server pool configurations; it's like your typical load balancer. So when you are looking at the load balancer API or the load balancer UIs, you would see what you would see on any other, you know, state-of-the-art load balancer out there. You know, we have your traditional load balancing algorithms, we support many protocols, we have, you know, good performance: I would say 550k concurrent connections and six gig throughput is sufficient for most application workloads out there today. And we'll see a demo of this specific VMware load balancer implementation in a few slides when I jump into the demonstration here.

And the next thing here is the virtual firewall services. So here's a typical use case: you know, you have your cloud, you have the internet backbone, you have your perimeter firewall, right? So there are two types of firewalls out there. You have your perimeter firewall, which is kind of your choke point, and then you have the distributed firewall to micro-segment within a specific network, and at VMware we want to make sure that firewall management is uniform, but we can fit in either use case. So we have some L2s that we build out, we have a few VMs, and we have a logical router. Now, within the context of that logical router we're actually going to micro-segment on a specific L2 network and provide, perhaps, load balancing services. So this is that instance of a multi-tier application that we saw earlier in the presentation, actually embodied in a fully virtual form factor. So we have our perimeter firewall, and we have our distributed stateful firewall at the vNIC, and we have a load balancer providing services, and what this lets us do is make sure that our DMZ and our PCI zones give us the compensating controls there and integrate fully with OpenStack, or fully with Quantum today.

So without much further ado, I want to jump into the demo, and what I'll highlight is: in the demo we're actually using the load balancer that we worked on the APIs for in Grizzly, and then firewall and VPN are kind of at the bleeding edge; we're still undergoing some design discussions with our peers in the design summit. So the firewall and VPN are all operating through Quantum, but those APIs are somewhat of a preview version; they may change a little bit, but mostly the concept remains the same. So let's take a quick look here at our demo topology. We have an external web client and we have our OpenStack cloud. Now, within the OpenStack cloud we have a couple of different hypervisor nodes: we have ESX and KVM, and if you were able to attend Scott Lowe's presentation at the summit as well, you would have seen that VMware is actually supporting the ESX hypervisor natively in the Grizzly release itself, and that's what we're leveraging here, but I'm not going to focus too much on that. So we have multi-hypervisor within our OpenStack cloud, and we have a couple of networks: we have an external network, which is going to be accessed by our web client, and we have an internal network, which is hosting a couple of web server VMs, and then we have our services container, which is actually going to be providing firewall and load balancer services and eventually VPN services. So let's say our use case is we're building out this application, and we have some web workloads which we want to show on this, that this client needs to access. So the client's going to connect to the external network, and what we're going to do is actually set up this topology.

So I have a video here, and we're actually going to create the logical networks and the logical router through the Quantum API. So in this demo here, first we're actually going to go ahead and create that services gateway; we're having an advanced services router, which we created, and that router is going to be providing these services, and we're actually going to set up the subnets as we showed in our demo topology. So now that the router is created (that was all created by a script through the Quantum API), we have a UUID that's returned, and we're going to leverage that. We go to our demo topology here and we see we have these three networks that are created. You can't see it maybe too well, but there are a couple of different subnets there, and we'll see that each of the subnets, the outside, the private and the inside, as we called them in this demo pod here, are created on different subnets and are active in our network, and we're looking at this through the Horizon UI here. Now, the next thing we're going to do is spin up our worker VMs, spin up our web servers. So that's again going to be driven through, you know, your typical OpenStack scripts, and we're going to launch what we're calling the test bed here. So we're going to go ahead, create your logical port, create the logical router, and it's going to plumb up all of this configuration, and this is being driven through Open vSwitch, through NVP in the back end. And we can go ahead to our instances tab in Horizon again, and we see that, well, our three VMs were spun up, and we have our network topology view in Horizon that's going to show us here that we have these VMs; we have a couple of VMs, as was shown in the earlier topology in a slightly different view, that are on the internal network, and we have our web client VM on the external, client-facing network. Now, the next step is actually for us to connect these VMs to the network through NVP. So we go ahead and do that; we're seeing the NVP manager UI here, and we see our logical ports are fully in an up state and we have our topology kind of ready to go; we have a few switch ports that are enabled and ready to use.

Now, here's the interesting part. We're going to dive into the services now that our topology is configured. So the first step is, on that advanced services router, we're going to go ahead and configure a load balancer; we're going to configure a few pool nodes for those web server VMs, and we're going to configure the VIP on the services router that the clients can access. So again, that's as simple as running a script to hit the Quantum API, or potentially you can build a UI around this, and I think actually, for load balancer, a few folks in the community were able to build a UI in Horizon in Grizzly for Load Balancing as a Service. So the first thing here is we're going to pop open our web client VM; we're going to go and try to access that VIP, and this is before we've created any load balancer configuration. So we're going to go ahead and try accessing, you know, 192.168.3.1, which is the VIP we're going to configure, and we see that, well, obviously it's not there yet because we haven't configured it. We're going to run the script to actually create the load balancer, and we're going to go ahead and add two pool nodes, one at 1.101 and one at 1.102. We give that just a second, and then we create our VIP on 192.168.3.1, which is the IP we were just trying to access. So now that that's completed, we can actually go back to our web client VM and try to access this network. And so our web server VMs are doing something very simple: you know, when you hit refresh, one web server VM is hosting a Bing web page, the other web server VM is hosting Google, and what we see here is that when I click refresh here I'll get Google on one instance, and when I hit refresh I'll get Bing on the other. So we're seeing our load balancer is actually load balancing between the two VMs. Now, this is a very kind of very simple example, but it's just to demonstrate the power behind the solution; this can be any web VM in the back end that's doing this at the end of the day. So we're seeing that we're actually doing load balancing through Quantum, powered by the VMware load balancer here, when we access the VIP.

So now that we've done that, let's go ahead and dive to the next level of detail: let's add a firewall rule here and see if that actually works. So again, we're going to do something very simple: we're going to actually drop a firewall rule on the VIP on port 80, which is the port being used by the web servers to serve the web page. So we're going to go back to our scripts here and create a firewall rule. That's going to create a couple of objects: we're going to create an IP object for the firewall, and we're going to create a firewall rule to block port 80 here, and as soon as we've done that, we go ahead and try clicking refresh in our web client VM again, and we see that we're constantly spinning in a connecting state; the firewall is actually blocking port 80 as we had desired. So that's kind of just a very, again, fundamental, basic use case, but that can be applied in many different ways.

Now, let's suppose it's the middle of the night, our data center, our application goes down, and we need to have some maintenance, but we need some of our engineers in the IT team who are at a remote site, let's say they're hosted in China, to actually go ahead and connect to this environment and debug what's going on. So what we've actually done here is we connected from our Palo Alto VM, our office, with a VPN through Quantum to a Beijing office that we have where some of our engineers work. Now, what we're going to do is actually have a remote site up, as you see at the top of the screen there, and we're actually going to create a VPN instance on that advanced services router and have the internal network stretch out to the remote site via our services router, and this is all again going to be configured through Quantum, a preview version of what we're trying to accomplish in Havana. We hop back into our scripts here; we go ahead and create the remote gateway, which is again also running using OpenStack, and we can go again and hop into our network topology, and we see here that the remote gateway is actually connected out via the public network here. Now we go ahead and go back to the scripts, and we configure the VPN instance on the advanced services router at the local site to connect out to the remote site. So we created a site object, we created a VPN site to that remote site, and then we tried SSHing into that web server VM that may have had an issue, which is 192.168.1.101, which is one of the VMs behind our load balancer, and as we see, we're actually in the remote box and we're able to SSH in to that web server VM. So we're actually having a VPN connection from our remote Beijing site into our Palo Alto office, all over VPN as a Service, powered through OpenStack. So this kind of just demonstrates some of the building blocks that you can use in your environment to actually build out this infrastructure; you have kind of these pieces that you can layer together and formalize into the use case for your application workloads.

So basically, in summary, we have the VMware networking and security services, and what we're trying to accomplish is actually make sure that we deliver the leading software-defined data center vision with network and security solutions out in the market today, and we're doing this through a couple of concepts. We talked about network virtualization, decoupling from the physical fabric, but we're adding to that at that bleeding edge with firewall, VPN, load balancer, our services virtualization, if you want to call it that, to take us to the next level. Now, the next thing we want to make sure we do is make sure we increase that operational efficiency, improve utilization; we want to make sure that your OPEX and your CAPEX stay capped when you're actually trying to leverage virtualized services, virtualized solutions. And all of this is going to bundle up and try to enable your IT department to actually have an agility that lets it, you know, drive business needs as requirements desire. And finally, and kind of very important, is that we're trying to make sure we're doing this through a platform that's very open, such as OpenStack, and it's extensible for either VMware or any of VMware's partners. So what we're trying to make sure is we are driving that goal of the software-defined data center, and we're leaving it open to the tenant, to the customer, to the consumer, to build these pieces out and make sure their use cases are met without actually being stuck in any specific solution. So with that, I hope you enjoyed it. Please feel free to reach out to me if any questions come up. The load balancer, the VPN and the firewall which were demonstrated here are all shipping VMware products out there today; they're actually slowly being integrated into Quantum, and the load balancer is already out there. And I hope you enjoy the presentation. Thank you.