Architecting a VMware NSX Solution
Introduction
1.1 Document Purpose
Technology Mapping
2.1 Glossary of Terms
2.2 NSX for vSphere Overview
Deployment Model Considerations
3.1 Deployment Sizing Considerations
3.1.1 Small/Medium Data Center Deployment
3.1.2 Large Data Center Deployment
3.2 Cloud Service Offerings
3.2.1 Hosting (Managed or Unmanaged)
3.2.1.1 VMware vSphere Client Consumption
3.2.2 Private Cloud (Managed or Unmanaged)
3.2.2.1 VMware vRealize Automation Consumption
3.2.3 Public Cloud
3.2.3.1 VMware vCloud Director for Service Providers Consumption
3.2.3.2 VMware vCloud Director and VMware NSX
Design Considerations
4.1 Architecture Overview
4.2 Network Requirements and Topologies
4.2.1 Classic Core/Aggregation/Access Layer Topologies
4.2.2 Leaf-and-Spine Fabric Design
4.3 vCenter Server Design
4.3.1 Design Considerations
4.4 vSphere Cluster Design
4.4.1 Design Considerations
4.5 NSX Manager
4.5.1 Design Considerations
4.6 NSX Controller Cluster
4.6.1 Design Considerations
4.7 VXLAN Design Considerations
4.7.1 Design Considerations
4.8 Transport Zone Design
4.8.1 Design Considerations
4.9 VMware NSX Distributed Firewall
4.9.1 Design Considerations
4.10 Service Composer
4.10.1 Security Groups
4.10.2 Security Policy
4.10.3 Design Considerations
4.11 NSX Edge Services Gateways
4.12 VMware NSX Distributed Logical Router
4.12.1 Design Considerations
4.13 NSX Logical Switches
4.13.1 Multicast Mode
4.13.1.1 Design Considerations
4.13.2 Unicast Mode
4.13.2.1 Design Considerations
4.13.3 Hybrid Mode
4.13.3.1 Design Considerations
Key Use Cases
5.1 Customer On-Premises-to-Hosted Cloud Connectivity
5.2 Securing Applications and Networks in the VMware Cloud Provider Program
5.2.1 Consumption Models
5.3 Micro-Segmentation
5.4 On-Demand Creation of Logical Networks
5.4.1 Consumption Models
5.5 VMware NSX Dynamic Routing Scenario (Provider/Tenant) with MPLS
5.6 Independent Networking and Security Functions
5.7 NSX Provider Edge Independent of vCloud Director
Availability
6.1 NSX Manager
6.2 NSX Controller Cluster
6.3 NSX Edge Services Gateway
6.3.1 Stateful Active/Standby HA Deployment for NSX Edge Services Gateway
6.3.2 Standalone Deployment for NSX Edge Services Gateway
6.3.3 Equal-Cost Multi-Path High Availability for NSX Edge Services Gateway
6.4 NSX Distributed Logical Router Control VMs
Manageability
7.1 Cloud Consumption Models
7.1.1 Hosting Solution
7.1.2 Private Cloud Solution
7.1.3 Public Cloud Solution
7.2 NSX for vSphere Logging Considerations
7.3 Management Interfaces
7.3.1 Distributed Logical Router Control Virtual Machine
7.3.2 VMware NSX Distributed Firewall Monitoring
Performance and Scalability
8.1 Performance of Networking and Security in a Virtualized Environment
8.1.1 Quality of Service (802.1p CoS, Layer 2) and Differentiated Services (DSCP, Layer 3)
8.2 Scalability of Virtualized Cloud Environments
8.2.1 Scalability of NSX for vSphere Components
Recoverability
9.1 NSX Manager Recoverability
9.1.1 Restoring NSX Manager Backups
9.2 NSX Controller Recoverability
9.3 NSX Edge Services Gateway Recoverability
9.4 Distributed Firewall Recoverability
9.5 VMware vSphere Distributed Switch Recoverability
9.6 VMware vCenter Server Recoverability
Security
10.1 NSX for vSphere Component Security
10.2 Integration with vCenter Single Sign-On
10.3 Role-Based Access Control
10.4 NSX for vSphere Hardening
Operational Considerations
11.1 NSX Manager Operational Considerations
11.1.1 NSX Manager General Operational Considerations
11.1.2 NSX Manager Installation Considerations
11.1.3 NSX Manager Upgrade Considerations
11.1.4 NSX Manager Performance Considerations
11.1.5 NSX Manager Connectivity Issue Considerations
11.1.6 NSX Manager Log Location
11.2 NSX Controller Operational Considerations
11.2.1 General Considerations
11.2.2 NSX Controller Log Location
11.3 NSX Distributed Firewall Operational Considerations
11.3.1 VMware NSX Distributed Firewall General Operational Considerations
11.3.2 VMware NSX Distributed Firewall Log Location
Appendix A: NSX for vSphere Port and Protocol Requirements
Appendix B: Reference Documents
Workload Mobility and Disaster Recovery
Introduction
1.1 Document Purpose and Scope
Service Definition
2.1 Service Offering Overview
2.1.1 Target Virtual Infrastructure
2.1.1.1 Sizes and Specifications
2.1.2 Hybrid Networking Specification
2.1.2.1 Direct Connect Networks
2.1.2.2 VPN Services
2.1.3 Virtual Machine Replication
2.1.4 Automated Failover, Testing, and Migration Capabilities
2.1.4.1 Disaster Recovery Scenario
2.1.4.2 Planned Migration Scenario
2.1.4.3 Testing Scenario
2.2 Workload Mobility and Live Migration Services (Optional)
Conceptual Architecture
3.1 Business Drivers
3.2 Conceptual Architecture Solution Overview
Designing the Solution
4.1 Logical Architecture Solution Overview
4.2 Solution Architecture Bill of Materials
4.3 Management Components Design
4.3.1 VMware vCenter Server Management Services
4.3.1.1 vCenter Server Resource Requirements
4.3.1.2 Scripted Installation
4.3.1.3 vCenter Server Database Requirements
4.3.2 NSX Management Services
4.3.2.1 NSX Manager Resource Requirements
4.3.2.2 NSX Manager Scripted Installation
4.3.3 Site Recovery Manager Management Services
4.3.3.1 Site Recovery Manager Database Requirements
4.3.4 vSphere Replication Management Services
4.3.4.1 vSphere Replication Manager Appliance
4.3.4.2 vSphere Replication Server Appliance
4.3.5 vSphere Replication Resource Requirements
4.4 Network Design
4.4.1 Data Center Connectivity
4.4.2 Data Center Routing Design
4.4.2.1 North-South Routing
4.4.2.2 East-West Routing
4.4.2.3 Local Egress
4.4.2.4 Ingress Optimization
4.4.2.5 Stateful Services Routing
4.4.3 Alternative Network Architectures
4.4.4 Control-Plane Design
4.4.4.1 NSX Controller Resource Requirements
4.4.5 Data-Plane Design
4.4.5.1 Universal Transport Zone Design
4.4.5.2 Universal Distributed Logical Router Design
4.4.5.3 Universal Logical Switch Design
4.5 Security Design
4.6 Workload Mobility Design
4.6.1 Long-Distance vSphere vMotion
4.7 Disaster Recovery Design
4.7.1 Virtual Machine Replication
4.7.1.1 Calculate Bandwidth for vSphere Replication
4.7.1.2 Defining an Appropriate RPO
4.7.1.3 Multiple Point-In-Time Instances
4.7.2 Site Recovery Manager Inventory Mappings
4.7.2.1 Automatic or Manual Mapping
4.7.3 Site Recovery Manager Protection Groups
4.7.4 Site Recovery Manager Recovery Plans
4.7.5 API Consumption
4.7.6 Site Recovery Manager Operational Limits
4.7.7 Site Recovery Manager Planned Migration
4.7.8 Site Recovery Manager Non-Disruptive Disaster Recovery Testing
4.7.9 Site Recovery Manager Disaster Recovery
4.7.10 Re-protection
4.8 Failure Scenarios
4.8.1 Complete Site Failure
4.8.2 Application Component Failure
4.8.3 Edge Cluster Failure
Operational Considerations
5.1 Cloud Service Provider Operations
5.1.1 Platform Monitoring and Alerting
5.1.2 Platform Billing Integration
5.1.3 VMware Cloud Provider Program Usage Metering
5.1.4 Service Provider Roles and Responsibilities
5.2 Cloud Service Tenant Operations
5.2.1 Executing Long-Distance vSphere vMotion Operations
5.2.2 Executing Planned Migration with Site Recovery Manager
5.2.3 Executing Disaster Recovery Test Scenario
5.2.4 Executing Disaster Recovery Scenario
5.2.5 End Customer Roles and Responsibilities
Conclusion
VMware vCloud Networking and Security Upgrade to VMware NSX
Introduction
Interoperability and Upgrade Path
2.1 Solution Interoperability
2.2 Upgrade Paths
Impact of Network Virtualization Technology
3.1 Cisco Nexus 1000V
3.2 vCloud Director Network Isolation (VCDNI)
Migration Considerations
4.1 Port Requirements
4.2 vCloud Director Legacy Edge Compatibility
4.2.1 vCloud Director 8.0 and Earlier
4.2.2 vCloud Director 8.10
4.3 Management
4.4 Licensing
4.5 NSX Controller Cluster
4.6 VMware NSX VIB Upgrade
4.7 Control Plane Mode
4.8 VMware vShield App and VMware vShield Endpoint
Migration Scenario with Minimal Production Impact
Reference Documents
Customer Onboarding with VMware NSX L2VPN Service
Introduction
1.1 Overview
1.2 Document Purpose and Scope
1.3 Definitions, Acronyms, and Abbreviations
Customer Onboarding Overview
2.1 Key Onboarding Factors
2.1.1 VMware Cloud Provider Infrastructure
2.1.2 Customer On-Premises Infrastructure
2.1.3 Hybrid Network Connectivity
2.1.4 Tenancy
2.1.5 Users and Roles
2.1.5.1 Service Provider
2.1.5.2 Customer/Tenant
2.1.5.3 Workload Mobility and Migration Services
Conceptual Architecture
3.1 Business Drivers
3.2 Conceptual Architecture Solution Overview
Designing for VMware NSX L2VPN Service
4.1 VMware NSX L2VPN Deployment Models
4.1.1 Stretched L2VPN with VMware NSX On Premises
4.1.2 Stretched L2VPN with Standalone NSX Edge
4.2 Architecture Prerequisites
4.2.1 VMware Software Product Requirements
4.2.2 Networking Requirements
Management Components and Feature Design
5.1 vSphere Component Design
5.1.1 vCenter Server
5.1.2 vSphere Cluster Design
5.1.3 Virtual Switches
5.2 VMware NSX Component Design
5.2.1 NSX Edge
5.2.2 NSX Edge Considerations
5.2.3 Standalone NSX Edge Appliance
5.2.4 VMware NSX Logical Switch
5.2.5 Transport Zones
5.3 VMware NSX L2VPN Service Components
5.3.1 L2VPN Server
5.3.2 L2VPN Server Global Configuration
5.3.2.1 L2VPN Server Site Configuration
5.3.3 L2VPN Client
5.3.4 Trunk Port
5.3.5 Tunnel ID
5.3.6 Egress Optimization
5.3.7 VMware NSX L2VPN Service Threshold Recommendations
VMware NSX L2VPN Onboarding Scenarios
6.1.1 Long-Distance vSphere vMotion Migration Considerations
6.2 L2VPN and New Workload Provisioning
6.3 L2VPN with vSphere Replication
Conclusion
References
Architecting Tenant Networking with NSX in vCloud Director
Introduction
1.1 Overview
1.2 Document Purpose and Scope
1.3 Definitions, Acronyms, and Abbreviations
1.3.1 Definitions
1.3.2 Acronyms and Abbreviations
Customer Networking In a Service Provider Environment
2.1 Customer Network Topologies
2.2 Replicating a Managed Service Customer Topology in vCloud Director
2.2.1 Traditional Managed Service Customer Topology
2.2.2 The NSX Edge Services Gateway
2.2.3 Basic Cloud Service Provider Customer Topology
2.2.4 The NSX Distributed Firewall
2.2.5 Further NSX Feature Support in vCloud Director
Multitenancy in a Cloud Service Provider
3.1 vCloud Director Multitenancy
3.2 Basic vCloud Director Tenant Topology
3.3 Multitenant Networking
3.3.1 Network Layers in a Multitenant Cloud Platform
Networking Layers Examined
4.1 Tenant Networking
4.2 vCloud Director Multitenant Data Center Networking in vSphere
4.3 Networking in a Multi-Cluster “Leaf-Spine” Infrastructure Topology
4.4 vCloud Director Multitenant Networking in NSX
IP Address Management and Routing
5.1 Tenant Address Management
5.1.1 Service Provider Managed Addressing
5.1.2 Bring Your Own IPs
5.2 Customer Address Assignment
5.2.1 Static IP Pool Assignment
5.2.2 Static – Manual Assignment
5.2.3 DHCP Assignment
5.3 Internet Address Management
5.3.1 Shared Multitenant External Network
5.3.2 Dedicated Single-Tenant External Network
5.3.3 Outbound Internet Access
5.4 External Network Address Sub-Allocation
5.5 Routing in a Multitenant Service Provider Environment
5.5.1 Provider Data Center Internet Routing
5.5.2 Provider Data Center Per-Tenant Routing
5.6 IPv6 Considerations
Commercial Considerations
6.1 Managed Service or Self Service
6.2 Additional Product Licensing
References
Appendix A: Provisioning an External Network in vCloud Director
Introduction