Architecting a VMware NSX Solution : Technology Mapping : 2.2 NSX for vSphere Overview
   
2.2 NSX for vSphere Overview
The overall goal of network and security virtualization is, at a minimum, to provide the same functionality as physical network and security components, delivered as virtualized logical components. This is enabled by a centralized management platform that organizes the multiple virtualized networking and security functions within a single interface. The networking and security functions supported by the VMware NSX platform are shown in the following figure.
Figure 1. VMware NSX Network and Security Functions
 
VMware NSX supports the following functions:
Switching – Extension of L2 segment IP subnets anywhere in the fabric, regardless of the physical network design.
Routing – Layer 3 logical routing between IP subnets without traffic going out to the physical router. This routing, performed in the hypervisor kernel with minimal CPU or memory overhead, provides an optimal data path for routing traffic within the virtual infrastructure (East-West communication). Similarly, VMware NSX Edge™ services gateway provides an ideal centralized point for seamless integration with the physical network infrastructure, handling communication with the external network (North-South communication).
Distributed firewall (DFW) – Security enforcement implemented as a hypervisor kernel module that provides a firewall at the virtual NIC level. This enables firewall rule enforcement in a highly scalable manner, without creating bottlenecks on physical appliances. Because the firewall is distributed in the kernel, it has minimal CPU overhead and can perform at line rate.
Logical load balancing – Support for L4–L7 load balancing with the ability to provide SSL termination.
VPN – SSL VPN services that enable L2 and L3 VPN connectivity:
IPsec VPN – The service provider configures two NSX Edge nodes and creates a site-to-site tunnel between them. The networks behind the two edges are reachable through the site-to-site tunnel, which interconnects the two different networks.
L2 VPN – The service provider can extend a network across boundaries such that the extended VMs are unaware of the extension and require no change to their routing or MAC addresses.
SSL VPN-Plus – The service provider offers this user-based solution, where an NSX Edge is provisioned with SSL VPN and the private network behind the NSX Edge becomes reachable from the end user’s machine after it connects through the SSL VPN client.
Connectivity to physical networks – L2 and L3 gateway functions are supported within VMware NSX for vSphere® to provide communication between workloads deployed in logical and physical spaces.
Individual VMware NSX components provide the following functionality:
NSX Edge services gateway – Multi-functional virtualized networking and security component that supports both control plane and data plane functions, such as network address translation (NAT), dynamic routing protocols (OSPF, iBGP, eBGP), static routing, firewall, Identity-Based Firewall, load balancing, DHCP/DNS support, and VPN, with a primary focus on North-South traffic.
Distributed logical router – Virtualized networking platform that supports both control plane and data plane functions of routing protocols (OSPF, BGP), with a primary focus on East-West traffic.
Distributed firewall – Distributed firewall services integrated with the vSphere kernel for optimized performance and functionality.
VMware NSX Controller™ cluster – Virtual appliance that provides the control plane function for the L3 routing and L2 switching components.
VMware NSX Manager™ – Virtual appliance that centralizes the provisioning of logical networking components and manages the connection of virtual machines and storage objects to the networking functions.
VMware NSX API™ – RESTful API for interfacing with external programs, such as cloud management portals or orchestration engines.
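As an added example (not VMware's code and not part of this document), the following Python script shows how the RESTful NSX API can feed a defender's audit of the distributed firewall described above: it pulls the DFW rule set from NSX Manager and reports enabled allow rules whose source, destination and service are all left unrestricted, the classic "any/any/any allow" that silently undoes vNIC-level segmentation. The endpoint path `/api/4.0/firewall/globalroot-0/config`, the XML element layout, and the host and credential parameters are assumptions made for this example; the embedded XML is a constructed sample so the audit runs offline.

```python
"""Audit NSX for vSphere distributed firewall (DFW) rules for over-broad allows.

Added example, not VMware's own code. Assumptions (not taken from the page):
- NSX Manager exposes the DFW configuration at
  GET /api/4.0/firewall/globalroot-0/config (assumed endpoint).
- The response is XML with <section>/<rule> elements, where a rule that has
  no <sources>, <destinations> or <services> element matches "any".
"""
import base64
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample resembling a DFW config response (layout assumed), so the
# audit can be exercised without a live NSX Manager.
SAMPLE_DFW_XML = """<firewallConfiguration>
  <layer3Sections>
    <section id="1001" name="web-tier">
      <rule id="1" disabled="false">
        <name>web-to-app</name>
        <action>allow</action>
        <sources excluded="false">
          <source><type>SecurityGroup</type><value>securitygroup-web</value></source>
        </sources>
        <destinations excluded="false">
          <destination><type>SecurityGroup</type><value>securitygroup-app</value></destination>
        </destinations>
        <services>
          <service><protocolName>TCP</protocolName><destinationPort>8443</destinationPort></service>
        </services>
      </rule>
      <rule id="2" disabled="false">
        <name>temp-any-allow</name>
        <action>allow</action>
      </rule>
      <rule id="3" disabled="true">
        <name>old-any-allow</name>
        <action>allow</action>
      </rule>
      <rule id="4" disabled="false">
        <name>default-deny</name>
        <action>deny</action>
      </rule>
    </section>
  </layer3Sections>
</firewallConfiguration>
"""


def fetch_dfw_config(nsx_manager, username, password):
    """Pull the live DFW configuration from NSX Manager over the REST API.

    nsx_manager, username and password are placeholders supplied by the caller;
    the URL path is an assumption for this example.
    """
    url = f"https://{nsx_manager}/api/4.0/firewall/globalroot-0/config"
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    request = urllib.request.Request(
        url, headers={"Authorization": f"Basic {token}", "Accept": "application/xml"}
    )
    with urllib.request.urlopen(request) as response:
        return response.read().decode()


def audit_dfw(xml_text):
    """Return (section_name, rule_id, rule_name) for every enabled allow rule
    that leaves source, destination and service all unrestricted."""
    root = ET.fromstring(xml_text)
    findings = []
    for section in root.iter("section"):
        for rule in section.findall("rule"):
            # Disabled rules are not enforced, so they are not a live exposure.
            if rule.get("disabled", "false").lower() == "true":
                continue
            action = (rule.findtext("action") or "").strip().lower()
            if action != "allow":
                continue
            # Absence of the element means "any" for that match dimension.
            unrestricted = all(
                rule.find(tag) is None for tag in ("sources", "destinations", "services")
            )
            if unrestricted:
                findings.append((section.get("name"), rule.get("id"), rule.findtext("name")))
    return findings


if __name__ == "__main__":
    # Offline run against the constructed sample; swap in fetch_dfw_config(...)
    # to audit a real NSX Manager.
    for section_name, rule_id, rule_name in audit_dfw(SAMPLE_DFW_XML):
        print(f"over-broad allow: section={section_name} rule={rule_id} name={rule_name}")
```

Run as-is the script reports only rule 2 (`temp-any-allow`): rule 1 is scoped by security groups and a service, rule 3 is disabled, and rule 4 is a deny. Extending the check to flag rules where only sources and destinations are unrestricted is a one-line change to the `all(...)` test, which is a common second pass once the any/any/any cases are cleared.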
Various VMware NSX components, as shown in the following figure, support the networking and security virtualization functions to provide an overall end-to-end network and security virtualization solution.
Figure 2. Networking and Security Virtualization Functional Components