Introduction to VMware NSX+: This is a new NSX offering that allows customers to transition to a SaaS-based Multi-Cloud operating model for networking, security, and advanced load balancing. It is a SaaS-based Multi-Cloud networking and security solution delivered as a service, offering Centralized Policy Management, NSX Intelligence and NDR (Network Detection and Response) for both networking and security across multiple cloud environments (private and public clouds).
With this new NSX+ lab, we demonstrate an innovative cloud operating model that ensures consistent networking and security for applications deployed in multiple cloud environments. It lets you achieve consistent policies through a single pane of glass, provides end-to-end security visibility and correlation to enhance lateral security, and simplifies operations across private and public clouds, all managed centrally from a single VMware Cloud console.
Demo Scenario: ACME Corp is a global company that now has the opportunity to expand its presence in various locations using different cloud platforms for its applications, including Private Clouds, VMware Clouds, and Public Clouds. However, this diversity also presents challenges, as ACME IT leaders are grappling with the following key issues:
- Partial automation inefficiencies: siloed teams struggle with setting up security, networking, and load balancing for applications, leading to operational inefficiencies and friction between infrastructure and app owners.
- Multi-Cloud complexity: managing multiple cloud environments lacks consistency, causing difficulties in change management, security, and issue resolution.
Solution: VMware introduces NSX+ to address these challenges with:
- A new cloud-managed service offering for the NSX network virtualization, security and advanced load balancing services that allows customers to run applications across their Multi-Cloud environments from a centralized VMware Cloud console.
- Multi-Cloud Virtual Private Cloud (VPC) that provides full isolation of networking, security, and load balancing services to multiple tenants on a shared VMware Cloud infrastructure.
- Enhanced security with a centralized, end-to-end management model.
VMware NSX+ is a new NSX offering that allows customers to transition to a SaaS-based Multi-Cloud operating model for networking, security, and advanced load balancing. NSX+ delivers:
1. Consistent Multi-Cloud network operations (NSX+ Policy Management)
2. Simplified cloud consumption via a centralized cloud console to manage On-Premise and cloud network infrastructure with key Multi-Cloud capabilities (NSX+ Policy Management and VPC)
3. Comprehensive app visibility across clouds (NSX+ Intelligence)
4. Enterprise guardrails with multi-tenancy running across multiple sites to simplify the creation and consumption of Multi-Cloud architectures and network constructs (NSX+ VPC)
5. Strong Multi-Cloud security across clouds with defense-in-depth via Network Detection and Response (NSX+ NDR)
For the full story of how to demo NSX+, follow the steps below.
For a more detailed step-by-step walkthrough, see the NSX+ TechZone end-to-end demo showcase: https://nsx.techzone.vmware.com/end-end-demo-showcase-nsx
To login to the environment, perform the following steps:
- Enter your TestDrive Username and Password and select ENTER.
- Locate the VMware NSX+ product under the Intrinsic Security tab and click Launch.
*In case of a long idle or disconnected session, please log out from the upper-right corner and log in again to launch a new Horizon desktop, or switch to an Incognito browser instead of Chrome/Firefox.
- A new tab will open with Workspace ONE. Enter your TestDrive Username and Password, then click Sign in.
- Note: Please provide the short username (not your email ID) and password to log in.
- Click on Apps section and search for the NSX+ desktop and launch it.
- You are now on the NSX+ desktop. At this point you can begin the walk-through steps listed in the next section.
- Click on Lab guide Chrome icon (1) before opening the NSX+ console.
- Click on NSX+ icon(2) only after the lab guide is opened completely.
For the benefit of all users, we kindly ask that you use the lab responsibly. Please do not delete any object or make any change to the license or subscription that could potentially disrupt this shared NSX+ lab environment.
- The automatic login process will handle the login procedure without any need for manual intervention. Please don't press any keys until the login process is finished and you are logged into the VMware Cloud Services portal.
- Check that the organization name is "Global Platform Engineering" (1) under the user name.
- Click on NSX+ "LAUNCH SERVICE" (2) to open the NSX+ instance.
If you plan to onboard your On-Premise NSX Manager/ NSX Local Manager, make sure the following prerequisites are satisfied.
- On-Premise NSX Manager must be of version 4.1.1+
- A vSphere+ subscription
- Supported vCenter Server version is 8.0+
- Latest VMware Cloud Gateway version
- The minimum form factor for an On-Premise NSX Manager node to be onboarded onto an NSX+ instance is a Large node, with the following subscriptions:
1. NSX+ Policy Management
2. NSX+ Intelligence
3. NSX+ NDR
- For a step-by-step walkthrough of onboarding your NSX Local Managers into NSX+ (this lab skips this step), see: https://engage.vmware.com/explore2023/nsx-and-vpc-8/nsx01-onboarding-nsx-demo?w=394bc
- Purchase an NSX+ subscription: VMware NSX+ is subscription-based software. No software installation is needed, and no license key is used to activate the software. You buy VMware NSX+ directly from the VMware Sales team.
- Receive an email to add the NSX+ service to your organization: After buying the NSX+ service, VMware sends you a service welcome email that has a unique service activation link. Use this link and follow the on-screen prompts to apply an NSX+ subscription.
- Download, install and configure VMware Cloud Gateway: VMware Cloud Gateway is a secure gateway between the On-Premise NSX Local Manager and NSX+. It allows you to onboard and off-board your NSX Local Manager to and from an NSX+ instance.
- Launch the NSX+ service: Assign the appropriate NSX+ service role to the user in order to work in the NSX+ UI.
- Onboard an NSX+ instance: An NSX+ instance defines a logical grouping for the managed sites hosted in a region. Once this is defined you can onboard sites to your instance.
In this lab, we have deployed two On-Premise NSX Local Managers at separate locations, LM-Dallas and LM-Paris. Both sites are now onboarded to NSX+. By using NSX+, we can easily achieve simplified cloud consumption while ensuring that applications deployed across LM-Dallas and LM-Paris benefit from enhanced availability, consistency, and security.
NSX+ Policy Management speeds up deployment of applications and network infrastructure across private, public, and sovereign clouds through on-demand access to consistent network and security policies and automation, deployed from a centralized SaaS console. NSX+ Policy Management provides cross-cloud network operations with comprehensive visibility, allowing customers to achieve agility and cost efficiency in Multi-Cloud environments.
Centralized Policy Management with NSX+: In this session, you will manage networking and security policies centrally across all your clouds. NSX+ provides consistent networking and security controls and policies across Multi-Site and multi-region deployments.
NSX+ Policy Management also comes with built-in networking and security operations and troubleshooting. In this demo, we will illustrate how you can use NSX+ Policy Management to seamlessly scale a CRM application from the On-Premise site LM-Dallas to the LM-Paris site. We have onboarded two sites (LM-Dallas, LM-Paris) to NSX+. The DB workload of the CRM application has to be scaled to the LM-Paris site to enhance application performance and scalability. With NSX+ Policy Management we will apply consistent security policies across clouds through the centralized cloud console.
ACME Corporation operates its PROD-CRM application across two sites: the primary site at their headquarters in LM-Dallas and the secondary site in LM-Paris. To ensure consistency and keep the CRM databases up to date across both locations, ACME's team plans to scale the CRM database to the LM-Paris site to enhance service availability across clouds.
By leveraging NSX+, ACME Corporation can now easily achieve its goal of simplifying cloud consumption with high availability, consistency, and security for their application across both their Dallas and Paris sites.
The following lab flow will walk you through how to navigate this scenario using the Capabilities of NSX+ Policy Management.
- NSX+ allows you to view networking objects that have been created locally in the NSX Managers. This enables centralized monitoring and management of networking resources across sites from the NSX+ cloud console. Click on each site to view the Tier-0 Gateways created from the NSX Local Managers.
- Your first step is to inspect the Tier-0 Gateways created in each On-Premise site, by navigating to each individual site. In each On-Premise site we have a Tier-0 Gateway configured which enables external connectivity for the network segments in the environment.
- Click on Global (1).
- Click on ACME_instance (2).
- In ACME_instance, navigate to Networking (1).
- Click on the View (1) tab. It lists the sites on-boarded to NSX+. In the following steps we will inspect the Tier-0 Gateways created in LM-Dallas and LM-Paris NSX local managers.
- To view the Tier-0 Gateway that is set up specifically in LM-Dallas, click on "LM-Dallas Site." Then, click (1) to open up T0-GW-Dallas-01. You will notice that any networking items created using NSX Local Manager have an icon next to them that shows the name of the local site where they were created.
- Repeat the earlier step, changing the site from LM-Dallas to LM-Paris. To do this, click on the "View" (2) tab to change the site to LM-Paris.
- In our lab setup, we've created one Tier-1 Gateway in each of LM-Dallas and LM-Paris using NSX+. For each of these Tier-1 Gateways, we've chosen the Tier-0 Gateway that matches its location. Additionally, we've turned on "All connected segments and service ports" in Route Advertisement.
- Select "Tier-1 Gateways" (1). You'll notice that there is one Tier-1 Gateway created for each location from NSX+, which is indicated by the NSX+ icon next to these objects.
- Expand each Tier-1 Gateway (2)(3) and observe the Linked Tier-0 Gateway and Location details of Tier-1 Gateways.
- We've created two inventory groups: one for the Web group and the other for the DB group. The Web VMs in the Dallas site are members of the Web Group, while the DB VMs in the Paris site belong to the DB Group.
- Click on Security (1) and Click on Groups (2) under Inventory.
- Review the NSX+ Groups, Web Group and DB Group. Click on "View Members" to review the "Effective Members" and "Group Definition".
- The inventory groups we set up will be included in the Distributed Firewall Rules that we have configured for the CRM application.
- After creating the networking objects and inventory groups, the next step is to enhance the security of the CRM application VMs. To achieve this, we have implemented Global Distributed Firewall policies across the two sites.
- Click on Distributed Firewall (1) under Policy Management to view the Global policies configured under "APPLICATION".
- We have configured the Distributed Firewall Rules to micro-segment the Two-Tier application.
- The "Allow Web" rule permits HTTP connections from any source to the Web VMs On-Premise (LM-Dallas).
- The "Allow Web to DB" rule permits traffic from the Web server in LM-Dallas to the database server in LM-Paris.
Multi-tenancy with NSX+: NSX+ 4.1 introduced the concept of Projects, a new feature that enables granular resource management for multiple tenants within NSX deployments. Projects take multi-tenancy support in NSX to the next level by delivering flexible resource allocation and management. Enterprise Admins can segment the platform into Projects, assigning different spaces to different tenants while maintaining full visibility and control.
Virtual Private Cloud (VPC) in NSX+ refers to a logical networking construct that provides isolation and segmentation within a data center or cloud environment. It allows you to create multiple virtual networks within a single physical infrastructure, each with its own grouping/tagging, network, and security policies. With NSX+ Multi-Cloud VPC, VMware brings an enterprise-grade VPC construct to private clouds and extends it to multi-cloud, offering fully isolated sandboxes with security guardrails.
NSX+ VPC is an abstraction layer that simplifies setting up self-contained virtual private cloud networks within an NSX project to consume networking and security services in a self-service consumption model. NSX+ VPC hides the complexity of the underlying NSX infrastructure, network topology, networking objects, and IP address management from the application owners and offers them a self-service consumption model to run applications in their own private space.
Application owners or DevOps engineers do not need to know about the underlying NSX infrastructure for running applications within their isolated space. They can add subnets (networks) inside the NSX+ VPC that is assigned to them, and configure security policies to meet their application requirements without having any dependency on the Enterprise Admin.
ACME Corp has several applications in multiple cloud environments and various departments. They aim to create a multi-tenant setup where each department's application virtual machines run in isolated environments. Additionally, ACME Corp wants the application owners to be able to add their own subnets and security policies for their applications.
To address this challenge, we can leverage NSX+ VPC. NSX+ VPCs operate under Projects. A project in NSX+ is similar to a tenant. By creating projects, we can isolate security and networking objects across tenants in a single NSX deployment. Project Admins can assign access to the projects for application owners. Application owners can add subnets inside the VPC and configure security policies for their workloads. The security policies affect only the workloads within the NSX+ VPC and nothing outside it.
To set up a VPC in NSX+, you need to follow a series of steps. Here are the main steps, and we will go into detail on each step in the following sections.
- Enterprise Admin: Creates a project called Project01-Finance in NSX+ and assigns Project Admin roles to users.
- Project Admin: Adds an NSX+ VPC, VPC1-Finance, inside the project and defines VPC settings such as IP assignment, DHCP configuration, edge cluster and so on.
- Project Admin: Assigns roles to users in the NSX+ VPC.
- Project Admin: Defines quotas or limits for the number of objects that users can create within the NSX+ VPC.
- VPC Admin or Network Admin: Adds subnets in the NSX+ VPC. Connects workloads to these subnets based on business requirements.
- VPC Admin or Security Admin: Adds security policies in the NSX+ VPC to meet the security requirements of the workloads that are connected to the subnets in the VPC.
NSX+ projects are similar to tenants. By creating projects, you can isolate security and networking objects across tenants in a single NSX+ deployment. By creating a project called Project01-Finance, ACME Corp can isolate its networking and security configurations from those of its other departments.
- Click on default--ACME_instance(1).
- We have created two projects called VPC-Site2-ACME-Fitness-Application and Project01-Finance.
- Click on MANAGE(2).
- Expand (1) Project01-Finance to review the project configuration. Observe each highlighted red box to see the configuration required to create a new NSX+ project.
- Sites: The project Project01-Finance has been created for the LM-Dallas site. The Tier-0 Gateway, Edge cluster, and External IPv4 blocks are all associated with the LM-Dallas site.
- The associated Tier-0 Gateway T0-GW-Dallas-01 is the gateway that the workloads in the project can use for north-south connectivity. You can select multiple gateways if required; if no gateway is selected, the workloads in the project will not have north-south connectivity.
- An Edge Cluster is selected to associate with this project. These edge clusters can be consumed inside the project for running centralized services like NAT, Gateway Firewall and DHCP.
- External IPv4 Blocks are available to add public subnets in the NSX+ VPCs within the project. The system will assign CIDR blocks to the public subnets in the NSX+ VPCs from these external IPv4 blocks. VPC users can also use the external IP blocks for adding NAT rules in the NSX+ VPCs.
- Click on close(2).
In this lab workflow, we've created a VPC as the Enterprise Admin. Once a project is set up, users can be designated as Project Admins, and these Project Admins have the privilege to create NSX+ VPCs.
- NSX+ VPC provides an isolated space for application owners to host applications and consume networking and security objects by using a self service consumption model.
- We have created the NSX+ VPC (VPC1-Finance) as the Enterprise Admin.
- Click (1) on the drop-down next to default--ACME_instance.
- Click on Project01-Finance (2) to navigate to the project. You will be taken from the default view to the project view.
- A subset of NSX+ networking features are available in the projects view.
- Click on VPCs(1) to navigate to the VPCs section.
- We have created a VPC called VPC1-Finance under the project Project01-Finance. Expand (1) the VPC to review the configuration.
- Sites: The VPC VPC1-Finance has been created for the LM-Dallas site.
- IP Assignment settings: In the External IPv4 Blocks field, select the IPv4 blocks that the system can use for public subnets in the NSX+ VPC. The external IP blocks that are assigned to the project are available for selection in the NSX+ VPC. These IPv4 blocks must be routable from outside the NSX+ VPC.
- In the Private IPv4 Blocks field, select the IPv4 blocks that the system can use for private subnets in this NSX+ VPC. The IPv4 blocks that are added in the project with visibility set to Private are available for selection in the NSX+ VPC.
- Service Settings: By default, "N-S Services" and "Default Outbound NAT" are turned on. The Default Outbound NAT option is only available when the N-S Services option is turned on for the NSX+ VPC.
When an NSX+ VPC is created successfully, the system implicitly creates a gateway. However, this implicit gateway is exposed to the Project Admin in a read-only mode and is not visible to the NSX+ VPC users.
- A subnet in an NSX+ VPC represents an independent layer 2 broadcast domain. NSX+ VPC subnets are realized as overlay segments in the default transport zone of the project. A user with the VPC Admin or Network Admin role can create subnets in the VPC.
- When a VPC is created successfully, the system creates default north-south and east-west firewall rules that govern the default firewall behavior for the workloads running in the NSX+ VPC.
- N-S firewall rules are centralized rules that apply to traffic going in and out of the NSX+ VPC.
- E-W firewall rules are distributed rules that apply to workloads running inside the NSX+ VPC.
- Expand the "CONNECTIVITY(1)" section and click on "Subnets(2)".
- We have created three private subnets, Web-Segment (1), App-segment (2) and DB-Segment (3), in the VPC. By default, Automatic IP assignment is set for private and public subnets. This means that the system assigns an IPv4 CIDR for the subnet automatically. For a private subnet, the CIDR is assigned from the private IPv4 blocks of the NSX+ VPC.
- Subnets in an NSX+ VPC are realized as overlay segments in the default transport zone of the project. An Enterprise Admin or a Project Admin can view these overlay segments under Segments in the Networking section.
- We can start attaching virtual machines to the subnets created in NSX+ VPC by using the vSphere client.
- Expand the "SECURITY(1)" section and click on "E-W Firewall Rules (2)".
- We have created three E-W firewall rules for the application. All three E-W firewall rules in an NSX+ VPC have Applied To set to DFW. Although Applied To is set to DFW, the firewall rules are enforced only on the workload VMs that are connected to the subnets in the NSX+ VPC.
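As an added example that is not part of the lab or of NSX+ itself, the following Python models the automatic CIDR assignment described above for VPC1-Finance: the three private subnets draw first-fit ranges from the VPC's private IPv4 blocks, a public subnet must come from an external block, and an exhausted block is reported instead of silently overlapping. The block ranges are constructed.

```python
"""Model of automatic subnet CIDR assignment in an NSX+ VPC.

This is an added example, not NSX+ code. Assumptions: a project exposes
IPv4 blocks with visibility External or Private, the VPC selects some of
each, a private subnet draws its CIDR from the VPC's private blocks and a
public subnet from its external blocks, first free range wins.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class IPv4Block:
    cidr: str
    visibility: str                 # "External" or "Private", as in the project
    allocated: list = field(default_factory=list)

    def next_free(self, prefixlen):
        """First /prefixlen range in this block that overlaps no allocation."""
        net = ipaddress.ip_network(self.cidr)
        if prefixlen < net.prefixlen:   # a subnet cannot be larger than its block
            return None
        for cand in net.subnets(new_prefix=prefixlen):
            if not any(cand.overlaps(a) for a in self.allocated):
                self.allocated.append(cand)
                return cand
        return None                     # block exhausted


@dataclass
class VPC:
    name: str
    site: str
    private_blocks: list
    external_blocks: list
    subnets: dict = field(default_factory=dict)

    def add_subnet(self, name, access, prefixlen=24):
        """Auto-assign a CIDR for a Private or Public subnet and record it."""
        if access == "Public":
            pool = self.external_blocks
        elif access == "Private":
            pool = self.private_blocks
        else:
            raise ValueError(f"unknown access type {access!r}")
        if not pool:
            raise ValueError(f"{self.name} has no {access} IPv4 blocks assigned")
        for block in pool:
            cidr = block.next_free(prefixlen)
            if cidr is not None:
                self.subnets[name] = (access, cidr)
                return cidr
        raise ValueError(f"no free /{prefixlen} left in {access} blocks of {self.name}")


def build_vpc1_finance():
    """Recreate the lab's VPC1-Finance with its three private subnets."""
    # Block ranges are constructed; the lab page does not state the real ones.
    private = [IPv4Block("10.20.0.0/22", "Private")]
    external = [IPv4Block("203.0.113.0/24", "External")]
    vpc = VPC("VPC1-Finance", "LM-Dallas", private, external)
    for subnet in ("Web-Segment", "App-segment", "DB-Segment"):
        vpc.add_subnet(subnet, "Private")
    return vpc


if __name__ == "__main__":
    for name, (access, cidr) in build_vpc1_finance().subnets.items():
        print(f"{name}: {access} {cidr}")
```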
In the following section, you'll explore NSX+ Intelligence, which offers in-depth visibility into application behavior across cloud environments. This part of the guide walks you through the steps of examining virtual machine traffic patterns and implementing NSX+ Intelligence's rule recommendations to automatically create micro-segmentation for your applications.
Security Planning and Visibility with NSX+ Intelligence: VMware NSX+ Intelligence provides comprehensive application visibility across clouds. It is a distributed analytics engine that leverages granular workload and network context unique to NSX+ to deliver security policy management and security analytics running across clouds.
NSX+ Intelligence allows you to gain comprehensive visibility into your network across multiple clouds. It provides a centralized data analysis dashboard, which helps you understand the traffic flow data and provides recommendations for network and security policies across Multi-Cloud deployments.
The full NSX+ Intelligence demo is available here: https://engage.vmware.com/explore2023/nsx-and-vpc-8/nsx02-intelligence-demo---application-visibility-across-clouds?w=394bc
This is easy: there is no need to install any big data analytics component on the new site, because NSX+ Intelligence now runs as SaaS like the other NSX+ services. This gives ACME a unified view of applications and flows in a central dashboard.
The data stream between the On-Premise location and the NSX+ Intelligence instance is highly optimized: while we discover applications and see every packet, we only send a digest of the essential information that needs to be tracked, so it is not a massive amount of data.
The ACME networking team wants to focus on the new ACME App first, as it needs to be integrated. So, let's search for it within the apps and flows discovered by NSX+ Intelligence.
We see the ACME application topology. We have a problem: many of the flows are unprotected, which you can recognize from the red dotted lines. This means no policy that explicitly allows or blocks these flows has been implemented yet. This is now easy to fix with NSX+ rule recommendations.
Let's start a new policy recommendation through NSX+ Intelligence. The impact on our ACME app is immediately visible. Now the security posture is corrected and the application is fully protected, blocking non-legitimate transactions within the Chicago site and across sites.
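The following Python, an added example and not NSX+ or NSX+ Intelligence code, ties together the Distributed Firewall rules from the Policy Management section ("Allow Web", "Allow Web to DB") and the unprotected-flow view described here: it evaluates constructed flows against the rules, marks those that only reach the default rule as unprotected, and proposes one explicit allow rule per unprotected tuple. VM names, the DB port and a default drop action are assumptions.

```python
"""Classify discovered flows against NSX+-style DFW rules and recommend rules.

This is an added example, not NSX+ or NSX+ Intelligence code. It models the
lab's two global rules ("Allow Web", "Allow Web to DB") over a constructed VM
inventory and constructed flows, marks flows that only hit the default rule as
unprotected (the red dotted lines in the topology view) and proposes one allow
rule per unprotected (source, destination, service) tuple. VM names, the DB
port and a default drop action are assumptions.
"""
from collections import namedtuple

Rule = namedtuple("Rule", "name src dst service action")  # service = (proto, port)
Flow = namedtuple("Flow", "src dst proto port")           # src/dst: VM name or address
VM = namedtuple("VM", "site tags")

# Constructed inventory: Web VMs in LM-Dallas, DB VM in LM-Paris, one stray VM.
INVENTORY = {
    "CRM-Web-01": VM("LM-Dallas", {"web"}),
    "CRM-Web-02": VM("LM-Dallas", {"web"}),
    "CRM-DB-01": VM("LM-Paris", {"db"}),
    "Reports-01": VM("LM-Paris", set()),
}

# Group definitions as membership criteria; effective members are computed.
GROUPS = {
    "Web Group": lambda vm: "web" in vm.tags and vm.site == "LM-Dallas",
    "DB Group": lambda vm: "db" in vm.tags and vm.site == "LM-Paris",
}

RULES = [
    Rule("Allow Web", "any", "Web Group", ("tcp", 80), "allow"),
    Rule("Allow Web to DB", "Web Group", "DB Group", ("tcp", 3306), "allow"),
]
DEFAULT_ACTION = "drop"     # assumed; the lab page does not state the default


def groups_of(endpoint):
    """Effective groups of an endpoint; unknown endpoints are in no group."""
    vm = INVENTORY.get(endpoint)
    if vm is None:
        return set()
    return {name for name, member in GROUPS.items() if member(vm)}


def matches(rule, flow):
    src_ok = rule.src == "any" or rule.src in groups_of(flow.src)
    dst_ok = rule.dst == "any" or rule.dst in groups_of(flow.dst)
    svc_ok = rule.service == ("any", None) or rule.service == (flow.proto, flow.port)
    return src_ok and dst_ok and svc_ok


def evaluate(flow):
    """First matching rule wins; otherwise the default rule applies."""
    for rule in RULES:
        if matches(rule, flow):
            return rule.name, rule.action
    return "default", DEFAULT_ACTION


def unprotected(flows):
    """Flows with no explicit rule, i.e. the red dotted lines in the topology."""
    return [f for f in flows if evaluate(f)[0] == "default"]


def recommend(flows):
    """Propose one explicit allow rule per unprotected (src, dst, service) tuple.

    Endpoints in no group are named directly so the admin sees a group is missing.
    """
    recs = {}
    for f in unprotected(flows):
        src = ",".join(sorted(groups_of(f.src))) or f.src
        dst = ",".join(sorted(groups_of(f.dst))) or f.dst
        key = (src, dst, f.proto, f.port)
        if key not in recs:
            recs[key] = Rule(f"Allow {src} to {dst} {f.proto}/{f.port}",
                             src, dst, (f.proto, f.port), "allow")
    return list(recs.values())


# Constructed flows, as NSX+ Intelligence would have discovered them.
SAMPLE_FLOWS = [
    Flow("198.51.100.23", "CRM-Web-01", "tcp", 80),
    Flow("CRM-Web-01", "CRM-DB-01", "tcp", 3306),
    Flow("CRM-Web-02", "CRM-DB-01", "tcp", 3306),
    Flow("Reports-01", "CRM-DB-01", "tcp", 3306),
    Flow("CRM-Web-01", "CRM-DB-01", "tcp", 22),
]
```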
NSX+ Network Detection and Response (NDR) provides scalable threat detection and response for workloads deployed in private and/or public clouds. The NDR correlation engine will analyze IDPS, malware, and anomaly events based on threat campaigns, which helps in preventing alert overload and simplifying SOC monitoring processes. This service provides simplified threat triage, scoping, and threat hunting aligned to the ATT&CK framework.
NSX+ NDR can:
- Deliver Network security capabilities against advanced threats running across Clouds.
- Provide scalable threat detection and response for workloads deployed in multi-cloud environment.
- Strengthen multi-cloud security by proactively detecting and responding to potential security incidents across Clouds.
- Allows you to visualize attack chains by aggregating and correlating security events such as detected intrusions, suspicious objects, and anomalous network flows. It then combines multiple detection technologies (IDS/IPS, sandboxing, and NTA) with the NDR context engine's correlation to offer an end-to-end cohesive defense running across clouds.
The full NSX+ NDR demo is available here: https://engage.vmware.com/explore2023/nsx-and-vpc-8/nsx04-ndr-demo-for-ransomware-protection?w=394bc
The security admin detected an unusual command-and-control atomic event on a Web server running in Virginia. By leveraging the NSX+ NDR campaign view, the admin observed that we detected and correlated more than just C2 activity across the environment. The attacker moved laterally from ACME_Web to ACME_DB in Virginia, followed by lateral movement to the database in Dallas. From the Dallas site, the attacker dropped malware on PROD-CRM-DB running in Dallas and finally exfiltrated data from the primary database.
MITRE ATT&CK stands for Adversarial Tactics, Techniques, and Common Knowledge. The ATT&CK framework is a curated knowledge base and model for cyber adversary behavior, reflecting the various phases of an adversary's attack lifecycle and the platforms they are known to target. VMware NSX+ NDR fully incorporates MITRE ATT&CK into the solution. The threat actors start moving laterally and attempt to reach the CRM database in SDDC Paris to exfiltrate data and deploy ransomware.
The ACME SOC team can triage the campaigns based on the severity and impact to our applications.
The CRM app database needs to be protected because of the sensitive sales data it contains. We see here an attempt to exfiltrate data from the CRM database.
The ACME SOC team can also analyze the IDS/IPS logs and alarms across sites to construct a timeline of the attack and root-cause the initial event.
In this case one key event was the exploitation of a vulnerability that allowed remote code execution on the Chicago site. The ACME security team can now remediate quickly by switching the specific IDS signature to blocking mode on all the vulnerable servers, preventing further exploit attempts.
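As an added example (not NSX+ NDR's engine), this Python shows the correlation step the campaign view relies on: atomic IDPS, sandbox and anomaly events that share a host within a time window are linked into one campaign, which is then ranked by the furthest ATT&CK tactic reached so the SOC can triage by severity. The host names follow the lab story; timestamps, detectors, addresses and the unrelated noise event are constructed.

```python
"""Correlate atomic NDR events into campaigns for triage.

This is an added example, not NSX+ NDR code. It models the lab narrative:
atomic IDPS, sandbox and anomaly events on different hosts are linked when
they share a host within a time window, each connected set becomes one
campaign, and the campaign is ranked by the furthest ATT&CK tactic reached.
Host names follow the lab story; timestamps, detectors, addresses and the
unrelated noise event are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Tactics in rough kill-chain order; the index is used as a progress score.
TACTIC_ORDER = ["Initial Access", "Execution", "Command and Control",
                "Lateral Movement", "Collection", "Exfiltration", "Impact"]


@dataclass(frozen=True)
class Event:
    ts: datetime
    detector: str           # "IDPS", "Sandbox" or "NTA"
    tactic: str
    src: str
    dst: Optional[str]      # None for host-local events such as a file detonation

    def hosts(self):
        return {h for h in (self.src, self.dst) if h}


def linked(a, b, window):
    """Two events belong together if they share a host within the window."""
    return bool(a.hosts() & b.hosts()) and abs(a.ts - b.ts) <= window


def severity(stage):
    if stage >= TACTIC_ORDER.index("Exfiltration"):
        return "critical"
    if stage >= TACTIC_ORDER.index("Lateral Movement"):
        return "high"
    return "medium"


def summarize(chain):
    """Timeline plus the furthest tactic reached, used for triage ordering."""
    stage = max(TACTIC_ORDER.index(e.tactic) for e in chain)
    return {
        "hosts": sorted({h for e in chain for h in e.hosts()}),
        "timeline": [(e.ts.isoformat(timespec="minutes"), e.detector, e.tactic,
                      e.src, e.dst) for e in chain],
        "furthest_tactic": TACTIC_ORDER[stage],
        "severity": severity(stage),
    }


def correlate(events, window=timedelta(hours=48)):
    """Campaigns = connected components of the event link graph (union-find)."""
    events = sorted(events, key=lambda e: e.ts)
    parent = list(range(len(events)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    for i in range(len(events)):
        for j in range(i + 1, len(events)):
            if linked(events[i], events[j], window):
                parent[find(j)] = find(i)
    chains = {}
    for i, e in enumerate(events):
        chains.setdefault(find(i), []).append(e)
    campaigns = [summarize(c) for c in chains.values()]
    # Triage order: most advanced campaign first, then earliest start.
    campaigns.sort(key=lambda c: (-TACTIC_ORDER.index(c["furthest_tactic"]),
                                  c["timeline"][0][0]))
    return campaigns


T0 = datetime(2023, 9, 1, 8, 0)          # constructed start time
SAMPLE_EVENTS = [
    Event(T0, "IDPS", "Command and Control", "ACME_Web", "203.0.113.10"),
    Event(T0 + timedelta(hours=1), "NTA", "Lateral Movement", "ACME_Web", "ACME_DB"),
    Event(T0 + timedelta(hours=3), "NTA", "Lateral Movement", "ACME_DB", "PROD-CRM-DB"),
    Event(T0 + timedelta(hours=4), "Sandbox", "Execution", "PROD-CRM-DB", None),
    Event(T0 + timedelta(hours=6), "IDPS", "Exfiltration", "PROD-CRM-DB", "198.51.100.7"),
    Event(T0 + timedelta(days=10), "IDPS", "Initial Access", "192.0.2.44", "Kiosk-07"),
]

if __name__ == "__main__":
    for c in correlate(SAMPLE_EVENTS):
        print(c["severity"], c["furthest_tactic"], c["hosts"])
```

Six atomic alerts collapse into two campaigns, and shrinking the window shows how a too-tight correlation setting fragments the same chain back into separate alerts.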
Threat actors lurk undetected for over 9 months, using your binaries, ports, and protocols to target users and applications to ransom data. This is the end state without visibility…
With VMware, you have visibility into every packet, process and application across the entire ransomware attack chain, from the workloads, through the networks, to recovery. Let me show you how we see it.
Correlated campaigns provide timelines of the threat actor's attack chain. NSX+ NDR has network visibility into the initial access, a drive-by download on the developer VDI of the ACME app.
However, once in, threat actors leverage your internal network and live off your protocols. The threat actor discovers the bastion host and takes a few hops laterally, across sites, landing on the Order/Checkout workload.
NSX can detect lateral movement within the same cluster or across multiple sites without the need to span or hairpin traffic. A top protocol for threat actors' lateral movement is Remote Desktop Protocol (RDP). Through RDP from Paris, the threat actor logged in, just like an administrator, to the DBs in LM-Dallas and LM-Paris. Once there, they enumerate, find a remote code execution vulnerability, exploit the production ACME payment workload and gain root access. This enables the installation of ransomware and ransomware command-and-control communications. Ransom of data is the goal.
NSX+ NDR has visibility of the lateral exploit and of the threat actor's communications. There is no silver bullet in security. A strong ransomware defense includes detection, prevention and recovery measures.
To summarize NSX+ NDR: the goal is to use NSX+ NDR to prevent lateral movement, and the solution includes push-button VM network isolation capabilities based on NSX. This prevents reinfection of the production environment and helps expose dormant ransomware.
NSX+ is the evolution of NSX: we now deliver NSX+ Policy Management, Intelligence, NDR, and Advanced Load Balancing so you can achieve consistent policies, unified visibility, stronger lateral security, and simpler operations, all centrally managed from a single cloud console that gives you full control while allowing your applications to run on the cloud that best fits their needs.
Deploying NSX+ Intelligence across clouds and implementing NSX+ NDR ensures enhanced visibility, consistent security policies, efficient network management, rapid threat detection, and Multi-Cloud flexibility, thereby bolstering the overall security and performance of your network infrastructure.
NSX+ now works with your On-Premise NSX and VMware Cloud on AWS, and shortly with native public cloud environments, helping you extend these benefits to your Multi-Cloud environments. Truly centralized, end-to-end management is achievable with NSX+, which makes the true cloud operating model attainable through a distributed, scale-out software architecture.