NSX+ SaaS-based Multi-Cloud Networking and Security Lab Guide PMaaS

Introduction to VMware NSX+: This is a new NSX offering that allows customers to transition to a SaaS-based Multi-Cloud operating model for networking, security, and advanced load balancing. It is a SaaS-based Multi-Cloud networking and security solution delivered as a service, offering Centralized Policy Management, NSX Intelligence, and Network Detection and Response (NDR) for both networking and security across multiple cloud environments (Private and Public Clouds).

With this new NSX+ lab, we demonstrate an innovative cloud operating model that ensures consistent networking and security for applications deployed in multiple cloud environments. It lets you apply consistent policies from a single pane of glass, provides end-to-end security visibility and correlation to enhance lateral security, and simplifies operations across private and public clouds, all managed centrally from a single VMware cloud console.

Demo Scenario: ACME Corp is a global company that now has the opportunity to expand its presence in various locations using different cloud platforms for its applications, including Private Clouds, VMware Clouds, and Public Clouds. However, this diversity also presents challenges, and ACME IT leaders are grappling with the following key issues:

  • Partial automation inefficiencies: siloed teams struggle with setting up security, networking, and load balancing for applications, leading to operational inefficiencies and friction between infrastructure and app owners.
  • Multi-Cloud complexity: managing multiple cloud environments lacks consistency, causing difficulties in change management, security, and issue resolution.

Solution: VMware introduces NSX+ to address these challenges with:

  • New cloud-managed service offering for our NSX network virtualization, security and advanced load balancing services that allow customers to run applications across their Multi-Cloud environments from a centralized VMware Cloud console.
  • Multi-Cloud Virtual Private Cloud (VPC) that provides full isolation of networking, security, and load balancing services to multiple tenants on a shared VMware Cloud infrastructure.
  • Enhanced security with a centralized, end-to-end management model.
NSX+: Key Messaging

VMware NSX+ is a new NSX offering that allows customers to transition to a SaaS-based Multi-Cloud operating model for networking, security, and advanced load balancing. NSX delivers: 

1. Consistent Multi-Cloud network operations (NSX+ Policy Management)

2. Simplified cloud consumption via a centralized cloud console to manage On-Premises and cloud network infrastructure with key Multi-Cloud capabilities (NSX+ Policy Management and VPC)

3. Comprehensive app visibility across clouds (NSX+ Intelligence)

4. Enterprise Guardrails with multi-tenancy running across multiple sites to simplify the creation and consumption of Multi-Cloud architectures and network constructs (NSX+ VPC)

5. Strong Multi-Cloud security across clouds with defense-in-depth via Network Detection and Response (NSX+ NDR)

NSX+: Key Services
NSX+: Demo Flow

For a more detailed step-by-step walkthrough, see the short storytelling demo on our NSX+ Techzone: https://nsx.techzone.vmware.com/end-end-demo-showcase-nsx

Section 1: Before You Begin

1.1 Access to the Lab

To login to the environment, perform the following steps:

  • First, open a web browser of your choice (Incognito recommended) and navigate to vmtestdrive.com. Select LOG IN.
  • If you are signing in for the first time and do not have a TestDrive account, click GET STARTED and follow the instructions for creating your TestDrive portal account. See this guide.
  • Enter your TestDrive Username and Password and select ENTER.
  • Click on Intrinsic Security. Locate the VMware NSX+ Basic Lab(PMaaS) and click Launch. 

*In case of long idle or disconnected session, please log-out from the upper-right corner and re-login to Launch a new Horizon desktop or switch to Incognito browser instead of Chrome/Firefox. 

  • A new tab will open with Workspace ONE. Enter your TestDrive Username and Password, then click Sign in.
  • Note: Please provide the short username (not your email ID) and password to login.
  • Click on Apps(1) section and search for the NSX+(2) desktop and launch the desktop(3).

NSX+ desktop is loaded. At this point you can begin the walk-through steps listed in the next section.

  • Click on Lab guide Chrome icon (1) before opening the NSX+ console. Wait for the lab guide to fully open.
  • Click on NSX+ icon(2) only after the lab guide is opened completely.
1.2 Access to NSX+ Instance

For the benefit of all users, we kindly ask that you use the lab responsibly. Please do not delete any object or make any change to the license or subscription that could potentially disrupt this shared NSX+ lab environment.

  • The automatic login process will handle the login procedure without any need for manual intervention. Please don't press any keys until the login process is finished and you are logged into the VMware Cloud Services portal.
  • Organization must be "Global Platform Engineering"(1) under the user name.
  • Click on NSX+ "LAUNCH SERVICE (2)" to open the NSX+ Instance.
1.3 NSX+ Prerequisites

If you plan to onboard your On-Premise NSX Manager/ NSX Local Manager, make sure the following prerequisites are satisfied.

  • On-Premise NSX Manager must be of version 4.1.1+.
  • A vSphere+ subscription.
  • Supported vCenter Server version is 8.0+.
  • Latest VMware Cloud Gateway version.
  • The minimum form factor of an On-Premise NSX Manager to be onboarded to an NSX+ instance is a Large node, with the subscriptions below:

      1. NSX+ Policy Management

      2. NSX+ Intelligence

      3. NSX+ NDR

1.4 NSX+ Workflow
  • Purchase NSX+ Subscription: VMware NSX+ is subscription-based software. No software installation is needed, and no license key is used to activate the software. You buy VMware NSX+ directly from the VMware Sales team.
  • Receive an email to add NSX+ service to your organization: After buying the NSX+ service, VMware sends you a service welcome email that has a unique service activation link. Use this link and follow the on-screen prompts to apply an NSX+ subscription.
  • Download, Install and Configure VMware Cloud Gateway: VMware Cloud Gateway is a secure gateway between the On-Premise NSX Local Manager and NSX+. It allows you to onboard and off-board your NSX Local Manager to NSX+ Instance.
  • Launch the NSX+ Service: Assign an adequate NSX+ service role in order to work in the NSX+ UI.
  • Onboard an NSX+ Instance: An NSX+ instance defines a logical grouping for the managed sites hosted in a region. Once this is defined you can onboard sites to your instance.  
1.5 NSX+ Policy Management Lab Topology

In this lab, we have deployed two On-Premise NSX Local Managers at separate locations, LM-Dallas and LM-Paris. The two sites are onboarded to NSX+. By using NSX+, we can easily accomplish simplified cloud consumption while ensuring that applications deployed across LM-Dallas and LM-Paris benefit from enhanced availability, consistency, and security.

Section 2: Simplified Multi-Cloud consumption and Consistent Operations with NSX+ Policy Management

NSX+ Policy Management speeds up deployment of applications and network infrastructure across private, public, and sovereign clouds through on-demand access to consistent network and security policies and automation deployed from a centralized SaaS console. NSX+ Policy Management provides cross-cloud network operations with comprehensive visibility, allowing customers to achieve agility and cost efficiency in multi-cloud environments.

2.1 NSX+ Policy Management Demo scenario

Centralized Policy Management with NSX+: In this session, you will be able to manage networking and security policies centrally across all your clouds. NSX+ provides consistent networking and security controls and policies across Multi-Site and multi-region deployments.

In this demo, we will illustrate how you can use NSX+ Policy Management to seamlessly scale a CRM application from the On-Premise site LM-Dallas to the LM-Paris site. We have onboarded two sites (LM-Dallas, LM-Paris) to NSX+. The DB workload of the CRM application has to be scaled to the LM-Paris site to enhance application performance and scalability. With NSX+ Policy Management we will apply consistent security policies across clouds through a centralized cloud console.

For the benefit of all users, we kindly ask that you use the lab responsibly. Please do not delete any object or make any change to the license or subscription that could potentially disrupt this shared NSX+ lab environment.

ACME Corporation operates its PROD-CRM application across two sites: the primary site located at their headquarters in LM-Dallas, the secondary site situated in LM-Paris. To ensure consistency and keep the CRM databases up to date across both locations, ACME’s team has a plan to scale the CRM database to LM-Paris site to enhance the service availability across clouds.

By leveraging NSX+, ACME Corporation can now easily achieve its goal of simplifying cloud consumption with high availability, consistency, and security for its application across both the Dallas and Paris sites.

The following lab flow will walk you through how to navigate this scenario using the Capabilities of NSX+ Policy Management.

2.2 Central Management of Networking Multi-Sites
2.2.1 NSX+ Provider Creation
  • NSX+ allows you to view networking objects that have been created locally in the NSX Local Managers. This lets you centrally monitor and manage networking resources across sites from the NSX+ cloud console. Click on each site to view the Tier-0 Gateways created from the NSX Local Managers.
  • Your first step is to inspect the Tier-0 Gateways created in each On-Premise site by navigating to each individual site. In each On-Premise site we have a Tier-0 Gateway configured, which enables external connectivity for the network segments in the environment.
  • Click on Global (1).
  • Click on ACME_instance (2).
  • In the ACME_instance, navigate to Networking (1).
  • Click on the View (1) tab. It lists the sites on-boarded to NSX+. In the following steps we will inspect the Tier-0 Gateways created in LM-Dallas and LM-Paris NSX local managers.
  • To view the Tier-0 Gateway that is set up specifically in LM-Dallas, click on "LM-Dallas Site." Then, click (1) to open up T0-GW-Dallas-01. You will notice that any networking items created using NSX Local Manager have an icon next to them that shows the name of the local site where they were created.
  • Repeat the previous step, changing the site from LM-Dallas to LM-Paris. To do this, click on the "View"(2) tab to change the site to LM-Paris.
2.2.2 NSX+ Networking Tenant creation

In our lab setup, we've set up one Tier-1 Gateway in LM-Dallas and LM-Paris using NSX+. For each of these Tier-1 gateways, we've chosen the corresponding Tier-0 Gateway that matches its location. Additionally, we've turned on the "All connected segments and service ports" in Route Advertisement.

  • Select "Tier-1 Gateways"(1). You'll notice that there is one Tier-1 Gateway created for each location from NSX+, which is indicated by the NSX+ icon next to these objects.
  • Expand each Tier-1 Gateway (2)(3) and observe the Linked Tier-0 Gateway and Location details of Tier-1 Gateways.
2.2.3 NSX+ Segment Creation
  • We have created the Web-Dallas segment in the LM-Dallas location and the DB-Paris segment in LM-Paris. The Web virtual machine in Dallas is connected to the Web-Dallas segment, and the DB VM in Paris is connected to the DB-Paris segment.
2.3 Central Management of Inventory Multi-Sites

We've created two inventory groups, one for the Web group and the other for the DB group. The Web VMs in the Dallas site are members of the Web Group, while the DB VMs in the Paris site belong to the DB Group. The inventory groups we set up will be included in the Distributed Firewall Rules that we have configured for the CRM application.

  • Click on Security (1) and Click on Groups (2) under Inventory.
  • Click on View Members(3).

The CRM-Web-01 VM deployed in the LM-Dallas site is part of the Web group. Click on close(3).

Click on View Members(1).

The CRM-DB-01 VM deployed in the LM-Paris site is part of the DB group. Click on close(3). We will proceed to configure the Distributed Firewall rules across multi-sites to secure the CRM application.

  • Change the View from LM-Dallas to LM-Paris(1) to see the members of the group.
  • Click on close(2).
2.4 Central Management of Security Multi-Sites

After creating networking and inventory groups, the next step is to secure the CRM application VMs. To achieve this, we have implemented Global Distributed Firewall policies across the two sites.

  • Click on Distributed Firewall (1) under Policy Management to view the Global policies configured under "APPLICATION".
  • We have configured the Distributed Firewall Rules to micro-segment the Two-Tier application.
  • "Allow Web rule" permits the HTTP connections from any source to Web VMs in On-Premise (LM-Dallas).
  • "Allow Web to DB" rule permits traffic from Web server in LM-Dallas to the Database server in LM-Paris.
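
The two rules above, modelled as a first-match rule set and checked against the flows the two-tier design is meant to allow or block. This is an added example, not code from the lab or from NSX+; the IP addresses, TCP port 3306 for the database rule, and the catch-all action are assumptions the guide does not state.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed inventory: group and VM names are from the lab guide,
# the IP addresses are invented for this example.
GROUPS = {
    "Web": {"172.16.10.11"},   # CRM-Web-01, LM-Dallas
    "DB": {"172.16.20.11"},    # CRM-DB-01, LM-Paris
}

@dataclass(frozen=True)
class Rule:
    name: str
    src: str              # group name or "ANY"
    dst: str              # group name or "ANY"
    port: Optional[int]   # TCP port, None matches any port
    action: str           # "ALLOW" or "DROP"

# The two rules described in the guide. Port 3306 for the DB rule is an
# assumption; the guide does not name the service.
POLICY = [
    Rule("Allow Web", "ANY", "Web", 80, "ALLOW"),
    Rule("Allow Web to DB", "Web", "DB", 3306, "ALLOW"),
]

def in_group(ip, group):
    """True if the address belongs to the named group ("ANY" matches all)."""
    return group == "ANY" or ip in GROUPS.get(group, set())

def decide(src_ip, dst_ip, port, rules=POLICY, default="DROP"):
    """First matching rule wins; `default` stands in for the catch-all rule."""
    for r in rules:
        if in_group(src_ip, r.src) and in_group(dst_ip, r.dst) and r.port in (None, port):
            return r.action, r.name
    return default, "catch-all"

def audit(expected, rules=POLICY, default="DROP"):
    """Return the flows whose verdict differs from what the design intends."""
    findings = []
    for (src, dst, port), want in expected.items():
        got, rule = decide(src, dst, port, rules, default)
        if got != want:
            findings.append((src, dst, port, want, got, rule))
    return findings

WEB, DB, OUTSIDE = "172.16.10.11", "172.16.20.11", "203.0.113.5"

# Intended behaviour of the two-tier design, written as test flows.
EXPECTED = {
    (OUTSIDE, WEB, 80): "ALLOW",    # clients reach the web tier
    (WEB, DB, 3306): "ALLOW",       # web tier reaches the database
    (OUTSIDE, DB, 3306): "DROP",    # database is not reachable directly
    (DB, WEB, 22): "DROP",          # no lateral SSH from DB to Web
    (WEB, DB, 22): "DROP",          # web tier limited to the DB service
}

if __name__ == "__main__":
    print("catch-all DROP :", audit(EXPECTED, default="DROP"))
    print("catch-all ALLOW:", audit(EXPECTED, default="ALLOW"))
```

Running the audit with the catch-all set to ALLOW reports three unintended flows, so the rule that sits below the two allow rules decides whether the application is actually micro-segmented. Because "Allow Web" uses source any, the DB VM can also reach the Web VMs on HTTP.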

NSX+ offers the ability to use Distributed IDS/IPS functionality across sites while creating IDS/IPS policies in a single pane of glass. NSX+ security offerings are discussed in detail in advanced lab.

  • Click on IDS/IPS (1). Change the timeline to Last 7 days (2).

Section 3: Enterprise Guardrails with Multi-tenancy and NSX+ VPC

Multi-tenancy with NSX+: NSX+ introduced the concept of Projects, a new feature that enables granular resource management for multiple tenants within NSX deployments. Projects take multi-tenancy support in NSX to the next level by delivering flexible resource allocation and management. Enterprise Admins can segment the platform into Projects, assigning different spaces to different tenants while maintaining full visibility and control. 

Virtual Private Cloud (VPC) in NSX+ refers to a logical networking construct that provides isolation and segmentation within a data center or cloud environment. It allows you to create multiple virtual networks within a single physical infrastructure, each with its own grouping/tagging, network, and security policies. With NSX+ Multi-Cloud VPC, VMware is bringing an enterprise-grade VPC construct to private clouds and extending it to multi-cloud to offer fully isolated sandboxes with security guardrails.

NSX+ VPC is an abstraction layer that simplifies setting up self-contained virtual private cloud networks within an NSX project to consume networking and security services in a self-service consumption model. NSX+ VPC hides the complexity of the underlying NSX infrastructure, network topology, networking objects, and IP address management from the application owners and offers them a self-service consumption model to run applications in their own private space.

Application owners or DevOps engineers do not need to know about the underlying NSX infrastructure for running applications within their isolated space. They can add subnets (networks) inside the NSX+ VPC that is assigned to them, and configure security policies to meet their application requirements without having any dependency on the Enterprise Admin.

3.1 NSX+ VPC Demo scenario

ACME Corp has several applications in multiple cloud environments and has various departments. They aim to create a multi tenancy where each department's application Virtual Machines run in isolated environments. Additionally, ACME Corp wants the application owners to have the ability to add their own subnets and security policies for their application.

To address this challenge, we can leverage NSX+ VPC. NSX+ VPCs operate under Projects. A project in NSX+ is similar to a tenant. By creating projects, we can isolate security and networking objects across tenants in a single NSX deployment. Project Admins can assign access to the projects for Application owners. Application owners can add subnets inside the VPC and configure security policies for their workloads. The security policies affect only the workloads within the NSX+ VPC, not those outside it.

3.2 NSX+ Projects and VPC Workflow

To set up a VPC in NSX+, you need to follow a series of steps. Here are the main steps, and we will go into detail on each step in the following sections.

  • Enterprise Admin: Creates a project called Project01-Finance in NSX+. Assigns Project Admin roles to users.
  • Project Admin: Adds an NSX+ VPC, VPC1-Finance, inside a project and defines VPC settings, such as IP assignment, DHCP configuration, edge cluster and so on.
  • Project Admin: Assigns roles to users in the NSX+ VPC.
  • Project Admin: Defines quota or limits for the number of objects that users can create within the NSX+ VPC.
  • VPC Admin or Network Admin: Adds subnets in the NSX+ VPC. Connects workloads to these subnets based on business requirements.
  • VPC Admin or Security Admin: Adds security policies in the NSX+ VPC to meet the security requirements of the workloads that are connected to the subnets in the VPC.
3.3  Multi-Tenancy with NSX+ Projects

NSX+ projects are similar to tenants. By creating projects, you can isolate security and networking objects across tenants in a single NSX+ deployment. By creating a project called Project01-Finance, ACME Corp can isolate the networking and security configurations from its other departments.

  • Click on default--ACME_instance(1).
  • We have created two projects called VPC-Site2-ACME-Fitness-Application and Project01-Finance.
  • Click on MANAGE(2).
  • Expand(1) Project01-Finance to review the project configuration. Observe each highlighted RED box to see the configuration required to create a new NSX+ project.
  • Sites: The project Project01-Finance has been created for the LM-Dallas site. The Tier-0 Gateway, Edge cluster, and External IPv4 blocks are all associated with the LM-Dallas site.
  • The associated Tier-0 Gateway, T0-GW-Dallas-01, is the gateway that the workloads in the project can use for north-south connectivity. You can select multiple gateways if required. If no gateway is selected, the workloads in the project will not have north-south connectivity.
  • An Edge Cluster is selected to associate with this project. These edge clusters can be consumed inside the project for running centralized services like NAT, Gateway Firewall and DHCP.
  • External IPv4 Blocks are available to add public subnets in the NSX+ VPCs within the project. The system will assign CIDR blocks to the public subnets in the NSX+ VPCs from these external IPv4 blocks. VPC users can also use the external IP blocks for adding NAT rules in the NSX+ VPCs.
  • Click on close(2).

In this lab workflow, we've created a VPC using the Enterprise Admin. Once a project is set up, users can be designated as Project Admins, and these Project Admins have the privilege to create NSX+ VPCs.

3.4 VPC Creation with Guardrails (Admin)
  • NSX+ VPC provides an isolated space for application owners to host applications and consume networking and security objects by using a self service consumption model.
  • We have created NSX+ VPC (VPC1-Finance) with Enterprise Admin.
  • Click(1) on drop down next to default--ACME_instance.
  • Click on Project01-Finance(2) to navigate to the project. You will be taken from the default view to the Project view.
  • A subset of NSX+ networking features is available in the Project view.
  • Click on VPCs(1) to navigate to the VPCs section.
  • We have created a VPC called VPC1-Finance under project Project01-Finance. Expand(1) the VPC to review the configuration.
  • Sites: The VPC1-Finance has been created for the LM-Dallas site.
  • IP Assignment : The external IP blocks that are assigned to the project are available for selection in the NSX+ VPC. These IPv4 blocks must be routable from outside the NSX+ VPC.
  • Private IPv4 Blocks: The IPv4 blocks that are added in the project with visibility set to Private are available for selection in the NSX+ VPC.
  • Service Settings: By default, "N-S Services" and "Default Outbound NAT" are turned on. The Default Outbound NAT option is only available when the N-S Services option is turned on for the NSX+ VPC.

When an NSX+ VPC is created successfully, the system implicitly creates a gateway. However, this implicit gateway is exposed to the Project Admin in a read-only mode and is not visible to the NSX+ VPC users.

3.5 VPC consumption by App owner (Developer)
3.5.1 NSX+ VPC Subnets Creation
  • A subnet in an NSX+ VPC represents an independent layer 2 broadcast domain. NSX+ VPC subnets are realized as overlay segments in the default transport zone of the project. A user with role VPC Admin/Network Admin can create subnets in VPC.
  • When a VPC is created successfully, the system creates default north-south and east-west firewall rules to govern the default firewall behavior for the workloads running in the NSX+ VPC.
  • N-S firewall rules are centralized rules that apply to traffic going in and out of the NSX+ VPC.
  • E-W firewall rules are distributed rules that apply to workloads running inside the NSX+ VPC.
  • Expand the "CONNECTIVITY(1)" section and click on "Subnets(2)".
  • We have created three Private subnets Web-Segment(1) , App-segment(2) , DB-Segment(3) in the VPC. By default, Automatic IP assignment is set for private and public subnets. It means that the system will assign an IPv4 CIDR for the subnet automatically. For a private subnet, the CIDR is assigned from the private IPv4 blocks of the NSX+ VPC.
  • Subnets in an NSX+ VPC are realized as overlay segments in the default transport zone of the project. An Enterprise Admin or a Project Admin can view these overlay segments from Segments under the Networking section.
  • We can start attaching virtual machines to the subnets created in NSX+ VPC by using the vSphere client.
3.5.2 NSX+ VPC Security Policies
  • Expand the "SECURITY(1)" section and click on "E-W Firewall Rules (2)".
  • We have created three E-W firewall rules for the application. All three E-W firewall rules in an NSX+ VPC have the Applied To set to DFW. Although the Applied To is set to DFW, the firewall rules are enforced only on the workload VMs that are connected to the subnets in the NSX+ VPC.

Section 4: NSX+ Conclusion

NSX+ is an evolution of NSX: we are now delivering NSX+ Policy Management, Intelligence, NDR, and Advanced Load Balancing so you can achieve consistent policies, unified visibility, stronger lateral security, and simpler operations, all centrally managed from a single cloud console that gives you full control while allowing your applications to run on the cloud that best fits their needs.

Deploying NSX+ Intelligence across clouds and implementing NSX+ NDR ensures enhanced visibility, consistent security policies, efficient network management, rapid threat detection, and Multi-Cloud flexibility, thereby bolstering the overall security and performance of your network infrastructure.

NSX+ now works with your On-Premise NSX and VMware Cloud on AWS, and shortly with native public cloud environments, helping you extend the benefits to your Multi-Cloud environments. Truly centralized, end-to-end management is achievable with NSX+, which makes the true cloud operating model attainable through a distributed, scale-out software architecture.
