Identify the components in a VMware NSX stack
NSX Manager: The NSX Manager is the centralized network management component of NSX, and is installed as a virtual appliance on any ESX™ host in your vCenter Server environment. It provides an aggregated system view. One NSX Manager maps to a single vCenter Server environment and multiple NSX Edge, vShield Endpoint, and NSX Data Security instances.
NSX vSwitch: NSX vSwitch is the software that operates in server hypervisors to form a software abstraction layer between servers and the physical network. NSX vSwitch allows you to place these virtual workloads on any available infrastructure in the datacenter regardless of the underlying physical network infrastructure. NSX vSwitch = vSphere Distributed vSwitch + Hypervisor Extension Modules
NSX Controller: The NSX Controller is an advanced distributed state management system that controls virtual networks and overlay transport tunnels. It is the central control point for all logical switches within a network and maintains information about all virtual machines, hosts, logical switches, and VXLANs. The controller does not have any data-plane traffic passing through it. Controller nodes are deployed in a cluster with an odd number of members so that a majority quorum can always be formed, which provides high availability and scale. Because the controllers are control-plane only, failure of controller nodes does not impact data-plane traffic that is already flowing.
NSX Edge: NSX Edge provides network edge security and gateway services to isolate a virtualized network. You can install an NSX Edge either as a logical (distributed) router or as a services gateway. The NSX Edge logical (distributed) router provides East-West distributed routing with tenant IP address space and data path isolation. Virtual machines or workloads that reside on the same host on different subnets can communicate with one another without having to traverse a traditional routing interface.
The NSX Edge gateway connects isolated, stub networks to shared (uplink) networks by providing common gateway services such as DHCP, VPN, NAT, dynamic routing, and Load Balancing. Common deployments of NSX Edge include in the DMZ, VPN Extranets, and multi-tenant Cloud environments where the NSX Edge creates virtual boundaries for each tenant.
Distributed Firewall: NSX Distributed Firewall is a hypervisor kernel-embedded firewall that provides visibility and control for virtualized workloads and networks. You can create access control policies based on VMware vCenter objects like datacenters and clusters, virtual machine names and tags, network constructs such as IP/VLAN/VXLAN addresses, as well as user group identity from Active Directory. Consistent access control policy is now enforced when a virtual machine gets vMotioned across physical hosts without the need to rewrite firewall rules. Since Distributed Firewall is hypervisor-embedded, it delivers close to line rate throughput to enable higher workload consolidation on physical servers. The distributed nature of the firewall provides a scale-out architecture that automatically extends firewall capacity when additional hosts are added to a datacenter.
Identify common physical network topologies
One of the key goals of network virtualization is to provide virtual-to-physical network abstraction. The physical fabric must provide a robust IP transport with the following characteristics:
- High bandwidth
- Fault tolerance
- Quality of Service (QoS)
Note: A leaf switch is typically located inside a rack and provides network access to the servers inside that rack. The terms aggregation layer and spine layer, which effectively provide connectivity between racks, refer to the location in the network that aggregates all the access (leaf) switches.
Describe a basic VMware NSX topology
Differentiate functional services delivered by a VMware NSX stack
Logical Layer 2: Enabling extension of a L2 segment / IP Subnet anywhere in the fabric irrespective of the physical network design
Distributed L3 Routing: Routing between IP subnets can be done in a logical space without traffic going out to the physical router. This routing is performed in the hypervisor kernel with minimal CPU / memory overhead. This functionality provides an optimal data-path for routing traffic within the virtual infrastructure. Similarly the NSX Edge provides a mechanism to do full dynamic route peering using OSPF, BGP, IS-IS with the physical network to enable seamless integration.
Distributed Firewall: Security enforcement is done at the kernel and VNIC level itself. This enables firewall rule enforcement in a highly scalable manner without creating bottlenecks onto physical appliances. The firewall is distributed in kernel and hence has minimal CPU overhead and can perform at line-rate.
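The Distributed Firewall described in the components section and here enforces rules that reference vCenter objects rather than addresses, so a rule set follows a VM across vMotion. As an added example that is not code from the page or from VMware, the script below builds the XML body for a DFW layer-3 section in the form accepted by the NSX-v 6.x REST API (the path /api/4.0/firewall/globalroot-0/config/layer3sections and the element names are written from memory and should be checked against the API guide for your NSX Manager version), pre-checks that the section ends with a logged deny so nothing falls through to the default section, and posts it with only the standard library. The security-group and application object ids are constructed placeholders.

```python
"""NSX-v Distributed Firewall: object-based rules with a closing deny.

Added example, not code from the page or from VMware. REST path and XML layout
follow the NSX-v 6.x DFW API from memory; verify against your API guide.
Security group / application ids are constructed placeholders.
"""
import base64
import ssl
import urllib.request
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

ObjRef = Tuple[str, str, str]  # (display name, NSX object id, NSX object type)

# Constructed sample vCenter/NSX objects (ids are placeholders, not real ones).
WEB_SG: ObjRef = ("sg-web", "securitygroup-10", "SecurityGroup")
APP_SG: ObjRef = ("sg-app", "securitygroup-11", "SecurityGroup")
HTTPS: ObjRef = ("HTTPS", "application-67", "Application")
DFW_ALL: ObjRef = ("DISTRIBUTED_FIREWALL", "DISTRIBUTED_FIREWALL", "DISTRIBUTED_FIREWALL")


def _ref(parent: ET.Element, tag: str, obj: ObjRef) -> None:
    """Append one object reference (<source>, <destination>, <service>, <appliedTo>)."""
    name, value, typ = obj
    e = ET.SubElement(parent, tag)
    ET.SubElement(e, "name").text = name
    ET.SubElement(e, "value").text = value
    ET.SubElement(e, "type").text = typ
    ET.SubElement(e, "isValid").text = "true"


def add_rule(section: ET.Element, name: str, action: str,
             sources: Optional[List[ObjRef]], destinations: Optional[List[ObjRef]],
             services: Optional[List[ObjRef]], logged: bool = True) -> ET.Element:
    """Append a rule. Omitting sources/destinations/services means 'any'.
    Rules reference objects, so the policy follows a VM across vMotion."""
    rule = ET.SubElement(section, "rule", disabled="false", logged=str(logged).lower())
    ET.SubElement(rule, "name").text = name
    ET.SubElement(rule, "action").text = action  # allow | deny | reject
    _ref(ET.SubElement(rule, "appliedToList"), "appliedTo", DFW_ALL)
    if sources:
        srcs = ET.SubElement(rule, "sources", excluded="false")
        for s in sources:
            _ref(srcs, "source", s)
    if destinations:
        dsts = ET.SubElement(rule, "destinations", excluded="false")
        for d in destinations:
            _ref(dsts, "destination", d)
    if services:
        svcs = ET.SubElement(rule, "services")
        for s in services:
            _ref(svcs, "service", s)
    ET.SubElement(rule, "direction").text = "inout"
    ET.SubElement(rule, "packetType").text = "any"
    return rule


def build_section(name: str = "three-tier-web", close: bool = True) -> bytes:
    """Whitelist web->app on HTTPS, then (if close) log-and-deny all else from the web tier."""
    section = ET.Element("section", name=name)
    add_rule(section, "web-to-app-https", "allow", [WEB_SG], [APP_SG], [HTTPS])
    if close:
        add_rule(section, "web-default-deny", "deny", [WEB_SG], None, None, logged=True)
    return ET.tostring(section, encoding="utf-8")


def rule_summary(xml_bytes: bytes) -> List[Tuple[str, str, bool]]:
    """(name, action, logged) for every rule in evaluation order (first match wins)."""
    root = ET.fromstring(xml_bytes)
    return [(r.findtext("name"), r.findtext("action"), r.get("logged") == "true")
            for r in root.findall("rule")]


def section_is_closed(xml_bytes: bytes) -> bool:
    """Pre-flight check: the section must end with a logged deny/reject rule so
    traffic matching no allow above is dropped here, not left to the default section."""
    rules = rule_summary(xml_bytes)
    return bool(rules) and rules[-1][1] in ("deny", "reject") and rules[-1][2]


def post_section(manager: str, user: str, password: str, xml_bytes: bytes,
                 cafile: str) -> int:
    """POST the section to NSX Manager over verified TLS; returns the HTTP status."""
    if not section_is_closed(xml_bytes):
        raise ValueError("refusing to push a section without a trailing logged deny")
    req = urllib.request.Request(
        f"https://{manager}/api/4.0/firewall/globalroot-0/config/layer3sections",
        data=xml_bytes, method="POST")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    req.add_header("Content-Type", "application/xml")
    ctx = ssl.create_default_context(cafile=cafile)  # trust your CA; never disable verification
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.status


if __name__ == "__main__":
    body = build_section()
    print(rule_summary(body))
    print("closed:", section_is_closed(body))
```

The trailing logged deny is the practitioner's check here: DFW rules are evaluated top to bottom with first match winning, so a section that whitelists a few flows but does not end in a deny silently defers everything else to whatever the default section allows. Posting is gated on that check, and the NSX Manager certificate is verified against a CA file you supply rather than turning verification off.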
Logical Load-balancing: Support for L4-L7 load balancing with the ability to do SSL termination
NSX Edge Services:
- Dynamic Routing
- Site-to-Site Virtual Private Network (VPN)
- L2 VPN: Provides the ability to stretch your L2 network
- SSL VPN-Plus: SSL VPN-Plus enables remote users to connect securely to private networks behind an NSX Edge gateway
- Load Balancing
- High Availability: High availability ensures an active NSX Edge on the network in case the primary NSX Edge virtual machine is unavailable
- Syslog export