Page 2 of 6

20190320 VMUG Presentation Welcome Slide

South West UK VMUG – March 2019 – VMware NSX and Micro-Segmentation from the Field

That was a blast! On Wednesday 20th March I had the pleasure of speaking at the South West UK VMUG, held at the Bristol and Bath Science Park. My biggest thanks to VMUG Leaders Jeremy Bowman, Simon Eady, Barry Coombs, and Megan Warren for such a great opportunity, and to all who attended my session. This was my first time speaking at a VMUG, and despite the nerves, I really enjoyed it.

Focusing on VMware NSX Data Centre for vSphere and, more specifically, the micro-segmentation of applications with the aid of the NSX Application Rule Manager (based around my previous article). I opted not to perform a live demo during my very first speaking slot, but instead produced a live recording, for which I walked the group through how to utilise the NSX Application Rule Manager to identify application dependencies, endpoints, and service/ports/protocols when implementing a zero-trust environment.

Continue reading → South West UK VMUG – March 2019 – VMware NSX and Micro-Segmentation from the Field

VMware NSX-T 2.4 – ‘A Landmark Release’

Today saw the release of VMware NSX-T 2.4, the latest and greatest, lauded as a ‘landmark release’ for the product.

Since its initial release in February 2017, NSX-T has focused on addressing organisational requirements to support cloud-native applications, bare metal workloads, multi-hypervisor environments, and public clouds. With the release of NSX-T 2.4, we can now add multi-clouds to the list.

NSX-T delivers security to diverse endpoints such as VMs, containers, and bare metal, as well as a range of cloud platforms and cloud native projects including Kubernetes, VMware PKS, Pivotal Application Service (PAS), and Red Hat OpenShift.

With NSX-T 2.4, VMware are able to deliver further advancements in networking, security, automation, and an ‘operational simplicity for everyone’. This includes IT admins, DevOps teams, and developers. As such, NSX-T is an enabler for customers embracing cloud-native application development, expanding use of public cloud, and those who require automation to drive agility.

Continue reading → VMware NSX-T 2.4 – ‘A Landmark Release’

South West UK VMUG – 20th March 2019

The first South West UK VMUG will be taking place on Wednesday 20th March 2019 at the Bristol and Bath Science Park, an event which also marks my first time presenting at a VMUG. No pressure, but I will be following a session by fellow vExpert, Chris Lewis (no relation).

My session will be covering VMware NSX Data Centre for vSphere (NSX-V) and, more specifically, the reality of managing a zero-trust environment for true micro-segmentation of services. NSX itself makes this fairly easy thanks to a number of tools (Application Rule Manager being just one), however, there are always a number of human variables which need to be acknowledged and identified along the way.

Continue reading → South West UK VMUG – 20th March 2019

VMware vSAN: Part 1 – Installation and Configuration

I recently had a discussion with a Twitter connection regarding the ease and simplicity in which VMware vSAN can be enabled. It is so simply in fact, that it’s probably quicker than most client application installs. Granted, this discussion assumed that all hardware was already in place, had been racked and cabled, and all hosts had been added to a pre-existing vCenter Server. But the point still stands – enabling vSAN can be completed in 10 clicks. Yup, 10. No, honest….just keep reading.

Continue reading → VMware vSAN: Part 1 – Installation and Configuration

RunNSX

VMware NSX Data Center for vSphere 6.4.4 Released

In what was a slightly quiet announcement, VMware NSX Data Center for vSphere 6.4.4 was released just two days ago on Thursday 13th December 2018. Unsure as to why this was such a hushed release as there are a number of cool items to shout about.

Other than the usual resolved issues, 6.4.4 has had a much awaited functionality update. Specifically, we are now able to manage Logical Switches, perform Edge Appliance management, Edge Services (DHCP, NAT), Edge Certificates, and Edge Grouping Objects, all from the HTML 5 vSphere Client. Until 6.4.4, these features were only available via the legacy Flex vSphere Web Client, forcing NSX administrators to jump between the two difference consoles.

Continue reading → VMware NSX Data Center for vSphere 6.4.4 Released

VMware NSX Data Centre – Application Rule Manager

With the release of VMware NSX 6.3.0 back in February 2017, we saw the introduction of the Application Rule Manager (ARM). The Application Rule Manager allows us to a) simplify the process of creating grouping objects and distributed firewall rules for the micro-segmentation of existing workloads, and b) deploy applications within a zero-trust environment with greater speed and efficiency.

Continue reading → VMware NSX Data Centre – Application Rule Manager

VMware NSX Edge Load Balancers: Part 2 – In-Line/Transparent Mode

In Part 1 we looked at the deployment of the NSX Edge load balancer in One-Armed/Proxy mode. As detailed, this flavour of NSX Edge load balancer requires nothing from its back-end server pool members, and enables us to quickly and easily add a load balancer to an existing network segment which houses a number of proposed back-end servers.

In-Line/Transparent Mode

In this second post we take a look at the alternative load balancer mode – In-Line/Transparent mode. First of all, unlike the One-Armed/Proxy mode, In-Line load balancers require two logical interfaces (LIFs); one Uplink LIF (connected to either a DLR or upstream Edge) and one Internal LIF. The Internal LIF is directly connected to the network segment housing the back-end servers requiring load-balancing. In addition to this (and unlike the One-Armed/Proxy load balancer), In-Line load balancers are required to act as the default gateway for all back-end servers.

Continue reading → VMware NSX Edge Load Balancers: Part 2 – In-Line/Transparent Mode

VMworld 2018 Europe – Customer Panel on NSX Data Center (NET3042PE)

At this year’s VMworld Europe in Barcelona I was invited to take part in a Customer Panel session which saw me detailing my story with VMware NSX Data Centre. Myself and two other panellists covered three very different use cases and stories, and I loved hearing their challenges, why they chose to implement NSX Data Centre, and of course, their implementation road-map, hurdles and successes.

Despite a few nerves, I’m quite happy with my story, and it was a load of fun! A huge thanks to all who attended the session, as well as to those who stayed behind afterwards to discuss their own NSX challenges with me (next time I might need a whiteboard). It was great speaking to you all, and I hope you all took something away from the session.

That was a blast! Thanks for having me, VMworld!

To replay the session, simply visit  Customer Panel on NSX Data Center (NET3042PE). To view the full range of on-demand videos, simply visit https://videos.vmworld.com/global/2018.

VMworld 2018 NSX Data Centre Panel - Members

VMworld Europe 2018 - Gareth Lewis

VMworld 2018 NSX Data Centre Panel - Members

VMware NSX Edge Load Balancers: Part 1 – One-Armed/Proxy Mode

Welcome to the first in a series of posts covering VMware NSX Edge load balancers. These posts will dive into the two main flavours – ‘One-Armed’ and ‘In Line’. We will cover use-cases for each option.

NSX Edge load balancers allow us to distribute incoming requests across a number of servers (aka – members) in order to achieve optimal resource utilisation, maximise throughput, minimise response time, and avoid application overload. NSX Edges allow load balancing up to Layer 7.

One-Armed/Proxy Mode

In this first post, we deploy an NSX Edge, enable the load balancer feature, and configure it in One-Armed mode (aka – Proxy, SNAT, non-transparent mode). This One-Armed/Proxy mode is the simplest of the two deployments, and utilises a single internal Logical Interface (LIF) (i.e. – it’s ‘one arm’).

This flavour of NSX Edge load balancer utilises its own IP address as the source address to send requests to back-end/member servers. The member servers see this traffic as originating from the load balancer and not the client and, as a result, all responses are sent directly to the load balancer. So, nice and simple, and this is usually my go-to solution where I have a requirement to load balance across a number of member servers for resilience.

Topology

In this article we have a basic topology consisting of a NSX Edge load balancer (LB-101-10-WEB / 10.101.10.100) and two back-end/Member servers (101-10-WEB01 / 10.101.10.11 and 101-10-WEB02 / 10.101.10.12), all of which are housed on the same Logical Switch (10.101.10.0/24).

Configure NSX One-Armed Load Balancer
NSX Edge Load Balancers: Part 1 – One-Armed/Proxy Mode

Note, this article assumes your Logical Switches are already in play, traffic is able to route directly to each of the back-end servers, and you have created the necessary NSX Distributed Firewall rules. In this example, I will be configuring the NSX Edge load balancer to pass HTTP traffic to the back-end/Member servers.

NSX Edge – Deployment

1. Create a new NSX Edge Services Gateway. Note, for my lab environment I will not enable High Availability. When ready, click Next.

Configure VMware NSX One-Armed Load Balancer

2.Configure the CLI credentials and click Next.

Configure VMware NSX One-Armed Load Balancer

3. Configure the appliance size and resources. Again, for lab purposes, the Compact appliance size is appropriate. When ready, click Next.Configure VMware NSX One-Armed Load Balancer

4. Next up, we need to configure a single (one-armed) interface. Click the + button to begin.

Configure VMware NSX One-Armed Load Balancer

5. Give the interface a name, select Internal, and connect it to the same Logical Switch which houses both back-end web servers. Assign a primary IP address (this will be used as the load balancer’s virtual IP address) and, when ready, click OK.

Note – 10.101.10.100 has been assigned to the internal LIF and will be utilised in a future step as the virtual IP address of our new application pool. Additional/secondary IP addresses can be added and assigned to additional application pools (more on this on a later step), meaning one load balancer is capable of load balancing multiple applications.

Configure VMware NSX One-Armed Load Balancer

6. Confirm the configuration and click Next.

Configure VMware NSX One-Armed Load Balancer

7. As the NSX Edge will not have an Uplink LIF, we will not be able to configure a default gateway. Click Next.

Configure VMware NSX One-Armed Load Balancer

8. For lab purposes, I will not configure any firewall policies. Also, as we are not deploying the appliance in HA mode, all HA parameters will be greyed-out. Click Next.

Configure VMware NSX One-Armed Load Balancer

9. Confirm the NSX Edge configuration, and click Finish to deploy.

Configure VMware NSX One-Armed Load Balancer

NSX Edge – Routing

Here in Lab World, I don’t have OSPF/BGP configured, so we’ll create a static route to enable traffic to flow upstream. Looking at the topology a little more closely, you’ll note the NSX Edge load balancer has a next hop of 10.101.10.254 (the internal LIF of the DLR ).

Configure VMware NSX One-Armed Load Balancer
Configure a VMware NSX Edge Static Route

To configure the static route, simply jump into the configuration console of the newly created NSX Edge, browse to Manage > Routing > Static Routes, and click +. Configure accordingly and click OK.

Configure VMware NSX One-Armed Load Balancer

NSX Edge – One-Armed Load Balancer Configuration

Now that our new NSX Edge has been deployed, we will enable the load balancer feature and configure in One-Armed/Proxy Mode.

1. Browse to Manage > Load Balancer > Global Configuration and click Edit.

Configure VMware NSX One-Armed Load Balancer

2. Ensure Enable Load Balancer is ticked, and click OK.

Configure VMware NSX One-Armed Load Balancer

3. Browse to Manager > Load Balancer > Application Profiles and click +.

Application Profiles – An Application Profile is used to define the behaviour of a particular type of network traffic, and is associated with a virtual server (virtual IP address). The virtual server then processes traffic according to the values specified in the Application Profile. This allows us to perform traffic management tasks with greater ease and efficiency.

Configure VMware NSX One-Armed Load Balancer

4. As mentioned at the start of this post, we are only interested in load balancing for resilience. As such (and as detailed below), we will set the Application Profile Type to TCP.

Configure VMware NSX One-Armed Load Balancer

5. Confirm creation of the new Application Profile.

Configure VMware NSX One-Armed Load Balancer

6. Browse to Manager > Load Balancer > Pools and click +.

Pools – A Pool is simply a group of back-end servers (aka, Members), and is configured with a load-balancing distribution method/algorithm. A service monitor (optional) can also be configured and, as this suggests, is used to perform health checks on its Members.

Configure VMware NSX One-Armed Load Balancer

7. Give your new Pool a Name, Description, choose its distribution method/Algorithm, and Monitors.

Configure VMware NSX One-Armed Load Balancer

8. When ready, click + to add your back-end/member servers. For this either click Select to choose a vSphere Object, or simply type the destination’s IP address.

Configure VMware NSX One-Armed Load Balancer

9. Define the Port (in this instance I am load-balancing HTTP/80 traffic), as well as the Monitor Port (here I use port 80 again). When done, click OK.

Configure VMware NSX One-Armed Load Balancer

10. Confirm your configuration by clicking OK.

Configure VMware NSX One-Armed Load Balancer

11. Confirm creation of the new Pool.

Configure VMware NSX One-Armed Load Balancer

12. Check your newly created Pool’s health status by clicking Show Pool Statistics. The Status of both the Pool and it’s Members should show UP.

Configure VMware NSX One-Armed Load Balancer

13. Browse to Virtual Servers and click +.

Configure VMware NSX One-Armed Load Balancer

14. From the Application Profile drop-down menu, select the recently created Application Profile, give the Virtual Server a Name and Description, and click Select IP Address to select the IP address which we allocated to the internal LIF when we created the load balancer.

Configure VMware NSX One-Armed Load Balancer

15. Lastly, set the Protocol to TCP, Port/Port Range to 80, and set the the Default Pool to the pool we created in step 6.

Configure VMware NSX One-Armed Load Balancer

16. Confirm creation of the new Virtual Server.

Configure VMware NSX One-Armed Load Balancer

17. Finally, browse to the Virtual Server IP address to confirm load-balancing to each of the Pool Members is successful. In the below screenshot, traffic is routed to the VM, 101-10-WEB01.

Configure VMware NSX One-Armed Load Balancer

18. After Refreshing the browser, I am directed to 101-10-WEB02.

Configure VMware NSX One-Armed Load Balancer

Conclusion

In the next post we’ll cover the second flavour of NSX Edge load balancer, In-Line mode (aka, Transparent mode) and, in future posts, we’ll look at use cases for both, as well as troubleshooting tips.