NSX-T: VMware’s Networking Solution for Modern, Multicloud Applications

VMware has played a pivotal role in helping transform the data center by virtualizing compute. The company has also been doing the same with network virtualization.
VMware’s network virtualization platform, called NSX, creates network services like routing, load balancing, firewalling and more. All of it is done in software that can be implemented on any underlying infrastructure as long as it does IP transfer. At a higher level, VMware has essentially decoupled NSX from the underlying physical infrastructure — the product’s key differentiator.
“As a result, we could bring the same networking and security services across different environments and manage them through a single pane of glass,” said Suresh Thiru, senior director, product management at VMware. “This is applicable for east-west traffic and north-south traffic between containers and between pods. NSX can do micro-segmentation at the coarse level and at a granular level.”
Another important differentiator is seamless connectivity between containers and the rest of the data center applications and services. This is accomplished by dynamically provisioning logical routers and peering with physical networks as containers are created.
“Whatever tools that customers use today for IT operations and management, they can continue to use the same tools for both VMs and containers and even bare metal. The same tools could be extended to cloud. No changes are needed,” said Thiru.
NSX for vSphere (“NSX-V”) and NSX-T
VMware has two products in the NSX family: NSX for vSphere and NSX-T. Each has a totally different code base and caters to a different use case. NSX-V has been around for more than four years. It’s very much tied to vSphere and VMware infrastructure. It provides networking services to applications running on vSphere. But with the advent of Containers as a Service (CaaS), Platform as a Service (PaaS) and public cloud, many workloads are no longer running in VMs.
“We are at the cusp of the next stage of our journey where applications are starting to run on environments outside of virtual machines,” said Sai Chaitanya, NSX product line manager at VMware. “These could be containers or applications running outside the vSphere on a public cloud. That’s where NSX-T comes in.”
VMware has been working on NSX-T for more than two years now. It’s a single networking platform that’s implemented in software to connect any type of application. It could be a virtual machine, containers or bare metal; it could be running on private or public cloud. “A single network, single abstraction and single way of managing policies — that’s the fundamental value of NSX-T,” said Chaitanya.
“With NSX-T, we are moving towards the second stage of our journey to support endpoints or applications and PaaS frameworks,” said Thiru. “We have decoupled NSX-T from vCenter. NSX-T is a standalone solution that can support vCenter, vSphere enrollment, KVM, public cloud, containers; it can also be integrated with application frameworks like Red Hat OpenShift and Pivotal.”
NSX-T Ensures App Connectivity and Access in Containers
NSX-T provides seamless connectivity and security services for all types of endpoints — virtual machines, containers and bare metal — regardless of where these endpoints are. It could be in a data center, remote office, branch office or in the cloud. The same policies can be applied and managed through a central manager.
NSX-T has IP Address Management (IPAM) capabilities and it’s primarily driven by integration with IaaS environments like OpenStack and container environments. It doesn’t support DNS yet.
In terms of establishing connectivity, it is done through network overlay. “It’s a faithful reproduction of networking, just like the way you had a LAN segment primarily based on VLAN technology. We just happen to be using Geneve as the network virtualization overlay protocol,” said Chaitanya.
NSX-T is fully compatible with CNI (Container Networking Interface) and it integrates with CNI to gain the ability to do networking with containers. “In addition to CNI, it also implements network policies and load balancing,” said Chaitanya. “So it’s a one-stop API required to bring up the application right from IPAM to L2/L3 connectivity to security for policies and load balancing.”
It seamlessly integrates with the rest of the data center infrastructure. “Even if someone has built an application which is running in Kubernetes, it might still need a database service or some other service that would still reside in the traditional infrastructure,” said Thiru. “NSX-T ensures that the application has the appropriate connectivity and access to those services.”
But Kubernetes has its own policies, so how does NSX-T work with them? Kubernetes network policies are only a definition of intent; they are not an implementation of the policies. You still need an adapter, like NSX-T, to realize the intended state of these policies.
NSX-T takes that intent definition and translates it to things like a stateful firewall implementation on a per Kubernetes pod basis. So the stateful firewall gets implemented wherever that Kubernetes pod is running.
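What such an adapter does with the intent, as an added illustration (not NSX-T code or its API): the constructed manifest and pod inventory below are compiled into an ordered rule table for each pod the policy selects. It covers only ingress rules that name both peers and ports, with `matchLabels` selectors in the policy's own namespace; the names `compile_ingress` and `matches` are hypothetical.

```python
"""Added illustration: turn Kubernetes NetworkPolicy intent into per-pod rules."""

# Constructed sample: a NetworkPolicy manifest as a dict (ingress only,
# matchLabels only, peers in the policy's own namespace).
POLICY = {
    "metadata": {"name": "db-from-api", "namespace": "shop"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "db"}},
        "policyTypes": ["Ingress"],
        "ingress": [{
            "from": [{"podSelector": {"matchLabels": {"app": "api"}}}],
            "ports": [{"protocol": "TCP", "port": 5432}],
        }],
    },
}

# Constructed pod inventory, as an adapter would learn it from the API server.
PODS = [
    {"name": "db-0", "namespace": "shop", "ip": "10.1.0.10", "labels": {"app": "db"}},
    {"name": "api-1", "namespace": "shop", "ip": "10.1.0.21", "labels": {"app": "api"}},
    {"name": "api-2", "namespace": "shop", "ip": "10.1.0.22", "labels": {"app": "api"}},
    {"name": "web-1", "namespace": "shop", "ip": "10.1.0.30", "labels": {"app": "web"}},
    {"name": "api-x", "namespace": "dev", "ip": "10.2.0.5", "labels": {"app": "api"}},
]


def matches(selector, pod):
    """An empty matchLabels selects every pod; otherwise all labels must match."""
    wanted = selector.get("matchLabels", {})
    return all(pod["labels"].get(k) == v for k, v in wanted.items())


def compile_ingress(policy, pods):
    """Return {pod name: ordered rule list} for each pod the policy isolates.

    Assumption: every ingress rule names both 'from' peers and 'ports'.
    """
    ns = policy["metadata"]["namespace"]
    local = [p for p in pods if p["namespace"] == ns]
    rules = []
    for rule in policy["spec"].get("ingress", []):
        for peer in rule.get("from", []):
            for src in (p for p in local if matches(peer["podSelector"], p)):
                for port in rule.get("ports", []):
                    rules.append(("allow", src["ip"], port["protocol"], port["port"]))
    # Stateful semantics: replies to allowed connections pass, all else is dropped.
    table = [("allow-established",)] + sorted(rules) + [("drop",)]
    return {p["name"]: table for p in local
            if matches(policy["spec"]["podSelector"], p)}
```

The `api-x` pod carries the right label but sits in another namespace, so it gets no allow rule; only the selected `db-0` pod receives a table, and every other pod stays unfiltered by this policy.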
“There are vendors that say ‘we implement Kubernetes policies.’ That’s great, but in our experience, applying policy is a base requirement. There is a significant amount of tooling required around monitoring the policy,” said Chaitanya. “That’s where we bring all of this operational expertise that VMware has with enterprise customers. We bring operational tools around things like monitoring Kubernetes networking policies — it could be firewall, Syslog, dashboard or other tools. So there’s a huge amount of tooling built around monitoring the security policy, we make it easier so you can run an application in production.”
VMware does provide its own dashboards and visualization, but customers can use any third-party tools through seamless NSX-T integration.
Which NSX to Choose?
It’s quite clear that NSX-V and NSX-T are two different beasts. One is tied to the VMware ecosystem and the other is not. But if a customer is using a VMware solution, how should they decide between NSX-T and NSX-V? It really depends on the use case and where it is running.
If a customer has a virtualized application in a data center and their only requirement is to create network virtualization for existing applications, then Thiru would recommend NSX-V. Chaitanya concurs: “It has many features tightly integrated with vSphere that would benefit the user a lot.”
But if the same customer, running a classical application on vSphere, says they are planning to build modern applications based on Pivotal Cloud Foundry or OpenShift, then Thiru would point them to NSX-T. “It can support vSphere enrollments, but if you want to move to the cloud, you can extend the same NSX-T to cloud,” said Thiru. “Our customers choose NSX-T if they have multiple hypervisors, cloud and container needs.”
It boils down to which stage customers are in on their journey toward modern applications and public cloud deployments. The moment you hear modern applications, NSX-T is the answer.
NSX, like any other networking product, supports many distributed services such as logical switching, routing, firewall, load balancing, NAT… the list goes on and on. “We also integrate with third-party security services such as Palo Alto Firewall and Checkpoint Firewall, to name a few,” said Thiru.
NSX-T integrates well with Kubernetes, VMware Pivotal Container Service (PKS), OpenShift and EC2 networking. The only orchestrator it’s not yet integrated with is Docker Swarm, but if there is enough demand, that is a possibility.
“We’ve built our architecture in such a way that we can keep adding adapters for different container orchestrators and the PaaS framework,” said Thiru. “So the data plane remains the same, control plane remains the same.”
At its core, NSX-T is a single networking platform that connects all types of applications and is ubiquitously available in all environments. It’s the choice to make for modern, multicloud-based applications.