vSphere 7.0 has brought a fundamental change – not only in how the platform is built but also how the resources that are run on top are managed, in the form of native integration of Kubernetes. Being an integral part of the platform, the underlying networking also had to be adapted accordingly and NSX 3.0 is the result of it.
In this post, I’ll talk about what’s new in NSX 3.0. Being a major release, there are so many changes that make it impossible to cover them all. However, I’ll talk about the ones that I think are the most important that you should know about.
NSX Federation
NSX has supported both on-premises and the various public clouds for a while now and policy options are broadly consistent too. However, as the various types of deployment and the number of sites increase, it becomes increasingly difficult to maintain and enforce policy configuration between them.
NSX Federation provides the option to have a global manager to configure and enforce policy configurations between all deployments. As it stands, it supports on-premises NSX as well as NSX Cloud. Support for VMware Cloud on AWS is coming soon.
Thanks to other enhancements in this version, such as Tier-0/Tier-1 gateways stretched across sites, recovering from the loss of a site becomes as simple and quick as making the secondary site's Local Manager and its stretched T0/T1 gateways active, either manually or through automation. Once that is done, you restore your workloads as per your normal DR process.
Note that the Global Manager is an additional management plane on top of your existing Local Managers and should be deployed redundantly, as you would any other piece of infrastructure; for mission-critical environments that investment is a no-brainer. Once it is in place, you also need to allow (and can control) the communication between the Global Manager and each Local Manager, and between Local Managers, as that is the channel over which configuration is synchronised for failover.
I think this is a brilliant addition to NSX’s capabilities and will make configuration, operations and disaster recovery much simpler, especially with large-scale deployments.
VRF Lite
VRF (Virtual Routing and Forwarding) allows a single networking device to manage multiple routing tables in order to forward traffic between the various networks accordingly.
In NSX 3.0, a Tier-0 gateway can host multiple VRFs, up to 100 of them. This is especially important for service providers, who can isolate tenants from each other using this feature.
All the features you would expect, such as NAT and the edge (gateway) firewall, are available per VRF, so service providers can drastically reduce the number of edge devices they have to manage. Keep in mind that the isolation is at the routing-table level: all VRFs share the parent Tier-0's edge cluster, so size that cluster for the aggregate tenant load.
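To make the VRF Lite model concrete, here is an added example (not code from the original post or from VMware) that builds the NSX-T Policy API payloads for one parent Tier-0 and one VRF gateway per tenant, and enforces the limits that matter when many tenants share one edge: the 100-VRF ceiling quoted above, unique tenant ids, and no tenant id clashing with the parent. It assumes the Policy API layout as I know it from NSX-T 3.x (PATCH /policy/api/v1/infra/tier-0s/<id>, with vrf_config.tier0_path pointing at the parent gateway); field names should be verified against the API guide for your build. The manager address, edge cluster path and tenant names are constructed sample values.

```python
import base64
import json
import re
import ssl
import urllib.request

# Limit stated in the post: up to 100 VRFs on one Tier-0 in NSX-T 3.0.
MAX_VRFS_PER_TIER0 = 100
# Assumed id charset: keep ids URL-safe so they can be embedded in the path.
_ID_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]{0,254}$")
API_BASE = "/policy/api/v1"


def _check_id(obj_id):
    """Reject ids that could escape the URL path or collide oddly."""
    if not _ID_RE.match(obj_id):
        raise ValueError(f"unsafe object id: {obj_id!r}")
    return obj_id


def parent_tier0_payload(tier0_id, edge_cluster_path):
    """Parent Tier-0 that owns the edge cluster and the uplinks.

    Field names (ha_mode, failover_mode, locale-services edge_cluster_path)
    follow the NSX-T 3.x Policy API as I know it; verify against your API guide.
    """
    _check_id(tier0_id)
    return [
        {"method": "PATCH", "path": f"{API_BASE}/infra/tier-0s/{tier0_id}",
         "body": {"display_name": tier0_id, "ha_mode": "ACTIVE_ACTIVE",
                  "failover_mode": "NON_PREEMPTIVE"}},
        {"method": "PATCH",
         "path": f"{API_BASE}/infra/tier-0s/{tier0_id}/locale-services/default",
         "body": {"edge_cluster_path": edge_cluster_path}},
    ]


def vrf_tier0_payload(vrf_id, parent_id, description=""):
    """A VRF gateway is itself a Tier-0 whose vrf_config points at the parent."""
    _check_id(vrf_id)
    _check_id(parent_id)
    return {"method": "PATCH", "path": f"{API_BASE}/infra/tier-0s/{vrf_id}",
            "body": {"display_name": vrf_id, "description": description,
                     "vrf_config": {"tier0_path": f"/infra/tier-0s/{parent_id}"}}}


def build_tenant_vrfs(parent_id, edge_cluster_path, tenants):
    """Return the ordered API calls for a parent Tier-0 plus one VRF per tenant.

    Enforces the per-Tier-0 VRF limit and rejects duplicate or clashing ids,
    the mistakes that would silently merge two tenants into one routing table.
    """
    if len(tenants) > MAX_VRFS_PER_TIER0:
        raise ValueError(f"{len(tenants)} VRFs requested; limit is {MAX_VRFS_PER_TIER0}")
    seen = set()
    calls = parent_tier0_payload(parent_id, edge_cluster_path)
    for tenant in tenants:
        if tenant in seen or tenant == parent_id:
            raise ValueError(f"duplicate or clashing id: {tenant!r}")
        seen.add(tenant)
        calls.append(vrf_tier0_payload(tenant, parent_id, f"VRF for tenant {tenant}"))
    return calls


def apply(calls, manager, user, password, cafile=None):
    """Send the calls to an NSX Manager over HTTPS with basic auth (not run here)."""
    ctx = ssl.create_default_context(cafile=cafile)   # no cert-check bypass
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    for call in calls:
        req = urllib.request.Request(
            f"https://{manager}{call['path']}", method=call["method"],
            data=json.dumps(call["body"]).encode(),
            headers={"Authorization": f"Basic {token}",
                     "Content-Type": "application/json"})
        with urllib.request.urlopen(req, context=ctx) as resp:
            print(call["path"], resp.status)


if __name__ == "__main__":
    # Constructed sample: a provider Tier-0 with three tenant VRFs.
    plan = build_tenant_vrfs(
        "provider-t0",
        "/infra/sites/default/enforcement-points/default/edge-clusters/ec-01",
        ["tenant-red", "tenant-blue", "tenant-green"])
    print(json.dumps(plan, indent=2))
```

Running it prints the plan without touching any manager; `apply()` is only called once you have reviewed the payloads. The order matters: the parent Tier-0 and its locale-services must exist before a VRF can reference it, which is why the parent's calls come first in the list.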
Converged vDS
Converged vDS is a pretty nifty addition to the feature set. Like the versions that preceded it, vSphere 7.0 can still be used with traditional networking, so admins can avoid introducing NSX if it is not specifically required. However, the availability of Converged VDS may encourage them to bring NSX into their infrastructure proactively.
Converged vDS simplifies the deployment of NSX by letting NSX run on a vSphere 7.0 VDS instead of requiring a separate N-VDS. It takes the existing VDS and port-group configuration and adds the NSX constructs to it, without any break in service.
This last aspect, no break in service, is important for admins. If deployment risk and impact are taken away, admins can take their time to design it properly and enable the service proactively, rather than rushing to deploy it when it is actually required. That promotes reliable, well-designed deployments and a gradual transition to NSX.
It's worth mentioning that this feature is only available for greenfield NSX deployments (new NSX installs on vSphere 7.0 hosts); an existing N-VDS-based NSX deployment is not converted in place by this release, so bear that in mind. That does not make the feature any less important, as adding NSX to an existing vSphere 7.0 environment becomes seamless, removing resistance due to complexity and increased workload.
User Experience Enhancements
Quite a few user experience enhancements have also made it into this release. Things like the ability to switch between “Policy” and “Manager” views from within the same interface and simple “Getting Started” wizards to carry out the basic initialisation tasks.
My favourite is the Network Topology Visualisations feature. We all know that a picture is worth a thousand words. It’s worth even more if it can be exported into PDF, which can be done now. In addition, one can search and filter objects in the topology too!
If you want a comparatively more detailed list of what’s new in NSX 3.0, here’s a slide showing them in a nicely categorised way:
Distributed IDS
Traditional IDS, as commonly found in customer datacenters, suffers from the same "hairpinning" problem as traditional networks. Traffic destined for end systems first has to be routed through the inspection point, which creates choke points in the network. Correct sizing and design are critical for such topologies and, more often than not, mistakes are made because of the complexity and rigidity of such systems. Devices are also generally oversized, just in case. On top of all this, there is no real way to inspect traffic within a segment on which multiple virtual machines reside, because that traffic never leaves the host.
NSX 3.0 addresses these problems by introducing NSX Distributed IDS. It works in a similar way to the distributed firewall: inspection is delivered in the hypervisor, on every host, so it sees east-west traffic within a segment and scales linearly as hosts are added. Again, as with the distributed firewall, intrusion detection signatures are applied according to the defined rules, so only the signatures relevant to the workloads a rule covers are evaluated on their traffic. In addition to providing targeted control, this also reduces computational overhead.
As you would expect, integration with major partners such as Check Point, Palo Alto Networks and Fortinet is available. Signatures can be downloaded and applied automatically on a per-cluster or stand-alone host basis, and none of this requires any infrastructure beyond what you would typically deploy as the base NSX infrastructure.
Beautiful and simple, isn’t it!
In Conclusion…
NSX-T 3.0 is full of updates and new features, which is fitting given the major changes to the vSphere architecture itself. I am also glad that it is becoming even easier for infrastructure admins to deploy and manage; if there were any fears about complexity preventing its deployment from becoming the default, they should be gone with this version.
As you would expect from a major release, there’s a lot more detail to go through and feature enhancements to discover in NSX-T 3.0. For that reason, I would highly recommend that you download and play with it as it’s the best way to learn. As with everything else, don’t forget to read the Release Notes before installing or upgrading your existing installation.
It was a superb write-up I have seen for NSX-T. Thanks for posting this for the tech followers. As per your blog, VRF Lite serves as a turning point to accommodate VCF with multiple vCenters and multi-tenancy.
Do you have some summary written for the Kubernetes side? How does NSX-T achieve it in vSphere with Kubernetes (Project Pacific) without VCF?
I found it interesting when you said that global managers now have the option to configure and enforce policy configurations between all deployments as per NSX Federation. This is such a helpful piece of information for businesses that need to use VMware for data security. I could imagine how an NSX V2T migration can ensure efficiency in data security and other workloads.