NSX-T 3.0 – Innovations in Cloud, Security, Containers, and Operations

NSX-T 3.0 – Innovations in Cloud, Security, Containers, and Operations

We are excited to announce the general availability of VMware NSX-T™ 3.0, a major release of our full stack Layer 2 to Layer 7 networking platform that offers virtual networking, security, load balancing, visibility, and analytics in a single platform. NSX-T 3.0 includes key innovations across cloud-scale networkingsecurity, containers, and operations that help enterprises achieve one-click public cloud experience wherever their workloads are deployedAs enterprises adopt cloud, containers, and new applications, IT teams are managing more heterogenous and distributed environments that need to be better secured, automated, and monitoredThe need to run and manage workloads on all types of infrastructure, VMs, containers, bare metal across both private and public cloudsis greater than ever. Enterprises need end-to-end software-defined solutions to fully automate, connect, and protect all their workloads. 

As a key component of VMware Virtual Cloud NetworkVMware NSX-T 3.0 includes groundbreaking innovations that make it easier to replace legacy appliances that congest data center traffic, achieve stronger security posture, and run virtual and containerized workloads anywhereNSX-T 3.0 also introduces global policy consistency, AWS and Azure gov cloud supportVMware NSX® Intelligence enhancements, Layer 3 EVPN, and powerful networking and security services for vSphere with Kubernetes, superseding features in NSX-VIn addition, NSX-T 3.0 integrated with enhancements in VMware vRealize™ Network Insight 5.2 to deliver comprehensive end-to-end network visibility and flow-based application discovery.

Cloud-scale Network Agility

Scaling up and managing a cloud environment – whether public or private – requires simplified network configuration and management, visibility and control, and the ability to rapidly add new capabilities into the existing environment. 

  • NSX Federation – NSX Federation in NSX-T 3.0 helps deliver a cloud-like operating model by simplifying the consumption of networking and security constructs. It introduces the NSX Global Manager, a centralized console for managing the network as a single entity while keeping configuration and operational state synchronized across multiple locations.
      
     

     


    Security policies attach and move with the workload, ensuring that policy compliance is maintained during workload failover or migration between locations.     Follow us on twitter @vmwarensx for a detailed blog on NSX Federation in a few weeks. 
  • Support for AWS GovCloud and Azure Government – NSX-T 3.0 extends support for public clouds with VMwareNSX™ Cloud support for AWS GovCloud and Azure Government. This provides isolated public cloud environments for U.S. government agencies and customers to move sensitive workloads into the cloud and assist with regulatory and compliance requirements. NSX customers will benefit from the extended visibility, consistent networking and security policies, precise control over cloud networking, and end-to-end operational control across clouds. 
  • Enhanced Multi-tenancy with VRF Lite and Layer 3 BGP EVPN – VRF Lite greatly reduces the networking infrastructure footprint by introducing complete data plane tenant isolation with separate routing table, NAT, and firewall within each VRF on NSX Edge. NSX Edge also implements Layer3 EVPN to seamlessly connect telco VNFs to the overlay network.  The Edge implements standards based BGP control plane to advertise IP Prefixes, running eBGP sessions to the VNF and MP-BGP sessions with the PE/DCGW(s). 
  • Dynamic Network Service Chaining – NSX service insertion is further enhanced with support for dynamic service chaining for traffic from and to VMs, containers, and bare metal workloads.  The Edge Node dynamically classifies incoming network traffic and applies a set of network services to achieve app-aware security and monitoring. 

Best-in-class Intrinsic Security

With NSX-T 3.0, the Service-defined Firewall in the NSX platform has been enhanced with the addition of a distributed IDS/IPS  solution to protect east-west traffic in the data center. NSX-T 3.0 is a step further towards our goal of extending the NSX intrinsic security approach from every workload to data center, multi-cloud, and edge. 

  • NSX Distributed IDS/IPS – At VMworld Europe last year, we announced the VMware Distributed IDS/IPS solution for our advanced Layer 7 internal firewall. NSX Distributed IDS/IPS is an advanced threat detection engine purpose-built to detect lateral threat movement on east-west traffic across multi-cloud environments.  It eliminates security blind-spots and helps meet compliance needs.
     

     


    Unlike traditional architectures that hairpin traffic to discrete appliances, NSX Distributed IDS/IPS distributes the analysis out to every workload and curates the signatures evaluated by each engine based on precise knowledge of running applications. This elastic throughput scales with workloads while improving utilization of existing compute capacity, simplifies the network design and operational model, and radically reduces the rate of false positives. This approach enables security teams to replace discrete appliances, and helps achieve regulatory compliance and create virtual security zones without physical separation of infrastructure. 
  • L7 Edge Firewall Enhancements – The Layer 7 Edge Firewall is further enhanced in NSX-T 3.0 with the implementation of URL Analysis for URL Classification and Reputation. The Edge Firewall detects access from outside the datacenter for granular detection and categorization of in-bound and outbound URLs.
  • DFW for Windows 2016 workloads – In addition to existing support for Linux, NSX-T 3.0 adds NSX Distributed Firewall (DFW) support for Windows 2016 based physical workloads. 
  • Time-based rules and Configuration wizard – Firewall rules can be enforced based on a pre-scheduled timeline defined by the administrator. NSX-T 3.0 also simplifies the implementation of VLAN backed micro-segmentation using a new configuration wizard. 

Full-stack Networking and Security for Modern Apps

  • Networking for vSphere with Kubernetes – NSX-T is designed-in from the ground up as the default pod networking solution for vSphere with Kubernetes.  NSX provides a rich set of networking capabilities for vSphere with Kubernetes, including distributed switching and routing, firewalling, load balancing, NAT, IPAM, and more.
     

     


    Vinay Reddy describes how NSX-T, designed into vSphere with Kubernetes as the default networking solution, addresses common challenges associated with container networking and security.

     

     
  • Prescriptive networking for vSphere Namespace isolation  NSX-T 3.0 delivers a prescriptive network design to greatly simplify the implementation of vSphere Namespaces. It automatically implements the logical segments, distributed routing and firewalling, and IPAM services required for Namespace isolation in the vSphere Supervisor Cluster.  Any workloads created in a Namespace automatically inherit the security policy applied to that Namespace, allowing developers to self-service resources into that Namespace. 
  • Integration with Cluster API in VMware Tanzu Kubernetes Grid Service – NSX-T integrates with VMware Tanzu Kubernetes Grid Service to allow developers to deploy Tanzu Kubernetes Grid clusters.  NSX-T greatly simplifies the necessary networking infrastructure, including the creation of logical segments, Tier-1 Gateway, and load balancers, needed for Tanzu Kubernetes Grid clusters.

Operational Simplicity and Automation 

  • Converged vSphere® Distributed Switch™ – With NSX-T 3.0, admins can now deploy NSX-T directly on VMware vSphere Distributed Switch 7.0This greatly simplifies NSX-T deployment in vSphere environments with no changes required to the existing vSphere Distributed Switch and no VM traffic disruption.
     

     

  • Policy Enhancements with Terraform Provider & Ansible Module – NSX-T 3.0 extends the use of Terraform Provider and Ansible Modules, two of the most widely used automation tools for config generation and deployment, beyond NSX-T installation use cases with support for the NSX-T Policy API It now supports additional topology deployment workflows for security, logical gateway and segments, and network overlays and VLAN segments. Lifecycle management has become easier with the Ansible Module. NSX-T component upgrade of NSX Managers, Transport Nodes, Edge Nodes can be automated with the Ansible Modules. 
  • Simplified Integration with vRealize Network Insight 5.2 – Tight integration with vRealize Network Insight 5.2 delivers comprehensive end-to-end network visibility. Support for vRealize Operations alerts enables precise troubleshooting in NSX-T environments from vRealize Network Insight dashboard. vRealize Network Insight 5.2 also implements flow-based application discovery across VMware platforms for application categorization by tier. 
  • OpenStack Neutron Enhancements – The OpenStack Neutron plugin for NSX-T has been enhanced to abstract multiple NSX-T end points and operators can now configure additional IPv6 features (including DHCPv6, IPv6 LB, and NAT64) using the NSX-T policy plugin. 

Summary 

The NSX-T 3.0 release expands the breadth and depth of NSX-T use cases across cloud-scale networking, distributed IDS for advanced threat protection, and modern container-based applications. We remain committed to helping our customers radically simplify their network, achieve consistent policies across locations and transform their operations in the data center and cloud with full-stack automation across switching, routing, security, load balancing, and other layer 7 network services. 

Follow us on Twitter @vmwarensx for updates and a series of deep-dive blogs on the key capabilities delivered in NSX-T 3.0. 

NSX-T Resources 

0 Kudos
Version history
Revision #:
1 of 1
Last update:
‎06-04-2021 09:37 AM
Updated by:
Enthusiast
 
View Article History