What's New VMware NSX Advanced Load Balancer (Avi Networks)
Download as PPTX, PDF1 like1,545 views
The document presents an overview of VMware NSX Advanced Load Balancer (Avi Networks) highlighting its complete L2-L7 software-defined stack and the various services it offers including multi-cloud load balancing and web application firewall (WAF). It emphasizes the challenges of traditional load balancing and introduces features such as automated security measures, flexible upgrades, and enhanced scalability for modern cloud environments. The update version 18.2.6 includes features like TLS 1.3 support and a positive security model for improved application protection.
What's New VMware NSX Advanced Load Balancer (Avi Networks)
- 1. Confidential │ ©2019 VMware, Inc. Webinar Ashwin Manekar Product Line Manager, NSBU, VMware September 26th 2019 What’s New with VMware NSX Advanced Load Balancer (Avi Networks)
- 2. Confidential │ ©2019 VMware, Inc. 2 The Foundation of the Virtual Cloud Network VMware NSX Portfolio NETWORK AND SECURITY VIRTUALIZATION Security Integration Extensibility Automation Elasticity NSX Data Center NSX Cloud AppDefense SD-WAN by VeloCloud HCX NSX Service Mesh NSX Advanced Load Balancer Avi Networks, now part of VMware • Industry’s only complete L2-L7 software-defined stack • A leader in the ADC market with multi-cloud LB, WAF and analytics
- 3. Confidential │ ©2019 VMware, Inc. 3 VMware NSX Advanced Load Balancer Portfolio VMware NSX Integration+Standalone Multi-cloud LB & WAF NSX Data Center NSX Cloud NSX Service Mesh VMware Cloud on AWS (VMC) VMware Horizon & UAG
- 4. 4Confidential │ ©2019 VMware, Inc. Avi Networks Product Overview
- 5. Confidential │ ©2019 VMware, Inc. 5 Load Balancing is the Blocker for Digital Transformation Drivers Increased IT Demands ON- PREMISES Load Balancing is Not Automated Network StorageCompute CLOUD Challenges Scalability Agility Flexibility # Apps # Changes # Env/Infra Cost Efficiency $ Time to Market Modern Apps Load Balancers ?
- 6. Confidential │ ©2019 VMware, Inc. 6 Hardware / Virtual Load Balancer Challenges DC1 DC2 DEPT1 DEPT2 Standby 0% Active 15% Separate control points – operational complexity, hard to automate, painful upgrades Capacity management – manual VIP placement, costly overprovisioning, no capacity pooling Not designed for modern new environments ON-PREMISES CLOUD CONTAINER
- 7. Confidential │ ©2019 VMware, Inc. 7 BARE METAL VIRTUALIZED CONTAINERSON PREMISES PUBLIC CLOUDVIRTUALIZED CONTAINERS Modern, Scalable, Multi-Cloud Architecture CONTROLLER SERVICE ENGINE SEPARATE CONTROL & DATA PLANE ELASTICITY INTELLIGENCE AUTOMATIONMULTI-CLOUD
- 8. Confidential │ ©2019 VMware, Inc. 8 Comprehensive Application Services Platform • Web App Firewall • SSL Termination • DDoS Protection • L3-4 ACLs • L7 Rules/Policies • Rate Limiting SECURITY • Application Map • Service Health Score • Network Performance • App Performance • Request Logging • Security Insights ANALYTICS • Central Management • 100% REST API / SDK • Self-Service • Multi-Tenancy • Service Discovery • IPAM/DNS PLATFORM • L7 (HTTP) LB • L4 (TCP/UDP) LB • Global Load Balancing • Content Switching • Caching/Compression • Autoscaling LOAD BALANCING Features (K8S, OpenShift, PKS, AKS, GKE, EKS, ...) Enterprise-grade Ingress • Converged LB, Security, Analytics • Service Discovery & App Map • Multi-cluster and Multi-cloud Containers Use Cases (ESXi, x86, NSX, ACI, OpenStack…) • Central Management • Real-time Analytics • SDN Integration and Automation • Cost Savings SDDC / On-Prem (AWS, Azure, GCP, VMC, …) • Cloud-native Automation • Enterprise-grade Features • Real-time Analytics • Multi-cloud Consistency Public Cloud
- 9. 9Confidential │ ©2019 VMware, Inc. What’s new in 18.2.6 - Positive Security Model - Learning Mode for WAF
- 10. Confidential │ ©2019 VMware, Inc. 10 Comprehensive Security Stack NSX Advanced Load Balancer Encryption SSL/TLS L3/4 Firewall Rules IP-Port based Security Rules L7 Firewall Rules Content (URI) based security rules DDoS Protection DDoS detection and mitigation with elastic scaling Application Rate Limiting Control and restrict by application or tenants Security Insights Security score Attack insights SSL Insights WAF analytics Web Application Firewall OWASP TOP 10, Application protection, Attack Analytics Centralized Management Multi-Cloud Elastic Fabric Automation & Programmability Real Time Visibility & Analytics REST API Data Center Private Cloud Public Cloud
- 11. Confidential │ ©2019 VMware, Inc. iWAF policy checks Whitelist • High performance for trusted traffic • Match Criteria: Headers, IP, Path and more • Similar to HTTP policy matching PSM • Positive definition of Application behavior • Zero-day attacks defense and performance • Rules: Learning, Scanners, Manual Signatures • Scans for common attack patterns • Rules: OWASP Top 10 protection rules
- 12. Confidential │ ©2019 VMware, Inc. 12 How does Positive Security Model work? FastPas s Deep Inspection Negative Security Deny Allow Traffic ML Classifier Automating Application Security using Machine Learning
- 13. Confidential │ ©2019 VMware, Inc. 13 Avi’s WAF Capabilities Application defense in depth • Application Learning and Positive Security • OWASP Top 10 Protection • Signatures and app-specific rules • HTTP protocol enforcement and input Validation – XSS, SQLi, etc. • Virtual patching using scripting for application logic flaws • API protection for JSON, XML • Metrics and statistics about the current application attack surface • Bot detection Backend Application Untrusted Trusted WAN
- 14. 14Confidential │ ©2019 VMware, Inc. What’s new in 18.2.6 - Support for modern encryption – TLS 1.3
- 15. Confidential │ ©2019 VMware, Inc. 15 NSX Advanced LB supports versions SSLv3, TLS 1.0 Starting 18.2.6, TLSv1.3 protocol is supported. Ciphersuites: Users must select one or more of the three supported TLSv1.3 ciphers in the list of ciphers Enable Early Data: - Enables TLS terminated applications to send application data without having to first wait for the TLS handshake to complete - Saves one full round trip time between the client and server before the client requests can be processed Terminate SSL connections between the client and the virtual service Enable encryption between NSX Advanced LB and the back-end servers SSL/TLS Profile
- 16. 16Confidential │ ©2019 VMware, Inc. What’s new in 18.2.6 - Flexible Upgrade
- 17. Confidential │ ©2019 VMware, Inc. 17 Current Challenges Everybody needs to get onto the bus! Upgrade ALL Validate ALL Rollback ALL Need to boil the ocean for a simple fix for a single application Nightmare to coordinate and cancellation is common All or Nothing No Targeted Upgrades Approval & Scheduling
- 18. Confidential │ ©2019 VMware, Inc. 18 Segmentation Per-tenant Per-app Per-SE group Smaller scale & isolated impact Faster resolution or rollback Modern approach to upgrade Need an ability to upgrade LB infrastructure in an isolated manner Granular Upgrades Selective Upgrades Simplified Upgrades Unable to deliver flexible upgrades with legacy appliances Either ALL or NOTHING!!
- 19. Confidential │ ©2019 VMware, Inc. 19 Separated control plane upgrades from data plane upgrades Upgrade Control Plane independent from Data Plane Patch the controller without impacting the data plane Non-disruptive, headless operations, no failover needed Allow selective upgrades to the desired assets only Upgrade individual SE Groups (segmentation) Push specific features to only the selected SEs associated with that apps Simpler verification, Faster rollback Failure impact is on a smaller scale, Faster to resolve and Faster rollback Delivers higher high time to value to the end users Flexible Upgrades
- 20. Confidential │ ©2019 VMware, Inc. 20 How can you use Flexible Upgrades? Se group X Se group Y Se group Z Tenant 1 Tenant 2 V 1 V 1 V 1 V 1 V 2 V 2 V 2 • Sandbox Upgrades – Upgrade an Se group, validate prior to upgrade remaining • Introduce new features or patches only for the Apps that need them – Meet application demands without impact to others • Canary Upgrades – Continue/rollback upgrades based upon analytics engine data • Flexible Upgrade scheduling • Self Service Upgrades • Sandbox Upgrades – Upgrade an Se group, validate prior to upgrade remaining • Introduce new features or patches only for the Apps that need them – Meet application demands without impact to others • Canary Upgrades – Continue/rollback upgrades based upon analytics engine data • Flexible Upgrade scheduling • Self Service Upgrades • Sandbox Upgrades – Upgrade an Se group, validate prior to upgrade remaining • Introduce new features or patches only for the Apps that need them – Meet application demands without impact to others • Canary Upgrades – Continue/rollback upgrades based upon analytics engine data • Flexible Upgrade scheduling • Self Service Upgrades
- 21. Confidential │ ©2019 VMware, Inc. Thank You
- 22. Confidential │ ©2019 VMware, Inc. Thank You