ROBO Solutions – The SDDC Perspective: NSX from a ROBO context
We have seen in part 1 some of the common ROBO Solution licensing gotchas that can confuse businesses looking to price a Software Defined Datacentre ROBO Solution. In part 2 we have seen how vSAN ROBO HCI solutions can be simple, robust and consistent, policy-based shared storage solutions, with a minimal hardware investment as low as two server nodes. This is the final blog in the 3-part series and addresses why and how VMware NSX is such a great fit for Branch Office solutions.
VMware NSX is the network virtualisation platform for the Software Defined Data Centre (SDDC). All the modern network functions are abstracted and encapsulated in software, including switching, routing (East-West intra-Data Centre traffic as well as North-South internetwork/inter-DC traffic), firewall and load balancing services. The ability to provision or un-provision these services in a fully automated way, on demand and on a per-application basis, is hugely powerful. Another major benefit to businesses is that IT Services gain the agility to respond to changing business needs in a secure manner. In fact, traditional networking approaches no longer adequately address this rapid application growth, either in the ability to provision physical network systems in a timely manner or in the ability to operationally manage the environment as it grows.
NSX is not only a networking platform but also a security platform that is able to deliver micro-segmentation across all the evolving components of a modern data centre. NSX delivers on this promise by providing:
- Distributed Firewall Capability: Firewall traffic segregation can be enforced on every vSphere host and VM, giving per-application firewall capability.
- Network Topology agnostic: Vendor agnostic, supporting both Layer 2 and Layer 3 topologies, as NSX is an overlay technology independent of the underlay vendor implementation.
- Centralised Policy management: Controlled from a centralised policy manager.
- Grouped Object Control: Granular, dynamic application controls that can be grouped by App type, O/S, VM name or vSphere VM object, meaning traffic flows to these groups can be controlled in a single policy.
- Network isolation: Separate logical networks or overlays can be created to segregate network segments, which can span hosts, racks and DCs.
- Policy Driven Service Insertion: 3rd party traffic introspection can also be achieved to enable malware, anti-virus and other Layer 7 firewall facilities as part of NSX security policies.
Specifically, in a ROBO context, NSX micro-segmentation capability can be leveraged to provide a centrally managed policy for branch office sites. The ability to provide secure firewall services to these remote sites without the need for any investment in physical security hardware is hugely compelling for businesses. The firewall rules are managed automatically based on the security policy and associated security groups. Therefore, as systems are decommissioned, their firewall rules are removed automatically as well.
Take the example of a Global Manufacturer with a Central Site and 100s of remote manufacturing plants dotted over 100+ countries that implements NSX across the estate, i.e. centrally and stretched across remote sites. NSX can be leveraged (via NSX Policy Manager) to push a global central security policy to all remote sites, and also to push a unique policy to an individual site. On each site, Manufacturing traffic is segregated from LAN traffic with NSX Distributed Firewall policy (managed centrally), removing the requirement for physical firewalls as well as separate switches at the remote site.
Sticking with the Manufacturing example, a lot of telemetry data from the manufacturing lines needs to remain at the Remote Sites for analytics purposes. These Remote Manufacturing Analytic platforms can be in place for Machine Learning and Internet of Things, the capabilities that enable “Smart Manufacturing”. Smart Manufacturing allows factory managers to automatically collect and analyse data to make better-informed decisions and optimise production. Securing these platforms with NSX policies, by controlling flows of data between devices within the Data Centre and between Data Centres, is critical to the success of the IoT and Smart Manufacturing platform.
As well as the IoT platform, NSX can manage, monitor and secure the (often vast number of) edge applications. Millions of devices can be involved in these edge IoT solutions. While Edge solutions are not the focus of this blog, it is important to know that SDN and NSX can play a key role here as well.
The image below illustrates how the security posture is pushed out centrally to branch offices:
NSX Traffic Steering and Service Insertion capability can bring partner security services such as NGFW and IPS to the Remote Branch Office solutions, again removing the need for proprietary hardware. NSX can steer traffic to 3rd party anti-virus and malware solutions, which means that should an intrusion be detected at a remote branch office site (a manufacturing plant, retail store, banking agency, etc.), the intrusion can be ring-fenced on the fly by using NSX to move it to an isolated network. The breach impact (attack surface) is then significantly reduced and relates only to that specific application.
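The group-based behaviour described above (a global policy plus a site-unique policy, rules that disappear when a system is decommissioned, and ring-fencing by moving a workload into an isolated group) can be seen in a small model. This is an added example, not part of the original post and not the NSX API; the site names, VM names, tags and ports are constructed, and flows are evaluated within a single site only.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Rule:
    src: str      # source security group; "any" matches every VM
    dst: str      # destination security group
    port: int     # 0 = any port
    action: str   # "allow" or "drop"

@dataclass
class VM:
    name: str
    site: str
    tags: set = field(default_factory=set)

# Constructed policies: one global policy, plus a rule unique to "plant-a".
GLOBAL_POLICY = [
    Rule("quarantined", "any", 0, "drop"),        # ring-fence outbound
    Rule("any", "quarantined", 0, "drop"),        # ring-fence inbound
    Rule("manufacturing", "analytics", 8883, "allow"),
]
SITE_POLICY = {"plant-a": [Rule("lan", "analytics", 443, "allow")]}

def in_group(vm, group):
    # Dynamic membership: a VM is in a group while it carries that tag.
    return group == "any" or group in vm.tags

def policy_for(site):
    # Global rules are evaluated before the site-specific ones.
    return GLOBAL_POLICY + SITE_POLICY.get(site, [])

def decide(src, dst, port):
    """First matching rule wins; anything unmatched is dropped."""
    for r in policy_for(src.site):
        if in_group(src, r.src) and in_group(dst, r.dst) and r.port in (0, port):
            return r.action
    return "drop"

def effective_rules(site, inventory):
    """Expand group rules into per-VM rules; empty groups yield no rules."""
    vms = [v for v in inventory if v.site == site]
    return [(s.name, d.name, r.port, r.action)
            for r in policy_for(site)
            for s in vms if in_group(s, r.src)
            for d in vms if in_group(d, r.dst) and d is not s]

def sample_inventory():
    # Constructed two-site inventory: (name, site, tag).
    rows = [("plc-gw-01", "plant-a", "manufacturing"), ("ml-01", "plant-a", "analytics"),
            ("pc-07", "plant-a", "lan"), ("plc-gw-02", "plant-b", "manufacturing"),
            ("ml-02", "plant-b", "analytics"), ("pc-09", "plant-b", "lan")]
    return {n: VM(n, s, {t}) for n, s, t in rows}
```

Adding the `quarantined` tag to a VM makes the first two global rules match it ahead of any allow rule, and removing a VM from the inventory removes every expanded rule that named it without any rule edit.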
This post hopefully illustrates the incredibly powerful solution that NSX can provide in applying Software Defined Networks and Security easily to Remote Branch Office Solutions, and why it is a fit for Enterprises that have many remote sites. Having a consistent network and security policy which can be easily pushed to the remote sites and centrally managed is a compelling IT Solution that the Asystec SDDC team can help you define, design, deploy and operate.
We can reduce the overall Total Cost of Ownership (TCO) of the Branch Solution with a Software Defined Compute (vSphere), Storage (vSAN) and Network (NSX) IT Infrastructure Solution that is centrally managed and secure. The Branch Solution can also have commercially attractive licensing models to suit the scale of workloads in the Branch Office sites.
Make sure you also check our Part 1: Dispelling the Myths of ROBO Licensing and also ROBO Solutions: Part 2 – VMware vSAN from a ROBO context.
If you or your team are considering IT Solutions for your Branch Offices then request support through [email protected] and members of the SDDC and Cloud Infrastructure team can address the requirements directly with you!