Network virtualization logical design

The NSX DFW solution will be deployed over an existing VMware vSphere virtualization infrastructure, coupled with an existing cloud consumption management platform. The solution targets two independent data centers.

Within this deployment, the customer has mapped the cloud tenant construct onto the project entity, which is defined as a group of VMs that share the same customer, application, reference environment, and network zone. The tenant and the project are treated as the same entity in the following descriptions.

The NSX for vSphere architecture will consist of the following clusters, as per VMware best practices:

  • A set of management clusters (one for the smaller site, two for the second site) containing the NSX Manager instance, the vCenter Server instances, and any other management VMs needed by the cloud and IaaS manager. The hosts in these clusters are not prepared for NSX for vSphere, so that the management components are protected from an unintentional lockout by DFW rules.
  • A set of payload clusters that contain the workloads and have the underlying hosts prepared for NSX for vSphere.

Each set of clusters is managed by an independent vCenter instance: two instances in one site and one instance in the second site.

The DFW is loaded as an ESXi kernel module and provides line-rate firewalling at each VM's vNIC, independent of the underlying network design. Consequently, when the NSX deployment is limited to the distributed firewall feature, the design constraints are not stringent. This design will nevertheless simplify the network configuration by eliminating the need to trunk a large number of VLANs to all hosts if and when VXLAN is adopted.

With no overlay in place, VLAN trunks are configured on the TOR switches, and resources external to the cloud are reached through a routing layer that provides the firewall and NAT services required by the traffic patterns. The distributed firewall (DFW) manages security and ensures that projects are kept separated and, where required, unable to reach other projects' VMs on the network.

The NSX distributed firewall will serve two different cloud infrastructures:

Distributed firewall architecture

The vSphere cluster design decisions are as follows. For this design, the administrator has made the following decisions.

Design decision: The customer has organized the workloads in multiple vSphere clusters, distributed under multiple vCenter management boundaries. vSphere clusters host management and payload workloads separately. In the absence of an overlay network, there is no edge cluster deployment to evaluate.

Design justification: This design choice offers better separation in terms of security, management, and resources.

Design implication: NSX Manager has to register with the vCenter Server instance that manages the hosts providing payload compute resources (and edge compute resources, where applicable). Multiple vCenter Server instances require multiple NSX Manager instances, and multiple NSX Controller clusters, for any future network overlay adoption.
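As an added example (not from the book or from VMware), the following Python script models two consequences of the design above: the management/payload preparation split and the per-project separation the DFW enforces. Cluster and VM names, and the project attributes, are constructed values.

```python
# Added example, not from the book: a toy model of the page's cluster and
# project design. Cluster, VM and project values below are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Cluster:
    name: str
    role: str           # "management" or "payload"
    nsx_prepared: bool  # whether the hosts have the NSX kernel modules installed

@dataclass(frozen=True)
class VM:
    name: str
    cluster: str
    customer: str
    application: str
    environment: str
    zone: str

def project_of(vm):
    """A project is the tuple (customer, application, environment, zone)."""
    return (vm.customer, vm.application, vm.environment, vm.zone)

def cluster_issues(clusters):
    """Flag clusters that violate the management/payload preparation rule."""
    issues = []
    for c in clusters:
        if c.role == "management" and c.nsx_prepared:
            issues.append(f"{c.name}: management cluster is NSX-prepared (lockout risk)")
        if c.role == "payload" and not c.nsx_prepared:
            issues.append(f"{c.name}: payload cluster not prepared, DFW cannot enforce")
    return issues

def flow_allowed(src, dst, clusters):
    """Default deny between projects, enforced at the vNIC of any VM on a
    prepared host. If neither endpoint sits on a prepared host, nothing filters."""
    enforced = clusters[src.cluster].nsx_prepared or clusters[dst.cluster].nsx_prepared
    return True if not enforced else project_of(src) == project_of(dst)

# Constructed inventory: a correct management cluster, a correct payload
# cluster, and a payload cluster that was left unprepared by mistake.
CLUSTERS = {
    "mgmt-01": Cluster("mgmt-01", "management", False),
    "payload-01": Cluster("payload-01", "payload", True),
    "payload-02": Cluster("payload-02", "payload", False),
}
VMS = {
    "web-a": VM("web-a", "payload-01", "custA", "crm", "prod", "dmz"),
    "db-a": VM("db-a", "payload-01", "custA", "crm", "prod", "dmz"),
    "web-b": VM("web-b", "payload-01", "custB", "crm", "prod", "dmz"),
    "old-a": VM("old-a", "payload-02", "custA", "erp", "test", "internal"),
    "old-b": VM("old-b", "payload-02", "custB", "erp", "test", "internal"),
}
```

Running cluster_issues over the inventory reports only payload-02, and flow_allowed shows that two VMs of different projects on that unprepared cluster can reach each other, which is the gap the preparation rule is meant to close.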
