Facebook LinkedIn Instagram Vimeo WeChat WhatsApp YouTube
Back to Blog

vCD and NSX – A Match Made in Clouds

-

Today we're going to dive into what vCloud Director is, and how NSX supercharges it. We'll largely be focusing on what vCloud Director leverages out of NSX, but we'll also touch a little on the features within vCloud Director that enables Cloud services consumption. 

FirstlyvCloud Director (vCD) is a software solution that provides deployment, automation and management of virtual infrastructure resources in multi-tenant cloud environments. This multi-tenant virtual data centre is provided via an intuitive HTML5 based UI and an REST API. vCloud Director is backed by vSphere technology that most of us will be intimately familiar with, so you can expect to see a lot of the features that you'd normally find in a standard vSphere deployment. vCloud Director is designed to be fully multi-tenanted, both allowing multiple organisations within a deployment, but also multiple virtual data centres within an organisation.  

Next we introduce NSX network virtualisation technology, which is really what makes vCloud Director so powerful and flexible. Without NSX, vCloud Director loses the majority of its charm, since we're working with the limitations of traditional physical networking (VLANs, switches, routers, etc). By leveraging software defined networking (NSX), vCloud Director provides consumers with Software Defined Data-Centres (both virtualised compute and networking) that allows you to untether from the constraints of typical physical data centre networking. With NSX in the picture we can vastly reduce the amount of manual effort required to deploy network services, since we significantly reduce or eliminate the need to configure physical network switches, firewalls and routers. This not only speeds up deployment of network services, it also reduces complexity and often typical error-prone nature of manually programming physical network devices. You can then easily consume network services in a more modern fashion (for example, using a single common API to deploy compute and networking and automation tooling).  

NSX abstracts the majority of common network functions, such as firewalls, routing, load balancing, DHCP, NAT and VPN (IPSEC and SSL) to improve operational efficiency and simplification of data centre designs. It also turbo charges a lot of these common functions, in particular by offering distributed firewalls (micro-segmentation) and distributed logical routing (DLR), which we'll dive further into below.  

Lastly, by operating a software defined network solution under vCloud Director, you open the possibility of automating deployments of entire virtual data centres or applications with workflows and infrastructure-as-code solutions that allow you to deploy in ways that previously may have been either overly complex, or impossible.  

 

How does NSX enable rapid deployment?

Typically, if you want to deploy a new network segment in your environment, you'll be deploying a new VLAN. Depending on the complexity of your network, this can often be a time-consuming process that can really slow you down. Instead of leveraging VLANs configured (typically manually) on physical devices, NSX introduces VXLANs that are encapsulated within a single VLAN allowing literally millions of network segments on a single VLAN. This allows rapid provisioning of network segments, without any requirement to modify physical network devices. It's worth noting however that vCloud Director fully supports the use of VLAN backed networks, via Distributed Port Groups on a vSphere Distributed Switch, so if you still have a thirst for VLANs the functionality is still there. 

Now that we've virtualised all of our network segments, we need to route between them, and also somehow break out of the virtual network into the physical network, this is where the Edge Services Gateway (ESG) enters the picture. The primary role of the NSX Edge is to operate as the border between physical and virtual networks (VLANs and VXLANs), but an ESG offers so much more than this. Within a single highly available virtual appliance, an NSX Edge can offer 5 tuple north/south firewall capabilities, network address translation (NAT), load balancing, IPSEC and SSL VPN, DHCP and routing (both dynamic and static), all managed by a single web based GUI, or via the vCloud Director API. 

The DLR's (Distributed Logical Router) primary role is simply to route between VXLANs, this seems rather boring but it's secret is that it's distributed to each ESXi host, allowing every ESXi host that's a member of the DLR to perform routing decisions. This means we can route traffic before it has even left the ESXi host which eliminates hair pinning. For an overview of these benefits, the diagrams below show a number of traffic flows and the benefits of the DLR. The image on the left show traffic that can route within an ESXi host, eliminating hair-pinning to the physical router. The image on the right shows the reduction in network hops and hair pinning between ESXi hosts.

Another benefit of operating virtual networks (VXLANs) with Edge Services Gateways, is the ability to have overlapping subnets within a physical data centre. This allows for many use cases, the most obvious being multi-tenancy, which is the core of vCloud Director, but this also allows for tenants to operate over-lapping subnets Test/Dev uses cases, as well as upgrade testing. It's very simple to clone an entire application environment using the same IP addresses as the original production environment within an isolated network to test an end to end upgrade of an application, without ever having to modify a single physical network device.   

It's also important to touch on micro-segmentation with the DFW (Distributed Firewall), which in a nutshell allows for firewall rules to processed at the virtual NIC, rather than when the traffic hits a firewall which is typically only ever when the traffic is being routed to a different network. I won't specifically dive into these details of micro-segmentation in this post as my colleague Matt has already covered this in detail in a previous post. Matt also covers off a number of other security features that NSX offers, however it's important to note that not all of these features have native functionality within vCloud Director. 

In summary, NSX allows you to provision highly efficient networks in your virtual data centre at speeds that previously were impossible, not to mention being able to easily do this programmatically.

 

Automation with vCloud Director

vCloud Director offers several different features that can really save you time both deploying and managing Cloud services within vCloud Director.  

vCloud Director naturally includes a REST API, which fully leverages it's multi tenanted capabilities and observes RBAC. The benefit here is that different users can programmatically deploy and manage resources whilst observing the permissions they've been granted and the Organisations they are a member of. The use cases here are practically endless depending on your organisation's requirements and the different automation tools you possess.  

We also have deep integration with vRealize Orchestrator within vCloud Director, which allows us to provide XaaS (anything-as-a-service) functionality. For example, we can write workflows within vRealize Orchestrator to configure virtual machine backups. We can then expose this workflow to the vCloud Director UI to allow consumers of vCloud Director to fully configure virtual machine backups without ever having to log in to a backup solution or leave the vCloud Director UI. There's a large number of use cases here as the extensibility of vRealize Orchestrator is incredibly vast.  

Whilst not as elegant as a REST API or vRealize Orchestrator, we have Catalogues within vCloud Director that allows consumers to be presented with pre-canned virtual machines, or entire application stacks. These can be deployed either via GUI wizards, or through the API to allow a common set of operating systems or application stacks to be rapidly deployed.  

There's also a number of other third-party tools with deep integration with vCloud Director. For example, TerraForm provides infrastructure-as-code functionality in a tool that can also manage public cloud solutions, allowing you to manage multiple cloud deployments from a single platform.  

In summary, vCloud Director offers a fully software defined virtual data centre solution with all of the modern features you'd expect from a Cloud solution, with some cutting-edge technology thanks to NSX. The use cases and extensibility are quite vast, ranging from hosting your standard Production IaaS needs, to Dev/Test, DevOps and Virtual Labs.  

 

Related Topics