Closing the gap between on-prem and off-prem services
Digital transformation is changing the requirements of enterprise networking. Cloud computing and virtualisation require different ways in which workloads must be set up and serviced to customers. The increased performance and agility required in the new digital age can no longer be achieved only with traditional data centres. VMware is responding to this transition with the Software-Defined Data Centre (SDDC), which adds performance, flexibility and cost savings to the traditional data centre, because the entire data centre is software-defined. An important part of the VMware SDDC is NSX, a network virtualisation and security platform that can bridge the gap for service providers between on-premises and off-premises services.
SDDC and the NSX data centre
At Insight we strongly believe with VMware’s CEO Pet Gelsinger in the Software-Defined Data Centre as the future to connect workloads across data centres, clouds and applications. General estimations are that the global SDDC market will grow from USD 31.84 billion in 2017 to a value of USD 121.91 billion by 2023 at a CAGR of 25.2%, over the forecast period (2018-2023). We want to help service providers to get their piece of the pie and develop a full SDDC roadmap, with the NSX data centre as a vital part of that process. With NSX the data centre network is entirely software-defined and delivers multi-cloud, virtualised networking and intrinsic enterprise security. This gives our partners the agility and security that is paramount today and provides them with a major business opportunity.
Micro-segmentation: fine-grained security unique of NSX
One of the defining features of NSX and only possible in the Software-Defined Data Centre is the use of micro-segmentation (see this two-minute video for a comprehensive explanation). Micro-segmentation is a software-defined security solution that micro-segments the network down to the individual VMs, enabling east-west firewalling, and automatically sets and manages policies for VMs anywhere. The reason why micro-segmentation is so unique, is because it is completely software-defined. It is impossible to achieve this level of security with a traditional hardware firewall, since there is no agility and takes a long time to deploy. The following example explains the difference.
Micro-segmentation vs traditional firewalling
The traditional firewall in a physical data centre is like a castle. It has a very strong perimeter with one entrance through the main gate. It is usually quite difficult to enter, but once someone has penetrated that defensive wall and has entered the castle, that person can go anywhere and easily attack any instance within the system. Now there is micro-segmentation, which is more like a hotel. Anyone who wants access to the hotel goes to reception and identifies with an ID. This person receives an access key to the floor where the room is located. The person can go to this room and unlock it, but cannot enter anywhere else. Unlike traditional firewalling in the physical data centre, micro-segmentation assigns individual policies to each VM. If hackers have access to one VM, they cannot replicate it to adjacent VMs in the same network. This makes micro-segmentation the most granular security solution that is currently available.
When service providers design workloads in a traditional firewall application, one of the big risks is that if they need to migrate a workload into a different public cloud or work from different data centre locations, this is a very time-consuming and expensive process. It would be very expensive and time consuming to migrate the whole environment and replicate it in a different data centre, because the application needs to be secured with the similar physical hardware as in the previous situation, including the assignment of new IP addresses and more. With NSX in the fully Software-Defined Data Centre, the whole workload can be spun up in real time in a different public cloud or data centre. Entire workloads can be moved to different geographical locations and among different public cloud infrastructures in minutes and with no downtime. This represents a huge opportunity in cost reductions and improvement of agility. With VMware HCX – Hybrid Cloud Extension – workloads can be moved seamlessly between Data Centres or AWS cloud.
Benefits: segmentation and automation
Security with NSX adds an entire new way of applying and managing security in the data centre for service providers. Three benefits stand out:
1) Consistent enforcement of security controls
NSX Data Centre allows service providers to enforce network security policies across multi-data-centre and hybrid cloud environments to secure traffic between VMs, containers, and bare metal servers, alike, through one single pane of glass.
2) Holistic application visibility
There is a unique visibility into how applications are composed – from network traffic to process-level behaviour on workloads – so that network security policies can be created automatically. Staff can significantly cut down on time spent on reviewing application security.
3) Adaptive network security policies
Security is shifted from a reactive into a proactive process. Security policies can be automatically provisioned for each workload and will remain with the workload. Even when workloads change overtime, the security remains in place.
106% ROI and payback within 6 months
At Insight we believe that the future of the data centre for many service providers lies with NSX, especially as we increasingly move to multi-cloud scenarios and workloads across different platforms and different clouds. The NSX date centre is a very powerful way to enable this. Most service providers are already familiar with VMware and NSX features in their own data centres, but only a small percentage now actually use it to its full extent.
Perhaps software-defined security is not immediately embraced by the majority right now, but this will soon change as the benefits are more widely recognised. And next to the additional security features that cannot be achieved with traditional methods, there is also an attractive financial driver for NSX. Forrester has conducted a study into the Total Economic Impact (TEI) of the virtual cloud network of VMware. They concluded that “deploying a Virtual Cloud Network has the following three-year financial impact: $13.2 million Present Value (PV) in benefits versus costs of $6.4 million, resulting in a net present value (NPV) of $6.8 million and an ROI of 106%.”
Source: Forrester; Total Economic Impact (TEI) of VMware’s NSX virtual cloud network.
What’s next is to bridge the gap between the traditional data centre and new ways of provisioning networking. The adoption of the cloud, new business models, and a proliferation of connected devices and services requires service providers to develop a unified approach to management, automation, and security of their data centres. When hardware becomes obsolete or when support ends, partners are now gradually starting to consider digital enablement and how they can provision that, instead of considering a physical data centre refresh. If you are at that intersection right now, contact us to discuss a Virtual Network Assessment (VNA) of your current workload. A VNA provides you with a clear report on all east-west firewalling and recommendations on how you can implement NSX micro-segmentation and optimise your network. Insight has an international team of cloud service consultants ready to help and optimise the use and costs of your platform. Or to discuss new business models and ways of marketing the service and respond to every challenge.
VMware VCPP editions compared
The NSX Base version which comes with the VMware vCloud Provider Program (VCCP) Advanced Bundle includes VXLAN Service, Point to Site SSL VPN, Site to Site IPsec VPN, Edge Firewall, Edge Load balancing rule pack, Edge Load balancing instance and NAT rules.
NSX Advanced introduces some increased security and network connectivity offerings with network routing services for customer routing, micro-segmented Virtual Machines, layer 2 VXLAN to vLAN connectivity for managing outgrown IP address space without impacting the end user’s existing datacentre network architecture and DHCP ranges as the estate grows. Lastly, server activity monitoring provides essential visibility into the end user’s virtual network to ensure that the organisation’s security is being enforced correctly. Also see the NSX comparison datasheet.