Friday, October 24, 2014

Trying out VMWare NSX Hands-On-Lab (HOL)

Just did my first lab on VMWare NSX Hands-On-Lab on network virtualization. The task is to create a logical L2 network between 2 VMs, even though they could be separated by underlying L3 physical network and even residing on different clusters. Finally, the lab will bridge the VXLAN logical switch to VLAN 100 on production network.

Let's understand the key NSX components:
  1. NSX Manager is the centralized network management component of NSX, and is installed as a virtual appliance. It provides an aggregated system view.
  2. NSX controller is the central control point for all logical switches within a network and maintains information of all virtual machines, hosts, logical switches, and VXLANs. The controller is running as a VM. For redundancy, a second controller can also serve as a standby VM. The controller supports two new logical switch control plane modes, Unicast and Hybrid. These modes decouple NSX from the physical network. VXLANs no longer require the physical network to support multicast.
  3. NSX Edge provides network edge security and gateway services to isolate a virtualized network and to bridge or route to physical network. You can install NSX edge either as a logical router or a services gateway.
  4. NSX vSwitch replaces the default Virtual Distributed Switch (VDS) on the kernel mode hypervisor on each host.
I won't go through the detailed step-by-step. Rather, I would highlight the high level steps to serve better understanding on the deployment scenario.

Step 0: Preparing the network and clusters. There are 3 clusters of hosts. Compute A and B are 2 clusters are meant for hosting VMs. NSX vSwitch resides on all hypervisors. Other NSX components mentioned above reside on the "Management and Edge Cluster".

Step 1: Enable VXLAN Tunnel End Points (VTEPs) and VXLAN using vSphere client.

Step 2: Create a VXLAN Transport Zone spanning the 3 clusters

Step 3: Create a logical switch and attach it to an NSX Edge. The Edge gateway has an interface of connecting to the transport zone. Note the new L2 logical network ( created in green.

Step 4: Add two Web VMs and their vNICs to the new logical network as shown below. Both static IP and DHCP should work fine on the VMs. Test connectivity between both VMs.

Step 5: Bridging the logical switch to the physical network via NSX Logical Router. In this case, the VXLAN is bridged to VLAN 100 on the production network.

Saturday, October 4, 2014

Windows Azure AD with your Active Directory

I've just watched a Microsoft jump-start video on how to integrate Windows Azure AD (AAD) with your on-premise AD infrastructure. By doing so, your users can experience seamless authentication experience between public Windows Azure (e.g. Office 365, Sharepoint online etc) and on-premise network. Here is the link: AD to Windows Azure AD.
In summary, there are 3 possible options:
1) No integration. Users logon to Azure and on-premise AD separately with different sets of credential.
2) Directory sync (DirSync) only: On-premise AD user accounts and password hashes are synced to Azure. Users logon to both using same set of credential. No Single Sign-On (SSO) between AD and AAD. In other words, users have to authenticate twice, even though they may use the same set of user ids and passwords.
3) AD Federation (ADFS with DirSync): AD user objects (but no password hash) are synced to Azure. Establish one-way federated trust (i.e. Azure trusts your AD). This option supports SSO and even smart card authentication.