Functional components of VMWare NSX

Today we are going to talk about the VMWare NSX functional components. We are writing this article because there have been so many requests for a step-by-step explanation: NSX is one of the most in-demand technologies in the datacenter and competes with Cisco ACI in the datacenter portfolio.

We know most of you are already aware of most of the material in VMware NSX, but this article is mainly for datacenter beginners who want to understand VMware NSX in detail.

The NSX platform consists of multiple components, responsible for platform management, traffic control, and service delivery. The following sections detail their functional and operational specifics.

NSX logical networks leverage two types of access layer entities – the hypervisor access layer and the gateway access layer. The hypervisor access layer represents the point of attachment to the logical networks for virtual endpoints. 

We will talk about the following components:

  • VMWare NSX Manager
  • VMWare NSX Controller Cluster
  • VMWare NSX VXLAN Primer
  • VMWare NSX ESXi Hypervisors with VDS
  • VMWare NSX Edge services Gateway
  • VMWare NSX Transport Zone
  • VMWare NSX Distributed Firewall

Let's go through them one by one in a little detail to understand the features of each.

VMWare NSX Manager
NSX manager is tightly connected to the vCenter Server managing the compute infrastructure. NSX manager is the management plane virtual appliance. It serves as the entry point for the NSX REST API, which helps automate deployment and management of the logical networks.

Fig 1.1- Functional Components of VMWare NSX

NSX manager provides the networking and security plugin for the vCenter Web UI that enables administrators to configure and control NSX functionality.

NSX Manager is responsible for the deployment of the controller clusters and ESXi host preparation. The host preparation process installs various vSphere Installation Bundles (VIBs) to enable VXLAN, distributed routing, distributed firewall and a user world agent for control plane communications.

NSX manager also ensures security of the control plane communication of the NSX architecture. It creates self-signed certificates for the nodes of the controller cluster and ESXi hosts that should be allowed to join the NSX domain.

VMWare NSX Controller Cluster
The controller cluster in the NSX platform is the control plane component responsible for managing the hypervisor switching and routing modules. The use of a controller cluster to manage VXLAN-based logical switches eliminates the need for multicast configuration at the physical layer for the VXLAN overlay.

NSX controller cluster represents a scale-out distributed system, where each controller node is assigned a set of roles that define the type of tasks the node can implement.

The workload of each role is divided into slices that are distributed across the cluster nodes. In the case of failure of a controller node, the slices owned by that node are reassigned to the remaining members of the cluster. In order for this mechanism to be resilient and deterministic, one of the controller nodes is elected as a master for each role.

The master is responsible for allocating slices to individual controller nodes, determining when a node has failed, and reallocating the slices to the other nodes. 

The master also informs the ESXi hosts about the failure of the cluster node so that they can update their internal node ownership mapping.

As for the controller nodes themselves, they are deployed as virtual appliances from the NSX manager UI. Each appliance communicates via a distinct IP address. While often located in the same subnet as the NSX manager, this is not a hard requirement.
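The slice allocation and failover behaviour described in the controller cluster section, as an added example that is not code from the article or from VMware. It models one role's master: slices are allocated round-robin, a node failure reassigns only the orphaned slices to the least-loaded surviving nodes (ties broken by node name, so the result is deterministic), and the master publishes the new ownership mapping that the ESXi hosts use. Node names, the slice count and the allocation policy are constructed for illustration.

```python
# Added example (not VMware's code): a model of controller-cluster slicing and
# master-driven reassignment on node failure.


class RoleMaster:
    """The controller node elected master for one role (for example the VXLAN role).

    Constructed model: the role's work is split into numbered slices, the master
    allocates slices to alive nodes, reallocates only orphaned slices when a node
    fails, and publishes the ownership mapping that the ESXi hosts rely on.
    """

    def __init__(self, role, nodes, slice_count):
        self.role = role
        self.alive = list(nodes)
        # Initial allocation: round-robin, so every node carries an equal share.
        self.owner = {s: self.alive[s % len(self.alive)] for s in range(slice_count)}
        self.host_mapping = {}  # the slice -> node view pushed to the ESXi hosts
        self._publish()

    def _publish(self):
        """Inform the hosts so they update their internal node ownership mapping."""
        self.host_mapping = dict(self.owner)

    def load(self, node):
        """Number of slices currently owned by a node."""
        return sum(1 for n in self.owner.values() if n == node)

    def slices_of(self, node):
        return sorted(s for s, n in self.owner.items() if n == node)

    def node_failed(self, node):
        """Reassign the failed node's slices to the least-loaded surviving nodes.

        Deterministic: ties break on node name, and slices owned by healthy nodes
        never move, so any controller replaying the same events reaches the same
        allocation. Returns the list of slices that were moved.
        """
        self.alive.remove(node)
        orphaned = sorted(s for s, n in self.owner.items() if n == node)
        for s in orphaned:
            self.owner[s] = min(self.alive, key=lambda n: (self.load(n), n))
        self._publish()
        return orphaned


if __name__ == "__main__":
    master = RoleMaster("vxlan", ["ctrl-1", "ctrl-2", "ctrl-3"], slice_count=9)
    print("before failure:", master.owner)
    print("moved slices:", master.node_failed("ctrl-2"))
    print("after failure:", master.host_mapping)
```

Only the failed node's slices move; the remaining nodes keep what they had, which is what keeps the hosts' ownership mapping churn small during a failover.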

VMWare NSX VXLAN Primer
The VXLAN primer covers how VXLAN works and why VXLAN is required in the datacenter environment. VXLAN is a L2 over L3 (L2oL3) encapsulation technology.

The original Ethernet frame generated by a workload is encapsulated with external VXLAN, UDP, IP and Ethernet headers to ensure it can be transported across the network infrastructure interconnecting the VXLAN endpoints. NSX uses 8472 as the destination port value for the external UDP header. This differs from the IANA assigned number for VXLAN, which is 4789.

The source and destination IP addresses used in the external IP header uniquely identify the ESXi hosts originating and terminating the VXLAN encapsulation of frames. Those are usually referred to as VXLAN Tunnel Endpoints (VTEPs). The MTU for the VDS uplinks of the ESXi hosts performing VXLAN encapsulation is automatically increased when preparing the host for VXLAN.
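The encapsulation described in the VXLAN primer, built and parsed in code, as an added example that is not code from the article or from VMware. It wraps a constructed inner Ethernet frame in VXLAN, UDP, IPv4 and Ethernet headers, using the UDP destination port the article says NSX uses (8472) and the IANA port (4789) for comparison, and it computes the uplink MTU needed so a full-size inner frame is not fragmented. VTEP addresses, MAC addresses, the VNI and the inner frame are constructed sample values.

```python
# Added example (not VMware's code): VXLAN encapsulation/decapsulation and the
# MTU arithmetic behind the automatic VDS uplink MTU increase.
import struct
from ipaddress import IPv4Address

NSX_VXLAN_UDP_PORT = 8472    # destination port NSX uses (from the article)
IANA_VXLAN_UDP_PORT = 4789   # IANA-assigned VXLAN port
VXLAN_FLAG_VNI_VALID = 0x08  # the "I" flag: VNI field is valid
ETH_HDR, IP_HDR, UDP_HDR, VXLAN_HDR = 14, 20, 8, 8
ENCAP_HDRS = IP_HDR + UDP_HDR + VXLAN_HDR  # 36 bytes added on top of the inner frame

# Constructed sample values (not real infrastructure addresses).
VTEP_A_IP, VTEP_B_IP = "10.20.0.11", "10.20.0.12"
VTEP_A_MAC, VTEP_B_MAC = bytes.fromhex("005056a10001"), bytes.fromhex("005056a10002")
INNER_FRAME = (bytes.fromhex("005056000014") + bytes.fromhex("00505600000a")
               + b"\x08\x00" + b"constructed inner payload")


def required_uplink_mtu(inner_mtu=1500):
    """Smallest uplink MTU that carries a full-size inner frame without fragmentation.

    The inner frame's own 14-byte Ethernet header travels as payload, so it counts
    against the outer MTU; the outer Ethernet header does not (MTU is an L3 size).
    """
    return inner_mtu + ETH_HDR + ENCAP_HDRS  # 1500 + 14 + 36 = 1550


def _ipv4_checksum(header):
    """Standard one's-complement checksum over a 20-byte IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def encapsulate(inner_frame, vni, src_vtep, dst_vtep, src_mac, dst_mac,
                udp_dst_port=NSX_VXLAN_UDP_PORT, udp_src_port=49152, ttl=64):
    """Wrap an Ethernet frame in VXLAN / UDP / IPv4 / Ethernet headers."""
    if not 0 <= vni < 1 << 24:
        raise ValueError("VNI is a 24-bit field")
    vxlan = struct.pack("!B3xI", VXLAN_FLAG_VNI_VALID, vni << 8)  # VNI sits in the top 24 bits
    udp_len = UDP_HDR + VXLAN_HDR + len(inner_frame)
    udp = struct.pack("!HHHH", udp_src_port, udp_dst_port, udp_len, 0)  # checksum 0 = none (IPv4)
    ip_no_csum = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR + udp_len, 0, 0x4000,  # DF set
                             ttl, 17, 0, IPv4Address(src_vtep).packed, IPv4Address(dst_vtep).packed)
    ip = ip_no_csum[:10] + struct.pack("!H", _ipv4_checksum(ip_no_csum)) + ip_no_csum[12:]
    return dst_mac + src_mac + b"\x08\x00" + ip + udp + vxlan + inner_frame


def udp_dst_port_of(packet):
    """Outer UDP destination port, the field a VTEP uses to recognise VXLAN traffic."""
    return struct.unpack("!H", packet[ETH_HDR + IP_HDR + 2:ETH_HDR + IP_HDR + 4])[0]


def decapsulate(packet, expected_udp_port=NSX_VXLAN_UDP_PORT):
    """Validate the outer headers and return (vni, src_vtep, dst_vtep, inner_frame)."""
    if packet[12:14] != b"\x08\x00":
        raise ValueError("outer frame is not IPv4")
    ip = packet[ETH_HDR:ETH_HDR + IP_HDR]
    if ip[0] != 0x45 or ip[9] != 17:
        raise ValueError("outer packet is not option-less IPv4 carrying UDP")
    if _ipv4_checksum(ip) != 0:  # a correct header sums to zero
        raise ValueError("bad outer IPv4 checksum")
    udp = packet[ETH_HDR + IP_HDR:ETH_HDR + IP_HDR + UDP_HDR]
    _, dst_port, udp_len, _ = struct.unpack("!HHHH", udp)
    if dst_port != expected_udp_port:
        raise ValueError("UDP port %d is not the expected VXLAN port %d" % (dst_port, expected_udp_port))
    start = ETH_HDR + IP_HDR + UDP_HDR
    flags, vni_field = struct.unpack("!B3xI", packet[start:start + VXLAN_HDR])
    if not flags & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VXLAN I flag not set")
    inner = packet[start + VXLAN_HDR:ETH_HDR + IP_HDR + udp_len]
    if len(inner) != udp_len - UDP_HDR - VXLAN_HDR:
        raise ValueError("truncated VXLAN packet")
    return vni_field >> 8, str(IPv4Address(ip[12:16])), str(IPv4Address(ip[16:20])), inner


if __name__ == "__main__":
    pkt = encapsulate(INNER_FRAME, 5001, VTEP_A_IP, VTEP_B_IP, VTEP_A_MAC, VTEP_B_MAC)
    print("outer packet bytes:", len(pkt), "inner frame bytes:", len(INNER_FRAME))
    print("decoded:", decapsulate(pkt)[:3], "uplink MTU needed:", required_uplink_mtu())
```

A VTEP expecting port 8472 rejects a packet sent to 4789 and vice versa, which is why the NSX port choice matters when the same fabric carries VXLAN from other sources; and with the DF bit set in the outer header, an uplink MTU below 1550 simply drops full-size frames instead of fragmenting them.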

VMWare NSX ESXi Hypervisors with VDS
Let’s talk about the ESXi hypervisor with VDS services. As you know, VDS is a building block of the overall NSX architecture. VDS is now available on all VMware ESXi hypervisors, so its control and data plane interactions are central to the entire NSX architecture.

The message bus is used by the NSX manager to send various information to the ESXi hosts, including policy rules that need to be programmed on the distributed firewall in the kernel, private keys and host certificates to authenticate the communication between hosts and controllers, controller node IP addresses, and requests to create/delete distributed logical router instances.

The so-called netcpa (the user world agent installed during host preparation) establishes TCP over SSL communication channels to the controller cluster nodes. Controller nodes leverage this control-plane channel with the ESXi hypervisors to populate local tables.

VMWare NSX Edge Services Gateway
After the VXLAN primer and the VDS services, the next component is the NSX Edge services gateway. NSX Edge is a multi-function, multi-use VM appliance for network virtualization.

Its deployment varies based on its use, placement in the topology, elastic performance requirements, and stateful services such as load balancer, firewall, VPN, and SSL. The Edge VM supports two distinct modes of operation. The first is active-standby, in which all services are available.

The second mode is ECMP mode, which provides high bandwidth (up to eight Edge VMs supporting up to 80 GB of traffic per DLR) and faster convergence. In ECMP mode, only the routing service is available. Stateful services cannot be supported because of the asymmetric routing inherent in ECMP-based forwarding.
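Why ECMP mode rules out stateful services, shown in code, as an added example that is not from the article or from VMware. In ECMP the DLR picks one of the Edges for southbound-to-northbound traffic and the physical router picks one for the return direction, each with its own hash over the flow's addresses and ports. The two hash functions below are hypothetical stand-ins (real ones are vendor-specific); the point they demonstrate is that the two devices choose independently, so a connection's two directions can land on different Edge VMs and a per-Edge state table never sees both halves. The flow addresses and ports are constructed.

```python
# Added example (not VMware's code): asymmetric paths under ECMP versus a single
# active Edge, and what that does to a stateful firewall on the Edge.
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int

    def reverse(self):
        """The return direction of the same connection."""
        return Flow(self.dst_ip, self.src_ip, self.dst_port, self.src_port)


def _octet_sum(ip):
    return sum(int(o) for o in ip.split("."))


def dlr_ecmp_hash(flow, n_edges):
    """Hypothetical 5-tuple hash the DLR applies when spraying flows over Edges."""
    return (_octet_sum(flow.src_ip) * 3 + _octet_sum(flow.dst_ip) * 5
            + flow.src_port * 7 + flow.dst_port * 11) % n_edges


def physical_router_ecmp_hash(flow, n_edges):
    """Hypothetical hash of the upstream physical router; unrelated to the DLR's."""
    return (_octet_sum(flow.src_ip) * 13 + _octet_sum(flow.dst_ip)
            + flow.src_port + flow.dst_port * 3) % n_edges


class StatefulEdge:
    """An Edge running a stateful firewall with its own, local connection table."""

    def __init__(self, name):
        self.name = name
        self.conntrack = set()

    def inspect(self, flow, syn):
        if syn:                       # new connection: create state, allow it
            self.conntrack.add(flow)
            return "allow"
        if flow in self.conntrack or flow.reverse() in self.conntrack:
            return "allow"            # belongs to a connection this Edge has seen
        return "drop"                 # mid-connection packet with no state here


def ecmp_path(flow, n_edges=8):
    """(forward Edge index chosen by the DLR, return Edge index chosen by the router)."""
    return dlr_ecmp_hash(flow, n_edges), physical_router_ecmp_hash(flow.reverse(), n_edges)


def simulate_ecmp(flow, n_edges=8):
    """SYN goes out via the DLR's choice; the SYN-ACK comes back via the router's."""
    edges = [StatefulEdge("edge-%d" % i) for i in range(n_edges)]
    fwd, ret = ecmp_path(flow, n_edges)
    syn_verdict = edges[fwd].inspect(flow, syn=True)
    synack_verdict = edges[ret].inspect(flow.reverse(), syn=False)
    return fwd, ret, syn_verdict, synack_verdict


def simulate_active_standby(flow):
    """One active Edge forwards both directions, so its state table is complete."""
    edge = StatefulEdge("edge-active")
    return edge.inspect(flow, syn=True), edge.inspect(flow.reverse(), syn=False)


# Constructed sample connection: a workload behind the DLR opening HTTPS outbound.
SAMPLE_FLOW = Flow("10.1.1.10", "192.0.2.20", 40000, 443)

if __name__ == "__main__":
    print("ECMP (fwd edge, ret edge, SYN, SYN-ACK):", simulate_ecmp(SAMPLE_FLOW))
    print("active-standby (SYN, SYN-ACK):", simulate_active_standby(SAMPLE_FLOW))
```

With eight Edges the sample connection leaves through edge 1 and returns through edge 7, whose table has no entry, so the SYN-ACK is dropped; the same exchange through a single active Edge is allowed in both directions. This is why NSX restricts ECMP mode to routing and keeps firewall, NAT, load balancing and VPN on the active-standby model.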

The NSX Edge provides centralized on-ramp/off-ramp routing between the logical networks deployed in the NSX domain and the external physical network infrastructure. The NSX Edge supports various dynamic routing protocols (e.g., OSPF, iBGP, eBGP) and can also leverage static routing. The routing capability supports two models: active-standby with stateful services, and ECMP.

NSX supports NAT; firewall (the Distributed Firewall is enabled in the kernel of the ESXi hosts); load balancing; L2 and L3 Virtual Private Networks (VPNs); and DHCP, DNS and IP Address Management (DDI) services.

VMWare NSX Transport Zone
Transport Zone defines a collection of ESXi hosts that can communicate with each other across a physical network infrastructure. This communication happens over one or more interfaces defined as VXLAN Tunnel Endpoints (VTEPs).

Transport Zone extends across one or more ESXi clusters and commonly defines a span of logical switches. The relationship existing between the Logical Switch, VDS, and Transport Zone is central to this concept.

VMWare NSX Distributed Firewall (DFW)
NSX DFW provides L2-L4 stateful firewall services to any workload in the NSX environment. DFW runs in the kernel space and provides near line rate network traffic protection. DFW performance and throughput scale linearly through addition of new ESXi hosts.

One DFW instance is created per VM vNIC; for example, if a new VM with 3 vNICs is created, 3 instances of DFW will be allocated to this VM. Configuration of these DFW instances can be identical or different based on the “apply to” setting. 

When a DFW rule is created, the user can select a Point of Enforcement (PEP) for this rule, with options varying from Logical Switch to vNIC. By default, “apply to” is not selected, so DFW rules are propagated down to all the ESXi hosts that are part of the NSX domain and have been prepared for enforcement, and applied to all the connected virtual machines.

Fig 1.2- NSX Distributed Firewall

NSX DFW operates at the VM vNIC level; therefore, a VM is always protected irrespective of topology. VMs can be connected to a VDS VLAN-backed port group or to a Logical Switch (i.e., VXLAN-backed port-group). ESG Firewall can also be used to protect workloads sitting on physical servers and appliances (e.g., NAS).
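The per-vNIC DFW instances, the “apply to” point of enforcement and vNIC-level evaluation from the DFW section, modelled in code as an added example that is not from the article or from VMware. A rule with no “apply to” lands on every vNIC in the prepared domain; a rule scoped to a Logical Switch, VM or vNIC is programmed only on matching instances; each instance evaluates first-match in global rule order, and a vNIC on a VLAN-backed port group is protected the same way as one on a Logical Switch. The inventory, the rules, the rule-matching fields and the default action parameter are constructed for illustration.

```python
# Added example (not VMware's code): a model of DFW instances per vNIC, the
# "apply to" setting, and first-match evaluation at the vNIC.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class VNic:
    vm: str
    name: str          # DFW instance identifier, e.g. "app-01/vnic1"
    ip: str
    attached_to: str   # Logical Switch (VXLAN-backed) or VLAN-backed port group
    host: str


@dataclass(frozen=True)
class Rule:
    rule_id: int
    src: str                          # "any" or an IPv4 CIDR
    dst: str
    proto: str                        # "any", "tcp", "udp" or "icmp"
    dport: Optional[int]              # None = any port
    action: str                       # "allow" or "block"
    apply_to: frozenset = frozenset()  # empty = default: every prepared host and vNIC


def enforcement_points(rule, vnics):
    """The vNIC instances that receive this rule, per its 'apply to' setting."""
    if not rule.apply_to:
        return list(vnics)
    return [v for v in vnics if {v.attached_to, v.vm, v.name} & rule.apply_to]


def program_dfw(rules, vnics):
    """One DFW instance (an ordered rule table) per vNIC, keeping global rule order."""
    tables = {v.name: [] for v in vnics}
    for rule in rules:
        for v in enforcement_points(rule, vnics):
            tables[v.name].append(rule)
    return tables


def _in_scope(spec, ip):
    return spec == "any" or ip_address(ip) in ip_network(spec)


def _matches(rule, pkt):
    return (_in_scope(rule.src, pkt["src"]) and _in_scope(rule.dst, pkt["dst"])
            and rule.proto in ("any", pkt["proto"])
            and rule.dport in (None, pkt.get("dport")))


def evaluate(instance_rules, pkt, default_action="allow"):
    """First matching rule wins; default_action applies when nothing matches."""
    for rule in instance_rules:
        if _matches(rule, pkt):
            return rule.rule_id, rule.action
    return None, default_action


# Constructed inventory: app-01 has two vNICs, one on a Logical Switch and one on
# a VLAN-backed port group, so it gets two DFW instances.
VNICS = [
    VNic("web-01", "web-01/vnic0", "10.10.1.11", "LS-Web", "esx-01"),
    VNic("app-01", "app-01/vnic0", "10.10.2.21", "LS-App", "esx-02"),
    VNic("app-01", "app-01/vnic1", "172.16.9.21", "VLAN-Backup", "esx-02"),
    VNic("db-01", "db-01/vnic0", "10.10.3.31", "LS-DB", "esx-02"),
]

# Constructed policy: scoped allows per tier, then a domain-wide block (no "apply to").
RULES = [
    Rule(1, "any", "10.10.1.0/24", "tcp", 443, "allow", frozenset({"LS-Web"})),
    Rule(2, "10.10.1.0/24", "10.10.2.0/24", "tcp", 8443, "allow", frozenset({"LS-Web", "LS-App"})),
    Rule(3, "10.10.2.0/24", "10.10.3.0/24", "tcp", 3306, "allow", frozenset({"LS-DB"})),
    Rule(4, "any", "any", "any", None, "block"),
]

TABLES = program_dfw(RULES, VNICS)

if __name__ == "__main__":
    for name, rules in TABLES.items():
        print(name, "->", [r.rule_id for r in rules])
    print(evaluate(TABLES["db-01/vnic0"],
                   {"src": "10.10.2.21", "dst": "10.10.3.31", "proto": "tcp", "dport": 3306}))
```

Scoping rule 3 to LS-DB means the db tier's vNIC is the only place it is programmed, which keeps every other instance's table short; rule 4 with no “apply to” reaches all four instances, including the VLAN-backed backup vNIC, so traffic reaching app-01 over the VLAN is filtered even though that segment is not a Logical Switch.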