Cloud VXLANs and segmentation

The “invisible infrastructure” of VMware cloud is a vision that emphasizes freedom from boundaries

The Virtual Distributed Switch (VDS) abstracts the data center fabric and provides a sea of ports. vCloud Director (VCD) creates an Org Virtual Data Center (VDC), including allocating its compute and storage resources. Tenants/orgs can then provision their own logical network to connect those resources. VCD delegates networking and security control to vShield Manager, which creates a VDS port group backed by a VXLAN, maps the tenant id to the VXLAN segment id, and connects the org's VMs to ports in that port group. vShield Edge additionally provides multicast services, mapping tenant broadcasts onto provider multicast groups (using PIM). The result is VXLAN-backed logical networks that are elastic: vNICs/ports are added and deleted on an as-needed basis.

With networking constraints out of the way, VDCs can now span cluster, pod and subnet boundaries, removing one of the major limitations in the data center.

I covered this in my VMworld 2011 sessions on Penetration Testing the Cloud, with respect to the concerns around segmentation. Risk analysis or threat maps will help refine the topic, but in most cases the best security is the kind that does not impede the business's ability to operate freely. The ultimate security objective, in other words, should be freedom from interference.

While removing these limitations might sound scary at face value, there are many ways to transparently validate that segmentation and controls are still effective, even in a multi-tenant environment. I will be presenting on this again several times in the next few months, and then publishing a book early next year with a toolkit and scripts to help.
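As an added example (not code from this post, nor from VMware's own tooling), here is one form such a segmentation check can take: it parses the VXLAN header of a UDP/4789 payload to recover the 24-bit segment id, then verifies that the inner frame's MACs belong to the org the segment was allocated to. The tenant-to-VNI and MAC-to-org tables are constructed placeholders standing in for what vShield Manager holds.

```python
import struct

VXLAN_FLAG_VNI_VALID = 0x08  # the "I" flag: the VNI field in the header is valid

# Constructed example mappings (assumptions, not real data): which VXLAN segment id
# each org VDC was given, and which org owns each VM vNIC.
TENANT_BY_VNI = {5001: "org-a", 5002: "org-b"}
TENANT_BY_MAC = {
    "00:50:56:aa:00:01": "org-a",
    "00:50:56:aa:00:02": "org-a",
    "00:50:56:bb:00:01": "org-b",
}

def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def build_vxlan(vni: int, dst_mac: str, src_mac: str, inner: bytes = b"") -> bytes:
    """Build a UDP/4789 payload: 8-byte VXLAN header followed by an inner Ethernet frame."""
    header = bytes([VXLAN_FLAG_VNI_VALID, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00"
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    return header + eth + struct.pack("!H", 0x0800) + inner  # 0x0800 = IPv4 ethertype

def parse_vxlan(payload: bytes) -> tuple[int, str, str]:
    """Return (vni, inner_dst_mac, inner_src_mac) from a VXLAN UDP payload."""
    if len(payload) < 8 + 14:
        raise ValueError("too short for a VXLAN header plus inner Ethernet header")
    if not payload[0] & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VXLAN I flag not set; VNI field is not valid")
    vni = int.from_bytes(payload[4:7], "big")  # bytes 4-6 carry the 24-bit segment id
    return vni, mac_str(payload[8:14]), mac_str(payload[14:20])

def check_segmentation(payload: bytes) -> list[str]:
    """Flag frames whose inner MACs belong to an org other than the one owning the VNI.
    MACs not in the inventory (e.g. the broadcast address) are not judged."""
    vni, dst, src = parse_vxlan(payload)
    owner = TENANT_BY_VNI.get(vni)
    if owner is None:
        return [f"VNI {vni}: not allocated to any org VDC"]
    findings = []
    for role, mac in (("src", src), ("dst", dst)):
        tenant = TENANT_BY_MAC.get(mac)
        if tenant is not None and tenant != owner:
            findings.append(f"VNI {vni} ({owner}): inner {role} MAC {mac} belongs to {tenant}")
    return findings
```

Run over mirrored VTEP traffic, an empty finding list per frame is the evidence that tenant traffic stays inside its own segment.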
