You want micro-segmentation? vRealize Network Insight is your friend!
As many of you have probably heard, in June 2016 VMware acquired Arkin Net. Arkin Net offers 360 degree visibility, enables faster deployments via micro-segmentation planning, and delivers significantly lower time to resources, leveraging constructs like ‘time machine’, natural language search, and contextual analytics. Now 2 months later the impact and position is visible, VMware will be incorporating Arkin Net with its vRealize Cloud Management platform. Under its new name, vRealize Network Insight, VMware vRealize Suite will have the ability to extend across the entire SDDC, including the VMware NSX network virtualization layer.
vRealize Network Insight has three primary use cases:
- Micro-segmentation planning/Security analysis.
- 360-degree Network visibility.
- NSX (Advanced) Operations.
Many customers like the idea of micro-segmentation but have no idea how their servers/services communicate. But this information is essential when configuring micro-segmentation. So how do you gather how servers communicate, over which ports, through which network devices? The answer is simple, vRealize Network Insight is your friend!
Network Insight offers rich traffic analytics, for determining where there are network security and segmentation weaknesses within vSphere infrastructures. Based on these weaknesses, Network Insight provides recommendations utilizing NSX micro-segmentation best practice network designs. Network Insight collects this traffic data from vSphere hosts, with the enablement of the IP Fix (Netflow) traffic accounting data. There is a simple GUI within Network Insight for selecting the traffic to be collected on a per vDS basis.
Proactive problem identification to troubleshoot issues in the SDDC Network.
Network Insight offers end to end 360-degree visibility of traffic conversations and traffic paths with combined overlay (virtual) and underlay (physical) topology views. With this information you can easily determine how to setup micro-segmentation. Network Insight detects out of how many components a service consists, how they communicate, outgoing/incoming traffic, the volume of the communication and eventually does a firewall recommendation on how to setup your micro-segmentation.
Besides that Network Insight reports on the amount of East-West, switched traffic (% of EW) and routed traffic (% of EW). This information can be very useful when assessing the use of NSX logical distributed routing. If the amount of routed traffic is high, this means that a large amount of traffic has to leave the vSphere infrastructure, go to a router device and return again. This can be optimised using NSX logical distributed routing.
360-degree Network visibility
VMware vRealize Network Insight is an Intelligent Security and Operations Management solution for the network. If you are not looking for micro-segmentation or if micro-segmentation is already in place, Network Insight provides 360 degree visibility across virtual and physical network using network flow analytics.
Network Insight leverages the rich metadata from NSX and provides real-time metrics and analytics. Including details of virtual machines, network streams, overlay-to-underlay mappings, and firewall rules. All within the context of an application-centric approach. By correlating the cross-domain data, operations teams have full context and visibility of traffic flows while monitoring and troubleshooting issues.
Network Insight can deliver detailed reports on port flow, routing information, micro-segmentation setup and nesting. You can also report on all services in a VLAN, the amount of traffic produced and top consumers on that VLAN. So any information needed for smooth operation of your physical or virtual network, Network Insight can deliver.
Probably one of the coolest features (for me, as a non-network guy) is the ability to do a ‘visual trace route’. Just select multiple network objects (servers, security groups) and trace how they communicate with each other and map that out in a nice and clear diagram.
Network Insight discovers the topology dynamically by crawling the network from source to destination and plotting the information on the diagram. The cool thing is, that the crawl results are based on realtime configuration information of every component and device in the path. Once the diagram is ready, you can drill down to see all underlying information.
NSX Advanced Operations
When you’ve got micro-segmentation up-and-running, you can continue using Network Insight for NSX operations. An intuitive search based interface to search datacenter information enables advanced NSX Operations Management with configuration synchronization and error checking, relationship mapping between NSX services and vSphere hosts, and CLI scrapping for extracting routing and firewall tables.
Besides day-to-day operations and quick root cause analysis, Network Insight can be used for validation and compliance checking.Network Insight checks for best practices and problems to reports on any abnormalities.
Beyond these day-to-day operations, Network Insight also automates auditing and compliance for NSX. Network Insight continuously tracks and analyzes the relationships between virtual machines and security groups. Any deviation from the desired compliance state is instantly logged and an alert generated.
Eg. you can report when firewall rules are changed or membership of a security group is changed.
First download vRealize Network Insight from your My VMware Portal.
Two appliances have to be deployed:
- vRealize Network Insight Platform: 8 vCPU, 32 GB RAM, 750 GB disk.
- vRealize Network Insight Proxy: 4 vCPU, 10 GB RAM, 150 GB disk.
vRealize Network Insight does support multiple vCenter Servers and NSX Managers, so you can create a single pain of glass across all of these.