Let me introduce myself …
§ Started as Software Engineer
§ KPN patents
§ Currently Architect
https://www.linkedin.com/in/albertalberts/ @a_w_alberts [email protected]
KPN, the company
§ 33 million subscribers in Netherlands, Germany, Belgium, France and Spain
§ 2.1 million Internet access customers
§ 1 of 15 worldwide VMware showcase partners
• … within the Netherlands;
• Operational maintenance from within the Netherlands under Dutch law and regulations;
• Assurance through the Cloud Compliance Framework (CCF).
[Diagram: Default network setup: front-end & back-end. Elements shown for Datacenter 1 and Datacenter 2: Internet; public network, without NAT(ting); Perimeter ESG (NSX Edge pair, public IP, default GW); transport network; Tenant ESG (private IP); private network, with sNAT(ting); Distributed Logical Router; VMs. A second view shows Tenant A and Tenant B, each with its own Tenant ESG and Distributed Logical Router behind the shared Perimeter ESG.]
Client requirement:
§ NSX
§ Multi-tenancy within NSX
§ Multi-tenant self-service portal
§ Multi-tenant API
§ Integration with vRealize
§ Next Gen Firewall
[Diagram: the same two-datacenter setup with Core Routers in front of the Perimeter ESG pair (NSX Edge pair, public IP, default GW), Tenant ESGs, Distributed Logical Routers and VMs on the transport network; public network, without NAT(ting); private network, with sNAT(ting); note "restriction of 10 connections"; a Management network carrying the NSX Manager config. The second view adds the Fortigate SVM config and a Fortigate-VMX Security Node per datacenter on the Management network.]
[Diagram: orchestration architecture. Legend: = API, = GUI. vRealize Automation: GUI only for KPN administrators, API only via vRO; vRA portal as single "pane of glass" for common configuration tasks. Management plane: Fortigate Service Manager, SVM per datacenter, used for advanced multi-cloud configuration tasks. Control plane: Fortigate-VMX Security Node, VMX per vSphere. Finding: no easy integration with vRealize Automation.]
[Diagram: alternative with a Fortigate Service Manager GUI for each datacenter (interface to the Fortigate Service Manager in datacenter 1 and in datacenter 2). vRealize Automation: GUI only for KPN administrators, API only via vRO. Management plane: Fortigate Service Manager, SVM per datacenter. Control plane: Fortigate-VMX Security Node, VMX per vSphere. Verdict: possible but not preferred.]
[Diagram: alternative with FortiManager. vRealize Automation: GUI only for KPN administrators, API only via vRO; vRA portal for simple tasks (common configuration tasks), FortiManager GUI for more advanced tasks (advanced multi-cloud configuration tasks). Management plane: Fortigate Service Manager, SVM per datacenter. Control plane: Fortigate-VMX Security Node, VMX per vSphere.]
FortiManager solves the dual interface problem but was not available during the PoC. Current status is beta.
PoC results (columns: NSX, Next Gen Firewall)
§ Multi-tenant self-service portal
§ Multi-tenant API
§ Integration with vRealize
Results as shown, in slide order: ✓; ✗ no, this requires developer effort; ✓; ✓ but two self-service portals; ✓ but two interfaces
Expected PoC results with FortiManager (columns: NSX, Next Gen Firewall)
§ Multi-tenant self-service portal
§ Multi-tenant API
§ Integration with vRealize
Results as shown, in slide order: ✓; ✗ plans to build it for most used configs; ✓; ✓; ✓