
Micro-segmentation, along with our other key product, the cloud orchestrator Nutanix Calm, is one of the most important innovations in the AOS 5.5 release (codename Obelix), which came out in late December.
Since Microsegmentation is too long a name for a commercial product, as a product this technology will be called Nutanix Flow.
In release 5.5, as is our custom, we presented the Tech Preview, a kind of “gamma” version for evaluation in a test environment; in the next update, 5.5.1, due at the end of February or in March, micro-segmentation will be announced as final, a “production-ready” release.
Nutanix Microsegmentation (Flow) can be thought of as a distributed firewall for virtual machines built into the AHV virtualization system, protecting virtual machines inside the infrastructure “cloud”.
In the usual scheme, an external firewall protects the “perimeter” of the cloud, while inside the cloud network protection is, as a rule, either quite primitive or absent altogether, so “malware” that gets inside the cloud space has every opportunity to “walk around the buffet” of weak VMs and intercept any traffic. Nutanix proposes to protect not only the infrastructure perimeter but the entire infrastructure, every virtual machine, with protection that is built in, easily configured using groups of VMs and destinations, and policies that do not use an overlay network mechanism such as VXLAN and do not require reconfiguration of network equipment.

You might argue that, if necessary, VM groups can be isolated using VLANs. However, as any network engineer will confirm, for an infrastructure of even a few dozen VMs, configuring, and then maintaining over the normal life of a farm of virtualization hosts, a complex scheme of dozens of VLAN segments soon turns into a serious headache. And that is to say nothing of hundreds or thousands of virtual machines migrating between dozens of hosts in a data center depending on their load, or even moving between data centers!
Today in big business, and not only in hosting, this is already a reality.
It would be great to bind a network segment not at the level of an external switch but by applying a policy to a specific VM in the virtualization environment! And, of course, such solutions have begun to appear. The best known is VMware NSX, which, despite its high price and complexity, has found its place on the market, although the complexity of implementation, as well as the price, make it difficult to use widely.
In this area Nutanix, as with our AHV hypervisor, took the approach of implementing the most requested functionality first, rather than trying to build a “Swiss army knife” (which, let's be honest, usually isn't much of a knife). That is why, having looked at which NSX functionality is used most by users of virtual environments, we set about building our own take on it.

So, Nutanix Flow is our own implementation of the micro-segmentation concept for our AHV hypervisor, and so far only for it. If you use vSphere as the hypervisor on Nutanix, NSX is for you. We would like to implement Flow for vSphere, but for now that is not in the near-term plans.
Since Flow is a purely software implementation, it will also work on products from our OEM partners, such as Dell XC, Lenovo HX and so on, including software-only installations.
To use Flow you need AOS 5.5 or newer, the latest version of AHV, and Prism Central, our free administration tool that runs as a VM appliance, for example in the Nutanix environment. Although Flow is “built into the core” of AOS and will work even without Prism Central, Prism Central is needed to configure policies.
The main features of Flow are:
- A distributed stateful firewall integrated into the AHV core, with minimal CPU and memory overhead during operation.
- Centralized management of this firewall built into Prism Central, using a policy map that is automatically updated during the application and VM lifecycle.
- Built-in visualization of rules and applicable policies.
- The ability to configure service chaining, for example to redirect network flows to monitoring systems, firewalls or antivirus products, put VMs or groups of them into quarantine simply by assigning a policy to the group, and so on.
How is a policy formed and assigned to a virtual machine? Unlike the classic firewall rule, which consists of a source IP address/port, destination IP address/port and protocol, i.e. is tied to IP addresses, Nutanix Flow is based on the concept of “application groups”. You create (or pick from the pre-installed ones) an AppType category (for example AppType: Microsoft Exchange), then supplement it with an AppTier category (for example AppTier: Edge Transport Server or AppTier: Mailbox Server), and finally associate the VM with the appropriate categories into a group, which you later assign to a policy. In a policy you define inbound flows, which can be limited to a set of sources, for example other groups and categories, and also outbound flows. The latter are open by default, but you can also restrict them to groups and categories.

There are three types of policies in Nutanix Flow: Application policies, Isolation policies and Quarantine policies.
The first, the application policy, is used to protect an application in its VMs by selectively allowing inbound and outbound flows to and from the application.
The second, the isolation policy, is used to isolate all traffic between groups, for example to separate the group “DevTest” from “Production”, “HR” from “Finance” or “MoscowDC” from “StPetersburgDC”.
Finally, the third, the quarantine policy, is used to completely isolate a group or container from all other VMs and applications, for example when investigating a hacking incident, a suspected virus, and so on.
Policies can be combined, and their priority when combined is: Quarantine, then Isolation, then Application. So, for example, assigning a quarantine policy immediately overrides all lower-priority Isolation and Application policies as soon as it is applied.

Complex combinations of policies are made easier by a special monitoring mode, in which created policies are applied in a test mode that lets you verify the settings are correct before actually enforcing them.
And, of course, our policy visualization interface makes configuring and assigning policies easier.

For example, we want the HR unit in the San Jose group to be allowed to send e-mail to the Edge server via the SMTP port. The required policy in the visual editor will look like this:

And if we want to pass outbound traffic through a service chain, for example through an application-level firewall, simply enable it by ticking the “Redirect through service” checkbox below and selecting the desired firewall from the list.
Nutanix Flow does not use overlay networks such as VXLAN, which greatly simplifies configuration and use, and it does not require a separate SDN controller. All work is done at standard network layers. For example, the firewall in Flow runs at L4 (TCP) and performs stateful inspection of network traffic from L2 to L4 inclusive. If you need deeper inspection above L4, integration with third-party products is possible; for example, joint operation with the Palo Alto Networks (PANW) VM-Series firewall has been implemented to control traffic up to the application layer (L7). If the user has already deployed their own firewall products, they can continue to work in parallel with Flow.
Usually, to begin using Flow no changes to the network topology are required if it is already configured. All Flow operations occur within the virtual infrastructure, on the AHV vSwitch. Policies assigned to a VM continue to apply even if the VM's IP address changes (ARP is used to identify the VM and its new IP and to update the policy), and if the VM is migrated to another host.
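As an added illustration (not Nutanix code and not the Flow policy engine itself), the following Python model captures the policy evaluation described above: VMs carry categories, a group is a set of category values, and a flow is decided with the precedence Quarantine, then Isolation, then Application, with the inbound allowlist and outbound-open-by-default behaviour from the policy description. The VM names, category values and policies are constructed for the example; the SMTP case is the “HR in San Jose to the Edge server” scenario.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
Group = Dict[str, str]          # category -> value, e.g. {"AppType": "Exchange"}
Rule = Tuple[Group, str, int]   # (peer group, protocol, port)

@dataclass
class VM:
    name: str
    categories: Group
@dataclass
class AppPolicy:                # inbound allowlist for the target; outbound open unless listed
    target: Group
    inbound: List[Rule]
    outbound: Optional[List[Rule]] = None
@dataclass
class IsolationPolicy:          # no traffic in either direction between groups a and b
    a: Group
    b: Group
@dataclass
class QuarantinePolicy:         # members are cut off from everything
    group: Group

def in_group(vm: VM, group: Group) -> bool:   # a VM is in a group when it carries all its categories
    return all(vm.categories.get(k) == v for k, v in group.items())
def rule_matches(peer: VM, proto: str, port: int, rules: List[Rule]) -> bool:
    return any(in_group(peer, g) and pr == proto and pt == port for g, pr, pt in rules)
def allowed(src: VM, dst: VM, proto: str, port: int, policies: list) -> bool:
    """Decide one flow with the precedence Quarantine > Isolation > Application."""
    for p in policies:                       # 1. quarantine: either end quarantined -> drop
        if isinstance(p, QuarantinePolicy) and (in_group(src, p.group) or in_group(dst, p.group)):
            return False
    for p in policies:                       # 2. isolation: groups a and b never talk
        if isinstance(p, IsolationPolicy) and ((in_group(src, p.a) and in_group(dst, p.b))
                                               or (in_group(src, p.b) and in_group(dst, p.a))):
            return False
    for p in policies:                       # 3. application: inbound allowlist, outbound open by default
        if isinstance(p, AppPolicy):
            if in_group(dst, p.target) and not rule_matches(src, proto, port, p.inbound):
                return False
            if in_group(src, p.target) and p.outbound is not None \
                    and not rule_matches(dst, proto, port, p.outbound):
                return False
    return True

# Constructed sample: HR in San Jose may send SMTP to the Exchange Edge tier; HR and Finance are isolated.
HR_SJ, FIN_SJ = {"Department": "HR", "Location": "SanJose"}, {"Department": "Finance", "Location": "SanJose"}
EDGE = {"AppType": "Exchange", "AppTier": "Edge Transport Server"}
HR_VM, FIN_VM, EDGE_VM = VM("hr-01", dict(HR_SJ)), VM("fin-01", dict(FIN_SJ)), VM("exch-edge-01", dict(EDGE))
POLICIES = [AppPolicy(EDGE, inbound=[(HR_SJ, "tcp", 25)]), IsolationPolicy(HR_SJ, FIN_SJ)]
```

Adding a QuarantinePolicy for a category such as Quarantine: Default and tagging a VM with it blocks that VM's flows regardless of the application and isolation rules, which is the precedence the post describes.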

IPv6 traffic is not yet supported or processed (we plan to add it in the future), so for now, to ensure there is no “gap” via IPv6, and if, as is usually the case, your infrastructure does not use it, it is better to block it completely on the perimeter firewalls.
The maximum number of policies that can be created and applied is large and is determined by the available CVM memory. In Nutanix testing, one million rules were once created on a single host and everything worked, so Flow is ready for even very large and complex network infrastructures.
And the best part: for now, in the Tech Preview, micro-segmentation in AHV is free. After it reaches GA status, a separately purchased license will be needed. The unit is a host, for a term of one to five years (per node, per year), with technical support included in the price. The total cost will remain low; I can't discuss pricing, but it will be at least half the price of, for example, the NSX Advanced license, which provides similar functionality for vSphere. There will, of course, also be a trial (for 60 days).
For our customers with support contracts, the AOS and AHV updates will arrive automatically (it only remains to download and install the update, without interrupting operation), and if they already use Prism Central, the update lets them start using Flow right away.
Thus the Acropolis Hypervisor today is not only a hypervisor but also an SDN (software-defined network) embedded in the hypervisor, and if you were looking for a micro-segmentation solution for your virtual environment and NSX seemed too expensive and complicated, it's time to look at Nutanix Flow; it may be just what you need.