VMware pushes NSX deeper into containers, security
Microsegmentation for microservices, plus automated key management for all those tiny, transient networks
VMware's released a new version of NSX-T, the version of its NSX network virtualization tool that runs in multiple environments.
NSX-T's roots lie in NSX-MH, the early version of NSX VMware created not long after acquiring software-defined networking pioneer Nicira. Before VMware acquired Nicira, it made sense for the company to address multiple hypervisors, but once VMware was in control it steered things towards its own ESX.
But NSX-T stayed alive because Virtzilla VMware feels that there are plenty of people who can benefit from network virtualization without having to go all-in on the VMware ecosystem. Hence billing the new NSX-T 2.0 as “an agile software-defined infrastructure to build cloud-native application environments.”
The most interesting new bits this time around include the addition of microsegmentation for Kubernetes. Microsegmentation sees virtual networks spun up to give workloads their very own connections that are logically isolated. Microsegments can be torn down at will, making it easy to kill connections on which something untoward is occurring. Their applicability to orchestrated containers comes from the potential to create networks just for each instance of a microservice, giving its component containers the connectivity they need without requiring arrangements
Another addition is distributed network encryption, which handles encryption and key management among anything that NSX touches. This is handy for NSX-T because it is designed to connect workloads running on different hypervisors, be they on-prem or in the cloud. Or in Kubernetes-orchestrated containers. Sensible organisations won't be comfortable with any of the chat among those resources being unencrypted. NSX-T will let users define and apply policies to enforce encryption and then take care of the messy, messy business of getting the right keys in place to make crypto happen.
There's also a new Edge Firewall to secure north/south traffic inside NSX domains.
As our own Matt Asay pointed out yesterday, VMware's container strategy is far from convincing, other than as a salve for organisations that need to keep on virtualizing indefinitely. NSX-T might make matters a little more coherent by giving VMware a product that helps cloud-native types that don't care about vSphere and complements Kubernetes rather than trying to surround it. ®