Tag Archives: vCNS

Virtualizing Business Critical Applications – Security and Compliance

Virtualizing Business Critical Applications is often stopped by the sudden involvement of security and compliance, by a need to better understand, or by a need to gain visibility into the underlying security of the virtual environment in order to build new security and compliance models. As we have commented on the Virtualization Security podcast many times, security and compliance teams need to be involved from the beginning. However, this is not a discussion about involvement but about the tools that will help security and compliance gain the necessary visibility into the security of their virtual environments and therefore allow business critical applications to be virtualized.

Cisco Nexus 1000v: Free unless you want Security

While hardly new, the next version of the Cisco Nexus 1000v will be free unless you want the security features. This is an interesting shift from Cisco with respect to VMware vCloud Director, the Nicira purchase, the furthering of UCS, and Cisco within non-UCS data centers. However, given other announcements with respect to OpenStack, perhaps this is more a play to level the playing field between cloud architectures. What I find most interesting is that the changes to the Nexus 1000v also align with the changes we see in the vCloud Suites from VMware.

VMworld 2012: vCloud Networking and Security Enhancements

There are several improvements in virtual networking and security within the latest vSphere and vCloud products. vCloud Networking and Security lowers the overall cost of implementing endpoint security within a vSphere environment. VMware has accomplished this by including vShield Endpoint in vSphere, thereby lowering the cost of offloaded antivirus and antimalware to just the cost of the product chosen to implement it.

By far the biggest change is the implementation of VXLAN within vSphere. VXLAN makes it possible to create a software-defined network.

  • VXLAN will span vSphere clusters, virtual switches, and layer 3 physical networks. How does this work? VXLAN is a layer-2 overlay network that uses MAC-in-UDP tunneling.
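As an added illustration (my example code, not code from the original post or from VMware), the following Python builds and parses the encapsulation that makes the overlay work: the original layer-2 frame becomes the payload of a UDP datagram (the IANA-assigned port 4789) with an 8-byte VXLAN header in front, so it can be routed across a layer-3 network, and the 24-bit VNI in that header, not the MAC address, decides which tenant segment the frame belongs to. The MAC addresses, VNIs and VTEP names below are constructed sample values.

```python
import struct
from typing import NamedTuple

VXLAN_UDP_PORT = 4789        # IANA-assigned UDP port for VXLAN (RFC 7348)
VXLAN_FLAG_VNI_VALID = 0x08  # the "I" flag: the VNI field is valid


class InnerFrame(NamedTuple):
    vni: int
    dst_mac: str
    src_mac: str
    ethertype: int
    payload: bytes


def mac_to_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_ethernet_frame(dst_mac: bytes, src_mac: bytes, ethertype: int, payload: bytes) -> bytes:
    """Plain Ethernet II header (dst, src, type) followed by the payload."""
    return struct.pack("!6s6sH", dst_mac, src_mac, ethertype) + payload


def vxlan_encapsulate(vni: int, inner_frame: bytes) -> bytes:
    """Return the UDP payload a VTEP sends: 8-byte VXLAN header + original L2 frame.

    The outer Ethernet/IP/UDP headers (dst port VXLAN_UDP_PORT) are added by the
    sending host's IP stack; that outer IP header is what carries the frame across
    layer-3 boundaries a plain VLAN could not cross.
    """
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    # byte 0: flags, bytes 1-3: reserved, bytes 4-6: VNI, byte 7: reserved
    header = bytes([VXLAN_FLAG_VNI_VALID, 0, 0, 0]) + (vni << 8).to_bytes(4, "big")
    return header + inner_frame


def vxlan_decapsulate(udp_payload: bytes) -> InnerFrame:
    """Parse a received VXLAN UDP payload into the VNI and the inner Ethernet frame."""
    if len(udp_payload) < 8 + 14:
        raise ValueError("too short for a VXLAN header plus an Ethernet header")
    flags = udp_payload[0]
    if not flags & VXLAN_FLAG_VNI_VALID:
        # RFC 7348: a receiver must drop packets without the I flag set
        raise ValueError("VNI-valid flag not set; packet must be dropped")
    vni = int.from_bytes(udp_payload[4:7], "big")
    inner = udp_payload[8:]
    dst, src, ethertype = struct.unpack("!6s6sH", inner[:14])
    return InnerFrame(vni, mac_to_str(dst), mac_to_str(src), ethertype, inner[14:])


def demo():
    """Two tenants reuse the same inner MAC addresses; only the VNI keeps them apart."""
    vm_a = bytes.fromhex("005056aa0001")  # constructed sample MACs
    vm_b = bytes.fromhex("005056aa0002")
    frame = build_ethernet_frame(vm_b, vm_a, 0x0800, b"\x45" + b"\x00" * 19)
    tenant1 = vxlan_decapsulate(vxlan_encapsulate(5001, frame))  # constructed VNIs
    tenant2 = vxlan_decapsulate(vxlan_encapsulate(5002, frame))
    # A VTEP forwarding table must key on (VNI, MAC), never on the MAC alone
    table = {(tenant1.vni, tenant1.src_mac): "vtep-host-1",   # constructed names
             (tenant2.vni, tenant2.src_mac): "vtep-host-2"}
    return tenant1, tenant2, table


if __name__ == "__main__":
    t1, t2, table = demo()
    print(t1.vni, t1.src_mac, "->", t1.dst_mac, hex(t1.ethertype))
    print(len(table), "distinct forwarding entries for the same MAC")
```

The security-relevant point the code makes visible is that tenant separation in the overlay rests entirely on the VNI being honoured at the VTEP: on the physical transport network the two tenants' frames are just UDP datagrams to the same port, so that transport network is a trust boundary and should only carry VXLAN between the hosts that are meant to be VTEPs.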

vCloud Networking and Security

VMware has also renamed vShield Edge to vCloud Networking and Security (vCNS) Edge Gateway and vShield App to vCNS App. But other than renamed products, what has been added?

  • Highly available vCNS Edge Gateway with 10 user-defined network interfaces. While vShield Edge provided a single internal and a single external interface, vCNS Edge 5.1 allows you to define up to 10 internal or external interfaces, as well as logical groupings for internal vs. external, making use of the 10 vNICs that have been available on virtual machines since vSphere 4.x.

vCNS Edge Gateway Improvements

vCNS Edge Gateway additionally provides an active/standby high availability pair with stateful session failover and automatic configuration syncing. If one firewall dies, the standby firewall takes over in less than 10 seconds, so the loss of firewall functionality is minimal.

  • Advanced load balancing features are now part of vCNS Edge Gateway. Where in the past there was only simple load balancing, vCNS Edge Gateway now includes round robin load balancing with health checks and session persistence: it verifies the health of the target VMs and does not send traffic to a target whose health check fails, and once a session starts on a target VM, continued traffic for that session stays on the same target VM. The vCNS Edge Gateway load balancer natively handles HTTP and HTTPS, but also provides a pass-through mechanism for other protocols.
  • SSL VPN is now a supported VPN mode alongside the existing IPsec tunneling protocols. An SSL VPN could be used for management traffic in a hybrid cloud, to access your individual vCloud tenant, or to reach the management features of your virtual environment through the vCNS Edge Gateway.
  • The vCloud Service Automation framework allows the integration of third party security applications within the virtual environment. This framework provides a set of APIs for integration into the virtual environment:
    • inside the VM via vCNS endpoint security version 2 (EPsec v2) APIs;
    • at the edge of the VM via vCNS App APIs;
    • at the edge of the virtual network via vCNS Edge Gateway APIs;
    • NetX 10-tuple-based data redirection between physical and virtual, or virtual and virtual, security appliances.
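As an added illustration of the load-balancing behaviour described in the list above (my example code, not VMware's and not the vCNS implementation), this Python model combines the three features named there: round robin over the target pool, a health check that takes a failing target out of rotation, and session persistence that keeps a session on its original target for as long as that target stays healthy. The target names, session id and health states are constructed.

```python
import itertools
from typing import Callable, Dict, List, Optional


class RoundRobinBalancer:
    """Round robin with health checks and session persistence (a model, not vCNS code)."""

    def __init__(self, targets: List[str], health_check: Callable[[str], bool]):
        self._targets = list(targets)
        self._health_check = health_check
        self._rotation = itertools.cycle(self._targets)
        self._sessions: Dict[str, str] = {}  # session id -> sticky target

    def pick(self, session_id: Optional[str] = None) -> Optional[str]:
        # 1. persistence: an existing session stays on its target while it is healthy
        if session_id is not None:
            sticky = self._sessions.get(session_id)
            if sticky is not None and self._health_check(sticky):
                return sticky
        # 2. round robin, skipping targets whose health check fails; one full
        #    rotation is enough to visit every target once
        for _ in range(len(self._targets)):
            candidate = next(self._rotation)
            if self._health_check(candidate):
                if session_id is not None:
                    self._sessions[session_id] = candidate
                return candidate
        # 3. nothing healthy: refuse the request rather than send it to a dead VM
        if session_id is not None:
            self._sessions.pop(session_id, None)
        return None


def demo() -> List[Optional[str]]:
    """Walk a sticky session through target failure (constructed pool and states)."""
    health = {"web-01": True, "web-02": False, "web-03": True}  # constructed state
    lb = RoundRobinBalancer(list(health), lambda target: health[target])
    picks = []
    picks.append(lb.pick("sess-1"))  # new session: first healthy target, web-01
    picks.append(lb.pick())          # no session: web-02 fails its check, so web-03
    picks.append(lb.pick("sess-1"))  # persistence: still web-01
    health["web-01"] = False         # web-01 now fails its health check
    picks.append(lb.pick("sess-1"))  # sticky target unhealthy: re-pinned to web-03
    health["web-03"] = False
    picks.append(lb.pick("sess-1"))  # no healthy target at all: None
    return picks


if __name__ == "__main__":
    for step, target in enumerate(demo(), 1):
        print(step, target)
```

The ordering of the three steps in `pick` is the design point: persistence is checked before rotation so an established session is not bounced between targets, but the health check is applied to the sticky target as well, so a session pinned to a VM that has failed is re-pinned instead of being sent into a black hole. A run of health-check failures across the pool is also a condition worth alerting on, since it is the point at which the balancer starts refusing traffic.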

vCNS also includes a few updates to the vNetwork distributed switch, such as:

  • NetFlow v9
  • Network Health Checks, a limited set of health checks to ensure the network is healthy and that all hosts in a cluster have the same network constructs.

But what do all these improvements mean?

In a nutshell, they enable the software-defined datacenter.

Simply put, VXLAN widens the capabilities of a single vCloud virtual data center to span multiple clusters instead of being limited to just 32 hosts in a cluster. This will improve cloud implementations for service providers and larger private clouds. VXLAN may eventually allow software-defined networks that span hybrid clouds. On the security side, the improvements and implementation of the vCloud Service Automation framework allow for the creation of a software-defined security layer.

Both of these technologies are necessary if there is to be a software-defined data center.