Starting with NSX-T Data Center v3.2, VMware released a new feature named “NSX Application Platform”. But what is this new functionality about, and what value does it bring to an NSX environment?
Well, to provide more security services in a more efficient way, VMware has decided to create NSX Application Platform (NAP), which is a container-based environment running on a Kubernetes cluster.
Speaking of new security capabilities, what exactly are those features?
There are four features in total that can be added to an existing NSX setup, and it’s up to you to decide which ones you’d like to install after the deployment of NSX Application Platform.
- VMware NSX® Network Detection and Response™
- VMware NSX® Malware Prevention
- VMware NSX® Intelligence
- VMware NSX® Metrics
Let’s jump back to NSX-T v3.0 or even v2.5 for a moment to better explain what has changed and why these features are now hosted on Kubernetes.
You have certainly heard about NSX Intelligence for quite some time. It is a very nice feature providing very good visibility of flows, but also recommendations to plan and apply micro-segmentation in an NSX environment. That feature used to be installed from an OVA file and deployed directly from the NSX Manager.
Starting with NSX-T v3.2, VMware released, alongside NSX Application Platform (NAP), new security features that would have made NSX quite heavy and more difficult to scale if deployed as appliances from regular OVA files.
So, to make things easier and more efficient, VMware decided to build NSX Application Platform (NAP) in the form of micro-services hosted on a Kubernetes platform. You can deploy NAP on either Tanzu or an upstream Kubernetes cluster.
NSX Application Platform Prerequisites
In order to install NSX Application Platform, you will have to follow the prerequisites below:
- Prepare a Tanzu Kubernetes cluster or a native Kubernetes cluster yourself, as NAP does not automatically prepare the underlying Kubernetes infrastructure for you.
- You must provide the configuration file for an existing Kubernetes cluster during the deployment of NSX Application Platform.
- You must also set up a private Harbor registry with chart repository service to deploy NSX Application Platform.
More information here on the prerequisites.
Set Up a Private Harbor Registry
Now that you have prepared your Kubernetes environment, you need to set up a private Harbor Registry with a chart repository service.
You can of course use any other container registry, but the steps may differ. We are going to use Harbor here as an example.
You can use this registry to upload the Helm charts and Docker images required to deploy NSX Application Platform.
The role of the Helm charts is to specify the configuration settings to be used during the deployment, while the Docker images are the container images themselves.
One important thing to remember for production environments is that the private Harbor instance must be configured using external CA-signed certificates.
More details on setting up the Harbor registry are available here.
NSX Application Platform Form Factor
Now that you have deployed NAP container images, you’re ready to start the deployment.
All you have to do is simply select the appropriate form factor based on the required features.
- Supports NSX Network Detection and Response, NSX Malware Prevention, and Metrics
- Requires one controller (2 vCPUs/4 GB RAM) and three worker nodes (4 vCPUs/16 GB RAM) or more in the Kubernetes cluster
- Supports NSX Network Detection and Response, NSX Malware Prevention, NSX Intelligence, and Metrics
- Requires one controller (2 vCPUs/4 GB RAM) and three worker nodes (16 vCPUs/64 GB RAM) or more in the Kubernetes cluster
- Supports all available features
- Requires one controller (2 vCPUs/4 GB RAM) and one worker node (16 vCPUs/64 GB RAM) in the Kubernetes cluster
Note: This form factor is not supported in production environments. It is intended only for evaluation, testing, or proof-of-concept.
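The sizing figures above can be checked against the cluster before the wizard runs. The script below is an added example, not VMware tooling: it reads the JSON produced by `kubectl get nodes -o json` and compares it with the per-node figures listed above. The form-factor keys, the function names, the 90% memory tolerance and the sample data are all assumptions made for this example.

```python
import json

# Per-worker minimums copied from the form-factor list above. The dictionary
# keys are hypothetical labels for this example, not NSX form-factor names.
FORM_FACTORS = {
    "without_intelligence": {"workers": 3, "cpu": 4, "mem_gb": 16},
    "with_intelligence": {"workers": 3, "cpu": 16, "mem_gb": 64},
    "evaluation": {"workers": 1, "cpu": 16, "mem_gb": 64},
}
CONTROLLER = {"cpu": 2, "mem_gb": 4}
# Assumption: a VM sized at N GB reports a little under N GiB to the kubelet,
# so accept 90% of the nominal figure instead of failing every real node.
MEM_TOLERANCE = 0.90
UNITS = {"Ki": 2**10, "Mi": 2**20, "Gi": 2**30, "Ti": 2**40}

def parse_cpu(q):
    """Kubernetes CPU quantity ('4' or '3900m') -> cores."""
    return int(q[:-1]) / 1000 if q.endswith("m") else float(q)

def parse_mem(q):
    """Kubernetes memory quantity ('16393196Ki', '16Gi', plain bytes) -> bytes."""
    for suffix, mult in UNITS.items():
        if q.endswith(suffix):
            return float(q[:-len(suffix)]) * mult
    return float(q)

def is_control_plane(node):
    labels = node["metadata"].get("labels", {})
    return any(f"node-role.kubernetes.io/{r}" in labels
               for r in ("control-plane", "master"))

def big_enough(node, need):
    cap = node["status"]["capacity"]  # node size as built, not allocatable
    return (parse_cpu(cap["cpu"]) >= need["cpu"] and
            parse_mem(cap["memory"]) >= need["mem_gb"] * 2**30 * MEM_TOLERANCE)

def check_cluster(nodes_json, form_factor):
    """Return a list of sizing problems; an empty list means the cluster fits."""
    need, nodes = FORM_FACTORS[form_factor], json.loads(nodes_json)["items"]
    problems = []
    if not any(big_enough(n, CONTROLLER) for n in nodes if is_control_plane(n)):
        problems.append("no controller node with 2 vCPUs / 4 GB")
    ok = [n for n in nodes if not is_control_plane(n) and big_enough(n, need)]
    if len(ok) < need["workers"]:
        problems.append(f"{len(ok)} of {need['workers']} required worker nodes "
                        f"have {need['cpu']} vCPUs / {need['mem_gb']} GB")
    return problems

def _node(name, cpu, mem, cp=False):  # builds the constructed sample below
    labels = {"node-role.kubernetes.io/control-plane": ""} if cp else {}
    return {"metadata": {"name": name, "labels": labels},
            "status": {"capacity": {"cpu": cpu, "memory": mem}}}

# Constructed sample: one 2 vCPU / 4 GB controller, three 4 vCPU / 16 GB workers.
SAMPLE = json.dumps({"items": [_node("cp-0", "2", "4025632Ki", True)] +
                     [_node(f"w-{i}", "4", "16393196Ki") for i in range(3)]})
```

Against a real cluster, pass the output of `kubectl get nodes -o json` in place of `SAMPLE`.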
NSX Application Platform Deployment
Once you have selected the form factor, you can now start the deployment.
To do so, navigate from the NSX Manager to System > Configuration > NSX Application Platform to deploy NSX Application Platform.
And make sure that the Helm Repository and Docker Registry URLs point to your private Harbor registry like the example below.
The next step consists of selecting the configuration file for the underlying Kubernetes platform, but also the appropriate form factor.
Please note that depending on the underlying Kubernetes infrastructure, the steps to obtain the Kubernetes cluster configuration file may vary. You should work with your Kubernetes Administrator to complete this step of the deployment. For more details, click here.
Before proceeding with the deployment, the wizard will run a pre-check to make sure that your configuration is correct. You can then review your settings one last time and run the deployment.
Congratulations! Your NSX Application Platform deployment is now complete. You can then view the state of your Control Plane and Worker nodes, check the system load, see if there are any alarms, etc.
Now that NSX Application Platform is up and running, you can start implementing and enjoying all the security features that we mentioned earlier in this post.
Hope that you enjoyed the blog post and do not hesitate to share 😉.