
Understand vSRX Virtual Firewall Deployment with Nutanix

Nutanix Platform Overview

The Nutanix Virtual Computing Platform is a converged, scale-out compute and storage system that is purpose-built to host and store virtual machines (VMs).

All nodes in a Nutanix cluster converge to deliver a unified pool of tiered storage and present resources to VMs for seamless access. A global data system architecture integrates each new node into the cluster, allowing you to scale the solution to meet the needs of your infrastructure. Nutanix supports VMware vSphere (ESXi), Microsoft Hyper-V, Citrix XenServer, and the Nutanix Acropolis hypervisor (AHV), which is KVM-based.

The foundational unit for the cluster is a Nutanix node. Each node in the cluster runs a standard hypervisor and contains processors, memory, and local storage (SSDs and hard disks).

The Nutanix cluster has a distributed architecture, which means that each node in the cluster shares in the management of cluster resources and responsibilities. Within each node, there are software components that perform specific tasks during cluster operation. All components run on multiple nodes in the cluster, and depend on connectivity between their peers that also run the component. Most components also depend on other components for information.

A Nutanix Controller VM runs on each node, enabling the pooling of local storage from all nodes in the cluster.

Guest VM Data Management

VM data is stored locally, and replicated on other nodes for protection against hardware failure.

When a guest VM submits a write request through the hypervisor, that request is sent to the Controller VM on the host. To provide a rapid response to the guest VM, the data is first written to the Oplog, a cache on the metadata drive that occupies a subset of the node's storage. This cache is rapidly distributed across the 10-Gigabit Ethernet (10 GbE) network to other metadata drives in the cluster. Oplog data is periodically transferred to persistent storage within the cluster. Data is written locally for performance and replicated on multiple nodes for high availability.

When the guest VM sends a read request through the hypervisor, the Controller VM will read from the local copy first, if present. If the host does not contain a local copy, then the Controller VM will read across the network from a host that does contain a copy. As remote data is accessed, it will be migrated to storage devices on the current host, so that future read requests can be local.

Guest VM data management includes the following features:

  • MapReduce tiering—Nutanix cluster dynamically manages data based on how frequently it is accessed. New data is saved on the SSD tier. Frequently accessed data is kept on the SSD tier and old data is migrated to the HDD tier.

    Automated data migration also applies to read requests across the network. If a guest VM repeatedly accesses a block of data on a remote host, the local controller VM migrates that data to the SSD tier of the local host. This migration not only reduces network latency, but also ensures that frequently accessed data is stored on the fastest storage tier.

  • Live migration—Live migration of VMs, whether it is initiated manually or through an automatic process like vSphere DRS, is fully supported by the Nutanix Virtual Computing Platform. All hosts within the cluster have visibility into shared Nutanix datastores through the Controller VMs. Guest VM data is written locally, and is also replicated on other nodes for high availability.

    If a VM is migrated to another host, future read requests are sent to a local copy of the data, if it exists. Otherwise, the request is sent across the network to a host that does contain the requested data. As remote data is accessed, the remote data is migrated to storage devices on the current host, so that future read requests are local.

  • High availability (HA)—The built-in data redundancy in a Nutanix cluster supports high availability provided by the hypervisor. If a node fails, all high-availability-protected VMs can be automatically restarted on other nodes in the cluster. The hypervisor management system, such as vCenter, selects a new host for the VMs, which might or might not contain a copy of the VM data.

  • Virtualization management VM high availability—In virtualization management VM high availability, when a node becomes unavailable, VMs that are running on that node are restarted on another node in the same cluster.

    Typically, an entity failure is detected by its isolation from the network (the failure to respond to heartbeats). Virtualization management ensures that at most one instance of the VM is running at any point during a failover. This property prevents concurrent network and storage I/O that could lead to corruption.

    Virtualization management VM high availability implements admission control to help ensure that in case of node failure, the rest of the cluster has enough resources to accommodate the other VMs.

  • Datapath redundancy—The Nutanix cluster automatically selects the optimal path between a hypervisor host and its guest VM data. The Controller VM has multiple redundant paths available, which makes the cluster more resilient to failures.

    When available, the optimal path is through the local Controller VM to local storage devices. In some situations, the data is not available on local storage, such as when a guest VM was recently migrated to another host. In those cases, the Controller VM directs the read request across the network to storage on another host through the Controller VM of that host.

    Datapath redundancy also responds when a local Controller VM is unavailable. To maintain the storage path, the cluster automatically redirects the host to another Controller VM. When the local Controller VM comes back online, the datapath is returned to this VM.

vSRX Virtual Firewall Deployment with Nutanix Overview

This topic provides an overview of vSRX Virtual Firewall deployment on Nutanix Enterprise Cloud.

vSRX Virtual Firewall offers the same full-featured advanced security as the physical Juniper Networks SRX Series Firewalls, but in a virtualized form factor. It handles speeds of up to 100 Gbps, making it the industry’s fastest virtual firewall. vSRX Virtual Firewall with Nutanix delivers:

  • A single platform delivering high performance and predictable scale for any virtual workload.

  • High-performance networking and security for scale-out virtual data centers.

  • Flexibility with multi-hypervisor support (Hyper-V, ESXi, and Acropolis Hypervisor) and a full appliance portfolio for the right mix of compute and storage resources.

  • VMs that keep running and are protected with VM-centric backups and integrated disaster recovery.

  • Innovative Virtual Chassis Fabric architecture with automation capabilities for simplified management.

Manual, rigid, and static connectivity and security implementations might work in traditional network environments. In the multicloud era, however, where application requirements are highly dynamic, network security must be an agile and scalable partner to compute and storage.

Enterprise multiclouds typically employ perimeter security solutions like Nutanix Enterprise Cloud to block threats contained in north-south traffic entering or leaving the HCI. Effective as they are, these solutions cannot defend against threats introduced by compromised virtual machines (VMs) that infect east-west traffic flowing within the data center itself, between applications and services. If these threats are not identified and addressed in a timely manner, they could compromise mission-critical applications and lead to the loss of sensitive data, causing irreparable harm to revenue and reputation of an organization.

vSRX Virtual Firewall works with Nutanix Enterprise Cloud to provide advanced security, consistent management, automated threat remediation, and effective microsegmentation—delivering a secure and automated solution for defending today’s multicloud environments.

The joint Juniper Networks-Nutanix hyperconverged solution helps enterprises secure their multicloud environments with advanced security, consistent management, automated threat remediation, automation, and effective microsegmentation. Enterprises can now easily deploy a secure and automated multicloud without the overhead of operational and management complexity.

Nutanix provides on-demand services in the cloud. Services range from Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) to Application and Database as a Service. Nutanix is a highly flexible, scalable, and reliable cloud platform. In Nutanix, you can host servers and services on the cloud as a bring-your-own-license (BYOL) service.

Benefits of vSRX Virtual Firewall with Nutanix

  • Advanced security—Protects the business by delivering advanced security services, including user and application firewall, advanced threat prevention, and intrusion prevention.

  • Microsegmentation—Employs microsegmentation to secure applications and defend against lateral threat propagation in the enterprise multicloud. Protects virtual workloads through effective microsegmentation.

    Microsegmentation facilitates granular segmentation and control by applying security policies at the virtualized host level. From a security perspective, the more granular level at which a threat can be blocked, the more effective the defense will be in containing the threat’s propagation. Administrators must augment their security solutions with microsegmentation and automated threat remediation, providing the visibility and control required to protect lateral data center traffic from common breaches.

  • Visibility—Provides granular visibility and analytics into application, user, and IP behavior.

  • Automation—Offers rich APIs and automation libraries from Nutanix and Juniper Networks to enable agile DevOps workflows and to deliver improved security response through unified automation of security and networking workflows.

  • Operational simplicity—Streamlines and enables policy deployment and enforcement with single-pane management and simple, intuitive controls across multicloud deployments.

Understand vSRX Virtual Firewall Deployment with Nutanix AHV

Nutanix Acropolis hyperconverged infrastructure (HCI) supports customer choice in virtualization solutions, including VMware vSphere (ESXi), Microsoft Hyper-V, Citrix XenServer, and Nutanix AHV. AHV is a feature-rich, enterprise-ready Nutanix hypervisor based on proven open-source technology. Nutanix AHV is a license-free virtualization solution included with Acropolis that delivers enterprise virtualization ready for a multicloud world. With Acropolis and AHV, virtualization is tightly integrated into the Nutanix Enterprise Cloud OS rather than being layered on as a standalone product that needs to be licensed, deployed, and managed separately.

Common tasks such as deploying, cloning, and protecting VMs are managed centrally through Nutanix Prism, rather than utilizing disparate products and policies in a piecemeal strategy.

Figure 1 illustrates how security is provided for applications running in a private subnet of Nutanix Enterprise Cloud with AHV hypervisor.

Figure 1: vSRX Virtual Firewall Deployment in Nutanix Enterprise Cloud

The Nutanix AHV virtualization solution, including the tools you need to manage it, ships from the factory already installed and ready to use, so that you can have the system up and running as soon as you have racked the cluster and powered it on. When the system is up and running, you can maintain the environment through a simple HTML5 Web UI. Prism Element, which is available on each cluster you deploy, integrates this UI with the overall Nutanix solution. You can access Prism Element on each individual Nutanix cluster through the cluster IP address or any of the individual Nutanix Controller Virtual Machine (CVM) IP addresses. Prism Element requires no additional software; it is built into every Nutanix cluster and incorporates support for AHV.

If you prefer a more centralized mechanism for managing your deployment, Prism Central is available from the Nutanix portal or can be deployed directly from the Nutanix cluster. Prism Central is a robust optional software appliance VM that can run on ESXi, Hyper-V, or AHV.

Prism Central is both a platform and a hypervisor-agnostic management interface, providing an aggregate view of your deployed Nutanix clusters. In addition to allowing you to view and manage the cluster, Prism Central provides insight into VMs, hosts, disks, and containers or pooled disks.

Prism Central provides a single pane of glass for managing not only multiple Nutanix clusters, but also the native Nutanix hypervisor, AHV. Unlike other hypervisors, AHV requires no additional back-end applications or database to maintain the data rendered in the UI.

Prism runs on every node in the cluster, but like other components, it elects a leader. All requests are forwarded from the followers to the leader using Linux iptables. This allows administrators to access Prism using any Controller VM IP address. If the Prism leader fails, a new leader is elected. The leader also communicates with the ESXi hosts for VM status and related information. Junos Space Security Director manages the vSRX Virtual Firewall instances deployed on each node of a Nutanix AHV cluster, and it acts as a unified security policy manager to apply consistent policies across all vSRX Virtual Firewall VMs in Nutanix-based private and public clouds (AWS/Azure).

Traffic between VMs and applications is redirected through the vSRX Virtual Firewall, allowing next-generation firewall security services with advanced threat prevention to be provisioned. Security policies enforced on traffic inside the Nutanix Enterprise Cloud augment the Nutanix HCI with microsegmentation, blocking sophisticated threats that propagate laterally while identifying and controlling application and user access. This enables security administrators to isolate and segment mission-critical applications and data using zero trust security principles.
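The following Junos configuration is an added example (not part of this page or of Juniper's or Nutanix's own documentation) of the east-west microsegmentation described above and under Benefits: two application tiers in the Nutanix private subnet are placed in separate vSRX security zones, only the database port is permitted from the web tier to the database tier, and every other lateral flow is denied and logged. The interface names, zone names, address ranges, and port are assumptions.

```junos
# Added example: zone-based microsegmentation of two application tiers on vSRX.
# Interfaces, zones, addresses and the application port are assumed values.
set interfaces ge-0/0/1 unit 0 family inet address 10.10.1.1/24
set interfaces ge-0/0/2 unit 0 family inet address 10.10.2.1/24

# One security zone per application tier; traffic between tiers must cross the vSRX.
set security zones security-zone web interfaces ge-0/0/1.0
set security zones security-zone db interfaces ge-0/0/2.0

set security address-book global address web-servers 10.10.1.0/24
set security address-book global address db-servers 10.10.2.0/24

# Custom application object for the database service (TCP/3306 assumed).
set applications application app-db-sql protocol tcp destination-port 3306

# Permit only the database service from the web tier to the database tier, and log it.
set security policies from-zone web to-zone db policy web-to-db match source-address web-servers
set security policies from-zone web to-zone db policy web-to-db match destination-address db-servers
set security policies from-zone web to-zone db policy web-to-db match application app-db-sql
set security policies from-zone web to-zone db policy web-to-db then permit
set security policies from-zone web to-zone db policy web-to-db then log session-init
set security policies from-zone web to-zone db policy web-to-db then log session-close

# Explicitly deny and log all other web-to-db traffic so lateral attempts are visible to Security Director.
set security policies from-zone web to-zone db policy deny-rest match source-address any
set security policies from-zone web to-zone db policy deny-rest match destination-address any
set security policies from-zone web to-zone db policy deny-rest match application any
set security policies from-zone web to-zone db policy deny-rest then deny
set security policies from-zone web to-zone db policy deny-rest then log session-init

# The database tier never initiates connections to the web tier.
set security policies from-zone db to-zone web policy deny-all match source-address any
set security policies from-zone db to-zone web policy deny-all match destination-address any
set security policies from-zone db to-zone web policy deny-all match application any
set security policies from-zone db to-zone web policy deny-all then deny
set security policies from-zone db to-zone web policy deny-all then log session-init

# Anything not matched by a policy is dropped (the Junos default, stated explicitly).
set security policies default-policy deny-all
```

Because the deny policies log session initiation, Security Director's event logs show blocked lateral connection attempts between tiers, which is the visibility the zero trust model relies on.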

Components of vSRX Virtual Firewall Deployment with Nutanix

Joint solution with vSRX Virtual Firewall and Nutanix includes the following key components:

  • vSRX Virtual Firewall—vSRX Virtual Firewall offers the same full-featured advanced security as the physical Juniper Networks SRX Series Firewalls, but in a virtualized form.

  • Junos Space Security Director—Junos Space Security Director allows network operators to manage a distributed network of virtual and physical firewalls from a single location. Serving as the management interface for the vSRX Virtual Firewall, Security Director manages the firewall policies on all vSRX Virtual Firewall instances. It includes a customizable dashboard with details, threat maps, and event logs, providing unprecedented visibility into network security. Remote mobile monitoring is also possible through a mobile application for Google Android and Apple iOS systems.

  • Nutanix AHV—Nutanix AHV is an enterprise-class virtualization solution included with the Nutanix Enterprise Cloud OS, with no additional software components to license, install, or manage. Starting with proven open-source virtualization technology, AHV combines an enhanced datapath for optimal performance, security hardening, flow network virtualization, and complete management features to deliver a leaner yet more powerful virtualization stack, no costly shelfware, and lower virtualization costs.

  • Nutanix Manager (Nutanix Prism)—Nutanix Prism is an end-to-end management tool for administrators to configure and monitor the Nutanix cluster and solutions for virtualized data center environments using the nCLI and the Web console. The end-to-end management capability streamlines and automates common workflows, eliminating the need for multiple management solutions across data center operations. Powered by advanced machine learning technology, Prism analyzes system data to generate actionable insights for optimizing virtualization and infrastructure management.

Sample vSRX Virtual Firewall Deployment Using Nutanix AHV

A sample vSRX Virtual Firewall deployment that provides security for applications running in a private subnet of Nutanix Enterprise Cloud with the AHV hypervisor is shown in Figure 2.

Figure 2: Sample vSRX Virtual Firewall Deployment in Nutanix Enterprise Cloud Using AHV

A vSRX Virtual Firewall image is loaded onto the Linux-based host kernel, with the Nutanix AHV virtualization solution as the hypervisor. AHV-based VMs support multitenancy, allowing you to run multiple vSRX Virtual Firewall VMs on the host OS. AHV manages and shares the system resources between the host OS and the multiple vSRX Virtual Firewall VMs.

Note:

vSRX Virtual Firewall requires you to enable hardware-based virtualization on a host OS that contains an Intel Virtualization Technology (VT) capable processor.

The basic components of this deployment include:

  • Linux bridge—Used for CVM control traffic

  • Open vSwitch (OVS) bridge(s)—Used for VM traffic and to connect to physical ports

  • Physical switch—Transports traffic in and out of the physical network ports on the host