Articles in this section
- AutoNSX 2.5 Arrived
- AutoNSX 2.0 Arrived
- AutoNSX new features for NSX-T 3.2.
- Migration from NSX-v to NSX-T
- Accelerate Micro-segmentation
- Micro-segmentation with vRNI and AutoNSX
- VMware NSX-T and AutoNSX
AutoNSX 2.5 Arrived
( February, 2023 )
Check regularly for additions and updates to these release notes.
AutoNSX is a micro segmentation platform that leverages VMware NSX and vRNI to deliver comprehensive policy management, visibility and compliance with the data center. AutoNSX provides a lightweight user interface to make segmentation easy and provides the following features:
- Segmentation and micro-segmentation of applications in a data center within a minute’s time
- Ability to view past information about segmented applications, firewall configurations and changes at any time
- Application Owner Module for better firewall rules view
- Automated micro-segmentation planning by extracting firewall rules, services and traffic patterns from vRNI
- Ability to enrich and customize vRNI “raw” rules
- Ability to build security framework and tweak its behaviour
- Define Global Policies across the entire organization
- Define and Reuse firewall policies
- Apply set of conditions to match desired behaviour
- Automatic rule duplications avoidance
- Comprehensive governance with detailed reports and configurations changes of NSX infrastructure and more…
What’s in the Release Notes?
The release notes cover the following topics:
- What’s New
- System Requirements
- Compatibility Notes
What’s New in This Release?
AutoNSX 2.5 introduces the following new features and enhancements for real-time network traffic flow visualizations and firewall rule planning.
AutoNSX Reporting & Visualizations
- Ability to focus on interesting firewall rules in the report by coloring
- Application owners are automatically assigned to application in AutoNSX, in case they are defined in Service Now CMDB
- Application Owners can view applications that belong only to them with historical data on what was changed to their application in regards to firewall rules
- Enhanced governance where application owners can approve firewall rules before application is segmented
- Report containing firewall rules are send to application owner to be reviewed in AutoNSX, application owner has final approval segment or not segment
- Added functionality to filter ports and protocols on more granular way, beneficial with high dynamic ports 49152 to 65535 where firewall rules contain mixed low and high ports in the same rule
- Ability to add IP addresses instead of VM names in the security groups in case VMs are not present in NSX inventory
- Support of Global Manager and NSX-T Federation
- Support of vRNI 6.4 to the latest version
- Support of NSX-T 4.x
System Requirements
- AutoNSX platform requires: 4GB of RAM, 60GB of hard drive, 128MB video adapter
- AutoNSX Platform port and protocols: TCP 443 to NSX-T Manager and vRNI, TCP 443 to access AutoNSX Platform
- User credentials that can execute API calls to vRNI and NSX-T manager. Special considerations for vRNI – user must be able to access and UI
- AutoNSX-2.0.ova runs on esxi 6.5 or above (hardware version vmx-13)
AutoNSX Compatibility notes
- AutoNSX is compatible with vRNI version 4.x, 5.x, 6.x
- AutoNSX is compatible with NSX-V version 6.x
- AutoNSX is compatible with NSX-T version 2.x, 3.x, 4x
- AutoNSX is compatible with NSX-T Manager API and Policy API
- AutoNSX is compatible with NSX-T Cloud
- AutoNSX is compatible with NSX-T Federation, including posturing on Local Managers and Regions (applying for tags, security groups membership on NSX-T Local Managers). Users can select “apply to” a specific Region in the AutoNSX policy recommendation
AutoNSX 2.0 Arrived
( November, 2021 )
Check regularly for additions and updates to these release notes.
AutoNSX is a micro segmentation platform that leverages VMware NSX and vRNI to deliver comprehensive policy management, visibility and compliance with the data center. AutoNSX provides a lightweight user interface to make segmentation easy and provides the following features:
- Segmentation and micro-segmentation of applications in a data center within a minute’s time
- Ability to view past information about segmented applications, firewall configurations and changes at any time
- Automated micro-segmentation planning by extracting firewall rules, services and traffic patterns from vRNI
- Ability to enrich and customize vRNI “raw” rules
- Ability to build security framework and tweak its behaviour
- Define Global Policies across the entire organization
- Define and Reuse firewall policies
- Apply set of conditions to match desired behaviour
- Automatic rule duplications avoidance
- Comprehensive governance with detailed reports and configurations changes of NSX infrastructure and more…
What’s in the Release Notes?
The release notes cover the following topics:
- What’s New
- System Requirements
- Compatibility Notes
What’s New in This Release?
AutoNSX 2.0 introduces the following new features and enhancements for real-time network traffic flow visualizations and firewall rule planning.
AutoNSX Reporting & Visualizations
- Generated report flows with matching firewall rule sequence
- Report includes all members of the security groups including VM IDs, IP addresses, port numbers
- Exposed to the user interface firewall rules that are common between applications, including infrastructure rules
- AutoNSX user interface now includes information on VMs that belong to multiple security zones. VM Id is displayed during segmentation on Recommended firewall rules pane
- Application Owner segmented application applied security policy’s dashboard
- Support of vRNI 6.4 and 5.3
AutoNSX Recommendations
- Security recommendations support correlation to existing firewall rules and groups
- Security recommendations firewall rules and groups for physical servers have always been part of AutoNSX
- Recommendation output and validation of the rules
- Enhancement on Global Rules in AutoNSX
- Customized option for automatically removing duplicate rules from the suggested rules
- Support of the new policy on NSX-T 3.2
- Updating History capabilities for future enhancements and many more
- Improved History view of a published workflow
- NSX-T Federation full support. AutoNSX besides creating and publishing policies to NSX-T Global Manager now is able to apply all security tags on related applications in Local NSX-T Managers and automatically update group memberships for VMs and IP addresses and other NSX entities
AutoNSX Platform
- AutoNSX appliance is moved from CentOS to Ubuntu 20.0.4 LTS
- Certificate management enhancements are introduced, including support for new certificate types
- AutoNSX license self-update is now available
- Improved speed of micro segmentation. Multi-tab publishing capabilities. Users can run multiple workflows in a separate tab within the same browser
- 3 vector Licensing model change, now we support data source, CPU and Number of Applications. Recommended to use a combination of data source and CPU as licensing model
- Updated code framework that speeds up runtime and fixes recently announced security issues
- AutoNSX was born as a cross-platform software solution this continues to be the case
System Requirements
- AutoNSX platform requires: 4GB of RAM, 60GB of hard drive, 128MB video adapter
- AutoNSX Platform port and protocols: TCP 443 to NSX-T Manager and vRNI, TCP 443 to access AutoNSX Platform
- User credentials that can execute API calls to vRNI and NSX-T manager. Special considerations for vRNI – user must be able to access and UI
- AutoNSX-2.0.ova runs on esxi 6.5 or above (hardware version vmx-13)
AutoNSX Compatibility notes
- AutoNSX is compatible with vRNI version 4.x, 5.x, 6.x
- AutoNSX is compatible with NSX-V version 6.x
- AutoNSX is compatible with NSX-T version 2.x, 3.x
- AutoNSX is compatible with NSX-T Manager API and Policy API
- AutoNSX is compatible with NSX-T Cloud
- AutoNSX is compatible with NSX-T Federation, including posturing on Local Managers and Regions (applying for tags, security groups membership on NSX-T Local Managers). Users can select “apply to” a specific Region in the AutoNSX policy recommendation
The AutoNSX introduces new features for NSX-T 3.2.
In the coming weeks, a new major release of NSX-T 3.2 will be in GA. AutoNSX follows a new release version and introduces a few new features:
- NSX-T Federation improvement
NSX-T Global Manager doesn’t keep the inventory of the VM of the local managers. With help of the Global Manager, security policies are visible in a single pane of glass. There is a limitation on NSX-T
Federation, while provisioning all objects the most important object, VMs, are not postured. Administrators had to log in to the local NSX-T manager and manually add tags to VMs. With help of AutoNSX is not needed anymore. AutoNSX will add all corresponding VMs from the local manager inventory to a global defined security group. With this, the simplified operations will reach a new level, and will make segmentation easy.
- NSX-T 3.2 global rule policies
AutoNSX will automatically match globally defined rules, like infrastructure, and mark them as exiting in the policy proposal structure. With this approach, the administrator will be focusing on the new rules and improvements in the security model.
Migration from NSX-v to NSX-T
The end of General Support of NSX-v is on January 16, 2022. Most of the VMware customers are satisfied with NSX product line, hence migration is an obvious path for every organization that wants to use NSX in the future.
NSX- T can be used in various areas, including:
- Application Modernization running containerized workloads
- Building automation infrastructure with NSX-T is much more convenient. An example provisioning security policies with AutoNSX makes segmentation easy
- Extending data centers to the public cloud-like AVS, VMC and others
In other words, NSX-v is in its final stage of life.
Easy to say hard to execute
What would be the actual impact of the migration from NSX-v to NSX-T?
License wise, VMware current statement is that NSX-v licenses can be reused in NSX-T installation. Operational wise, NSXv and NSX-T are similar but NSX-T comes with a new architecture new terms and a new way to provision networks. Organizations must prepare for the Operations activities in NSX-T. Here, digITout can help adapt your organization for NSX-T to transform the OPS team.
Architecture wise, NSX-T differs almost in everything that NSX-v was providing. Depending on the customer’s use case, a new design of the NSX environment can be necessary, we can help you with that as well. Afterwards, digITout can deploy the newly designed infrastructure including Cloud Environments.
Migration Approaches
The migration approaches can be defined in two main groups:
In Place Migration & In Parallel migrations shown below:
None of these can be considered as the best migration method. What would best approach for your organization?
Introducing digITout NSX V2T Migration Assessment Service
We care about our customer’s success and based on our expertise we developed a Migration Assessment Service. On average it takes 5 to 7 days, we assess your infrastructure and provide a purpose-built migration plan by discovering current NSX-V infrastructure, matching NSX-V construct and objects to NSX-T, creating a compatibility matrix between used features and mapping to a new feature in NSX-T. Special accent is made on risk assessment and potential gaps that have to be covered from the technology and business side of the migration.
In general, NSX-v to NSX-T migration is a one-time effort. Because it is a one-time effort there is no “lesson learned” possibility for the customers, which makes migration from NSX-V to NSX-T as high-
risk activity. As n VMware Partner, with in house VCDX-NV experts, digITout successfully migrating NSX-v to NSX-T infrastructure. Being Partners we have direct access to the VMware support organization “GSS”. While creating assessments we use only supported tools by VMware or our own purpose developed tools that have been proven in the battle.
If you are running NSX-V, please reach out to us and we will assign our best experts. Our migration assessment can guarantee the best migration approach for your environment.
digITout can help your organization successfully transition from NSX-v to NSX-T. We have all houses; certified consultants, certified implementations. On every exit we provide “warm” had over to
operation and ensure that your team can operate the new NSX-T infrastructure.
Accelerate Micro-segmentation
Speed up your micro-segmentation delivery times
Integrating the AutoNSX with VMware vRNI provides the ability to automate micro-segmentation, enabling both professional services organizations and enterprises to speed up micro-segmentation implementations.
Benefits
Integrating VMware vRNI with AutoNSX lets you:
- Design and publish security policy from scratch
- Change existing security policy
- Avoid rule/policy duplications
- Control Security zoning traffic patterns (Production/DMZ/DEV)
- Avoid complex scripting tasks
- Reduce time and effort on implementing PoC for micro-segmentation
- Automate security rules suggestion by vRNI
- Enrich security rules that come from vRNI
- Optimize security rules prior to publishing to the firewall
- Hand over to the customer a fully segmented environment within one sprint.
- Go beyond the “teach to fish” concept – usually, PSOs implement a pilot micro-segmentation for a few applications and show the customer how to do them. Then they leave, and the customer is usually left puzzled when it comes to segmenting additional applications or updating already segmented ones. With AutoNSX they can implement the entire micro-segmentation in one sprint.
- Easy adoption to the customer’s change management – with AutoNSX’s generated detailed application policy report organizations can move faster through the policy approval process. For a smoother and even more seamless AutoNSX Solution can be integrated with ITSM (ServiceNow, BMC Remedy)
- All of the above will definitely lead to higher customer satisfaction
AutoNSX is a Governance focused solution that keeps the process of micro-segmentation under tight control:
- By using AutoNSX customers will be able to focus on the actual micro-segmentation design as opposed to running scripts, educating staff and tracking changes in the environment. This will lead to a fast time to market, a low total cost of ownership and a high ROI.
- Application owners focused: Application Owners can track and verify all the changes as well as view the current rules for their assigned applications.
- Avoid unnecessary outages driven by human errors.
- IT Generalist with minimum to zero knowledge of security can implement a strong security framework out-of-box.
- Reduced to zero firewall misconfigurations.
- Eliminates configurations drifts.
- Follow approved security architecture design conceptions.
- Avoid rule/policy duplications.
- Easier housekeeping.
- Documented environments changes with detailed workflow settings.
- Preparation of audits is simplified and reduced time efforts.
- Last but not least – with AutoNSX there is no vendor lock. If the customers don’t want to use it anymore, they can immediately switch back to manual operations. AutoNSX does not store any objects needed for the micro-segmentation and customer-related data. It keeps history and details around who executed the last update.
What is VMware vRealize Network Insight?
VMware vRealize Network Insight also known as vRNI is a monitoring tool that provides high-grade visibility on software-defined network flows and integrates with most of the big vendors like Cisco & Arista. The main focus of vRNI is VMware software-defined datacenter and WMware NSX (link to NSX page). vRNI provides suggested firewall rules for the micro-segmentation. However, exporting those rules are not very handy and the rules are “rough” and require additional manipulation.
This is the use case of AutoNSX. The AutoNSX Solution can be seen as an extension to the vRNI functionality that allows the IT security/networking team to adjust the rules based on their need. Implement additional actions and rules behaviour like:
- optimizing rules
- merge similar rules in one
- adjust port and protocols
- adjust IP ranges
- apply specific condition
- prevent rules mismatch
- spotlight rouge tariffing patterns
Micro-segmentation with vRNI and AutoNSX
To achieve micro-segmentation with AutoNSX is a 5-step workflow that includes:
- Select source and destination. In this particular case source and destination are vRNI and NSX-T
- Select security zone/ environment/group (not mandatory depending on the security framework)
- Select Application that must be segmented
Select micro-segmentation
Select macro-segmentation
Select Flow types (Allowed, Protected, dropped or unprotected)
Select timeframe for the rule generation
- Customize security groups (if that is needed)
Review Security rules, add comments etc.
- Publish rules – DONE Segmented!
Solving complexity challenges while micro-segmentation
Having rules provided by vRNI gives a “raw” estimation of what is real communication. As we mentioned above suggested by vRNI can be implemented in two ways – manually and with a script. Manual implementation is complex by default and implies errors repetitive tasks and long implementation times. On the other hand, scripts are faster but require good scripting knowledge. By running a script, it is very easy to create configuration drifts and the governance is very poor.
AutoNSX solves the challenges of micro-segmentation by providing unique configuration parameters with all automation under the hood. Even highly complex tasks such as micro-segmentation become native to IT personnel. Additionally, governance is the key capability here, as audit groups or application owners can review all changes in the environment.
The AutoNSX and vRNI integration
The AutoNSX solution intelligently orchestrates and automates micro-segmentation to make Professional Service Organizations more successful in their deliveries and Enterprises more agile, secure and more compliant – at any given time. Thought AutoNSX IT personnel and application owners can rapidly plan and execute network security across the data center and in the cloud. With AutoNSX automation of the security rules, customers can process the security framework and apply security policy within one sprint time (agile methodology).
How it works?
AutoNSX uses vRNI provided API and RPA (robot process automation) to cover full integration to vRNI. AutoNSX then uses this information from vRNI and apply different conditions criteria.
Today there is no solution like AutoNSX that can automate every single chunk of data provided by vRNI. vRNI doesn’t expose all API methods publicly. This is where AutoNSX has a unique position as full automation of security policy is possible only with AutoNSX.
VMware NSX-T and AutoNSX
Integrating AutoNSX and VMware NSX allows automated security policy implementation. Organizations using AutoNSX will be able to perform faster micro-segmentation in the data center.
Benefits:
Integrating VMware NSX with AutoNSX let you:
- Accelerates business security
- Reduces time to market security posturing and keep it within reasonable timelines
- Nearly eliminates human errors which lead to minimum unplanned outages
- Abstract security groups creation, tags, IPsets etc
- Creates all necessary objects to achieve micro-segmentation
- Creates policy in NSX by Application or by tier
- Avoids rules duplications
- Prohibit unwanted behaviour of objects mapping
What is VMware NSX?
VMware NSX is a Network & security platform that fits in the category of Software Defined Networking aka SDN. The primary use case of NSX is VMware Data Center with recent releases NSX become more and more stable on BareMetal hardware, as well. NSX has rich capabilities in the security field. The NSX has three main use cases:
- Networking
- Security
- Automation
The AutoNSX Solution uses the Security and Automation capabilities of NSX.
Micro-segmentation with NSX & AutoNSX
The main security component of the NSX is the distributed firewall. Additionally, to the distributed firewall, NSX provided capabilities to dynamically match objects in Datacenter by utilizing tags, OS, or directly with IP addresses. All the objects in NSX are grouped with a logical construct called Security group. Members of the security group can be dynamically or sterically assigned, based on the mentioned above criteria, VMs. Micro-segmentation with NSX is an easy task for small datacenter but in medium, to large data centers it can be a real challenge. Even when NSX is used in a small data center then usually organizations suffer from the security knowledge of their staff and how to approach security and especially complex micro-segmentation implementations. AutoNSX Solution come to play a role in mitigating knowledge gaps. IT generalists can use AutoNSX with a “no brainer”.
AutoNSX Solution is used by wide enterprise and professional services organizations to speed up the micro-segmentation in any size Datacenter.
Solving the real complexity challenge with AutoNSX
As is mentioned before, medium and big data centers have real complexity challenges with complexity to maintain micro-segmentation. Fast deployments, the agility of the security can become very complex in a shorter time. All NSX constructs must be automated and managed in an orchestrated way to keep agility and fast deployment as the main benefits of SDN, but security is always present as the main complex factor. There are multiple ways to achieve this result. The most common ones are: manually, scripting and automation. Manual works require intensive knowledge and keeping track of every single NSX object and item. Scripts are usually used for a single task or task that doesn’t require deep logic of implementation. However, all those methods have a weak side of uncontrolled governance. In comparison, while leveraging AutoNSX organizations can simply implement micro-segmentation in a few clicks by having all of the weak sides under control. Instead, all the complexity is kept in the AutoNSX Software intelligence. This allows organizations to focus on their main activity – achieve faster, complied and solid security of their data center by utilizing AutoNSX Solution.
The VMware NSX and AutoNSX integration
AutoNSX uses rest API to connect to NSX the same way as vSphere vCenter doses. Having this level of integration, allows AutoNSX to manage, provision, update and orchestrate the organization’s security frameworks. The AutoNSX automatically updates NSX constructs in case of any change, for example, VM is decommissioned in CMDB and must be removed out of Application Security Model, a new port has to be opened etc. AutoNSX gives an additional layer of governance to the application owners as they can see all the rules and objects that belong to their applications at any given time. Application owners can track the changes made by the IT department, what was changed, when by whom.
Please provide us with your contact details and one of our experts will reach out →