Tuesday, December 18, 2018

Enhance Security with NSX Cloud and Horizon Cloud on Microsoft Azure


While virtual desktops have successfully helped address security and operational challenges, IT organizations still have concerns about a growing threat landscape and an expanded security perimeter that they need to protect, especially in public cloud environments. Malware, phishing, and other emerging advanced threats can be used to compromise a virtual desktop, which then serves as a jumping-off point for an attacker to move laterally into the rest of the network. Until now, customers could secure their VMware Horizon deployments in on-premises data centers with VMware NSX. We are happy to announce that NSX can now also secure virtual workloads deployed by VMware Horizon Cloud on Microsoft Azure, providing a more robust security posture in cloud-hosted virtual desktop environments in Microsoft Azure.

It’s been a great year for Horizon Cloud on Microsoft Azure. This service offering allows customers to easily pair their own Microsoft Azure capacity with the intuitive Horizon Cloud control to quickly deliver virtual desktops and apps to end users in a matter of hours. There is a lot of momentum from customers as they adopt Horizon Cloud to deliver virtual desktops and applications from their own Microsoft Azure infrastructure to any device, anywhere.

One of the key features of the new Horizon Cloud release is the support for VMware NSX Cloud. We are particularly excited about this integration and the added security it brings to our customers – so let’s dive a little deeper on this topic.

What is NSX Cloud?


NSX Cloud delivers networking and security for applications running natively in public cloud environments such as Microsoft Azure and Amazon AWS. NSX Cloud is an extension of VMware’s NSX Data Center technology that brings the NSX networking and security framework to cloud-native applications. NSX Cloud for Horizon Cloud on Azure brings enhanced security to virtual desktop environments, with policies that dynamically follow end users across infrastructure, devices, and locations.

Key Benefits of NSX Cloud for Horizon Cloud on Microsoft Azure Environments


Secure Virtual Desktops Using Micro-segmentation


NSX Cloud protects virtual desktops and apps hosted in Microsoft Azure data centers by securing traffic between each VDI system (east-west traffic) and providing isolation for desktop pools. The NSX Cloud micro-segmentation policy can control traffic between desktops within Azure VNETs as well as traffic destined for on-premises applications in a hybrid deployment.

Automated Policy That Dynamically Follows End Users and Desktops


Administrators can set policies centrally that dynamically adapt to the end user’s computing environment, with network security services that map to the user based on role, logical grouping, desktop operating system, and more, independent of the underlying network infrastructure. Policies follow the virtual desktops wherever they are moved across the cloud-hosted environment.

We are extremely excited to have support for NSX Cloud for Horizon Cloud on Microsoft Azure and look forward to enabling customers with this powerful security solution in their cloud environments.




Tuesday, December 11, 2018

AWS OUTPOSTS AND VMWARE HYBRIDITY DEFINED - VMware Certifications

Outposts as a Product Name is no Accident


Like many, I like the product name Outposts. It’s catchy and straight away you can make sense of what it is…however, I decided to look up the official meaning of the word…and it makes for some interesting reading:


  • An isolated or remote branch
  • A remote part of a country or empire
  • A small military camp or position at some distance from the main army, used especially as a guard against surprise attack

The first definition as per the Oxford Dictionary fits the overall idea of AWS Outposts. Putting a compute platform in an isolated or remote branch office that is separate to AWS regions while also offering the ability to consume that compute platform like it was an AWS region. This represents a legitimate use case for Outposts and can be seen as AWS filling a gap in the market that is being craved for by shifting IT sentiment.

The second definition is an interesting one when taken in the context of AWS and Amazon as a whole. They are big enough to be their own country and have certainly built up an empire over the last decade. All empires eventually crumble, however AWS is not going anywhere fast. This move does however indicate a shift in tactics and means that AWS can penetrate the on-premises market quicker to extend their empire.

The third definition is also pertinent in context to what AWS are looking to achieve with Outposts. They are setting up camp and positioning themselves a long way from their traditional stronghold. However my feeling is that they are not guarding against an attack…they are the attack!

Where does VMware fit in all this?


Given my thoughts above…where does VMware fit into all this? At first when the announcement was made on stage I was confused. With Pat Gelsinger on stage next to Andy Jassy my first impression was that VMware had given in. Here was AWS announcing a direct competitive platform to on-premises vSphere installations. Not only that, but VMware had announced Project Dimension at VMworld a few months earlier which looked to be their own on-premises managed service offering…though the wording around that was for edge rather than on-premises.

A Managed Service Offering means a Mind shift


The big shift here from VMware that began with VMware Cloud on AWS is a shift towards managed services. A fundamental change in the mindset of the customer in the way in which they consume their infrastructure. Without needing to worry about the underlying platform, IT can focus on the applications and the availability of those applications. For VMware this means from the VM up…for AWS, this means from the platform up.



Tuesday, December 4, 2018

VMware Cloud Foundation for EC2 Overview


Secure by Design:  The VCF Framework 


VCF is intended to provide one consistent set of data center management services across vSphere and non-vSphere environments. For the EC2 environment, a mechanism must be in place to transparently insert these services into the workloads running on EC2. In the private cloud environment, users may be familiar with VMware’s VM Tools. This is a collection of host-resident probes, drivers and agents that allow the vSphere system to optimize and manage workloads running on VMware’s ESXi hypervisor. VMware has extended this concept to EC2-based workloads. VM Tools for EC2 creates a bundle of host-resident probes, drivers and agents, and provides a framework to transparently insert, manage and protect these host components as they run on EC2 environments, either in Amazon’s EC2 public cloud or on premises on Amazon’s Outposts hybrid cloud solution.

Networking Services 


The first set of services enabled in VMware Cloud Foundation for EC2 is NSX Networking and Security. A key feature of the NSX offering for EC2 is service insertion and packet capture. With this capability, the rich partner ecosystem of NSX that exists on VMware private clouds can now be extended into native EC2 environments. Partners can utilize the same NSX APIs for service insertion and packet capture on premises in vSphere environments and in EC2 environments. This is extremely useful for using NSX and the VMware Cloud Foundation as the platform to deliver consistent services across the hybrid cloud.

Another very popular feature of NSX for EC2 is layer two network stretching. This allows workloads running in any EC2 environment, whether on AWS Outposts on premises or in the public cloud, to share a common L2 IP space even across multiple VPCs. This greatly simplifies workload migration and DR scenarios, as workloads do not need to be re-addressed or modified to take advantage of the flexibility and elasticity of the hybrid cloud.

Security Services 


NSX is known for its built-in security services. One of the most powerful is the firewall built for internal (east-west) traffic flows. This firewall understands the application topology and can visualize and map flows between the web tier, app tiers, and persistence tiers. Firewall policies can then be automatically deployed and dynamically updated if there are changes to application topology. This use case has been widely deployed and there are now thousands of enterprise customers using NSX to internally segment server-to-server traffic in the data center. With VMware Cloud Foundation for EC2, this same capability can be extended to EC2-based workloads, either on the public cloud or running on AWS Outposts in the customer data center. From a single policy console, IT can now ensure that foundational security policies are consistently enforced for workloads running on premises or in the public cloud, on vSphere or on EC2 environments. In the future, this same architecture will allow VMware advanced security offerings such as AppDefense to be extended onto native EC2 environments.

Management 


In addition to the data plane services of NSX, VMware has a collection of control plane services that support both vSphere and native EC2 workloads. vRealize Network Insight provides a single pane of glass that allows customers to visualize their flows for workloads running in a vSphere environment and/or in EC2. This is extremely helpful for troubleshooting hybrid cloud workloads, and also for formulating security policies. Additionally, VMware’s CloudHealth provides industry-leading cost management for EC2 environments.

The Foundation for all workloads 


VMware Cloud Foundation for EC2 creates a common set of data center services that spans the hybrid cloud. These services support all types of workloads from traditional VM based enterprise applications to modern container-based workloads utilizing platforms like PKS or Red Hat OpenShift.