Nutanix – Flow Networking

AOS 5.6 introduces a SDN function to the Nutanix platform, in particular – Micro Segmentation.

Flow is the initial SDN funtions for Nutanix focused on security.  It only applies to AHV and it built into the hypervisor during deployment, its not installed after the fact that is managed in Prism Central.  Flow will automatically detected the flows between VMs and visualise the traffic and relations.

Within in Prism Central you use Categories to logically group machines and apply polices.  Policies are applied across multiple AHV clusters, they not restricted to a single cluster.

Micro segmentation works at a east-west protection, that is within the datacentre, lateral data flow.  Rules are always-on and deployed in a stateful manner.  The allows and deny happen at the vNIC to virtual switch level, applied at the VM.  The data plane is at the host level using open vSwitch and open flow.  Rules dont need to be configured for IPs, they can be applied to categories which include VMs, meaning the VM can move around and change its IP and still be protected.  Rules are port based, layer 4.

Policy types

  • Quarantine – Programmatic restriction of network connections, manual intervention or can be automatic via scripts calling the API following a anti-malware alert.
  • Isolation – restricts two defined groups of VMs from communicating with each other
  • Application – most flexible policies, defining noth inbound traffic sources and outbound destinations for a single or multi-tiered application

To do a manual quarantine of a VM, you simply select the VM in Prism Central and go to  Actions – Quarantine VM

  • Strict – isolates the VM from the network
  • Forensics – isolates the VM from everything on the network apart from specified source and destination VMs used for forensics.  Source and destination VMs are added to the quarantine policies.

Below shows an example of a Application policy and the flexibility it can offer.  Application tier can be built out by adding the relevant VMs, the tiers are added to the category.

If the rule is set to Monitoring, traffic that is not allowed can be viewed from the policy.  Traffic wont be blocked but it allows you to see what traffic would be blocked.  The blocks on the left hand side in blue are what is allowed and the blocks in yellow is what is due to be blocked. History of connect attempts can be viewed as well.  Yellow boxes can be allowed and the policy can be simply updated.

As well as traffic to and from the application tier, rules can be created from traffic within the tier.

Longer term visions for Flow will be to expand the SDN functions to include things like VPN, IPS/IDS and load balances.  Currently 3rd party vendors can be leveraged for these network functions via service chains.  Traffic flows through a partner VM to provide these functions.  As part of the cloud strategy for Nutanix, a SDN product is key.

Another future feature talked about it linking quarantine policies to Citrix / AD for granular control for VDI environments.

Additional licensing is required and is based on per-node, subscription basis.


Leave a comment

Your email address will not be published. Required fields are marked *