LOL Ecuador - VCF 5.1 Networking and Security
Uploaded by wpera

VMware Cloud Foundation 5.1.x
Networking and Security

Waldemar Pera
Enterprise Architect – AT Innovando Juntos

CCNP ENT/Sec/DC/SP
VCP-DCV/NV/Cloud 2024, VCP-SEC 2023, VCIX-NV 2024
vExpert 2019-2024, vExpert NSX 2020-2024
vExpert Security 2020-2024, vExpert Avi 2021-2024
vExpert Hybrid Cloud 2023-2024, vExpert Cloud Provider 2023-2024
vExpert App Modernization 2024
CISSP, BCNP, Nutanix NCA v6.5, Fortinet FCF/FCA

Broadcom Proprietary and Confidential. Copyright © 2024 Broadcom.
All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries.
Cloud Foundation Networking
An Introduction to Cloud Foundation Networking (Updated for VCF 5.1.x)

[Diagram: VMware Cloud Foundation management domain. vCenter Server, SDDC Manager and NSX Manager sit on the VM Management VLAN; the VDS carries the (Host) Management VLAN, vMotion VLAN, vSAN VLAN and the NSX Overlay Transport VLAN, which forms the Host TEP network with TEPs on ESXi 1 to ESXi 4.]
Overlay Networks as Deployed by Cloud Foundation (Updated for VCF 5.1.x)

[Diagram: the same management domain, with an NSX Overlay Transport Zone spanning the Host TEP network on ESXi 1 to ESXi 4 and carrying Overlay segment 1, Overlay segment 2 and Overlay segment 3 above the VM Management, (Host) Management, vMotion, vSAN and NSX Overlay Transport VLANs on the VDS.]
NSX Networking and Security
Introducing VCF Networking with NSX
SDN Leadership with comprehensive differentiation

NSX provides scalable network connectivity to all applications in a secure and available fashion.

• Best-in-class private cloud SDN
• Full-stack platform (L2-L7); includes FW, ATP, LB, WAF
• Foundational for VMware Clouds; consistent networking and security
• Strong customer momentum across all segments and verticals

NSX is VMware’s cloud networking and security solution for private cloud connectivity.
Virtual Networking and Security Services
Going beyond just layer 2 operations

• Virtual Switching: Distributed Switching
• Virtual Routing: Distributed Routing
• Integrated Security:
  • Firewalling (1): Distributed Firewalling
  • Intrusion Prevention (2): Distributed IPS/IDS
  • Load Balancing (3): L3-7 Load Balancing

(1) vDefend Firewall (add-on)
(2) vDefend Firewall with ATP (add-on)
(3) Avi Load Balancer (add-on)
Configuring Cloud Foundation for Full SDN
Configuring an NSX Edge for connectivity outside of Cloud Foundation

[Diagram: the management domain from the previous slides with an NSX Edge Cluster (NSX Edge Node 1 and Node 2, each with TEPs) added alongside vCenter Server, SDDC Manager and NSX Manager. The NSX Edge TEP Network and the Host TEP network are separate, and the TEP VLANs need to be routable to each other. Distributed Services run on the hosts (DLR, DLS, SDFW); Centralized Services run on the Edge nodes (NAT, VPN, DHCP, LB).]
Configuring Cloud Foundation for Full SDN
Detailed Configuration of an NSX Edge Cluster

[Diagram: TOR1 and TOR2 (ASN 65001) peer over BGP with the NSX Edge Cluster Tier-0 (ASN 65003) across Uplink VLAN 01 (Uplink01) and Uplink VLAN 02 (Uplink02). The Edge Cluster hosts the T-0 and T-1 gateways on an NVDS, with Edge TEPs on the NSX Edge TEP Network; the ESXi hosts’ TEPs sit on the separate Host TEP network; the Overlay Transport Zone carries Overlay segments 1, 2 and 3 across both.]
NSX Edge Deployment and Use Cases

Cloud Foundation Initial Deployment (Cloud Builder): 1. Pre-requisites checked (pre-deployment), 2. Upload simplified Deployment Parameter Worksheet, 3. Perform bring-up. Streamlined and faster.

SDDC Manager (post-deployment): Configure an NSX Edge Cluster for A. Kubernetes Workload Management, B. Application Virtual Networks, or C. Custom (Network Architecture).
NSX Edge Cluster Deployment and Scale
Automated through SDDC Manager

• Deploy per domain, per cluster, or across domains
• Scale on-demand without the need to size up-front
• Expand an Edge Cluster beyond two nodes to a maximum of eight nodes
• Shrink an Edge Cluster to a minimum of two nodes
• Create a larger Edge Cluster when deploying Tanzu in a consolidated deployment
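The edge cluster constraints from the slides above (two to eight nodes, eBGP from the Tier-0 to TOR1/TOR2 in a different ASN, edge and host TEP VLANs that are distinct and routable) turned into a pre-deployment design check. This is an added example, not VCF or SDDC Manager code: the spec layout, VLAN ids and subnets are constructed, and only the ASNs 65001 and 65003 come from the deck.

```python
"""Design sanity checks for a VCF NSX Edge cluster (added example, not VCF or
SDDC Manager code). The spec dictionary shape is invented for illustration;
the rules come from the edge cluster slides: 2..8 edge nodes, two uplink VLANs
each peering eBGP with a ToR in a different ASN, distinct and routable edge
and host TEP VLANs, and no overlapping subnets."""
import ipaddress


def check_edge_cluster(spec: dict) -> list:
    """Return the list of design problems found; an empty list means the spec passes."""
    problems = []

    # SDDC Manager can grow an edge cluster to eight nodes and shrink it to two.
    nodes = spec.get("edge_nodes", [])
    if not 2 <= len(nodes) <= 8:
        problems.append(f"edge cluster has {len(nodes)} node(s); need between 2 and 8")

    # Two uplink VLANs, each carrying an eBGP session from the Tier-0 to a ToR switch.
    edge_asn = spec["edge_asn"]
    uplinks = spec.get("uplinks", [])
    if len(uplinks) != 2:
        problems.append(f"expected 2 uplink VLANs, found {len(uplinks)}")
    for up in uplinks:
        if up["peer_asn"] == edge_asn:
            problems.append(f"uplink VLAN {up['vlan']}: ToR ASN equals edge ASN {edge_asn}, not eBGP")
        net = ipaddress.ip_network(up["subnet"])
        for addr in (up["edge_ip"], up["peer_ip"]):
            if ipaddress.ip_address(addr) not in net:
                problems.append(f"uplink VLAN {up['vlan']}: {addr} is outside {net}")

    # Edge TEPs and host TEPs sit on different VLANs and must reach each other, so each
    # TEP subnet needs a gateway inside it (the slide's "TEP VLANs need to be routable").
    tep_nets = {}
    for name in ("host_tep", "edge_tep"):
        net = ipaddress.ip_network(spec[name]["subnet"])
        tep_nets[name] = net
        gw = spec[name].get("gateway")
        if gw is None or ipaddress.ip_address(gw) not in net:
            problems.append(f"{name} {net} has no gateway inside the subnet; TEP VLAN not routable")
    if spec["host_tep"]["vlan"] == spec["edge_tep"]["vlan"]:
        problems.append("edge TEP VLAN must differ from the host TEP VLAN")

    # No subnet may overlap another: uplinks, TEP networks and planned overlay segments.
    labelled = [(f"uplink VLAN {u['vlan']}", ipaddress.ip_network(u["subnet"])) for u in uplinks]
    labelled += list(tep_nets.items())
    labelled += [(f"segment {s}", ipaddress.ip_network(s)) for s in spec.get("overlay_segments", [])]
    for i, (name_a, net_a) in enumerate(labelled):
        for name_b, net_b in labelled[i + 1:]:
            if net_a.overlaps(net_b):
                problems.append(f"{name_a} ({net_a}) overlaps {name_b} ({net_b})")
    return problems


# Constructed sample specs. ASNs 65001 (ToR) and 65003 (edge) are the deck's values;
# VLAN ids and subnets are made up for the example.
GOOD_SPEC = {
    "edge_nodes": ["edge01", "edge02"],
    "edge_asn": 65003,
    "uplinks": [
        {"vlan": 1001, "subnet": "172.16.1.0/24", "edge_ip": "172.16.1.2",
         "peer_ip": "172.16.1.1", "peer_asn": 65001},
        {"vlan": 1002, "subnet": "172.16.2.0/24", "edge_ip": "172.16.2.2",
         "peer_ip": "172.16.2.1", "peer_asn": 65001},
    ],
    "host_tep": {"vlan": 1030, "subnet": "192.168.30.0/24", "gateway": "192.168.30.1"},
    "edge_tep": {"vlan": 1040, "subnet": "192.168.40.0/24", "gateway": "192.168.40.1"},
    "overlay_segments": ["10.10.0.0/24", "10.20.0.0/24"],
}

# The same design with common mistakes: a single node, iBGP to the ToRs, edge TEPs put on
# the host TEP VLAN without a gateway, and a segment carved out of the host TEP range.
BAD_SPEC = {
    "edge_nodes": ["edge01"],
    "edge_asn": 65003,
    "uplinks": [dict(u, peer_asn=65003) for u in GOOD_SPEC["uplinks"]],
    "host_tep": GOOD_SPEC["host_tep"],
    "edge_tep": {"vlan": 1030, "subnet": "192.168.30.0/24"},
    "overlay_segments": ["192.168.30.0/25"],
}

if __name__ == "__main__":
    for label, spec in (("good", GOOD_SPEC), ("bad", BAD_SPEC)):
        print(label, check_edge_cluster(spec) or "passes")
```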
VMware Aria Operations for Networks
End-to-end, Agentless, Application Performance, Security, and Network Metrics

[Diagram: Aria Operations for Networks collects Flows, Metrics, APIs, Events, Config and Security Telemetry from Campus and Branch Offices; VMware VCF & Hybrid Cloud; VMs, Containers, Microservices and Applications; NSX, Data Center & Private Cloud, vSphere, Switch, Router, Load Balancer, Firewall, Virtual Desktops and IoT; and Physical/Virtual Integrations.]
Visibility with Aria Operations for Networks
Providing NSX Networking Visibility over Switch Fabrics

• More end-to-end visibility
• Troubleshooting is more complete with path search capabilities between NSX and Cisco ACI topologies
• Cisco ACI support for End Point Groups, including EPG Gateway, L3Out Contracts, L3Out EPG
• It is now easier to pinpoint issues in complex scenarios between vendors
VMware vDefend Security (NSX Advanced Security)
Visibility & Enforcement across the Attack Chain
vDefend Security

VMware vDefend Security, backed by the VMware Threat Analysis Unit. Security for East-West and Zone / Cloud Edge Traffic:
• Security Analytics and Management: App Flow Discovery | Rule Recommendations | Policy Management | Network Detection & Response
• Advanced Threat Prevention: IDS/IPS | Malware Analysis & Malware Prevention | Network Traffic Analysis
• Distributed Firewall: App & User ID | FQDN | IP Reputation
• Gateway Firewall: App/User ID | URL Filtering | TLS Decryption

Covers VMs, Physical Servers, Containers and Multi-Cloud.
ELASTIC SCALE | APPLICATION AWARE | NO NETWORK CHANGES | POLICY AUTOMATION
Network Security Controls and Threat Protection
Legacy vs vDefend Multi-Cloud Security

Legacy controls, deployed in the network outside the VMware ESXi hypervisor:
• Network-Based Firewalling: manual and labor-intensive; IP/Subnet based; no East/West visibility
• IDS/IPS: no environmental context; high false positive rate
• Network Sandbox: detection technology easily bypassed by evasive malware; fails to detect advanced threats
• Network Traffic Analysis via Packet Broker: difficult and costly to hairpin 100% of traffic; high false positive rates
Network Security Controls and Threat Protection
Legacy vs vDefend Multi-Cloud Security

VMware vDefend Firewall: hypervisor-based Advanced Threat Protection on VMware ESXi
• No network changes
• Hypervisor observability
• Segmentation / Microsegmentation
• NSX Network Detection & Response
• Tapless NTA (E-W visibility)
• NSX Sandbox (Guest Introspection)
• NSX Distributed IDS/IPS
• Network Event Correlation
• Packet Broker
Visibility & Enforcement across the Attack Chain
vDefend Distributed Firewall

• VM and K8S
• (Micro)-Segmentation
• L2-L7 based policies
• VLAN and Overlay-backed NSX segments
• L7 APP-ID
• FQDN/Outbound Filtering
• User-based Firewalling
• (Advanced) Threat Prevention

[Diagram: a T0 gateway with T1_VDI and T1_PROD below it; the Distributed Firewall enforces on the VDI_Contractors and VDI_Employees segments under T1_VDI and on the PROD_DMZ and PROD_INTERNAL segments under T1_PROD.]
Visibility & Enforcement across the Attack Chain
vDefend Edge Gateway Firewall (Zone Firewall)

• Tier-0 & Tier-1 Gateway support
• Applied to the Gateway Uplink and Service Interface
• Instantiated on NSX edge nodes
• L2-L7 based policies *
• L7 APP-ID **
• User-based Firewalling with log event scraping
• FQDN Analysis *
• URL Filtering *
• TLS Inspection *
• Advanced Threat Prevention *

* Advanced Threat Prevention, L7 App-ID, FQDN analysis, TLS Inspection, APP-ID and URL Filtering only supported on Tier-1

[Diagram: Gateway Firewall on the T0 uplinks and on T1_VDI and T1_PROD; a DARKSIDE DOWNLOAD attempt arrives through the uplink; VDI_Contractors and VDI_Employees sit under T1_VDI, PROD_INTERNAL under T1_PROD, and HW Appliances attach through a Service Interface.]
Intrusion Detection and Prevention (IDS/IPS)
Distributed IDS/IPS (e.g. Virtual Patching)

[Diagram: three workloads, VDI, WEB and APP, each with a vulnerability (Magnitude EK, Log4j, API/SQL injection) and each shielded by a VIRTUAL PATCH applied in the hypervisor. Side navigation on this and the following slides: NDR, NTA, Malware Prevention, IDS/IPS, Segmentation.]
Malware Detection and Prevention
vDefend Distributed Malware Prevention

vDefend Distributed Malware Protection
• Network-independent detection & prevention of known and unknown malicious files
• Windows VMs & PE files in NSX 3.2
• Hash lookup, local (static) analysis and cloud-based dynamic analysis
• Guest-introspection based file extraction and blocking for DFW
• No hairpinning, network latency or re-architecture
• Full system-emulation cloud sandbox enables detection of evasive malware

[Diagram: T1_VDI with VDI_Contractors and VDI_Employees; T1_PROD with PROD_DMZ and PROD_INTERNAL.]
Malware Detection and Prevention
Sandbox Comparison

Typical Enterprise Sandbox Capabilities: analyses Web, Files and Apps on guest Operating Systems running over physical hardware; incomplete hardware CPU emulation inhibits observability of malware.

VMware Cloud Sandbox Capabilities (full emulation of CPU, memory and network over physical hardware, with visibility of evasive malware from the hypervisor):
• Analysis does not require custom OS images or app versions (better data sources)
• Dormant code analysis locates code blocks that don’t execute
• Code branch triggering and code branch replay
• Evasion detection, including switching processor mode from 32 to 64 bit
• Code injection and unpacking observed from the hypervisor
• Analyze network capabilities
• Object risk assessment, signature generation, NTA model generation
Network Traffic Analysis
How is vDefend different?

vDefend Network Traffic Analysis
• Detect anomalous network behavior
• Machine-learning based detection of traffic anomalies with threat-centric models
• Applied to enriched flow and endpoint context collected by vDefend intelligence
• Uses 14 Detectors to detect deviations from “normal”
• No need for TAPs, monitoring networks or network re-architecture
Network Detection and Response
Connecting the attack chain

vDefend Network Detection and Response
• Scoring and correlation of IDPS, malware and anomaly events into intrusion campaigns
• “Connect the attack chain” capability
• Provides security teams high fidelity by constantly correlating signals from distributed network sensors
• Correlation into threat campaigns rather than events allows SOC operators to focus on triaging only a small set of actionable threats

[Diagram: a Darkside campaign assembled by NDR Threat Detection from Malware Events, a Remote Services Anomaly, a Remote Code Execution event and DNS Tunneling Anomaly Events.]
See All Connections and Conversations

[Diagram: a layered stack, from the top: Network Detection and Response (NDR) at the conversation level; Network Sandbox and Network Traffic Analysis (NTA) at L7, multi-hop; Distributed IDS/IPS at L7, per hop; Network Segmentation and Micro-Segmentation for L4 to L7 connections and conversations.]
VMware Aria Suite and AVN
VMware Aria Suite for Cloud Foundation
Products deployed using VMware Aria Lifecycle

• VMware Workspace ONE Access
• VMware Aria Operations
• VMware Aria Operations for Logs
• VMware Aria Automation
• VMware Aria Operations for Networks*
VMware Aria Suite on VCF Architecture
NSX Edge Cluster configuration

• The NSX Edge Cluster is deployed from SDDC Manager
• Configure the Edge Cluster for Application Virtual Networks
• Configures two-tier routing for Local Region and Cross Region segments
• Configures NSX Load Balancers for VMware Aria components

[Diagram: the Operations Team and Cloud Administrator work through SDDC Manager (steps 1 to 7) to deploy an NSX Edge Cluster (Edge 01, Edge 02) in the VMware Aria Suite workload domain, with T-0 and T-1 gateways, a Load Balancer, and the 10.50.0.0/24 and 10.60.0.0/24 networks.]
VMware Aria Suite on VCF Architecture
Application Virtual Networks (AVN)

• Deployed from SDDC Manager to the management domain
• Used to configure Local Region and Cross-Region NSX SDN segments for VMware Aria Suite management applications
• Once deployed, AVN configuration is visible from within SDDC Manager

[Diagram: the same Edge Cluster (Edge 01, Edge 02; 10.50.0.0/24, 10.60.0.0/24) with T-0, T-1 and Load Balancer, now carrying a Region Specific and a Cross-Region segment; SDDC Manager workflow steps 1 to 7.]
VMware Aria Suite Architecture
AVN configuration deploys a Local Region and X-Region segments

VMware Aria Suite Network Choice

Overlay (recommended):
• Uses NSX overlay network segments
• Create segments independently from hardware
• Requires BGP configured at ToR

VLAN-backed:
• Uses VLAN-backed network segments
• Requires physical VLAN configuration
• Supports static routing
• VLAN deployed with NSX Edge Cluster
• Requires manual configuration
VMware Aria Suite Networking
NSX Edge Cluster with AVN configured for VMware Aria Suite SDN

[Diagram: in the Management Workload Domain, the NSX Edge peers BGP upstream and hosts the Load Balancer VIPs. Region Specific Network, segment 10.10.0.0/24: VMware Aria Operations for Logs (Aria Logs Cluster), VMware Workspace ONE Access, VMware Aria Operations Collectors. Cross Region Network, segment 10.20.0.0/24: VMware Aria Operations (Aria Ops Manager Cluster), VMware Aria Automation (Aria Auto Cluster), VMware Workspace ONE Access (Workspace ONE Access Cluster), VMware Aria Suite Lifecycle.]
NSX Federation
NSX Federation Use Cases

NSX Federation Use Cases:
• Operational simplicity
• Common policy configuration
• Global networking
• Simplified disaster recovery

Additional features provided by NSX Global Manager:
• Password management
• Certificate management
• Backup and restore of Global Managers

NSX Federation Support is provided in Cloud Foundation as manual guidance.

[Diagram: an NSX Global Manager Cluster above two sites, each with its own NSX Manager, SDDC Manager and vCenter.]
What is NSX Federation?
Manage multiple NSX Data Center environments

[Diagram, built up over five slides: a Global Manager Primary Cluster (G) and a Global Manager Standby Cluster (G) manage the NSX Managers, acting as Local Managers (L), at Location 1, Location 2 and Location N+1. Global config is entered once through the Global Manager UI/API and pushed to every Local Manager; T1 and T0 gateways exist at each location and are interconnected over RTEP.]
VCF Architecture for NSX Federation
Control plane and data plane

[Diagram: Management / Control Plane with a Global Manager (G) and a Local Manager (L) in Region A and in Region B. Data Plane: a global Tier-0 that is Active/Active and Primary/Primary across both regions; three global Tier-1 gateways, each Active/Standby, one Primary in Region A, one Primary/Secondary stretched across both regions, one Primary in Region B; Region A Only Segments, Multi-Region Segments (egress through a single site) and Region B Only Segments.]
Theory of Operations
Normal operation, Region A failure, network failover, network fail-back, normal operation

[Diagram, repeated across five slides: Region A Datacenter and Region B Datacenter with the Management / Control Plane (G and L in each region) and the Data Plane described above (Active/Active, Primary/Primary global Tier-0; Active/Standby global Tier-1 gateways; Region A Only, Multi-Region and Region B Only Segments, egress through a single site). The sequence shows normal operation, the failure of Region A, network failover to Region B, network fail-back, and the return to normal operation.]
VCF 5.2 (short list)
Thank You
Waldemar Pera

https://www.linkedin.com/in/waldemarpera/

@WaldemarPera
