It's been a bit since the announcement, so let's cover some of the new capabilities of interest in NSX-T 2.5. This is a summary of what I found interesting; the complete release notes are here.
VMware will be introducing a new paid service to analyze traffic handled by the distributed firewall, allowing infrastructure administrators to map out applications, service ports, and policies to better secure their east-west network environment. It will also provide the Application Rule Manager capability that NSX-V has natively.
Testing and Troubleshooting
VMware added a ton of good stuff here, some of which seems a little late...
Layer 2 MTU/VLAN Checking
This one has been a big pain point for NSX administrators everywhere, especially those who don't also control the route/switch infrastructure. Prior to this, NSX-T only had tunnel status (which would raise an alarm whenever a host had no VMs in a given port group, causing a LOT of noise) and NSX-V had nothing.
We get BGP routing information from the API and GUI for the first time!
We pick up SLAAC (IPv6 Stateless Address Autoconfiguration via Router Advertisements), allowing for automatic IP configuration. Ideally, this would not be something we really need - but I'm sure there's a use case somewhere.
Firewalling and Security
- NSX-T now supports configuration management as well, with config drafts!
- NSX Cloud is beginning to support native constructs in public cloud for security enforcement. This is a pretty big deal for hybrid cloud shops that won't have to use an agent to enforce consistent multi-cloud security!
- VMware has introduced Layer 7 (App-ID) support for gateways and is beginning to introduce FQDN filtering as a precursor to URL filtering.
- VMware has also added Identity-based firewalling.
- Elliptic Curve Cryptography is now available for IPsec
- Preset compliance suites for VPNs are also available
- Load Balancing GUI Improvements - We'll see the simplified GUI in a bit.
- SNMPv3 Polling is supported on all appliances
- The NSX-V to NSX-T migration tool has unlisted improvements
- NSX Manager to Edge communication is changing ports - from 1234 to 5671. This could potentially break connectivity during an upgrade if anything between Manager and Edge isn't already allowing 5671. Port 1235 does still need to be open.
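Since the Manager-to-Edge port change is the one item in this list that can bite you mid-upgrade, here is a small pre-upgrade reachability check I'd run from the NSX Manager before starting. This is an added example, not VMware's code or anything from the release notes; the edge hostnames are constructed placeholders, and it simply confirms a TCP handshake completes on the old port (1234), the new port (5671) and the still-required port (1235) for every edge node you list. The local listener helper exists only so the check can be exercised offline.

```python
import socket
from typing import Dict, List, Tuple

# Ports named in the NSX-T 2.5 notes: 1234 is the old Manager-to-Edge port,
# 5671 is the new one, and 1235 must remain open across the upgrade.
OLD_MANAGER_TO_EDGE_PORT = 1234
NEW_MANAGER_TO_EDGE_PORT = 5671
STILL_REQUIRED_PORT = 1235
REQUIRED_PORTS = (OLD_MANAGER_TO_EDGE_PORT, NEW_MANAGER_TO_EDGE_PORT, STILL_REQUIRED_PORT)

# Constructed placeholder edge names (assumption; replace with your own inventory).
EDGE_NODES = ["edge-01.example.invalid", "edge-02.example.invalid"]


def tcp_port_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP three-way handshake to host:port completes within timeout.

    A refused or filtered port (or an unresolvable name) raises OSError and counts as closed.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_edges(edges: List[str], ports=REQUIRED_PORTS, timeout: float = 2.0) -> Dict[str, Dict[int, bool]]:
    """Probe every required port on every edge; returns {edge: {port: reachable}}."""
    return {edge: {port: tcp_port_open(edge, port, timeout) for port in ports} for edge in edges}


def blocking_ports(results: Dict[str, Dict[int, bool]]) -> List[Tuple[str, int]]:
    """Return the (edge, port) pairs that are closed, i.e. the ones to fix before upgrading."""
    return [(edge, port) for edge, ports in results.items() for port, ok in ports.items() if not ok]


def local_listener() -> socket.socket:
    """Bind a throwaway TCP listener on 127.0.0.1 on an OS-chosen port (offline demo only).

    The kernel completes the handshake from the backlog, so no accept() is needed.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv


def free_closed_port() -> int:
    """Return a loopback port that is currently not listening (offline demo only)."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    # Real usage: run from the NSX Manager against your edge inventory.
    results = check_edges(EDGE_NODES)
    for edge, ports in results.items():
        print(edge, {port: ("open" if ok else "CLOSED") for port, ok in ports.items()})
    problems = blocking_ports(results)
    print("ready to upgrade" if not problems else f"fix before upgrading: {problems}")
```

Anything reported as CLOSED on 5671 means the new channel will fail once the upgrade switches ports, so get that opened on any intermediate firewall first; a closed 1234 on a pre-upgrade system is itself a sign something is already wrong with Manager-to-Edge connectivity.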
Next, let's try it out!