VMware NSX Archives - IT Solutions Provider - IT Consulting - Technology Solutions

What Does it Take to Run VCF 9?
Published Thu, 12 Feb 2026 (/blog/what-does-it-take-to-run-vcf-9/)

I have had so many conversations around this topic, I wanted to capture my thought process here, and avoid injecting operational or performance risk, as we take our first steps with VCF.

So, let’s dive into the current offerings from Broadcom. We are only going to be discussing their primary offering….VMware Cloud Foundation (VCF).

VCF, which is what Broadcom leads with, and…VVF (VMware vSphere Foundation), which exists, but is not the topic of this post.

We are not talking about every single SKU or offering they have, as there are quite a few additional “add-on” licenses that exist for VCF. None of these add-on licenses are being discussed in the post, in any way.
BUT, you SHOULD discuss “add-ons” as you may want/need some.

And don’t forget. vSphere 8 End of Support is October 2027. That’s only 19 months away….start planning your approach now! The only way to vSphere 9 is VCF (and potentially VVF).

For the purposes of this post, we are going to sit in the role of an enterprise architect who has to size the new hardware required for a new application stack that drives the business, same as if we were having this discussion about rolling out SAP, Oracle E-Business Suite, or PeopleSoft. We wouldn’t want to introduce unnecessary risk for those applications, right?

What is VCF?

So let’s start with what VCF is, and what it takes to deploy and run VCF. VCF is a private-cloud platform. You do not get to pick and choose the individual components.

Just like when you go to buy a car….if you want a moonroof, and it is only available in the “touring edition” package of the car, you get the touring edition. Don’t want the heated steering wheel or seats? Well, they came with the touring edition, so you can either use them or not….but they came with the touring edition.

You don’t have to use EVERYTHING that came with the touring edition, but I’ll bet you appreciate those heated seats on nights when it’s 7°F.

What Does VCF (The Private Cloud Platform) Give Me?

Essentially, all the same capabilities you get (and expect) from a public cloud provider (AWS, Azure, GCP…any of the hyperscalers). It is a platform to run VMs, containers, K8s, workloads, VPC networking constructs, monitoring, troubleshooting tools, and automation/self-service you can build. Also included are logging capabilities, insights into your network traffic flows, workload mobility, SSO, etc.

What Makes Up The VCF “Application”?

Let’s list this out (you’ll see VCF in front of a bunch of the products that you might remember as vRealize, which got rebranded to Aria, which is now prefixed with VCF). Here are the 14 “components” that comprise VCF:

  • VCF Operations
  • VCF Operations Collector
  • VCF Operations Fleet Management
  • VCF Operations for Logs (used to be Log Insight)
  • VCF Operations for Networks (used to be Network Insight, or vRNI)
  • VCF Operations HCX
  • VCF Operations Orchestrator
  • VCF Automation
  • VCF Identity Broker (provides SSO capability)
  • vSphere Replication
  • VMware ESX
  • VMware NSX
  • VMware vCenter
  • VMware vSAN

You can see all of these components if you try to download VCF 9.0 from the Broadcom Support Portal. I know I’m linking to 9.0.0.0, the GA release, but let’s see the forest through the trees for this discussion (login required to get to this page!).

This sounds like a lot, and it is, when we (like many) compare it to what we have known for years as vSphere (which is just ESXi and vCenter).

How Do You Get This Deployed?

That might be another post, or better yet, take a 1-day workshop with us here at WEI, and we can show you HOW it gets deployed. About a week (or two, depending on the size of the committee) of planning. About a week of deployment & configuration (to do it right). A few days (to five) to polish up the rest of your new “on-prem private cloud”. So, for the time being, we will just say it gets deployed….

Management Domain

This initial deployment for VCF is what is called the “Management Domain”. The Management Domain runs all those products we listed out above and will then be the location where the management VMs for “Workload Domains” are expected to run…more on that later.

Does it seem like you need a lot of resources to run this full VCF stack in the Management Domain? Well, that depends on what you consider as “a lot of resources”…

  • Total vCPUs allocated: 234 vCPU
  • Total RAM allocated: 825-GB RAM
  • Total Storage allocated: 15.5-TB
  • Total Storage consumed: 4-TB

…and this is with the smallest deployable VM sizing available via the VCF Installer process. Ask us for the RVTools export of a newly deployed VCF environment.

What else might you run in the “Management Domain”? Forgetting that running Windows Server and/or Red Hat VMs requires licensing…

  • Domain Controllers
  • IdP connectors
  • Backup Servers
  • Security workloads

…and other backend functions…but don’t overdo it. This Management Domain will have other things to run.

This Management Domain is running 25 new VMs to start. You see the resources (listed above) those VMs will require. You see all the different components listed earlier that are integrated together…and we want to do it right the first time, because if you can’t do it right the first time, when will you find the time to fix it later? My advice:

  • Start with 4 x new ESXi servers running vSAN ESA (requires NVMe drives).
  • Brand new, or (very modern) repurposed vSAN ESA Ready Nodes, but they WILL be wiped as part of this process.
  • We will deploy VCF together on those new servers and create the Management Domain.
  • Could you use FC (not FCoE) or NFS? Sure, but given the small cost of a few NVMe drives to run vSAN ESA, we can isolate this “VCF Application” and guarantee the resources required to run our enterprise application, VCF. Plus, it is recommended by the vendor, VMware, to use vSAN for the Management Domain. We will repurpose your external storage when we get to the Workload Domains.

After the Management Domain is configured, we can then import your existing vCenter Servers and the clusters that they manage (and more importantly, the VMs that they run). More on that in a bit.

Taking a step back, we realize that to run VCF in a risk averse implementation, we need a new VMware Cluster of 4 x ESXi hosts running vSAN ESA to get everything deployed.

Sizing the Management Domain

As there are quite a few components deployed for VCF with 3 x VMs in a cluster, and the expectation is to have HA (High Availability) for the VMs running, you need a minimum of 4 hosts. To be redundant myself, that is a 3+1 cluster (the +1 is for the HA event, or more practically, to do maintenance without affecting production workloads).

OK fine, we can agree with 4 nodes configured as a 3+1 cluster. What about the CPU, RAM, storage & network connectivity needed?

CPU: For CPU, let’s focus on the number of vCPUs required. Do you want to oversubscribe the management cluster? You can, but remember, this is what manages your VCF stack, so heavy oversubscription is not the answer.

Should you do a 1:1 VM CPU, for each physical CPU core? I would love to see that happen, but our pocketbooks are not infinite.

OK, so do we go 2:1, or 5:1, or 10:1? For this Management Domain, I’m happy to agree to a 2:1 CPU oversubscription.

  • Let’s work with sizing based on a CPU, with 32-cores per socket.
  • Put 2 x CPUs in each ESXi host (64 cores).
  • Go with the 4-node cluster (technically 3+1 cluster) just discussed.
  • That gives me 256 total cores for the raw total…Technically, that’s 192 cores (3 nodes + 1 for HA) usable.
  • The total vCPUs allocated to the VMs for VCF to get started is 234 vCPUs…
  • We are already at 1.22:1 CPU oversubscription (234 / 192), and we haven’t added any other workloads or VCF functions yet.

RAM: Let’s start with 512-GB per node (I’d really prefer 1-TB per node, but let’s start here, just for the math). That gives you 2-TB of RAM for the raw total. But technically it’s 1.5-TB of RAM (3 nodes + 1 for HA again). And we are using 0.8-TB just to get started, and we haven’t added any other workloads or VCF functions yet.

What about memory oversubscription? I’m not a fan of that (most of us can agree that swapping RAM is a bad idea), but there is another way to get more useable RAM, and that is with NVMe Memory Tiering (add an NVMe drive to increase your “RAM” installed in the host). Add in NVMe Memory Tiering, and 512-GB per ESXi host isn’t a terrible starting point.

I would recommend 1-TB per host to get started.

vSAN ESA Storage: It’s ~16-TB allocated (thank goodness for thin provisioning in vSAN!) That’s before any growth, and data ingestion, any logs, or any other snapshots or data retention, or even VM templates considered…so let’s add 50% of that to start…24-TB. That’s 24-TB of USEABLE storage, not RAW capacity. 24-TB of RAID-1 is 48-TB RAW.

But vSAN ESA has some great storage efficiency (writes via RAID 1, and depending on the number of ESXi hosts in the cluster….cold data at RAID 5 or 6) and global deduplication is coming soon as well.

So, 48-TB of raw capacity can get you a minimum of 24-TB useable capacity. That means each ESXi host needs to contribute 12-TB of RAW disk capacity. That’s 3 x 4-TB drives.

Yes, you can add more storage to each node in the future (be sure to select hardware ready to do that).
…and don’t forget to add another NVMe drive for Memory Tiering…(typically a different part number than the ones used for vSAN).

Networking (physical NICs): Pretty easy for most of us. We want redundant networking that meets the minimum requirements set forth by our application vendor. 2 x 25-GbE NICs.

25-GbE has been around since 2016, and affordable as a ToR (Top of Rack) solution since 2019. Nearly every server today ships with 10/25-GbE NICs onboard. Plus, it is recommended by our VCF “Application” vendor, so we follow their recommendations, given that the absolute minimum is 10-GbE. Latency must also be < 1ms.

Can you use more than 2 NICs per host? Yes, and you might do that to separate storage or NSX network traffic. We can discuss it, of course, though I hedge my bets for the Management Domain to have a pair of 25-GbE for most folks.

Summary of Management Domain Sizing

You need 4 x ESXi servers ready for vSAN ESA, each configured with:

  • 2 x 32-core CPUs
  • 1-TB RAM
  • 3 x 4-TB NVMe drives (for vSAN ESA)
  • OS boot Drive (Another NVMe, only needs 128-GB minimum)
  • 2 x 25-GbE NICs

Optional, but highly recommended: 1 x 4-TB NVMe for Memory Tiering. This is what is needed to run the VCF “application”, while minimizing risk, delivering an acceptable SLA for performance & recovery, and providing the ability to scale out or up.

But Aren’t There Minimal Deployments?

Yes, there are. I suggest you access the . Quoted right from the documentation linked above…

“This Design Blueprint can be used as a full end-to-end design for a VMware Cloud Foundation platform or as a starting point and adjusted to suit your specific objectives by substituting any of the design selections listed below with alternative models.”

This is a great starting point to build a lab or demo environment in getting yourself familiar with VCF capacities and features. However, it is not a recommended way to implement something that is delivering mission critical capabilities for the business.

And you still need about 45% of the resources we discussed earlier when we discussed the Management Domain. You are not deploying everything that you have purchased to help you run a private cloud.

Let’s say we do this minimum deployment…we are adding risk, with high impact scenarios that can play out in production. Well, what if we add the availability after the fact? I’ll bring up that quote again, “…if you don’t have time to do it right, when will you have time to fix it?”

This design has the application VMs (VCF Automation, VCF Operations, and NSX) that are typically spread out as 3 x VMs, now running as a single VM each. While they do function, they are not truly available and add many single points of failure to the applications they serve, which essentially adds risk to your VCF created private cloud. Yes, they benefit from vSphere HA (which we have had since 2006 with Virtual Infrastructure 3), but that is not the way these applications were designed to run.

This minimal deployment design uses a cluster that is shared for Management Domain functions as well as any VM workloads that you see fit to mix with the Management Domain. We will call it a Consolidated Domain model (the language used in VCF releases prior to 9.0). This will work, yes, but it is not what we expect from any of our applications that drive the business. Minimizing risk is one of the things I have focused on in my 30+ years of working in IT.

…But the design docs you just linked to say it can be used that way! That is true, but it does not explain that you now need to take outages, additional work, and have limited options when you do updates, patches, or upgrades in the future….all things that are required in the lifecycle of any IT infrastructure component or solution.

Imagine us having this discussion if rolling out SAP, Oracle E-Business Suite, or PeopleSoft. We wouldn’t want to introduce unnecessary risk for those applications, right?

Reuse Existing vSphere Environment

ABSOLUTELY!…Just not for the Management Domain. We still need to run the VMs that are running on our existing vSphere environments, right? That environment isn’t going away anytime soon. We will end up running each of your existing vCenter Servers as a “Workload Domain” (explanation coming soon, I promise).

So long as the server hardware is supported to run ESXi 8.x or 9.x. (vSphere 7 support ended October 2025).

Do I have to use vSAN? No, but you can use vSAN if you would like (or need) to. You can use your existing NFS, FC, FCoE, or iSCSI SANs without issue. If you are using vVols, be aware that in vSphere 9, support is deprecated and vVols will be going away soon, so I would prefer to help you migrate off vVols at this time, rather than later.

What about my vCenter Server(s)? While possible to use vCenter 8, we would recommend upgrading that to vCenter 9. Yes, if vCenter is at version 9, you can still manage ESXi 8.x hosts. We will bring in those existing environments and make them part of your new VCF application.

Then we can take advantage of all the capabilities that VCF brings, most importantly, rightsizing your environment (as licensing CPU cores for no reason can be expensive). That means sizing your VMs as well as your physical servers running ESXi, so that we can optimize your resources so that they better align with the business outcomes defined and needed by your organization.

Workload Domains

While there is only going to be (in nearly all cases) a single Management Domain that is focused on providing VCF functions, management, and capabilities, Workload Domains are very different, but instantly familiar to us.

Essentially, a Workload Domain is very similar to what we are used to, if we think about any of our vSphere environments (any that are version 8 or earlier). It is a vCenter, and an NSX implementation, that runs the VMs that power the applications that our business needs.

Any Workload Domain is going to run the VMs that are currently running. THIS is where we can repurpose existing ESXi hosts and existing storage you have.

That’s it! Workload Domains are very flexible in how we create or import them. We can use storage other than vSAN (though you can still use vSAN here if you’d like).

What’s the difference between deploying a new Workload Domain, or importing an existing vCenter into VCF as a Workload Domain? The process to deploy versus import. That’s it.

So why the separation of duties like this? That’s just how Broadcom created VCF to work, so I just play by the rules provided me. Now, I like the separation of Management from Workload. Matter of fact, I’ve been doing that in my designs since 2009, and many of those designs are in their 4th or 5th generation now, all well before the Broadcom acquisition and what is now VCF 9.

Since the “Management” of your Workload Domain is vCenter and the 3 x NSX Control VMs…guess where they run? The Management Domain! Yes, even if we import the existing vCenter that is running on your existing cluster, that’s where we should migrate it to.

Are there no other VMs needed to support the Workload Domain? Yes, there are, but they are all already running in the Management Domain.

So, creating (or importing) a Workload Domain requires additional resources in the Management Domain:

  • Total vCPUs allocated: 44 vCPU
  • Total RAM allocated: 174-GB RAM
  • Total Storage allocated: 2-TB
  • Total Storage consumed: 0.5-TB
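
The sizing arithmetic from the Management Domain section and the per-Workload-Domain overhead listed above can be combined into one headroom check. This is an added example, not code from WEI or Broadcom; the class and function names are hypothetical, and it assumes the 4 x host cluster from the math earlier (512-GB RAM and 3 x 4-TB NVMe per host), a 2:1 CPU cap, no RAM oversubscription, and allocated (not consumed) storage measured against RAID-1 useable capacity.

```python
"""Management Domain headroom check using the figures quoted in this post.

Added illustration; all names here are hypothetical.
"""
from dataclasses import dataclass
import math


@dataclass(frozen=True)
class Demand:
    vcpu: int
    ram_gb: float
    storage_tb: float  # allocated (thin-provisioned) capacity, not consumed


@dataclass(frozen=True)
class Cluster:
    hosts: int
    ha_reserve: int          # hosts held back for HA / maintenance (the "+1")
    cores_per_host: int
    ram_gb_per_host: float
    raw_tb_per_host: float
    mirror_copies: int = 2   # RAID-1: every useable TB costs two raw TB

    def __post_init__(self):
        if not 0 <= self.ha_reserve < self.hosts:
            raise ValueError("ha_reserve must leave at least one usable host")

    @property
    def usable_cores(self) -> int:
        return (self.hosts - self.ha_reserve) * self.cores_per_host

    @property
    def usable_ram_gb(self) -> float:
        return (self.hosts - self.ha_reserve) * self.ram_gb_per_host

    @property
    def usable_storage_tb(self) -> float:
        # The post sizes raw capacity across all hosts, then halves it for RAID-1.
        return self.hosts * self.raw_tb_per_host / self.mirror_copies


# Figures quoted in the post.
MGMT_BASE = Demand(vcpu=234, ram_gb=825, storage_tb=15.5)
PER_WORKLOAD_DOMAIN = Demand(vcpu=44, ram_gb=174, storage_tb=2.0)
MGMT_CLUSTER = Cluster(hosts=4, ha_reserve=1, cores_per_host=64,
                       ram_gb_per_host=512, raw_tb_per_host=12)


def cpu_ratio(cluster: Cluster, demand: Demand) -> float:
    """vCPU : physical core ratio with the HA host excluded."""
    return demand.vcpu / cluster.usable_cores


def max_workload_domains(cluster: Cluster,
                         base: Demand = MGMT_BASE,
                         per_wd: Demand = PER_WORKLOAD_DOMAIN,
                         max_cpu_ratio: float = 2.0):
    """Return (count, limiting_resource, per_resource_counts).

    A resource whose baseline already exceeds capacity is clamped to 0.
    """
    headroom = {
        "cpu": (cluster.usable_cores * max_cpu_ratio - base.vcpu) / per_wd.vcpu,
        "ram": (cluster.usable_ram_gb - base.ram_gb) / per_wd.ram_gb,
        "storage": (cluster.usable_storage_tb - base.storage_tb) / per_wd.storage_tb,
    }
    fits = {name: max(0, math.floor(value)) for name, value in headroom.items()}
    limiting = min(fits, key=fits.get)
    return fits[limiting], limiting, fits


if __name__ == "__main__":
    print(f"baseline CPU ratio: {cpu_ratio(MGMT_CLUSTER, MGMT_BASE):.2f}:1")
    count, limiting, fits = max_workload_domains(MGMT_CLUSTER)
    print(f"workload domains that fit: {count} (limited by {limiting}) {fits}")
```

Changing `ram_gb_per_host` to 1024 (the 1-TB recommendation) leaves CPU as the limiting resource under the 2:1 cap.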

Sizing the Workload Domain: Well, what about the sizing? There is an expectation to have HA (High Availability) for the VMs running…you need a minimum of 3 hosts. To be redundant myself (again,…punny!)….that is a 2+1 cluster (the +1 is for the HA event, or more practically, to do maintenance without affecting production workloads).

What about sizing the CPU, RAM, and Storage (3-tiered or vSAN ESA)? That will vary with each Workload Domain’s Cluster. That’s right, every Workload Domain can have up to 400 x VMware Clusters, each up to 64 ESXi hosts. That’s a lot of resources being managed by just 1 vCenter Server.

Sizing a VMware Cluster

We have all been sizing VMware vSphere Clusters since 2006. The sizing exercise we went through earlier for the Management Domain happens in almost every environment, but quite often I see the following situation play out.

Time to refresh the VMware Infrastructure, so let’s size it to run the current workload and 25% additional growth for the next 3 years. Five years later, we realize we are running 400% of the planned workload, and wondering why performance of our most critical app is suffering. Good thing we will have the tools available to us to help us with that moving forward…

How do you break out each VMware Cluster, or better said, size each VMware Cluster? I would take the same approach I took above for sizing the Management Domain.

What Design Qualities are most important for THAT SPECIFIC workload? Availability, Manageability, Performance, Recoverability, Scalability, or Security? How do we prioritize those Design Qualities for THAT VMware Cluster?

…and we will do that for each of the components that make up your VMware Cluster:
Compute, Storage, Networking, Management, Workloads, Analytics, Chargeback, Reporting, and of course, Compliance.

Just like building a VMware Cluster dedicated to MS SQL or Oracle, you plan your workload requirements, size accordingly, and run it. Extra capacity? Let’s put other VMs on that VMware Cluster for Oracle…NOPE! That was designed a specific way for a specific purpose. That extra capacity is there for a reason, not to be consumed on a whim by something that is not running Oracle.

Questions? Fill out the Contact Us form here at wei.com.

What Every CIO Must Know About VMware NSX: Essential Insights for Confident Network Security
Published Tue, 29 Jul 2025 (/blog/what-every-cio-must-know-about-vmware-nsx/)

CIOs: Learn how VMware NSX and VCF drive secure, agile private clouds. Partner with WEI to maximize your cloud investment.

When VMware by Broadcom introduced its new simplified bundle strategy earlier this year, it created new opportunities for enterprises to extract greater value from their VMware investments. Customers with active subscriptions to VMware Cloud Foundation (VCF) or VMware vSphere Foundation (VVF) now have access to tools for operations management, automation, networking, and Kubernetes.

But if your organization is like many others, the question isn’t whether you have access to these tools—it’s whether you’re able to take advantage of them. That’s where WEI comes in, so let’s explore!

Get More Than Licensing, Get Value

With certified technical experts on staff, WEI doesn’t just sell VMware solutions, we help you operationalize them. Whether you’re working through changes to your licensing model or trying to understand what capabilities are now included with your entitlements, WEI can help you move from license ownership to business impact.

The VMware Cloud Foundation platform includes:

  • VCF Operations for real-time performance optimization and intelligent analytics
  • VCF Automation for policy-based provisioning and infrastructure as code
  • VCF Networking powered by NSX for secure and scalable software-defined networking
  • VMware Kubernetes Service (VKS) for modern application deployment and management

These technologies work best when aligned with your environment and business goals. That’s why WEI developed a structured, assessment-led framework to help customers unlock their full potential.

Read: The VCDX Advantage With WEI

WEI’s VMware Optimization Framework

WEI’s assessment framework includes four interconnected services:

1. VMware Optimization Assessment (VOA) – Powered by VCF Operations

The VMware Optimization Assessment is a diagnostic evaluation designed to uncover inefficiencies, performance issues, and compliance risks within your VMware environment. Powered by VCF Operations, the VOA includes guided walkthroughs of key dashboards and lab environments, along with actionable insights that IT leaders can use to drive measurable improvements.

Key benefits of the VOA include:

  • Identification of idle or overprovisioned resources
  • AI-assisted root cause analysis
  • Rightsizing and predictive capacity planning
  • Compliance scoring and drift detection
  • Energy efficiency through workload consolidation

2. VMware Value Modeler (VVM)

The VMware Value Modeler translates technical performance metrics into business outcomes. By comparing baseline and optimized states, this tool allows IT and finance teams to justify projects based on ROI, capital efficiency, and risk mitigation. It supports C-suite reporting by converting infrastructure usage into budget-relevant language.

3. Private Cloud Maturity Model (PCMM)

The PCMM benchmarks your private cloud posture across six categories, including automation readiness, governance, and security. WEI’s structured evaluation provides a gap analysis that helps prioritize roadmap activities, identify risk areas, and guide long-term transformation plans.

4. Future State Architecture (FSA)

Through FSA planning, WEI helps define and build strategic architectural goals such as ransomware resilience, Private AI, and infrastructure as code. This is where IT modernization strategy meets execution, with clearly defined migration paths, KPIs, and cross-functional alignment.

Read: Leverage Comprehensive Cloud Expertise-For Your Cloud-Native Journey

Activate VMware Kubernetes Service (VKS)

Included in both VCF and VVF, VMware Kubernetes Service (VKS) enables enterprises to deploy and manage modern containerized applications. VKS supports TKG clusters and includes integration with GitOps pipelines and workload management. WEI helps accelerate VKS adoption with tailored support that aligns with CNCF standards and customer-specific operational needs.

Secure the Network with VCF Networking Powered by NSX

Traditional perimeter-based networking models no longer provide adequate security in hybrid and distributed environments. That’s why VMware rebranded NSX under the VCF Networking powered by NSX umbrella. It combines software-defined networking with the add-on of microsegmentation.

Through WEI’s network assessment and deployment services, organizations can:

  • Improve network visibility by 30% or more
  • Implement zero-trust architectures
  • Reduce lateral movement and segmentation risk (via add-on)
  • Automate policy enforcement and troubleshooting

Built for Compliance and Ready for Impact

For customers in regulated industries like healthcare or financial services, WEI tailors assessments to align with standards such as HIPAA, PCI-DSS, and ISO 27001. With embedded tools from VCF Operations and VCF Automation, WEI helps organizations enforce governance policies, minimize drift, and support ESG and compliance goals.

Move from Insight to Execution with WEI

Owning VMware Cloud Foundation or vSphere Foundation is only the first step. Making those bundles work for your business requires execution. From infrastructure assessments to automation, compliance, and cloud-native enablement, WEI helps you achieve value faster—often in less than eight weeks.

Our certified experts (including VCDX, CKA, and Broadcom Software Knights) bring hands-on experience and a customer-first approach to every engagement. Whether you’re preparing for contract renewals, regulatory audits, or digital transformation, WEI’s framework provides the insights, planning, and execution you need.

Ready to unlock the full potential of your investment? Start your VMware Cloud Foundation journey with WEI today.

Next Steps: As a Broadcom-certified VMware partner with deep expertise across regulated, hybrid, and enterprise environments, WEI helps IT leaders translate bundled capabilities into real business outcomes quickly and measurably. Understand how to move from entitlement to enablement in 4–8 weeks.

to learn how WEI can set you on the fast track! 

Get to Know VMware NSX and Transform Your Network
Published Thu, 01 Aug 2019 (/blog/get-to-know-vmware-nsx-and-transform-your-network/)

First, VMware reinvented the data center with their ESXi hypervisor. Then they transformed server management and deployment with vSphere. Now VMware’s NSX is revolutionizing networking through advanced software-defined networking (SDN) technology. VMware NSX is a comprehensive networking solution that solves the challenges faced by the modern data center. Designed to maximize speed, agility, and security, NSX can help your enterprise realize its full potential.

Creating a Fully Virtualized Data Center

Modern data centers have already adopted a software-first approach, utilizing VMs and software-defined storage whenever possible. However, many data centers still rely on legacy networking solutions. VMware NSX is the final piece of the software-defined data center (SDDC) puzzle. With NSX, you can now virtualize every aspect of your data center.

NSX brings hypervisor technology to the network. Just like a traditional hypervisor, it works by abstracting the software layer from the underlying hardware. A virtualized network extends the benefits of virtualization to your applications. Deployment of new application hosting environments is no longer limited by the physical infrastructure. The comprehensive management platform allows you to easily create, relocate, snapshot, and restore application environments. Each workload can run in the environment that best meets its individual needs.

Virtualizing your Services

NSX unites all of your networking and security services under a single management platform. From VMs to the cloud, NSX manages traffic and security in every part of the network.

  • Switching – All VMs can communicate through a virtual extensible LAN (VXLAN) with NSX’s full switch functionality.
  • Routing – NSX provides dynamic routing between logical switches and virtual networks.
  • Distributed Firewalling – NSX’s scalable firewall automatically provides security and visibility for all virtualized networks and workloads.
  • Load Balancing – NSX provides L4-L7 load distribution to maximize application scalability and availability.
  • Edge Gateway – VXLAN to VLAN bridging capability ensures efficient connectivity for physical workloads.
  • Virtual Private Network (VPN) – NSX offers both remote access and site-to-site VPNs.
  • Endpoint Protection – NSX’s vShield Endpoint provides effective anti-virus protection.

Better Security with Microsegmentation

Legacy security solutions focus primarily on perimeter defense. When a threat breaches the outer defenses, there are few provisions in place for lateral protection. Once a threat penetrates the network, it is free to move throughout the system. This type of single-point security is no longer adequate. NSX’s microsegmentation approach provides comprehensive security for every part of the network.

Microsegmentation addresses individual security needs, allowing you to assign unique security policies to every single task, workload, and service. Assigned policies follow workloads as they move throughout the system. When creating and assigning security policies, you are not limited to fixed aspects, such as IP addresses. Policies can be defined based on changing criteria, like operating systems and users. NSX also allows for efficient, automated security. Newly created workloads are automatically assigned to the appropriate security policies. Microsegmentation with NSX provides flexible, customizable, and effective security for the entire network.

Which Version of NSX is Right for Your Enterprise?

VMware offers two different versions of their NSX data center. NSX-V is designed for enterprises that already use vSphere and are looking to extend virtualization to their network, while NSX-T is better suited for companies with more diverse data center architectures. NSX-T works well with public cloud hosting environments, container-based applications, and even other hypervisors.

A Cost-Benefit Analysis of NSX

In addition to all the benefits already mentioned, NSX is also designed to provide a substantial ROI. A Total Economic Impact study revealed that, in three years of use, NSX might save enterprises:

  • $1 million in hardware and operating expenses
  • $1.2 million through automation and reduced administration time
  • $7.4 million in decreased hardware needs
  • $1.6 million from increased user efficiency
  • An indeterminable amount through security breach prevention and containment

VMware NSX extends the full benefits of virtualization to your network, giving you a true. All networking and security services are easily managed through a single, comprehensive platform. Application environments are simple to deploy and manage, allowing for better workload optimization. NSX’s microsegmentation approach ensures constant and consistent security that can be customized to meet each workload’s individual needs. VMware has also designed NSX to provide a significant ROI. The increased security, agility, and speed that NSX offers can help you reduce expenses and optimize your data center.

NEXT STEPS: Achieve more speed, more security and more agility with less time and money with the VMware NSX platform by reading our white paper titled A 360-Degree View of the VMware NSX Platform.

An Overview of the Top 4 SD-WAN Solutions /blog/an-overview-of-the-top-4-sd-wan-solutions/ Thu, 17 Jan 2019 13:45:00 +0000

SD-WAN (Software-Defined Wide Area Network) is about recognizing the importance of the entire forest that is your network. It is about ensuring that all of your sites enjoy the same level of performance, automation, load optimization, and security that your central operations office does. This is the premise of SD-WAN: applying software-defined technology to your WAN connections regardless of distance and complexity. The goal is to optimize the experience of all of your users, regardless of enterprise location. This blog outlines four of the leading SD-WAN solutions in the market today.

VMware NSX SD-WAN with VeloCloud

VMware CEO Pat Gelsinger compares the current vibe about their SD-WAN solution to that of the early days of virtualization, when VMware changed how servers are managed and deployed with its ESXi virtual technology. He describes its VeloCloud product as “the hottest element of the company’s product portfolio.” Gelsinger added, “VeloCloud is quickly becoming a key element of VMware’s edge strategy.”

VeloCloud is incorporated into VMware’s NSX SD-WAN. The premise behind the product is simple: bring the same level of agility and flexibility to branch offices in order to deploy, manage, and secure application traffic remotely using a transport-independent architecture. VMware accomplishes this by replacing rigid, inflexible network hardware with the nimbleness and flexibility of software. By separating the control plane and data plane layers, intelligence is moved from the data plane to the programmable control plane, replacing labor-intensive tasks with automated policies. Some of the specific abilities of VeloCloud include:

  • Increase bandwidth economically by aggregating WAN circuits of any type, while at the same time, providing faster application response
  • Deploy a branch in minutes with NSX SD-WAN Edge activation from the cloud
  • Enable direct cloud access for all users
  • Provide standards-based encryption to secure connectivity over any type of transport
  • Compact multiple virtualized network functions to eliminate single-function appliances and reduce branch IT complexity.

With VeloCloud, VMware is developing a framework that extends its hybrid and multi-cloud environments to the edge for both applications and IoT devices alike. The result is a branch architecture that is agile, automated, and secure.

Cisco Viptela

Cisco has been a leader in WAN infrastructure technology for decades, and their SD-WAN product is one of the most widely deployed enterprise solutions of its kind. With Cisco SD-WAN, the company sets out to ensure that every organization can become an “always connected workplace” whether work takes place at corporate headquarters or district offices thousands of miles away. With deployment cycles growing ever shorter and branch complexity growing throughout the network enterprise, Cisco identified the need to create a carrier-agnostic overlay for any WAN, with centralized management and increased visibility and versatility. Cisco acquired this leading software-defined technology, formerly Viptela, to serve as a natural extension of their dominant product line. By software-defining their branch network gateways, companies can reduce their WAN costs by as much as 50%.

There are three main facets to Cisco’s software defined WAN solutions.

  • Segmentation – Cisco SD-WAN takes the concept of the traditional VLAN even further to provide end-to-end segmentation that is policy driven in order to ensure that WAN traffic is protected.
  • Zero-touch provisioning – Cisco SD-WAN gives central IT the ability to perform centralized control deployments and upgrades in order to scale out deployments fast enough to react to changing dynamics.
  • Cloud Integration – If everyone is turning to the cloud for its many benefits, then it only makes sense to bring the power of the cloud to the WAN as well. Cisco SD-WAN is cloud based and integrates a cloud first philosophy directly into your WAN infrastructure that simplifies security and improves application performance.

Fortinet and SD-WAN

According to Gartner, 90 percent of SD-WAN vendors are not traditional security vendors and thus there are serious gaps within many of their solutions. Fortinet now integrates their Next Generation Firewall solutions with SD-WAN capabilities. The result is increased scalability, greater flexibility, improved simplicity, and cost savings. All of this without any compromise to security.

Fortinet’s SD-WAN erases geographic boundaries, forming a mesh-like network that connects network and security paths to all of your locations across the world using multiple types of connectivity links that create a borderless infrastructure. It also does away with the need for multiple network devices residing at each branch gateway, as all security, routing and management functions are conducted within a single appliance.

When it comes to security, Fortinet offers the full gamut of tools including application control, web filtering, antivirus, intrusion detection and advanced threat detection. Perhaps this is why Fortinet is the only vendor with security capabilities to receive the SD-WAN recommended rating in the First NSS Labs Software-Defined WAN Test Report. Because cost savings is a primary motivation for companies to explore SD-WAN opportunities, FortiGate SD-WAN shows that you can have your cake and eat it too.

Aruba Branch

Aruba is the same company that improved the visibility, security, and management capabilities of your wireless network and now wants to apply those same standards of visibility, control, simplicity, and security to the WAN. In the same way that their enterprise wireless platform solutions can control and react to your highly dynamic wireless environments, Aruba’s SD-WAN solution uses contextual data and awareness to dynamically route traffic across the WAN based on user, device, or group affiliation. Whether it is data, video, voice, or IoT, Aruba can protect and optimize all of your traffic patterns, LAN and WAN alike. Traffic segmentation, isolation and path selection are enforced for not just the last mile of connectivity, but the entire route from device to WAN exit point.

Like the previous vendors, Aruba’s solution is centered around a software-defined architecture that combines multiple virtual network functions into their SD-Branch appliance. Aruba’s branch gateway appliance connects to all WAN uplinks and provides an SD-WAN overlay fabric that makes application management and deployment a snap. Gateway functions include stateful firewall capabilities, IPsec encryption, VPN, QoS and WAN path monitoring. SD-Branch integrates with Aruba Central, which provides single-pane-of-glass visibility and manageability for all of your locations. But integration isn’t just about Aruba. The company’s security partner program has more than 140 technology partners, all of whom provide added functionality and innovation to an already powerful and proven platform.

Conclusion

Every mile of connectivity for your application traffic is important. The last mile is no less important than the first. Each of these vendors has proven solutions to optimize and secure the total connectivity arteries of your WAN. Each of these solutions brings agility and security to any WAN environment, making your WAN a fully controlled and optimal environment. Talking to a trusted technology partner like WEI can help you see which SD-WAN strategy would be the best fit for your organization.

Next Steps: Sign up for a hat covers RF coverage maps, RF analysis, capacity plans, channel plans, access point installation recommendations, and more!

Defend Your Enterprise Network with Micro-Segmentation /blog/defend-your-enterprise-network-with-micro-segmentation/ Tue, 30 Oct 2018 12:45:00 +0000

Data center architectures have continually evolved to meet the needs of mobile, social, big data, and cloud applications–and enterprise security solutions have evolved as well to support the new security needs of these applications in

Attacks on data centers are increasing, and physical security appliances aren’t sufficient to stop them. Independent research shows that successful attacks are occurring with growing regularity, and at increasing costs to enterprises. Seventy-five percent of all attacks begin stealing data in a matter of minutes, and may not be detected for quite a while. Additionally, after an attack has been discovered, full containment and repair can take weeks. There is no question that a new model for data center security is needed before these attacks become unstoppable.

Micro-Segmentation adds additional security

Micro-segmentation is a method of creating secure zones in data centers and cloud deployments that allows companies to isolate workloads from one another and secure them individually. It’s aimed at making network security more granular.

While traditional firewalls, intrusion prevention systems, and other security systems are designed to inspect and secure traffic coming into a data center from outside, micro-segmentation gives enterprises greater control over the growing amount of lateral communication that occurs between servers. This communication bypasses perimeter-focused security tools and has traditionally been vulnerable to attack.

Cisco lists the following goals for micro-segmentation:

  1. Programmatically define segments on an increasingly specific basis, achieving greater flexibility (for example, limit the lateral movement of a threat or quarantine a compromised endpoint within a broader system)
  2. Automatically program segments and policy management across the entire application lifecycle (from deployment to decommissioning)
  3. Enhance security and scalability by enabling a zero-trust approach for heterogeneous workloads.

3 Security Solutions for micro-segmentation

Here are three networking security solutions enterprises should consider.

Cisco ACI

Cisco ACI uses a new application-aware construct called an endpoint group (EPG) that allows application designers to define the endpoints that belong to the EPG regardless of their IP addresses or the subnets to which they belong. The endpoint can be a physical server, virtual machine, Linux container, or even a traditional mainframe computer.

With Cisco ACI’s highly specific endpoint security enforcement, customers can dynamically enforce forwarding and security policies, quarantine compromised or rogue endpoints based on virtual machine and network attributes, and restore cleaned endpoints to the original EPG.

Additionally, while data center micro-segmentation can provide enhanced security for lateral traffic within the data center, its true value lies in its integration with application design and holistic network policy, and it must interoperate transparently with a wide variety of hypervisors, bare-metal servers, L4-L7 devices, and orchestration platforms.

VMware NSX

VMware NSX micro-segmentation meets security recommendations made by the National Institute of Standards and Technology (NIST) in providing the ability to utilize network virtualization-based overlays for isolation, and distributed kernel-based firewalling for segmentation through ubiquitous centrally managed policy control. It also uses higher-level components or abstractions in addition to the basic 5-tuple for firewalling.

NSX-based micro-segmentation goes beyond NIST recommendations and enables fine-grained application of service insertion where it is most effective: as close to the application as possible in a distributed manner while residing in separate trust zones outside the application’s attack surface.

Finally, for physical to physical communication, NSX can tie automated security of physical workloads into micro-segmentation through centralized policy control of those physical workloads through the NSX Edge Service Gateway or integration with physical firewall appliances. This allows centralized policy management of your static physical environment in addition to your micro-segmented virtualized environment.

Illumio 

The Illumio Adaptive Security Platform (ASP) makes the invisible visible by mapping out connections between workloads in a single application, as well as connections between the applications themselves. This may reveal connections between systems that you weren’t aware of before and helps identify risks that weren’t immediately obvious.

Illumio uses this map of network traffic to automatically generate micro-segmentation policies for every workload and application running anywhere, on any computer platform, and analyze them in seconds – saving security teams critical time, reducing the risk of human error and improving policy consistency across the network.

The Takeaway

Micro-segmentation offers significantly more visibility and policy granularity than network or application segmentation, including the ability to fully visualize the environment and define security policies with process-level precision. This added granularity is increasingly important as growing use of cloud services renders traditional network-based security boundaries ineffective and elevates the urgency of detecting and stopping lateral movement.

Are you looking for additional information on how to up your security game to meet the needs of your organization? Contact the network security experts at WEI for an unbiased perspective on solving your enterprise’s security challenges.

NEXT STEPS
Software-defined networking represents an unparalleled innovation for IT network professionals managing enterprise networks. It’s flexible, smart, and highly automated. If you’d like to learn more about SDN, why you need it and the promises it delivers to a modern enterprise, we invite you to read our white paper, “Software Defined Networking – The Next IT Paradigm of Promise.”
