An intro to Nutanix Flow software-defined networking for HCI
Learn how Flow SDN brings network policy and management services to Nutanix hyper-converged infrastructure through the automation and streamlining of common networking operations.
Nutanix Flow is a software-defined networking service sold as an optional add-on to the Nutanix Acropolis platform. Flow is fully integrated into the Nutanix AHV hypervisor and Nutanix Prism management, which are included with all editions of Acropolis. Flow brings network and policy management to virtual environments, making it possible to incorporate SDN services into a Nutanix hyper-converged infrastructure. With a focus on application delivery, Flow simplifies network and policy management, providing the mechanisms necessary to control virtual machines independently of their physical environments.
Nutanix Flow product features
Nutanix Flow streamlines and automates common networking operations, such as implementing application security and modifying configuration settings. It applies security rules between applications and VMs to protect resources behind the firewall, while providing automated change management that's tied to the VM lifecycles.
With Flow, administrators have greater control over their applications and visibility into how they operate. Flow provides application-centric firewall policies specific to the VMs, while protecting against threats designed to spread laterally across systems, as well as threats that traditional security solutions can't easily detect.
Flow must be implemented in conjunction with the Acropolis platform, which includes the AHV hypervisor and Prism Starter management package. Prism Starter contains the main components that make up the Nutanix Prism management suite, including Prism Element and Prism Central. (Nutanix offers Prism Pro as a separate license.)
Prism Element provides node-level management, and Prism Central facilitates cross-cluster management, supporting features such as centralized administration, single sign-on and summary dashboards. Prism Central also includes management features for working with Flow.
Through Prism Central, administrators can view detailed visualizations of communications between VMs, enabling them to configure the right policies for their virtual networks. Administrators can then attach these policies to VMs or applications, rather than being limited to network segments such as virtual LANs or identifiers such as IP addresses. Prism Central also makes it possible to automatically update network policies throughout the VM lifecycle.
Flow is tightly integrated with AHV and Prism, allowing it to work seamlessly across the entire Nutanix Enterprise Cloud platform. Because of this integration, a Nutanix-based hyper-converged infrastructure (HCI) system can incorporate always-on networking functionality without requiring additional software or management tools. According to Nutanix, Flow can handle any network topology or architecture and can be expanded to work with third-party network inspection and policy solutions.
The Nutanix Flow architecture
To protect network resources, Flow incorporates microsegmentation, a process of segmenting virtual networks and applications to control communications between logical boundaries. With microsegmentation, administrators have granular control over all traffic in and out of VMs, helping to increase application security while simplifying policy management.
Nutanix Flow's microsegmentation is indifferent to how the underlying network is configured or built, enabling it to be implemented without changing the existing topology. Instead, Flow automatically discovers applications, which can then be categorized to support specific requirements. The discovery technology provides visibility and insights into complex communications and application dependencies across the Nutanix clusters.
Categories are an important concept in the Flow architecture. They provide administrators with a flexible tool for defining groups that logically tie VMs together based on designated classifications. Categories make it possible for administrators to create distributed firewalls that support application-centric policy management aimed at securing VM traffic.
Prism Central includes a number of system categories for managing the Flow environment. For example, the AppType category defines a group of VMs that run the same application, and the AppTier category defines a group of VMs that serve the same function within an application. Administrators can also create custom categories, although Nutanix recommends keeping the design as simple as possible.
After defining their categories, administrators can use Prism Central to assign security policies to those categories, rather than directly to the VMs. In this way, the categories abstract the complexities of the virtualization platform, making it easier to implement and manage security. At the same time, the policies provide granular control over traffic sources and destinations, while directing network traffic and supporting application mobility.
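To make the category abstraction concrete, here is a small illustrative model of category-based microsegmentation written for this article; it is not Nutanix code or the Prism Central API. It assumes that policies are allow rules keyed on the AppType and AppTier categories and that anything not explicitly allowed is denied, and it shows that re-addressing a VM leaves the policy outcome unchanged because rules never reference IPs.

```python
"""Illustrative model of category-based microsegmentation (not Nutanix code).
Assumption: policies are allow rules between category selectors; any flow
not matched by a rule is denied."""
from dataclasses import dataclass, field, replace


@dataclass
class VM:
    name: str
    ip: str
    # System categories as described for Flow, e.g. {"AppType": ..., "AppTier": ...}
    categories: dict = field(default_factory=dict)


@dataclass(frozen=True)
class Rule:
    """Allow traffic from VMs matching `src` to VMs matching `dst` on `port`."""
    src: tuple  # ((category, value), ...)
    dst: tuple
    port: int


def matches(vm: VM, selector: tuple) -> bool:
    """A VM matches a selector when every listed category has the given value."""
    return all(vm.categories.get(key) == value for key, value in selector)


def is_allowed(src: VM, dst: VM, port: int, rules: list) -> bool:
    """Default deny: a flow passes only if some rule matches both endpoints and the port."""
    return any(matches(src, r.src) and matches(dst, r.dst) and r.port == port for r in rules)


# Constructed sample: a three-tier application classified with system categories.
WEB = VM("web-01", "10.0.1.10", {"AppType": "WebStore", "AppTier": "Web"})
APP = VM("app-01", "10.0.2.10", {"AppType": "WebStore", "AppTier": "App"})
DB = VM("db-01", "10.0.3.10", {"AppType": "WebStore", "AppTier": "DB"})

STORE = (("AppType", "WebStore"),)
RULES = [
    Rule(STORE + (("AppTier", "Web"),), STORE + (("AppTier", "App"),), 8080),
    Rule(STORE + (("AppTier", "App"),), STORE + (("AppTier", "DB"),), 5432),
]


def demo() -> dict:
    """Evaluate a few flows, including a lateral hop that skips the App tier."""
    results = {
        "web->app:8080": is_allowed(WEB, APP, 8080, RULES),
        "web->db:5432": is_allowed(WEB, DB, 5432, RULES),   # denied: no Web->DB rule
        "app->db:5432": is_allowed(APP, DB, 5432, RULES),
    }
    # Lifecycle change: the App VM is re-addressed; policy follows the category.
    moved_app = replace(APP, ip="10.0.9.77")
    results["app->db:5432 after re-IP"] = is_allowed(moved_app, DB, 5432, RULES)
    return results
```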
Administrators can combine policies and policy types to build complete security for their applications. Nutanix Flow also provides the tools necessary to visualize communications between the VMs that support the applications, helping administrators better understand how to implement their policies across the entire infrastructure.
Nutanix Flow includes other features for enhancing its software-defined networking services, such as API-based notifications that enable third-party network devices to observe VM lifecycle events. Nutanix plans to add more features and services in the future. More importantly, Flow brings the much-needed SDN component to HCI platforms based on AHV, which itself represents a significant milestone.
Nutanix Flow vs. VMware NSX
Like Nutanix Flow, VMware NSX provides integrated SDN that delivers advanced networking and security services. Both products offer visibility into virtual networks, protection from network threats and the ability to integrate with automation tools and other third-party systems. The two offerings also support microsegmentation, which provides a flexible and granular approach to network security.
That said, there are several important differences between Nutanix Flow and VMware NSX. For example, both Flow and NSX make it possible to provision and manage virtual networks independently of the underlying hardware. However, Nutanix Flow targets applications running in VMs, whereas NSX supports applications running in VMs, in containers or on bare metal. And, according to VMware, virtual networks can extend across data centers, public and private clouds, container platforms and bare-metal servers.
Another distinction between Flow and NSX is the way in which intelligence can be integrated into the SDN foundation. For example, Flow provides threat intelligence and detection through Nutanix Ready partner integrations that enable organizations to insert advanced security functions into their virtual network environments. VMware, on the other hand, offers a feature called NSX Intelligence, which provides automated security policy recommendations and continuous monitoring and visualization of the network traffic flow. NSX Intelligence is available only in the NSX Enterprise Plus edition, however.
The topic of editions points to another important difference between Flow and NSX. Nutanix offers only one edition of Flow, which can be included with any edition of the Acropolis platform. In contrast, NSX is available in five editions, ranging from Standard to Enterprise Plus. Also, NSX can be licensed for vSphere or for multi-hypervisor environments, whereas Flow is limited to AHV.
Organizations already committed to either the Nutanix or VMware HCI ecosystem will likely choose the SDN tools already integrated in their existing platform. However, those trying to choose between the Nutanix and VMware platforms should certainly take into account the SDN capabilities available to each platform, along with the other capabilities, carefully comparing them to determine which one has the SDN features they need.
Nutanix Flow licensing and pricing
The Acropolis software platform comes in several editions that can be licensed by capacity, appliance or specific use cases and workloads. All licensing models include AHV and Nutanix Prism; however, none of them include Flow, which must be licensed separately, regardless of the Acropolis edition.
Nutanix licenses Flow on a per-node basis as an annual subscription, with terms ranging from one to five years. Customers must purchase a license for each node in a cluster where microsegmentation will be implemented. The cluster must also use the AHV hypervisor, as opposed to one of the other supported hypervisors, and Prism Central must be used to manage the Flow implementation.
Nutanix does not publish the actual cost of licensing Flow. According to the vendor, however, pricing depends on the subscription term, packaging options, product dependencies and other factors. Organizations should contact Nutanix directly to get an exact quote.
Nutanix HCI products and tools
Enterprise Cloud Platform. Nutanix's hyper-converged software stack that virtualizes and pools compute, storage and network resources across a hyper-converged cluster of Nutanix-enabled appliances.
Acropolis. The OS that runs the HCI platform. It includes Nutanix's AHV hypervisor -- based on the Linux-based KVM hypervisor -- and supports VMware vSphere and Microsoft Hyper-V.
Prism. Software that manages the hardware stack and virtual machines on Acropolis-run appliances.
Calm. Tool for application orchestration and lifecycle management.
Flow. Integrates software-defined networking with Nutanix Enterprise Cloud Platform.
NX. Hyper-converged appliances that run on Supermicro servers and Nutanix's Enterprise Cloud Platform hyper-convergence software. Available in a variety of versions and configurations that target different use cases.
Xi Beam. Software-as-a-service option with a multi-cloud management dashboard for optimizing cloud resources.
Xi Cloud Services. Hybrid cloud services that tie on-premises data to the public cloud in multi-cloud infrastructure scenarios.
X-Ray. Benchmarking and evaluation software for HCIs that automates infrastructure analysis to improve reliability and performance.
OEM systems. Appliances are available from the likes of Hewlett Packard Enterprise (HPE), Lenovo, Fujitsu, Dell EMC, IBM and Inspur (in China) that run on Nutanix HCI software.
Third-party hardware. Resellers, including HPE and Cisco, offer Nutanix Enterprise Cloud as a software option.