F5 Reference Architecture for VMware NSX

Updated June 20, 2016

Organizations want to increase competitiveness, reduce time to market, and drive the velocity of their business. However, traditional network architectures are too complex and costly to manage, and too brittle to withstand the demands being made upon them. They're also too static and slow to respond to dynamic environments caused by shifting data center traffic patterns and the rapid increase of users, devices, and applications. Furthermore, application architects and operations staff often feel like the network is in the way, preventing them from achieving goals rather than enabling them. In short, organizations' networks need a change in architecture to become more agile and address business demands.

A change in architecture can drastically reduce lead times for deploying new applications and services, eliminate downtime due to unforeseen increases in workloads, and speed disaster recovery. This change cannot focus solely on servers or on their interconnectivity. Nor does it hinge on security, switching, routing, or load balancing. The solution derives from a synthesis across all elements of data center networking and application delivery architecture. A software-defined data center (SDDC) architectural approach is required to meet today's business expectations, help organizations transform data center economics, and increase application deployment agility.

Business Challenges

For organizations to be competitive while remaining efficient with resources, data center agility must be all-encompassing. It must include storage, server, and network virtualization. The static, siloed, hardware-defined data center (HDDC) inhibits application delivery responsiveness. On the other hand, an SDDC architecture is better suited to meet today’s challenges without unnecessary disruption to existing services or delay in the deployment of new ones.

Time to Market

Enterprise applications don’t run in a vacuum. Developments in server virtualization have dramatically improved application deployment times. However, beyond the virtualized components of the server infrastructure, applications require both connectivity services (switching and routing) and application services. These application services include local and global load balancing as well as encryption, optimization, acceleration, access, and security services.

Recent developments in network virtualization and the tools to manage it can help to further reduce application and network service deployment times. The simplification of network design and operation inherited from an SDDC architecture enables organizations to rapidly alter network configurations and behaviors. When businesses allocate time up front to building configurations for their applications, they can then automate and orchestrate the implementations. This results in the deployment of new applications and network services in a matter of hours, rather than weeks or months.

Figure 1: Application services provisioning doesn’t have to take weeks.

Time to Change

The diversity of application delivery requirements and broad fluctuations in throughput demand have made it increasingly difficult to plan for data center growth. This situation is further exacerbated by the pace at which Internet-based technologies are evolving and the demand for them is growing. Consequently, the need for business IT to be more agile has never been greater—not just for newly deployed services, but also for existing services that must constantly change.

Unforeseen demand on data center resources can come from successful marketing or sales campaigns, unpredicted company growth, or even cyber attacks. In these and other circumstances, and given today’s increased reliance on technology, data center agility and the resulting ability to react quickly are crucial for business continuity and brand protection.

The Shortfall of SDN

While software-defined networking (SDN) has the potential to provide compelling benefits to customers, application layer challenges are not addressed by most of today’s SDN solutions. SDN is typically focused on network-centric challenges (layers 2–4) but largely ignores application-centric challenges (layers 4–7). Since the network exists to support the applications that use it, any new network architecture must address the network challenges without neglecting the application layer.

Specific areas where current SDN architectures are not well aligned with application layer requirements include those that require:

  • Stateful networking. Packet forwarding decisions at the network layer do not maintain a great deal of state awareness. However, application layer-aware technologies maintain state insight associated with application layer transactions in order to manage the exchange of data and application behavior between those end points.
  • Message-based, rather than packet-based, decisions. SDN operates on “flows” (e.g., a TCP connection). However, application layer decisions are often based on HTTP messages, and a single flow might contain many such messages. Therefore, most SDN architectures are not well suited to applications that involve message-based decision making.
  • Layer 4–7 context. Simply put, many challenges cannot be met by focusing only on layer 2 and 3 data. Functions such as authentication, authorization, metering, message steering, cross-origin resource sharing, data protection, performance, elasticity, fault isolation, SSL offload, and many others require application logic, state, and message-based decision making.
  • Adequate product implementations. Because of the design constraints of SDN, current products are not being developed to handle application-centric (layers 4–7) requirements; those constraints limit computing power, addressing (flow) tables, and update frequencies.
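
The difference between a flow-based and a message-based decision, as an added example that is not part of the original paper: one keep-alive TCP connection carries three HTTP requests, the layer 2–4 view yields a single verdict for the connection, and the layer 7 view yields one verdict per request. The byte stream, the 5-tuple, and the policy names (`pool-web`, `pool-api`) are constructed for illustration.

```python
# Constructed sample: one client-to-server TCP byte stream (a single flow)
# carrying three HTTP/1.1 requests over a keep-alive connection.
FLOW = ("10.0.0.5", 51512, "192.0.2.10", 80, "tcp")  # constructed 5-tuple
STREAM = (
    b"GET /index.html HTTP/1.1\r\nHost: shop.example\r\n\r\n"
    b"POST /api/cart HTTP/1.1\r\nHost: shop.example\r\n"
    b"Content-Length: 9\r\n\r\nitem=1234"
    b"GET /admin/users HTTP/1.1\r\nHost: shop.example\r\n\r\n"
)

def split_messages(stream):
    """Split a request stream into (method, path, headers, body) tuples.
    Handles Content-Length framing only; chunked encoding is out of scope."""
    messages, pos = [], 0
    while pos < len(stream):
        end = stream.find(b"\r\n\r\n", pos)
        if end == -1:
            raise ValueError("incomplete header block")
        lines = stream[pos:end].decode("ascii").split("\r\n")
        method, path, _version = lines[0].split(" ", 2)
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        length = int(headers.get("content-length", "0"))
        body_start = end + 4
        if body_start + length > len(stream):
            raise ValueError("truncated body")
        body = stream[body_start:body_start + length]
        messages.append((method, path, headers, body))
        pos = body_start + length
    return messages

def flow_decision(flow):
    """Layer 2-4 view: one verdict for the whole connection, from the 5-tuple."""
    return "allow" if flow[3] in (80, 443) else "drop"

def message_decision(method, path):
    """Layer 7 view: a hypothetical policy evaluated for every request."""
    if path.startswith("/admin"):
        return "deny"
    if path.startswith("/api/"):
        return "pool-api"
    return "pool-web"

def decide_all(stream):
    """Return (method, path, verdict) for each message inside the flow."""
    return [(m, p, message_decision(m, p)) for m, p, _h, _b in split_messages(stream)]
```

The flow-level verdict is `allow` for the entire connection, including the `/admin/users` request that the per-message policy denies.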

When evaluating a new architectural paradigm such as agile data center networking, it is important to consider how that networking can be influenced by the applications and services for which it exists.

Business Solution

The issues behind delays in time to market for new applications and services—and those inhibiting changes to the applications and services already deployed—can be solved through an SDDC.

While a hardware-free data center is not a real possibility, organizations should avoid building their architectures toward an HDDC with capabilities that are defined by and hinge upon physical elements. Such an approach greatly reduces flexibility in how network resources are provisioned and deployed.

Within today's heavily virtualized environments, network segments can be created and destroyed, as needed, in very little time. However, missing from these rapidly spawned networks are the application services that ensure a safe, secure, and resilient application experience. Rapid provisioning of the networks along with application services provides a customer-ready system. In legacy data centers, delivering access, mobility, high availability, and security services can take anywhere from days to weeks before the application is delivered as a service to its intended audience. Every change, no matter how minor, requires a similar process in order to preserve application experience.

The SDDC abstracts server, storage, and network infrastructure and allows data center resources to be pooled and repurposed on demand. VMware NSX, the network virtualization component of the SDDC, enables customers to realize the full potential of the SDDC.

VMware NSX

VMware NSX brings virtualization to existing networks and transforms network operations and economics. With it, administrators can programmatically create, provision, delete, restore, and take snapshots of complex networks, all in software. VMware NSX breaks through the barriers of current physical networks, enabling data center operators to achieve better speed, economics, and flexibility by orders of magnitude.

Just as server virtualization enables IT to treat physical hosts as a pool of computing capacity, NSX allows IT to treat the physical network as a pool of transport capacity that can be consumed and repurposed on demand.

F5 Software-Defined Application Services

Modern architectures and data center models require a more flexible approach to application services, one that better aligns with trends toward micro-services and API-based architectures.

More broadly, given increased user mobility and the reality of HTTP superseding TCP as the de facto transport protocol, service providers and organizations are reevaluating traditional architectural principles to determine how best to move forward with application delivery service provisioning that can keep up with, or at least catch up to, industry trends.

F5® Software-Defined Application Services™ (SDAS) is the next-generation model for delivering application services. SDAS takes advantage of F5 innovations in scalability models, programmability, and an intrinsic decoupling of the data and control planes. It creates a unique application service fabric capable of extending the benefits of F5 application delivery services to all applications, regardless of location.

F5 BIG-IP and VMware NSX

The integration of VMware NSX and the F5 BIG-IP® platform, with its full-proxy architecture, provides automated provisioning and deployment of the rich set of F5 application delivery services to both network and virtualization operators and delivers a reliable, enterprise-class application experience to SDDC environments.

Figure 2: An SDDC approach delivers multiple benefits while increasing agility and speeding time to market.

An SDDC architecture positions the physical elements of the data center as a reusable pool of resources that can meet computing, access, performance, availability, and security requirements.

Technology Solution

An SDDC architecture is rooted in virtualization and defined by three pillars—server virtualization, storage virtualization, and network virtualization. VMware NSX provides the third critical pillar, network virtualization.

Figure 3: F5 integrates with VMware to allow for a scalable, programmable network with rich layer 4–7 application services.

NSX, VMware's network virtualization and security platform, delivers logical network and security services and an operational model for the network similar to that delivered by VMware for computing virtualization. This means data center operators can create virtual networks on demand without having to reconfigure the physical network, enabling them to provision network and security services—including L4–7 application services—in minutes, increase network operations efficiency, and optimally use resources. The NSX distributed service framework enables automated provisioning of services on every hypervisor across the data center, and its scale-out architecture allows services to be scaled on demand by simply adding new hosts.

Together, F5 and VMware have reduced repetitive and time-consuming processes by allowing IT staff to pre-define application delivery policies.

F5 iWorkflow

F5 iWorkflow™ (formerly BIG-IQ Cloud) is a platform that accelerates the deployment of applications and services in next-generation networks—including those based on VMware NSX. Available as a virtual appliance, iWorkflow simplifies architecture and reduces exposure to operational risk. It also offers both a GUI-based connector and REST-based, API-level integration between VMware NSX Manager and the F5 fabric. iWorkflow enables VMware administrators to provision application delivery services for an application's virtual machines (VMs) without leaving the NSX Manager console. The combination of a unified deployment workflow for virtual machines and services, along with the abstraction of complex application service configuration, simplifies and shortens the application deployment process.

The NSX and iWorkflow integration allows for the provisioning of the F5 SDAS fabric and the interconnection of that fabric with the NSX virtualized networks. This can be done by provisioning net-new virtual editions (VEs), licensing them, and connecting them to NSX virtualized networks. This NSX and iWorkflow integration also allows for the creation of standardized policies and the application of those policies for NSX-managed virtual resources on the F5 SDAS application fabric.

iWorkflow simplifies the provisioning of application delivery services using F5 iApps® Templates. These provide wizard-like deployment of application services for rapid configuration of BIG-IP devices or VEs, and the associated policies for any application. In this scenario, iWorkflow functions as the translation point between iApps and VMware's provider templates. iWorkflow begins the process by translating an iApp and breaking it into two parts. The first part is filled out by a cloud or virtualization security administrative professional as part of the service standardization effort. The remaining runtime portion of the iApp, once standardized, is reflected in the VMware NSX UI. The tenant user can choose a standardized provider template and finish filling it out with runtime information, such as fully qualified domain name, virtual server IP address, and which pool members to include. As a result, application functions including acceleration, high availability, security, and many others that require application logic, state, and message-based decision making are deployed efficiently with the virtualized network.
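
The two-part template split described above, sketched as an added example that is not F5 or VMware code: the provider part is fixed during standardization, and tenant input is accepted only for the runtime fields and validated before the two parts are merged. All field names, the tenant network range, and the sample values are hypothetical and do not reflect the iApp or NSX schema.

```python
import ipaddress
import re

# Hypothetical provider part, set by the administrator during standardization.
PROVIDER_PART = {"tls_profile": "corp-standard", "waf_policy": "baseline",
                 "persistence": "cookie"}
# The only fields a tenant may supply at deployment time.
RUNTIME_FIELDS = {"fqdn", "virtual_server_ip", "pool_members"}
TENANT_NETWORK = ipaddress.ip_network("10.20.0.0/24")  # constructed tenant range
FQDN_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")

def build_service(runtime):
    """Merge tenant runtime input into the standardized part, or raise ValueError."""
    extra = set(runtime) - RUNTIME_FIELDS
    if extra:
        # Covers attempts to override provider-owned settings such as waf_policy.
        raise ValueError(f"fields not open to tenants: {sorted(extra)}")
    missing = RUNTIME_FIELDS - set(runtime)
    if missing:
        raise ValueError(f"missing runtime fields: {sorted(missing)}")
    fqdn = runtime["fqdn"].lower()
    if not FQDN_RE.match(fqdn):
        raise ValueError("invalid FQDN")
    # ip_address() raises ValueError on malformed input.
    vip = ipaddress.ip_address(runtime["virtual_server_ip"])
    members = [ipaddress.ip_address(m) for m in runtime["pool_members"]]
    if not members:
        raise ValueError("at least one pool member is required")
    outside = [str(m) for m in members if m not in TENANT_NETWORK]
    if outside:
        raise ValueError(f"pool members outside tenant network: {outside}")
    return {**PROVIDER_PART, "fqdn": fqdn, "virtual_server_ip": str(vip),
            "pool_members": [str(m) for m in members]}

def try_build(runtime):
    """Return ('ok', config) or ('rejected', reason) without raising."""
    try:
        return "ok", build_service(runtime)
    except ValueError as exc:
        return "rejected", str(exc)
```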

The F5 and VMware NSX integration has simplified the deployment of network-based application services within an SDDC. The NSX network virtualization platform and iWorkflow platform expose the rich set of F5 application services to both network and virtualization operators, and automate the provisioning and deployment of these services from a single administrative standpoint.


The integration of F5 iWorkflow and VMware NSX reduces deployment time and simplifies operations for application layer acceleration, security, and availability services. This innovation eliminates the network as a stalling point in application deployment and management so that neither the network nor its application services stand in the way of meeting business expectations.