Cloud networking deep dive

  1. vCloud Networking Deep Dive
     Updated: 16 November 2010. © 2009 VMware Inc. All rights reserved.
  2. Agenda
     • Networking Overview
     • External Network
     • Network Pools
     • Organization Networks
     • vApp Networks
     • Example Use Cases
     • Q&A
  3. Networking Overview
     Layers of Networking:
     • External
     • Network Pools
     • Organization
     • vApp
     Managed at two layers: Consumers & Providers.
     • An External Network is a network that is outside of VMware vCloud Director. This is set up by the Provider.
     • An Organization Network is contained within an organization. This is also set up by the Provider.
     • A vApp Network is contained within a vApp. This is set up by Consumers.
     Note: Both organization networks and vApp networks are entirely within VMware vCloud Director-managed infrastructure.
  4. External Network: Overview (a.k.a. ‘Provided Network’)
     • Network that is external to VMware vCloud Director
     • Created in the vSphere/vCenter environment and consumed by VMware vCloud Director to provide external connectivity to Organizations
     • Mapped to a portgroup at the VMware vSphere layer (vSS or vDS)
     • The portgroup is attached to VMware vCloud Director as an “External Network”
     Use cases (set up by Provider):
     • Internet access
     • Provider supplied network endpoints
     • IP based storage
     • Backup servers
     • Backhauled networking to a customer datacenter
     • VPN access to a private cloud
     • MPLS termination
  5. External Networks: In vSphere
     • VMware vCloud Director does NOT create portgroups when you create an External Network
     • The VI Admin must create the portgroups first, before a VMware vCloud Director Provider Admin can map External Networks to them.
     • It is recommended that you define these port groups on a dedicated “Provider” vDS rather than creating them on a vSS on each ESX host in your cluster. (Can use Cisco Nexus 1000V)
     • Below is an example of VLAN isolated External Networks (screenshot in the original slide, not reproduced in this transcript).
  6. External Networks: In VMware vCloud Director
     • In VMware vCloud Director, create an External Network and attach it to one of the portgroups
     • Note: if done using the VIM SDK you should create an ephemeral port group; otherwise, you get static portgroups when created with the vCenter UI
  7. Network Pools: Overview
     A set of pre-configured network resources that can be used for Organization and vApp Networks
     • Used to facilitate VM to VM communication
     Three types of Network Pools in VMware vCloud Director:
     • Portgroup-backed
       • Reference pre-created portgroups
       • These have to be created in vSphere manually or through orchestration
       • Do not have to be VLAN isolated (but should be, for L2 isolation)
       • Attach a collection of them to VMware vCloud Director
     • VLAN-backed
       • Exactly like portgroup-backed, but VMware vCloud Director will automatically create the portgroups as needed, and use a range of VLANs to isolate them.
     • vCloud Network Isolation-backed (vCD-NI)
       • VMware proprietary network isolation technology
  8. Network Pools: Portgroup-backed
     Requires:
     • Preconfigured portgroups at the vSphere layer
     • Assign meaningful names so it’s obvious what is being mapped
     • If using vSS portgroups, they must exist on all ESX/ESXi hosts in the cluster
     How it works:
     • The system administrator manually creates the portgroups.
     • When creating the network pool, you are given a list of unused portgroups that exist in the cluster.
     Advantages:
     • Works with all types of vSwitches.
     Disadvantages:
     • Requires manual work or orchestration to create all of the portgroups
     • Portgroups need to be kept in sync on a vSS
     • To ensure isolation, portgroups rely on VLANs for L2 isolation
  9. Network Pools: VLAN-backed
     Requires:
     • A vDS that’s connected to all ESX/ESXi hosts in your cluster
     • A range of unused VLANs
     How it works:
     • The vCD admin creates the network pool and chooses an “Organization” vDS to attach it to, then provides a range of valid VLANs, for example, 10 – 15.
     • When an isolated network is needed, vCD will automatically create a portgroup on the vDS and assign it one of the unused VLAN numbers.
     • Many isolated portgroups can coexist on the same vDS because they are isolated by the VLAN tag
     Advantages:
     • Isolated networks
     • Best network performance.
     Disadvantages:
     • Requires the VLANs to exist in the physical network hardware (physical switches)
     • VLANs are limited and may not be available at all
     • Not compatible with Cisco Nexus 1000V
       • Workaround: use a portgroup-backed network pool made of portgroups that happen to have VLAN tags
  10. Network Pools: VLAN-backed in VMware vCloud Director
     VLAN-backed:
     • Define the VLAN range for the pool and select the vDS to provision the portgroups on
  11. Network Pools: VLAN-backed in vSphere
     VLAN-backed example:
     • The VLAN-backed network pool was defined to use the range 10-15
     • The External Org Network was called Emca External.
     • An ephemeral port group was created for you with a vShield Edge, vse-1821527865.
     • Editing properties shows the switch is named with V10, matching the consumed VLAN, and the name is dvs.VC1098296841DVS1CM1-V10-Emca External
  12. Network Pools: vCloud Network Isolation
     VMware proprietary network isolation technology
     • vCD-NI “networks” span hosts and are represented as portgroups on a vDS.
     • Setup:
       • Designate a “Transport Network”: an actual layer 2 segment to carry the packets for vCD-NI networks
       • Decide how many networks you want in the pool
     • Individual vCD-NI Networks are isolated from each other and from the Transport Network via MAC-in-MAC encapsulation
     • Works with vmkernel functionality in ESX/ESXi 4.0U2 or 4.1 and above
       • (The vCD Beta required a Service VM on older ESX/ESXi hosts)
     • Technical details:
       • Implemented with MAC-in-MAC encapsulation (in Lab Manager, this was called “Cross-Host Fencing”)
       • Can cause frame fragmentation with the default MTU
       • Requires a small increase in MTU to 1524 or higher
  13. Network Pools: vCloud Network Isolation-backed
     Requires:
     • A vDS that’s connected to all ESX/ESXi hosts in your cluster.
     How it works:
     • vCD creates an overlay “transport” network for each isolated network to carry encapsulated traffic
     • Each overlay network is assigned a Network ID number.
     • The encapsulation contains the source and destination MAC addresses of the ESX/ESXi hosts where the VM endpoints reside, as well as the Network ID
     • The ESX/ESXi host strips the vCD-NI packet to expose the packet addressed with the VM source and destination MACs, which is delivered to the destination VM
     Advantages:
     • Does not require VLANs (can optionally set a VLAN ID for the transport network; leaving it blank defaults to 0)
     • More secure than VLAN-backed
     Disadvantages:
     • Small performance overhead due to encapsulation (dvFilter).
     • The added MAC header requires an increase in MTU, same as in MPLS networks
     • vCD-NI is for layer 2 adjacency and not for routed networks
     • vCD-NI is only for VMs and cannot be accessed by physical hosts
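The encapsulation the two slides above describe, as an added example in Python (not VMware's code, and not the real vCD-NI wire format). It wraps a VM frame in an outer Ethernet header carrying the hosts' MAC addresses plus a small header carrying the Network ID, strips it again only for a VM on the matching Network ID, and computes the transport MTU a full-size VM frame needs. The EtherType value, the field layout of the Network ID header and the MAC addresses are constructed placeholders; the header sizes are chosen so the overhead is 24 bytes, which is what turns a 1500-byte VM MTU into the 1524-byte transport MTU the deck calls for.

```python
"""MAC-in-MAC encapsulation in the shape the deck describes for vCD-NI.

Added example; not VMware's code or wire format. Assumed layout: outer
Ethernet header (destination host MAC, source host MAC, EtherType), then a
vCD-NI header carrying the Network ID, then the untouched VM frame.
"""
import struct

ETH_HDR_LEN = 14                  # dst MAC (6) + src MAC (6) + EtherType (2)
VCDNI_ETHERTYPE = 0xFFFF          # placeholder value, NOT the real vCD-NI EtherType
NI_HDR_FMT = "!IHI"               # assumed: network id (4), flags (2), reserved (4)
NI_HDR_LEN = struct.calcsize(NI_HDR_FMT)   # 10 bytes
DEFAULT_MTU = 1500                # Ethernet payload MTU the guest VMs use


def mac(text: str) -> bytes:
    """'00:50:56:00:00:01' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def build_vm_frame(dst_vm: str, src_vm: str, ethertype: int, payload: bytes) -> bytes:
    """The frame exactly as the guest sent it: inner Ethernet header + payload."""
    return mac(dst_vm) + mac(src_vm) + struct.pack("!H", ethertype) + payload


def encapsulate(vm_frame: bytes, dst_host: str, src_host: str, network_id: int) -> bytes:
    """Source host side: the outer addresses are the ESX/ESXi hosts where the
    VM endpoints reside, not the VMs; the Network ID names the isolated network."""
    outer = mac(dst_host) + mac(src_host) + struct.pack("!H", VCDNI_ETHERTYPE)
    ni_hdr = struct.pack(NI_HDR_FMT, network_id, 0, 0)
    return outer + ni_hdr + vm_frame


def decapsulate(transport_frame: bytes, vm_network_id: int):
    """Destination host side: strip the encapsulation for a VM on vm_network_id.
    Returns the inner VM frame, or None when the frame is not vCD-NI at all or
    belongs to a different isolated network sharing the same transport segment."""
    if len(transport_frame) < ETH_HDR_LEN + NI_HDR_LEN:
        return None
    (ethertype,) = struct.unpack("!H", transport_frame[12:14])
    if ethertype != VCDNI_ETHERTYPE:
        return None
    network_id, _flags, _reserved = struct.unpack(
        NI_HDR_FMT, transport_frame[ETH_HDR_LEN:ETH_HDR_LEN + NI_HDR_LEN])
    if network_id != vm_network_id:
        return None
    return transport_frame[ETH_HDR_LEN + NI_HDR_LEN:]


def transport_payload_len(vm_frame: bytes) -> int:
    """Bytes the transport network must carry after its own Ethernet header:
    the whole inner frame (header included) plus the vCD-NI header."""
    return NI_HDR_LEN + len(vm_frame)


def required_transport_mtu(vm_mtu: int = DEFAULT_MTU) -> int:
    """Transport MTU that carries a full-size VM frame without fragmentation."""
    return vm_mtu + ETH_HDR_LEN + NI_HDR_LEN


def fits_without_fragmentation(vm_frame: bytes, transport_mtu: int) -> bool:
    return transport_payload_len(vm_frame) <= transport_mtu


if __name__ == "__main__":
    # Constructed sample: a full-size IPv4 frame between two VMs on network ID 1.
    frame = build_vm_frame("00:50:56:00:00:02", "00:50:56:00:00:01", 0x0800, b"\x00" * DEFAULT_MTU)
    wrapped = encapsulate(frame, "00:1b:21:00:00:b2", "00:1b:21:00:00:a1", network_id=1)
    print("transport payload:", transport_payload_len(frame), "bytes, needs MTU", required_transport_mtu())
    print("fits the default MTU of 1500?", fits_without_fragmentation(frame, 1500))
    print("delivered to a VM on network 1?", decapsulate(wrapped, 1) == frame)
    print("delivered to a VM on network 2?", decapsulate(wrapped, 2) is not None)
```

The check a practitioner wants before enabling a vCD-NI pool is `required_transport_mtu()`: with a 1500-byte guest MTU the transport uplinks and physical switches must accept at least 1524-byte payloads, otherwise full-size guest frames fragment or are dropped. The `decapsulate` path is also where the isolation claim lives: two vCD-NI networks can share one transport VLAN, and a host only hands a frame to a VM whose Network ID matches.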
  14. Network Pools: vCloud Network Isolation in vSphere
     vCD-NI-backed example:
     • A vCD-NI-backed pool where the transport VLAN is 99 was created.
     • The VI portgroup does not reflect the isolation, just the transport VLAN used for the vCD-NI
     • The name of the portgroup gives you a hint that it’s isolated. In this instance it contains “V99-F1”, meaning it’s using VLAN 99 and isolation network ID 1.
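The allocation behaviour of the VLAN-backed and vCD-NI-backed pools (slides 9 to 14), as an added example in Python; this is a model written for this page, not vCloud Director's code. A VLAN-backed pool hands out one VLAN per isolated network from its range and runs dry, while a vCD-NI pool hands out isolation network IDs on a single transport VLAN. The portgroup name shapes follow the names shown in the deck's screenshots ("...-V10-Emca External" and "V99-F1"); the class names, the trunk pre-flight check and the sample values are assumptions of this example.

```python
"""Model of how a vCloud Director network pool hands out isolated networks.

Added example, not VMware's code. VlanBackedPool consumes one VLAN per
network from a delegated range; VcdNiPool rides one transport VLAN and
consumes isolation network IDs instead.
"""
from dataclasses import dataclass, field


class PoolExhausted(Exception):
    """No VLAN (or network ID) is left in the pool."""


@dataclass
class VlanBackedPool:
    dvs: str                        # vDS on which vCD creates the portgroups
    vlan_range: range               # unused VLANs delegated to the pool
    in_use: dict = field(default_factory=dict)   # vlan -> portgroup name

    def allocate(self, network_name: str) -> tuple[int, str]:
        """Take the lowest free VLAN; return (vlan, portgroup name vCD would create)."""
        for vlan in self.vlan_range:
            if vlan not in self.in_use:
                name = f"{self.dvs}-V{vlan}-{network_name}"   # name shape from the deck
                self.in_use[vlan] = name
                return vlan, name
        raise PoolExhausted(f"all {len(self.vlan_range)} VLANs of {self.dvs} are in use")

    def release(self, vlan: int) -> None:
        """Deleting the org/vApp network returns its VLAN to the pool."""
        self.in_use.pop(vlan, None)


@dataclass
class VcdNiPool:
    dvs: str
    transport_vlan: int             # one VLAN on the physical network (0 = untagged)
    max_networks: int               # "decide how many networks you want in the pool"
    in_use: dict = field(default_factory=dict)   # network id -> portgroup name

    def allocate(self, network_name: str) -> tuple[int, str]:
        """Take the lowest free isolation network ID; all networks share the transport VLAN."""
        for net_id in range(1, self.max_networks + 1):
            if net_id not in self.in_use:
                # "V<transport vlan>-F<network id>" is the hint the deck points out in the name
                name = f"{self.dvs}-V{self.transport_vlan}-F{net_id}-{network_name}"
                self.in_use[net_id] = name
                return net_id, name
        raise PoolExhausted(f"all {self.max_networks} vCD-NI networks are in use")

    def release(self, net_id: int) -> None:
        self.in_use.pop(net_id, None)


def vlans_missing_from_trunk(pool: VlanBackedPool, trunked_vlans: set[int]) -> list[int]:
    """Pre-flight check for the deck's first VLAN-backed disadvantage: every VLAN in
    the range must already be carried by the physical switches, or the portgroup vCD
    creates on that VLAN will not reach VMs on other hosts (assumed check, not a vCD feature)."""
    return sorted(v for v in pool.vlan_range if v not in trunked_vlans)


def fill_pool(pool, prefix: str = "net") -> list[str]:
    """Allocate until the pool is exhausted; returns the portgroup names created."""
    names = []
    try:
        while True:
            names.append(pool.allocate(f"{prefix}{len(names) + 1}")[1])
    except PoolExhausted:
        return names


if __name__ == "__main__":
    # Constructed sample values: the deck's range 10-15 and transport VLAN 99.
    vlan_pool = VlanBackedPool(dvs="dvs.OrgVDS", vlan_range=range(10, 16))
    print("VLANs not on the trunk:", vlans_missing_from_trunk(vlan_pool, {10, 11, 12, 13, 14, 15}))
    print("VLAN-backed pool hands out", len(fill_pool(vlan_pool)), "networks, then is exhausted")
    ni_pool = VcdNiPool(dvs="dvs.OrgVDS", transport_vlan=99, max_networks=100)
    print("vCD-NI pool hands out", len(fill_pool(ni_pool)), "networks on a single VLAN")
```

Run as a script it shows the trade-off the deck states in words: six VLANs give six isolated networks and nothing more, while a vCD-NI pool sized for 100 networks needs only VLAN 99 on the physical switches. Both pools are only as isolated as the backing they rely on (VLAN tags, or the encapsulation), which is why the trunk check runs before any allocation.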
  15. Organization Networks: Overview
     Contained within an organization
     Allows vApps within the organization to communicate with each other, or with networks outside the organization
     Can be connected to External Networks as:
     • Public (External Org Direct)
       • Bridged connection to an External Network
       • Visible to others outside the organization
     • Private Routed (External Org NAT-Routed)
       • Connected to an External Network through a vShield Edge
       • Can be configured for NAT & Firewall, or left unconnected to the external network
     • Private Internal (Internal Org)
       • No External connectivity
     Set up by Provider
     Backed by Network Pools
  16. Organization Networks: In VMware vCloud Director
     Creating NAT-Routed and Isolated Org Networks:
     • Select the type of Org Network to create using the typical radio button and dropdown box
  17. Organization Networks: In VMware vCloud Director
     Creating NAT-Routed and Isolated Org Networks:
     • Select the Network Pool to use for the Internal Network
     • Assign internal addressing for the Internal Network
  18. Organization Networks: In VMware vCloud Director
     Creating NAT-Routed and Isolated Org Networks:
     • For the External Network, select the External Network to attach to as well as the internal
     • Also select the Network Pool to use for the Internal Network behind the vShield Edge.
     • Assign internal addressing for the Inside portion of the Org Network
  19. vApp Networks: Overview
     Contained within a vApp
     • Inherently Private Internal
     Allows VMs in a vApp to communicate with each other, or, by connecting them to Org Networks, with other vApps
     Can be connected to Org Networks as:
     • Public (Direct)
       • Bridged connection to an organization network
     • Private Routed
       • Connected to an organization network through a vShield Edge
       • Can be configured for NAT & Firewall
     Set up by Consumers
     Backed by a Network Pool
  20. Putting it Together: vCloud Networking Options – Examples
     (Diagram; only its labels survive in the transcript.) An External Network (set up by system admin) connects to an External Organization Network (set up by system admin); an Internal Organization network (set up by system admin) has no external connection; vApp networks (set up by org admin/vApp author, internal to the vApp) connect to the organization networks. The numbered callouts 1–8 refer to connection points on the original slide.
  21. Putting it Together: vCloud Networking Options – Examples
     (Diagram; only its labels survive in the transcript.)
     • External Network 1 is backed by vSphere Network 1; External Network 2 is backed by vSphere Network 2
     • Organization Network 1: External Organization Network, Direct Connection
     • Organization Network 2: External Organization Network, NAT-routed Connection through a vShield Edge (NAT/firewall); internal vSphere network backed by a Network Pool
     • Organization Network 3: Internal Organization Network; internal vSphere network backed by a Network Pool
     • Four vApps (vApp 1 to vApp 4), each with a vApp Network on an internal vSphere network backed by a Network Pool, showing the four connection styles: a vApp network with a direct connection to an Organization network; a vApp network with a NAT-routed connection through a vShield Edge (NAT/firewall) and IP masquerading defined; VMs whose vNICs connect directly to the Organization network; and an isolated (Private) vApp network with an isolated VM
     • Address labels .111/.112 and .11/.12 mark sample host addresses on the diagram
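The two nested vShield Edge hops in the diagram above (a vApp network NAT-routed to an Organization network that is itself NAT-routed to an External Network, slides 15, 19 and 21), as an added example in Python. This is a simplified model written for this page, not vShield Edge's code or configuration format: each edge masquerades outbound traffic behind its outside address, and lets inbound traffic through only for a reply to a masqueraded session or an explicit port forward, which stands in for the firewall's default deny. The `Edge` class, the packet dictionary and every address are constructed; the .111 and .11 host octets echo the labels on the diagram.

```python
"""Two tiers of NAT-routed connection behind vShield Edge appliances.

Added example; not vShield Edge's code or its configuration syntax. An Edge
is the gateway of one inside network and owns one address on the network
it connects to. Outbound: IP masquerading. Inbound: session reply or port
forward only; everything else is dropped (default-deny firewall).
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network


@dataclass
class Edge:
    name: str
    inside: IPv4Network                 # network this edge is the gateway for
    outside_ip: IPv4Address             # its address on the network it connects to
    port_forwards: dict = field(default_factory=dict)   # (proto, outside port) -> (inside ip, inside port)
    sessions: dict = field(default_factory=dict)        # (proto, nat port) -> (inside ip, inside port)
    next_nat_port: int = 40000          # constructed starting port for masqueraded sessions

    def outbound(self, pkt: dict):
        """Masquerade a packet leaving the inside network; None means not ours, so dropped."""
        if pkt["src"] not in self.inside:
            return None
        nat_port = self.next_nat_port
        self.next_nat_port += 1
        self.sessions[(pkt["proto"], nat_port)] = (pkt["src"], pkt["sport"])
        return {**pkt, "src": self.outside_ip, "sport": nat_port}

    def inbound(self, pkt: dict):
        """Un-NAT a packet arriving on the outside address. Only a reply to a
        masqueraded session or a configured port forward gets in; anything else
        is the firewall's default deny and returns None."""
        if pkt["dst"] != self.outside_ip:
            return None
        key = (pkt["proto"], pkt["dport"])
        target = self.sessions.get(key) or self.port_forwards.get(key)
        if target is None:
            return None
        inside_ip, inside_port = target
        return {**pkt, "dst": inside_ip, "dport": inside_port}


def traverse(pkt: dict, edges: list, direction: str):
    """Push a packet through a chain of edges; returns None at the first drop."""
    for edge in edges:
        pkt = edge.outbound(pkt) if direction == "out" else edge.inbound(pkt)
        if pkt is None:
            return None
    return pkt


def build_topology():
    """Constructed addresses: vApp network 192.168.2.0/24 behind a vApp edge whose
    outside address sits on the org network 10.10.10.0/24, behind an org edge whose
    outside address .111 sits on the external network."""
    vapp_edge = Edge("vApp edge", ip_network("192.168.2.0/24"), ip_address("10.10.10.11"))
    org_edge = Edge("Org edge", ip_network("10.10.10.0/24"), ip_address("203.0.113.111"))
    return vapp_edge, org_edge


def packet(src: str, sport: int, dst: str, dport: int, proto: str = "tcp") -> dict:
    return {"src": ip_address(src), "sport": sport, "dst": ip_address(dst), "dport": dport, "proto": proto}


if __name__ == "__main__":
    vapp_edge, org_edge = build_topology()
    # VM .11 in the vApp opens an HTTPS connection to an external host.
    out = traverse(packet("192.168.2.11", 50000, "198.51.100.5", 443), [vapp_edge, org_edge], "out")
    print("on the external network the VM appears as", out["src"], out["sport"])
    reply = packet("198.51.100.5", 443, str(out["src"]), out["sport"])
    print("the reply is delivered to", traverse(reply, [org_edge, vapp_edge], "in")["dst"])
    # Unsolicited inbound traffic is dropped until both edges carry a port forward.
    probe = packet("198.51.100.9", 1234, "203.0.113.111", 22)
    print("unsolicited inbound without port forwards:", traverse(probe, [org_edge, vapp_edge], "in"))
    org_edge.port_forwards[("tcp", 22)] = (ip_address("10.10.10.11"), 22)
    vapp_edge.port_forwards[("tcp", 22)] = (ip_address("192.168.2.11"), 22)
    print("with port forwards on both edges:", traverse(probe, [org_edge, vapp_edge], "in")["dst"])
```

The point of chaining two edges is visible in the inbound path: exposing a service in a NAT-routed vApp behind a NAT-routed Organization network needs a forward on the org edge to the vApp edge's outside address and a second forward on the vApp edge to the VM, and removing either one closes the path again. Outbound, the external network only ever sees the org edge's address, so per-tenant egress is attributable to one address per organization.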
  22. Use Cases
  23. Networking Use Cases – Example 1 of 4: Use Case 1: Isolated vApp
  24. Networking Use Cases – Example 2 of 4: Use Case 2: Dev/Test
  25. Networking Use Cases – Example 3 of 4: Use Case 3: Pre-Production with access to Internet
  26. Networking Use Cases – Example 4 of 4: Use Case 4: Pre-Production with access to VPN
  27. Networking Multi-tenancy
  28. vSphere Dependencies
     Network Pools: backing for private networks in vCloud Director
     • vSphere Port Group backed
       • Requires vSS or vDS or N1KV switches
     • VLAN-backed
       • Requires vDS and VLANs
     • vCloud Director Network Isolation-backed (vCD-NI)
       • Requires vDS and VLANs
       • MAC-in-MAC encapsulation (1524 bytes MTU)
     External Networks: for Internet, VPN/MPLS, IP SAN connectivity
     • Requires vSS or vDS or N1KV switches
  29. Network Security
     vShield Edge
     • Integrated with vCloud Director
     • Network security services:
       • Firewall
       • NAT
       • DHCP
       • Port forwarding
       • IP masquerading
     • Option for internal only or connected externally
       • Internal only: within a vApp or within an organization
  30. Questions
