Exalogic Elastic Cloud

Weblogic Forum, 28.02.2012

  • This is clearly a big vision. How are we going to execute?

    Java Performance: Java is an essential technology to Oracle and almost all of our customers. There was a real focus on what we could do for Java and there was a lot of opportunity: Java is well known for being sophisticated to tune, and performance was something we could optimize.

    Mission Critical Cloud: Real end-to-end standardization, consolidation and ultimately CLOUD – IT as a service. This isn’t something that just works for small enterprise applications. The real business value is when it can be deployed across the enterprise, which means you need an infrastructure that can support the most mission critical applications.

    Engineered System: We focused on the benefits of what can be delivered out of the box while carefully balancing the requirement to not take too much control from customers. We have a long-standing commitment to best-of-breed components, and our business is likely not going to move away from selling those components. We focused on the best standalone components that our customers would use to build their own systems and used those same components to build this new engineered system that we can deliver out of the box, pre-integrated and ready to run.

    These were our goals, and we achieved them! We are very pleased with what we have accomplished with this product.
  • Per-configuration capacity (units as on the Seamless Scalability slide):
    Nodes          1     4     8     16     30     240
    RAM (GB)      96   384   768   1536   2880   23040
    SSD (GB)     200   800  1600   3200   6000   48000
    ZFSSA (TB)    60    60    60     60     60     480
  • EL 1.0 multiple for Web: 3.4
    EL 1.0 multiple for JMS: 1.6
    EL 1.0 multiple for Enterprise Java: 2.2
  • All figures compare 30 standard 12-core Intel servers connected with Gigabit Ethernet (standard hardware) to an Exalogic Full Rack configuration
  • Datagram communication was limited by a fixed number of threads reading and writing the socket. MessageBus uses a dynamic pool and, in addition, there is one MessageBus per Coherence service, making it much more scalable over a larger number of cores.
  • Data was unavailable for 10 GbE, so 1 GbE was used. The unit of failure is one physical server in a 3-node cluster. For a 32 GB cache, time to recover was 12 seconds for IB and 194 seconds for GbE. The time measured is the time until the data is machine safe, that is, the time until the cluster is able to rebalance all partitions and is guaranteed to be able to withstand machine loss without data loss. Data is available during the recovery process.
  • For illustrative purposes, this diagram shows InfiniBand connectivity on the vertical axis and Ethernet connectivity on the horizontal axis. The compute nodes and the storage device within Exalogic are provisioned with redundant InfiniBand connections. These devices have access to the datacenter “external” network via the Ethernet ports on the InfiniBand Gateways. Ethernet connectivity to the compute servers and cloud storage is provided through the InfiniBand fabric: virtual Ethernet NICs are instantiated within the host stack, and Ethernet frames are encapsulated within InfiniBand packets, which are forwarded to the gateway, which has physical Ethernet ports. Note that there is an independent 1 GbE network for device management that connects to all components in Exalogic.
  • A key part of the value of an engineered system lies in reducing complexity (and thus TCO). Network, application and security administration roles should be defined to take advantage of the system *as a whole*.

    EECS 2.0 (Feb 2012) introduces two important capabilities that greatly extend the value of an engineered system. The first is full support for IB partitions, which allow hard partitioning of network traffic on the IB fabric (thus providing higher levels of data security for multi-tenant and co-located application domains); the second is Oracle Traffic Director (OTD), which provides a highly-available, on-board Application Delivery Controller (ADC) optimized for Exalogic and InfiniBand. In this short presentation, we’ll present some ideas on how these technologies support a much cleaner, more secure and efficient admin and security model for Exalogic.
  • For more details of configuring InfiniBand partitions on Exalogic (EECS 2.0), please see:
    http://docs.oracle.com/cd/E18476_01/doc.220/e18478/physical_part.htm#sthref102
    The following blog has interesting perspectives on presenting IB partitioning and virtualization:
    https://blogs.oracle.com/networking/entry/infiniband_and_virtualization
    For more details of Oracle Traffic Director, please see:
    http://docs.oracle.com/cd/E23389_01/index.htm
  • The “Green Zone” is a term I am using in this presentation to distinguish between the traditional (external) DMZ and an (on-board) hardened zone where SSL termination and application traffic management happen. Today, for non-engineered systems, it is common for both SSL termination and reverse-proxy routing/caching to be configured using a h/w LBR installed in the DMZ. This is the wrong model for an engineered system: it mixes the network and application traffic management functions, and it means that all requests must be routed through the LBR for HA/VIP support (cf. the Exalogic 1.0 EDG, where an external LBR is used to provide HA capability for OHS). For engineered systems, SSL termination and application traffic management should be controlled by OTD/OEG running in a hardened environment (the “Green Zone”) on-board Exalogic.

    There is a parallel with a traditional DMZ: since the Green Zone needs to be accessible to edge traffic (which has not been passed through a L7 firewall at this stage), it is important that the OS/VM environment be appropriately hardened (“web tier rules”) to protect against attempts to exploit network or service vulnerabilities. Typically this would involve a stripped-down kernel and a minimal set of network/daemon services, plus L3/4 s/w firewalls (e.g. iptables) and other OS-level security precautions.

    Note that the Green Zone does *not* replace an external DMZ: it supplements it. Many of the activities traditionally performed in the DMZ are still appropriate there and need to be implemented to secure the system as a whole. See the following slides for more detail on the separation of zones/roles.
  • The first two roles (network management and systems management) do not require application-specific knowledge or control, whereas application administration and traffic management do. For example, configuring a reverse proxy requires knowledge of how and where applications are deployed, etc. Similarly with SSL/PKI configuration and traffic shaping/caching. A key advantage of the ADC model (which is increasingly supplanting the use of simple h/w LBRs) is that these functions are configured by application-aware administrators, with a clean separation of roles from traditional network administration (DNS, DDoS protection/QoS policy).

    These are *roles* rather than people: it is quite possible that Application Traffic Management and Application Administration are done by the same person, but this need not be the case – the application administrator typically configures and deploys applications, while Application Traffic Management starts from the assumption that the apps are already deployed and accessible (e.g. on the individual managed server listen ports).
  • In this and the subsequent security zone slide, note that the admin/security roles map closely to one another and correspond to different physical areas within the overall architecture. Network admin/security is concerned with the reliability and security of the physical network up to the EoIB edge interface to the Exalogic system; application admin/security is concerned with actual application deployment and the configuration of the app server platform (classpath, app components, patch levels, etc.); application traffic management/security is concerned with how applications and components are made accessible to both external and internal clients.
  • Note the comparison with the administration roles in Slide 7: there is a very close mapping between admin roles and security zones for an engineered system. The end product is a clean-cut division of responsibilities, quicker problem resolution and lowered TCO.
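
The Green Zone note above calls for a stripped-down OS with L3/4 software firewalling (iptables) on the on-board traffic-management host that terminates SSL for edge traffic and proxies to the secure partition. The script below is an added example written for this page; it is not from the presentation or from Oracle. It emits an iptables-restore ruleset that admits only TLS on the edge-partition interface, management SSH only on the 1 GbE management NIC, and outbound connections only to the secure partition's application listen ports, so a compromised proxy host has no path into the management network. The interface names (eth_edge, ib_sec, eth_mgmt), the subnets, the WebLogic port range 7001-7100 and the SYN-rate cap are all assumptions, not values from the page.

```shell
#!/bin/sh
# Added example for this page (not Oracle code): iptables-restore ruleset for a
# hardened "Green Zone" host running the on-board ADC (OTD/OEG). Interface
# names, subnets, ports and rate limits are assumptions; adjust before use.
EDGE_IF="${EDGE_IF:-eth_edge}"          # assumed EoIB interface in the edge partition
SEC_IF="${SEC_IF:-ib_sec}"              # assumed IPoIB interface in the secure partition
MGMT_IF="${MGMT_IF:-eth_mgmt}"          # assumed 1 GbE management interface
MGMT_NET="${MGMT_NET:-10.10.0.0/24}"    # assumed admin subnet allowed to SSH in
SEC_NET="${SEC_NET:-192.168.10.0/24}"   # assumed secure-partition subnet (app servers)
APP_PORTS="${APP_PORTS:-7001:7100}"     # assumed WebLogic managed-server listen port range

# Print the ruleset; nothing is applied here, so it can be reviewed or diffed first.
green_zone_rules() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback and replies to flows we already accepted
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# edge partition: only TLS to the ADC listener, with a coarse SYN-rate cap (L3/4 guard;
# per-request throttling and connection limiting stay with OTD at L7); excess SYNs are
# dropped before the log rule so a flood cannot fill the logs
-A INPUT -i ${EDGE_IF} -p tcp --dport 443 --syn -m limit --limit 200/second --limit-burst 400 -j ACCEPT
-A INPUT -i ${EDGE_IF} -p tcp --dport 443 --syn -j DROP
# management: SSH only from the admin subnet, only on the management NIC
-A INPUT -i ${MGMT_IF} -s ${MGMT_NET} -p tcp --dport 22 -j ACCEPT
# keep path-MTU discovery working for TLS clients
-A INPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT
-A INPUT -m limit --limit 5/minute -j LOG --log-prefix "GZ-DROP-IN: "
# outbound: only proxied requests to the app tier across the IB fabric
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o ${SEC_IF} -d ${SEC_NET} -p tcp -m multiport --dports ${APP_PORTS} -j ACCEPT
-A OUTPUT -m limit --limit 5/minute -j LOG --log-prefix "GZ-DROP-OUT: "
COMMIT
EOF
}

# Pre-load sanity check: all three chains default to DROP, and the edge interface
# is never ACCEPTed on anything but port 443. Returns 0 when both hold.
check_ruleset() {
  rules=$(green_zone_rules)
  [ "$(printf '%s\n' "$rules" | grep -c '^:[A-Z]* DROP ')" -eq 3 ] || return 1
  printf '%s\n' "$rules" | grep -- "-i ${EDGE_IF} " | grep -- '-j ACCEPT' \
    | grep -qv -- '--dport 443' && return 1
  return 0
}

# Usage: sh green-zone-fw.sh          (print the ruleset for review)
#        sh green-zone-fw.sh --apply  (load it with iptables-restore; needs root)
case "${1:-}" in
  --apply) check_ruleset && green_zone_rules | iptables-restore ;;
  *)       green_zone_rules ;;
esac
```

Run without arguments to print the ruleset for review; `--apply` loads it through iptables-restore only if the sanity check passes. The SYN-rate cap is deliberately coarse: the request-rate throttling and connection limiting the slides list are OTD's job at L7, behind this ruleset. The OUTPUT policy is the part that matters most for the zone model: a proxy host that can only open connections to the secure partition's listen ports cannot reach the management network or the rest of the fabric even if its web-facing service is compromised.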

Exalogic Elastic Cloud: Presentation Transcript

  • 1 | © 2011 Oracle Corporation – Proprietary and Confidential
  • The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remain at the sole discretion of Oracle.
  • Exalogic Elastic Cloud | 2.0 Overview
  • Exalogic Elastic Cloud Software 1.0 and X2-2 Hardware
  • Engineered Systems | Dawn of a New Era (diagram: Problem / Solution)
  • Exalogic Elastic Cloud | Best in Class
    • Engineered System, Best ROI
    • Extreme Performance for Java Applications
    • Extreme Performance for Oracle Business Applications
  • Exalogic vs. Typical Status Quo (diagram layers: Applications & Middleware, Operating System, Compute, Networking, Storage; Exalogic X2-2)
  • Exalogic X2-2 | Complete, Integrated
    Compute Power
    • 2.93 GHz Xeon processors
    • 1333 MHz DRAM, RAID SSD disks
    • Redundant QDR InfiniBand, Power, Management
    Internal I/O Fabric and Data Center Connectivity
    • 40 Gb/sec internal I/O backplane
    • 10 Gigabit Ethernet connectivity to datacenter
    Integrated Storage
    • Shared storage for applications
    • Clustered for HA
    • 60 TB SAS disk
    • 4 TB read cache, 72 GB write cache
  • Exalogic X2-2 | Seamless Scalability
    Configuration   Nodes   RAM       SSD       NAS
    Eighth Rack     4       384 GB    800 GB    60 TB
    Quarter Rack    8       768 GB    1.6 TB    60 TB
    Half Rack       16      1.5 TB    3.2 TB    60 TB
    Full Rack       30      2.8 TB    6 TB      60 TB
    Multi-Rack      240+    23+ TB    48+ TB    480+ TB
  • Exalogic X2-2 | Integrated Storage (Sun 7320 ZFS Storage Appliance)
    • Enterprise-grade NAS
      – 60 TB disk capacity
      – 4 TB read cache
      – 73 GB write cache
    • ZFS clustering
    • Fully-embedded software suite, including clones and remote replication
  • Exalogic | Elastic Cloud Software 1.0 (stack diagram: Middleware and Business Applications; Enterprise Manager; WebLogic, Coherence, Tuxedo; Exabus Integration; Exabus 1.0 (Exalogic I/O Performance, Efficiency and Network Virtualization System); Exalogic Elastic Cloud X2-2 Hardware = Exalogic Elastic Cloud Software 2.0)
  • Exabus 1.0 | Optimized Network Virtualization (Standard Hardware I/O vs. Exabus)
    • Buffer copies (20%) → Zero Buffer Copy
    • Transport processing (40%) → Direct Memory Access
    • Kernel context switches (40%) → Kernel Bypass
    • 4X throughput, 6X lower latency
  • EECS 1.0 | WebLogic Server Optimizations (Exalogic Elastic Cloud Software 1.0)
    • Socket Direct Protocol Optimization
      – SDP over InfiniBand for JDBC
      – SDP over InfiniBand for Network channels
    • Work Manager and I/O Optimizations
      – Scatter/gather I/O
      – Optimized self-tuning thread pool
    • Cluster optimizations
      – One-way multi-channel RMI with lazy deserialization
  • EECS 1.0 | Performance Benchmark: 5-10x improvements from baseline
    Workload         Metric           Standard HW   EL 1.0       Multiple
    Web              Requests/sec.    9,560         22,481       2.3X
    JMS              Messages/sec.    78,840        246,035      3.1X
    Enterprise Java  Operations/sec.  401,070       1,237,462    3.1X
  • EECS 1.0 | Reduced IO Buffer Copying: free more CPU cycles and memory for application work (66% copy reduction, sender/receiver)
    User space:
    • JSP Compiler uses Byte Buffers instead of static byte arrays
    • Servlet Container uses Byte Buffers instead of copying into temporary buffers
    • WebLogic Core uses Byte Buffer-aware streams instead of chunked streams
    • JVM (JRockit/HotSpot) pins WebLogic buffers on heap to avoid copies
    Kernel space:
    • Sockets Direct Protocol: reduced copying between user and kernel space
  • Standard WebLogic IPC: multi-core, memory and IO bottlenecks (slower network, lots of small messages; single muxer; TCP/IP over Ethernet)
    • Single muxer lock contention for narrowband
    • Small (1.5K) packet sizes require more processing to put messages onto the network
  • EECS 1.0 | WebLogic Clustering/IPC: faster network, fewer and larger messages (parallel muxer; SDP over InfiniBand)
    • Parallel muxer reduces lock contention due to faster message inflow
    • Larger packet sizes (64K for IPoIB and >=32K for SDP) reduce processing to put messages onto the network
  • EECS 1.0 | WebLogic Scatter Gather I/O
    Standard WebLogic: read/write 4K standalone chunks; 1.5K MTU over 10 Gb/s Ethernet
    WebLogic on Exalogic: read/write collections of 4K chunks (64K, 128K, …); 64K Maximum Transmission Unit (MTU) size for IPoIB or >=32K MTU for SDP over 40 Gb/s InfiniBand
    • Scatter/gather I/O collects 4K WebLogic chunks into larger collections of chunks
    • Chunks written onto the larger-MTU infrastructure of InfiniBand
    • Instrumental in increasing throughput and reducing latency
  • EECS 1.0 | Self-Tuning Thread Pool (WebLogic Server)
    • Thread pool aware of processor cores: 2 processors x 6 cores x 2 hyper-threads per core = 24 hardware threads (Exalogic X4170 Compute Node: x86 dual processor, 6 cores per processor with Hyper-Threading; HotSpot or JRockit on the operating system)
    • Self-tuning WebLogic thread pool adjusts the current thread count by 24 (work priority request queue, work processors)
    • Rapid adjustment to varying workloads
      – Optimal adjustment is 24 threads per time period
  • EECS 1.0 | Optimized WebLogic Replication
    State Replication with Standard WebLogic          State Replication with WebLogic on Exalogic
    • Single-channel state replication per JVM        • Multi-channel state replication per JVM
    • Traditional two-way RMI                         • Optimized one-way RMI
    • Full deserialization on secondary server        • Lazy de-serialization on secondary server
    • State replicated over standard networking       • State replicated over InfiniBand
  • EECS 1.0 | WebLogic Active GridLink for RAC
    • Integrated Exalogic and Exadata clusters
    • Dynamic load balancing of requests to RAC nodes
    • RAC node transaction affinity for data locality
    • Maximum JDBC performance with SQL*Net over native InfiniBand protocol (SDP)
    • Instant load balancing and failover with RAC changes
    (diagram: WebLogic/GridLink instances; RAC-node load-aware connection requests (80%/20%); RAC node affinity for XA transactions; continuous connections even with RAC changes)
  • EECS 1.0 | Fusion Middleware Performance (Standard Hardware vs. Exalogic)
    Tuxedo 11g   Response time      1.1 ms      0.16 ms     7X
    SOA 11g      Response time      520 ms      58 ms       9X
    ADF 11g      Concurrent users   24,000      240,000     10X
    UCM 11g      Throughput         5,640 tps   17,340 tps  3X
  • EECS 1.0 | Oracle Application Performance (Standard hardware vs. Exalogic and Exadata)
    • E-Business Suite, Self Service and HR: 3x better response time, 2x better scalability
    • E-Business Suite, Order to Cash: 3x better response time, 5x better scalability
    • PeopleSoft, Self Service HRMS, FIN and Procurement: 8x better response time, 4x better scalability
    • Siebel UCM, Customer Hub: 8x better response time, 2x better scalability
    Response-time figures on the slide: 2.23 s → 0.74 s (3X), 1.18 s → 0.39 s (3X), 11.94 s → 1.42 s (8X), 200 ms → 25 ms (8X)
  • EECS 1.0 | Oracle Application Performance (Standard hardware vs. Exalogic and Exadata)
    • JD Edwards, Order Management: 3x better response time (0.51 s → 0.17 s), 2x better scalability
    • Utilities, Meter Data Management: 2x better response time, 7x better scalability (2.75 million → 20 million)
    • Communications, Billing Revenue Management: 2x better response time, 2x better scalability (2,027 → 4,000)
    • ATG Web Commerce, Commerce Reference Store: 3x better response time, 3x better scalability (3.1 → 10)
  • Exalogic Elastic Cloud Software 2.0
  • Exalogic Elastic Cloud Software | 2.0 GA 02/19/12 (stack diagram: Middleware and Business Applications; Enterprise Manager; Traffic Director; WebLogic, Coherence, Tuxedo; Exabus Integration; Exabus 2.0 (‘Virtual Firewall’); Exalogic Elastic Cloud X2-2 Hardware = Exalogic Elastic Cloud Software 2.0)
  • EECS 2.0 | Application Delivery Controller
    • Oracle Traffic Director (diagram: Applications, Traffic Director, Exabus Fabric, Datacenter Service Network)
      – 3.5X higher throughput and 28% better CPU efficiency than Apache
      – Native Exabus integration
      – HTTP reverse proxy
      – AES-accelerated SSL 3.0 and TLS
      – Request-based routing
      – Request rate throttling
      – Connection limiting
      – Detailed metering and logging
  • EECS 2.0 Virtual Firewall | InfiniBand Partitions
    • Firewall-level end-point security
    • Enforced directly by Exabus fabric switches
      – Immune to all known IP-layer exploits
      – Immune to known firewall vulnerabilities
    • With Traffic Director: complete “virtual firewall” for Exalogic
    • Multiple management options: fully integrated with EM for Exalogic, stand-alone or hybrid
    (diagram: Applications in Partitions, Traffic Director, Exabus Fabric, Datacenter Service Network)
  • Elastic Cloud Software 2.0 | 2X Performance
    Workload         Metric           Standard HW   EL 1.x             EL 2.x
    Web              Requests/sec.    9,560         22,481 (2.3X)      49,460 (5X)
    JMS              Messages/sec.    78,840        246,035 (3.1X)     836,520 (10X)
    Enterprise Java  Operations/sec.  401,070       1,237,462 (3.1X)   1,979,940 (5X)
  • EECS 2.0 | WebLogic Optimizations
    • Messaging Optimization
      – JMS Lockless Request Manager
    • Web Optimization
      – JSP Factory Caching
      – HTTP Client Acceleration
    • Operational Optimization
      – Super Fast Cluster Recovery
  • EECS 2.0 | WebLogic Lockless Request Manager
    Conventional: Application → Work Manager → Request Manager → Thread Pool
    Exalogic: Application → Work Manager → Lockless Request Manager → Thread Pool
    JMS messages/sec.: Conventional Hardware 401,070; Exalogic 1,979,940 (5X; the chart also carries 3X and 2.0X labels for EECS)
    Full JVM thread utilization through concurrency, enabling Exalogic processor core saturation for maximum throughput
  • EECS 2.0 | WebLogic Web Performance
    Conventional: HTTP client creates a thread per request; 126 TPS
    Exalogic: reusable thread pool; 242 TPS (2X)
    Optimized thread pool improves scalability of applications that make multiple HTTP connections to other services (e.g. Web Services/SOA applications) while dramatically reducing overall CPU utilization (82% to 8%)*
    * Sample Application: Portal Application making SOAP calls – 10 Portlets per Page
  • EECS 2.0 | WebLogic Cluster Recovery
    Time to recovery of a WebLogic cluster (managed server death detection): Conventional Hardware 40 seconds; Exalogic (Exabus) 23 seconds, 1.7X faster
    Faster on Exalogic: optimized cluster member death detection
  • EECS 2.0 | Coherence Optimizations
    • Exabus Latency Optimizations
      – RDMA with kernel bypass and zero buffer copy
      – New Coherence “MessageBus” utilizes JVM InfiniBand APIs
    • Scalable Networking
      – MessageBus per service to allow scalability to many cores
      – Simplifies deployments by requiring fewer Coherence nodes
    • Elastic Data Optimizations
      – Improved heuristics for moving data to SSD
      – Optimized for Exalogic SSD
  • EECS 2.0 | Coherence Optimizations for Exabus: 4x bandwidth, 1/6 latency
    (stack diagram: Coherence Services → JVM Message Busses → InfiniBand Message Bus Provider → JRockit/HotSpot)
    • Provider-based transport layer
    • One per service for scalability to multiple cores
    • Increased message parallelism to max network
    • Context switches reduced from 3 to 1
    • Datagram still used for cluster protocol
    • RDMA offloads host processor
    • Zero copy and kernel bypass
    • Predictive notifications avoid costly interrupts
    • Custom off-heap DirectByteBuffer reduces GC
  • EECS 2.0 | Configuring Coherence Before/After
    Before: single system, many JVMs, datagram data communications
    After (EECS 2.0): fewer, larger JVMs, Message Bus data communications
    • MessageBus per service increases parallelism
    • Fewer JVMs needed to maximize bandwidth
    • Customized DirectMemoryBuffer reduces GC pressure
    • Reduce JVMs from 8-12 per compute node to as few as 2
  • EECS 2.0 | Simplified Coherence Deployments
    Number of JVMs needed for Coherence infrastructure: Conventional (single system, many JVMs, datagram data communications) 8-12 JVMs; Exalogic (fewer JVMs, Message Bus data communications) 1-2 JVMs
    • Scalable data communications to maximize network bandwidth with fewer JVMs
    • Memory buffers allocated off-heap dramatically reduce object allocation and thus garbage collection pauses
    • Scalable communications and reduced GC pressure favor fewer, larger JVMs for simplified deployment
  • EECS 2.0 | Coherence Cluster Rebalancing
    Time to recovery of a Coherence cluster: Conventional Hardware (GbE) 194 seconds; Exalogic (Exabus) 12 seconds, 16X faster
    Exabus increases availability
  • EECS 2.0 | Tuxedo MSGQ on Exabus
    • Eliminates BRIDGE process as bottleneck
    • Enables greater scalability of Tuxedo domains
    • 7x higher throughput
    • No application changes needed
    Transactions/sec.: Standard Hardware (single TCP connection over Ethernet via BRIDGE) 13,680; Exalogic (MSGQ on Exabus) 95,595, 7X (the chart also carries a 2.0X label relative to EECS 1.0)
  • Deploying Exalogic in theDatacenter
  • Exalogic X2-2 Hardware Architecture System Design Exalogic X2-2 Ethernet Gateways Spine Switch 10GbE QDR InfiniBand I/O Backplane Data Center Service Compute Nodes Exabus Network Direct IB Integration: Standard • Exadata Oracle • Additional Exalogic … Database configurations • ZFS Storage ApplianceExadata Management • Backup Media Servers Storage Switch Data Center Mgmt Network GbE GbE GbE Management Network (GbE) 41 | © 2011 Oracle Corporation – Proprietary and Confidential
  • Canonical EECS 1.0 Secure Deployment Datacenter view GbE Disaster Recovery Site Exalogic DMZ/GLB FW1 Exalogic FW2 Exadata Web Tier Application User 10GbE 10GbE Production SiteInternet Exalogic Application Staging Environment Administrator GbE GbE Exalogic GbE Exalogic Cloud Administrator Security Exalogic Exadata Administrator Administrator Administrator 10GbE GbE 42 | © 2011 Oracle Corporation – Proprietary and Confidential
  • Canonical EECS 1.0 OLTP Deployment Datacenter view GbE Disaster Recovery Site Exalogic DMZ/GLB FW1 Exalogic Exadata Web Tier Application User 10GbE Exabus Production SiteInternet Exalogic Application Staging Environment Administrator GbE GbE Exalogic GbE Exalogic Cloud Administrator Security Exalogic Exadata Administrator Administrator Administrator 10GbE GbE 43 | © 2011 Oracle Corporation – Proprietary and Confidential
  • Taking Advantage of Engineered Systems Implementing role-based network/security zones • EECS 2.0 adds two essential capabilities – Full support for Infiniband Partitions: network isolation on the Infiniband fabric – Oracle Traffic Director (OTD): on-board Application Delivery Controller (ADC) • Role-based network and security zones – Exploit Exalogic networking and performance features – Provide “defense in depth” for applications deployed to Exalogic – Combine external DMZ and hardened Exalogic “green zone”44 | © 2011 Oracle Corporation – Proprietary and Confidential
  • IB Partitions and Oracle Traffic Director Key additions to Exalogic Elastic Cloud software 2.0 • IB Partitions enforce network isolation on the IB Fabric – IB nodes can be members of multiple partitions and associated with specific VLANs – Hard partitioning: a node cannot communicate with nodes outside its partition(s) – Enforced by the Infiniband Subnet Manager • Traffic Director – On-board Application Delivery controller optimized for Exalogic/Infiniband – Full HTTP 1.1 caching, load-balancing reverse-proxy – Optimized for Oracle FMW/Apps and Enterprise Java on WebLogic Server – Hardware-assisted crypto/compression for 4x performance boost – Support for native Infiniband protocols. – Traffic shaping, connection throttling and application firewall support45 | © 2011 Oracle Corporation – Proprietary and Confidential
  • The “Green Zone” On-board complement to external DMZ EoIB Edge Traffic The “Green Zone” (encrypted) Edge Partition • Hardened Traffic Management Zone VIP Services VIP Services Application Application – “Web Tier rules”: hardened OS/VM image Delivery Delivery – Minimal kernel/services and L3/4 firewalling Controller Controller L7 Firewall L7 Firewall – Hardware accelerated SSL termination Routing/Shaping Routing/Shaping Caching/Proxy Caching/Proxy • Application-level Traffic Shaping Secure Partition – VIP services internally/externally 4170 Compute Node – OTD provides ADC for L7 traffic 4170 – OEG adds policy enforcement for SOAP/REST Compute Node web service APIs (directly or via OTD) 4170 … • Bridge Edge (EoIB) and Secure Partitions … – Internal traffic never leaves the IB Fabric Native Infiniband (or IPoIB) Traffic46 | © 2011 Oracle Corporation – Proprietary and Confidential
  • Administration Roles for Exalogic Deployments Separate application-specific and system roles • Network Management – Global load balancing, Routing and DNS – L3/4 Firewall, Connection Throttling, QoS Policy and DoS Protection • Application Traffic Management – Traffic Shaping, Reverse-Proxy, Caching, Load balancing – PKI Infrastructure, SSL configuration, L7 Firewall – High Availability/VIPs • Application Administration – Application deployment, monitoring and tuning – Application server/platform patching/upgrade47 | © 2011 Oracle Corporation – Proprietary and Confidential
  • EECS 2.0 Secure Exalogic Deployment: datacenter view
    [Diagram: Internet → external DMZ/GLB → Exalogic “Green Zone” → second firewall (FW2) → Secure App Tier partition → Exadata over Exabus, at the Production Site; a Staging Environment and a Disaster Recovery Site are attached over GbE/10GbE; separate Application User, Application Administrator, Exalogic Cloud Administrator, Exalogic Administrator and Exadata Administrator roles are shown]
  • [Diagram: administration roles mapped onto the Exalogic architecture]
    • Network Management (external DMZ: router/firewall, L3/4 firewall, DoS prevention, SSL passthrough)
      – Global traffic management
      – QoS, bandwidth management
      – DNS administration
      – L2-4 network configuration
    • Application Traffic Management (edge partitions: VIP services, Application Delivery Controller, L7 firewall, routing/shaping, caching/proxy)
      – Application security
      – HTTP routing/caching
      – PKI infrastructure
      – Virtual server administration
      – Traffic shaping/prioritization
      – Application traffic logging/monitoring
      – Application (L7) firewall
      – VIP management
      – Caching/proxy
    • Application Administration (secure partitions: 4170 compute nodes)
      – Domain configuration
      – Application logging/monitoring
      – Application deployment
      – Performance tuning/monitoring
      – Upgrades/patching
      – Application security/identity mapping
    • Also shown: an external OAM/IdM X2-2 (access, identity, LDAP, roles, audit, compliance) and a 7320 ZFS appliance serving ZFS shares
  • Security Zones in the Exalogic Architecture: map closely to admin roles/zones
    • External DMZ
      – Traditional DMZ, external to Exalogic
      – No unencrypted traffic visible outside Exalogic
    • Hardened “Green Zone”
      – On-board application traffic management zone
      – Hardened OS/VM image (iptables firewall, stripped-down kernel/services etc.)
      – Acts as the “bridge” between the externally visible edge partitions and the internal secure partitions; SSL termination is handled by OTD
      – Application (L7) firewall: ModSecurity (OTD) and XML Gateway (Vordel)
    • Secure Zones
      – Accessed only via secure IB partitions
      – Traffic typically unencrypted, using SDP/ExaBus or IPoIB only
  • [Diagram: security zones mapped onto the Exalogic architecture]
    • External DMZ (router/firewall: L3/4 firewall, DoS prevention, SSL passthrough)
      – No unencrypted data visible
      – Hardware DoS protection
      – Traffic separation (VLANs)
      – L3/4 firewall: ports/protocols etc.
    • Hardened “Green Zone” (edge partitions: VIP services, Application Delivery Controller, L7 firewall, routing/shaping, caching/proxy)
      – SSL termination
      – Hardened kernel, limited OS services
      – Authorization/authentication
      – Network (L3/4) firewall (iptables)
      – Traffic shaping/routing
      – Certificate management
      – Application (L7) firewall
      – VLANs separate edge network access
      – Edge access via EoIB
      – Controlled access to the IB partition (secure fabric)
    • Secure Zone (secure partitions: 4170 compute nodes)
      – Native InfiniBand protocols
      – Other partitions are accessed via the Green Zone
      – Hard IB partitions
      – Edge traffic blocked
      – VLANs control network visibility
      – ZFS shares restricted by VLAN/partition
    • Also shown: an external OAM/IdM X2-2 (access, identity, LDAP, roles, audit, compliance) and a 7320 ZFS appliance serving ZFS shares
  • Filling out the Exalogic Architecture: consolidation, virtualization and shared services
    • Consolidate the Identity Management domain onto Exalogic
      – Authentication/authorization traffic restricted to the IB fabric
      – Easier to manage; lower cost of ownership
    • Partitions aren't silos (unless you want them to be)
      – Applications in one secure IB partition access services in another through OTD
      – A shared edge partition (with IB interfaces into multiple partitions) allows controlled access for external (EoIB) and internal (IB) requests
    • Virtualization and Virtual Assemblies
      – OVM manages the physical/virtual mapping of resources
      – Traffic Director assemblies include HA (VIP) support
      – Virtual Assemblies map directly to admin/security zones
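The partition rules on the slides above (hard partitioning enforced by the subnet manager, nodes that are members of several partitions, a shared edge partition with interfaces into multiple secure partitions) all come down to one membership check that the subnet manager programs into every port's P_Key table. The Python below is an added example, not Oracle code and not the Exalogic partition configuration: it parses constructed partition-table text in OpenSM-like syntax (the partition names, keys, port GUIDs and the rule that an explicit GUID entry overrides ALL are all assumptions) and answers which partition, if any, lets two ports exchange packets. The two tables show why a default partition with ALL=full quietly defeats "hard" isolation, and how keeping the default partition for management only, with limited membership, restores it.

```python
"""InfiniBand partition (P_Key) model: which ports can talk under a given
subnet-manager partition table.

Added example for this page; not Oracle code and not the Exalogic partition
configuration.  It models the rule the IB subnet manager enforces on every
port: two ports exchange packets only if they share a 15-bit partition key,
and two *limited* members of the same partition cannot talk to each other.
The partition-table text is constructed in OpenSM-like syntax
(Name=0xKEY[,flags] : GUID=full|limited, ALL=full|limited ;); port GUIDs and
keys are made up, and 0x7fff is the conventional default partition key.
"""
import re
from typing import Dict, List

FULL, LIMITED = "full", "limited"

# Constructed fabric: an OTD node per edge/secure pairing, WebLogic app nodes
# and the host running the subnet manager.  GUIDs are fictitious.
OTD1, OTD2 = "0x0002c90300000101", "0x0002c90300000102"
APP_A1, APP_A2 = "0x0002c90300000a01", "0x0002c90300000a02"
APP_B1 = "0x0002c90300000b01"
MGMT = "0x0002c903000000ff"
KNOWN_PORTS = [OTD1, OTD2, APP_A1, APP_A2, APP_B1, MGMT]

# Naive table: the secure partitions look isolated, but every port is still a
# full member of the default partition, so "hard" isolation does not exist.
NAIVE_CONF = f"""
Default=0x7fff, ipoib : ALL=full;
Edge=0x0001, ipoib : {OTD1}=full, {OTD2}=full;
SecureA=0x0002, ipoib : {OTD1}=full, {APP_A1}=full, {APP_A2}=full;
SecureB=0x0003, ipoib : {OTD2}=full, {APP_B1}=full;
"""

# Hardened table: the default partition is kept for management only, with
# every port a limited member except the management host, so limited members
# reach the (full) management host but not each other.
HARDENED_CONF = f"""
Default=0x7fff, ipoib : ALL=limited, {MGMT}=full;
Edge=0x0001, ipoib : {OTD1}=full, {OTD2}=full;
SecureA=0x0002, ipoib : {OTD1}=full, {APP_A1}=full, {APP_A2}=full;
SecureB=0x0003, ipoib : {OTD2}=full, {APP_B1}=full;
"""

LINE_RE = re.compile(r"^\s*(\w+)\s*=\s*(0x[0-9a-fA-F]+)\s*(?:,[^:]*)?:\s*(.*?)\s*;\s*$")


class Partition:
    def __init__(self, name: str, key: int, members: Dict[str, str]):
        self.name, self.key, self.members = name, key, members


def parse_partitions(conf: str, ports: List[str]) -> Dict[str, Partition]:
    """Parse partition-table text into {name: Partition}.  An explicit GUID
    entry overrides an ALL entry on the same line (assumed precedence; check
    the subnet manager's documentation before relying on it)."""
    table: Dict[str, Partition] = {}
    for line in conf.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable partition line: {line!r}")
        name, key, body = m.group(1), int(m.group(2), 16), m.group(3)
        if not 0 < key <= 0x7FFF:
            raise ValueError(f"{name}: partition key must be a 15-bit value")
        members: Dict[str, str] = {}
        explicit: Dict[str, str] = {}
        for entry in body.split(","):
            who, _, membership = entry.strip().partition("=")
            membership = membership.strip().lower()
            if membership not in (FULL, LIMITED):
                raise ValueError(f"{name}: unsupported membership {membership!r}")
            if who.upper() == "ALL":
                for guid in ports:
                    members[guid] = membership
            else:
                explicit[who] = membership
        members.update(explicit)
        table[name] = Partition(name, key, members)
    return table


def wire_pkey(key: int, membership: str) -> int:
    """16-bit P_Key as carried in packet headers: bit 15 set for full members."""
    return key | 0x8000 if membership == FULL else key


def port_pkeys(table: Dict[str, Partition], guid: str) -> Dict[int, str]:
    """Partition keys programmed into one port's P_Key table, with membership."""
    return {p.key: p.members[guid] for p in table.values() if guid in p.members}


def reachable_via(table: Dict[str, Partition], a: str, b: str) -> List[str]:
    """Names of the partitions through which ports a and b can exchange packets:
    same 15-bit key on both sides, and not both limited members."""
    names = []
    for p in table.values():
        if a in p.members and b in p.members:
            if not (p.members[a] == LIMITED and p.members[b] == LIMITED):
                names.append(p.name)
    return names


def isolation_holds(table: Dict[str, Partition], pairs) -> bool:
    """True when none of the given port pairs can reach each other."""
    return all(not reachable_via(table, a, b) for a, b in pairs)


if __name__ == "__main__":
    must_be_isolated = [(APP_A1, APP_B1), (APP_A1, OTD2), (APP_A2, APP_B1)]
    for label, conf in (("naive", NAIVE_CONF), ("hardened", HARDENED_CONF)):
        table = parse_partitions(conf, KNOWN_PORTS)
        print(f"{label}: isolation holds = {isolation_holds(table, must_be_isolated)}")
        print(f"  APP_A1 -> APP_B1 via {reachable_via(table, APP_A1, APP_B1)}")
```

The check to run against a real fabric is the same one the model performs: dump each port's P_Key table (membership bit included) and confirm that the only key shared between two partitions that must stay separate is the management key, with at most one side a full member.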
  • Exalogic and Exadata
    • Deploy Database Firewall inline on the Exadata edge network
      – Inline deployment forces external SQL traffic through audit/firewall rules
      – Protection (or at least audit) against insider attacks
      – Standard L3/4 firewalls should block ALL interactive SQL access from Exalogic
    • Use application firewalls to block SQL injection and other L7 attacks
      – OTD implements ModSecurity for OWASP support (HTTP traffic)
      – Oracle Enterprise Gateway (Vordel) protects SOA/web service traffic
      – Both are implemented within the “Green Zone”: block malicious traffic at the earliest opportunity
    • Future direction: shared Exalogic/Exadata partitions
      – Isolate traffic between the mid-tier and database/storage
      – Dedicated listeners visible only from the dedicated IB partition
      – Database access controls enforced via partitioned listeners
      – Note: Exadata today supports only the default IB partition
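The L7 blocking described above (ModSecurity rules in OTD inside the Green Zone, ahead of the secure partition) amounts to normalising each request field and matching it against rules before anything is forwarded. The Python below is an added example, not Oracle Traffic Director code and not the OWASP ModSecurity Core Rule Set; the rule ids, patterns and request lines are all constructed. It shows the two steps that matter in practice: decoding before matching (the double-encoded login payload would otherwise pass), and keeping the patterns tight enough that an apostrophe in a surname or ordinary words in a search string do not trip them.

```python
"""Minimal L7 inspection for SQL-injection patterns, in the style of the
transformation-then-match pipeline ModSecurity rules use.

Added example for this page; not Oracle Traffic Director code and not the
OWASP ModSecurity Core Rule Set.  Rule ids, patterns and the request lines
are constructed for illustration; a real Green Zone deployment would load
the CRS rather than these four patterns.
"""
import re
from typing import Dict, List, Tuple
from urllib.parse import parse_qsl, unquote, urlsplit

Hit = Tuple[str, str, str]  # (rule id, inspected field, matched text)


def normalize(value: str) -> str:
    """Transformations applied before matching (compare ModSecurity's
    t:urlDecodeUni, t:removeComments, t:compressWhitespace, t:lowercase).
    Decoding twice catches double-encoded payloads such as %2527 -> %27 -> '."""
    v = unquote(unquote(value))
    v = re.sub(r"/\*.*?\*/", " ", v)      # strip /**/ comments used as spacers
    v = re.sub(r"\s+", " ", v)
    return v.strip().lower()


RULES = [
    ("sqli-001", "UNION ... SELECT",
     re.compile(r"\bunion\s+(?:all\s+|distinct\s+)?select\b")),
    ("sqli-002", "tautology after a quote",
     re.compile(r"['\"]\s*or\s+[\w'\"]+\s*=\s*[\w'\"]+")),
    ("sqli-003", "stacked statement",
     re.compile(r";\s*(?:drop|alter|insert|update|delete|exec)\b")),
    ("sqli-004", "quote followed by comment terminator",
     re.compile(r"['\"]\s*(?:--|#)")),
]


def inspect_request(target: str) -> List[Hit]:
    """Inspect the path and every query parameter of a request target.
    An empty list means the request may be forwarded to the secure partition."""
    parts = urlsplit(target)
    fields = [("PATH", parts.path)]
    fields += [("ARG:" + k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    hits: List[Hit] = []
    for field, raw in fields:
        norm = normalize(raw)
        for rule_id, _desc, pattern in RULES:
            m = pattern.search(norm)
            if m:
                hits.append((rule_id, field, m.group(0)))
    return hits


# Constructed request lines in "METHOD target" form, as an access log shows them.
SAMPLE_REQUESTS = [
    "GET /shop/item?id=42",
    "GET /shop/item?id=42%27%20UNION%2f%2a%2a%2fSELECT%20user,password%20FROM%20dba_users--",
    "POST /login?user=admin%2527%2520OR%25201%253D1--&pw=x",
    "GET /search?q=union%20station%20select%20seat",
    "GET /report?name=O%27Brien",
    "GET /admin?cmd=1%3B%20DROP%20TABLE%20users",
]


def triage(lines: List[str]) -> Dict[str, List[Hit]]:
    """Map each request line to its rule hits; blocked lines have a non-empty list."""
    results: Dict[str, List[Hit]] = {}
    for line in lines:
        _method, target = line.split(" ", 1)
        results[line] = inspect_request(target)
    return results


if __name__ == "__main__":
    for line, hits in triage(SAMPLE_REQUESTS).items():
        verdict = "BLOCK" if hits else "pass "
        print(f"{verdict} {line}")
        for rule_id, field, text in hits:
            print(f"       {rule_id} in {field}: {text!r}")
```

Single-regex blocking of this kind is only a sketch of what the CRS does; the production rule set scores anomalies across many rules and paranoia levels rather than denying on one match, precisely to manage the false-positive risk that the search-string sample illustrates.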
  • EECS 2.0 Exa*OLTP Deployment: datacenter view
    [Diagram: Internet → external DMZ/GLB → Exalogic “Green Zone” → Secure App Tier partition → Exadata partition, linked over Exabus at the Production Site; a Staging Environment and a Disaster Recovery Site are attached over GbE/10GbE; Application User, Application Administrator, Exalogic Cloud Administrator, Exalogic Administrator and Exadata Administrator roles are shown]
  • Identity Management and Exadata consolidated via the InfiniBand fabric
    [Diagram: external DMZ router/firewall (L3/4 firewall, DoS prevention, SSL passthrough) → Exalogic edge partitions (VIP services, Application Delivery Controller, L7 firewall, routing/shaping, caching/proxy) → secure partitions of 4170 compute nodes; OAM/IdM (access, identity, LDAP, roles, audit, compliance) now sits on an internal IB partition; Exadata 4170 database servers and 5640 storage servers; 7320 ZFS appliance with ZFS shares; everything on the 40Gb QDR InfiniBand fabric]
  • OTD/OEG provide support for a shared services/firewall architecture
    [Diagram: same layout as the previous slide, with a single shared edge partition (VIP services, Application Delivery Controller, L7 firewall, routing/shaping, caching/proxy) fronting the secure partitions of 4170 compute nodes, the internal OAM/IdM IB partition, Exadata (4170 database servers, 5640 storage servers) and the 7320 ZFS appliance, all on the 40Gb QDR InfiniBand fabric]
  • Summary
  • Exalogic Elastic Cloud Software 2.0 | Summary
    • 2x the performance of EECS 1.0
    • Virtual firewall with InfiniBand partitions
    • Application Delivery Controller: integrated Oracle Traffic Director
  • For More Information
    • Contact: your Oracle Sales Professional
    • Resources
      – oracle.com/exalogic
      – twitter.com/OracleExalogic
      – facebook.com/Exalogic
      – blogs.oracle.com/exalogic
      – linkedin.com/groups/Oracle-Exalogic-Elastic-Cloud-3764186
  • Exalogic Elastic Cloud Software 2.0 | FAQ (1/3)
    • Q: Is it possible to upgrade an existing Exalogic X2-2 system to the EECS 2.0 software?
      – Yes. An upgrade kit for deployed Exalogic X2-2 systems will be made available in the near future. All X2-2 hardware configurations now ship with EECS 2.0 pre-installed.
    • Q: Are all EECS 2.0 features available for Solaris 11 Express?
      – Yes. A new S11E base image for Exalogic is provided as part of the release.
  • Exalogic Elastic Cloud Software 2.0 | FAQ (2/3)
    • Q: Is EECS 2.0 available for SPARC SuperCluster?
      – The WebLogic and Coherence enhancements are available for SPARC SuperCluster. Other features, such as Traffic Director, will be available for SPARC SuperCluster in the future. InfiniBand partitions are available for SPARC SuperCluster, although their usage will be somewhat different because the SPARC SuperCluster's network and I/O subsystem architecture differs from that of the Exalogic X2-2.
  • Exalogic Elastic Cloud Software 2.0 | FAQ (3/3)
    • Q: Do I need to upgrade my hardware to use EECS 2.0?
      – No. Existing X2-2 hardware can be used without modification.
    • Q: Does EECS 2.0 include support for Oracle VM?
      – No.