SN
Uploaded bySumit Naiksatam
1,143 views

Open stack gbp final sn-4-slideshare

The document discusses a new approach to OpenStack automation called Group-Based Policy (GBP). GBP aims to capture an application's infrastructure needs at a higher level of abstraction, independent of the underlying implementation details. It introduces several new concepts, including groups to organize resources, traffic classifiers to define network traffic, and policy tags to apply governance rules. The goal is for applications to simply describe their requirements and dependencies rather than having to specify low-level configuration details.

Embed presentation

OpenStack Kilo Summit, Paris, Nov 2014 Michael Cohen, Sumit Naiksatam, Prasad Vellanki, Stephen Wong
Agenda  Vision  GBP Model  GBP Architecture  Demo
IT exists to run applications automation infrastructure Scalable Uber-Easy Reliable Fast
IT exists to run application Reality: Based on worst principles borrowed from human middleware automation infrastructure
Micromanagement Do this sequence of things do do do do do do do do do do do do do do Automation has been an attempt at industrialization of micromanagemen t practices
heat automation detailed abstraction neutro n detailed abstraction nova detailed abstraction cinder detailed abstraction swift detailed abstraction glance ……….. Detailed Interactions Do, do, do, do Detailed Interactions Do, do, do, do Detailed Interactions Do, do, do, do Detailed Interactions Do, do, do, do Detailed Interactions Do, do, do, do Detailed Interactions Do, do, do, do (over and over again) Lots of HOW Too much Unnecessa ry detail + Closed Coupling
simplicity, at times, has heat automation detailed abstraction neutro n detailed abstraction nova detailed abstraction cinder complications detailed abstraction swift detailed abstraction glance complexity ……….. domain details leak into the automation layer and its enforcement mechanisms It was OK when these things were very simple, but it breaks down as the featureset expands….
detailed abstraction neutro n detailed abstraction nova simplicity, at times, has domain detail complexity detailed abstraction cinder complications app guy detailed abstraction swift detailed abstraction glance ……….. heat automation
but IT exists to run applications…. detailed abstraction neutro n detailed abstraction nova detailed abstraction cinder app guy detailed abstraction swift detailed abstraction glance ……….. heat automation “I’d like to run this app that has the following requirements on infrastructure, services and other apps.. with these characteristics!” My app looks like this: intent of what app should be and what it needs Intent Is lost in unnecessary domain specific details
intent  Abstraction  Portability  Self-containment  No leakage of unnecessary knowledge across apps this is how I expose myself to other apps/components/s ervices This is how I need to consume infra This is my application component some other app some other app storage requirements compute requirements placement requirements image rules scaling rules booting/init rules v m v m …. v m some app/compo nent/service What apps/components/servic es do I depend on? Network and netsec are implicit a real application consists of many of these
enforcement: multi-surface policy problem intent capabilities and state ops constraints governance
neutro nova cinder swift glance n heat automation intent abstraction intent abstraction intent abstraction intent abstraction intent abstraction governance app guy intent of what app should be and what it needs domain specific intent influence
neutro  Consistent continuous enforcement  Localized isolated domain specific decisions  Simplicity and Scale!  Under control of governance nova cinder swift glance n heat automation intent abstraction intent abstraction intent abstraction intent abstraction intent abstraction governance intent of what app should be and what it needs domain specific intent influence
neutro nova cinder swift glance n heat automation intent abstraction intent abstraction intent abstraction intent abstraction intent abstraction congress TOSCA group-based policy intent How do we get there?
…The Future… Policy driven registry (vm, containers, end-points with conditions) neutro n nova intent abstraction intent abstraction policy repository OpenStack .. .. end-points conditions business policy business policy enforcement conditions application intent -------- -------- -------- -------- -------- -------- -------- -------- -------- -------- -------- -------- -------- -------- -------- -------- -------- -------- -------- -------- -------- -------- -------- -------- --------
Agenda  Vision  GBP Model  GBP Architecture  Demo
Goal of OpenStack Abstractions Capture the “infrastructure needs” of an application independent of the complexities of how the underlying infrastructure is implemented.
Let us review the use-case 2-tier (Web & App) PCI-compliant app deployed either in production or for dev a) Developer intent: ● External to Web Tier: Open port 80, use LB ● Web to DB Tier : Open port 8800 ● Existing Services : MySQL, Events correlation Bigdata App, Billing, and Monitoring b) Cloud operator intent: ● Production : Allow internet access ● Production : DMZ firewall inspects external traffic ● Dev : Allow access to internal proxy ● Remediation : Infected application must be quarantined c) Compliance Officer intent: ● Security : PCI Firewall for Billing
How you build it today…  Create logical networks for app-tier and web-tier What subnets to use?  IT Trouble Ticket What routing to setup between these network?  IT Trouble Ticket On app tier, creates security groups to drop all traffic other than port 80, and  Monitoring traffic – creates Trouble Ticket for monitoring team to ask what ports to open  DB, Bigdata traffic – creates Trouble Ticket for DB/Bigdata team to ask what ports to open  Payment service traffic – creates Trouble Ticket for Payment team, hope PCI needs are met by those rules  May have to create FWaaS for requirements like auditing or stateful inspection Load balance traffic, create VIP using LBaaS Create Floating IP for VIP  Create Firewall using FWaaS for external traffic Creates Trouble Ticket for infra team to setup rules for external access Needs rules to drop all external traffic, not clear where to set that up? As routing rules? As FW rules?  One more Trouble Ticket! External traffic needs both FW and LbaaS rules now, how to order them?  Creates Trouble Ticket for support team on how to set them up to be ordered correctly  Need to quarantine infected VMs Create scripts to update security groups on demand for quarantine needs  Automate all of this as scripts, and whenever any of the dependencies change (infra or other apps), update the scripts as needed.
Where we are today…  We have good abstractions for representing logical networks/routers/services  However, our abstractions are very low level. We spread application description across multiple abstractions like: L2/L3 address allocation Routing rules Security Groups Service configuration  Requires manual reconciliation Can we do better?
What Abstractions are needed? 2-tier (Web & App) PCI-compliant app deployed either in production or for dev a) Developer intent: The application must ● Close all ports but 80 for the web tier ● Use LB for access to the web tier ● Allow no network communication to DB tier except from the web tier ● Use existing user db for provisioning ● Use existing bigdata app for events ● Use existing payment service for billing ● Use existing monitoring app for billing b) Cloud operator intent: ● Applications deployed for production may have access to the internet. ● Applications deployed for development should not have internet access. ● Any traffic from internet must be inspected by a DMZ firewall. ● Any infected application must be quarantined c) Compliance officer intent: ● All traffic to the payment service must be inspected by an audited firewall rule set
Groups A new 2-tier PCI app (app tier and web tier) can be deployed either for production or for development. a) Developer intent: The application must ● Close all ports but 80 for the web tier ● Use LB for access to the web tier ● Allow no network communication to DB tier except from the web tier ● Use existing user db for provisioning ● Use existing bigdata app for events ● Use existing payment service for billing ● Use existing monitoring app for billing b) Cloud operator intent: ● Applications deployed for production may have access to the internet. ● Applications deployed for development should not have internet access. ● Any traffic from internet must be inspected by a DMZ firewall. ● Any infected application must be quarantined c) Compliance officer intent: ● All traffic to the payment service must be inspected by an audited firewall rule set Groups
Traffic Classifiers A new 2-tier PCI app (app tier and web tier) can be deployed either for production or for development. a) Developer intent: The application must ● Close all ports but 80 for the web tier ● Use LB for access to the web tier ● Allow no network communication to DB tier except from the web tier ● Use existing user db for provisioning ● Use existing bigdata app for events ● Use existing payment service for billing ● Use existing monitoring app for billing b) Cloud operator intent: ● Applications deployed for production may have access to the internet. ● Applications deployed for development should not have internet access. ● Any traffic from internet must be inspected by a DMZ firewall. ● Any infected application must be quarantined c) Compliance officer intent: ● All traffic to the payment service must be inspected by an audited firewall rule set Groups Classifiers
Policy Tags A new 2-tier PCI app (app tier and web tier) can be deployed either for production or for development. a) Developer intent: The application must ● Close all ports but 80 for the web tier ● Use LB for access to the web tier ● Allow no network communication to DB tier except from the web tier ● Use existing user db for provisioning ● Use existing bigdata app for events ● Use existing payment service for billing ● Use existing monitoring app for billing b) Cloud operator intent: ● Applications deployed for production may have access to the internet. ● Applications deployed for development should not have internet access. ● Any traffic from internet must be inspected by a DMZ firewall. ● Any infected application must be quarantined c) Compliance officer intent: ● All traffic to the payment service must be inspected by an audited firewall rule set Groups Classifiers Policy Tags
Policy Actions A new 2-tier PCI app (app tier and web tier) can be deployed either for production or for development. a) Developer intent: The application must ● Close all ports but 80 for the web tier ● Use LB for access to the web tier ● Allow no network communication to DB tier except from the web tier ● Use existing user db for provisioning ● Use existing bigdata app for events ● Use existing payment service for billing ● Use existing monitoring app for billing b) Cloud operator intent: ● Applications deployed for production may have access to the internet. ● Applications deployed for development should not have internet access. ● Any traffic from internet must be inspected by a DMZ firewall. ● Any infected application must be quarantined c) Compliance officer intent: ● All traffic to the payment service must be inspected by an audited firewall rule set Groups Classifiers Policy Tags Actions
Group-Based Policy Model Policy Tags Policy Rules Set Policy Rule Policy Rule Policy Rule Group Classifier Classifier Action Action Service Chain
Agenda  Vision  GBP Model  GBP Architecture  Demo
Architecture Approach o Simplification of automation o Capture user intent declaratively o Separation of concerns by role o Reusable constructs
Architecture 1. Neutron Driver supports any existing Neutron plugin / ML2 driver 2. ODL Driver Other infrastructure components (future) supports ODL GBP Swift … 3. Native drivers will be supplied by vendors CLI Horizon Heat Group Policy Neutron Driver GBP Drivers Neutron Existing Plugins and ML2 Drivers Group Policy Nova Cinder To be defined
Application Policy My App Servers App Server RuleSet High Availability Service Chain My Web Servers Web Server RuleSet
Existing Application Consumer Policy My App Servers App Server RuleSet High Availability Service Chain My Web Servers Web Server RuleSet App DB RuleSet App Database User DB RuleSet User Database Payment RuleSet Payment Service Monitoring DB RuleSet Monitoring Service Monitoring V2 Service Existing Applications Security Service Chain
Infrastructure Policy Layering My App Servers App Server RuleSet My Web Servers Web Server RuleSet App DB RuleSet App Database User DB RuleSet User Database Payment RuleSet Payment Service Monitoring DB RuleSet Monitoring Service Monitoring V2 Service Existing Applications Outsid e Acces s Security Service Chain High Availability Security Service Chain Service Chain GBP renders the Services into a composed Chain
Agenda  Vision  GBP Model  GBP Architecture  Demo
Demo
DEMO
References  GBP wiki page to get more information on how to install and work with GBP: https://wiki.openstack.org/wiki/GroupBasedPolicy  GBP Design Summit Session: Tuesday November 4, 2014 12:05 - 12:45 Dufy (Le Meridien) http://kilodesignsummit.sched.org/event/98dc4255384e340 682137c8a7ee7e60d#.VFKCJYt4r4w  Try it out https://wiki.openstack.org/wiki/GroupBasedPolicy/InstallDe vstack

More Related Content

PPTX
Group-based Policy for Networking
bySumit Naiksatam
 
PPTX
Group-based Policy For OpenStack Networking
bySumit Naiksatam
 
PDF
Neutron Networking: Service Groups, Policies and Chains
byDaniel Krook
 
PPTX
How Red Hat ran a global OpenVPN offer during the COVID-19 pandemic with 99% ...
byAll Things Open
 
PDF
Brkcld 2215
byJuanCarlosMuruchi
 
PPTX
Securing Micro Services in Cloud Foundry
byPLUMgrid
 
PPTX
You Can Build Your OpenStack and Consume it Too
byPLUMgrid
 
PDF
Cisco - OpenStack Summit 2016/Red Hat NFV Mini Summit
bykimw001
 
Group-based Policy for Networking
bySumit Naiksatam
 
Group-based Policy For OpenStack Networking
bySumit Naiksatam
 
Neutron Networking: Service Groups, Policies and Chains
byDaniel Krook
 
How Red Hat ran a global OpenVPN offer during the COVID-19 pandemic with 99% ...
byAll Things Open
 
Brkcld 2215
byJuanCarlosMuruchi
 
Securing Micro Services in Cloud Foundry
byPLUMgrid
 
You Can Build Your OpenStack and Consume it Too
byPLUMgrid
 
Cisco - OpenStack Summit 2016/Red Hat NFV Mini Summit
bykimw001
 

What's hot

PDF
Machine learning for optical networking: hype, reality and use cases
byADVA
 
PDF
CENGN - OpenStack MeetUp - March 2017
byStacy Véronneau
 
PDF
Opinion: Why do so many new RAN players love Open RAN
by3G4G
 
PDF
F5 Networks - - OpenStack Summit 2016/Red Hat NFV Mini Summit
bykimw001
 
PDF
NFV Open Source projects
byMarie-Paule Odini
 
PPTX
See Your OpenStack Network Like Never Before with Real-time Visibility and Mo...
byPLUMgrid
 
PPTX
NFV +SDN (Network Function Virtualization)
byHamidreza Bolhasani
 
PDF
IO Visor Summit 2017: Welcome & Overview via Pere Monclus
byIO Visor Project
 
PDF
MEF Presto for SDN-enabled service lifecycle automation
byADVA
 
PDF
IoT based Industrial Gateway (IoT-SDK) built around Sitara™ AM437x processors...
byMistral Solutions
 
PPTX
NFV Cloud DataCenter Adaptation & Tobe evolution ways
byHongsik Choi
 
PDF
NFV Tutorial
byRashid Mijumbi
 
PDF
Brocade Software Networking (SDN NFV Day ITB 2016)
bySDNRG ITB
 
PDF
Practical and Incremental Convergence between SDN and Middleboxes
byOpen Networking Summits
 
PDF
Summit 16: Open-O Mini-Summit - Orchestrating Network Connectivity Services
byOPNFV
 
PDF
Is SDN ready for primetime?
byAPNIC
 
PPT
Telecom Infra Project study notes
byRichard Kuo
 
PPT
Chapter 7
byali raza
 
PDF
Connecting the smart factory to the cloud with MQTT and Sparkplug
byIan Skerrett
 
PDF
Cisco Connect Toronto 2017 - Introducing the Network Intuitive
byCisco Canada
 
Machine learning for optical networking: hype, reality and use cases
byADVA
 
CENGN - OpenStack MeetUp - March 2017
byStacy Véronneau
 
Opinion: Why do so many new RAN players love Open RAN
by3G4G
 
F5 Networks - - OpenStack Summit 2016/Red Hat NFV Mini Summit
bykimw001
 
NFV Open Source projects
byMarie-Paule Odini
 
See Your OpenStack Network Like Never Before with Real-time Visibility and Mo...
byPLUMgrid
 
NFV +SDN (Network Function Virtualization)
byHamidreza Bolhasani
 
IO Visor Summit 2017: Welcome & Overview via Pere Monclus
byIO Visor Project
 
MEF Presto for SDN-enabled service lifecycle automation
byADVA
 
IoT based Industrial Gateway (IoT-SDK) built around Sitara™ AM437x processors...
byMistral Solutions
 
NFV Cloud DataCenter Adaptation & Tobe evolution ways
byHongsik Choi
 
NFV Tutorial
byRashid Mijumbi
 
Brocade Software Networking (SDN NFV Day ITB 2016)
bySDNRG ITB
 
Practical and Incremental Convergence between SDN and Middleboxes
byOpen Networking Summits
 
Summit 16: Open-O Mini-Summit - Orchestrating Network Connectivity Services
byOPNFV
 
Is SDN ready for primetime?
byAPNIC
 
Telecom Infra Project study notes
byRichard Kuo
 
Chapter 7
byali raza
 
Connecting the smart factory to the cloud with MQTT and Sparkplug
byIan Skerrett
 
Cisco Connect Toronto 2017 - Introducing the Network Intuitive
byCisco Canada
 

Viewers also liked

PDF
Revista maig 2013
byAntoni Segura Puimedon
 
PPTX
OCP Engineering Workshop at UNH
by호용 류
 
PPTX
А.Арендарчук -- концептуальные схемы ресурсоснабжения
byAnatoly Levenchuk
 
PPTX
Cloud, SDN, NFV
byIgor D.C.
 
PPTX
OpenStack and nfvo
byKanagaraj M
 
PPTX
Paris beauty scripts
byProma Das
 
PDF
SAFE Final Report_12-07_Final_Corrected
byShira Yashphe
 
PPTX
Seguridad para slideshare
byIratxe Comercio
 
ODP
actividad
byjohanna1997
 
PDF
VilanovaDIBA14 Wilson Greatbach Raül Peiró
byRPR2015
 
PPTX
Domestic tp
bySweety Sharma
 
PPTX
Matter #2 6th gradeppt
bypwalpole
 
PPTX
Chemical injuries of eye
bysonia Daga
 
PPTX
Achieving Cost and Resource Efficiency through Docker, OpenShift and Kubernetes
byDean Delamont
 
PPTX
Who am I? Who is HUB?
byNathan Burtt
 
Revista maig 2013
byAntoni Segura Puimedon
 
OCP Engineering Workshop at UNH
by호용 류
 
А.Арендарчук -- концептуальные схемы ресурсоснабжения
byAnatoly Levenchuk
 
Cloud, SDN, NFV
byIgor D.C.
 
OpenStack and nfvo
byKanagaraj M
 
Paris beauty scripts
byProma Das
 
SAFE Final Report_12-07_Final_Corrected
byShira Yashphe
 
Seguridad para slideshare
byIratxe Comercio
 
actividad
byjohanna1997
 
VilanovaDIBA14 Wilson Greatbach Raül Peiró
byRPR2015
 
Domestic tp
bySweety Sharma
 
Matter #2 6th gradeppt
bypwalpole
 
Chemical injuries of eye
bysonia Daga
 
Achieving Cost and Resource Efficiency through Docker, OpenShift and Kubernetes
byDean Delamont
 
Who am I? Who is HUB?
byNathan Burtt
 

Similar to Open stack gbp final sn-4-slideshare

PDF
Putting the Sec into DevOps
byMaytal Levi
 
PDF
Managing infrastructure with Application Policy by Mike Cohen
bybuildacloud
 
PDF
DevSecOps: Putting the Sec into the DevOps
byshira koper
 
PPTX
TFI2014 Session I - State of SDN - Scott Sneddon
byColorado Internet Society (CO ISOC)
 
PDF
15-factor-apps.pdf
byNilesh Gule
 
PPTX
Technology insights: Decision Science Platform
byDecision Science Community
 
PDF
When DevOps and Networking Intersect by Brent Salisbury of socketplane.io
byDevOps4Networks
 
PDF
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
byDenim Group
 
PPTX
Mb openstack-nov2013v7
byMohammad Banikazemi
 
PDF
Dev seccon london 2016 intelliment security
byDevSecCon
 
PDF
L10 Architecture Considerations
byÓlafur Andri Ragnarsson
 
PDF
apidays Australia 2023 - Building On-Premise Hybrid API Platforms, David Free...
byapidays
 
PPTX
Design Reviews for Operations - Velocity Europe 2014
byMandi Walls
 
PPTX
LinkedIn's Approach to Programmable Data Center
byShawn Zandi
 
PDF
Creating Production-Ready, Secure and Scalable Applications in IBM Cloud Priv...
byMichael Elder
 
PDF
Agile and compliant firewall ACL configuration management for DevOps
byJ On The Beach
 
PPTX
L08 architecture considerations
byÓlafur Andri Ragnarsson
 
PPTX
A Blueprint for Cloud-Native Financial Institutions
byAngelo Agatino Nicolosi
 
PDF
The As, Bs, and Four Cs of Testing Cloud-Native Applications
byDenim Group
 
PDF
Automation for the Humans
byRakuten Group, Inc.
 
Putting the Sec into DevOps
byMaytal Levi
 
Managing infrastructure with Application Policy by Mike Cohen
bybuildacloud
 
DevSecOps: Putting the Sec into the DevOps
byshira koper
 
TFI2014 Session I - State of SDN - Scott Sneddon
byColorado Internet Society (CO ISOC)
 
15-factor-apps.pdf
byNilesh Gule
 
Technology insights: Decision Science Platform
byDecision Science Community
 
When DevOps and Networking Intersect by Brent Salisbury of socketplane.io
byDevOps4Networks
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
byDenim Group
 
Mb openstack-nov2013v7
byMohammad Banikazemi
 
Dev seccon london 2016 intelliment security
byDevSecCon
 
L10 Architecture Considerations
byÓlafur Andri Ragnarsson
 
apidays Australia 2023 - Building On-Premise Hybrid API Platforms, David Free...
byapidays
 
Design Reviews for Operations - Velocity Europe 2014
byMandi Walls
 
LinkedIn's Approach to Programmable Data Center
byShawn Zandi
 
Creating Production-Ready, Secure and Scalable Applications in IBM Cloud Priv...
byMichael Elder
 
Agile and compliant firewall ACL configuration management for DevOps
byJ On The Beach
 
L08 architecture considerations
byÓlafur Andri Ragnarsson
 
A Blueprint for Cloud-Native Financial Institutions
byAngelo Agatino Nicolosi
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
byDenim Group
 
Automation for the Humans
byRakuten Group, Inc.
 

More from Sumit Naiksatam

PPTX
Network Policy Abstractions in OpenStack Neutron
bySumit Naiksatam
 
PPTX
OpenStack Neutron Service Chaining and Insertion
bySumit Naiksatam
 
PDF
Quantum services' chaining open stack havana design summit, portland 2013
bySumit Naiksatam
 
PDF
Quantum firewall as a service open stack havana design summit, portland 2013
bySumit Naiksatam
 
PPTX
Quantum L3 (forwarding) model - OpenStack Folsom Design Summit
bySumit Naiksatam
 
PPTX
OpenStack Quantum
bySumit Naiksatam
 
Network Policy Abstractions in OpenStack Neutron
bySumit Naiksatam
 
OpenStack Neutron Service Chaining and Insertion
bySumit Naiksatam
 
Quantum services' chaining open stack havana design summit, portland 2013
bySumit Naiksatam
 
Quantum firewall as a service open stack havana design summit, portland 2013
bySumit Naiksatam
 
Quantum L3 (forwarding) model - OpenStack Folsom Design Summit
bySumit Naiksatam
 
OpenStack Quantum
bySumit Naiksatam
 

Recently uploaded

PDF
The State of the Gen AI economy - 2025 - The Meliora Company
byClive Dickens
 
PPTX
Gemini vs ChatGPT : Comparing Top AI Models
byDigicarrom
 
PPTX
Coded Agents – with UiPath SDK + LangGraph [Virtual Hands-on Workshop]
byUiPathCommunity
 
PDF
Exam Prep Plan Overview: Amazon Web Services (AWS) Certified
byVICTOR MAESTRE RAMIREZ
 
PPTX
Emancipatory Information Retrieval: Radically Reorienting Information Retriev...
byBhaskar Mitra
 
PDF
Security Forum Sessions from Houston 2025 Event
byMark Simos
 
PDF
Fundamentals and Frontiers of Post Quantum Cryptography
byGokul Alex
 
PDF
Day 3 - Data and Application Security - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
PDF
Six Shifts For 2026 (And The Next Six Years)
byDavid Armano
 
PDF
Day 4 - Access, Deployments, and Monitoring - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
PDF
Internet_of_Things_IoT_for_Next_Generation_Smart_Systems_Utilizing.pdf
byRoshanSyed12
 
PDF
Our Digital Tribe_ Cultivating Connection and Growth in Our Slack Community 🌿...
bysanjeetmishra30
 
PDF
Cross-Cultural Agile Development -Challenges and Strategies for Overcoming Them-
byTakashi Makino
 
PDF
10 Things AI-First Apps Do Differently by iProgrammer Solutions
byiProgrammer Solutions Private Limited
 
DOCX
iRobot Post‑Mortem and Alternative Paths - Discussion Document for Boards and...
byDave Litwiller
 
PDF
Is It Possible to Have Wi-Fi Without an Internet Provider
bySidra Jefferi
 
PPTX
UiPath Autonomous Agents | Building and Orchestrating Agents End-to-End
byUiPathCommunity
 
PPTX
wob-report.pptxwob-report.pptxwob-report.pptx
byssuser0d171c
 
PPTX
Software Analysis &Design ethiopia chap-2.pptx
byAbbas484771
 
PPTX
Technology Consulting _ by Slidesgo.pptx
byfh82277
 
The State of the Gen AI economy - 2025 - The Meliora Company
byClive Dickens
 
Gemini vs ChatGPT : Comparing Top AI Models
byDigicarrom
 
Coded Agents – with UiPath SDK + LangGraph [Virtual Hands-on Workshop]
byUiPathCommunity
 
Exam Prep Plan Overview: Amazon Web Services (AWS) Certified
byVICTOR MAESTRE RAMIREZ
 
Emancipatory Information Retrieval: Radically Reorienting Information Retriev...
byBhaskar Mitra
 
Security Forum Sessions from Houston 2025 Event
byMark Simos
 
Fundamentals and Frontiers of Post Quantum Cryptography
byGokul Alex
 
Day 3 - Data and Application Security - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
Six Shifts For 2026 (And The Next Six Years)
byDavid Armano
 
Day 4 - Access, Deployments, and Monitoring - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
Internet_of_Things_IoT_for_Next_Generation_Smart_Systems_Utilizing.pdf
byRoshanSyed12
 
Our Digital Tribe_ Cultivating Connection and Growth in Our Slack Community 🌿...
bysanjeetmishra30
 
Cross-Cultural Agile Development -Challenges and Strategies for Overcoming Them-
byTakashi Makino
 
10 Things AI-First Apps Do Differently by iProgrammer Solutions
byiProgrammer Solutions Private Limited
 
iRobot Post‑Mortem and Alternative Paths - Discussion Document for Boards and...
byDave Litwiller
 
Is It Possible to Have Wi-Fi Without an Internet Provider
bySidra Jefferi
 
UiPath Autonomous Agents | Building and Orchestrating Agents End-to-End
byUiPathCommunity
 
wob-report.pptxwob-report.pptxwob-report.pptx
byssuser0d171c
 
Software Analysis &Design ethiopia chap-2.pptx
byAbbas484771
 
Technology Consulting _ by Slidesgo.pptx
byfh82277
 

Open stack gbp final sn-4-slideshare

  • 1.
    OpenStack Kilo Summit,Paris, Nov 2014 Michael Cohen, Sumit Naiksatam, Prasad Vellanki, Stephen Wong
  • 2.
    Agenda  Vision  GBP Model  GBP Architecture  Demo
  • 3.
    IT exists torun applications automation infrastructure Scalable Uber-Easy Reliable Fast
  • 4.
    IT exists torun application Reality: Based on worst principles borrowed from human middleware automation infrastructure
  • 5.
    Micromanagement Do thissequence of things do do do do do do do do do do do do do do Automation has been an attempt at industrialization of micromanagemen t practices
  • 6.
    heat automation detailed abstraction neutro n detailed abstraction nova detailed abstraction cinder detailed abstraction swift detailed abstraction glance ……….. Detailed Interactions Do, do, do, do Detailed Interactions Do, do, do, do Detailed Interactions Do, do, do, do Detailed Interactions Do, do, do, do Detailed Interactions Do, do, do, do Detailed Interactions Do, do, do, do (over and over again) Lots of HOW Too much Unnecessa ry detail + Closed Coupling
  • 7.
    simplicity, at times,has heat automation detailed abstraction neutro n detailed abstraction nova detailed abstraction cinder complications detailed abstraction swift detailed abstraction glance complexity ……….. domain details leak into the automation layer and its enforcement mechanisms It was OK when these things were very simple, but it breaks down as the featureset expands….
  • 8.
    detailed abstraction neutro n detailed abstraction nova simplicity, at times, has domain detail complexity detailed abstraction cinder complications app guy detailed abstraction swift detailed abstraction glance ……….. heat automation
  • 9.
    but IT existsto run applications…. detailed abstraction neutro n detailed abstraction nova detailed abstraction cinder app guy detailed abstraction swift detailed abstraction glance ……….. heat automation “I’d like to run this app that has the following requirements on infrastructure, services and other apps.. with these characteristics!” My app looks like this: intent of what app should be and what it needs Intent Is lost in unnecessary domain specific details
  • 10.
    intent  Abstraction  Portability  Self-containment  No leakage of unnecessary knowledge across apps this is how I expose myself to other apps/components/s ervices This is how I need to consume infra This is my application component some other app some other app storage requirements compute requirements placement requirements image rules scaling rules booting/init rules v m v m …. v m some app/compo nent/service What apps/components/servic es do I depend on? Network and netsec are implicit a real application consists of many of these
  • 11.
    enforcement: multi-surface policy problem intent capabilities and state ops constraints governance
  • 12.
    neutro nova cinderswift glance n heat automation intent abstraction intent abstraction intent abstraction intent abstraction intent abstraction governance app guy intent of what app should be and what it needs domain specific intent influence
  • 13.
    neutro  Consistentcontinuous enforcement  Localized isolated domain specific decisions  Simplicity and Scale!  Under control of governance nova cinder swift glance n heat automation intent abstraction intent abstraction intent abstraction intent abstraction intent abstraction governance intent of what app should be and what it needs domain specific intent influence
  • 14.
    neutro nova cinderswift glance n heat automation intent abstraction intent abstraction intent abstraction intent abstraction intent abstraction congress TOSCA group-based policy intent How do we get there?
  • 15.
    …The Future… Policydriven registry (vm, containers, end-points with conditions) neutro n nova intent abstraction intent abstraction policy repository OpenStack .. .. end-points conditions business policy business policy enforcement conditions application intent -------- -------- -------- -------- -------- -------- -------- -------- -------- -------- -------- -------- -------- -------- -------- -------- -------- -------- -------- -------- -------- -------- -------- -------- --------
  • 16.
    Agenda  Vision  GBP Model  GBP Architecture  Demo
  • 17.
    Goal of OpenStackAbstractions Capture the “infrastructure needs” of an application independent of the complexities of how the underlying infrastructure is implemented.
  • 18.
    Let us reviewthe use-case 2-tier (Web & App) PCI-compliant app deployed either in production or for dev a) Developer intent: ● External to Web Tier: Open port 80, use LB ● Web to DB Tier : Open port 8800 ● Existing Services : MySQL, Events correlation Bigdata App, Billing, and Monitoring b) Cloud operator intent: ● Production : Allow internet access ● Production : DMZ firewall inspects external traffic ● Dev : Allow access to internal proxy ● Remediation : Infected application must be quarantined c) Compliance Officer intent: ● Security : PCI Firewall for Billing
  • 19.
    How you buildit today…  Create logical networks for app-tier and web-tier What subnets to use?  IT Trouble Ticket What routing to setup between these network?  IT Trouble Ticket On app tier, creates security groups to drop all traffic other than port 80, and  Monitoring traffic – creates Trouble Ticket for monitoring team to ask what ports to open  DB, Bigdata traffic – creates Trouble Ticket for DB/Bigdata team to ask what ports to open  Payment service traffic – creates Trouble Ticket for Payment team, hope PCI needs are met by those rules  May have to create FWaaS for requirements like auditing or stateful inspection Load balance traffic, create VIP using LBaaS Create Floating IP for VIP  Create Firewall using FWaaS for external traffic Creates Trouble Ticket for infra team to setup rules for external access Needs rules to drop all external traffic, not clear where to set that up? As routing rules? As FW rules?  One more Trouble Ticket! External traffic needs both FW and LbaaS rules now, how to order them?  Creates Trouble Ticket for support team on how to set them up to be ordered correctly  Need to quarantine infected VMs Create scripts to update security groups on demand for quarantine needs  Automate all of this as scripts, and whenever any of the dependencies change (infra or other apps), update the scripts as needed.
  • 20.
    Where we aretoday…  We have good abstractions for representing logical networks/routers/services  However, our abstractions are very low level. We spread application description across multiple abstractions like: L2/L3 address allocation Routing rules Security Groups Service configuration  Requires manual reconciliation Can we do better?
  • 21.
    What Abstractions areneeded? 2-tier (Web & App) PCI-compliant app deployed either in production or for dev a) Developer intent: The application must ● Close all ports but 80 for the web tier ● Use LB for access to the web tier ● Allow no network communication to DB tier except from the web tier ● Use existing user db for provisioning ● Use existing bigdata app for events ● Use existing payment service for billing ● Use existing monitoring app for billing b) Cloud operator intent: ● Applications deployed for production may have access to the internet. ● Applications deployed for development should not have internet access. ● Any traffic from internet must be inspected by a DMZ firewall. ● Any infected application must be quarantined c) Compliance officer intent: ● All traffic to the payment service must be inspected by an audited firewall rule set
  • 22.
    Groups A new2-tier PCI app (app tier and web tier) can be deployed either for production or for development. a) Developer intent: The application must ● Close all ports but 80 for the web tier ● Use LB for access to the web tier ● Allow no network communication to DB tier except from the web tier ● Use existing user db for provisioning ● Use existing bigdata app for events ● Use existing payment service for billing ● Use existing monitoring app for billing b) Cloud operator intent: ● Applications deployed for production may have access to the internet. ● Applications deployed for development should not have internet access. ● Any traffic from internet must be inspected by a DMZ firewall. ● Any infected application must be quarantined c) Compliance officer intent: ● All traffic to the payment service must be inspected by an audited firewall rule set Groups
  • 23.
    Traffic Classifiers Anew 2-tier PCI app (app tier and web tier) can be deployed either for production or for development. a) Developer intent: The application must ● Close all ports but 80 for the web tier ● Use LB for access to the web tier ● Allow no network communication to DB tier except from the web tier ● Use existing user db for provisioning ● Use existing bigdata app for events ● Use existing payment service for billing ● Use existing monitoring app for billing b) Cloud operator intent: ● Applications deployed for production may have access to the internet. ● Applications deployed for development should not have internet access. ● Any traffic from internet must be inspected by a DMZ firewall. ● Any infected application must be quarantined c) Compliance officer intent: ● All traffic to the payment service must be inspected by an audited firewall rule set Groups Classifiers
  • 24.
    Policy Tags Anew 2-tier PCI app (app tier and web tier) can be deployed either for production or for development. a) Developer intent: The application must ● Close all ports but 80 for the web tier ● Use LB for access to the web tier ● Allow no network communication to DB tier except from the web tier ● Use existing user db for provisioning ● Use existing bigdata app for events ● Use existing payment service for billing ● Use existing monitoring app for billing b) Cloud operator intent: ● Applications deployed for production may have access to the internet. ● Applications deployed for development should not have internet access. ● Any traffic from internet must be inspected by a DMZ firewall. ● Any infected application must be quarantined c) Compliance officer intent: ● All traffic to the payment service must be inspected by an audited firewall rule set Groups Classifiers Policy Tags
  • 25.
    Policy Actions Anew 2-tier PCI app (app tier and web tier) can be deployed either for production or for development. a) Developer intent: The application must ● Close all ports but 80 for the web tier ● Use LB for access to the web tier ● Allow no network communication to DB tier except from the web tier ● Use existing user db for provisioning ● Use existing bigdata app for events ● Use existing payment service for billing ● Use existing monitoring app for billing b) Cloud operator intent: ● Applications deployed for production may have access to the internet. ● Applications deployed for development should not have internet access. ● Any traffic from internet must be inspected by a DMZ firewall. ● Any infected application must be quarantined c) Compliance officer intent: ● All traffic to the payment service must be inspected by an audited firewall rule set Groups Classifiers Policy Tags Actions
  • 26.
    Group-Based Policy Model Policy Tags Policy Rules Set Policy Rule Policy Rule Policy Rule Group Classifier Classifier Action Action Service Chain
  • 27.
    Agenda  Vision  GBP Model  GBP Architecture  Demo
  • 28.
    Architecture Approach oSimplification of automation o Capture user intent declaratively o Separation of concerns by role o Reusable constructs
  • 29.
    Architecture 1. NeutronDriver supports any existing Neutron plugin / ML2 driver 2. ODL Driver Other infrastructure components (future) supports ODL GBP Swift … 3. Native drivers will be supplied by vendors CLI Horizon Heat Group Policy Neutron Driver GBP Drivers Neutron Existing Plugins and ML2 Drivers Group Policy Nova Cinder To be defined
  • 30.
    Application Policy MyApp Servers App Server RuleSet High Availability Service Chain My Web Servers Web Server RuleSet
  • 31.
    Existing Application Consumer Policy My App Servers App Server RuleSet High Availability Service Chain My Web Servers Web Server RuleSet App DB RuleSet App Database User DB RuleSet User Database Payment RuleSet Payment Service Monitoring DB RuleSet Monitoring Service Monitoring V2 Service Existing Applications Security Service Chain
  • 32.
    Infrastructure Policy Layering My App Servers App Server RuleSet My Web Servers Web Server RuleSet App DB RuleSet App Database User DB RuleSet User Database Payment RuleSet Payment Service Monitoring DB RuleSet Monitoring Service Monitoring V2 Service Existing Applications Outsid e Acces s Security Service Chain High Availability Security Service Chain Service Chain GBP renders the Services into a composed Chain
  • 33.
    Agenda  Vision  GBP Model  GBP Architecture  Demo
  • 34.
  • 35.
  • 37.
    References  GBPwiki page to get more information on how to install and work with GBP: https://wiki.openstack.org/wiki/GroupBasedPolicy  GBP Design Summit Session: Tuesday November 4, 2014 12:05 - 12:45 Dufy (Le Meridien) http://kilodesignsummit.sched.org/event/98dc4255384e340 682137c8a7ee7e60d#.VFKCJYt4r4w  Try it out https://wiki.openstack.org/wiki/GroupBasedPolicy/InstallDe vstack

Editor's Notes

  • #4 Before we start on the topic of policy, I think we need to level set ourselves on why we are all here. We manage infrastructure and infrastructure EXISTS to run applications. An applications need to be deliverable in a way that is scalable, easy, reliable, and fast! ----- Meeting Notes (10/14/14 11:18) ----- we must automate application processes and well in infrastructure underneath.
  • #5 So, we did what smart people do – we developed automation. But our automation tools to date are mostly borrowed from human middleware. We took the things we used to type into our consoles and we embedded them in cripts and tools. Even our APIs are so level as they are not much help here. The end result is indeed automated but hardly scalable, easy, reliable.
  • #6 How many of you like being micromanaged? Do you think tools do better micromanaged as well? In reality what we’ve done is the industrialization of these bad practices. ----- Meeting Notes (10/14/14 11:20) ----- this is not the answer
  • #7 Now lets think about this in openStack. OpenStack was designed to offer a set of abstraction layers across different types of systems and architectures. But the abstractions today are still too detailed and low level for automation: networking I’m specifying L2/L3, Devops is great until its time to manage BGP… The result is to close a coupling between the automation and the underlying infrastructure. ----- Meeting Notes (10/14/14 11:30) ----- couple
  • #8  ----- Meeting Notes (10/14/14 11:30) ----- What is happening is that the details are leaking from the individuals systems trhough to the automation. This was ok when systems were simple but more and more domain details leak into the automation. This introduces complexity and reduces effectiviness. Complexity is the the enemy of automation and scale.
  • #9 And who does this impact the most? The poor application guy who has to define his services and build automation against them. He needs to understands a lot about how each of these detailed layers works and interacts. It is NOT easy or fast
  • #10 But remember IT exists to run applications. APplication guy know how his application looks. He knows how it interacts with other things. By the time you get to the interfaces of the cloud platform, all you think about is implementation details. THe intent is lost. THIS IS BAD. This is root of the problem we are facing.
  • #11 So what should we be doing? We have to capture intent. Networking is the worst but not the only culprit here. ----- Meeting Notes (10/14/14 11:30) ----- AN pplicaiton comprises of multiple components – each of them is compromised of units of compute with the same behavior. You have to scale them up and down and control them through a set of rules. Then you have to know how thye consume infrastructure. (re-arrange animation) app upper left reasons then say there are many of these. They are defined by different people. There is no one person who knows everything. If you rely on this model and clearly identify rules of consumption, networking and security becomes implicit.
  • #12  ----- Meeting Notes (10/14/14 11:30) ----- each of these surfaces should be indepdnent inputs where roles and division of labor are honored An unlike orchestration, this is a continuous enforcement loop. Each of these surfaces change and the system must react in any dynamic environment. For example, if there is a failure, you should be able to reconverge without manual intervention.
  • #13 We have to rethink the abstractions we are using to describe things to better capture intent. Automation tools must provide a set of intent-based interfaces to reflect the structural requirements of the application as well as how application consume other resources. Other systems must expose their own intent-based abstractions enforce its own policy loop in an autonomous domain specific manner. ANd all enformcement should be influenced and enforced through a set of gov and ops constraints.
  • #14 This is how we really make things scalable, easy, reliable, and fast!