
Сергей Сверчков "Want to build a secure private cloud for IoT with high availability and scalability in mind? Learn how to from a real-life example developed for the healthcare industry"


We will share first-hand experience in how to build secure, highly available, and scalable private clouds for IoT industries, using OpenStack and Amazon Web Services. Join the talk to learn about unique techniques for connecting private customer networks to the cloud and providing support for WebSocket, TCP, and HTTP devices. This discussion will also cover Cloud Foundry, an open source cloud-native platform for rapid development of 12-factor applications.

Published in: Education
  1. Building an IoT Cloud for Healthcare: How to Solve Networking Challenges and Still Have High Availability
  2. Requirements
  3. @altoros Implementation Requirements
     ● Build an IoT healthcare cloud solution:
       ○ Connect devices and users at customer sites
       ○ Thousands of devices
       ○ Dozens of customers
     ● Cloud implementation should be portable between:
       ○ OpenStack running on HW
       ○ Public cloud provider like Amazon AWS
  4. @altoros Implementation Requirements
     ● High availability and scalability:
       ○ A hardware AND/OR infrastructure platform
       ○ Cloud services and applications
       ○ Scalability (the scale can grow by a factor of 100)
     ● VPN connectivity is essential:
       ○ Devices with WebSocket, TCP, and HTTP
       ○ HTTP devices are bi-directional
       ○ Non-VPN connectivity should be supported
  5. @altoros Technology Stack for Portable Platform
     ● Cloud Foundry PaaS
     ● Cassandra for device data
     ● MariaDB Galera for structured data
     ● RabbitMQ as message bus
     ● ElasticSearch, Logstash, Kibana (ELK) for logs
     ● Monitoring and alerting with Zabbix
  6. @altoros Technology Stack for Portable Platform
  7. @altoros Technology Stack for Portable Platform
  8. When It Comes to HW and OpenStack
  9. @altoros Cloud Platform on OpenStack: Deployment View
  10. @altoros Cloud Platform on OpenStack: Network Model
      ● Cisco ASA 5545 as cloud firewall:
        ○ Up to 2500 VPN tunnels and 400 Mbps of encrypted traffic
        ○ Up to 300 VLANs
        ○ Supports Site2Site and administrative VPN
        ○ Can be clustered in Active / Standby mode
      ● Networks:
        ○ Administrative, native VLAN
        ○ Cloud “Public”, VLAN 101
        ○ OpenStack management, VLAN 102
        ○ OpenStack storage, VLAN 103
        ○ Networks for VMs 192.168.[111-120].0/24, VLAN 110-120
  11. @altoros Cloud Platform on OpenStack: Physical Networking
  12. @altoros Cloud Platform on OpenStack: Services
  13. @altoros Cloud Platform on OpenStack: Resources
      (table: Cloud Attribute / OpenStack Cloud value)
      ● VPN endpoint (HTTPS): Provider Public IP
      ● Domain name(s): *.cloud1.cloudprovider.CORP (internal DNS), * (public DNS)
      ● DNS servers:
      ● NTP servers: ntp1.cloud1.cloudprovider.corp
      ● Cloud Foundry API endpoint:
      ● VPN types:
        1. Cisco AnyConnect VPN adapter – Administrator
        2. Site to Site VPN between networks: Cisco ASA to Cisco ASA, Checkpoint to Cisco ASA…
  14. @altoros Cloud Platform on OpenStack: VPN Model
      Site2Site VPN:
      - For Customer 2 VPN, Network Address Translation (NAT) is required. Use special NAT network (RFC 6598)
  15. @altoros Cloud Platform on OpenStack: VPN Networking
      (table with columns VPN Type, Networks Exposed, DNS servers, Cloud Foundry endpoints)
      ● Cisco AnyConnect Administrative VPN
      ● Site2Site VPN: Networks Exposed = Only DNS and Cloud Foundry addresses
      ● Site2Site VPN, with NAT: Networks Exposed = Only DNS and Cloud Foundry addresses
  16. @altoros Cloud Platform on OpenStack: DNS resolution options
      ● Configure DNS zone forwarding to cloud DNS server
        ○ Set up DNS zone forwarding in customer network zone: *.cloud1.cloudprovider.corp
          -- no NAT DNS servers:,
          -- with NAT DNS servers:,
      ● Use public DNS records for resolving private IP addresses
        ○ Create A-records at a public domain owned by cloud provider (sub-domains)
          Name: *  Addresses:,
  17. @altoros Cloud Platform on OpenStack: Domains and Routes
      ● Cloud Foundry routing to support internal and public DNS names:
        ○ Create shared domain(s):
          $ cf domains
          Getting domains in as admin...
          name status type
          cf.cloud1.cloudprovider.corp shared shared
          tcp-cf.cloud1.cloudprovider.corp shared tcp
        ○ Map additional route(s) to an application:
          $ cf map-route deviceserver --hostname deviceserver
  18. @altoros Cloud Platform on OpenStack: Device Connectivity
  19. When It Comes to AWS
  20. @altoros Cloud Platform on AWS
  21. @altoros Thank you!
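Slides 14 and 15 route a customer whose site addresses collide with the cloud through NAT using the RFC 6598 shared address space. The following is an added example, not code from the talk or from Altoros: it automates that decision for a list of site-to-site customers, flagging each prefix that overlaps the cloud's VM networks (slide 10) or a range an earlier customer already routes in, and hands out equal-size translation blocks from 100.64.0.0/10. The customer names and site ranges are constructed sample values.

```python
import ipaddress
from typing import Dict, List, Optional

# RFC 6598 shared address space (100.64.0.0/10): slide 14's "special NAT network".
# Translated site addresses then collide with neither the cloud's RFC 1918
# ranges nor another customer's.
RFC6598_SHARED = ipaddress.ip_network("100.64.0.0/10")

# Cloud-side VM networks from slide 10: 192.168.[111-120].0/24
CLOUD_NETWORKS = [ipaddress.ip_network(f"192.168.{i}.0/24") for i in range(111, 121)]

# Constructed sample site networks; customer names and ranges are hypothetical.
SAMPLE_CUSTOMERS: Dict[str, List[str]] = {
    "customer1": ["10.10.0.0/16"],
    "customer2": ["192.168.112.0/24", "10.20.0.0/24"],  # first range collides with cloud
    "customer3": ["10.10.5.0/24"],                        # collides with customer1
}

def _overlaps_any(net, others) -> bool:
    return any(net.overlaps(o) for o in others)

def _allocate_nat_block(prefixlen: int, in_use) -> ipaddress.IPv4Network:
    """First RFC 6598 block of the requested size not already routed anywhere."""
    for candidate in RFC6598_SHARED.subnets(new_prefix=prefixlen):
        if not _overlaps_any(candidate, in_use):
            return candidate
    raise RuntimeError("RFC 6598 shared address space exhausted")

def plan_site_to_site_nat(customers: Dict[str, List[str]],
                          cloud_networks=CLOUD_NETWORKS) -> Dict[str, dict]:
    """Per customer: does the site-to-site tunnel need NAT, and which 1:1 prefix
    translations? A site prefix is mapped to an equal-size RFC 6598 block when it
    overlaps the cloud's networks or a prefix an earlier customer already routes in;
    otherwise it is routed unchanged (mapping None)."""
    routed = list(cloud_networks)  # everything the cloud side currently sees
    plan: Dict[str, dict] = {}
    for name, prefixes in customers.items():
        mappings: Dict[str, Optional[str]] = {}
        for raw in prefixes:
            site = ipaddress.ip_network(raw)
            if _overlaps_any(site, routed):
                nat = _allocate_nat_block(site.prefixlen, routed)
                mappings[str(site)] = str(nat)
                routed.append(nat)
            else:
                mappings[str(site)] = None
                routed.append(site)
        plan[name] = {"nat_required": any(mappings.values()), "mappings": mappings}
    return plan
```

Customers are processed in order, so the first customer to claim a range keeps it untranslated and later collisions are the ones that get NAT.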