
Сергей Сверчков "Want to build a secure private cloud for IoT with high availability and scalability in mind? Learn how to from a real-life example developed for the healthcare industry"


We will share first-hand experience in building a secure, highly available, and scalable private cloud for IoT, using OpenStack and Amazon Web Services. The talk covers techniques for connecting private customer networks to the cloud and for supporting WebSocket, TCP, and HTTP devices. It also covers Cloud Foundry, an open-source cloud-native platform for rapid development of 12-factor applications.

Published in: Education


  1. Building an IoT Cloud for Healthcare: How to Solve Networking Challenges and Still Have High Availability
  2. Requirements
  3. @altoros Implementation Requirements
     ● Build an IoT healthcare cloud solution:
       ○ Connect devices and users at customer sites
       ○ Thousands of devices
       ○ Dozens of customers
     ● The cloud implementation should be portable between:
       ○ OpenStack running on own hardware
       ○ A public cloud provider such as Amazon AWS
  4. Implementation Requirements
     ● High availability and scalability of:
       ○ The hardware and/or infrastructure platform
       ○ Cloud services and applications
       ○ Scale (the deployment may need to grow by a factor of 100)
     ● VPN connectivity is essential:
       ○ Devices speak WebSocket, TCP, and HTTP
       ○ HTTP devices are bi-directional (the cloud must also reach the device)
       ○ Non-VPN connectivity should be supported as well
  5. Technology Stack for Portable Platform
     ● Cloud Foundry PaaS
     ● Cassandra for device data
     ● MariaDB Galera for structured data
     ● RabbitMQ as message bus
     ● ElasticSearch, Logstash, Kibana (ELK) for logs
     ● Monitoring and alerting with Zabbix
  6. Technology Stack for Portable Platform: https://docs.cloudfoundry.org/
  7. Technology Stack for Portable Platform: https://docs.cloudfoundry.org/concepts/architecture/
  8. When It Comes to HW and OpenStack
  9. Cloud Platform on OpenStack: Deployment View
  10. Cloud Platform on OpenStack: Network Model
     ● Cisco ASA 5545 as cloud firewall:
       ○ Up to 2500 VPN tunnels and 400 Mbps of encrypted traffic
       ○ Up to 300 VLANs
       ○ Supports site-to-site and administrative (remote-access) VPN
       ○ Can be deployed as an Active/Standby pair
     ● Networks:
       ○ Administrative: 10.30.0.0/24, native VLAN
       ○ Cloud "public": 172.30.0.0/24, VLAN 101
       ○ OpenStack management: 192.168.100.0/24, VLAN 102
       ○ OpenStack storage: 192.168.200.0/24, VLAN 103
       ○ Networks for VMs: 192.168.[111-120].0/24, VLANs 110-120
  11. Cloud Platform on OpenStack: Physical Networking
  12. Cloud Platform on OpenStack: Services
  13. Cloud Platform on OpenStack: Resources
     Cloud attribute            OpenStack cloud
     VPN endpoint (HTTPS)       Provider public IP
     Domain name(s)             *.cloud1.cloudprovider.CORP (internal DNS)
                                *.vpn-cloud1.cloudprovider.com (public DNS)
     DNS servers                172.30.0.240, 172.30.0.254
     NTP servers                ntp1.cloud1.cloudprovider.corp, 172.30.0.252, 172.30.0.253
     Cloud Foundry API endpoint https://api.cf.cloud1.cloudprovider.CORP (172.30.0.80, 172.30.0.81)
     VPN types:
       1. Cisco AnyConnect VPN adapter – administrator access
       2. Site-to-site VPN between networks: Cisco ASA to Cisco ASA, Checkpoint to Cisco ASA…
  14. Cloud Platform on OpenStack: VPN Model
     Site2Site VPN: for Customer 2, VPN Network Address Translation (NAT) is required. Use the dedicated NAT network 100.64.0.0/10 (RFC 6598, shared address space).
  15. Cloud Platform on OpenStack: VPN Networking
     VPN type                              Networks exposed                         DNS servers                     Cloud Foundry endpoints
     Cisco AnyConnect administrative VPN   10.30.0.0/24, 172.30.0.0/24              172.30.0.253, 172.30.0.254      172.30.0.80, 172.30.0.81
     Site2Site VPN                         Only DNS and Cloud Foundry addresses     172.30.0.253, 172.30.0.254      172.30.0.80, 172.30.0.81
     Site2Site VPN with NAT                Only DNS and Cloud Foundry addresses     100.64.30.253, 100.64.30.254    100.64.30.80, 100.64.30.81
  16. Cloud Platform on OpenStack: DNS Resolution Options
     ● Configure DNS zone forwarding to the cloud DNS servers:
       ○ Set up zone forwarding in the customer network for *.cloud1.cloudprovider.corp
         -- without NAT, forward to DNS servers 172.30.0.253, 172.30.0.254
         -- with NAT, forward to DNS servers 100.64.30.253, 100.64.30.254
     ● Use public DNS records to resolve private IP addresses:
       ○ Create A-records in a public (sub)domain owned by the cloud provider
         Name: *.vpn-cloud1.cloudprovider.com
         Addresses: 100.64.30.80, 100.64.30.81
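Slides 14 to 16 describe the decision a site-to-site VPN customer forces: if its networks overlap the cloud "public" range 172.30.0.0/24, the exposed DNS and Cloud Foundry addresses are translated 1:1 into a per-customer /24 inside the RFC 6598 space 100.64.0.0/10, and the customer's DNS forwarders and the provider's public A-records must then point at the translated addresses. The script below is an added example, not code from the talk or from Altoros. It uses the addresses printed on the slides; the customer networks, the "customer id picks the third octet" pool scheme (id 30 giving 100.64.30.0/24, as on slide 15) and the function names are assumptions for illustration.

```python
"""Added example: decide whether a Site2Site VPN customer needs NAT, pick a
NAT /24 from the RFC 6598 shared address space, and derive the DNS-forwarder
and public A-record values the customer must use. Not from the original talk."""
import ipaddress

CLOUD_NET = ipaddress.ip_network("172.30.0.0/24")        # cloud "public" network, VLAN 101
NAT_SPACE = ipaddress.ip_network("100.64.0.0/10")        # RFC 6598 shared address space

# Only these addresses are exposed over a Site2Site VPN (slide 15).
EXPOSED = {
    "dns1": ipaddress.ip_address("172.30.0.253"),
    "dns2": ipaddress.ip_address("172.30.0.254"),
    "cf_api1": ipaddress.ip_address("172.30.0.80"),
    "cf_api2": ipaddress.ip_address("172.30.0.81"),
}


def needs_nat(customer_nets):
    """True if any customer-side network overlaps the cloud network: the
    customer could then not route to 172.30.0.x through the tunnel."""
    return any(ipaddress.ip_network(n).overlaps(CLOUD_NET) for n in customer_nets)


def nat_pool(customer_id, customer_nets):
    """Hypothetical scheme: the customer id selects the third octet, so
    customer 30 gets 100.64.30.0/24.  The pool must sit inside RFC 6598 space
    and must not collide with anything the customer already uses."""
    if not 0 <= customer_id <= 255:
        raise ValueError("customer id must fit in one octet")
    pool = ipaddress.ip_network(f"100.64.{customer_id}.0/24")
    assert pool.subnet_of(NAT_SPACE)
    if any(ipaddress.ip_network(n).overlaps(pool) for n in customer_nets):
        raise ValueError(f"{pool} collides with a customer network; pick another id")
    return pool


def translate(pool):
    """Static 1:1 NAT that keeps the host part: 172.30.0.253 -> 100.64.30.253."""
    base = int(CLOUD_NET.network_address)
    return {name: pool.network_address + (int(addr) - base)
            for name, addr in EXPOSED.items()}


def plan(customer_id, customer_nets):
    """Return what the customer must configure: the forwarder addresses for
    the *.cloud1.cloudprovider.corp zone and the A-record targets for
    *.vpn-cloud1.cloudprovider.com (slide 16)."""
    nat = needs_nat(customer_nets)
    addrs = translate(nat_pool(customer_id, customer_nets)) if nat else dict(EXPOSED)
    return {
        "nat": nat,
        "forwarders": [str(addrs["dns1"]), str(addrs["dns2"])],
        "a_records": {"*.vpn-cloud1.cloudprovider.com":
                      [str(addrs["cf_api1"]), str(addrs["cf_api2"])]},
    }


if __name__ == "__main__":
    # Constructed customers: customer 1 has a disjoint network, customer 2
    # (given id 30 here) uses 172.30.0.0/16, which swallows the cloud network.
    print(plan(1, ["10.10.0.0/16"]))
    print(plan(30, ["172.30.0.0/16"]))
```

If a customer already uses 100.64.x.0/24 for its own carrier-grade NAT, the pool choice raises instead of silently producing a second overlap; that is the check worth keeping in any real provisioning script.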
  17. Cloud Platform on OpenStack: Domains and Routes
     ● Cloud Foundry routing to support both internal and public DNS names:
       ○ Create shared domain(s):
           $ cf domains
           Getting domains in as admin...
           name                                 status   type
           cf.cloud1.cloudprovider.corp         shared
           vpn-cloud1.cloudprovider.com         shared
           tcp-cf.cloud1.cloudprovider.corp     shared   tcp
       ○ Map additional route(s) to an application:
           $ cf map-route deviceserver vpn-cloud1.cloudprovider.com --hostname deviceserver
  18. Cloud Platform on OpenStack: Device Connectivity
  19. When It Comes to AWS
  20. Cloud Platform on AWS
  21. sergey.sverchkov@altoros.com, altoros.com, blog.altoros.com. Thank you!
