CloudStack Networking: ShapeBlue Technical Deep Dive

Geoff Higginbottom of ShapeBlue gives a 60 minute master class in CloudStack networking

    1. CloudStack Networking Technical Deep Dive. Geoff Higginbottom, CTO, ShapeBlue. geoff.higginbottom@shapeblue.com. Twitter: @ShapeBlue, @CloudStackGuru
    2. www.shapeblue.com
    3. Why NaaS – The Use Cases: VPS Cloud
    4. Why NaaS – The Use Cases: Cloud VPS
    5. Physical Connectivity
    6. CloudStack Physical Networks – Management Network
       - Traffic between the CloudStack Management Servers and the various cloud components (Hosts, System VMs, Storage*, vCenter etc.)
    7. CloudStack Physical Networks – Public Network
       - Only available in an Advanced Zone, or in a Basic Zone when using NetScaler Elastic IP (ELIP) / Elastic Load Balancer (ELLB)
       - Connects VMs to the public Internet via a Virtual Router or a NetScaler
       - Enables services such as: Source NAT, Static NAT, Load Balancing, Port Forwarding, Firewall, VPN
    8. CloudStack Physical Networks – Guest Network
       - Basic Zone (with or without Security Groups): traffic between VMs on the network
       - Basic Zone with ELIP / ELLB: traffic between VMs and the internal interface of the NetScaler
       - Advanced Zones: traffic between VMs within a network and their Virtual or Physical Router, Physical Load Balancer or Physical Firewall
    9. CloudStack Physical Networks – Storage Network
       - Handles traffic between the Secondary Storage VM, the Hosts and the Management Server, to and from the Secondary Storage servers
       - Optional network; if it is not configured, this traffic uses the Management Network
       - If configured, there must be a route between the Management, Host and Storage networks
       - It is not for Primary Storage traffic
       - Not used for template deployment from Secondary to Primary Storage; Hosts mount Secondary Storage directly
    10. Network Service Providers
       - A hardware or virtual appliance which provides network services to CloudStack, e.g. Virtual Router, VPC Virtual Router, Citrix NetScaler, F5 Load Balancer, Juniper SRX Firewall, Nicira NVP, Security Groups
    11. Basic Networking
       - AWS-style L3 isolation, for massive scale
       - Simple flat network
       - Each Pod has a unique CIDR
       - Optional guest isolation via Security Groups
       - Optional NetScaler integration: Elastic IPs and Elastic LB
       - Optional Nicira NVP integration
    12. Security Groups
       - Isolate traffic between VMs
       - Only supported in Basic Networking in CloudStack*
       - Only supported on XenServer 6.x and KVM
       - XenServer 6.0.x requires the Cloud Support Package
       - XenServer must use the Linux bridge and not Open vSwitch: switch the backend with xe-switch-network-backend bridge, and do so before adding the host to CloudStack
    13. Security Groups
       - Must be specified when the Zone is created
       - Uses Ingress and Egress rules to control traffic flow
       - Default is all outbound traffic allowed, all inbound denied
       - Rules can be mapped to a CIDR or to another Account/Security Group
    14. Basic Zone with Elastic IP
       - Citrix NetScaler can provide Elastic IP & Elastic LB
       - Has Security Groups enabled
       - A Public Network IP range is assigned during Zone setup
       - The Public IP range is assigned to the external interface of the NetScaler appliance
       - Provides a Static NAT (1:1) service to VMs
       - When the VM is powered off the Elastic IP is released
    15. Citrix NetScaler – Elastic IP/LB
    16. Basic Zone – Example IP Schema
    17. Using Multiple NICs
       - The default 'Add Zone Wizard' skips the Traffic Label settings
    18. Advanced Networking
       - Guest Networks isolated by VLANs
       - Private and Shared Guest Networks
       - Multiple Physical Networks
       - A Virtual Router for each network providing: DNS & DHCP, Firewall, Client VPN, Load Balancing, Source / Static NAT, Port Forwarding
    19. Adv Zone – Example IP Schema
    20. Adv Zone – Egress Rules
       - New to 4.1
       - Blocks all outbound traffic by default
       - The slide shows an example of an 'Allow All' egress rule and examples of other common egress rules
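Slides 13 and 20 describe the two rule models a CloudStack operator drives through the API: Basic Zone Security Group rules (inbound denied until an ingress rule exists, matched on a CIDR or on another account's group) and Advanced Zone egress firewall rules (all outbound blocked by default from 4.1, so an explicit 'Allow All' or per-port rule is needed). The Python below is an added example for this page, not code from the deck or from the CloudStack project. It shows how a client signs a CloudStack API request (HMAC-SHA1 over the sorted, lower-cased query string, base64-encoded) and which parameters authorizeSecurityGroupIngress and createEgressFirewallRule take. The endpoint, API key, secret, group names and network ID are constructed placeholders.

```python
"""Signing CloudStack API calls, with security group and egress rule requests.

Added example for this page; it is not code from the deck or from the
CloudStack project.  Endpoint, keys, group names and IDs are placeholders.
"""
import base64
import hashlib
import hmac
from urllib.parse import quote

ENDPOINT = "https://cloud.example.com/client/api"   # placeholder endpoint
API_KEY = "EXAMPLE-API-KEY"                          # placeholder; never hard-code real keys
SECRET_KEY = "EXAMPLE-SECRET-KEY"                    # placeholder


def cs_encode(value):
    """URL-encode one value as the management server does when it re-computes
    the signature: Java URLEncoder with '+' turned into '%20'.  Python's quote()
    agrees except that it leaves '~' alone and escapes '*', so fix those two."""
    return quote(str(value), safe="").replace("~", "%7E").replace("%2A", "*")


def string_to_sign(params):
    """Canonical string: key=value pairs sorted by key, then lower-cased."""
    ordered = sorted(params.items(), key=lambda kv: kv[0].lower())
    return "&".join(f"{k}={cs_encode(v)}" for k, v in ordered).lower()


def sign(params, secret):
    """HMAC-SHA1 of the canonical string, base64-encoded."""
    mac = hmac.new(secret.encode(), string_to_sign(params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def build_request(command, params, api_key=API_KEY, secret=SECRET_KEY, endpoint=ENDPOINT):
    """Full signed GET URL.  The query keeps the original case; only the
    string that is signed is lower-cased."""
    full = {"command": command, "apiKey": api_key, "response": "json", **params}
    query = "&".join(f"{k}={cs_encode(v)}" for k, v in full.items())
    return f"{endpoint}?{query}&signature={cs_encode(sign(full, secret))}"


# --- Slide 13: Basic Zone security group rules -------------------------------

def sg_ingress_from_cidr(group, protocol, start_port, end_port, cidr):
    """Open a port range to a source CIDR.  Inbound is denied until a rule exists."""
    return {"securitygroupname": group, "protocol": protocol,
            "startport": start_port, "endport": end_port, "cidrlist": cidr}


def sg_ingress_from_group(group, protocol, start_port, end_port, account, source_group):
    """Open a port range only to VMs in another security group.  Map parameters
    use the indexed form usersecuritygrouplist[N].account / [N].group."""
    return {"securitygroupname": group, "protocol": protocol,
            "startport": start_port, "endport": end_port,
            "usersecuritygrouplist[0].account": account,
            "usersecuritygrouplist[0].group": source_group}


# --- Slide 20: Advanced Zone egress rules (createEgressFirewallRule) ---------

def egress_rule(network_id, protocol="all", cidr="0.0.0.0/0", start_port=None, end_port=None):
    """With protocol 'all' and 0.0.0.0/0 this is the 'Allow All' rule from the
    slide; TCP/UDP rules must carry a port range."""
    rule = {"networkid": network_id, "protocol": protocol, "cidrlist": cidr}
    if protocol.lower() in ("tcp", "udp"):
        if start_port is None or end_port is None:
            raise ValueError("TCP/UDP egress rules need startport and endport")
        rule["startport"], rule["endport"] = start_port, end_port
    return rule


if __name__ == "__main__":
    print(build_request("authorizeSecurityGroupIngress",
                        sg_ingress_from_cidr("web", "TCP", 443, 443, "0.0.0.0/0")))
    print(build_request("authorizeSecurityGroupIngress",
                        sg_ingress_from_group("db", "TCP", 3306, 3306, "acme", "web")))
    print(build_request("createEgressFirewallRule", egress_rule("net-0001")))
    print(build_request("createEgressFirewallRule",
                        egress_rule("net-0001", "tcp", "0.0.0.0/0", 80, 80)))
```

The account/group form of the ingress rule is the one to prefer for tier-to-tier traffic (database only reachable from the web group), because it follows VMs as they are created and destroyed instead of pinning a CIDR. The 'Allow All' egress rule reproduces pre-4.1 behaviour; on a zone where the default is now deny, adding narrower rules (DNS, NTP, package mirrors) instead keeps the isolation the new default gives you.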
    21. Adv Zone – Firewall & Port Forwarding
       - Firewall: allow traffic into the network
       - Port Forwarding: pass traffic to a specified VM
    22. Adv Zone – Load Balancing
       - Load balancing algorithms: Round Robin, Least Connections, Source
       - Stickiness: None, Source Based, AppCookie, LBCookie
    23. Adv Zone – User VPN
       - IPsec VPN (remote access, L2TP over IPsec)
       - Windows / Mac clients
       - Connects to the Guest Network
    24. Adv Zone – Static NAT: enable Static NAT
    25. Adv Zone – Static NAT: allocate the VM
    26. Adv Zone – Static NAT
       - Only Firewall rules exist, due to the 1-to-1 mapping
       - The Public IP is also used for outbound traffic from this VM
    27. Virtual Private Clouds (VPC)
       - Private multi-tiered virtual networks
       - ACLs to control traffic isolation
       - Inter-VLAN routing
       - Site-to-Site VPN
       - Private Gateway
    28. Virtual Private Clouds (VPC)
       - No Conserve Mode, so a unique Public IP is required for Port Forwarding (1 IP per tier) and for Load Balancing (only 1 tier can be load balanced)
       - Cannot operate in Redundant Mode (VRRP)
       - Default Egress is Allow All
    29. VPC Components
       - Virtual Router: connects all the VPC components
       - Network Tiers: isolated networks, each with a unique VLAN and CIDR
       - Public Gateway
       - Site-to-Site VPN: linked to the Public Gateway
       - Private Gateway: created by Root Admins, configured by users (static routes)
    30. Creating a VPC: the Super CIDR covers all tiers
    31. VPC – Add 1st Tier: note how the Network CIDR is a subnet of the Super CIDR
    32. VPC – Add 2nd Tier: note how the Network CIDR is a different subnet of the Super CIDR. There can be only 1 load-balanced tier
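Slides 30 to 32 give the addressing rules for a VPC: every tier CIDR must be a subnet of the Super CIDR, each tier gets a different subnet, and only one tier can be load balanced. The Python below is an added example for this page, not code from the deck or the CloudStack project; it checks a proposed tier layout against those rules before any createNetwork call is made, and picks the next free block for a new tier. Tier names and addresses are constructed, and the assumption that the VPC router takes the first usable address of each tier is marked in the code.

```python
"""VPC address planning: super CIDR, tiers, and the single load-balanced tier.

Added example for this page; not from the deck or the CloudStack project.
Tier names and addresses are constructed.
"""
import ipaddress


class VpcPlanError(ValueError):
    """A tier layout CloudStack would reject (or that breaks the VPC's own rules)."""


def validate_tiers(super_cidr, tiers, lb_tiers=()):
    """Every tier must be a subnet of the super CIDR, no two tiers may overlap,
    and at most one tier may be load balanced (slides 30 to 32).
    Returns the parsed networks keyed by tier name."""
    vpc = ipaddress.ip_network(super_cidr, strict=True)
    parsed = {}
    for name, cidr in tiers.items():
        try:
            net = ipaddress.ip_network(cidr, strict=True)  # strict rejects e.g. 10.0.1.5/24
        except ValueError as exc:
            raise VpcPlanError(f"tier {name}: {exc}") from None
        if net.version != vpc.version or not net.subnet_of(vpc):
            raise VpcPlanError(f"tier {name}: {cidr} is not inside super CIDR {super_cidr}")
        for other_name, other in parsed.items():
            if net.overlaps(other):
                raise VpcPlanError(f"tier {name}: {cidr} overlaps tier {other_name} ({other})")
        parsed[name] = net
    unknown = set(lb_tiers) - set(tiers)
    if unknown:
        raise VpcPlanError(f"load balanced tier(s) not defined: {sorted(unknown)}")
    if len(lb_tiers) > 1:
        raise VpcPlanError("only one tier in a VPC can be load balanced")
    return parsed


def next_free_tier(super_cidr, tiers, prefixlen=24):
    """Lowest unused /prefixlen block inside the super CIDR, for the next tier."""
    vpc = ipaddress.ip_network(super_cidr, strict=True)
    used = [ipaddress.ip_network(c, strict=True) for c in tiers.values()]
    for candidate in vpc.subnets(new_prefix=prefixlen):
        if not any(candidate.overlaps(u) for u in used):
            return str(candidate)
    raise VpcPlanError(f"no free /{prefixlen} left in {super_cidr}")


def tier_summary(super_cidr, tiers, lb_tiers=()):
    """Per-tier view after validation.  The VPC router's address is assumed to be
    the first usable address (the usual gateway convention); network and
    broadcast addresses are excluded from the usable count."""
    parsed = validate_tiers(super_cidr, tiers, lb_tiers)
    return {
        name: {
            "cidr": str(net),
            "router": str(net.network_address + 1),
            "usable_hosts": max(net.num_addresses - 3, 0),
            "load_balanced": name in lb_tiers,
        }
        for name, net in parsed.items()
    }


if __name__ == "__main__":
    tiers = {"web": "10.0.1.0/24", "app": "10.0.2.0/24"}
    for name, info in tier_summary("10.0.0.0/16", tiers, lb_tiers=("web",)).items():
        print(name, info)
    print("next tier:", next_free_tier("10.0.0.0/16", tiers))
```

Running the checks client-side matters because the failure mode is not always a clean API error: an overlapping or out-of-range tier that slips through on a misconfigured deployment produces routing that silently bypasses the ACLs between tiers, which is exactly the isolation the VPC exists to provide.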
    33. VPC – Add VMs
    34. VPC – Add VMs – Network Selection
    35. VPC – Configure ACLs
    36. VPC – Configure ACLs
    37. VPC – Acquire Public IPs
    38. VPC – Acquire Public IPs
    39. VPC – Acquire Public IPs
    40. VPC – Add Port Forwarding: ACLs = Firewall Rules
    41. VPC – Add Port Forwarding
    42. VPC – Load Balancing
    43. VPC – Public IP Single Use: one IP is used for Port Forwarding, a different IP is used for Load Balancing
    44. VPC – Public IP Single Use
    45. VPC – Add Private Gateway
    46. VPC vs VR Networks
    47. VPC – Adding Static Routes
    48. VPC – Adding Static Routes
    49. VPC – Site-to-Site VPN
       - The VPN Gateway must be enabled first
       - Once enabled, the VPN Customer Gateway can be configured
    50. VPC – Site-to-Site VPN
       - A VPN Connection can then be mapped to the VPN Customer Gateway
       - As long as both ends of the VPN are configured correctly, the VPN Connection should be established
    51. VPC – Site-to-Site VPN
       - Officially supported VPN end points: Cisco ISR with IOS 12.4 or later; Juniper J-Series routers with JunOS 9.5 or later; "it's expected any device running supported operating systems should work"
       - Not officially supported: VPC-to-VPC VPN is not officially supported yet but does appear to work; tested between CS 4.1 – CS 4.1 and CS 4.1 – CloudPlatform (CP) 3.0.6 Patch D
    52. Create VM on VPC & Standard Network
       - Option 1: create the VM using the API and map it to both networks; the API parameter 'hypervisor' must be specified
       - Option 2: create the VM on the VPC using the GUI, then use the addNicToVirtualMachine API command to add the 2nd NIC
    53. Add – Update – Remove NICs
       - New API commands in 4.1: addNicToVirtualMachine, updateDefaultNicForVirtualMachine, removeNicFromVirtualMachine
       - Effectively enables VMs to be 'moved' to different networks
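Slides 52 and 53 describe two procedures: deploying a VM onto a VPC tier and a standard network in one API call (where 'hypervisor' must be given), and 'moving' a VM between networks with the 4.1 NIC calls. The order of those calls matters, because the management server keeps exactly one default NIC per VM and refuses to remove it. The Python below is an added example for this page, not code from the deck or the CloudStack project; it models those constraints and emits the API calls in an order that satisfies them. All IDs are constructed; in a real run the NIC id comes back in the addNicToVirtualMachine response.

```python
"""Moving a VM between guest networks with the 4.1 NIC API calls.

Added example for this page; not from the deck or the CloudStack project.
It models the constraints the management server enforces (exactly one default
NIC per VM, one NIC per network, the default NIC cannot be removed) and emits
the API calls in an order that satisfies them.  All IDs are constructed.
"""
from dataclasses import dataclass


@dataclass
class Nic:
    id: str
    networkid: str
    isdefault: bool


class VmNicPlanner:
    """Tracks a VM's NICs and records the API calls needed to change them."""

    def __init__(self, vm_id, nics):
        self.vm_id = vm_id
        self.nics = list(nics)
        self.calls = []        # (command, params) in the order they must be issued
        self._counter = 0      # for constructed NIC ids; real ones come from the API response
        if sum(n.isdefault for n in self.nics) != 1:
            raise ValueError("a VM must have exactly one default NIC")

    def _find(self, nic_id):
        for nic in self.nics:
            if nic.id == nic_id:
                return nic
        raise ValueError(f"{self.vm_id} has no NIC {nic_id}")

    def add_nic(self, network_id):
        """addNicToVirtualMachine: one NIC per network, never default on creation."""
        if any(n.networkid == network_id for n in self.nics):
            raise ValueError(f"{self.vm_id} already has a NIC on {network_id}")
        self._counter += 1
        nic = Nic(f"nic-{self._counter}", network_id, False)
        self.nics.append(nic)
        self.calls.append(("addNicToVirtualMachine",
                           {"virtualmachineid": self.vm_id, "networkid": network_id}))
        return nic

    def set_default(self, nic_id):
        """updateDefaultNicForVirtualMachine: moves the default flag, nothing else."""
        target = self._find(nic_id)
        for nic in self.nics:
            nic.isdefault = nic is target
        self.calls.append(("updateDefaultNicForVirtualMachine",
                           {"virtualmachineid": self.vm_id, "nicid": nic_id}))

    def remove_nic(self, nic_id):
        """removeNicFromVirtualMachine: refused for the default NIC."""
        target = self._find(nic_id)
        if target.isdefault:
            raise ValueError("the default NIC cannot be removed; make another NIC default first")
        self.nics.remove(target)
        self.calls.append(("removeNicFromVirtualMachine",
                           {"virtualmachineid": self.vm_id, "nicid": nic_id}))


def move_vm(planner, new_network_id):
    """Slide 53's 'move': add a NIC on the new network, make it the default,
    then drop the old default.  Returns the ordered API calls."""
    old_default = next(n for n in planner.nics if n.isdefault)
    new_nic = planner.add_nic(new_network_id)
    planner.set_default(new_nic.id)
    planner.remove_nic(old_default.id)
    return planner.calls


def deploy_dual_homed(service_offering_id, template_id, zone_id,
                      vpc_tier_id, isolated_network_id, hypervisor):
    """Slide 52, option 1: deploy onto the VPC tier and the standard network in
    one call; the slide notes 'hypervisor' must be given in this case."""
    if not hypervisor:
        raise ValueError("deployVirtualMachine onto two networks needs the hypervisor parameter")
    return ("deployVirtualMachine", {
        "serviceofferingid": service_offering_id, "templateid": template_id,
        "zoneid": zone_id, "networkids": f"{vpc_tier_id},{isolated_network_id}",
        "hypervisor": hypervisor})


if __name__ == "__main__":
    planner = VmNicPlanner("vm-0001", [Nic("nic-a", "net-old", True)])
    for command, params in move_vm(planner, "net-new"):
        print(command, params)
    print(deploy_dual_homed("so-1", "tmpl-1", "zone-1", "tier-1", "net-1", "XenServer"))
```

A VM that ends up with NICs on both a VPC tier and a standard isolated network is a bridge between two isolation domains: traffic can be forwarded from one to the other inside the guest, bypassing the VPC ACLs and the other network's Virtual Router firewall. Treat such VMs as you would a router, and prefer the move sequence above (which ends with a single NIC) over leaving the VM dual-homed.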
    54. System VMs & Their Networks – Virtual Router
    55. System VMs & Their Networks – Virtual Router
    56. System VMs & Their Networks – Secondary Storage VM
    57. System VMs & Their Networks – SSVM: VM Image / ISO Upload Workflow
    58. System VMs & Their Networks – Console Proxy VM
    59. System VMs & Their Networks – CPVM: Remote Connection
    60. Communication Ports
    61. Real World Problems / Requirements
       - Management VLANs: up to 7 layers
       - Strict control of traffic flow between management layers
       - Bypassing the Virtual Router
       - Isolated networks for guest management by the Service Provider
       - Shared networks for guest backups
       - Connecting VMs to physical servers via assigned VLAN IDs
       - VLAN limitations
    62. The Future
       - Software Defined Networking: remove VLAN limitations; bring full control of the network into the CloudStack GUI; massive scalability; L2 networks which span DCs
       - Examples of SDN providers: Nicira NVP (supported since 4.0); Midokura (support coming in 4.2)
    63. Questions?
    64. CloudStack Networking Technical Deep Dive (closing slide, repeating the speaker and contact details from slide 1)
