
Simple, Scalable and Secure Networking for Data Centers with Project Calico


Traditional overlay networks using VXLAN are more complicated to set up and diagnose than is necessary for the majority of data centers. Calico offers an alternative Layer 3 solution: aside from simplicity, this also offers benefits in terms of improved scale and security.

These are the Calico slides from the SDN Switzerland meetup on 13/11/2015.

Published in: Software

  1. THE BRAINS OF THE NEW GLOBAL NETWORK. SIMPLE, SCALABLE AND SECURE NETWORKING FOR DATA CENTERS. Emma Gordon, 13/11/2015
  2. IN THIS TALK…
     - Evolution of Docker Networking
     - Why Calico?
     - Quick Demo
     - Thoughts on Security in the new world of micro-services
     Metaswitch Networks | Proprietary and confidential | © 2014 | 2
  3. WHAT'S NEW IN DOCKER NETWORKING?
     - Libnetwork in Docker 1.9 (released last week!)
     - Pluggable architecture
     - Different network drivers available
     - Default is 'bridge'
     - Container Network Model
     - Network Isolation
  4. WHAT'S NEW IN DOCKER NETWORKING?
     - Multi Host Networking
     - Using the 'overlay' network driver, which uses VXLAN
     Diagram: virtual L2 segments, implemented in software by a virtual switch (vSwitch) on each Linux host; each host performs encap / de-encap (& flooding!).
     VXLAN packet layout: Outer MAC | Outer IP | Outer UDP | VXLAN | Inner MAC | Inner IP | Inner TCP/UDP | Payload Data
     - Router services required to hop between tenants
     - NAT required for public Internet access
     - On/off-ramp required to get to NAS, etc.
  5. WHAT IF WE BUILT A DATA CENTER LIKE THE INTERNET?
     Diagram: each app has its own IP ("IP App"), and the apps are interconnected by routers that exchange routes with BGP.
  6. WHAT IF WE BUILT A DATA CENTER LIKE THE INTERNET?
     Diagram: the same picture with compute nodes hosting VMs / LXCs, each an "IP App", and routers exchanging routes with BGP … this is Project Calico!
  7. WHAT IS CALICO?
     An (Apache licensed) open source project to enable networking of workloads in a data center / cloud environment.
     Objectives:
     - Simple: don't demand users to be networking experts
     - Scale: thousands of servers, 100k's of workloads
     - Open: open source and open standards
  8. TECHNICAL DETAILS
     - Architecture components
       - Orchestrator plug-in
       - etcd: distributed, highly available datastore
       - Felix agent: forwarding table update, security policy
       - BIRD: route distribution, network integration
       - Linux kernel: layer 3 forwarding and ACL enforcement
     - Build on and contribute to many existing open source projects
     Diagram: any physical fabric (L2, L3, MPLS, …) underneath; a Cloud OS / Orchestration System with a Calico Plugin on top; on each Compute Node the Linux kernel (Routes, ACLs), BIRD and Felix; each Workload VM / Container attaches via Eth0, Eth1.
  9. LIFE BEFORE AND AFTER CALICO
     - Before Calico: scale challenges above a few hundred servers / thousands of workloads. After Calico: scale to millions of workloads with minimal CPU and network overhead.
     - Before Calico: troubleshooting connectivity issues can take hours. After Calico: what is happening is "obvious"; traceroute, ping, etc., work as expected.
     - Before Calico: on/off ramps + NAT to break out of the overlay. After Calico: the path from a workload to a non-virtual device or the public internet (or even between data centers) is just a route.
     - Before Calico: high availability / load balancing across links requires an LB function (virtual or physical) and/or app-specific logic. After Calico: Equal Cost Multi-Path (ECMP) & Anycast just work, enabling scalable resilience and full utilization of physical links.
     - Before Calico: CCNA or equivalent required to understand end-to-end networking and deploy applications. After Calico: basic IP networking knowledge only required.
  10. DEMO
  11. REMEMBER 3-TIER ARCHITECTURES?
  12. GETTING MEDIEVAL
  13. FAST FORWARD TO THE PRESENT
  14. INCREASED COMPLEXITY
  15. RESOURCE FUNGIBILITY
  16. TEAR DOWN THE WALLS?
  17. THE OPPORTUNITY?
  18. THE OPPORTUNITY?
  19. THE DISTRIBUTED FIREWALL
     Diagram: six hosts (eth0 192.168.1.2, 192.168.1.3, 192.168.1.4, 192.168.1.5, 192.168.1.6, 192.168.1.7) attached to the Network Fabric, each doing its own Routing; workloads 10.0.0.1 and 10.0.0.2 sit behind the hosts.
  20. PROJECT CALICO ARCHITECTURE
     Diagram: hosts eth0 192.168.1.2, 192.168.1.4 and 192.168.1.7, each running Felix (programs Routes and iptables in the Kernel) and BIRD; BIRD on every host peers with a Route Reflector.
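The two slides above (the distributed firewall and the Calico architecture) and the component list on slide 8 describe one idea: every workload gets a /32 host route that BIRD advertises over BGP to a route reflector, so the fabric needs no overlay, and Felix on the host that owns the workload enforces the security policy read from etcd. The following Python model is an added example written for this page, not code from the talk or from Project Calico itself. The node addresses (192.168.1.2, 192.168.1.4), workload addresses (10.0.0.x), the "web"/"db" profiles and the inbound rules are constructed sample data; the classes and functions are hypothetical stand-ins for BIRD, the route reflector, Felix and etcd, not their real interfaces.

```python
"""Toy model of a Calico-style L3 fabric with a distributed firewall (constructed example)."""
from dataclasses import dataclass, field

# Stand-in for etcd: the shared datastore every Felix reads (constructed sample data).
# Maps each workload IP to its security profile.
ETCD_ENDPOINTS = {
    "10.0.0.1": "web",
    "10.0.0.2": "db",
    "10.0.0.3": "web",
}

# Inbound policy per profile: set of (allowed source profile, destination port).
# "any" matches every source, including addresses that are not workloads.
POLICY = {
    "web": {("any", 80)},
    "db": {("web", 5432)},
}


@dataclass
class ComputeNode:
    name: str
    ip: str                                      # underlay address, used as BGP next hop
    local: set = field(default_factory=set)      # workload IPs hosted on this node
    routes: dict = field(default_factory=dict)   # "/32 prefix" -> next-hop node IP

    def advertise(self):
        """BIRD-like: announce one /32 host route per local workload, next hop = this node."""
        return {f"{ip}/32": self.ip for ip in self.local}

    def next_hop(self, dst_ip):
        """Kernel forwarding decision: 'local', a next-hop node IP, or None (no route)."""
        if dst_ip in self.local:
            return "local"
        return self.routes.get(f"{dst_ip}/32")


class RouteReflector:
    """BGP route reflector: collects every node's /32s and pushes the full table back out."""

    def __init__(self):
        self.rib = {}

    def learn(self, node):
        self.rib.update(node.advertise())

    def distribute(self, nodes):
        for n in nodes:
            # A node does not need routes pointing back at itself.
            n.routes = {p: nh for p, nh in self.rib.items() if nh != n.ip}


def felix_allows(dst_ip, src_ip, dst_port):
    """Felix-like ACL on the destination host: permit only what the destination profile allows."""
    dst_profile = ETCD_ENDPOINTS.get(dst_ip)
    src_profile = ETCD_ENDPOINTS.get(src_ip, "external")
    if dst_profile is None:
        return False
    rules = POLICY.get(dst_profile, set())
    return any(sp in ("any", src_profile) and port == dst_port for sp, port in rules)


def deliver(nodes, src_node, src_ip, dst_ip, dst_port):
    """Forward a packet across the fabric, then apply the distributed firewall on the owning host."""
    by_ip = {n.ip: n for n in nodes}
    hop = src_node.next_hop(dst_ip)
    if hop is None:
        return "no_route"            # no overlay, no default route: unknown /32s are dropped
    dst_node = src_node if hop == "local" else by_ip[hop]
    assert dst_ip in dst_node.local  # a /32 always lands on the node that hosts the workload
    return "delivered" if felix_allows(dst_ip, src_ip, dst_port) else "denied"


def build_fabric():
    """Two compute nodes, one route reflector, three workloads (constructed sample topology)."""
    a = ComputeNode("node-a", "192.168.1.2", {"10.0.0.1", "10.0.0.3"})
    b = ComputeNode("node-b", "192.168.1.4", {"10.0.0.2"})
    rr = RouteReflector()
    for n in (a, b):
        rr.learn(n)
    rr.distribute([a, b])
    return a, b


if __name__ == "__main__":
    a, b = build_fabric()
    print(b.routes)                                            # /32s learned via the reflector
    print(deliver([a, b], a, "10.0.0.1", "10.0.0.2", 5432))    # web -> db:5432 is allowed
    print(deliver([a, b], a, "10.0.0.3", "10.0.0.2", 22))      # web -> db:22 is denied
    print(deliver([a, b], a, "192.168.1.100", "10.0.0.2", 5432))  # non-workload source denied
```

Two points the model makes visible: reachability is plain routing (the "just a route" of slide 9, with traceroute and ping behaving normally), and the security boundary is not the network segment but the policy evaluated on the host that owns the destination, which is why the diagram on slide 19 shows routing and firewalling at every host rather than at a central choke point.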
  21. WE WELCOME YOUR FEEDBACK AND CONTRIBUTIONS
     - Website: www.projectcalico.org
     - Github: github.com/projectcalico
     - Mailing list: projectcalico.org/contact/
     - Freenode IRC: #calico
     - Slack Community: https://calicousers.slack.com
     - Twitter: @projectcalico
