Understanding Virtual Networking in the Cloud - RightScale Compute 2013

Speaker: Josep Blanquer - Chief Architect, RightScale

Managing networking constructs in public and private clouds is a complex task. Add to that the different names, semantics, and capabilities that each cloud exposes, and you have a sure recipe for a headache. We will describe how subnets, firewalls, security groups, routing tables, virtual network interfaces, and other constructs map to the names and semantics in various public and private clouds. In this session we will present RightScale Networks Manager, a distilled definition of networking concepts that works across clouds. Networks Manager is a single pane of glass — UI and API — for your cloud networking infrastructure, saving you headaches from networking idiosyncrasies.

Speaker notes: In this talk I’m going to make the case that managing cloud networking is hard and show the preview of what we’ve been working on at RS that can help you with that complexity, even across cloud providers.
Slide 1: Understanding and Managing MultiCloud Networking
Josep M. Blanquer, Chief Architect
(RightScale Compute, April 25-26, San Francisco: "cloud success starts here")

Slide 2: In this talk…
• Introduction and Goals
• Landscape
  • Public: AWS / GCE / Azure / Rackspace…
  • Private: CloudStack / Eucalyptus / OpenStack…
• MultiCloud Resource Abstractions
  • Resource Hierarchy, Naming and Semantics
• Managing these resources through the UI and API
• Conclusion

Slide 3: Intro
• Networking is messy…

Slide 4: Introduction
• Networking is messy… even in the Cloud!
• Different Cloud Providers pick different designs
  • Leads to different exposed API resources, different behavior
  • Also leads to different naming conventions and API semantics
• Cloud software can also be heavily customized on installation
  • So even for the same cloud type, two clouds can behave quite differently
• All of this changes very rapidly
  • New versions of APIs expose new resources
  • Some changes break semantic compatibility or become defaults

Slide 5: Introduction (contd.)
• So what does this mean for me? (you must be wondering…)
• Headaches, and possible hair loss

Slide 6: Introduction (contd.)
• But… mess and variability is not bad, it is necessary
  • In fact, it is great!
• Companies need choice and configuration flexibility
  • One size doesn’t fit all
• You must embrace it
  • Take advantage of the features and characteristics that make sense for you
  • But not at the cost of losing focus on your business
• So
  • Instead of grooming an army of experts on cloud networking
  • Let others do that for you so you don’t have to
“Maintain control, without having to be bogged down with non-business details”

Slide 7: Introduction (contd.)
• Don’t look at your cloud networking from this perspective
[Image]

Slide 8: Introduction (contd.)
• …look at your cloud networking from this perspective
[Image]

Slide 9: Cloud Networking Landscape
Different strokes for different folks

Slide 10: Cloud Networking Landscape
• Embracing the choices
  • Amazon EC2
  • Google Compute Engine
  • CloudStack
• Not covered today: Azure, Rackspace, Eucalyptus, OpenStack…

Slide 11: Amazon EC2
• Each region can have multiple VPCs
• Each VPC defines a network isolation perimeter
• Incoming/Outgoing communication must go through GW
[Diagram labels: Amazon EC2, VPCs (xN), GW]

Slide 12: Amazon EC2
• Subnets further segment VPCs into IP CIDR groups
• Instances can be connected to a Subnet through an ENI
• A Subnet is scoped to a single Availability Zone
[Diagram labels: Amazon EC2, VPCs (xN), Subnets 1, 2, 3, each with Elastic Network Interfaces, GW]

Slide 13: Amazon EC2
• A VPC also scopes (and therefore contains)
  • SecurityGroups
  • Routing Tables
  • Network ACLs
[Diagram labels: as slide 12, plus Security Groups, Routing Tables, Network ACLs]

Slide 14: Amazon EC2
• Instances can be bound to multiple Subnets (of a matching AZ)
• The Security Groups are bound to each attached ENI
  • And not to the Instance as a whole
[Diagram labels: same as slide 13]

Slide 15: Amazon EC2 (Classic)
• There is a single (implicit) network for each region
• Incoming/Outgoing traffic is fully NATted
[Diagram labels: Amazon EC2, Single Network (x1), NAT]

Slide 16: Amazon EC2 (Classic)
• There aren’t any Subnets, Routing Tables or Network ACLs
• Security Groups are scoped to the implicit single Network
[Diagram labels: Security Groups, Amazon EC2, Routing Tables, Network ACLs, Subnets, Single Network (x1), NAT]

Slide 17: Amazon EC2 (Classic)
• There aren’t any subnets, routing tables or Network ACLs
• Security Groups are scoped to the implicit single Network
  • And their rules apply to the Instance as a whole (only 1 implicit Interface)
[Diagram labels: same as slide 16]

Slide 18: Google Compute Engine
• GCE cloud is global: there aren’t different regional endpoints
• Networks within the cloud define a network isolation perimeter
• Incoming/Outgoing communication must go through the GW
[Diagram labels: Networks (xN), GW]

Slide 19: Google Compute Engine
• A Network cannot be further segmented
• A Network has firewalls (some functionality is close to a SG)
• Routing controls are currently not exposed
[Diagram labels: Firewalls (SG-like), Networks (xN), Subnets, GW, Routing Tables]

Slide 20: Google Compute Engine
• A Network can span multiple Zones
• And Firewall rules can be applied to instances in a global way
[Diagram labels: same as slide 19]

Slide 21: CloudStack: Basic Mode
• Flat Networking (modeled after EC2 Classic)
• One (Shared) Network per Zone
[Diagram labels: Network (xN), NAT]

Slide 22: CloudStack: Basic Mode
• Supports SecurityGroups
  • But they belong to the “Domain” and apply to all uses of the shared network
[Diagram labels: Security Groups, Subnets, Routing Tables, Network ACLs, NAT, Network (xN)]

Slide 23: CloudStack: Basic Mode
• Instances within a Network are scoped to a Zone
• Each instance can have multiple SecurityGroups attached to it
[Diagram labels: same as slide 22]

Slide 24: CloudStack: Advanced Mode
• A Cloud can have multiple Networks
• Each Network is scoped to a Zone
[Diagram labels: Networks (xN), GW]

Slide 25: CloudStack: Advanced Mode
• There is no further segmentation based on Subnets
• Supports Firewalls (and SGs if the network is shared*)
  * Except KVM
[Diagram labels: Firewalls, Networks (xN), Subnets, GW, Security Groups, Routing Tables]

Slide 26: CloudStack: Advanced Mode (VPC)
• A Cloud can have multiple VPCs
• A VPC is scoped to a Zone
[Diagram labels: VPCs (xN), GW]

Slide 27: CloudStack: Advanced Mode (VPC)
• A VPC is segmented by Tiers (still scoped to a Zone)
• No explicit Network interface support in API
[Diagram labels: VPCs (xN), Tiers 1, 2, 3, each with Elastic Network Interfaces, GW]

Slide 28: CloudStack: Advanced Mode (VPC)
• Support for:
  • Static Routing
  • Firewalls
[Diagram labels: Firewalls, VPCs (xN), Security Groups, Tiers 1, 2, 3 with Elastic Network Interfaces, GW, Routing Tables]

Slide 29: CloudStack: Advanced Mode (VPC)
• Note: a CloudStack cloud can mix all 3 networking modes:
  • Basic, Advanced and VPC
  • The mode is set at the Zone level
[Diagram labels: same as slide 28]

Slide 30: Multicloud Resource Abstractions
RightScale’s Abstractions

Slide 31: MultiCloud Resource Hierarchy
Cloud
  • Networks
  • Instances
  • Subnets
  • NetworkInterfaces
  • IpAddressBindings
  • SecurityGroups
  • Network ACLs
  • Routing Tables
  • IpAddresses
  • Images
  • Volume Snapshots
  • Volumes
  • Datacenters

Slide 32: Multicloud Network Abstractions
• A Cloud has multiple Networks
• A Network defines an isolation perimeter (and has a CIDR block)
• Incoming/Outgoing communication must go through GWs
[Diagram labels: Networks (xN), GW]

Slide 33: Multicloud Network Abstractions
• Subnets further segment Networks into IP CIDR sub-blocks
• Instances can be connected to a Subnet through NetworkInterfaces
• A Subnet is scoped to one (or zero) Datacenters
[Diagram labels: Networks (xN), Subnets 1, 2, 3, each with NetworkInterfaces, GW]

Slide 34: Multicloud Network Abstractions
• Networks contain:
  • SecurityGroups
  • Routing Tables
  • Network ACLs
[Diagram labels: as slide 33, plus Security Groups, Routing Tables, Network ACLs]

Slide 35: Multicloud Network Abstractions
• Instances are launched within a Datacenter (placement)
• Instances connected to multiple Subnets via Network Interfaces (connectivity)
  • Connectivity restrictions may apply based on the Cloud.
• SecurityGroups are bound to Network Interfaces (i.e., different rules per subnet)
[Diagram labels: same as slide 34]

Slide 36: Multicloud Network Abstractions
[Diagram labels: same as slide 34]

Slide 37: Multicloud Network Abstractions
[Diagram labels: as slide 34, plus Volumes, Images + Volume Snapshots, Datacenters (DC 1, DC 2…)]

Slide 38: Multicloud Network Abstractions
[Diagram labels: as slide 37, plus IP Addresses (assignable), IpAddress Bindings: Instance + [IP] + [ports]]

Slide 39: Managing Multicloud Resources
• Accessible both through our new UI and API
• It presents a single interface for your cloud Network infrastructure
  • Aggregates resources across regions, providers and software versions.
• Network/Security operators design and analyze from a single pane of glass
• Infrastructure operators can manage those abstractions in deployments
• How will this look in the UI?...

Slide 40: Managing Multicloud Resources: UI
[Screenshot]

Slides 41-45: Managing Multicloud Resources: UI: Awesome Game US (East)
[Screenshots]

Slide 46: Managing Multicloud Resources: API
• RESTful API: multicloud as of version 1.5
• Creating a Network/Subnet
  • New resources, very simple attributes (Name, CIDR…)

    POST /api/networks
    {
      "name": "Foobar App Network",
      "cidr_block": "10.1.2.0/24",
      "cloud_href": "/api/clouds/1234",
      "tenancy": "default"
    }

    HTTP Code: 201 Created
    Location: /api/networks/10

Slide 47: Managing Multicloud Resources: API
• Creating a Server
  • Can specify which Network it belongs to
  • Can set the list of subnets it needs to be attached to (or default subnet)
  • Alternatively, can specify which already existing Network Interfaces to attach

    POST /api/servers
    {
      "name": "My Foobar Server",
      "network_href": "/api/networks/10",
      "subnet_hrefs": ["/api/subnets/11", "/api/subnets/12"],
      "security_group_href": ["/api/security_groups/6", "/api/security_groups/7"],
      "datacenter_href": "/api/datacenters/1",
      … cloud_settings, server_template, inputs …
    }

    HTTP Code: 201 Created
    Location: /api/servers/50

Slide 48: Managing Multicloud Resources: API
• IpAddressBinding resource also manages ports:
  • Attaching an IP without port ranges maps all ports of the IP to the instance
  • An IpAddress can be restricted to a port range (for clouds that support it)

    POST /api/ip_address_bindings
    {
      "instance_href": "/api/instances/1",
      "public_ip_address_href": "/api/ip_addresses/2",
      "protocol": "tcp",
      "public_port": 80,        (optional)
      "private_port": 8080      (optional)
    }

    HTTP Code: 201 Created
    Location: /api/ip_address_bindings/9

Slide 49: Managing Multicloud Resources: API
• Available soon:
  • Networks
  • Subnets
  • SecurityGroups (bound to Networks and NetworkInterfaces)
  • IpAddresses / Bindings (with the port forwarding abstractions)
• Routing tables and Network ACLs
  • API and UI are being designed
  • Implementation not started yet
  • But expect being able to create/delete routes and rules soon

Slide 50: Note on Synthetic Resources
• What about resources that are required but non-existent in the cloud?
  • A server can be connected to subnets (and SecurityGroups through them)
• We will create (wrap) these resources synthetically for you
  • So you can have consistency for clients using the API.
• Example: Subnets in Amazon EC2 classic

Slide 51: Synthetic Resources for EC2 Classic
• EC2 classic doesn’t have subnets
• But you still want to create your servers using the same abstractions
[Diagram labels: Security Groups, Amazon EC2, Routing Tables, Network ACLs, Subnets, Single Network (x1), NAT]

Slide 52: Synthetic Resources for EC2 Classic
• We will create a Synthetic Network to refer to the implicit classic EC2 Network
• We will create one Synthetic Subnet for each available Datacenter
• So you can specify the server configuration in a consistent manner
  • Regardless of EC2 Classic, Amazon VPC, or any other clouds
[Diagram labels: Security Groups, Amazon EC2, Routing Tables, Network ACLs, Synthetic Subnets (Synth Subnet 1 with Synthetic Interface 1; Synth Subnet 2 and 3 with Elastic Network Interfaces), Single Network (x1), NAT]

Slide 53: Summary
• Cloud Networking is messy and it varies greatly
  • But choice and configurability is very important
• RightScale abstractions allow you to
  • Operate and manage your Cloud networking from a single pane of glass
  • Using higher level, easier abstractions
  • While keeping the power to go down to the guts when needed
  • Available through both UI and API
  • Portable across clouds, cloud providers and cloud versions
• Give it a try
  • Manage your Networking more consistently, and at a higher level
  • While still taking advantage of the cloud features that make sense for you
  • But not at the cost of losing focus on your business
• You don’t have to be a multicloud user to get the advantages…

Slide 54: Questions?
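The abstraction model of slides 32 through 35 (a Network with a CIDR block, Subnets as CIDR sub-blocks scoped to at most one Datacenter, NetworkInterfaces carrying the SecurityGroups rather than the instance) and the synthetic Network/Subnets of slides 50 through 52 can be written down as a small Python model, which makes the security-relevant consequence concrete: the rule set that governs an instance is per interface, so two subnets on one server can be filtered differently. This is an added example, not RightScale code. Class names follow the slides; the validation rules (a subnet CIDR must nest inside the network block and not overlap sibling subnets, a datacenter-scoped subnet only accepts instances placed in that datacenter) and the use of None for the CIDR that EC2 Classic does not expose are assumptions made for the example.

```python
"""Toy model of the multicloud network abstractions (added example, not RightScale code)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Subnet:
    name: str
    cidr_block: Optional[str]   # None only for synthetic subnets (assumption)
    datacenter: Optional[str]   # scoped to one (or zero) Datacenters
    synthetic: bool = False


@dataclass
class Network:
    name: str
    cidr_block: Optional[str]   # the isolation perimeter's CIDR block
    subnets: list[Subnet] = field(default_factory=list)
    synthetic: bool = False


@dataclass
class NetworkInterface:
    subnet: Subnet
    security_groups: list[str]  # SGs bind to the interface, not to the instance


@dataclass
class Instance:
    name: str
    datacenter: str             # placement
    interfaces: list[NetworkInterface] = field(default_factory=list)


def add_subnet(network: Network, subnet: Subnet) -> Subnet:
    """Add a subnet, enforcing that it is a non-overlapping sub-block of the network CIDR."""
    net = ipaddress.ip_network(network.cidr_block)
    sub = ipaddress.ip_network(subnet.cidr_block)
    if not sub.subnet_of(net):
        raise ValueError(f"{subnet.name}: {sub} is not inside {net}")
    for existing in network.subnets:
        if existing.cidr_block and sub.overlaps(ipaddress.ip_network(existing.cidr_block)):
            raise ValueError(f"{subnet.name}: {sub} overlaps {existing.name}")
    network.subnets.append(subnet)
    return subnet


def attach(instance: Instance, subnet: Subnet, security_groups: list[str]) -> NetworkInterface:
    """Connect an instance to a subnet (connectivity) through a new interface.

    A subnet scoped to a datacenter only accepts instances placed there; an
    unscoped subnet (datacenter=None) accepts any instance. This is the
    'connectivity restrictions may apply' check, modelled as an assumption."""
    if subnet.datacenter is not None and subnet.datacenter != instance.datacenter:
        raise ValueError(f"{instance.name} is in {instance.datacenter}, "
                         f"subnet {subnet.name} is scoped to {subnet.datacenter}")
    nic = NetworkInterface(subnet=subnet, security_groups=list(security_groups))
    instance.interfaces.append(nic)
    return nic


def rules_per_subnet(instance: Instance) -> dict[str, set[str]]:
    """Which security groups filter traffic on each subnet the instance touches."""
    return {nic.subnet.name: set(nic.security_groups) for nic in instance.interfaces}


def synthesize_classic(datacenters: list[str]) -> Network:
    """Wrap EC2 Classic's single implicit network as one synthetic Network plus
    one synthetic Subnet per Datacenter, so servers are described the same way
    as on a VPC-style cloud. EC2 Classic exposes no CIDR here, so it stays None."""
    net = Network(name="ec2-classic", cidr_block=None, synthetic=True)
    for dc in datacenters:
        net.subnets.append(Subnet(name=f"synthetic-{dc}", cidr_block=None,
                                  datacenter=dc, synthetic=True))
    return net


def demo() -> dict[str, set[str]]:
    """Constructed sample: one network, two subnets, one server with a different SG per subnet."""
    app = Network("Foobar App Network", "10.1.2.0/24")
    web = add_subnet(app, Subnet("web", "10.1.2.0/25", "us-east-1a"))
    db = add_subnet(app, Subnet("db", "10.1.2.128/25", "us-east-1a"))
    server = Instance("My Foobar Server", "us-east-1a")
    attach(server, web, ["sg-web"])
    attach(server, db, ["sg-db"])
    return rules_per_subnet(server)


if __name__ == "__main__":
    print(demo())
    print(synthesize_classic(["us-east-1a", "us-east-1b"]))
```

When reviewing exposure on such a model, query rules_per_subnet rather than asking "which groups does this server have": on EC2 VPC and in the abstraction above the answer differs per interface, while on EC2 Classic (slide 17) the single implicit interface makes the two questions coincide.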
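The three API calls on slides 46 through 48 as client-side helpers: build each request body, reject malformed input before it reaches the API, and read the Location of the created resource from the 201 Created reply. This is an added example, not RightScale's client library. Attribute names, paths and the security_group_href key are copied from the slides; the checks (strict CIDR parsing so that a block with host bits set is refused, a 1 to 65535 port range, and a protocol being required for a port-restricted binding) are assumptions made for the example.

```python
"""Request builders for the network, server and IP-binding calls shown on the slides
(added example, not RightScale's client library)."""
import ipaddress
import json

API_BASE = "/api"   # path prefix used on the slides


def href(collection: str, resource_id) -> str:
    """Build a resource href such as /api/clouds/1234."""
    return f"{API_BASE}/{collection}/{resource_id}"


def network_body(name: str, cidr_block: str, cloud_id, tenancy: str = "default") -> dict:
    """Body for POST /api/networks (slide 46). Strict parsing rejects e.g. 10.1.2.1/24."""
    ipaddress.ip_network(cidr_block)   # raises ValueError on a malformed block
    return {"name": name, "cidr_block": cidr_block,
            "cloud_href": href("clouds", cloud_id), "tenancy": tenancy}


def server_body(name: str, network_id, subnet_ids: list, security_group_ids: list,
                datacenter_id, **extra) -> dict:
    """Body for POST /api/servers (slide 47): network, subnets to attach, SGs, placement.
    extra carries the attributes the slide elides (cloud_settings, server_template, inputs)."""
    if not subnet_ids:
        raise ValueError("list at least one subnet (or the cloud's default subnet)")
    body = {
        "name": name,
        "network_href": href("networks", network_id),
        "subnet_hrefs": [href("subnets", s) for s in subnet_ids],
        # key spelled exactly as on slide 47
        "security_group_href": [href("security_groups", g) for g in security_group_ids],
        "datacenter_href": href("datacenters", datacenter_id),
    }
    body.update(extra)
    return body


def ip_binding_body(instance_id, ip_id, protocol=None, public_port=None, private_port=None) -> dict:
    """Body for POST /api/ip_address_bindings (slide 48).

    No public_port: every port of the IP maps to the instance. With a
    public_port the binding is restricted to that port (and optionally
    forwarded to private_port), which we require to name a protocol (assumption)."""
    body = {"instance_href": href("instances", instance_id),
            "public_ip_address_href": href("ip_addresses", ip_id)}
    if public_port is None:
        if private_port is not None:
            raise ValueError("private_port needs a public_port")
        if protocol is not None:
            body["protocol"] = protocol
        return body
    if protocol not in ("tcp", "udp"):
        raise ValueError("a port-restricted binding needs protocol tcp or udp")
    for port in (public_port, private_port):
        if port is not None and not 1 <= int(port) <= 65535:
            raise ValueError(f"port out of range: {port}")
    body["protocol"] = protocol
    body["public_port"] = public_port
    if private_port is not None:
        body["private_port"] = private_port
    return body


def parse_created(status: int, headers: dict) -> str:
    """Return the href of the new resource from a 201 Created reply's Location header."""
    if status != 201:
        raise RuntimeError(f"expected 201 Created, got {status}")
    location = headers.get("Location", "")
    if not location.startswith(API_BASE + "/"):
        raise RuntimeError(f"unexpected Location header: {location!r}")
    return location


def render(method: str, path: str, body: dict) -> str:
    """Pretty-print a request the way the slides show it."""
    return f"{method} {path}\n{json.dumps(body, indent=2)}"


if __name__ == "__main__":
    print(render("POST", "/api/networks", network_body("Foobar App Network", "10.1.2.0/24", 1234)))
    print(render("POST", "/api/ip_address_bindings", ip_binding_body(1, 2, "tcp", 80, 8080)))
    # constructed reply, as on slide 46
    print(parse_created(201, {"Location": "/api/networks/10"}))
```

Validating the body before sending is cheap insurance: a binding created without ports exposes every port of the address, so a helper that makes the all-ports case an explicit, visible choice is easier to review than one where a dropped argument silently widens exposure.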
