Priti Desai, profile picture
Uploaded byPriti Desai
PPTX, PDF3,271 views

Secure Multi Tenant Cloud with OpenContrail

The document discusses architecting and building a secure multi-tenant cloud infrastructure for SaaS applications, highlighting the importance of network virtualization for workloads. It introduces OpenContrail, an open-source network virtualization platform, and details its architecture, features, and integration with OpenStack. Key topics include DNS management within the virtual networks, floating IPs, load balancing, and network policy enforcement to ensure isolation and fault tolerance among tenants.

Embed presentation

Downloaded 170 times
ARCHITECTING AND BUILDING A SECURE MULTI-TENANT CLOUD FOR SAAS APPLICATIONS Dilip Sundarraj Cloud Solutions Architect, Juniper Networks April 8th, 2015
Symantec CloudFire
What is Network Virtualization? • Independent of Physical Network Location or State • Logical Network across any server, any rack, any cluster, any data-center • Virtual Machines can migrate without requiring any reworking of security policies, load balancing, etc • New Workloads or Networks should not require provisioning of physical network • Nodes in Physical Network can fail without any disruption to Workload • Full Isolation for Multi-tenancy and Fault Tolerance • MAC and IP Addresses are completely private per tenant • Any failures or configuration errors by tenants do not affect other applications or tenants • Any failures in the virtual layer do not propagate to physical layer
OpenContrail • OpenSource Network Virtualization Platform for Cloud • Primary Use Cases: • Cloud Networking – IaaS, VPCs for Cloud SP, Private Cloud for Enterprises or SPs • NFV in SP networks – Value added services for SP edge networks.
OPENCONTRAIL ARCHITECTURE
Analytics CONTRAIL CONTROLLER ControlConfiguration x86 Host + Hypervisor ORCHESTRATOR x86 Host + Hypervisor Physical IP Network (no changes) vRouter vRouter Gateway Internet / WAN Legacy Infra. (VLAN, etc.) Bi-directional real-time message bus using XMPP Network orchestration Standard protocol (M- BGP) to talk with other Contrail controller instances Compute / Storage orchestration Accepts and converts orchestrator requests for VM creation, translates requests, and creates network Interacts with network elements for VM network provisioning and ensures uptime Real-time analytics engine collects, stores and analyzes network elements vRouter: Virtualized routing element handles localized control plane and forwarding plane work on the compute node Gateway: MX Series (or other router) serve as gateway improving scale & performance
OpenContrail <-> OpenStack
Openstack integration Horizon Nova API Compute Driver Virtual-IF Driver Nova Compute Contrail Agent vRouter (kernel) Virtual Router Nova Scheduler Neutron Driver Neutron Plugin Configuration Node Control Node 1 Create an Instance (VM Info, Network, IPAM, Policies, etc) 2 Schedule an Instance on the Compute Node 3 VM Network Properties 4 Create VM Interface 6 Publish VM Intf on IFMap 5 Add Port 7 VM Interface Config over XMPP Scripts
OpenContrail – Control Node • All Control Plane Nodes are active active • Each vRouter uses XMPP to connect with multiple Control Plane nodes for redundancy • Each Control Plane Node connects to multiple configuration nodes for redundancy • Control Plane Nodes federate using BGP Control Node "BGP module" Proxies XMPP Control Node Control Node Compute Node Compute Node Configuration Node Configuration Node IF-MAP XMPP IBGP IF-MAP Client Gateway Routers Service Nodes
OpenContrail - Compute Node
Compute node – Hypervisor, vRouter Compute Node Virtual Machine (Tenant B) Virtual Machine (Tenant C) Virtual Machine (Tenant C) vRouter Forwarding Plane Virtual Machine (Tenant A) Routing Instance (Tenant A) Routing Instance (Tenant B) Routing Instance (Tenant C) vRouter Agent Flow Table FIB Flow Table FIB Flow Table FIB Overlay tunnels MPLS over GRE or VXLAN JUNOSV CONTRAIL CONTROLLER JUNOSV CONTRAIL CONTROLLER XMPP Eth1Kernel Tap Interfaces (vif) pkt0 User Eth0 EthN Config VRFs Policy Table Top of Rack Switch XMPP
Compute node – Forwarding/Tunneling Overlay tunnels MPLS over GRE or VXLAN Compute Node vRouter Forwarding Plane Virtual Machine (VN-IP1) Routing Instance Flow Table FIB Eth1 (Phy-IP1) Tap Interfaces (vif) Compute Node vRouter Forwarding Plane Virtual Machine (VN-IP2) Routing Instance Flow Table FIB Eth1 (Phy-IP2) Tap Interfaces (vif) VIRTUAL PHYSICAL Virtual-IP2 Payload Virtual-IP2 Payload MPLS / VNI Phy-IP2 Virtual-IP2 Payload Virtual-IP2 Payload MPLS / VNI Phy-IP2 1. Guest OS ARPs for destination within subnet or default GW 2. VRouter receives the ARP and responds back with VRRP MAC 3. Guest OS sends traffic to the VRRP MAC, Vrouter encapsulates the packet with appropriate MPLS/VNI tag and GRE header 1. Physical Fabric Routers on Physical IP Address 1. Returning packets get forwarded to appropriate Routing Instance by the MPLS/VNI tag 1. VRouter de-capsulates the packet, and forwards it to the Guest OS
OPENCONTRAIL FEATURES @SYMC
DNSaaS Contrail offers 4 different DNS modes • Default DNS server • The host OS’s configured DNS server • Tenant DNS server • Tenants can use their own DNS servers (different from host OS’s DNS server) • Virtual DNS server • Contrail Controller provides a per tenant DNS server • None • VMs don’t have any DNS resolution capability One of these modes is selected when an IPAM instance is created for a domain.
Contrail Virtual DNS DNS Record Creation • Each IPAM -> Virtual DNS servers configured • Virtual Networks and VMs in IPAM use DNS domain of Virtual DNS server specified in IPAM • When a VM is spawned, • A & PTR records are added into the vDNS server of the virtual network’s IPAM NOTE: • DNS Records can also be added statically. • A, CNAME, PTR and NS records are also supported.
Contrail Virtual DNS DNS Resolution: 1. DNS requests from VM trapped to the vRouter agent on the hypervisor 2. vRouter agent then forwards DNS request to the controllers (which run BIND) for resolution. 3. BIND has the concept of views and every virtual DNS instance has its own isolated view view "default-domain-contrailtestdns" { rrset-order {order random;}; forwarders {172.16.70.254; }; zone "6.6.6.in-addr.arpa." IN { type master; file "/etc/contrail/dns/default-domain-contrailtestdns.6.6.6.in-addr.arpa.zone"; allow-update {127.0.0.1;}; }; zone "contrail.us" IN { type master; file "/etc/contrail/dns/default-domain-contrailtestdns.contrail.us.zone"; allow-update {127.0.0.1;}; }; };
DNS & IPAM Relationship • Neutron network maps to Contrail Virtual Network • network-ipam & virtual-DNS (Contrail specific constructs) • virtual-DNS object has domain as parent • network-ipam has project as parent. • So: • virtual-network ==refers-to==> network-ipam ==refers-to==> virtual-DNS
Contrail Virtual DNS @SYMC • By default, Contrail API server creates default-network- ipam object under the default-domain -> default-project hierarchy • However, using Contrail API hooks mechanism automatically • Create default-network-ipam object within a newly created project • Create default-virtual-DNS object within a newly created domain • Link them to provide vDNS functionality. • So, a new virtual-network when created, it is automatically linked to the project specific default-network-ipam and corresponding virtual DNS object
Floating IPs • Neutron supports the concept of floating IP (routable IP). • Instances are unaware of their Floating IP. • Every Virtual Network -> Routing Instance • Routing Instances • Define network connectivity between VMs in the Virtual Network • Contain routes only for VMs in the virtual network • Two Routing Instances (Virtual Networks) can be connected using • Neutron L3 agent • Contrail Network Policy (explained later) • By default, Virtual Network do not have access to a “public” (routable) network • A Gateway must be used to provide connectivity to "public" network from a virtual-network. • Floating IP support can be provided with • Simple Gateway – x86 based Software GW • Routing Device such as Juniper MX
Floating IP using Neutron L3 Router • Create an external network • neutron net-create public --router:external True • Create a router • neutron router-create router1 • Add interfaces from Virtual network to this router • neutron router-interface-add router1 SUBNET1_UUID • Set router-gateway-set on router instance • Connects a router to an external network, which enables that router to act as a NAT gateway for external connectivity. • neutron router-gateway-set router1 EXT_NET_ID
Spine Spine Leaf LeafLeaf BMS BMS BMS BMS Node Node Node Node Node Node Node Node Mountain View DC MX Router Internet Spine Spine Leaf LeafLeaf Node Node Node Node Node Node Node Node Node Node Node Node Boston DC Public VRF Intra- site VRF Internet MX Router Intra- site VRF Public VRF Intra-site VPN Multiple Floating IPs per VM @SYMC VMs in the MTV DC 1. Internet Routable Floating IP 2. IP Routable from Boston DC
LBaaS • LBaaS load balancer enables • Pool of VMs servicing apps accessible via a virtual IP. • Contrail LBaaS features: • Load balancing of traffic from clients to a pool of backend servers. The load balancer proxies all connections to its virtual IP. • Provides load balancing for HTTP, HTTPS, and TCP • Provides health monitoring capabilities for applications • Floating IP association to virtual IP for public access to the backend pool.
Contrail LBaaS Implementation
Contrail LBaaS Implementation • Supports OpenStack LBaaS Neutron APIs • Creation of virtual-ip, loadbalancer-pool, loadbalancer-member, and loadbalancer-healthmonitor. • Creates a Service Instance when a loadbalancer-pool is associated with a virtual-IP object. • Service scheduler launches a namespace & spawns HAProxy on it. • HAProxy parameters obtained from the load balancer objects. • HA of namespaces/HAProxy -> Active/Standby (2 diff computes)
Link Local Services Provides VMs access to specific services on IP Fabric infrastructure. • @SYMC • Keystone, Github, NTP, Logging, Monitoring and Metering services Once the link local service is configured, VMs can access the service using the link local address. • OpenStack Metadata Service on 169.254.169.254:80 is also implemented using Link Local Service (169.254.169.XXX, Service port) <-> (Destination IP, Service TCP/UDP port)
Contrail Network Policy • Enforces connectivity and policy enforcement between Virtual Networks • Follows the 5-tuple semantics • SRC/DST Virtual Network, SRC/DST Port, Protocol
Contrail Network Policy • Connectivity between two Virtual Networks is established by leaking routes between two Routing Instances when a network policy is created interconnecting the two VNs • Policy is enforced for specific traffic types by flow table programming in every vRouter which has the relevant Virtual Networks Compute Node Virtual Machine (Tenant B) Virtual Machine (Tenant C) Virtual Machine (Tenant C) vRouter Forwarding Plane Virtual Machine (Tenant A) Routing Instance (Tenant A) Routing Instance (Tenant B) Routing Instance (Tenant C) vRouter Agent Flow Table FIB Flow Table FIB Flow Table FIB Eth1Kernel Tap Interfaces (vif) pkt0 User Eth0 EthN Config VRFs Policy Table
Environments & Operations Environments • Lab: > 10 nodes • CI/CD test environment for SDN related features and functions • Staging: > 50 nodes • True IaaS for PaaS applications • Production: > 250 nodes • PaaS for end-user applications Operations: • Monitoring & Troubleshooting • Contrail Analytics feeds into OpsView & LMM • Upgrade • Phased upgrades during maintenance windows without application downtime.
TEST DRIVE OPENCONTRAIL
DEVSTACK + OPENCONTRAIL • WHAT? • Run OpenStack and OpenContrail on your laptop or in a VM • WHY? • Use to build & test OpenStack and OpenContrail code • Just play with OpenStack/OpenContrail features • HOW? • Ubuntu server/VM with 4GB RAM, access to github
DEVSTACK + OPENCONTRAIL (in-a-box) • Install packages: git-core, ant, build-essential, pkg-config • Download DevStack • (git clone git@github.com:/dsetia/devstack.git) • Edit localrc (set PHYSICAL_INTERFACE) • Run stack.sh • Installs Glance, Nova, Horizon, Keystone, Cinder • And OpenContrail (as a Neutron plugin)
RESOURCES • OpenContrail.org • E-Book, Architecture documents, blogs from developers/architects, slides, webinars • GitHub • https://github.com/Juniper/contrail-controller • https://github.com/Juniper/contrail-vrouter • https://github.com/Juniper/contrail-puppet • https://github.com/Juniper/contrail-web-controller • https://github.com/Juniper/contrail-neutron-plugin
Q&A

More Related Content

PPSX
Contrail Deep-dive - Cloud Network Services at Scale
byMarketingArrowECS_CZ
 
PPTX
Contrail Basics
byKimberly Macias
 
PDF
Cloud Network Virtualization with Juniper Contrail
bybuildacloud
 
PDF
PLNOG 13: Nicolai van der Smagt: SDN
byPROIDEA
 
PPSX
Service Chaining - Cloud Network Services at Scale
byMarketingArrowECS_CZ
 
PDF
OpenStack and OpenContrail for FreeBSD platform by Michał Dubiel
byeurobsdcon
 
PDF
Banv meetup-contrail
bynvirters
 
PPTX
OpenStack MeetUp - OpenContrail Presentation
byStacy Véronneau
 
Contrail Deep-dive - Cloud Network Services at Scale
byMarketingArrowECS_CZ
 
Contrail Basics
byKimberly Macias
 
Cloud Network Virtualization with Juniper Contrail
bybuildacloud
 
PLNOG 13: Nicolai van der Smagt: SDN
byPROIDEA
 
Service Chaining - Cloud Network Services at Scale
byMarketingArrowECS_CZ
 
OpenStack and OpenContrail for FreeBSD platform by Michał Dubiel
byeurobsdcon
 
Banv meetup-contrail
bynvirters
 
OpenStack MeetUp - OpenContrail Presentation
byStacy Véronneau
 

What's hot

PDF
Contrail Enabler for agile cloud services
byJuniper Networks (日本)
 
PPTX
The Juniper SDN Landscape
byChris Jones
 
PDF
[OpenStack 스터디] OpenStack With Contrail
byOpenStack Korea Community
 
PPTX
Reference design for v mware nsx
bysolarisyougood
 
PPSX
Juniper Contrail VNS A BASIC introduction
byMarketingArrowECS_CZ
 
PDF
Deployment of Juniper Contrail in AVG Technologies
byMarketingArrowECS_CZ
 
PPTX
SDN Controller
bytcp cloud
 
PDF
NFV в сетях операторов связи
byTERMILAB. Интернет - лаборатория
 
PDF
Kubernetes OpenContrail Meetup
byLachlan Evenson
 
PDF
MidoNet 101
byalexbikfalvi
 
PPTX
OpenContrail deployment experience
byJakub Pavlik
 
PPTX
Cloudstack conference open_contrail v4
byozkan01
 
PDF
Using OpenContrail with Kubernetes
byMatt Baldwin
 
PDF
Accelerating SDN Applications with Open Source Network Overlays
byCumulus Networks
 
PPTX
OpenContrail Silicon Valley Meetup Aug 25 2015
byScott Sneddon
 
PDF
NFV SDN Summit March 2014 D3 03 bruno_rijsman NFV with OpenContrail
byozkan01
 
PPTX
OpenStack: Virtual Routers On Compute Nodes
byclayton_oneill
 
PDF
ONIC Japan 2016 - Contrail アップデート
byJuniper Networks (日本)
 
PPTX
OpenContrail Presentation at Openstack Days Tokyo Japan Feb 13 2014
byozkan01
 
PPTX
Open contrail slides for BANV meetup
byScott Edwards
 
Contrail Enabler for agile cloud services
byJuniper Networks (日本)
 
The Juniper SDN Landscape
byChris Jones
 
[OpenStack 스터디] OpenStack With Contrail
byOpenStack Korea Community
 
Reference design for v mware nsx
bysolarisyougood
 
Juniper Contrail VNS A BASIC introduction
byMarketingArrowECS_CZ
 
Deployment of Juniper Contrail in AVG Technologies
byMarketingArrowECS_CZ
 
SDN Controller
bytcp cloud
 
NFV в сетях операторов связи
byTERMILAB. Интернет - лаборатория
 
Kubernetes OpenContrail Meetup
byLachlan Evenson
 
MidoNet 101
byalexbikfalvi
 
OpenContrail deployment experience
byJakub Pavlik
 
Cloudstack conference open_contrail v4
byozkan01
 
Using OpenContrail with Kubernetes
byMatt Baldwin
 
Accelerating SDN Applications with Open Source Network Overlays
byCumulus Networks
 
OpenContrail Silicon Valley Meetup Aug 25 2015
byScott Sneddon
 
NFV SDN Summit March 2014 D3 03 bruno_rijsman NFV with OpenContrail
byozkan01
 
OpenStack: Virtual Routers On Compute Nodes
byclayton_oneill
 
ONIC Japan 2016 - Contrail アップデート
byJuniper Networks (日本)
 
OpenContrail Presentation at Openstack Days Tokyo Japan Feb 13 2014
byozkan01
 
Open contrail slides for BANV meetup
byScott Edwards
 

Viewers also liked

PDF
Opencontrail network virtualization
byNicolai van der Smagt
 
PPTX
The Basic Introduction of Open vSwitch
byTe-Yen Liu
 
PPTX
○○○で作るOpenStack+Contrail環境
byVirtualTech Japan Inc.
 
PDF
Kubernetes SDN performance and architecture
byJakub Pavlik
 
PPT
Moving To SaaS
byAlistair Croll
 
PPTX
OpenStack & OpenContrail in Production
byEdgar Magana
 
PPTX
Docker and Windows: The State of the Union
byElton Stoneman
 
PDF
How we took our server side application to the cloud and liked what we got, B...
byDevOpsDays Tel Aviv
 
PDF
Characteristics of SaaS applications
byComprinno Technologies
 
Opencontrail network virtualization
byNicolai van der Smagt
 
The Basic Introduction of Open vSwitch
byTe-Yen Liu
 
○○○で作るOpenStack+Contrail環境
byVirtualTech Japan Inc.
 
Kubernetes SDN performance and architecture
byJakub Pavlik
 
Moving To SaaS
byAlistair Croll
 
OpenStack & OpenContrail in Production
byEdgar Magana
 
Docker and Windows: The State of the Union
byElton Stoneman
 
How we took our server side application to the cloud and liked what we got, B...
byDevOpsDays Tel Aviv
 
Characteristics of SaaS applications
byComprinno Technologies
 

Similar to Secure Multi Tenant Cloud with OpenContrail

PDF
Openstack Networking Internals - first part
bylilliput12
 
PPTX
OpenStack Quantum Intro (OS Meetup 3-26-12)
byDan Wendlandt
 
PPTX
OpenStack Neutron behind the Scenes
byAnil Bidari ( CEO , Cloud Enabled)
 
PPTX
OpenStack Neutron Behind The Senes
byopenstackindia
 
PDF
TIME Journey to the SPACE
byMyNOG
 
PDF
ONUG Tutorial: Bridges and Tunnels Drive Through OpenStack Networking
bymarkmcclain
 
PPTX
Quantum Folsom Summit Developer Overview
byDan Wendlandt
 
PPTX
PLNOG 13: Michał Dubiel: OpenContrail software architecture
byPROIDEA
 
PDF
Open stack networking_101_update_2014-os-meetups
byyfauser
 
PPTX
Midokura OpenStack Day Korea Talk: MidoNet Open Source Network Virtualization...
byDan Mihai Dumitriu
 
PDF
Software Defined Networks (SDN) na przykładzie rozwiązania OpenContrail.
bySemihalf
 
PPTX
Am 04 track1--salvatore orlando--openstack-apac-2012-final
byOpenCity Community
 
PDF
Introduction to Software Defined Networking and OpenStack Neutron
bySana Khan
 
PPT
Iaas on xcp
byThe Linux Foundation
 
PDF
Ct nyc-philly open stack meetups april 2014 final
byozkan01
 
PPTX
Simplifying openstack instances networking
byMohamed ELMesseiry
 
PDF
09 (IDNOG02) Services SDN & NFV Delivering more with less by Mochammad Irzan
byIndonesia Network Operators Group
 
DOCX
Handouts for east coast hands on exercises v1
byozkan01
 
PPTX
Odl virtualization-20140520
byNEC Corporation
 
PDF
Banv meetup 04162014
byozkan01
 
Openstack Networking Internals - first part
bylilliput12
 
OpenStack Quantum Intro (OS Meetup 3-26-12)
byDan Wendlandt
 
OpenStack Neutron behind the Scenes
byAnil Bidari ( CEO , Cloud Enabled)
 
OpenStack Neutron Behind The Senes
byopenstackindia
 
TIME Journey to the SPACE
byMyNOG
 
ONUG Tutorial: Bridges and Tunnels Drive Through OpenStack Networking
bymarkmcclain
 
Quantum Folsom Summit Developer Overview
byDan Wendlandt
 
PLNOG 13: Michał Dubiel: OpenContrail software architecture
byPROIDEA
 
Open stack networking_101_update_2014-os-meetups
byyfauser
 
Midokura OpenStack Day Korea Talk: MidoNet Open Source Network Virtualization...
byDan Mihai Dumitriu
 
Software Defined Networks (SDN) na przykładzie rozwiązania OpenContrail.
bySemihalf
 
Am 04 track1--salvatore orlando--openstack-apac-2012-final
byOpenCity Community
 
Introduction to Software Defined Networking and OpenStack Neutron
bySana Khan
 
Iaas on xcp
byThe Linux Foundation
 
Ct nyc-philly open stack meetups april 2014 final
byozkan01
 
Simplifying openstack instances networking
byMohamed ELMesseiry
 
09 (IDNOG02) Services SDN & NFV Delivering more with less by Mochammad Irzan
byIndonesia Network Operators Group
 
Handouts for east coast hands on exercises v1
byozkan01
 
Odl virtualization-20140520
byNEC Corporation
 
Banv meetup 04162014
byozkan01
 

Recently uploaded

PPTX
Optimizing Plant Maintenance — Key Elements of a Successful Maintenance Plan ...
byMaintWiz Technologies Private Limited
 
PDF
Hybrid Anomaly Detection Mechanism for IOT Networks
byIJCNCJournal
 
PDF
Modeltomodel_Transformation_with_ATL (1).pdf
byISEMENSIAS
 
PPTX
Track & Monitor Preventive Maintenance — Best Practices with MaintWiz CMMS
byMaintWiz Technologies Private Limited
 
PPTX
How to Create an Effective Monthly Preventive Maintenance Plan
byMaintWiz Technologies Private Limited
 
PPTX
Industrial Plant Safety – Comprehensive Guide for Workplace Safety & Risk Pre...
byMaintWiz Technologies Private Limited
 
PPTX
How to Implement Kaizen in Your Organization for Continuous Improvement Success
byMaintWiz Technologies Private Limited
 
PDF
PROPEX-RAG: Prompt-Driven GraphRAG for Multi-Hop QA
byapurvakarne
 
PPTX
Civil_Engineering_Technician_Skill_Assessment_2025_2026_Presentation.pptx
byCDR Australia Engineer
 
PPTX
22PEOIT4C Session 4 Breath First Search & Depth First Search.pptx
bymailmegokilavani
 
PPTX
Introduction to Civil Engineering-Defination, Branches of civil engineering a...
byvidyanand kadam
 
PPT
Intro AI DBATU.ppt ppt useful engineering
bydevinjon990
 
PPTX
Data Science with R Final yrUnit II.pptx
byOsmania University
 
PPTX
UNIT -3 -DIGITAL AND MOBILE FORENSICS FORENSIC READINESS-.pptx
byjemimaa3
 
PDF
AI-Driven CTI for Business: Emerging Threats, Attack Strategies, and Defensiv...
byAIRCC Publishing Corporation
 
PPTX
22PEOIT4C Session 9 Local search in continuous space.pptx
bymailmegokilavani
 
PPTX
Plant Bio-additives (2).pptxA plant bioadditive is a functional substance der...
byMadan Bhandari university and St. Xavier's college , Maitighar
 
PPTX
KTU 2024 SCHEME -PEMET 413 COMPOSITE MATERIALS MODULE 1 LECTURE 1.pptx
byVinayB68
 
PPT
24CYT13 - Chemistry for Electronics and Computer Systems-Unit-V-E Waste & Its...
byKrishnaveniKrishnara1
 
PDF
Bee problems on the basic engineering of electrical
byVinodkumar941730
 
Optimizing Plant Maintenance — Key Elements of a Successful Maintenance Plan ...
byMaintWiz Technologies Private Limited
 
Hybrid Anomaly Detection Mechanism for IOT Networks
byIJCNCJournal
 
Modeltomodel_Transformation_with_ATL (1).pdf
byISEMENSIAS
 
Track & Monitor Preventive Maintenance — Best Practices with MaintWiz CMMS
byMaintWiz Technologies Private Limited
 
How to Create an Effective Monthly Preventive Maintenance Plan
byMaintWiz Technologies Private Limited
 
Industrial Plant Safety – Comprehensive Guide for Workplace Safety & Risk Pre...
byMaintWiz Technologies Private Limited
 
How to Implement Kaizen in Your Organization for Continuous Improvement Success
byMaintWiz Technologies Private Limited
 
PROPEX-RAG: Prompt-Driven GraphRAG for Multi-Hop QA
byapurvakarne
 
Civil_Engineering_Technician_Skill_Assessment_2025_2026_Presentation.pptx
byCDR Australia Engineer
 
22PEOIT4C Session 4 Breath First Search & Depth First Search.pptx
bymailmegokilavani
 
Introduction to Civil Engineering-Defination, Branches of civil engineering a...
byvidyanand kadam
 
Intro AI DBATU.ppt ppt useful engineering
bydevinjon990
 
Data Science with R Final yrUnit II.pptx
byOsmania University
 
UNIT -3 -DIGITAL AND MOBILE FORENSICS FORENSIC READINESS-.pptx
byjemimaa3
 
AI-Driven CTI for Business: Emerging Threats, Attack Strategies, and Defensiv...
byAIRCC Publishing Corporation
 
22PEOIT4C Session 9 Local search in continuous space.pptx
bymailmegokilavani
 
Plant Bio-additives (2).pptxA plant bioadditive is a functional substance der...
byMadan Bhandari university and St. Xavier's college , Maitighar
 
KTU 2024 SCHEME -PEMET 413 COMPOSITE MATERIALS MODULE 1 LECTURE 1.pptx
byVinayB68
 
24CYT13 - Chemistry for Electronics and Computer Systems-Unit-V-E Waste & Its...
byKrishnaveniKrishnara1
 
Bee problems on the basic engineering of electrical
byVinodkumar941730
 

Secure Multi Tenant Cloud with OpenContrail

  • 1.
    ARCHITECTING AND BUILDINGA SECURE MULTI-TENANT CLOUD FOR SAAS APPLICATIONS Dilip Sundarraj Cloud Solutions Architect, Juniper Networks April 8th, 2015
  • 2.
  • 3.
    What is NetworkVirtualization? • Independent of Physical Network Location or State • Logical Network across any server, any rack, any cluster, any data-center • Virtual Machines can migrate without requiring any reworking of security policies, load balancing, etc • New Workloads or Networks should not require provisioning of physical network • Nodes in Physical Network can fail without any disruption to Workload • Full Isolation for Multi-tenancy and Fault Tolerance • MAC and IP Addresses are completely private per tenant • Any failures or configuration errors by tenants do not affect other applications or tenants • Any failures in the virtual layer do not propagate to physical layer
  • 4.
    OpenContrail • OpenSource NetworkVirtualization Platform for Cloud • Primary Use Cases: • Cloud Networking – IaaS, VPCs for Cloud SP, Private Cloud for Enterprises or SPs • NFV in SP networks – Value added services for SP edge networks.
  • 5.
  • 6.
    Analytics CONTRAIL CONTROLLER ControlConfiguration x86 Host+ Hypervisor ORCHESTRATOR x86 Host + Hypervisor Physical IP Network (no changes) vRouter vRouter Gateway Internet / WAN Legacy Infra. (VLAN, etc.) Bi-directional real-time message bus using XMPP Network orchestration Standard protocol (M- BGP) to talk with other Contrail controller instances Compute / Storage orchestration Accepts and converts orchestrator requests for VM creation, translates requests, and creates network Interacts with network elements for VM network provisioning and ensures uptime Real-time analytics engine collects, stores and analyzes network elements vRouter: Virtualized routing element handles localized control plane and forwarding plane work on the compute node Gateway: MX Series (or other router) serve as gateway improving scale & performance
  • 7.
  • 8.
    Openstack integration Horizon Nova API Compute Driver Virtual-IF Driver NovaCompute Contrail Agent vRouter (kernel) Virtual Router Nova Scheduler Neutron Driver Neutron Plugin Configuration Node Control Node 1 Create an Instance (VM Info, Network, IPAM, Policies, etc) 2 Schedule an Instance on the Compute Node 3 VM Network Properties 4 Create VM Interface 6 Publish VM Intf on IFMap 5 Add Port 7 VM Interface Config over XMPP Scripts
  • 9.
    OpenContrail – ControlNode • All Control Plane Nodes are active active • Each vRouter uses XMPP to connect with multiple Control Plane nodes for redundancy • Each Control Plane Node connects to multiple configuration nodes for redundancy • Control Plane Nodes federate using BGP Control Node "BGP module" Proxies XMPP Control Node Control Node Compute Node Compute Node Configuration Node Configuration Node IF-MAP XMPP IBGP IF-MAP Client Gateway Routers Service Nodes
  • 10.
  • 11.
    Compute node –Hypervisor, vRouter Compute Node Virtual Machine (Tenant B) Virtual Machine (Tenant C) Virtual Machine (Tenant C) vRouter Forwarding Plane Virtual Machine (Tenant A) Routing Instance (Tenant A) Routing Instance (Tenant B) Routing Instance (Tenant C) vRouter Agent Flow Table FIB Flow Table FIB Flow Table FIB Overlay tunnels MPLS over GRE or VXLAN JUNOSV CONTRAIL CONTROLLER JUNOSV CONTRAIL CONTROLLER XMPP Eth1Kernel Tap Interfaces (vif) pkt0 User Eth0 EthN Config VRFs Policy Table Top of Rack Switch XMPP
  • 12.
    Compute node –Forwarding/Tunneling Overlay tunnels MPLS over GRE or VXLAN Compute Node vRouter Forwarding Plane Virtual Machine (VN-IP1) Routing Instance Flow Table FIB Eth1 (Phy-IP1) Tap Interfaces (vif) Compute Node vRouter Forwarding Plane Virtual Machine (VN-IP2) Routing Instance Flow Table FIB Eth1 (Phy-IP2) Tap Interfaces (vif) VIRTUAL PHYSICAL Virtual-IP2 Payload Virtual-IP2 Payload MPLS / VNI Phy-IP2 Virtual-IP2 Payload Virtual-IP2 Payload MPLS / VNI Phy-IP2 1. Guest OS ARPs for destination within subnet or default GW 2. VRouter receives the ARP and responds back with VRRP MAC 3. Guest OS sends traffic to the VRRP MAC, Vrouter encapsulates the packet with appropriate MPLS/VNI tag and GRE header 1. Physical Fabric Routers on Physical IP Address 1. Returning packets get forwarded to appropriate Routing Instance by the MPLS/VNI tag 1. VRouter de-capsulates the packet, and forwards it to the Guest OS
  • 13.
  • 14.
    DNSaaS Contrail offers 4different DNS modes • Default DNS server • The host OS’s configured DNS server • Tenant DNS server • Tenants can use their own DNS servers (different from host OS’s DNS server) • Virtual DNS server • Contrail Controller provides a per tenant DNS server • None • VMs don’t have any DNS resolution capability One of these modes is selected when an IPAM instance is created for a domain.
  • 15.
    Contrail Virtual DNS DNSRecord Creation • Each IPAM -> Virtual DNS servers configured • Virtual Networks and VMs in IPAM use DNS domain of Virtual DNS server specified in IPAM • When a VM is spawned, • A & PTR records are added into the vDNS server of the virtual network’s IPAM NOTE: • DNS Records can also be added statically. • A, CNAME, PTR and NS records are also supported.
  • 16.
    Contrail Virtual DNS DNSResolution: 1. DNS requests from VM trapped to the vRouter agent on the hypervisor 2. vRouter agent then forwards DNS request to the controllers (which run BIND) for resolution. 3. BIND has the concept of views and every virtual DNS instance has its own isolated view view "default-domain-contrailtestdns" { rrset-order {order random;}; forwarders {172.16.70.254; }; zone "6.6.6.in-addr.arpa." IN { type master; file "/etc/contrail/dns/default-domain-contrailtestdns.6.6.6.in-addr.arpa.zone"; allow-update {127.0.0.1;}; }; zone "contrail.us" IN { type master; file "/etc/contrail/dns/default-domain-contrailtestdns.contrail.us.zone"; allow-update {127.0.0.1;}; }; };
  • 17.
    DNS & IPAMRelationship • Neutron network maps to Contrail Virtual Network • network-ipam & virtual-DNS (Contrail specific constructs) • virtual-DNS object has domain as parent • network-ipam has project as parent. • So: • virtual-network ==refers-to==> network-ipam ==refers-to==> virtual-DNS
  • 18.
    Contrail Virtual DNS@SYMC • By default, Contrail API server creates default-network- ipam object under the default-domain -> default-project hierarchy • However, using Contrail API hooks mechanism automatically • Create default-network-ipam object within a newly created project • Create default-virtual-DNS object within a newly created domain • Link them to provide vDNS functionality. • So, a new virtual-network when created, it is automatically linked to the project specific default-network-ipam and corresponding virtual DNS object
  • 19.
    Floating IPs • Neutronsupports the concept of floating IP (routable IP). • Instances are unaware of their Floating IP. • Every Virtual Network -> Routing Instance • Routing Instances • Define network connectivity between VMs in the Virtual Network • Contain routes only for VMs in the virtual network • Two Routing Instances (Virtual Networks) can be connected using • Neutron L3 agent • Contrail Network Policy (explained later) • By default, Virtual Network do not have access to a “public” (routable) network • A Gateway must be used to provide connectivity to "public" network from a virtual-network. • Floating IP support can be provided with • Simple Gateway – x86 based Software GW • Routing Device such as Juniper MX
  • 20.
    Floating IP usingNeutron L3 Router • Create an external network • neutron net-create public --router:external True • Create a router • neutron router-create router1 • Add interfaces from Virtual network to this router • neutron router-interface-add router1 SUBNET1_UUID • Set router-gateway-set on router instance • Connects a router to an external network, which enables that router to act as a NAT gateway for external connectivity. • neutron router-gateway-set router1 EXT_NET_ID
  • 21.
    Spine Spine Leaf LeafLeaf BMS BMS BMS BMS Node Node Node Node Node Node Node Node MountainView DC MX Router Internet Spine Spine Leaf LeafLeaf Node Node Node Node Node Node Node Node Node Node Node Node Boston DC Public VRF Intra- site VRF Internet MX Router Intra- site VRF Public VRF Intra-site VPN Multiple Floating IPs per VM @SYMC VMs in the MTV DC 1. Internet Routable Floating IP 2. IP Routable from Boston DC
  • 22.
    LBaaS • LBaaS loadbalancer enables • Pool of VMs servicing apps accessible via a virtual IP. • Contrail LBaaS features: • Load balancing of traffic from clients to a pool of backend servers. The load balancer proxies all connections to its virtual IP. • Provides load balancing for HTTP, HTTPS, and TCP • Provides health monitoring capabilities for applications • Floating IP association to virtual IP for public access to the backend pool.
  • 23.
  • 24.
    Contrail LBaaS Implementation •Supports OpenStack LBaaS Neutron APIs • Creation of virtual-ip, loadbalancer-pool, loadbalancer-member, and loadbalancer-healthmonitor. • Creates a Service Instance when a loadbalancer-pool is associated with a virtual-IP object. • Service scheduler launches a namespace & spawns HAProxy on it. • HAProxy parameters obtained from the load balancer objects. • HA of namespaces/HAProxy -> Active/Standby (2 diff computes)
  • 25.
    Link Local Services ProvidesVMs access to specific services on IP Fabric infrastructure. • @SYMC • Keystone, Github, NTP, Logging, Monitoring and Metering services Once the link local service is configured, VMs can access the service using the link local address. • OpenStack Metadata Service on 169.254.169.254:80 is also implemented using Link Local Service (169.254.169.XXX, Service port) <-> (Destination IP, Service TCP/UDP port)
  • 26.
    Contrail Network Policy •Enforces connectivity and policy enforcement between Virtual Networks • Follows the 5-tuple semantics • SRC/DST Virtual Network, SRC/DST Port, Protocol
  • 27.
    Contrail Network Policy •Connectivity between two Virtual Networks is established by leaking routes between two Routing Instances when a network policy is created interconnecting the two VNs • Policy is enforced for specific traffic types by flow table programming in every vRouter which has the relevant Virtual Networks Compute Node Virtual Machine (Tenant B) Virtual Machine (Tenant C) Virtual Machine (Tenant C) vRouter Forwarding Plane Virtual Machine (Tenant A) Routing Instance (Tenant A) Routing Instance (Tenant B) Routing Instance (Tenant C) vRouter Agent Flow Table FIB Flow Table FIB Flow Table FIB Eth1Kernel Tap Interfaces (vif) pkt0 User Eth0 EthN Config VRFs Policy Table
  • 28.
    Environments & Operations Environments •Lab: > 10 nodes • CI/CD test environment for SDN related features and functions • Staging: > 50 nodes • True IaaS for PaaS applications • Production: > 250 nodes • PaaS for end-user applications Operations: • Monitoring & Troubleshooting • Contrail Analytics feeds into OpsView & LMM • Upgrade • Phased upgrades during maintenance windows without application downtime.
  • 29.
  • 30.
    DEVSTACK + OPENCONTRAIL •WHAT? • Run OpenStack and OpenContrail on your laptop or in a VM • WHY? • Use to build & test OpenStack and OpenContrail code • Just play with OpenStack/OpenContrail features • HOW? • Ubuntu server/VM with 4GB RAM, access to github
  • 31.
    DEVSTACK + OPENCONTRAIL(in-a-box) • Install packages: git-core, ant, build-essential, pkg-config • Download DevStack • (git clone git@github.com:/dsetia/devstack.git) • Edit localrc (set PHYSICAL_INTERFACE) • Run stack.sh • Installs Glance, Nova, Horizon, Keystone, Cinder • And OpenContrail (as a Neutron plugin)
  • 32.
    RESOURCES • OpenContrail.org • E-Book,Architecture documents, blogs from developers/architects, slides, webinars • GitHub • https://github.com/Juniper/contrail-controller • https://github.com/Juniper/contrail-vrouter • https://github.com/Juniper/contrail-puppet • https://github.com/Juniper/contrail-web-controller • https://github.com/Juniper/contrail-neutron-plugin
  • 33.

Editor's Notes

  • #15 Tenants can use their own DNS servers using this mode. A list of servers can be configured in the IPAM
  • #16 DNS Domain received via DHCP DOMAIN-NAME option. Each record takes the type (A / CNAME / PTR / NS), class (IN), name, data and TTL values.
  • #18 While the core network resource in Neutron maps to virtual-network in Contrail, network-ipam and virtual-DNS are resources introduced by Contrail. network-ipam is also defined as a Neutron extension and can be used via Neutron API as Horizon does it here.. virtual-DNS will also be added as a Neutron extension in future. virtual-DNS object has domain as parent and network-ipam has project as parent. So: virtual-network ==refers-to==> network-ipam ==refers-to==> virtual-DNS
  • #20 Simple Gateway is a restricted implementation of gateway which can be used for experimental purposes. Simple gateway provides access to "public" network to virtual-networks.
  • #21 Explain about VRFs and RTs
  • #26 Metadata service is also a link-local service, with a fixed service name (metadata), a fixed service address (169.254.169.254:80), and a fabric address pointing to the server where the OpenStack Nova API server is running. All of the configuration and troubleshooting procedures for Contrail link-local services also apply to the metadata service. However, for metadata service, the flow is always set up to the compute node, so the vrouter agent will update and proxy the HTTP request. The vrouter agent listens on a local port to receive the metadata requests. Consequently, the reverse flow has the compute node as the source IP, the local port on which the agent is listening is the source port, and the instance’s metadata IP is the destination IP address.