VMworld 2014: vCloud Hybrid Service Networking Technical Deep Dive

Post on 16-Jul-2015


vCloud Hybrid Service Networking Technical Deep Dive

HBC2068

Ninad Desai, VMware, Inc David Hill, VMware, Inc

Disclaimer

•  This presentation may contain product features that are currently under development.
•  This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.
•  Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.
•  Technical feasibility and market demand will affect final delivery.
•  Pricing and packaging for any new technologies or features discussed or presented have not been determined.

VMware vCloud Hybrid Service is now VMware vCloud Air

What is vCloud Air Network Services built on?

vCloud Air Networking – Built on vCNS, moving to NSX

Fully Integrated vCloud Stack (top to bottom):
•  vCloud Air Management Console
•  vCloud Management and Automation – vCloud Director with vCloud Connector
•  vCloud Networking and Security (vCNS)
•  vCloud Infrastructure – vSphere / vCenter

Dedicated Cloud (Customer A): physically isolated servers, storage pool, VPN and network pool

vCNS in the vCloud Air management stack:
•  Being replaced by NSX-v Manager
•  Backward compatible with the current vCNS-based stack
•  Existing policies and features stay intact
•  Foundation for new networking features

How do I connect to vCloud Air?

Options to Connect to vCloud Air (Customer Data Center to vCloud Air):
•  Private WAN / Direct Connect / Cross Connect
•  IPsec Tunnel over the public Internet
•  Public Internet

Many Connectivity Choices To Support Many Use Cases

Connecting to vCloud Air

•  Over the Public Internet
   –  With Public IPs
   –  Use NAT for address translation
   –  By default the firewall is set to deny all and NAT is not configured
•  IPsec VPN
   –  vCloud Air features include IPsec VPN
   –  Multiple VPN tunnels can terminate on the Edge Gateway
   –  Can connect to most of the major on-prem VPN devices
•  Direct Connect
   –  Dedicated private connection
   –  Secure and high speed
   –  Extension of the customer's MPLS network or data center cage

Connecting via IPsec VPN

Example topology from the slide (VPN traffic crosses the Internet between the two Edge Gateways):

vSphere Edge Gateway (on premises)
§  LEP – 10.0.1.150 (local endpoint; the Edge uplink sits on 10.0.1.x behind 10.0.1.1 and is NATed to the public address 68.108.102.47)
§  Peer ID – 69.194.137.230
§  Peer IP – 69.194.137.230
§  Local network – 10.0.10.0/24, gateway 10.0.10.1

vCloud Air Edge Gateway
§  LEP – 69.194.137.230
§  Peer ID – 10.0.1.150
§  Peer IP – 68.108.102.47
§  Local network – 192.168.109.0/24, gateway 192.168.109.1 (VM at 192.168.109.2)

Traffic that must be permitted between the two endpoints: IP protocol 50 (ESP), IP protocol 51 (AH), UDP port 500 (IKE) and UDP port 4500 (IKE/ESP NAT traversal).

Note the asymmetry on the vCloud Air side: Peer ID is 10.0.1.150 but Peer IP is 68.108.102.47. The on-premises Edge is behind NAT, so the cloud Edge sees its packets arriving from the NAT device's public address while the IKE identity the on-premises Edge presents is its own LEP. Both fields must be set accordingly, and UDP 4500 has to be open for the NAT-traversed tunnel to come up.
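The following is an added example, not code from the deck or from VMware: a consistency check for the two ends of the tunnel on the slide, modelling the Edge Gateway VPN settings as plain dataclasses. The field names (lep, peer_id, peer_ip, local_subnets, nat_public_ip), the rule that an Edge presents its own LEP as its IKE identity, and the helper names are assumptions of this example, not the product's API.

```python
# Added example (not from the VMworld deck or VMware's own tooling): a
# consistency check for the two ends of the IPsec tunnel drawn on the slide.
# Field names (lep, peer_id, peer_ip, local_subnets, nat_public_ip) are this
# example's own model of the Edge Gateway VPN settings, not the product API.
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Optional


@dataclass
class EdgeVpnSite:
    name: str
    lep: str                   # Local endpoint: the address configured on this Edge
    peer_id: str               # Identity the remote Edge is expected to present
    peer_ip: str               # Address the remote Edge's IKE/ESP packets arrive from
    local_subnets: List[str]   # Networks this Edge puts into the tunnel
    nat_public_ip: Optional[str] = None  # Set when the LEP sits behind a NAT device

    def presented_id(self) -> str:
        # Assumption of this model: an Edge presents its own LEP as its IKE ID,
        # which is why the slide pairs "Peer ID - 10.0.1.150" with "Peer IP - 68.108.102.47".
        return self.lep

    def public_address(self) -> str:
        # What the remote side actually sees on the wire.
        return self.nat_public_ip or self.lep


def validate_pair(a: EdgeVpnSite, b: EdgeVpnSite) -> List[str]:
    """Return a list of mismatches between the two tunnel ends (empty = consistent)."""
    problems: List[str] = []
    for local, remote in ((a, b), (b, a)):
        if local.peer_id != remote.presented_id():
            problems.append(f"{local.name}: Peer ID {local.peer_id} does not match "
                            f"{remote.name} LEP {remote.lep}")
        if local.peer_ip != remote.public_address():
            problems.append(f"{local.name}: Peer IP {local.peer_ip} does not match "
                            f"the address {remote.name} is reachable at "
                            f"({remote.public_address()})")
    # The two sides' local networks must not overlap, or the tunnel's
    # traffic selectors and the routes behind each Edge become ambiguous.
    for sa in a.local_subnets:
        for sb in b.local_subnets:
            if ip_network(sa).overlaps(ip_network(sb)):
                problems.append(f"overlapping local subnets {sa} and {sb}")
    return problems


def nat_traversal_required(a: EdgeVpnSite, b: EdgeVpnSite) -> bool:
    """True when either endpoint is NATed, so UDP 4500 (NAT-T) must be allowed."""
    return any(site.nat_public_ip is not None for site in (a, b))


def required_firewall_openings(a: EdgeVpnSite, b: EdgeVpnSite) -> List[str]:
    """Protocols/ports from the slide that must pass between the two public addresses."""
    openings = ["ip/50 ESP", "ip/51 AH", "udp/500 IKE"]
    if nat_traversal_required(a, b):
        openings.append("udp/4500 NAT-T")
    return openings


# The two sides as labelled on the slide.
ONPREM = EdgeVpnSite("vSphere Edge Gateway", lep="10.0.1.150",
                     peer_id="69.194.137.230", peer_ip="69.194.137.230",
                     local_subnets=["10.0.10.0/24"], nat_public_ip="68.108.102.47")
CLOUD = EdgeVpnSite("vCloud Air Edge Gateway", lep="69.194.137.230",
                    peer_id="10.0.1.150", peer_ip="68.108.102.47",
                    local_subnets=["192.168.109.0/24"])

if __name__ == "__main__":
    print(validate_pair(ONPREM, CLOUD) or "both ends agree")
    print(required_firewall_openings(ONPREM, CLOUD))
```

The typical misconfiguration this catches is setting the cloud side's Peer IP to the on-premises LEP (10.0.1.150) because that is the value shown as Peer ID: the tunnel then never sees a matching IKE source address. Overlapping local subnets on the two ends are flagged for the same reason the deck insists on bringing your own IP space through NAT: both Edges would otherwise claim the same routes.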

What Networking Services do we offer?

vCloud Air - Options and Gateway Choices

§  Shared Cloud
   •  Logically separated network, compute and storage
   •  5GHz CPU (burstable to 10GHz), 20GB RAM, 2TB storage
   •  No vDC segmentation
   •  One Edge Gateway
§  Dedicated Cloud
   •  Physically separated hosts
   •  Logically separated network and storage
   •  30GHz CPU, 120GB RAM, 6TB storage
   •  Segment vDCs based on orgs (VDC1, VDC2, VDC3, VDC4, ...)
   •  Multiple Edge Gateways

vCloud Air Basic Networking Constructs

•  External Network (managed by VMware), facing the Internet
•  Customer's vDC Edge Gateway, providing NAT, Firewall, Load Balancer, IPsec, DHCP and static routing
•  Routed/Gateway Networks behind the Edge Gateway (up to 9 networks)
•  Isolated Network (not connected to the Edge Gateway)

Configuration Access Options

•  vCloud Air Management Web Portal - For basic networking configurations
•  vCloud Director management portal - For advanced networking configs

Can I bring my Private IP space along?

Yes! Via Network Address Translation (NAT)

•  Need to create F/W rules to allow traffic (the gateway's default policy is deny all)
•  IPv4 NAT
•  Source NAT (SNAT) & Destination NAT (DNAT) rules
   –  Supports multiple rules on multiple interfaces
   –  Options include protocol/port selection
•  Can use internal/private IP space
   –  Bring your own internal IP space (10.x.x.x, 172.16.x.x, 192.168.x.x)
   –  Create/Manage subnets within the IP space
   –  Multiple IP spaces under the same gateway: on the slide, Organization Net 1, 2 and 3 sit behind one Edge Gateway, whose public IPs are what the outside world sees

But... Can I stretch my Layer 2 network on to vCloud Air?

vCloud Connector Data Center L2 Extension

Topology from the slide: the on-premises network 192.168.50.0/24 (default gateway 192.168.50.10; hosts .33 to .37) is stretched into vCloud Air, where the same 192.168.50.0/24 exists behind the vCloud Air Edge Gateway (VM at .33). The stretch is carried as an SSL tunnel over the Internet between the on-premises Edge Gateway, behind the corporate firewall at 184.61.71.155, and the vCloud Air Edge Gateway at 74.204.180.41. The slide also shows a second stretched subnet (addresses ending .100.10 and .100.33).

Layer 2 Extensions – Updated with NSX

•  Site A: non-NSX, VLAN-backed network (VLAN 10 and VLAN 11) with its own default router; a vNIC trunk carrying VLAN 10-11 feeds the SSL client
•  Transport: any L3 network, VPN or Direct Connect to vCloud Air
•  vCloud Air: the NSX Edge Gateway terminates the SSL tunnel and extends both VLANs to the vCloud Air client side

Okay.. So I have a typical multi-tier app (LAMP/WAMP stack). Can I bring it to vCloud Air?

Firewall for Multi-Tier Applications

Web tier, App tier and DB tier sit on separate networks behind the Edge Gateway; the Internet reaches only the web tier.

Firewall
•  5-tuple F/W policies
   –  Protocol, Source/Dest. IP, Source/Dest. Port
•  Stateful Firewall
•  FIPS 140-2 Crypto
•  Common Criteria EAL 4

Load Balancing
•  VIP and pool servers (slide example: VIP 66.44.4.1 on the Edge Gateway in front of a server pool)
•  Health check
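The following is an added example, not code from the deck or from vCloud Air, serving both the NAT section ("Can I bring my private IP space along?") and the multi-tier firewall above: a small model of an Edge Gateway that applies DNAT and then 5-tuple, stateful firewall rules to a three-tier application. The tier subnets, the public address 203.0.113.10, the rule shapes and the processing order (DNAT before the firewall lookup, first match wins, implicit deny, replies matched by connection state) are this example's own assumptions.

```python
# Added example (not code from the slides or from vCloud Air): a small model of
# how an Edge Gateway applies DNAT and then 5-tuple, stateful firewall rules to
# the three-tier application on the slide. The tier subnets, the public IP
# 203.0.113.10 and the processing order (DNAT before the firewall lookup,
# default deny, replies matched by connection state) are assumptions.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple

# 5-tuple: (protocol, src_ip, dst_ip, src_port, dst_port)
Flow = Tuple[str, str, str, int, int]


@dataclass(frozen=True)
class DnatRule:
    protocol: str
    original_ip: str        # public address on the gateway's external interface
    original_port: int
    translated_ip: str      # internal server the traffic is sent to
    translated_port: int


@dataclass(frozen=True)
class FwRule:
    action: str             # "allow" or "deny"
    protocol: str           # "tcp", "udp" or "any"
    src: str                # CIDR or "any"
    dst: str                # CIDR or "any"
    dst_port: Optional[int] = None   # None matches every destination port


def _in(cidr: str, ip: str) -> bool:
    return cidr == "any" or ip_address(ip) in ip_network(cidr)


class EdgeGateway:
    """Default-deny gateway: no DNAT and no allow rules until the customer adds them."""

    def __init__(self, dnat: Optional[List[DnatRule]] = None,
                 firewall: Optional[List[FwRule]] = None) -> None:
        self.dnat = dnat or []
        self.firewall = firewall or []
        self.flows: Set[Flow] = set()      # connection table for the stateful check

    def translate(self, pkt: Flow) -> Flow:
        proto, src, dst, sport, dport = pkt
        for r in self.dnat:
            if r.protocol == proto and r.original_ip == dst and r.original_port == dport:
                return (proto, src, r.translated_ip, sport, r.translated_port)
        return pkt

    def evaluate(self, pkt: Flow) -> Tuple[str, Flow]:
        """Return (verdict, packet as forwarded); verdict is allow/established/deny."""
        pkt = self.translate(pkt)          # DNAT happens before the rule lookup
        proto, src, dst, sport, dport = pkt
        if (proto, dst, src, dport, sport) in self.flows:
            return "established", pkt      # reply to a connection already allowed
        for r in self.firewall:            # first match wins
            if (r.protocol in ("any", proto) and _in(r.src, src) and _in(r.dst, dst)
                    and (r.dst_port is None or r.dst_port == dport)):
                if r.action == "allow":
                    self.flows.add(pkt)
                return r.action, pkt
        return "deny", pkt                 # implicit deny-all


# Constructed tier layout for the LAMP-style application on the slide.
WEB, APP, DB = "192.168.10.0/24", "192.168.20.0/24", "192.168.30.0/24"
PUBLIC_IP, WEB_SERVER = "203.0.113.10", "192.168.10.11"


def build_gateway() -> EdgeGateway:
    return EdgeGateway(
        dnat=[DnatRule("tcp", PUBLIC_IP, 443, WEB_SERVER, 443)],
        firewall=[
            FwRule("allow", "tcp", "any", WEB, 443),   # Internet -> web tier, HTTPS only
            FwRule("allow", "tcp", WEB, APP, 8080),    # web -> app
            FwRule("allow", "tcp", APP, DB, 3306),     # app -> MySQL
            FwRule("deny", "any", "any", DB),          # nothing else reaches the DB tier
        ],
    )


if __name__ == "__main__":
    gw = build_gateway()
    for pkt in [("tcp", "198.51.100.5", PUBLIC_IP, 51000, 443),
                ("tcp", WEB_SERVER, "198.51.100.5", 443, 51000),
                ("tcp", "192.168.10.11", "192.168.30.5", 40000, 3306)]:
        print(pkt, "->", gw.evaluate(pkt))
```

Two points the deck makes show up directly: an EdgeGateway() with no rules denies everything, which is the state a new vCloud Air gateway starts in, and a web server that has been compromised cannot open its own connection to MySQL because the only allowed path to the DB tier is from the app subnet.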

Direct Connect Use Cases

Ø  Can I have a private connection to vCloud Air?
Ø  Can vCloud Air be part of my MPLS connection?
Ø  Can I cross connect in to vCloud Air?
Ø  Can I extend my layer 2 network on to this direct connect interface?

vCloud Air Direct Connect

•  Cross connect use case: the customer's co-lo cage (data center owner operated/managed) connects directly to the vCloud Air connection point (vCloud Air managed)
•  WAN connectivity use case: the customer data center reaches the vCloud Air connection point (vCloud Air managed) over an NSP connection (MPLS, E-Line etc.)

Direct Connect – With vCloud Air

Topology from the slide:
•  Headquarters (Private Network 192.168.50.0/24, DMZ Network 192.168.52.0/24) and a branch office (10.1.1.x/24, 10.2.2.x/24, 10.3.3.x/24) are joined by the NSP's MPLS network
•  The MPLS circuit lands at the NSP termination point inside the vCloud Air connection point (MDF/MMR); the link at the connection point is labelled 10.2.2.1 / 10.2.2.2
•  From the MDF/MMR an untagged Layer 2 connection (1G or 10G) runs to the customer's Edge Gateway in vCloud Air, which fronts Private Network 192.168.50.0/24 and Private Network 192.168.100.x/24 and also keeps its Internet uplink

Direct Connect – Using Existing Security

•  1 Gbps / 10 Gbps Direct Connect traffic arrives over a private line and passes through the customer's existing security policies and appliances (Internet gateway, IDS, IPS) before reaching the Edge Gateway and the vCloud Air networks (DMZ 192.168.52.0/24, Private 192.168.50.0/24 and 192.168.110.0/24)
•  The same 10.1.1.x/24 addressing appears on both ends of the private line

Cross Connect

•  The Direct Connect line (1 or 10 Gbps) runs from the customer cage straight to the Edge Gateway in vCloud Air, serving DMZ 192.168.52.0/24 and Private 192.168.50.0/24 / 192.168.110.0/24

Direct Connect – Extended Layer 2

•  A Direct Access Network carries 10.1.1.x/24 unchanged across the private line between the co-lo cage and vCloud Air, while Internet-bound traffic still passes through the existing Internet gateway, IDS and IPS

How about global availability of applications?

Global Load Balancing – Dyn Example

•  Virtual Private Cloud (West): Edge Gateway LB with vCNS virtual server 192.240.153.11 in front of vCNS pool servers 192.168.109.11 and 192.168.109.12
•  Dedicated Cloud (East): Edge Gateway LB with vCNS virtual server 74.204.180.41 in front of vCNS pool servers 192.168.205.11 and 192.168.205.12
•  Dyn Traffic Director performs DNS-based global load balancing, steering Internet clients to one of the two virtual servers

Advanced Networking - Hybrid Horizon View Logical Architecture

•  WDC (On Premises): Edge Gateway (public address 66.45.200.37) fronting Corp-NET 192.168.1.0/24 (AD01 .41, AD02 .42, View Connection Server ViewCS .5) and Public-NET 192.168.2.0/24 (View Security Server ViewSS .5)
•  vCloud Air Las Vegas (IaaS): Edge Gateway (public address 69.194.137.139) fronting Desktop-NET 192.168.3.0/24 (desktops DT01, DT02) and Public-NET 192.168.20.0/24 (ViewSS .5)
•  The two Edge Gateways are joined by IPsec VPN; clients connect to view.vmtm.org and PCoIP and Blast sessions are delivered through the security servers

vCloud Air and F5 – Global Load balancing

•  On premises: Corp-NET 192.168.100.0/24 (AD05, AD06), Public-NET 192.168.200.0/24 and BIP-Internal-NET 10.10.10.0/24 hosting the F5 BIG-IP BIP02
•  vCloud Air: Edge Gateway (uplink 10.0.1.150) in front of 10.0.10.0/24 (gateway 10.0.10.1) hosting the second BIP02, reached from the Internet through DNAT Any:Any and Firewall Any:Any rules on the Edge
•  Caveat: the Any:Any DNAT and firewall rules on the slide expose the whole BIG-IP to the Internet; outside a lab, restrict both to the listener ports the BIG-IP actually serves and to the peer addresses it needs to exchange GSLB traffic with

..And what about network security - IPS/IDS?

Trend Micro Based – IPS/IDS (Deep Security)

Protection modules: Firewall, Log Inspection, Anti-Malware, Integrity Monitoring, Web Reputation, Intrusion Prevention

Management: Deep Security Manager and Relay, Deep Security Database

Deployment in vCloud Air: the Deep Security Manager and its database sit behind the Edge Gateway alongside the protected VMs, each of which runs a Deep Security Agent

vCloud Air – Security Solution via Trend Micro

Choice of Networking Services Applications…

vCloud Air Recovery Service

“No.. No… the world was destroyed… this is a backup”

Recovery as a Service – Networking

Ø  How do I maintain the same network configs?
Ø  Do I need to re-do the network configs?
Ø  Do I need to 'stretch' my network?
Ø  How can I maintain my IP settings on VMs?

Disaster Recovery – Networking

•  Pre-create networks on the DR cloud with the same private IP space, name and relevant properties
•  When VMs are replicated, the IPs of the VMs are retained
•  When a disaster occurs and the VMs on the DR side are powered on, simply connect the VMs to the pre-existing networks

Example from the slide: WDC (On Premises) has Desktop-NET 192.168.3.0/24 (DT01, DT02), Corp-NET 192.168.1.0/24 (AD01 .41, AD02 .42, ViewCS .5) and Public-NET 192.168.2.0/24 (ViewSS .5) behind an Edge Gateway. The VMs replicate to the DR vDC in vCloud Air, whose Edge Gateway fronts pre-created networks with the same names and ranges (192.168.3.0/24 Desktop-NET, 192.168.1.0/24 Corp-NET, 192.168.2.0/24 Public-NET), so the replicated VMs keep working with their retained addresses.
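The following is an added example, not part of the deck or of vCloud Air Disaster Recovery: a pre-failover check that the DR vDC already has a network for every protected network, with the same range, and that each replicated VM's retained IP lands inside the matching DR network. The network and VM records are built from the labels on the slide; the record shapes and the dr_readiness function are this example's own.

```python
# Added example (not part of the slides or of vCloud Air Disaster Recovery):
# a pre-failover check that the DR vDC already has a network for every
# protected network and that each replicated VM's retained IP lands inside
# the matching DR network. Data are constructed from the slide's labels;
# the Network/ReplicatedVm record shapes are this example's own.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List


@dataclass(frozen=True)
class Network:
    name: str
    cidr: str


@dataclass(frozen=True)
class ReplicatedVm:
    name: str
    network: str      # name of the network the VM was attached to at the source
    ip: str           # address retained through replication


def dr_readiness(source: List[Network], dr: List[Network],
                 vms: List[ReplicatedVm]) -> List[str]:
    """Return findings that would break failover; an empty list means ready."""
    findings: List[str] = []
    dr_by_name: Dict[str, Network] = {n.name: n for n in dr}
    for net in source:
        twin = dr_by_name.get(net.name)
        if twin is None:
            findings.append(f"DR vDC has no network named {net.name}; pre-create {net.cidr}")
        elif ip_network(twin.cidr) != ip_network(net.cidr):
            findings.append(f"{net.name}: DR range {twin.cidr} differs from source {net.cidr}")
    for vm in vms:
        twin = dr_by_name.get(vm.network)
        if twin is None:
            continue                       # the missing network was already reported
        if ip_address(vm.ip) not in ip_network(twin.cidr):
            findings.append(f"{vm.name}: retained IP {vm.ip} is outside DR network "
                            f"{twin.name} ({twin.cidr}); reconnecting it will not "
                            f"restore reachability")
    return findings


# Networks and hosts as labelled on the slide (WDC on premises -> DR vDC).
SOURCE = [Network("Desktop-NET", "192.168.3.0/24"),
          Network("Corp-NET", "192.168.1.0/24"),
          Network("Public-NET", "192.168.2.0/24")]
VMS = [ReplicatedVm("AD01", "Corp-NET", "192.168.1.41"),
       ReplicatedVm("AD02", "Corp-NET", "192.168.1.42"),
       ReplicatedVm("ViewCS", "Corp-NET", "192.168.1.5"),
       ReplicatedVm("ViewSS", "Public-NET", "192.168.2.5")]

if __name__ == "__main__":
    print(dr_readiness(SOURCE, list(SOURCE), VMS) or "DR vDC networks ready")
```

Run this against the DR vDC inventory before a test failover rather than during a real one: a network created with a typo in its range is invisible while replication is healthy and only shows up when the VMs power on and cannot reach their gateway.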

VMware vCloud Air - Virtual Private Cloud OnDemand

Interested in participating in the vCloud Air OnDemand Beta Program? The Product Team from vCloud Air is now accepting candidates interested in participating in the Fall 2014 beta program.

Visit vmware.com/go/ondemand to sign up

VMware vCloud Air 5 Starting Points Program (VMworld 2014)

Starting Point                       | Session ID | Topic
Dev/Test                             | HBC2577    | Hybrid Sandboxing – Create the Ultimate On and Off Premises Test/Dev Factory
Extend Existing Applications         | HBC2066    | Architect the Hybrid Cloud for Exchange and Lync
Disaster Recovery                    | HBC1534    | Recovery as a Service (RaaS) with vCloud Hybrid Service
Modernize Enterprise Applications    | HBC2609    | Smells Like Team Spirit: Achieve Hybrid Operations Nirvana with vCloud Hybrid Service
Create Next Generation Applications  | HBC1917    | Build Your First Mobile Application… In the Cloud… In 60 minutes

Learn the fundamentals of vCloud Air by attending any or all of our 5 Starting Point breakout sessions within the Hybrid Cloud Track.

Attend any of these breakout sessions and earn a free vCloud Air "Dilbert" t-shirt.

Hybrid Cloud Hands On Labs

Check out the Expert-Led and Self-Paced vCloud Air Hands on Labs

Session ID    | Title
ELW-HBD-1481  | HOL: Expert-Led Workshop – Hybrid Cloud Jumpstart Workshop
ELW-HBD-1484  | HOL: Expert-Led Workshop – Disaster Recovery to the Cloud Workshop
SPL-HBD-1481  | HOL: Self Paced Lab – vCloud Hybrid Service - Jump Start for vSphere Admins
SPL-HBD-1482  | HOL: Self Paced Lab – vCloud Hybrid Service - Networking & Security
SPL-HBD-1483  | HOL: Self Paced Lab – vCloud Hybrid Service - Manage Your Cloud

Learn the fundamentals of vCloud Air by attending any or all of our 5 Starting Point breakout sessions within the Hybrid Cloud Track as well as our Hands on Labs.

Try any of these HOLs and earn a free vCloud Air "Dilbert" t-shirt.

Hybrid Cloud Theater Schedule - VMware Booth (Solutions Exchange)

In addition to the breakout sessions within the Hybrid Cloud track, check out our THEATER schedule for the week from the VMware booth at the Solutions Exchange

Sunday
•  5:00pm - What is this Hybrid Cloud Thing Anyway?

Monday
•  12:15pm - Getting Started with Hybrid Cloud - 5 Use Cases
•  1:30pm - vCloud Air OnDemand
•  3:45pm - What is this Hybrid Cloud Thing, Anyway?
•  5:30pm - Hybrid Cloud DevOps: How to keep your Devs from Running Wild

Tuesday
•  12:15pm - Project NEE - Delivering Hands-on Education at Cloud Scale
•  1:00pm - vCloud Air Network
•  2:45pm - Disaster Recovery with vCloud Air
•  4:00pm - Getting Started with Hybrid Cloud - 5 Use Cases
•  5:30pm - Hybrid Management on vCloud Air

Wednesday
•  10:15am - vCloud Air OnDemand
•  12:45pm - The Internet of Things: Virtual Machines, vCloud Air, vCenter Operations and the Intel IoT Gateway
•  2:15pm - Disaster Recovery with vCloud Air
•  3:30pm - Another Day in Paradise....Going Full Hybrid with vCloud Air
•  4:30pm - RAD in the Hybrid Cloud

Thank You Q&A

Fill out a survey. Every completed survey is entered into a drawing for a $25 VMware company store gift certificate.