CCC14 - CloudStack Networking · @ShapeBlue #CloudStack #CCCNA14 Isolate traffic between VMs...

CloudStack NetworkingPaul Angus

Cloud Architect [email protected]

@CloudyAngus@ShapeBlue

@ShapeBlue #CloudStack #CCCNA14

Cloud Architect with ShapeBlue Worked with CloudStack since 2.2.13 Specialising in deployment of CloudStack

and supporting infrastructure Orange, TomTom, PaddyPower, Ascenty,

BSkyB, SunGard, T‐Mobile I view CloudStack from a ‘What can cloud

consumers practically do with it’ point‐of‐view

About Me


“ShapeBlue are expert builders of public & private clouds. They are the leading global CloudStack /

CloudPlatform integrator & consultancy”

About ShapeBlue


Why NaaS – The Use CasesVPS Cloud

NaaS


Logical Networking Models Basic Advanced

CloudStack Networking


AWS Style L3 isolation – Massive Scale Simple Flat Network Each POD has a unique CIDR Optional Guest Isolation via Security Groups Optional NetScaler Integration ‐ Elastic IPs and Elastic LB Optional Nicira NVP Integration

Basic Networking


Isolate traffic between VMs Available for both Basic and Advanced Networking XenServer must use Linux Bridge and not Open vSwitch

xe‐switch‐network‐backend bridge Edit sysctl to enable net.bridge.bridge‐nf‐call‐iptables and

net.bridge.bridge‐nf‐call‐arptables Must be implemented before adding to CloudStack

Security Groups


Security Groups Rules can be mapped to CIDR or another Account/Security Group


This network model provides the most flexibility in defining guest networks and providing custom network offerings such as firewall, VPN, Load Balancer & VPC functionality.

Guest isolation is provided through layer‐2 means such as VLANs or SDN technologies

Advanced Networking


Private and Shared Guest Networks Multiple Physical Networks Virtual Router for each Network providing:

DNS & DHCP Firewall Client VPN Load Balancing Source / Static NAT Port Forwarding

Advanced Networking


Effectively enables the deployment of multiple ‘Basic’ style networks which use Security Groups for isolation of VMs, but with each Network encapsulated within a unique VLAN.

Advanced Networking & Security Groups


Management Network

Traffic between CloudStack Management Servers and the various cloud components (Hosts, System VMs, Storage*, vCenter etc)


Guest Network – Basic & Advanced


Guest Network – Basic Zone EIP / ELB


Public Network – Basic & Advanced


Public Network – System VMs

CPVM, SSVM & VRs have a connection to the Public Network*VRs only have public connection in Advanced Network


Storage Network


Physical Connectivity


Basic Zone – Example IP Schema


Advanced Zone – Example IP Schema


A Hardware or Virtual Appliance that provide Network Services to CloudStack e.g.

Network Service Providers

Virtual Router VPC Virtual Router Internal LBVM Citrix NetScaler F5 Load Balancer Juniper SRX Firewall Nicira Nvp

Midokura Midonet BigSwitch Vns Cisco VNMC Baremetal DHCP* Baremetal PXE* Palo Alto* Ovs (GRE/VXLAN) *new in 4.3


Private multi‐tiered Virtual Networks ACLs to control traffic isolation Inter VLAN Routing Site‐2‐Site VPN Private Gateway VPC‐2‐VPC VPN* User VPN*

Virtual Private Clouds (VPC)

*new in 4.3


VPC Components

Virtual Router – Connects all the VPC Components

Network Tiers – Isolated Networks, each with unique VLAN and CIDR


VPC Components

Public Gateway


VPC Components

Site‐2‐Site VPNLinked to Public Gateway


VPC Components

User VPNLinked to Public Gateway


VPC Components

VPC‐2‐VPC VPNLinked to Public Gateway


Private GatewayCreated by Root AdminsConfigured by Users (Static Routes)

VPC Components


VPC Components


Communication Ports

CCC14 - CloudStack Networking · @ShapeBlue #CloudStack #CCCNA14 Isolate traffic between VMs...

Documents

Transcript of CCC14 - CloudStack Networking · @ShapeBlue #CloudStack #CCCNA14 Isolate traffic between VMs...