Enterprise-Grade Networking in OpenStack


Transcript of Enterprise-Grade Networking in OpenStack

Copyright 2013 Alcatel-Lucent. All rights reserved. CONFIDENTIAL - SOLELY FOR AUTHORIZED PERSONS HAVING A NEED TO KNOW
PROPRIETARY – USE PURSUANT TO COMPANY INSTRUCTION. Nuage Networks


Nuage Networks: Enterprise-Grade Networking in OpenStack

@martenhauville @jonasvermeulen

Marten Hauville, Principal Solutions Architect ANZ
Jonas Vermeulen, Product Line Manager EMEA


…or how enterprise IT needs to deliver networking with high availability, scalability and interoperability across complex multi-site environments, seamlessly with existing heterogeneous infrastructure and vendors. Oh, and interconnect OpenStack private clouds with external public clouds too.

What does Enterprise want?
• Faster time to market
• Lower cost, higher quality
• Reduced OpEx
• Ubiquitous, easy to manage, maintain, consume

Enterprise technology drivers
• Self service from a catalogue
• On-demand service
• OpEx model for charging (charge-back)
• Pool of resources that can be easily adjusted
• Availability of integrated applications in a shared environment (Application PaaS)
• Short-cycle provisioning

Enterprise requires complexity
• Existing hardware, hypervisors, platforms
• Platforms and apps that cannot be virtualised
• Multiple data centres, remote branches
• Remote workers
• Operational and maintenance costs
• Pressure from the business to perform
• Hidden IT: AWS workloads
• Reporting, compliance
• Limited highly skilled staff

Enterprise networking needs
• Scalable: up and out, resilient and federated
• Abstraction: abstraction of the network topologies and complexities offers service velocity
• Flexibility: integration with third-party physical networking infrastructure
• Extensibility: services need to be extended across data centers, public or private

Enterprise Consumption: consumable Enterprise IT

OpenStack delivers to Enterprise
• Enable faster turn-up for the business
• Enable efficiency, minimise cost
• DevOps, DevOps, DevOps
• Open ecosystem of vendors and software
• Freedom of choice
• Strong(er) enterprise vendor support

Enterprise networking can be complex

[Slide diagram: Users, Application Types and Business Rules feed a Policy Evaluation step that produces Application Networks Policy Templates; the result is a mesh of per-application Firewall nodes with W and BL entries. The diagram itself is not recoverable from the transcript.]

Design once, re-use multiple times

Policy Approach to Networking

Networks need Flexibility
• DHCP, DNS
• IPAM
• Load balancing
• Firewalls
• Traffic flows: edge, north-south, east-west
• Authentication: users and elements
• Security, reporting, compliance

Enterprises deploy services across datacenters

Network services
• Layer 2 extension?
• True L2/L3 DR?
• Dynamic service provisioning?

Enterprise environment: physical/virtual servers, global distribution, multi-cloud platform

[Slide diagram: the demo environment, spread over four sites (SJC, WDC, HKG, TOR); which component sits at which site is not recoverable from the transcript.]
• Nuage VSC and Nuage VSD
• T1: Red Hat OSP with a Controller and Compute 1, Compute 2, Compute 3
• T2: Canonical OpenStack [MaaS setup] with a Controller and Compute 1, Compute 2
• Third-party services: F5, Palo Alto Networks, Infoblox, Avi Networks

Themes addressed from a technical perspective

Theme          Enterprise need (example)
Abstraction    Networks in Dev/Test/Prod
Scalability    # endpoints / # subnets / # ...
Flexibility    XaaS connectivity
Extensibility  Stretched / hybrid cloud

Abstraction and Velocity across Dev/Test/Prod

[Slide diagram: Internet/Intranet, Management and Dev networks; the Test and Prod networks are added on the following slides.]

Dev environment networking needs
• Exportable policy for each app
• Lots of (distributed) routing instances
• Potential overlap of IP space

Test environment networking needs
• Re-usable policy from Dev
• Very large distributed routing instance
• Unique IP space

Prod environment networking needs
• Re-usable policy from Test
• Very large distributed routing instance
• Unique IP space

Abstraction and Velocity across Dev/Test/Prod

There is a desire to re-use policy, but the network structure is different between Dev and Test/Prod. Two ways to cope:
1. Modify cookbooks between environments
2. Use an external system for defining the topology and enforcing policies → Nuage Networks allows external definition and mapping into the tenant structure

Abstraction and Velocity across Dev/Test/Prod: example for the Test environment
• A distributed router can span across multiple tenants
• Tenants only see their own subnets
• Security groups limit east-west traffic flows
• 1 logical router; 1 project maps to >= 1 tenant
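The Dev versus Test/Prod difference in IP space, as an added example that is not Nuage Networks or OpenStack code: overlap is only a conflict between subnets attached to the same routing instance, so the check has to be scoped per router, and a Dev design that relied on one router per application collides as soon as it is promoted unchanged onto one large routing instance. Router names and CIDRs are constructed sample data.

```python
"""Subnet overlap check scoped per routing instance.

Added example, not Nuage Networks or OpenStack code.  Dev tolerates
overlapping IP space because every application gets its own distributed
router (a separate routing instance); Test/Prod attach everything to one
very large routing instance, so the same subnets must be unique there.
Router names and CIDRs below are constructed sample data.
"""
import ipaddress
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

Attachment = Tuple[str, str]  # (router, cidr)


def _group(attachments: Iterable[Attachment]) -> Dict[str, list]:
    """Group the attached subnets by routing instance."""
    by_router = defaultdict(list)
    for router, cidr in attachments:
        # strict=True rejects a CIDR with host bits set (a common typo)
        by_router[router].append(ipaddress.ip_network(cidr, strict=True))
    return by_router


def find_overlaps(attachments: Iterable[Attachment]) -> List[Tuple[str, str, str]]:
    """Return (router, cidr_a, cidr_b) for every pair of subnets that overlap
    inside the same routing instance.  Overlap between different routers is
    not a conflict: each router is its own routing instance."""
    conflicts = []
    for router, nets in _group(attachments).items():
        nets.sort(key=lambda n: (int(n.network_address), n.prefixlen))
        for i, a in enumerate(nets):
            for b in nets[i + 1:]:
                if a.overlaps(b):
                    conflicts.append((router, str(a), str(b)))
    return conflicts


def can_attach(attachments: Iterable[Attachment], router: str, cidr: str) -> bool:
    """Check a new subnet against the router it is about to be attached to."""
    new = ipaddress.ip_network(cidr, strict=True)
    return all(not new.overlaps(n) for n in _group(attachments).get(router, []))


def promote(attachments: Iterable[Attachment], target_router: str):
    """Re-map every subnet onto a single target router, as happens when a Dev
    design (one router per app) is re-used unchanged in Test/Prod (one shared
    routing instance), and report what collides."""
    remapped = [(target_router, cidr) for _, cidr in attachments]
    return find_overlaps(remapped)


# Constructed sample data.
DEV = [
    ("dev-app1-router", "10.0.1.0/24"),
    ("dev-app2-router", "10.0.1.0/24"),  # same space, different routing instance
    ("dev-app2-router", "10.0.2.0/24"),
]
PROD = [
    ("prod-router", "10.10.1.0/24"),
    ("prod-router", "10.10.2.0/24"),
]

if __name__ == "__main__":
    print("dev conflicts:", find_overlaps(DEV))
    print("dev promoted onto one router:", promote(DEV, "test-router"))
    print("attach 10.10.1.128/25 to prod:", can_attach(PROD, "prod-router", "10.10.1.128/25"))
```

Run against the Dev layout the check is clean, because the duplicated 10.0.1.0/24 lives under two routers; the same layout promoted onto a single router reports the collision, which is the moment the "unique IP space" requirement of Test/Prod bites.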

Abstraction and Velocity across Dev/Test/Prod: CM tools

Design once, re-use across DEV, Test and PROD:
1. Define policies per application
2. Apply, merge, fine-tune and get approval
3. Commit final

Abstraction and Velocity across Dev/Test/Prod: policy lists

[Slide diagram: ordered policy lists. The network-admin-owned infrastructure lists sit at the top and the bottom, with the tenant-owned application lists in between, so application policy can neither pre-empt the admin's top rules nor escape the bottom default.]
• Top PolicyList (Infrastructure Policies), owner: Net Admin
• B2CSitePolicyList (Application Policies), priority: 5, owner: B2BSite-Admin
• StockApp PolicyList (Application Policies), priority: 10, owner: StockNW
• Bottom PolicyList (Infrastructure Policies), owner: Net Admin

Rules shown in the diagram (the transcript does not preserve which list each rule belongs to):
Rule 1: Port SSH allow
Rule 2: Port Telnet drop
Rule 3: Port HTTP drop
Rule 2: Port 8080 allow to App
Rule 6: Port SQL allow internal
Rule 11: Port 443 drop
Rule 7: Port 70 allow
Rule 888: Port 80 allow
Rule 1: All drop

Design once, re-use
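The layered evaluation the policy-list slide describes, as an added example that is not Nuage Networks or OpenStack code: a Top list owned by the network admin, tenant-owned application lists ordered by priority, and a Bottom list ending in a catch-all drop. It assumes that a lower priority number is evaluated first, that rules within a list run in ascending rule number with first match winning, and that the ports, scopes and list contents are constructed stand-ins for the slide's labels (the slide does not say which list each rule belongs to).

```python
"""Ordered policy-list evaluation for the Top / application / Bottom layout.

Added example, not Nuage Networks or OpenStack code.  It models the
slide's layering: a network-admin-owned Top list evaluated first,
tenant-owned application lists ordered by priority, and a
network-admin-owned Bottom list whose catch-all rule drops anything
nothing else matched.

Assumptions not stated on the slide: a lower priority number is evaluated
first; rules inside a list are evaluated in ascending rule number; first
match wins; the ports, scopes and list contents are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

ANY = "any"


@dataclass(frozen=True)
class Rule:
    number: int
    port: Union[int, str]      # destination port, or ANY
    action: str                # "allow" or "drop"
    scope: str = ANY           # ANY, "internal" (same tenant) or "app" (to app tier)


@dataclass(frozen=True)
class PolicyList:
    name: str
    owner: str
    rules: Tuple[Rule, ...]
    priority: Optional[int] = None   # None for infrastructure (Top/Bottom) lists


@dataclass(frozen=True)
class Flow:
    dst_port: int
    internal: bool             # source and destination inside the same tenant
    to_app_tier: bool = False  # destination is the application tier


def rule_matches(rule: Rule, flow: Flow) -> bool:
    if rule.port != ANY and rule.port != flow.dst_port:
        return False
    if rule.scope == "internal" and not flow.internal:
        return False
    if rule.scope == "app" and not flow.to_app_tier:
        return False
    return True


def validate(bottom: PolicyList) -> None:
    """Refuse a layout whose Bottom list does not end in a catch-all rule;
    without it an unmatched flow has no defined verdict."""
    last = max(bottom.rules, key=lambda r: r.number)
    if last.port != ANY or last.scope != ANY:
        raise ValueError("Bottom list must end with an any/any rule")


def evaluate(top: PolicyList, app_lists: List[PolicyList],
             bottom: PolicyList, flow: Flow) -> Tuple[str, str, int]:
    """Return (action, list name, rule number) of the first matching rule."""
    validate(bottom)
    ordered = [top] + sorted(app_lists, key=lambda p: p.priority) + [bottom]
    for plist in ordered:
        for rule in sorted(plist.rules, key=lambda r: r.number):
            if rule_matches(rule, flow):
                return rule.action, plist.name, rule.number
    raise AssertionError("unreachable: validate() guarantees a catch-all")


# Constructed sample data loosely following the slide's labels.
TOP = PolicyList("Top", "NetAdmin", (
    Rule(1, 22, "allow"),    # SSH allow
    Rule(2, 23, "drop"),     # Telnet drop
    Rule(3, 80, "drop"),     # HTTP drop
))
B2C_SITE = PolicyList("B2CSite", "B2BSite-Admin", (
    Rule(2, 8080, "allow", scope="app"),        # allow to App
    Rule(6, 3306, "allow", scope="internal"),   # SQL allow internal
    Rule(11, 443, "drop"),
), priority=5)
STOCK_APP = PolicyList("StockApp", "StockNW", (
    Rule(7, 70, "allow"),
    Rule(888, 80, "allow"),  # cannot override Top's HTTP drop
), priority=10)
BOTTOM = PolicyList("Bottom", "NetAdmin", (Rule(1, ANY, "drop"),))


def decide(flow: Flow) -> Tuple[str, str, int]:
    return evaluate(TOP, [B2C_SITE, STOCK_APP], BOTTOM, flow)


if __name__ == "__main__":
    for f in (Flow(22, False), Flow(80, True), Flow(3306, True),
              Flow(3306, False), Flow(8080, False, to_app_tier=True),
              Flow(9999, True)):
        print(f, "->", decide(f))
```

The run shows the two properties that make the extra lists worth having: a tenant's "Port 80 allow" never pre-empts the admin's HTTP drop above it, and a flow nothing matched (the SQL connection from outside the tenant, port 9999) falls through to the Bottom drop instead of being implicitly permitted; validate() refuses a Bottom list that lacks that catch-all.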

Abstraction and Velocity across Dev/Test/Prod: CM tools, backout / roll-back

Design once, re-use across DEV, Test and PROD; on a failed change, roll back to N-1 and re-test.

Scaling network primitives
• Large difference between Dev and Test/Prod
• Scaling impact:
  • Virtual routers: highest for Dev → ~1500
  • Subnets: highest for Test/Prod → 400+ per router
  • Security/policy groups: highest for Test/Prod → 2000+

Scaling network primitives: scaling test in AWS

[Slide diagram: Nuage VSD and Nuage VSC controlling servers that run as VMs in an AWS VPC.]
• 80 subnets / 40 routers
• 20K instances (500 per server); instances are Docker containers
• 140K ACLs (7 ACLs per VM)
• Configuration: VSD running as c3.4xlarge (16-core), VSC running as c3.2xlarge (8-core), VRS running as m3.xlarge
• Time to create: 8 minutes* (*when AWS VPC behaves)

Flexibility to connect XaaS

Default = Centralized – Virtualized – Single-Tenant
[Slide diagram: Neutron-Server with its core plugin and the FWaaS, LBaaS and VPNaaS service plugins; two Compute-Nodes hosting VMs; one Network-Node hosting a separate LB, FW and VPN instance for Logical Tenant Network 1 and for Logical Tenant Network 2.]

Centralized – Non-Virtualized – Multi-Tenant
• Typically for legacy non-virtualized appliances
• Connectivity: interface to a gateway; per-tenant service provided through provider networks (VLAN)
• Examples: LBaaS: F5; FWaaS: Palo Alto
[Slide diagram: Neutron-Server with the nuage core plugin and the FWaaS, LBaaS and VPNaaS service plugins; a Compute-Node running VRS with VMs in Logical Tenant Network 1 and 2; a nuage-gateway that maps each tenant network onto a VLAN (VLAN = provider network) towards a shared FW / LB appliance, which keeps a separate Context 1 and Context 2 per tenant.]
Tenant separation on the shared appliance rests on the VLAN-to-context mapping at the gateway: a VLAN mapped to the wrong context joins two tenants' traffic, so that mapping deserves the same change control as the policy itself.

Distributed – Virtualized – Single-Tenant
• Services as tenant VMs
• Tenant VMs are distributed using the OpenStack placement algorithm
• Management via XaaS plugin
• Example: AVI LB
[Slide diagram: Neutron-Server with the nuage core plugin and the FWaaS, LBaaS and VPNaaS service plugins; three Compute-Nodes each running VRS; the tenant's load-balancer VMs LB1 and LB2 are placed on different Compute-Nodes alongside the ordinary VMs of Logical Tenant Network 1 and 2.]

Distributed – Agent – Multi-Tenant
• Traffic gets locally redirected to an agent running in the hypervisor (VM, process, docker)
• Example agent tasks: proxy ARP / DHCP; metadata agent; storage proxy for Swift; L5-L7 (e.g. IDS/DPI)
[Slide diagram: Neutron-Server with the nuage core plugin and the FWaaS, LBaaS and VPNaaS service plugins; two Compute-Nodes each running VRS and Agents 1 and 2, which serve the VMs of both Tenant Network 1 and Tenant Network 2 on that node.]

Extending clouds to other sites

[Slide diagram: three sites, Site 1 (private), Site 2 (private) and Site x (public), each running its own Keystone, Nova and Neutron, each with its own Users and its own Network.]

Identity Federation (Kilo): users are federated across the three sites, but each site still has its own Network.

Can I federate the network?
= Can I have a single subnet across sites?
= Can I attach a new subnet to a router defined in another site?
= Can my VM communicate with a VM at a different site?
= Can my security policies encompass VMs from different sites?

Network Federation with Nuage

[Slide diagram: the same three sites, each Neutron using the nuage plugin, with one federated Network spanning them; Users federated through Identity Federation (Kilo).]

Centralized definition, sharing policy.
Federated policy: policy is requested from the "Home VSD" for the router.
✓ Stretched subnets
✓ New subnet attached to a router of another site
✓ VMs can communicate across sites
✓ Security policies across sites

Conclusions

Theme          Enterprise need, delivered through
Abstraction    Network policies
Scalability    Distributed control plane
Flexibility    Any XaaS topology
Extensibility  Network federation

THANK YOU

See Nuage Networks in action at 4:15 PM, Avi Networks Booth T9: OpenStack Private Cloud Case Study by Nuage Networks & Avi Networks