Introduction to CloudStack Networking

Introduction to CloudStack Networking

Geoff HigginbottomCTO ShapeBlue

[email protected]: @CloudStackGuru @ShapeBlue

@ShapeBlue #CloudStack #CCCEU13

Cloud Architect & ShapeBlue CTO Specialise in….

Designing & Building Clouds based on Apache CloudStack / Citrix CloudPlatform

Developing CloudStack training Blogging and sharing CloudStack knowledge

Involved with CloudStack before donation to Apache Designed Clouds for SunGard, Ascenty, BskyB, Trader Media,

M5 Hosting, Team Cymru, Interoute, University of Pennsylvania.…

CloudStack Committer (non-developer)

About Me


“ShapeBlue are expert builders of public & private clouds. They are the leading global independent CloudStack / CloudPlatform

integrator & consultancy”

About ShapeBlue


Why NaaS – The Use CasesVPS Cloud

www

VPS

VPS

VPS

NaaS

VM

VM

VM`

VM

VM

VM

www


Why NaaS – The Use CasesTier 1

Tier 2

Tier 3

NaaSVMVM

VMVM

VMVM

www

ACLs

ACLs


AWS Style L3 isolation – Massive Scale Simple Flat Network Each POD has a unique CIDR Optional Guest Isolation via Security Groups Optional NetScaler Integration - Elastic IPs and Elastic

LB Optional Nicira NVP Integration

Basic Networking


Isolate traffic between VMs Available for both Basic and Advanced Networking Only supported on XenServer 6.x and KVM XenServer 6.0.x requires the Cloud Support Package XenServer must use Linux Bridge and not Open

vSwitch xe-switch-network-backend bridge Must be implemented before adding to CloudStack

Security Groups


Security Groups Rules can be mapped to CIDR or another

Account/Security Group


This network model provides the most flexibility in defining guest networks and providing custom network offerings such as firewall, VPN, Load Balancer & VPC functionality.

Guest isolation is provided through layer-2 means such as VLANs or SDN technologies

Advanced Networking


Private and Shared Guest Networks Multiple Physical Networks Virtual Router for each Network providing:

DNS & DHCP Firewall Client VPN Load Balancing Source / Static NAT Port Forwarding

Advanced Networking


Effectively enables the deployment of multiple ‘Basic’ style networks which use Security Groups for isolation of VMs, but with each Network encapsulated within a unique VLAN.

Advanced Networking & Security Groups


Management Network

Secondary Storage

Management

Server(s)

MySQLDB(s)

Hosts

SSVM

CPVM

Traffic between CloudStack Management Servers and the various cloud components (Hosts, System VMs, Storage*, vCenter etc)


Guest Network – Advanced Zone

Virtual Router

www

VMVM

VM

Traffic between VMs within an Account, and their Virtual Router, Physical Load Balancer or Physical Firewall


Guest Network – Basic Zone

VMVM

VM

wwwTraffic between VMs on the network and their Internet Gateway


Guest Network – Basic Zone EIP / ELB

www

VMVM

VM

Citrix NetScaler

Traffic between VMs and the Internal Interface of the NetScaler


Public Network – Advanced Zone

Virtual Router

www

VMVM

VM

Traffic between the Virtual Router and the Internet Gateway


Public Network - Basic Zone EIP / ELB

www

VMVM

VM

Citrix NetScaler

Only present in a Basic Zone when a Citrix NetScaler is used to provide Elastic IP and Elastic LB


Public Network – System VMs

SSVM

www

CPVM

CPVM & SSVM both have a connection to the Public Network


Storage Network

Secondary Storage

Management

Server(s)

Hosts

SSVM

Traffic between SSVM and the Secondary Storage

Optional Network, traffic will use the Management Network if not configured.

If configured, there must be a route between Management and Storage Networks

It is NOT for Primary Storage Traffic


Physical ConnectivityUsers

Router

POD 1

Hosts

PrimaryStorage

Secondary Storage

Management

Server(s)

MySQLDB(s)

Admins & Users

POD 2

POD n


Basic Zone – Example IP Schema

L3 Switch

Host n

Host 1

POD 1192.168.0.0/2

6Res IPs 0.10 -

0.29Hosts 0.30 –

0.62

VR

DHCPDNSUserDataSec Groups

VMVM

VMVM

L2 Switch

www

Host n

Host 1

POD 2192.168.0.64/26

Res IPs 0.73 - 0.92Hosts 0.93 - 0.126

Guest IPs:172.16.2.2- 3.254

GW 172.16.2.1

L2 Switch

Host n

Host 1

POD 3192.168.0.128/26

Res IPs 0.138 – 0.147Hosts 0.149 – 0.190

Guest IPs:172.16.4.2 - 5.254

GW 172.16.4.1

L2 Switch

Guest IPs:172.16.0.2 -

1.254GW 172.16.0.1


Advanced Zone – Example IP Schema

L3 Switch

www

Host n

Host 2

POD 1 - XenServer

192.168.0.0/26Res IPs 0.10 -

0.29Hosts 0.30 –

0.62

Host 1

L2 SwitchVMb1

VRb VMb2

VRaVMa2

VMa1

VMa3Host n

Host 2

POD 2 - vSphere

192.168.2.0/22Res IPs 2.43 -

3.254Hosts 2.10 –

2.42

Host 1

L2 Switch

VMc3

VRc

VMc2

VMc1

Guest Networks10.1.1.0/24GW 10.1.1.1

Guest IPs 1.2 - 1.254

VLANs

VLANs


A Hardware or Virtual Appliance that provide Network Services to CloudStack e.g.

Network Service Providers

Virtual Router VPC Virtual Router Internal LBVM Citrix NetScaler F5 Load Balancer Juniper SRX Firewall

Nicira Nvp Midokura Midonet BigSwitch Vns Cisco VNMC


Private multi-tiered Virtual Networks ACLs to control traffic isolation Inter VLAN Routing Site-2-Site VPN Private Gateway

Virtual Private Clouds (VPC)


VPC Components

Virtual Router – Connects all the VPC Components

Network Tiers – Isolated Networks, each with unique VLAN and CIDR

VMVM

VMVM

VMVM

Tier 1VLAN 101

Tier 2VLAN 102

Tier 3VLAN 103

Virtual Router


VPC Components

Public Gateway

wwwVM

VM

VMVM

VMVM

Tier 1VLAN 101

Tier 2VLAN 102

Tier 3VLAN 103

Site-2-Site VPNLinked to Public Gateway

Remote DC or

Corporate Office

Virtual Router


Private GatewayCreated by Root AdminsConfigured by Users (Static Routes)

VPC Components

wwwVM

VM

VMVM

VMVM

Tier 1VLAN 101

Tier 2VLAN 102

Tier 3VLAN 103

Virtual Router


VPC Components

www

Physical Equipme

nt

Remote DC

Router

VMVM

VMVM

VMVM

Tier 1VLAN 101

Tier 2VLAN 102

Tier 3VLAN 103

Virtual Router


MPLS

VPC Components

wwwVM

VM

VMVM

VMVM

Tier 1VLAN 101

Tier 2VLAN 102

Tier 3VLAN 103

Virtual Router


Virtual Router

VM

VM

VM

VM

VM

VM

VPC Components

www

wwwVMVM

VMVM

VMVM

Tier 1VLAN 101

Tier 2VLAN 102

Tier 3VLAN 103

Virtual Router


Communication Ports

443

HTTPSConsole Access

80/443

HTTPFile

Share

ESXiKVM

XenServervCenter

2222/80/443

443

User – CSMAN 8080/8096CSMAN – CSMAN 9090/8250

CloudStack Management Servers

8250

CPVM

Virtual Router

SSVM

3922

CSMAN – MySQL 3306MySQL – MySQL 3306

MySQL Master & Slave

Secondary Storage

111/2049


System VMs & Their NetworksVirtual Router

Virtual Router

Public Networke.g. 82.64.20.2

Guest Networke.g. 10.1.1.17

Link Local (XenServer / KVM) e.g. 169.254.3.24Management (vSphere) e.g. 192.168.2.57


System VMs & Their NetworksVirtual Router

Virtual Router

www

VMVM

VM

DHCP, DNS , User Data, Source NAT, Static NAT, VPN,Firewall, Port Forwarding, Load Balancing


System VMs & Their NetworksSecondary Storage VM

SSVM


Managemente.g. 192.168.3.28


Storage NetworkIP address from Management OR Storage IP Ranges


System VMs & Their NetworksSSVM – VM Image / ISO Upload

Workflow

HTTP Server

1. User uploads VM Image / ISO to Public Web Server

CloudStack Management Server

2. User specifies VM Image / ISO Location via GUI or API SSVM

3. CloudStack sends request information to SSVM

Secondary Storage

4. SSVM fetches VM Image/ISO from HTTP Server and writes it to Secondary Storage

Management / LiLo

Public Storage


System VMs & Their NetworksConsole Proxy VM

CPVM


Managemente.g. 192.168.2.58



System VMs & Their NetworksCPVM – Remote

Connection

Management / LiLo

Public Management

CloudStack Management Server

1. User initiates a Console session

3. CS Forwards user identity and ticket to CPVM

CPVM

2. CS chooses suitable CPVM and creates a logon ticket for user

4. CS sends user redirection URL

realhostip.com

5. User resolves URL via realhostip.com

6. User is connected to CPVM via HTTPS Hypervisor

7. CPVM connects to Hypervisor via HTTPS


Numerous VPC Improvements Add & Remove NICs / Networks Multiple IPs on Single NIC Persistent Networks Configurable Default Egress Behaviour Non Contiguous VLAN Ranges Enhanced SRX & F5 Support PVLANs GLSB IPv6 – (Technical Demo)

Recent Networking Improvements (4.1 & 4.2)


Lots of great technical info on http://shapeblue.com/blog/

These slides can be found at www.slideshare.net/shapeblue

[email protected] @CloudStackGuru

Further Information

http://shapeblue.com/blog/

http://shapeblue.com/blog/

http://www.slideshare.net/shapeblue

Introduction to CloudStack Networking

Technology

Transcript of Introduction to CloudStack Networking