CloudStack Networking: ShapeBlue Technical Deep Dive

Geoff Higginbottom of ShapeBlue gives a 60 minute master class in CloudStack networking.

Slide text:
1. CloudStack Networking – Technical Deep Dive
   Geoff Higginbottom, CTO ShapeBlue
   geoff.higginbottom@shapeblue.com
   Twitter: @ShapeBlue, @CloudStackGuru

2. www.shapeblue.com

3. Why NaaS – The Use Cases: VPS Cloud

4. Why NaaS – The Use Cases: CloudVPS

5. Physical Connectivity

6. CloudStack Physical Networks
    Management Network
      Traffic between CloudStack Management Servers and the various cloud components (Hosts, System VMs, Storage*, vCenter etc)

7. CloudStack Physical Networks
    Public Network
      Only available in an Advanced Zone, or a Basic Zone when using NetScaler Elastic IP (ELIP) / Elastic Load Balancer (ELLB)
      Connects VMs to the public Internet via a Virtual Router or NetScaler
      Enables services such as:
        Source NAT
        Static NAT
        Load Balancing
        Port Forwarding
        Firewall
        VPN

8. CloudStack Physical Networks
    Guest Network
      Basic Zone (with or without Security Groups)
        Traffic between VMs on the network
      Basic Zone with ELIP / ELLB
        Traffic between VMs and the Internal Interface of the NetScaler
      Advanced Zones
        Traffic between VMs within a Network, and their Virtual/Physical Router, Physical Load Balancer or Physical Firewall

9. CloudStack Physical Networks
    Storage Network
      Handles traffic between the Secondary Storage VM, Hosts & Management Server, to/from the Secondary Storage Servers
      Optional Network, traffic will use the Management Network if not configured
      If configured, there must be a route between Management, Hosts and Storage Networks
      It is not for Primary Storage Traffic
      Not used for Template Deployment from Sec to Pri Storage, Hosts mount Sec Storage directly

10. Network Service Providers
    A Hardware or Virtual Appliance which provides Network Services to CloudStack, e.g.
      Virtual Router
      VPC Virtual Router
      Citrix NetScaler
      F5 Load Balancer
      Juniper SRX Firewall
      Nicira NVP
      Security Groups

11. Basic Networking
    AWS Style L3 isolation – Massive Scale
    Simple Flat Network
    Each POD has a unique CIDR
    Optional Guest Isolation via Security Groups
    Optional NetScaler Integration – Elastic IPs and Elastic LB
    Optional Nicira NVP Integration

12. Security Groups
    Isolate traffic between VMs
    Only supported in Basic Networking in CloudStack*
    Only supported on XenServer 6.x and KVM
      XenServer 6.0.x requires the Cloud Support Package
      XenServer must use Linux Bridge and not Open vSwitch: xe-switch-network-backend bridge
      Must be implemented before adding to CloudStack

13. Security Groups
    Must be specified when the Zone is created
    Uses Ingress and Egress Rules to control traffic flow
    Default is all outbound traffic allowed, all inbound denied
    Rules can be mapped to CIDR or another Account/Security Group
14. Basic Zone with Elastic IP
    Citrix NetScaler can provide Elastic IP & Elastic LB
    Has Security Groups enabled
    A Public Network IP Range is assigned during Zone Setup
    The Public IP Range is assigned to the External Interface of the NetScaler Appliance
    Provides a Static NAT (1:1) service to VMs
    When the VM is powered off the Elastic IP is released

15. Citrix NetScaler – Elastic IP/LB

16. Basic Zone – Example IP Schema

17. Using Multiple NICs
    Default 'Add Zone Wizard' skips the Traffic Label Settings

18. Advanced Networking
    Guest Networks isolated by VLANs
    Private and Shared Guest Networks
    Multiple Physical Networks
    Virtual Router for each Network providing:
      DNS & DHCP
      Firewall
      Client VPN
      Load Balancing
      Source / Static NAT
      Port Forwarding

19. Adv Zone – Example IP Schema

20. Adv Zone – Egress Rules
    New to 4.1
    Blocks all outbound traffic by default
    Example of an 'Allow All' Egress Rule
    Examples of other common Egress Rules
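The two default postures above point in opposite directions: a Basic Zone Security Group (slide 13) allows all outbound and denies all inbound, while an Advanced Zone on 4.1 (slide 20) blocks all outbound until an egress rule exists. The Python below is an added example, not ShapeBlue's or the CloudStack project's code. It builds the signed API calls for a Security Group ingress rule and for egress rules (the slide's 'Allow All' rule and a narrower one), following the documented CloudStack request-signing scheme (URL-encoded values, parameters sorted by key, whole query lower-cased, HMAC-SHA1, base64), and includes a server-style verifier to show that changing any parameter invalidates the signature. The endpoint URL, the API key pair and the network id are constructed placeholders.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlparse

# Constructed placeholders for the example; a real deployment uses the
# account's API key pair from the CloudStack UI and its own endpoint.
ENDPOINT = "https://cloudstack.example.invalid/client/api"
API_KEY = "example-api-key"
SECRET_KEY = "example-secret-key"


def canonical_query(params: dict) -> str:
    """The string CloudStack signs: key=value pairs with each value
    URL-encoded, sorted by key, joined with '&', then lower-cased."""
    pairs = [f"{k}={quote(str(params[k]), safe='')}" for k in sorted(params, key=str.lower)]
    return "&".join(pairs).lower()


def sign(params: dict, secret: str) -> str:
    """HMAC-SHA1 over the canonical query, base64-encoded."""
    mac = hmac.new(secret.encode(), canonical_query(params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def build_request(command: str, **kwargs) -> str:
    """Signed GET URL for one API command. The signature covers every parameter,
    apikey included, so no field can be altered in transit without detection;
    the secret key itself never leaves the client."""
    params = {"command": command, "apikey": API_KEY, "response": "json", **kwargs}
    query = "&".join(f"{k}={quote(str(v), safe='')}"
                     for k, v in sorted(params.items(), key=lambda kv: kv[0].lower()))
    return f"{ENDPOINT}?{query}&signature={quote(sign(params, SECRET_KEY), safe='')}"


def verify_request(url: str, secret: str) -> bool:
    """What the management server does on receipt: recompute the signature over
    every parameter except 'signature' and compare in constant time."""
    params = dict(parse_qsl(urlparse(url).query, keep_blank_values=True))
    presented = params.pop("signature", "")
    return hmac.compare_digest(sign(params, secret), presented)


def ingress_rule(security_group: str, protocol: str, port: int, cidr: str) -> str:
    """Basic Zone with Security Groups: inbound is denied by default, so every
    exposed service needs an explicit ingress rule such as this one."""
    return build_request("authorizeSecurityGroupIngress", securitygroupname=security_group,
                         protocol=protocol, startport=port, endport=port, cidrlist=cidr)


def egress_rule(network_id: str, protocol: str, cidr: str = "0.0.0.0/0", port=None) -> str:
    """Advanced Zone on 4.1: outbound is blocked by default. For this command
    'cidrlist' is the guest-side source range; protocol='all' with 0.0.0.0/0
    is the slide's 'Allow All' rule, which re-opens everything the default closed."""
    extra = {} if port is None else {"startport": port, "endport": port}
    return build_request("createEgressFirewallRule", networkid=network_id,
                         protocol=protocol, cidrlist=cidr, **extra)


if __name__ == "__main__":
    print(ingress_rule("web", "tcp", 22, "203.0.113.0/24"))
    print(egress_rule("net-uuid-placeholder", "all"))                       # 'Allow All'
    print(egress_rule("net-uuid-placeholder", "tcp", "10.1.1.0/24", 443))   # narrower rule
```

Two practitioner notes. First, a signed URL is a bearer credential until the server sees it: CloudStack also accepts signatureversion=3 together with an expires timestamp, which bounds how long a captured URL can be replayed, so use that over plain HTTP paths or logged proxies. Second, the 'Allow All' egress rule is the quickest way to make a 4.1 network behave like 4.0, but it throws away the new default; the narrower form above (one protocol, one port, one guest source range) is what the 'other common Egress Rules' on the slide look like.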
21. Adv Zone – Firewall & Port Forwarding
    Firewall
      Allow traffic into network
    Port Forwarding
      Pass traffic to a specified VM

22. Adv Zone – Load Balancing
    Load Balancing Algorithms
      Round Robin
      Least Connections
      Source
    Stickiness
      None
      Source Based
      AppCookie
      LBCookie

23. Adv Zone – User VPN
    User VPN
    IPSec VPN
    Win/MAC
    Connects to Guest Network

24. Adv Zone – Static NAT
    Enable Static NAT

25. Adv Zone – Static NAT
    Allocate VM

26. Adv Zone – Static NAT
    Only Firewall Rules exist due to the 1:1 mapping
    Public IP is also used for Outbound Traffic from this VM

27. Virtual Private Clouds (VPC)
    Private multi-tiered Virtual Networks
    ACLs to control traffic isolation
    Inter VLAN Routing
    Site-2-Site VPN
    Private Gateway

28. Virtual Private Clouds (VPC)
    No Conserve Mode so unique Public IP Required for:
      Port Forwarding (1 IP per Tier)
      Load Balancing (only 1 Tier can be Load Balanced)
    Cannot operate in Redundant Mode (VRRP)
    Default Egress is Allow All

29. VPC Components
    Virtual Router – Connects all the VPC Components
    Network Tiers – Isolated Networks, each with unique VLAN and CIDR
    Public Gateway
    Site-2-Site VPN – Linked to Public Gateway
    Private Gateway – Created by Root Admins, Configured by Users (Static Routes)

30. Creating a VPC
    Super CIDR Covers All Tiers

31. VPC – Add 1st Tier
    Note how Network CIDR is a Subnet of the Super CIDR

32. VPC – Add 2nd Tier
    Note how Network CIDR is a Different Subnet of the Super CIDR
    There can be only 1 Load Balanced Tier
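The checks the last three slides call out (each tier CIDR is a subnet of the Super CIDR, each tier is a different subnet, only one tier can be load balanced) are cheap to verify on paper before any tier is created, and the public-IP arithmetic from slide 28 follows from the same plan. The Python below is an added example, not from the presentation or from CloudStack: the Tier and VpcPlan records are hypothetical planning structures, and the public-IP count (one per port-forwarded tier plus one for the load-balanced tier, since a VPC public IP is single use) is this example's reading of slides 28 and 43.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List


@dataclass
class Tier:
    """One VPC network tier (hypothetical planning record, not a CloudStack object)."""
    name: str
    cidr: str
    load_balanced: bool = False
    port_forwarded: bool = False


@dataclass
class VpcPlan:
    """Super CIDR plus the tiers that will be carved out of it."""
    super_cidr: str
    tiers: List[Tier] = field(default_factory=list)


def validate_vpc_plan(plan: VpcPlan) -> List[str]:
    """Return the list of problems with the plan (empty list means consistent).

    Checks: the super CIDR and every tier CIDR are well-formed network addresses
    (host bits clear), every tier is a subnet of the super CIDR, no two tiers
    overlap, and at most one tier is flagged as load balanced.
    """
    problems: List[str] = []
    try:
        super_net = ipaddress.ip_network(plan.super_cidr, strict=True)
    except ValueError as exc:
        return [f"super CIDR {plan.super_cidr!r} is invalid: {exc}"]

    seen = []  # (tier name, network) pairs already accepted, for overlap checks
    for tier in plan.tiers:
        try:
            net = ipaddress.ip_network(tier.cidr, strict=True)
        except ValueError as exc:
            problems.append(f"tier {tier.name}: invalid CIDR {tier.cidr!r}: {exc}")
            continue
        # Version check first: subnet_of() raises on an IPv4/IPv6 mix.
        if net.version != super_net.version or not net.subnet_of(super_net):
            problems.append(f"tier {tier.name}: {net} is not inside super CIDR {super_net}")
        for other_name, other in seen:
            if net.overlaps(other):
                problems.append(f"tier {tier.name}: {net} overlaps tier {other_name} ({other})")
        seen.append((tier.name, net))

    lb_tiers = [t.name for t in plan.tiers if t.load_balanced]
    if len(lb_tiers) > 1:
        problems.append(f"only one tier can be load balanced, but {lb_tiers} are flagged")
    return problems


def public_ips_required(plan: VpcPlan) -> int:
    """Public IPs the plan consumes under the single-use rule: one per tier
    that needs port forwarding plus one for the load-balanced tier."""
    return sum(t.port_forwarded for t in plan.tiers) + sum(t.load_balanced for t in plan.tiers)


if __name__ == "__main__":
    plan = VpcPlan("10.0.0.0/16", [
        Tier("web", "10.0.1.0/24", load_balanced=True, port_forwarded=True),
        Tier("app", "10.0.2.0/24", port_forwarded=True),
        Tier("db", "10.0.3.0/24"),
    ])
    for problem in validate_vpc_plan(plan):
        print("problem:", problem)
    print("public IPs required:", public_ips_required(plan))
```

Running the plan through the validator before acquiring public IPs avoids the situation shown later in the deck, where a second load-balanced tier or an overlapping CIDR is only rejected after the first tiers and their ACLs already exist.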
33. VPC – Add VMs

34. VPC – Add VMs – Network Selection

35. VPC – Configure ACLs

36. VPC – Configure ACLs

37. VPC – Acquire Public IPs

38. VPC – Acquire Public IPs

39. VPC – Acquire Public IPs

40. VPC – Add Port Forwarding
    ACLs = Firewall Rules

41. VPC – Add Port Forwarding

42. VPC – Load Balancing

43. VPC – Public IP Single Use
    IP used for Port Forwarding
    IP used for Load Balancing

44. VPC – Public IP Single Use

45. VPC – Add Private Gateway

46. VPC vs VR Networks

47. VPC – Adding Static Routes

48. VPC – Adding Static Routes

49. VPC – Site-2-Site VPN
    VPN Gateway must be enabled first
    Once enabled the VPN Customer Gateway can be configured

50. VPC – Site-2-Site VPN
    A VPN Connection can then be mapped to the VPN Customer Gateway
    As long as both ends of the VPN are configured correctly, the VPN Connection should be established.

51. VPC – Site-2-Site VPN
    Following VPN End Points Officially Supported
      CISCO ISR with IOS 12.4 or later
      Juniper J-Series routers with JunOS 9.5 or later
      "it's expected any device running supported operating systems should work"
    Not Officially Supported
      VPC-VPC VPN not officially supported yet but does appear to work
      Tested between CS 4.1 – 4.1 and CS 4.1 – CP 3.0.6 Patch D

52. Create VM on VPC & Standard Network
    Option 1:
      Create VM using API and map to both Networks
      API Parameter 'hypervisor' must be specified
    Option 2:
      Create VM on VPC using GUI
      Use the addNicToVirtualMachine API Command to add the 2nd NIC

53. Add – Update – Remove NICs
    New API Commands for 4.1
      addNicToVirtualMachine
      updateDefaultNicForVirtualMachine
      removeNicFromVirtualMachine
    Effectively enables VMs to be 'moved' to different networks

54. System VMs & Their Networks: Virtual Router

55. System VMs & Their Networks: Virtual Router

56. System VMs & Their Networks: Secondary Storage VM

57. System VMs & Their Networks: SSVM – VM Image / ISO Upload Workflow

58. System VMs & Their Networks: Console Proxy VM

59. System VMs & Their Networks: CPVM – Remote Connection

60. Communication Ports

61. Real World Problems / Requirements
    Management VLANs – Up to 7 Layers
    Strict control of traffic flow between Management Layers
    Bypassing Virtual Router
    Isolated Networks for Guest Management by Service Provider
    Shared Networks for Guest Backups
    Connecting VMs to Physical Servers via Assigned VLAN IDs
    VLAN Limitations

62. The Future
    Software Defined Networking
      Remove VLAN Limitations
      Bring full control of Network into CloudStack GUI
      Massive Scalability
      L2 Networks which Span DCs
    Examples of SDN Providers
      Nicira NVP – Supported since 4.0
      Midokura – Support coming in 4.2

63. Questions?

64. CloudStack Networking – Technical Deep Dive (closing slide, repeats the title slide)