2. About Me
Cloud Architect & ShapeBlue CTO
Specialise in…
Designing & Building Clouds based on Apache CloudStack / Citrix CloudPlatform
Developing CloudStack training
Blogging and sharing CloudStack knowledge
Involved with CloudStack before donation to Apache
Designed Clouds for SunGard, Ascenty, BskyB, Trader Media, M5 Hosting, Team Cymru, Interoute, University of Pennsylvania…
CloudStack Committer (non-developer)
@ShapeBlue #CloudStack #CCCEU13
3. About ShapeBlue
“ShapeBlue are expert builders of public & private clouds. They are the leading global independent CloudStack / CloudPlatform integrator & consultancy”
4. Why NaaS – The Use Cases
VPS
Cloud
5. Why NaaS – The Use Cases
6. Basic Networking
AWS Style L3 isolation – Massive Scale
Simple Flat Network
Each POD has a unique CIDR
Optional Guest Isolation via Security Groups
Optional NetScaler Integration - Elastic IPs and Elastic LB
Optional Nicira NVP Integration
7. Security Groups
Isolate traffic between VMs
Available for both Basic and Advanced Networking
Only supported on XenServer 6.x and KVM
XenServer 6.0.x requires the Cloud Support Package
XenServer must use the Linux Bridge network backend, not Open vSwitch:
xe-switch-network-backend bridge
This must be done before the host is added to CloudStack
8. Security Groups
Rules can be mapped to CIDR or another Account/Security Group
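The two Security Group slides say rules can target a CIDR or another Account/Security Group, and the speaker notes add that a group allows all outbound traffic until its first Egress rule is created. The following Python is an added example, not code from the slides or from the CloudStack project: it builds the signed CloudStack API calls for a hypothetical "web" group (both rule styles plus one egress rule) following the signing procedure in the CloudStack Developer Guide. The API key, secret key, group names ("web", "bastion"), the account "ops", the port 9100 and the admin CIDR are all invented for illustration.

```python
"""Signed CloudStack API calls for a security-group policy (added example).

Signing follows the CloudStack Developer Guide: URL-encode values, sort the
field=value pairs by field name, lower-case the whole string, HMAC-SHA1 it with
the secret key and Base64-encode the digest. Credentials below are constructed.
"""
import base64
import hashlib
import hmac
from urllib.parse import quote

# Constructed credentials for the example; never hard-code real keys.
API_KEY = "AKIAEXAMPLE"
SECRET_KEY = "SECRETEXAMPLE"


def encode_value(value) -> str:
    # Mirror java.net.URLEncoder, which the management server uses before it
    # re-computes the signature: '*' stays literal, space becomes %20, '/' is %2F.
    return quote(str(value), safe="*")


def base_string(params: dict) -> str:
    # Steps 1-2: encode each value, sort pairs case-insensitively by field name,
    # join with '&'. Map keys such as usersecuritygrouplist[0].account are sent literally.
    pairs = sorted(params.items(), key=lambda kv: kv[0].lower())
    return "&".join(f"{k}={encode_value(v)}" for k, v in pairs)


def sign(secret: str, query: str) -> str:
    # Step 3: HMAC-SHA1 over the lower-cased query string, Base64-encoded.
    digest = hmac.new(secret.encode(), query.lower().encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def signed_query(command: str, **params) -> str:
    # apiKey identifies the caller; the secret never leaves the client.
    params.update(command=command, apiKey=API_KEY, response="json")
    query = base_string(params)
    return f"{query}&signature={quote(sign(SECRET_KEY, query), safe='')}"


def web_tier_rules(admin_cidr: str) -> list:
    """(command, params) pairs for the hypothetical 'web' security group."""
    web = {"securitygroupname": "web", "protocol": "TCP"}
    return [
        # CIDR-based rules: public HTTP/HTTPS from anywhere, SSH only from the admin range.
        ("authorizeSecurityGroupIngress", dict(web, startport=80, endport=80, cidrlist="0.0.0.0/0")),
        ("authorizeSecurityGroupIngress", dict(web, startport=443, endport=443, cidrlist="0.0.0.0/0")),
        ("authorizeSecurityGroupIngress", dict(web, startport=22, endport=22, cidrlist=admin_cidr)),
        # Group-based rule: allow another account's 'bastion' group rather than a CIDR,
        # so the rule follows those VMs as they are created and destroyed (hypothetical names).
        ("authorizeSecurityGroupIngress", dict(web, startport=9100, endport=9100, **{
            "usersecuritygrouplist[0].account": "ops",
            "usersecuritygrouplist[0].group": "bastion"})),
        # The first egress rule switches the group from allow-all outbound to
        # allow-list: afterwards only matching traffic, replies to ingress, and
        # DHCP/DNS leave the VMs (behaviour described in the speaker notes).
        ("authorizeSecurityGroupEgress", dict(web, startport=443, endport=443, cidrlist="0.0.0.0/0")),
    ]


def web_tier_requests(admin_cidr: str) -> list:
    """Signed query strings, ready to append to http(s)://<mgmt>:8080/client/api?"""
    return [signed_query(cmd, **p) for cmd, p in web_tier_rules(admin_cidr)]


if __name__ == "__main__":
    for req in web_tier_requests("203.0.113.0/24"):  # constructed admin range
        print(req)
```

Two caveats a practitioner will want: the signature authenticates the request but does nothing for replay, so send it over HTTPS and, on CloudStack releases that support it, add signatureversion=3 with an expires timestamp; and because the server lower-cases the string before verifying, any value whose meaning depends on case (a group name with capitals) must still be sent exactly as stored or the rule will be attached to the wrong object or rejected.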
9. Advanced Networking
This network model provides the most flexibility in defining guest networks and providing custom network offerings such as firewall, VPN, Load Balancer & VPC functionality.
Guest isolation is provided through layer-2 means such as VLANs or SDN technologies
10. Advanced Networking
Private and Shared Guest Networks
Multiple Physical Networks
Virtual Router for each Network providing:
DNS & DHCP
Firewall
Client VPN
Load Balancing
Source / Static NAT
Port Forwarding
11. Advanced Networking & Security Groups
Effectively enables the deployment of multiple ‘Basic’ style networks which use Security Groups for isolation of VMs, but with each Network encapsulated within a unique VLAN.
12. Management Network
Traffic between CloudStack Management Servers and the various cloud components (Hosts, System VMs, Storage*, vCenter etc)
13. Guest Network – Advanced Zone
Traffic between VMs within an Account, and their Virtual Router, Physical Load Balancer or Physical Firewall
14. Guest Network – Basic Zone
Traffic between VMs on the network and their Internet Gateway
15. Guest Network – Basic Zone EIP / ELB
Traffic between VMs and the Internal Interface of the NetScaler
16. Public Network – Advanced Zone
Traffic between the Virtual Router and the Internet Gateway
17. Public Network - Basic Zone EIP / ELB
Only present in a Basic Zone when a Citrix NetScaler is used to provide Elastic IP and Elastic LB
18. Public Network – System VMs
CPVM & SSVM both have a connection to the Public Network
19. Storage Network
Traffic between SSVM and the Secondary Storage
Optional Network; traffic will use the Management Network if it is not configured.
If configured, there must be a route between the Management and Storage Networks
It is NOT for Primary Storage Traffic
21. Basic Zone – Example IP Schema
22. Advanced Zone – Example IP Schema
23. Network Service Providers
A Hardware or Virtual Appliance that provides Network Services to CloudStack, e.g.
Virtual Router
VPC Virtual Router
Internal LBVM
Citrix NetScaler
F5 Load Balancer
Juniper SRX Firewall
Nicira NVP
Midokura MidoNet
Big Switch VNS
Cisco VNMC
24. Virtual Private Clouds (VPC)
Private multi-tiered Virtual Networks
ACLs to control traffic isolation
Inter VLAN Routing
Site-2-Site VPN
Private Gateway
25. VPC Components
Virtual Router – Connects all the VPC Components
Network Tiers – Isolated Networks, each with a unique VLAN and CIDR
39. Further Information
Lots of great technical info on http://shapeblue.com/blog/
These slides can be found at www.slideshare.net/shapeblue
geoff.higginbottom@shapeblue.com
@CloudStackGuru
Editor's Notes (speaker notes)
Customer logos on slide: eSkyCityBroker Bin, SunGard, Cisco, Orange, T-Mobile
Guest VMs and Hosts can be on different VLANs, even though the Admin Guide states they cannot
XenServer requires the CloudStack Support Package to be installed BEFORE adding to CloudStack in order to use Security Groups.
Security Groups: a Guest VM will be assigned to the ‘default’ Security Group if none is specified. The default group denies all inbound but allows all outbound. VMs can belong to multiple Security Groups, but not the default SG and another SG.
Ingress and Egress rules control the flow of traffic into and out of Security Groups. If no Egress rules have been specified all outbound traffic is allowed; however, once an Egress rule has been created, only traffic specified by Egress rules, in response to an Ingress rule, or related to DHCP & DNS queries is allowed out.
A Zone can be either Basic OR Advanced
Private – limited to one Account. Shared – accessible to either the whole Zone, a Domain (with or without subdomains), an Account or a Project
Traffic between CloudStack Management Servers and the various cloud components. Secondary Storage also uses the Management Network if the optional ‘Storage’ network has not been configured.
Advanced Zone: traffic between VMs and their VR
Basic Zone
Basic Zone with EIP / ELB has a Public Network
Enables services such as: Source NAT, Static NAT, Load Balancing, Port Forwarding, Firewall, VPN
NetScaler EIP & ELB
SSVM & CPVM each have a Public Interface
Optional Network: SSVM, Management Servers, Hosts. NOT FOR PRIMARY STORAGE