Introduction to CloudStack Networking
DESCRIPTION
Introduction to the different CloudStack Networking models, CloudStack Networks and System VMs
TRANSCRIPT
Introduction to CloudStack Networking
Geoff Higginbottom, CTO ShapeBlue
[email protected]  @CloudStackGuru
@ShapeBlue #CloudStack #CCCEU13

About Me
Cloud Architect & ShapeBlue CTO. Specialise in:
- Designing & building clouds based on Apache CloudStack / Citrix CloudPlatform
- Developing CloudStack training
- Blogging and sharing CloudStack knowledge
- Involved with CloudStack before the donation to Apache
- Designed clouds for SunGard, Ascenty, BskyB, Trader Media, M5 Hosting, Team Cymru, Interoute, University of Pennsylvania, ...
- CloudStack Committer (non-developer)

About ShapeBlue
“ShapeBlue are expert builders of public & private clouds. They are the leading global independent CloudStack / CloudPlatform integrator & consultancy”

Why NaaS – The Use Cases
(diagram: a VPS Cloud with three VPS instances attached directly to the Internet (www), compared with six VMs behind NaaS)

Why NaaS – The Use Cases
(diagram: NaaS with VMs in Tier 1, Tier 2 and Tier 3, with ACLs between the Internet (www) and the tiers)

Basic Networking
- AWS style L3 isolation – massive scale
- Simple flat network
- Each POD has a unique CIDR
- Optional guest isolation via Security Groups
- Optional NetScaler integration – Elastic IPs and Elastic LB
- Optional Nicira NVP integration

Security Groups
- Isolate traffic between VMs
- Available for both Basic and Advanced Networking
- Only supported on XenServer 6.x and KVM
- XenServer 6.0.x requires the Cloud Support Package
- XenServer must use Linux Bridge and not Open vSwitch: xe-switch-network-backend bridge
- Must be implemented before adding the host to CloudStack

Security Groups
- Rules can be mapped to a CIDR or to another Account/Security Group

Advanced Networking
This network model provides the most flexibility in defining guest networks and providing custom network offerings such as firewall, VPN, Load Balancer & VPC functionality.
Guest isolation is provided through layer-2 means such as VLANs or SDN technologies.

Advanced Networking
- Private and Shared Guest Networks
- Multiple Physical Networks
- Virtual Router for each Network providing: DNS & DHCP, Firewall, Client VPN, Load Balancing, Source / Static NAT, Port Forwarding

Advanced Networking & Security Groups
Effectively enables the deployment of multiple ‘Basic’ style networks which use Security Groups for isolation of VMs, but with each Network encapsulated within a unique VLAN.

Management Network
(diagram: Management Server(s), MySQL DB(s), Hosts, SSVM, CPVM and Secondary Storage attached to the Management Network)
Traffic between CloudStack Management Servers and the various cloud components (Hosts, System VMs, Storage*, vCenter etc.)

Guest Network – Advanced Zone
(diagram: VMs and their Virtual Router, with the Internet (www) beyond the Virtual Router)
Traffic between VMs within an Account, and their Virtual Router, Physical Load Balancer or Physical Firewall

Guest Network – Basic Zone
(diagram: VMs attached directly to the network, with the Internet (www) beyond it)
Traffic between VMs on the network and their Internet Gateway

Guest Network – Basic Zone EIP / ELB
(diagram: VMs, a Citrix NetScaler and the Internet (www))
Traffic between VMs and the Internal Interface of the NetScaler

Public Network – Advanced Zone
(diagram: VMs, their Virtual Router and the Internet (www))
Traffic between the Virtual Router and the Internet Gateway

Public Network – Basic Zone EIP / ELB
(diagram: VMs, a Citrix NetScaler and the Internet (www))
Only present in a Basic Zone when a Citrix NetScaler is used to provide Elastic IP and Elastic LB

Public Network – System VMs
(diagram: SSVM and CPVM attached to the Internet (www))
CPVM & SSVM both have a connection to the Public Network

Storage Network
(diagram: Management Server(s), Hosts, SSVM and Secondary Storage)
- Traffic between the SSVM and Secondary Storage
- Optional network; traffic will use the Management Network if it is not configured
- If configured, there must be a route between the Management and Storage Networks
- It is NOT for Primary Storage traffic

Physical Connectivity
(diagram: Admins & Users reach a Router; behind it sit POD 1 ... POD n, each containing Hosts and Primary Storage, together with Secondary Storage, the Management Server(s) and the MySQL DB(s))

Basic Zone – Example IP Schema
(diagram: an L3 Switch uplinked to the Internet (www), with one L2 Switch and Hosts 1..n per POD; the Virtual Router provides DHCP, DNS, User Data and Security Groups)
- POD 1: 192.168.0.0/26; Reserved IPs 192.168.0.10 – 192.168.0.29; Hosts 192.168.0.30 – 192.168.0.62; Guest IPs 172.16.0.2 – 172.16.1.254, GW 172.16.0.1
- POD 2: 192.168.0.64/26; Reserved IPs 192.168.0.73 – 192.168.0.92; Hosts 192.168.0.93 – 192.168.0.126; Guest IPs 172.16.2.2 – 172.16.3.254, GW 172.16.2.1
- POD 3: 192.168.0.128/26; Reserved IPs 192.168.0.138 – 192.168.0.147; Hosts 192.168.0.149 – 192.168.0.190; Guest IPs 172.16.4.2 – 172.16.5.254, GW 172.16.4.1

Advanced Zone – Example IP Schema
(diagram: an L3 Switch uplinked to the Internet (www); each POD has an L2 Switch and Hosts 1..n, with Virtual Routers VRa, VRb and VRc serving their VMs VMa1..3, VMb1..2 and VMc1..3 on VLAN-isolated guest networks)
- POD 1 – XenServer: 192.168.0.0/26; Reserved IPs 192.168.0.10 – 192.168.0.29; Hosts 192.168.0.30 – 192.168.0.62
- POD 2 – vSphere: 192.168.2.0/22; Reserved IPs 192.168.2.43 – 192.168.3.254; Hosts 192.168.2.10 – 192.168.2.42
- Guest Networks: 10.1.1.0/24, GW 10.1.1.1, Guest IPs 10.1.1.2 – 10.1.1.254, isolated by VLANs

Network Service Providers
A hardware or virtual appliance that provides network services to CloudStack, e.g.:
- Virtual Router
- VPC Virtual Router
- Internal LB VM
- Citrix NetScaler
- F5 Load Balancer
- Juniper SRX Firewall
- Nicira NVP
- Midokura MidoNet
- BigSwitch VNS
- Cisco VNMC

Virtual Private Clouds (VPC)
- Private multi-tiered Virtual Networks
- ACLs to control traffic isolation
- Inter-VLAN Routing
- Site-2-Site VPN
- Private Gateway

VPC Components
(diagram: a Virtual Router connected to Tier 1 / VLAN 101, Tier 2 / VLAN 102 and Tier 3 / VLAN 103, each tier holding VMs)
- Virtual Router – connects all the VPC components
- Network Tiers – isolated networks, each with a unique VLAN and CIDR

VPC Components
(diagram: the three tiers behind the Virtual Router, with the Internet (www) on the Public Gateway and a Site-2-Site VPN to a Remote DC or Corporate Office)
- Public Gateway
- Site-2-Site VPN – linked to the Public Gateway

VPC Components
(diagram: the three tiers behind the Virtual Router, with a Private Gateway alongside the Public Gateway (www))
- Private Gateway – created by Root Admins, configured by Users (static routes)

VPC Components
(diagram: the Virtual Router's Private Gateway connected through physical equipment and MPLS to a Remote DC Router, alongside the three tiers and the Internet (www))

VPC Components
(two further diagrams of the three tiers (VLAN 101, 102 and 103) behind the VPC Virtual Router and its Public Gateway (www))

Communication Ports
(diagram of the flows between Users, CloudStack Management Servers (CSMAN), MySQL, System VMs, hypervisors and Secondary Storage)
- User – CSMAN: 8080/8096
- CSMAN – CSMAN: 9090/8250
- CSMAN – MySQL: 3306; MySQL Master – MySQL Slave: 3306
- System VMs (CPVM, Virtual Router, SSVM) – CSMAN: 8250
- CSMAN – System VMs (CPVM, Virtual Router, SSVM): 3922
- Hypervisors (ESXi, KVM, XenServer, vCenter): 2222/80/443, 443
- SSVM – Secondary Storage: 111/2049
- User – CPVM: 443 (HTTPS console access)
- SSVM – HTTP file share: 80/443

System VMs & Their Networks: Virtual Router
- Public Network, e.g. 82.64.20.2
- Guest Network, e.g. 10.1.1.17
- Link Local (XenServer / KVM), e.g. 169.254.3.24, or Management (vSphere), e.g. 192.168.2.57

System VMs & Their Networks: Virtual Router
(diagram: VMs, their Virtual Router and the Internet (www))
Services: DHCP, DNS, User Data, Source NAT, Static NAT, VPN, Firewall, Port Forwarding, Load Balancing

System VMs & Their Networks: Secondary Storage VM (SSVM)
- Public Network, e.g. 82.64.20.3
- Management, e.g. 192.168.3.28
- Link Local (XenServer / KVM), e.g. 169.254.2.49, or Management (vSphere), e.g. 192.168.3.36
- Storage Network: IP address from the Management OR Storage IP ranges

System VMs & Their Networks: SSVM – VM Image / ISO Upload Workflow
(diagram: HTTP Server, CloudStack Management Server, SSVM and Secondary Storage on the Management / Link Local, Public and Storage networks)
1. User uploads the VM Image / ISO to a public web server
2. User specifies the VM Image / ISO location via the GUI or API
3. CloudStack sends the request information to the SSVM
4. SSVM fetches the VM Image / ISO from the HTTP server and writes it to Secondary Storage

System VMs & Their Networks: Console Proxy VM (CPVM)
- Public Network, e.g. 82.64.20.4
- Management, e.g. 192.168.2.58
- Link Local (XenServer / KVM), e.g. 169.254.5.27, or Management (vSphere), e.g. 192.168.2.74

System VMs & Their Networks: CPVM – Remote Connection
(diagram: User, CloudStack Management Server, CPVM, realhostip.com and Hypervisor on the Management / Link Local, Public and Management networks)
1. User initiates a Console session
2. CS chooses a suitable CPVM and creates a logon ticket for the user
3. CS forwards the user identity and ticket to the CPVM
4. CS sends the user a redirection URL
5. User resolves the URL via realhostip.com
6. User is connected to the CPVM via HTTPS
7. CPVM connects to the Hypervisor via HTTPS

Recent Networking Improvements (4.1 & 4.2)
- Numerous VPC improvements
- Add & remove NICs / Networks
- Multiple IPs on a single NIC
- Persistent Networks
- Configurable default egress behaviour
- Non-contiguous VLAN ranges
- Enhanced SRX & F5 support
- PVLANs
- GSLB
- IPv6 (technical demo)

Further Information
Lots of great technical info on http://shapeblue.com/blog/
These slides can be found at www.slideshare.net/shapeblue
[email protected]  @CloudStackGuru