L4-L7 Application Services with Avi Networks
TRANSCRIPT
1
OpenStack Advanced Networking Services: LBaaS
James Sherlow, Avi Networks
@jsherlow @AviNetworks
2
Network Virtualization Layers

Layer    Physical World                                             Virtual World
L2       Switches, LAN (Broadcast Domain)                           Neutron: Network
L3       Routers, IP Subnets                                        Neutron: Router, Subnet
L4 - L7  Firewalls, Load Balancers (ADC), DNS, VPN Servers, ...     Neutron Services: FWaaS, LBaaS, Designate, VPNaaS, ...
3
LBaaS in Neutron APIs
• LBaaS v1.0 API
  – Introduced in Grizzly
  – Lacks several key advanced features: SSL support, rules-based switching
• LBaaS v2.0 API
  – Introduced in Kilo
  – Implementation currently in progress
    • Horizon/Heat integration
    • L7 rules
    • Neutron flavors
4
LBaaS v2.0 Model

LoadBalancer: name, description, vip_port_id, vip_subnet_id, vip_address, provisioning_status, operating_status, provider
Listener: name, description, default_pool_id, loadbalancer_id, protocol, protocol_port, default_tls_container_id, sni_containers, connection_limit, provisioning_status, operating_status, admin_state_up
SNI Container: listener_id, tls_container_id, position
Pool: name, description, healthmonitor_id, protocol, lb_algorithm, members, admin_state_up, provisioning_status, operating_status, session persistence
Member: pool_id, address, protocol_port, weight, admin_state_up, subnet_id, provisioning_status, operating_status
HealthMonitor: type (ping, TCP, HTTP, HTTPS), delay, timeout, max_retries, http_method, url_path, expected_codes, provisioning_status, admin_state_up
LB Statistics: loadbalancer_id, bytes_in, bytes_out, active_connections, total_connections

Relationships (cardinalities from the diagram):
LoadBalancer 1 -- * Listener
LoadBalancer 1 -- 1 LB Statistics
Listener 1 -- 0..1 Pool (default pool)
Listener 1 -- * SNI Container
Pool 1 -- * Member
Pool 1 -- 0..1 HealthMonitor
5
LBaaS APIs: Limitations (Not a comprehensive list)
• Missing protocols
  – UDP
  – Non-HTTP SSL termination
• SSL
  – Missing support for backend (client) SSL cert
    • Use case: Pools with backend servers that require client SSL certs
  – SSL protocol and cipher-list control
    • E.g., SSLv3 is broken and should not be used for external applications
    • Prefer EC ciphers over RSA: Perfect Forward Secrecy
  – Support for only one default cert
• Custom health monitoring
  – E.g., Monitor on a different port than the port configured for members
  – Non-HTTP protocols: e.g., MySQL
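Added example, not from the deck: a small Python model of the LBaaS v2.0 objects from the model slide, with a review function whose rules map onto the limitations listed above (UDP, non-HTTP SSL termination, backend client certs, HTTP-only health monitors). Object and field names follow the slide; the review rules, messages and sample values are constructed for illustration, and the check on an unlimited connection_limit (-1) is an added defensive check rather than a gap the deck names.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Field names follow the "LBaaS v2.0 Model" slide; only the fields the
# review needs are modelled (constructed example, not the LBaaS code).
@dataclass
class HealthMonitor:
    type: str                    # ping, TCP, HTTP, HTTPS
    url_path: str = "/"
    expected_codes: str = "200"

@dataclass
class Pool:
    name: str
    protocol: str                # HTTP, HTTPS, TCP
    members: List[dict] = field(default_factory=list)
    healthmonitor: Optional[HealthMonitor] = None

@dataclass
class Listener:
    name: str
    protocol: str                # HTTP, HTTPS, TCP, TERMINATED_HTTPS
    protocol_port: int
    default_pool: Optional[Pool] = None
    default_tls_container_id: Optional[str] = None
    sni_containers: List[str] = field(default_factory=list)
    connection_limit: int = -1   # -1 means unlimited

def review_listener(lis: Listener) -> List[str]:
    """Return findings for one listener; rules map to the deck's gap list."""
    f = []
    if lis.protocol == "UDP":
        f.append("UDP listeners are not supported by the LBaaS API")
    if lis.protocol == "TERMINATED_HTTPS" and not lis.default_tls_container_id:
        f.append("TLS termination requested but no default certificate container")
    if lis.protocol == "TCP" and lis.default_tls_container_id:
        f.append("non-HTTP SSL termination is not supported; use TERMINATED_HTTPS or pass TLS through")
    if lis.connection_limit == -1:
        f.append("connection_limit is unlimited; no per-listener connection cap")
    pool = lis.default_pool
    if pool is None:
        return f + ["listener has no default pool"]
    if pool.protocol == "HTTPS":
        f.append("HTTPS pool: API offers no backend (client) SSL certificate")
    hm = pool.healthmonitor
    if hm is None:
        f.append("pool has no health monitor")
    elif hm.type in ("HTTP", "HTTPS") and pool.protocol == "TCP":
        f.append("HTTP monitor on a TCP pool: non-HTTP members (e.g. MySQL) will be marked down")
    return f
```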
6
Reference Implementation (HAProxy)
• One HAProxy process per Pool/VIP
• Running on Network Node
[Diagram: Compute Nodes running tenant VMs; Network Node(s) running the LBaaS Agent and the HAProxy instances; Controller Node(s) running Keystone and Neutron w/ LBaaS; north-south and east-west traffic paths through the network nodes]
7
Reference Implementation (HAProxy)

Scalability: Limited
• Runs on shared Neutron nodes, creating a large fan-in
• Traffic "tromboning"
• Complex to manage multiple Neutron nodes / HAProxy instances

High Availability: None
• Will need other solutions (e.g., Pacemaker) for achieving HA

Tenant Isolation: Best effort; no strong guarantees
• No per-tenant SLA service
• Common pool of resources: network nodes

Not suitable for enterprise-grade clouds
8
Service-VM Architecture: Distributed load balancer with a centralized control plane
[Diagram: Legacy OpenStack vs. Next Generation OpenStack; Service Engines LB1-LB4 distributed among the tenant VMs on the compute nodes, managed by centralized Controllers exposing a REST API]
Avi Networks Proprietary and Confidential 2016
9
Avi Vantage for OpenStack LBaaS: Drop-In replacement for HAProxy with Enterprise Class Load Balancing & App Monitoring
10
Demos
11
Avi's Elastic Application Delivery & Monitoring
Drop-in Replacement for HAProxy with Full-featured Elastic ADC
• Self-service automation
• Single point of management and integration
• Multi-tenancy with Keystone integration
• Elastic & auto-scale
• Active/Active & N+1 HA
• Application & end-user performance monitoring
• Comprehensive security insights and DDoS mitigation
12
Thanks! https://www.avinetworks.com/try