Introduction to CloudStack Networking

Posted on 14-Jan-2015


DESCRIPTION

Introduction to the different CloudStack Networking models, CloudStack Networks and System VMs

TRANSCRIPT

Introduction to CloudStack Networking

Geoff Higginbottom, CTO ShapeBlue

geoff.higginbottom@shapeblue.com | Twitter: @CloudStackGuru @ShapeBlue

@ShapeBlue #CloudStack #CCCEU13

About Me

Cloud Architect & ShapeBlue CTO. Specialises in:

- Designing & building clouds based on Apache CloudStack / Citrix CloudPlatform
- Developing CloudStack training
- Blogging and sharing CloudStack knowledge
- Involved with CloudStack before its donation to Apache
- Designed clouds for SunGard, Ascenty, BskyB, Trader Media, M5 Hosting, Team Cymru, Interoute, University of Pennsylvania...
- CloudStack Committer (non-developer)


About ShapeBlue

“ShapeBlue are expert builders of public & private clouds. They are the leading global independent CloudStack / CloudPlatform integrator & consultancy”


Why NaaS – The Use Cases: VPS Cloud

[Diagram: a traditional VPS cloud, with a www gateway in front of individual VPS instances, compared with NaaS, where the www gateway fronts a network of VMs]


Why NaaS – The Use Cases: Tiered Networks

[Diagram: NaaS with Tier 1, Tier 2 and Tier 3 networks of VMs behind a www gateway, with ACLs controlling the traffic between the tiers]


Basic Networking

- AWS-style L3 isolation – massive scale
- Simple flat network
- Each POD has a unique CIDR
- Optional guest isolation via Security Groups
- Optional NetScaler integration – Elastic IPs and Elastic LB
- Optional Nicira NVP integration


Security Groups

- Isolate traffic between VMs
- Available for both Basic and Advanced Networking
- Only supported on XenServer 6.x and KVM
- XenServer 6.0.x requires the Cloud Support Package
- XenServer must use Linux Bridge and not Open vSwitch (xe-switch-network-backend bridge); this must be implemented before adding the host to CloudStack


Security Groups: rules can be mapped to a CIDR or to another Account/Security Group


Advanced Networking

- This network model provides the most flexibility in defining guest networks and providing custom network offerings such as firewall, VPN, Load Balancer & VPC functionality.
- Guest isolation is provided through layer-2 means such as VLANs or SDN technologies.


Advanced Networking

- Private and Shared Guest Networks
- Multiple Physical Networks
- Virtual Router for each Network providing: DNS & DHCP, Firewall, Client VPN, Load Balancing, Source / Static NAT, Port Forwarding


Advanced Networking & Security Groups

Effectively enables the deployment of multiple ‘Basic’ style networks which use Security Groups for isolation of VMs, but with each Network encapsulated within a unique VLAN.


Management Network

[Diagram: Management Server(s), MySQL DB(s), Hosts, Secondary Storage, SSVM and CPVM all attached to the Management Network]

Traffic between CloudStack Management Servers and the various cloud components (Hosts, System VMs, Storage*, vCenter etc.)


Guest Network – Advanced Zone

[Diagram: the account's VMs on the Guest Network behind a Virtual Router, which connects out to www]

Traffic between VMs within an Account, and their Virtual Router, Physical Load Balancer or Physical Firewall


Guest Network – Basic Zone

[Diagram: VMs on the network connected directly to the www Internet Gateway]

Traffic between VMs on the network and their Internet Gateway


Guest Network – Basic Zone EIP / ELB

[Diagram: VMs connected to the internal interface of a Citrix NetScaler, which connects out to www]

Traffic between VMs and the Internal Interface of the NetScaler


Public Network – Advanced Zone

[Diagram: Virtual Router between the VMs and www]

Traffic between the Virtual Router and the Internet Gateway


Public Network – Basic Zone EIP / ELB

[Diagram: Citrix NetScaler between the VMs and www]

Only present in a Basic Zone when a Citrix NetScaler is used to provide Elastic IP and Elastic LB


Public Network – System VMs

[Diagram: SSVM and CPVM each connected to www]

CPVM & SSVM both have a connection to the Public Network


Storage Network

[Diagram: Management Server(s), Hosts, SSVM and Secondary Storage; the SSVM reaches Secondary Storage over the Storage Network]

- Traffic between the SSVM and the Secondary Storage
- Optional network; traffic will use the Management Network if it is not configured
- If configured, there must be a route between the Management and Storage Networks
- It is NOT for Primary Storage traffic


Physical Connectivity

[Diagram: Users, and Admins & Users, connect through a Router; behind it sit the Management Server(s), MySQL DB(s) and Secondary Storage, and POD 1, POD 2 ... POD n, each containing Hosts and Primary Storage]


Basic Zone – Example IP Schema

[Diagram: an L3 Switch connecting three PODs; each POD has an L2 Switch and Hosts 1..n, and the VR in each POD provides DHCP, DNS, User Data and Security Groups for its VMs; www reached via the L3 Switch]

- POD 1: 192.168.0.0/26 – Reserved IPs 192.168.0.10 – 192.168.0.29, Hosts 192.168.0.30 – 192.168.0.62; Guest IPs 172.16.0.2 – 172.16.1.254, GW 172.16.0.1
- POD 2: 192.168.0.64/26 – Reserved IPs 192.168.0.73 – 192.168.0.92, Hosts 192.168.0.93 – 192.168.0.126; Guest IPs 172.16.2.2 – 172.16.3.254, GW 172.16.2.1
- POD 3: 192.168.0.128/26 – Reserved IPs 192.168.0.138 – 192.168.0.147, Hosts 192.168.0.149 – 192.168.0.190; Guest IPs 172.16.4.2 – 172.16.5.254, GW 172.16.4.1
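A POD plan like the one on this slide can be sanity-checked before it is entered into CloudStack. The following Python is an added example, not part of the original slides: it takes the three Basic Zone PODs from the slide (abbreviated octets expanded to full addresses) and verifies the properties the Basic Networking model relies on, namely that reserved and host ranges sit inside their POD's CIDR without overlapping each other, that every POD CIDR is unique, that guest ranges do not overlap across PODs, and that a gateway does not fall inside its own guest range. The `Pod` structure and the checker functions are constructed here, not taken from CloudStack.

```python
import ipaddress
from typing import NamedTuple

class Pod(NamedTuple):
    name: str
    cidr: str        # POD management CIDR
    reserved: tuple  # (first, last) system-reserved IPs
    hosts: tuple     # (first, last) hypervisor host IPs
    guest: tuple     # (first, last) guest IPs
    gateway: str     # guest gateway

PODS = [  # plan taken from the Basic Zone slide above (abbreviated octets expanded)
    Pod("POD 1", "192.168.0.0/26", ("192.168.0.10", "192.168.0.29"),
        ("192.168.0.30", "192.168.0.62"), ("172.16.0.2", "172.16.1.254"), "172.16.0.1"),
    Pod("POD 2", "192.168.0.64/26", ("192.168.0.73", "192.168.0.92"),
        ("192.168.0.93", "192.168.0.126"), ("172.16.2.2", "172.16.3.254"), "172.16.2.1"),
    Pod("POD 3", "192.168.0.128/26", ("192.168.0.138", "192.168.0.147"),
        ("192.168.0.149", "192.168.0.190"), ("172.16.4.2", "172.16.5.254"), "172.16.4.1"),
]

def _rng(first, last):
    a, b = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if a > b:
        raise ValueError(f"range {first}-{last} is reversed")
    return a, b

def _overlap(r1, r2):
    return r1[0] <= r2[1] and r2[0] <= r1[1]

def check_pods(pods):
    problems = []  # empty list means the plan is consistent
    for p in pods:
        net = ipaddress.ip_network(p.cidr)
        res, hosts, guest = _rng(*p.reserved), _rng(*p.hosts), _rng(*p.guest)
        for label, r in (("reserved", res), ("host", hosts)):  # must lie inside the POD CIDR
            if r[0] not in net or r[1] not in net:
                problems.append(f"{p.name}: {label} range outside {p.cidr}")
        if _overlap(res, hosts):
            problems.append(f"{p.name}: reserved and host ranges overlap")
        gw = ipaddress.ip_address(p.gateway)
        if guest[0] <= gw <= guest[1]:
            problems.append(f"{p.name}: gateway {p.gateway} inside guest range")
    # Across PODs: CIDRs must be unique and guest ranges disjoint (L3 isolation).
    for i, a in enumerate(pods):
        for b in pods[i + 1:]:
            if ipaddress.ip_network(a.cidr).overlaps(ipaddress.ip_network(b.cidr)):
                problems.append(f"{a.name}/{b.name}: POD CIDRs overlap")
            if _overlap(_rng(*a.guest), _rng(*b.guest)):
                problems.append(f"{a.name}/{b.name}: guest IP ranges overlap")
    return problems
```

`check_pods(PODS)` returns an empty list for the slide's plan; a POD that reuses another POD's CIDR or guest range is reported by name.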


Advanced Zone – Example IP Schema

[Diagram: an L3 Switch connecting two PODs; each POD has an L2 Switch carrying VLANs to Hosts 1..n; Virtual Routers VRa, VRb and VRc each serve their own guest network of VMs (VMa1-VMa3, VMb1-VMb2, VMc1-VMc3); www reached via the L3 Switch]

- POD 1 – XenServer: 192.168.0.0/26 – Reserved IPs 192.168.0.10 – 192.168.0.29, Hosts 192.168.0.30 – 192.168.0.62
- POD 2 – vSphere: 192.168.2.0/22 – Reserved IPs 192.168.2.43 – 192.168.3.254, Hosts 192.168.2.10 – 192.168.2.42
- Guest Networks: 10.1.1.0/24, GW 10.1.1.1, Guest IPs 10.1.1.2 – 10.1.1.254; guest networks isolated by VLANs


Network Service Providers

A hardware or virtual appliance that provides network services to CloudStack, e.g.:

- Virtual Router
- VPC Virtual Router
- Internal LB VM
- Citrix NetScaler
- F5 Load Balancer
- Juniper SRX Firewall
- Nicira NVP
- Midokura MidoNet
- BigSwitch VNS
- Cisco VNMC


Virtual Private Clouds (VPC)

- Private multi-tiered Virtual Networks
- ACLs to control traffic isolation
- Inter-VLAN Routing
- Site-2-Site VPN
- Private Gateway


VPC Components

- Virtual Router – connects all the VPC components
- Network Tiers – isolated networks, each with a unique VLAN and CIDR

[Diagram: Virtual Router connected to Tier 1 (VLAN 101), Tier 2 (VLAN 102) and Tier 3 (VLAN 103), each tier containing VMs]


VPC Components

- Public Gateway
- Site-2-Site VPN – linked to the Public Gateway, connecting to a Remote DC or Corporate Office

[Diagram: www reaches the Virtual Router through the Public Gateway; Site-2-Site VPN from the Public Gateway to a Remote DC or Corporate Office; Tier 1 (VLAN 101), Tier 2 (VLAN 102) and Tier 3 (VLAN 103) behind the Virtual Router]


VPC Components

- Private Gateway – created by Root Admins, configured by users (Static Routes)

[Diagram: Virtual Router with a Private Gateway in addition to the www connection; Tier 1 (VLAN 101), Tier 2 (VLAN 102) and Tier 3 (VLAN 103) behind the Virtual Router]


VPC Components

[Diagram: the Private Gateway links the Virtual Router to Physical Equipment (a Router) in a Remote DC over MPLS; Tier 1 (VLAN 101), Tier 2 (VLAN 102) and Tier 3 (VLAN 103) behind the Virtual Router; www connection]

VPC Components

[Diagram: Virtual Router with Tier 1 (VLAN 101), Tier 2 (VLAN 102) and Tier 3 (VLAN 103) and the www connection]


VPC Components

[Diagram: a second Virtual Router with its own group of VMs alongside the VPC's Virtual Router and Tier 1 (VLAN 101), Tier 2 (VLAN 102) and Tier 3 (VLAN 103); two www connections]


Communication Ports

[Diagram: port flows between Users, the CloudStack Management Servers (CSMAN), the hypervisors (ESXi, KVM, XenServer, vCenter), the System VMs (CPVM, Virtual Router, SSVM), the MySQL Master & Slave and Secondary Storage; labels on the diagram: 443 HTTPS Console Access, 80/443 HTTP File Share, 2222/80/443 and 443 towards the hypervisors]

- User – CSMAN: 8080 / 8096
- CSMAN – CSMAN: 9090 / 8250
- CSMAN – System VMs (CPVM, Virtual Router, SSVM): 8250, 3922
- CSMAN – MySQL: 3306
- MySQL – MySQL (Master & Slave): 3306
- Secondary Storage: 111 / 2049


System VMs & Their Networks – Virtual Router

- Public Network, e.g. 82.64.20.2
- Guest Network, e.g. 10.1.1.17
- Link Local (XenServer / KVM), e.g. 169.254.3.24; Management (vSphere), e.g. 192.168.2.57


System VMs & Their Networks – Virtual Router

[Diagram: Virtual Router between www and the guest VMs]

Services provided: DHCP, DNS, User Data, Source NAT, Static NAT, VPN, Firewall, Port Forwarding, Load Balancing


System VMs & Their Networks – Secondary Storage VM (SSVM)

- Public Network, e.g. 82.64.20.3
- Management, e.g. 192.168.3.28
- Link Local (XenServer / KVM), e.g. 169.254.2.49; Management (vSphere), e.g. 192.168.3.36
- Storage Network: IP address from the Management OR Storage IP ranges


System VMs & Their Networks – SSVM: VM Image / ISO Upload Workflow

[Diagram: HTTP Server, CloudStack Management Server, SSVM and Secondary Storage; the SSVM has Management / Link Local (LiLo), Public and Storage interfaces]

1. User uploads the VM Image / ISO to a public web server
2. User specifies the VM Image / ISO location via the GUI or API
3. CloudStack sends the request information to the SSVM
4. SSVM fetches the VM Image / ISO from the HTTP server and writes it to Secondary Storage


System VMs & Their Networks – Console Proxy VM (CPVM)

- Public Network, e.g. 82.64.20.4
- Management, e.g. 192.168.2.58
- Link Local (XenServer / KVM), e.g. 169.254.5.27; Management (vSphere), e.g. 192.168.2.74


System VMs & Their Networks – CPVM: Remote Connection

[Diagram: User, CloudStack Management Server, CPVM, realhostip.com and Hypervisor; the CPVM has Management / Link Local (LiLo) and Public interfaces]

1. User initiates a Console session
2. CS chooses a suitable CPVM and creates a logon ticket for the user
3. CS forwards the user identity and ticket to the CPVM
4. CS sends the user a redirection URL
5. User resolves the URL via realhostip.com
6. User is connected to the CPVM via HTTPS
7. CPVM connects to the Hypervisor via HTTPS


Recent Networking Improvements (4.1 & 4.2)

- Numerous VPC improvements
- Add & remove NICs / Networks
- Multiple IPs on a single NIC
- Persistent Networks
- Configurable default egress behaviour
- Non-contiguous VLAN ranges
- Enhanced SRX & F5 support
- PVLANs
- GSLB
- IPv6 (technical demo)


Further Information

Lots of great technical info on http://shapeblue.com/blog/

These slides can be found at www.slideshare.net/shapeblue

geoff.higginbottom@shapeblue.com @CloudStackGuru
