VMWARE SOLUTIONS AND THE DATACENTER Fredric Linder

Posted on 22-May-2020

Page 1: VMWARE SOLUTIONS AND THE DATACENTER · • Private Routed (External Org NAT-Routed) • Connected to an External Network through a vShield Edge • Can be configured for NAT & Firewall


Page 2

MORE THAN VSPHERE

VMware offering by area:

Core: vSphere, vCenter
Cloud: vCloud Director, Chargeback, VMware IT Business Management Suite
DR / Replication: Site Recovery Manager, Storage Appliance
VDI / Applications: VMware View
Management: vCenter Operations Suite, vCenter Operations

Page 3

INFRASTRUCTURE AS A SERVICE (IAAS)

Most commonly adopted strategy in the Enterprise

Building resource pools for consumption:
CPU / Memory – Server Virtualization
Storage – SAN
Network – QoS, VLAN, Bandwidth

Requirements:
• Dedicate resources based on service demands
• Monitor resource consumption to guarantee resources

Products: VMware vSphere, vCloud Suite

Page 4

PLATFORM AS A SERVICE (PAAS)

Delivering the foundation for building new SaaS applications.

New application platform to build NextGen applications
Distributed application model
Metering and subscription based model

IaaS-aware requirements:
• Dedicate resources based on service demands
• Monitor resource consumption to guarantee resources
• Metering and subscription infrastructure

Products: VMware vSphere, vFabric Suite

Page 5

SOFTWARE AS A SERVICE (SAAS)

Delivering SaaS applications.

SLA driven model
End user experience
Pay per use

Requirements:
• Dynamic resource allocation based on service demands
• Continuous end-to-end SLA metering
• Automatic end-to-end adaptation of resources to meet the SLA

Products: VMware vSphere, Operations Suite, IT Business Management Suite

Page 6

VMWARE VSPHERE AND VCENTER SERVER

Clusters and Resource Pools provide cloud compute
• DRS is a requirement for the cluster
• Shared storage
• vMotion compatible or EVC enabled

Datastores provide cloud storage
• Abstract away the underlying storage type

Portgroups provide cloud networking
• Abstract away the underlying networking infrastructure
• vSwitch, vNetwork Distributed Switch or Nexus 1000V, IBM 5000v

[Figure: vCenter Server managing ESXi/ESX hosts, with Resource Pools, a vNetwork Distributed Switch, and FC, iSCSI and NFS storage]

Page 7

NETWORKING OPTIONS IN VMWARE

vSwitch Types

vSwitch
• One or more per host
• Basic functionality

vNetwork Distributed Switch
• One or more per cluster
• LACP, BPDU filters, Port Mirroring, SR-IOV
• Requirement for 3rd party switches
• VXLAN support (with vShield and Security Package)

Page 8

VXLAN - PRINCIPLES

Identifier: 24-bit segment ID, the VNI (up to 16M VXLANs)

Only VMs in the same VXLAN (VNI) can communicate with each other

Tunneling L2 over L3 (MAC-over-UDP; UDP port not defined at this time)

VMs are not aware of VXLAN; only the VTEP is.

Today the VXLAN Tunnel End Point (VTEP) would be set up on the vSwitch, but it could be on physical switches, routers or servers (VXLAN gateways)…
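The segmentation rule above (a 24-bit VNI, and only VMs on the same VNI can talk) is easiest to see with the header in hand. The following is an added example, not code from the slides or from VMware: it packs and parses the 8-byte VXLAN header as the slide describes it (flags, reserved bits, 24-bit VNI) and models a toy VTEP that hands decapsulated frames only to local VMs attached to the matching VNI. The MAC addresses and frames are constructed; the header layout matches what the IETF later standardised in RFC 7348 (the UDP port the slide calls undefined was assigned 4789 there).

```python
import struct
from typing import Dict, List, Tuple

# Header layout (8 bytes): flags (1, bit 0x08 = "VNI valid") | reserved (3) | VNI (3) | reserved (1)
VXLAN_FLAG_I = 0x08
VNI_MAX = (1 << 24) - 1          # 24-bit segment id -> 16M segments
BROADCAST_MAC = b"\xff" * 6


def encapsulate(vni: int, inner_frame: bytes) -> bytes:
    """Prefix an Ethernet frame with a VXLAN header carrying `vni`."""
    if not 0 <= vni <= VNI_MAX:
        raise ValueError("VNI must fit in 24 bits")
    # The VNI occupies the top 24 bits of the last 32-bit word; the low byte is reserved (0).
    return struct.pack("!B3xI", VXLAN_FLAG_I, vni << 8) + inner_frame


def decapsulate(packet: bytes) -> Tuple[int, bytes]:
    """Validate the VXLAN header and return (vni, inner Ethernet frame)."""
    if len(packet) < 8 + 14:
        raise ValueError("packet too short for VXLAN + Ethernet headers")
    flags, word = struct.unpack("!B3xI", packet[:8])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("VNI-valid flag not set")
    if word & 0xFF:
        raise ValueError("reserved byte after VNI must be zero")
    return word >> 8, packet[8:]


class Vtep:
    """Toy VXLAN tunnel endpoint on a vSwitch: delivers inner frames only to
    local VMs attached to the same VNI. The VMs see plain Ethernet, never VXLAN."""

    def __init__(self) -> None:
        self.vm_vni: Dict[bytes, int] = {}             # VM MAC -> VNI it is attached to
        self.delivered: List[Tuple[bytes, int]] = []   # (VM MAC, VNI) audit trail

    def attach(self, mac: bytes, vni: int) -> None:
        self.vm_vni[mac] = vni

    def receive(self, packet: bytes) -> str:
        try:
            vni, frame = decapsulate(packet)
        except ValueError as exc:
            return f"dropped: {exc}"
        dst = frame[:6]
        if dst == BROADCAST_MAC:
            # Flooding is scoped to the segment: only VMs on this VNI get the frame.
            targets = [m for m, v in self.vm_vni.items() if v == vni]
            self.delivered.extend((m, vni) for m in targets)
            return f"flooded to {len(targets)} VM(s) in VNI {vni}"
        owner_vni = self.vm_vni.get(dst)
        if owner_vni is None:
            return "dropped: destination MAC not local"
        if owner_vni != vni:
            return "dropped: VNI mismatch"       # another tenant's segment: never delivered
        self.delivered.append((dst, vni))
        return f"delivered to VNI {vni}"


def ethernet_frame(dst: bytes, src: bytes, payload: bytes) -> bytes:
    """Constructed inner frame: dst MAC | src MAC | ethertype IPv4 | opaque payload."""
    return dst + src + b"\x08\x00" + payload


def demo() -> Dict[str, str]:
    """Constructed scenario: two tenants' VMs on one host, VNI 100 and VNI 200."""
    mac_a = bytes.fromhex("020000000001")   # tenant A, VNI 100
    mac_b = bytes.fromhex("020000000002")   # tenant B, VNI 200
    mac_c = bytes.fromhex("020000000003")   # tenant B, VNI 200
    mac_remote = bytes.fromhex("020000000009")   # tenant B VM behind another VTEP
    vtep = Vtep()
    vtep.attach(mac_a, 100)
    vtep.attach(mac_b, 200)
    vtep.attach(mac_c, 200)
    to_b = ethernet_frame(mac_b, mac_remote, b"hello")
    bcast = ethernet_frame(BROADCAST_MAC, mac_remote, b"arp?")
    return {
        "same_vni": vtep.receive(encapsulate(200, to_b)),
        "cross_vni": vtep.receive(encapsulate(100, to_b)),   # tenant A cannot inject into B
        "broadcast_200": vtep.receive(encapsulate(200, bcast)),
        "bad_flags": vtep.receive(b"\x00\x00\x00\x00\x00\x00\x64\x00" + to_b),
        "max_vni_roundtrip": str(decapsulate(encapsulate(VNI_MAX, to_b))[0]),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:18} {outcome}")
```

The "cross_vni" case is the point of the slide: a frame carried in VNI 100 is never handed to a VM on VNI 200 even though the VTEP knows that VM's MAC, so segment membership, not the inner MAC, decides delivery.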

Page 9

DRS CLUSTER DESIGN (8-12 HOSTS PER CLUSTER)

[Figure: VMs spread across the hosts of one DRS cluster]

Page 10

ACTIVE PASSIVE DESIGN

[Figure: two sites, each with VMs and NFS, iSCSI, FCoE storage, joined by Storage Replication]

Page 11

STRETCHED CLUSTER DESIGN

[Figure: one cluster stretched across two sites, VMs pinned with Affinity Groups at each site, NFS, iSCSI, FCoE storage at each site, joined by Storage Replication]

Page 12

VMWARE VCLOUD COMPONENTS

VMware vSphere and vCenter Servers

VMware vCloud Director

vShield for VMware Cloud Director

Page 13

VMWARE VCLOUD DIRECTOR

Define standard infrastructure tiers called Virtual Datacenters

Pool virtualized infrastructure resources across multiple vCenter Servers

Define standard collections of VMs called vApps

Create Organizations and manage users

Provide a UI for users to self-provision vApps into Virtual Datacenters

Provide secure multi-tenancy using vShield Edge

Page 14

VMWARE VCLOUD STACK

[Figure: the vCloud Director stack, top to bottom]
Secure Private Cloud
Organization: Marketing (Organization VDCs, Catalogs, Users & Policies)
Organization: Finance (Organization VDCs, Catalogs, Users & Policies)
VMware vCloud Director: Provider Virtual Datacenters (Gold, Silver, Bronze)
VMware vCenter Server: Resource Pools, Datastores, Port Groups
VMware vSphere

Page 15

[Figure: External Network, vShield FW, Organisation Network, vShield FW, Application Network with three App VMs]

Page 16

EXTERNAL NETWORK: OVERVIEW

Created at the vSphere level as a port group on a vSS or vDS

Port group is mapped to a vCloud Director external network

Mapping is on a one to one basis

Use cases

• Internet access

• Provider supplied network endpoints

• IP based storage

• Backup servers

• Access to physical managed services

• Backhauled networking to a customer datacenter

• VPN access to a private cloud

• MPLS termination

Page 17

EXTERNAL NETWORKS: IN VSPHERE

Dedicate a vDS for statically mapped networks, i.e. a “Provider vDS”

Avoid vSS unless using scripting to duplicate port groups to hosts

Use unique VLANs per port group to avoid broadcast overlap

Below is an example of VLAN-isolated External Networks:

Page 18

EXTERNAL NETWORKS: IN VMWARE VCLOUD DIRECTOR

In VMware vCloud Director, create an external network by mapping it to a portgroup

Page 19

ORGANIZATION NETWORKS: OVERVIEW

Contained within an organization

Allows vApps within the organization to communicate with each other or with external endpoints

Can be connected to external networks as:
• Public (External Org Direct)
  • Bridged connection to an external network
  • Others outside the organization can see it
• Private Routed (External Org NAT-Routed)
  • Connected to an External Network through a vShield Edge
  • Can be configured for NAT & Firewall

…or left unconnected to external networks:
• Private Internal (Internal Org)
  • No external connectivity

Backed by Network Pools

Page 20

VAPP NETWORKS: OVERVIEW

Contained within a vApp
• Inherently Private Internal

Allows VMs in a vApp to communicate with each other, or with Org networks and other vApps by connecting them to Org networks

Can be connected to Org Networks as:
• Public (Direct)
  • Bridged connection to an organization network
• Private Routed
  • Connected to an organization network through a vShield Edge
  • Can be configured for NAT & Firewall

Backed by a Network Pool

Page 21

[Figure: External Network, vShield FW, Organisation Network, vShield FW, Application Network with three App VMs]

VMware vShield

Provides network edge security

Provides firewall, NAT, port forwarding, IP masquerading and DHCP functionality (enforces multi-tenancy)

Edge appliances deployed and managed by VMware vCloud Director on vSphere.

NOTE: Does not include site-to-site VPN and load balancer
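The three ways an organization network can be connected (direct, NAT-routed through a vShield Edge, or internal only) and the edge functions listed above differ in what an outside party can reach and see. The following is an added example, not VMware's code or the slide's: a toy model of an edge that applies first-match firewall rules with default deny, port forwarding (DNAT) inbound and masquerading (SNAT) outbound, placed in front of a NAT-routed org network and compared with a direct and an internal one. The tenant, rules, and addresses (documentation ranges) are constructed.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class Rule:
    """One edge firewall rule; rules are evaluated top-down and the first match wins."""
    action: str                  # "allow" or "deny"
    src: str                     # CIDR or "any"
    dst: str                     # CIDR or "any"
    dport: Optional[int] = None  # None matches every destination port

    def matches(self, src_ip: str, dst_ip: str, dport: int) -> bool:
        src_ok = self.src == "any" or ip_address(src_ip) in ip_network(self.src)
        dst_ok = self.dst == "any" or ip_address(dst_ip) in ip_network(self.dst)
        return src_ok and dst_ok and (self.dport is None or self.dport == dport)


@dataclass
class VShieldEdge:
    """Toy model of the edge appliance: firewall, port forwarding (DNAT) and
    masquerading (SNAT) behind one external address. Not VMware's implementation."""
    external_ip: str
    rules: List[Rule] = field(default_factory=list)
    port_forwards: Dict[int, Tuple[str, int]] = field(default_factory=dict)  # ext port -> (vm ip, vm port)

    def permits(self, src_ip: str, dst_ip: str, dport: int) -> bool:
        for rule in self.rules:
            if rule.matches(src_ip, dst_ip, dport):
                return rule.action == "allow"
        return False  # default deny: traffic no rule mentions does not pass

    def inbound(self, src_ip: str, dport: int) -> str:
        """External client connecting to the edge's public address."""
        if dport not in self.port_forwards:
            return "dropped: no port forward"
        vm_ip, vm_port = self.port_forwards[dport]
        if not self.permits(src_ip, vm_ip, vm_port):   # filter on the translated address
            return "dropped: firewall"
        return f"forwarded to {vm_ip}:{vm_port}"

    def outbound(self, vm_ip: str, dst_ip: str, dport: int) -> str:
        """VM reaching out: firewall first, then hide the VM behind the external IP."""
        if not self.permits(vm_ip, dst_ip, dport):
            return "dropped: firewall"
        return f"egress as {self.external_ip}"


@dataclass
class OrgNetwork:
    kind: str                           # "direct", "nat_routed" or "internal"
    edge: Optional[VShieldEdge] = None  # only meaningful for nat_routed

    def reach_vm(self, src_ip: str, vm_ip: str, dport: int) -> str:
        if self.kind == "direct":
            return f"reachable at {vm_ip}"          # bridged: the VM address is visible outside
        if self.kind == "nat_routed":
            return self.edge.inbound(src_ip, dport)
        return "unreachable: no external connectivity"

    def vm_egress(self, vm_ip: str, dst_ip: str, dport: int) -> str:
        if self.kind == "direct":
            return f"egress as {vm_ip}"
        if self.kind == "nat_routed":
            return self.edge.outbound(vm_ip, dst_ip, dport)
        return "dropped: no external connectivity"


def build_demo() -> Dict[str, OrgNetwork]:
    """Constructed tenant with one org network of each kind."""
    edge = VShieldEdge(
        external_ip="198.51.100.10",
        rules=[
            Rule("deny", "192.0.2.0/24", "any"),        # blocked source range
            Rule("allow", "any", "10.0.0.0/24", 443),   # the one published service
            Rule("allow", "10.0.0.0/24", "any"),        # org VMs may reach out
        ],
        port_forwards={443: ("10.0.0.5", 443)},
    )
    return {
        "direct": OrgNetwork("direct"),
        "nat_routed": OrgNetwork("nat_routed", edge),
        "internal": OrgNetwork("internal"),
    }


if __name__ == "__main__":
    nets = build_demo()
    for kind, net in nets.items():
        print(kind, "->", net.reach_vm("203.0.113.7", "10.0.0.5", 22))
```

On the direct network the VM's own address is what the outside sees and nothing in the path filters; on the NAT-routed one only explicitly forwarded ports exist from outside, the VM egresses as the edge's address, and anything without an allow rule is dropped.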

Page 22

TYPES OF NETWORK POOLS

Portgroup-backed
• Create isolated portgroups in vSphere manually or with automation
• Attach a collection of them to VMware vCloud Director

VLAN-backed
• VMware vCloud Director will automatically create portgroups as needed, and use a range of VLANs to isolate them

VMware vCloud Director Network Isolation-backed
• Proprietary network isolation technology

Network Pool Building Blocks
• VLAN-backed: vNetwork Distributed Switch + VLAN tags
• VCDNI: vNetwork Distributed Switch + one VLAN for transport
• Portgroup-backed: portgroups on a vSwitch or vNetwork Distributed Switch
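A VLAN-backed pool works by handing one unused VLAN id from its range to each network that needs a portgroup, which only isolates tenants if no two pools (or a pool and a statically mapped external network) on the same vDS reuse an id. The following is an added example, not vCloud Director's code: a toy allocator with release and exhaustion handling, plus a check that flags overlapping ranges on one distributed switch. Pool names, ranges and vDS names are constructed.

```python
from typing import Dict, List, Set, Tuple


class VlanBackedPool:
    """Toy VLAN-backed network pool: one VLAN id per network, taken back on release."""

    def __init__(self, name: str, first: int, last: int, vds: str) -> None:
        if not (1 <= first <= last <= 4094):
            raise ValueError("VLAN range must lie within 1-4094")
        self.name, self.vds = name, vds
        self.free: List[int] = list(range(first, last + 1))   # lowest id first
        self.in_use: Dict[str, int] = {}                      # network name -> VLAN id

    def allocate(self, network: str) -> int:
        if network in self.in_use:
            return self.in_use[network]        # idempotent: same network, same VLAN
        if not self.free:
            raise RuntimeError(f"pool {self.name} exhausted")
        vlan = self.free.pop(0)
        self.in_use[network] = vlan
        return vlan

    def release(self, network: str) -> None:
        vlan = self.in_use.pop(network)
        self.free.append(vlan)
        self.free.sort()

    def ids(self) -> Set[int]:
        """Every id the pool may ever hand out, in use or not."""
        return set(self.free) | set(self.in_use.values())


def overlapping_pools(pools: List[VlanBackedPool]) -> List[Tuple[str, str, Set[int]]]:
    """Pools on the same vDS that share VLAN ids would put unrelated tenants in one
    broadcast domain; pools on different switches may reuse ids freely."""
    clashes = []
    for i, a in enumerate(pools):
        for b in pools[i + 1:]:
            if a.vds == b.vds:
                shared = a.ids() & b.ids()
                if shared:
                    clashes.append((a.name, b.name, shared))
    return clashes


def demo() -> Dict[str, object]:
    gold = VlanBackedPool("gold-pool", 100, 102, vds="Provider-vDS")
    silver = VlanBackedPool("silver-pool", 102, 110, vds="Provider-vDS")   # overlaps gold on 102
    other = VlanBackedPool("site-b-pool", 100, 110, vds="SiteB-vDS")       # same ids, other vDS
    first = gold.allocate("org-marketing-net")
    second = gold.allocate("org-finance-net")
    gold.release("org-marketing-net")
    reused = gold.allocate("org-hr-net")          # gets the released id back
    gold.allocate("org-legal-net")
    try:
        gold.allocate("org-one-too-many")
        exhausted = False
    except RuntimeError:
        exhausted = True
    return {"first": first, "second": second, "reused": reused, "exhausted": exhausted,
            "clashes": overlapping_pools([gold, silver, other])}


if __name__ == "__main__":
    print(demo())
```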

Page 23

[Figure: ExternalNet (VLAN), vShield FW, OrgNet (vCD-NI), vShield FW, AppNet (vCD-NI) with three App VMs]

Page 24

TRAFFIC FLOW EXAMPLE

Page 25

TRAFFIC FLOW EXAMPLE

Page 26

VCLOUD API

RESTful
• Designed for web infrastructure
• Extensible, modular
• Released in “Open” form
• Version 0.9 currently public

Spans vCenter instances
• Operate across multiple vCenter Servers

100% virtual
• VIM API unchanged

With the OVF standard, unlocks the ability to move vApps across clouds (hybrid cloud use case)

Page 27

2 LOGICAL APIS FOR VMWARE VCLOUD DIRECTOR

1: VMware vCloud Director “Admin API”
• Automate VCD management
• Attach virtual/physical resources
• Manage organizations, users, etc.
• RESTful for loose coupling to existing systems

2: vCloud API
• Standard way to consume vCloud resources

Page 28

ORCHESTRATION + VMWARE CLOUD DIRECTOR

[Figure: orchestration components: End Users; User Portal + vCloud API (Redwood Portal, VCD Portal); Orchestration Engine; Financial Systems, Approval Systems, Asset Systems, CMDB …; vCenter Chargeback; VMware vCloud IaaS via the vCloud API; VMware vSphere via the vSphere API with Hosts, Datastores and Physical Config. Flows: 1. User Workflow Initiation; 2. User Resource Interaction]

Page 29

JUNIPER SOLUTIONS

Page 30

[Figure: ExternalNet (VLAN), vShield FW, OrgNet (vCD-NI), vShield FW, AppNet (vCD-NI) with three App VMs]

JUNIPER SOLUTIONS

Page 31

[Figure: as before, with vGW on the hypervisor and an SRX firewall in front of ExternalNet (VLAN); vShield FW, OrgNet (vCD-NI), vShield FW, AppNet (vCD-NI) with three App VMs]

JUNIPER SOLUTIONS

Page 32

[Figure: as before, with vGW on the hypervisor and a vSRX firewall in front of ExternalNet (VLAN); vShield FW, OrgNet (vCD-NI), vShield FW, AppNet (vCD-NI) with three App VMs]

JUNIPER SOLUTIONS

Page 33

[Figure: vGW on the hypervisor; vSRX replaces both vShield FWs between ExternalNet (VLAN), OrgNet (vCD-NI) and AppNet (vCD-NI) with three App VMs]

Page 34

VGW – NETWORK VISIBILITY

Navigate, see traffic flows, troubleshoot

Benefits:
• Visibility to all VM communications
• Ability to spot design issues with security policies
• Single click to more detail on VMs
• Export flows for analysis
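Exported inter-VM flows are most useful when compared against the intended design: any flow the firewall let through that the design does not call for is either an over-broad rule or a VM doing something it should not. The following is an added example, not vGW output or Juniper code: a small analysis over constructed NetFlow-style records for a three-tier application (web, app, db subnets are constructed) that lists flows outside the design and totals bytes per tier pair.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# Constructed inter-VM flow records (src_ip, dst_ip, proto, dst_port, bytes); not real vGW export.
FLOWS = [
    ("10.20.1.11", "10.20.2.21", "tcp", 8443, 52_000),  # web -> app
    ("10.20.2.21", "10.20.3.31", "tcp", 3306, 8_100),   # app -> db
    ("10.20.1.12", "10.20.2.21", "tcp", 8443, 47_300),  # web -> app
    ("10.20.1.11", "10.20.3.31", "tcp", 3306, 300),     # web -> db: bypasses the app tier
    ("10.20.3.31", "10.20.1.11", "tcp", 22, 2_400),     # db -> web over SSH: wrong direction
]

# The intended design: which tier may talk to which, on what (constructed subnets)
TIERS = {
    "web": ip_network("10.20.1.0/24"),
    "app": ip_network("10.20.2.0/24"),
    "db": ip_network("10.20.3.0/24"),
}
DESIGN = {("web", "app", "tcp", 8443), ("app", "db", "tcp", 3306)}


def tier_of(ip: str) -> str:
    addr = ip_address(ip)
    for name, net in TIERS.items():
        if addr in net:
            return name
    return "unknown"


def flows_outside_design(flows=FLOWS) -> List[Tuple[str, str, str, int]]:
    """Flows observed (so: allowed by policy) that the design does not call for.
    Each is a policy gap to close or a VM to look at; ordering follows the export."""
    out = []
    for src, dst, proto, port, _ in flows:
        if (tier_of(src), tier_of(dst), proto, port) not in DESIGN:
            out.append((src, dst, proto, port))
    return out


def bytes_per_tier_pair(flows=FLOWS) -> Dict[Tuple[str, str], int]:
    """Volume per (source tier, destination tier); a large unexpected pair stands out."""
    totals: Dict[Tuple[str, str], int] = defaultdict(int)
    for src, dst, _, _, nbytes in flows:
        totals[(tier_of(src), tier_of(dst))] += nbytes
    return dict(totals)


if __name__ == "__main__":
    for flow in flows_outside_design():
        print("outside design:", flow)
    for pair, total in sorted(bytes_per_tier_pair().items()):
        print(pair, total, "bytes")
```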

Page 35

Page 36

VGW – INTROSPECTION

“X-ray” VMs and automate compliance enforcement

Benefits:
• Know exactly what’s installed in a VM
• Automatically attach the relevant security policy!
• Define & enforce a “gold” image (template or VM)

Page 37

VGW – SMART GROUPS

Smart Groups allow for the use of attributes to create dynamic system associations.

Benefits:
• Tie vGW product discoveries to Smart Group definitions.
• Tie vCenter and VM config attributes to Smart Group definitions.
• Attributes are read in real time, so if a VM changes in vCenter it is instantly updated in vGW.
• Priority and precedence levels can be defined to tier groups easily.
• The Smart Groups help capability lets the administrator see the name, description and values of attributes.
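The two properties worth seeing in code are that membership is evaluated against live attributes (so a change in vCenter or an introspection finding takes effect on the next evaluation, with nothing cached) and that precedence decides which policy wins when several groups match. The following is an added example, not vGW's implementation: a handful of constructed groups over constructed VM attributes, with a default policy for VMs that match nothing so an unclassified VM is isolated rather than unfiltered.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

Attrs = Dict[str, object]


@dataclass(frozen=True)
class SmartGroup:
    name: str
    precedence: int                  # lower number wins when several groups match
    rule: Callable[[Attrs], bool]    # evaluated over live attributes, never cached
    policy: str                      # the policy tier to attach


# Constructed group definitions; attribute names are this example's own.
GROUPS: List[SmartGroup] = [
    SmartGroup("quarantine-unpatched", 0,
               lambda a: int(a.get("patch_level", 0)) < 3, "quarantine"),
    SmartGroup("pci-cardholder", 1,
               lambda a: "pci" in a.get("tags", ()), "pci-strict"),
    SmartGroup("web-tier", 2,
               lambda a: a.get("folder") == "web" and 443 in a.get("listening", ()), "web-dmz"),
    SmartGroup("all-linux", 5,
               lambda a: str(a.get("os", "")).startswith("linux"), "linux-baseline"),
]


def matching_groups(attrs: Attrs, groups: List[SmartGroup] = GROUPS) -> List[str]:
    """Every group the VM currently belongs to, highest precedence first."""
    return [g.name for g in sorted(groups, key=lambda g: g.precedence) if g.rule(attrs)]


def effective_policy(attrs: Attrs, groups: List[SmartGroup] = GROUPS, default: str = "isolated") -> str:
    """The highest-precedence matching group decides; no match means the default."""
    for g in sorted(groups, key=lambda g: g.precedence):
        if g.rule(attrs):
            return g.policy
    return default


class Inventory:
    """Stand-in for vCenter plus introspection results: attributes are read at evaluation time."""

    def __init__(self) -> None:
        self.vms: Dict[str, Attrs] = {}

    def upsert(self, name: str, **attrs: object) -> None:
        self.vms.setdefault(name, {}).update(attrs)

    def policy_for(self, name: str) -> str:
        return effective_policy(self.vms[name])


def demo() -> Dict[str, str]:
    inv = Inventory()
    inv.upsert("web01", os="linux-rhel6", folder="web", listening=(22, 443), patch_level=3, tags=())
    inv.upsert("batch07", os="windows-2008", folder="batch", listening=(3389,), patch_level=5, tags=())
    before = inv.policy_for("web01")           # web-dmz
    inv.upsert("web01", tags=("pci",))         # a tag changes in vCenter ...
    tagged = inv.policy_for("web01")           # ... and the next evaluation reflects it
    inv.upsert("web01", patch_level=1)         # introspection finds it behind on patches
    unpatched = inv.policy_for("web01")        # quarantine outranks every other group
    return {"before": before, "tagged": tagged, "unpatched": unpatched,
            "no_match": inv.policy_for("batch07")}


if __name__ == "__main__":
    print(demo())
```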

Page 38

VGW AND HOW VGW CAN HELP ORCHESTRATE SECURITY

[Figure: VM1, VM2, VM3 on VMware vSphere with vGW (Altor); the network with a Juniper SRX with IDP and a Juniper EX switch; STRM]

• Central Policy Management
• Zone Synchronization
• Traffic Mirroring to IPS
• Firewall Event Syslogs
• Netflow for Inter-VM Traffic
• Orchestration APIs

Page 39

DC MANAGEABILITY CHALLENGES WITH SERVER VIRTUALIZATION

1. Blurred roles between the server and network admin.
2. No automation/orchestration to sync up the two networks.
3. VM migration can fail.
4. Proprietary products & protocols

[Figure: Network Admin and Server Admin; the virtual n/w (VM1, VM2, VM3) and the physical n/w with policies A, B and ports P kept in step by hand]

Page 40

SOLUTIONS WITH JUNOS SPACE VIRTUAL CONTROL

1. Clear roles and responsibilities
2. Automated orchestration between physical and virtual networks
3. Scalable solution – allows VMs to move freely
4. Open Architecture

[Figure: Network Admin and Server Admin; Virtual Control keeps policies A on the virtual n/w (VM1, VM2, VM3) and ports P on the physical n/w in sync]

Page 41

NETWORK RELATED ACCESS

Server Admin should not have the following access:
• Move network
  • This can be a security concern
• Configure network
• Remove network

Server Admin should have:
• Assign network
  • To assign a network to a VM
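The split above is a least-privilege rule and is easy to check mechanically, both at decision time (deny anything not explicitly granted) and as an audit of role definitions, since a "server admin" role cloned from an administrator role typically carries the network privileges it should not. The following is an added example, not vSphere's or the slide's code: the privilege identifiers follow the style of vSphere's Network.* privileges but are assumptions here, and the roles are constructed.

```python
from typing import Dict, FrozenSet, List

# Privilege identifiers in the style of vSphere's "Network.*" privileges; the exact
# strings are assumptions for this example, not taken from the slide.
NETWORK_ASSIGN = "Network.Assign"
NETWORK_CONFIGURE = "Network.Config"
NETWORK_REMOVE = "Network.Delete"
NETWORK_MOVE = "Network.Move"

# Which privilege each operation requires
OPERATION_PRIVILEGE: Dict[str, str] = {
    "assign network to VM": NETWORK_ASSIGN,
    "configure network": NETWORK_CONFIGURE,
    "remove network": NETWORK_REMOVE,
    "move network": NETWORK_MOVE,
}

# The slide's rule: a Server Admin may assign networks to VMs and, network-wise, nothing else
SERVER_ADMIN_MAY_HOLD: FrozenSet[str] = frozenset({NETWORK_ASSIGN})
SERVER_ADMIN_MUST_NOT_HOLD: FrozenSet[str] = frozenset({NETWORK_CONFIGURE, NETWORK_REMOVE, NETWORK_MOVE})

# Constructed role definitions (the second is the typical "cloned from Administrator" mistake)
ROLES: Dict[str, FrozenSet[str]] = {
    "server-admin": frozenset({NETWORK_ASSIGN, "VirtualMachine.Interact.PowerOn"}),
    "server-admin-cloned-from-admin": frozenset({NETWORK_ASSIGN, NETWORK_MOVE, NETWORK_CONFIGURE}),
    "network-admin": frozenset({NETWORK_ASSIGN, NETWORK_CONFIGURE, NETWORK_REMOVE, NETWORK_MOVE}),
}


def authorize(role: str, operation: str, roles: Dict[str, FrozenSet[str]] = ROLES) -> bool:
    """Deny by default: unknown role, unknown operation or missing privilege all fail."""
    required = OPERATION_PRIVILEGE.get(operation)
    if required is None:
        return False
    return required in roles.get(role, frozenset())


def audit_server_admin_role(privileges: FrozenSet[str]) -> List[str]:
    """Network privileges a server-admin role holds but, per the slide, should not."""
    return sorted(privileges & SERVER_ADMIN_MUST_NOT_HOLD)


if __name__ == "__main__":
    for name, privs in ROLES.items():
        if name.startswith("server-admin"):
            print(name, "excess network privileges:", audit_server_admin_role(privs))
```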

Page 42

WILL QFABRIC HELP ME ORCHESTRATE

[Figure: Application, Orchestration Engine, QFabric Director]

QFabric Director:
• One device
• One hop
• Non-blocking

• As the QFabric Director acts as the brain for the fabric, you only have to request relevant information from this device in order to guarantee the characteristics the application requires
• Fewer devices to orchestrate
• Less complex
• Simpler to deploy applications based on SLA

Page 43

JUNIPER’S OPEN CLOUD ORCHESTRATION MODEL

[Figure: layered model]
• Cloud Governance and Lifecycle Management
• Network Abstraction, Orchestration and Automation
• Network: Routing, Switching, Security (interfaces: XML API, Junos Scripting, Junos Space, OpenFlow)
• Compute / Storage: x86 platform from Intel; Containers and Virtual Machines (Hyper-V, KVM); Linux, Windows; PHP, Java, Rails, Node.js; Service

Juniper provides an open interface model for cloud orchestration

Page 44

QUESTIONS?