VMworld 2013: vCloud Hybrid Service Jump Start Part Three of Five: vCloud Hybrid Service: Advanced Networking and Security
DESCRIPTION
VMworld 2013. Ninad Desai, VMware; Greg Herzog, VMware; Jon Kim, Force 3; Gregory Stemberger, Force 3. Learn more about VMworld and register at http://www.vmworld.com/index.jspa?src=socmed-vmworld-slideshare
TRANSCRIPT
Page 1: VMworld 2013: vCloud Hybrid Service Jump Start Part Three of Five: vCloud Hybrid Service: Advanced Networking and Security
vCloud Hybrid Service Jump Start Part Three of Five:
vCloud Hybrid Service:
Advanced Networking and Security
Ninad Desai, VMware
Greg Herzog, VMware
Jon Kim, Force 3
Gregory Stemberger, Force 3
PHC5488
#PHC5488
Page 2
What’s in It for You?
You will leave with:
• An understanding of the vCloud Hybrid Service networking building blocks
• A strong networking foundation for building a complex Hybrid Cloud
• An understanding of advanced networking use cases and security
Page 3
Agenda
vCloud Hybrid Service Introduction
• Basic Stack and Constructs
Networking
• Key Components
• Network Virtualization
• Edge Gateway
• Services Overview
• Advanced Use Cases
• Complex Networking
• Sharepoint Networking
• Datacenter Extension
Security
• Application Firewall
• Application Security
Page 4
vCloud Hybrid Service Networking is Easy and Powerful
Key Takeaways
• Building blocks you are used to – vSphere, VXLAN, vCNS, vCD
• Flexible and Powerful
• Supports all your most complex networking
• IPSEC VPN
• Stretched Applications
• Layer 2 Extension - BYOIP
• Advanced application security
Page 5
vCloud Hybrid Service: Any Mixture Of Two Flavors
Dedicated Cloud
• Your own private cloud instance
• Physically isolated
• Minimum size: 120GB vRAM, 30GHz vCPU
• Starts at: 6 TB
• 50 Mbps allocated, 1 Gbps burstable, 3 Public IPs
Virtual Private Cloud
• Logically isolated
• Guaranteed resource allocation
• Minimum size: 20GB vRAM, 5GHz vCPU (burst to 10GHz)
• Starts at: 2 TB
• 10 Mbps allocated, 50 Mbps burstable, 2 Public IPs
Page 6
Dedicated vCloud Stack per Dedicated Cloud
Fully Integrated vCloud Stack:
• vCloud Management and Automation
• vCloud Hybrid Service Management Console
• vCloud Infrastructure
• vCloud Networking and Security
• vCloud Director with vCloud Connector
• vSphere / vCenter
Per customer (Customer A, …), one Dedicated Cloud: physically isolated servers, storage pool, VPN and network pool
Page 7
Hybrid Service Basic Networking Constructs
Diagram: Organization Network (isolated) and Organization Network (Customer Controlled)
Page 8
Network Virtualization in vCloud Hybrid Service
vCloud Hybrid Service stack: vSphere, VXLAN, Networking & Security, Integrated Management Console
Edge Gateway
Secures the edge of the virtual datacenter and delivers network services:
• Firewall
• NAT
• Load Balancer
• Site-to-Site IPSec VPN
• Active/Standby High Availability
• Stateful Session Failover
VXLAN
Foundation for elastic, portable virtual datacenters. Encapsulation allows:
• Isolation between Organization Networks
• Bring-your-own private IPv4 layer 3 address space
vCloud Hybrid Service Networking
• Nine routable IP spaces
• Intuitive design replicates traditional networks
• Customizable to support production applications
Diagram: VDC 1, VDC 2
Page 9
Available Services
• Firewall – Basic Session
• NAT – Basic Session
• DHCP – Basic Session
• Load Balancer
• VPN
Page 10
Edge Gateway Services – Load Balancing
Pool Servers – Load Balanced:
• Round Robin
• IP Hash
• URI
• Least Connected
Virtual Server:
• Virtual IP (Public IP)
• Front end traffic
• Assigned to a server pool
An Edge gateway load balancer can have multiple virtual servers and pools
Page 11
Load Balancer – Pool Servers
Pool Servers
• HTTP/HTTPS/TCP
• Load Balancing Methods
• IP Hash
• Round Robin
• URI
• Least Connected
• Health Check
• Each with +TCP as mode
• Monitoring Ports
• Add Servers
• Ratio Weight
• Change Ports/Services per Server
Page 12
Load Balancer – Virtual Servers
Virtual Servers
• Apply on outside network
• Server Pool
• Persistence Method
• HTTP – Cookie
• HTTPS – Session ID
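The pool-server and virtual-server settings on the two slides above come down to a small amount of selection logic. The Python below is an added example written for this page, not vCNS or vCloud Hybrid Service code: it models the four balancing methods the slides list, the TCP health check that takes a member out of rotation, ratio weights, and the cookie or session-ID persistence of a virtual server. Member addresses, client addresses and session IDs are constructed for the example; the hash function and the rule that persistence overrides the balancing method are this example's own choices, not a description of the Edge Gateway's implementation.

```python
"""Edge Gateway load-balancer behaviour modelled in Python.

Added example, not vCNS/vCHS code. Member and client addresses below are
constructed; the hashing and persistence rules are this example's own.
"""
import hashlib
from dataclasses import dataclass

METHODS = ("round_robin", "ip_hash", "uri", "least_connected")


@dataclass
class PoolMember:
    address: str
    port: int = 80
    weight: int = 1        # "Ratio Weight": share of round-robin slots
    healthy: bool = True   # result of the last TCP health check
    connections: int = 0   # active sessions, drives Least Connected


class Pool:
    """A server pool with one balancing method and a persistence table."""

    def __init__(self, method, members):
        if method not in METHODS:
            raise ValueError(f"unknown balancing method: {method}")
        self.method = method
        self.members = list(members)
        self._rr_counter = 0
        self._sticky = {}  # session id (cookie / TLS session ID) -> member

    def healthy_members(self):
        up = [m for m in self.members if m.healthy]
        if not up:
            raise RuntimeError("no healthy members: virtual server is down")
        return up

    def _round_robin(self, up):
        # Weighted: a member with weight 2 gets two slots per cycle.
        slots = [m for m in up for _ in range(max(1, m.weight))]
        member = slots[self._rr_counter % len(slots)]
        self._rr_counter += 1
        return member

    @staticmethod
    def _hash_pick(up, key):
        # Deterministic: the same key lands on the same member as long as the
        # healthy set is unchanged (the usual caveat of modulo hashing).
        digest = hashlib.sha256(key.encode()).digest()
        return up[int.from_bytes(digest[:8], "big") % len(up)]

    def select(self, client_ip, uri="/", session=None):
        """Pick the member for one request; persistence wins if that member is up."""
        up = self.healthy_members()
        if session is not None and session in self._sticky:
            if self._sticky[session].healthy:
                return self._sticky[session]
        if self.method == "round_robin":
            member = self._round_robin(up)
        elif self.method == "ip_hash":
            member = self._hash_pick(up, client_ip)
        elif self.method == "uri":
            member = self._hash_pick(up, uri)
        else:
            member = min(up, key=lambda m: m.connections)
        if session is not None:
            self._sticky[session] = member
        return member


def tcp_health_check(pool, probe):
    """Mark members up/down; probe(address, port) -> bool stands in for the
    edge's TCP monitor. Returns the addresses now out of rotation."""
    for m in pool.members:
        m.healthy = bool(probe(m.address, m.port))
    return [m.address for m in pool.members if not m.healthy]


def simulate(pool, requests):
    """Dispatch (client_ip, uri, session) tuples; return the chosen addresses."""
    chosen = []
    for client_ip, uri, session in requests:
        m = pool.select(client_ip, uri, session)
        m.connections += 1
        chosen.append(m.address)
    return chosen


if __name__ == "__main__":
    web = [PoolMember("10.0.10.11", weight=2), PoolMember("10.0.10.12")]
    pool = Pool("round_robin", web)
    print(simulate(pool, [("198.51.100.1", "/", None)] * 3))
    # Simulated monitor: the first member stops answering on its port.
    print("out of rotation:", tcp_health_check(pool, lambda a, p: a != "10.0.10.11"))
    print(simulate(pool, [("198.51.100.1", "/", None)] * 2))
```

The health check is what makes the pool safe to front with a public virtual IP: a member that fails the probe is skipped by every method, and a persisted session is re-bound rather than sent to a dead server. IP hash and URI hash keep a client or a URI on one member only while the healthy set is stable, which is why persistence by cookie or session ID is the stronger choice for stateful applications.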
Page 13
IPSEC VPN Overview
vCNS 5.1 Edge/vCloud Hybrid Service features include IPSEC VPN
• Definition: Internet Protocol Security (IPsec) is a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session
• Create a secured tunnel using the IPSEC VPN service from one physical/virtual datacenter to another
IPSEC is a framework of open standards
“Protect the series of internet tubes with VPN!”
Page 14
VPN Architecture Diagram
vSphere (On-Premise):
• Sharepoint-Routed Network (10.0.10.0/24), gateway 10.0.10.1
• vSphere Edge Gateway – LEP 10.0.1.150, Peer ID 69.194.137.230, Peer IP 69.194.137.230
• External Router – 10.0.1.1 inside, 68.108.102.47 outside
vCloud Hybrid Service:
• vCHS Edge Gateway – LEP 69.194.137.230, Peer ID 10.0.1.150, Peer IP 68.108.102.47
• Sharepoint-Default Routed Network (192.168.109/24), gateway 192.168.109.1
• Virtual Machine 1, Virtual Machine 2
VPN Traffic between the two edge gateways:
• IP Protocol ID 50 (ESP)
• IP Protocol ID 51 (AH)
• UDP Port 500 (IKE)
• UDP Port 4500 (NAT traversal)
Page 15
Hybrid Service is Just Another Site – Networking & Security
Your Data Center (Primary, Regional Office, Regional Office) and vCloud Hybrid Service (US East Region, US West Region) share:
• The Same Networking Topology – full network virtualization at layer 2 and layer 3; Layer 2 Extensions
• The Same Security Policies – integrated L4-7 services for Firewall/NAT, IPSec VPN, Load Balancers, VXLAN gateways
Page 16
Advanced Use Cases
Complex Networking
Stretched Application Networking Example
• Sharepoint
Datacenter Extension
• Keep your same IP and MAC address
Force 3 Use Case
Page 17
Complex Networking
Flexible and Powerful
• Can replicate existing complex topology
• Same constructs you are used to
• Don’t have to figure it out – weird mappings etc.
• Problem translating standard enterprise networking to new models
• Virtual Gateways, Security Groups, Elastic IPs
• 10 interfaces and additional Gateways if necessary
• Supports existing virtual appliances
Page 18
vCloud Hybrid Service Advanced Networking
Edge Gateway
• 10 Total Interfaces
• 9 For Customer Use
• Static Routes between Zones
3rd Party Appliance
• Customer Supplied
• F5, RSA, Cisco
Diagram: Organization Network (DMZ) with Web Servers; Organization Network (App) with App Servers and DB Servers; Log Servers; RSA; Org Net 1; Organization Network (Test/Dev); Organization Network (Isolated); VMs on each network
Page 19
Sharepoint Networking
Stretched Application
• Uses Layer 3 Tunnel – IPSEC
• Data stays on premise
• Load Balancing and additional demand is in the cloud
• Internet access in cloud for scalability
• No holes in firewall – no direct access to internet traffic
Page 20
VPN Architecture Diagram
Local Sharepoint Application – vSphere (On-Premise):
• Sharepoint-Routed Network (10.0.10.0/24), gateway 10.0.10.1
• vSphere Edge Gateway – LEP 10.0.1.150, Peer ID 69.194.137.230, Peer IP 69.194.137.230
• External Router – 10.0.1.1 inside, 68.108.102.47 outside
• Sharepoint VM, SQL VM, Domain Controller VM
Remote Sharepoint Application – vCloud Hybrid Service:
• vCHS Edge Gateway – LEP 69.194.137.230, Peer ID 10.0.1.150, Peer IP 68.108.102.47
• Sharepoint-Default Routed Network (192.168.109/24), gateway 192.168.109.1
• Domain Controller VM, Virtual Machine 2
Traffic: VPN Traffic between the edge gateways, Internet Traffic via the vCHS edge
• IP Protocol ID 50 (ESP)
• IP Protocol ID 51 (AH)
• UDP Port 500 (IKE)
• UDP Port 4500 (NAT traversal)
Page 21
When Would You Use Stretch Deployed Networks? DCE
Application Dependency on IP Address
Application Dependency on MAC Address
• Licensing requirement
External Application Interdependencies
• Hard Coded IP Addresses
• Lack of DNS usage
Existing Security Rules
• Switch ACLs
• Existing Firewalls
Page 22
DCE Logical Architecture (vSphere Private Cloud)
Page 23
Stretched Network Considerations
Stretched virtual machines use On Premise Network Gateway
• All Network traffic traverses VPN
Active Directory Sites and Services
• “Stretched” network is part of On Premise Site in AD
• DNS/AD calls for vCloud servers will traverse VPN
• Cannot split a network between sites
vApp Limitations
• 128 Virtual machines per vApp
• Single vApp container with power operations
Page 24
Stretch Deploy (DCE) Architecture Diagram
Local Application – vCloud Director (On-Premise):
• vSphere Edge Gateway 10.0.1.150, gateway 10.0.10.1 on the Sharepoint-Routed Network (10.0.10.0/24)
• External Router – 10.0.1.1 inside, 68.108.102.47 outside
• vShield Edge (10.0.10.6, 10.0.10.7) fronting the Stretch-Routed vAPP Network (192.168.2.0/24) with Stretch1 192.168.2.101 and Stretch2 192.168.2.102
Remote Application – vCloud Hybrid Service:
• vCHS Edge Gateway 69.194.137.230
• Sharepoint-Default Routed Network (192.168.109/24), gateway 192.168.109.1
• vShield Edge fronting the Stretch-Routed vAPP Network (192.168.2.0/24) with Stretch1 192.168.2.101
SSLVPN Traffic between the two vShield Edges – Port 443
Page 25
Force 3 Use Case
Jon S. Kim, Security Practice Director, Force 3
Gregory Stemberger, Principal Network Security Architect, Force 3
Page 26
Case Study – Force 3, Inc.
Building Upon vCloud Hybrid Networking Model
Privatization of the Public Cloud
Enabling Advanced and Networking Functions
Cloud Becomes a Virtual Extension of the Enterprise
www.force3.com
Page 27
Case Study Architecture – Force 3, Inc.
Page 28
Advanced Security
Application Security
• Infrastructure
• Firewall
• User access
Page 29
Application Security – Infrastructure Best Practices
Application segmentation
• Use dedicated cloud
• Segmented compute
• Segmented Network NIC
• Separate VDCs per use case (diagram: VDC 1, VDC 2, VDC 3 for SharePoint Web application and Dev / Test)
• Separate connectivity per use case
• Direct connect
• IPsec
Diagram: Internet, Direct Connect and IPSec VPN into the dedicated cloud
Page 30
Firewall for Three Tier Applications
Edge Gateway - Firewall with NAT/LB in front of the VDC; tiers: Web tier, App tier, DB
Allow lists as drawn on the slide:
• Allow: HTTP, HTTPS, SSH, Mgmt
• Allow: HTTP, HTTPS, App-access
• Allow: App-access, SSH, Mgmt (HTTPS)
• Allow: SQL, Mgmt
• Allow: SQL, SSH
• Allow: App tier, SSH, Mgmt (HTTPS)
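Two slides come together in one edge policy: the VPN architecture diagram on page 14 gives the IPsec protocols the tunnel needs (ESP, AH, IKE on UDP 500, UDP 4500) and the two peer addresses, and this slide gives the per-tier allow lists. The Python below is an added example, not vCNS or vCHS code, that expresses both as first-match rules with an implicit deny and audits them against flows that must stay blocked, with a weak variant beside the correct one. The peer addresses 68.108.102.47 and 69.194.137.230 and the on-premise network 10.0.10.0/24 come from the diagram; the tier subnets, the ports assumed for "App-access" and "SQL", the rule names and the test client addresses are assumptions constructed for the example.

```python
"""Edge Gateway firewall policy check: IPsec transit plus three-tier segmentation.

Added example, not vCNS/vCHS code. Peer addresses and the on-premise
network come from the VPN diagram; tier subnets, ports, rule names and
test client addresses are constructed assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    name: str
    src: str                      # CIDR or "any"
    dst: str                      # CIDR or "any"
    proto: str                    # "tcp", "udp", "esp", "ah"
    dport: Optional[int] = None   # None = any port (ESP/AH carry none)
    action: str = "allow"


def _matches_net(cidr, ip):
    return cidr == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def evaluate(rules, src, dst, proto, dport=None):
    """First-match evaluation with implicit deny, the usual edge firewall model."""
    for r in rules:
        if (_matches_net(r.src, src) and _matches_net(r.dst, dst)
                and r.proto == proto and r.dport in (None, dport)):
            return r.action, r.name
    return "deny", "implicit-deny"


# Addresses from the VPN diagram
VCHS_EDGE = "69.194.137.230/32"
ONPREM_PEER = "68.108.102.47/32"   # public (NAT) address of the on-premise edge
ONPREM_MGMT = "10.0.10.0/24"       # Sharepoint-Routed Network, reached over the tunnel
# Constructed tier subnets and service ports (assumptions)
WEB, APP, DB = "10.10.1.0/24", "10.10.2.0/24", "10.10.3.0/24"
APP_PORT, SQL_PORT = 8080, 1433    # "App-access" and "SQL" on the slide

# What the IPsec tunnel needs at the edge, scoped to the one known peer
IPSEC_RULES = [
    Rule("vpn-ike", ONPREM_PEER, VCHS_EDGE, "udp", 500),
    Rule("vpn-nat-t", ONPREM_PEER, VCHS_EDGE, "udp", 4500),
    Rule("vpn-esp", ONPREM_PEER, VCHS_EDGE, "esp"),
    Rule("vpn-ah", ONPREM_PEER, VCHS_EDGE, "ah"),
]

# Three-tier rules: each tier reachable only from the tier in front of it;
# management (SSH / HTTPS) only from the on-premise network via the tunnel.
TIER_RULES = [
    Rule("inet-web-http", "any", WEB, "tcp", 80),
    Rule("inet-web-https", "any", WEB, "tcp", 443),
    Rule("web-app-access", WEB, APP, "tcp", APP_PORT),
    Rule("app-db-sql", APP, DB, "tcp", SQL_PORT),
] + [
    Rule(f"mgmt-{tier}-{svc}", ONPREM_MGMT, net, "tcp", port)
    for tier, net in (("web", WEB), ("app", APP), ("db", DB))
    for svc, port in (("ssh", 22), ("https", 443))
]

POLICY = IPSEC_RULES + TIER_RULES

# The weak variant: a broad "any to DB" rule added for convenience.
WEAK_POLICY = POLICY + [Rule("tmp-any-db", "any", DB, "tcp", SQL_PORT)]

# Flows that must never be allowed (constructed test addresses)
MUST_DENY = [
    ("internet->db sql", "203.0.113.9", "10.10.3.5", "tcp", SQL_PORT),
    ("internet->app", "203.0.113.9", "10.10.2.5", "tcp", APP_PORT),
    ("web->db sql", "10.10.1.5", "10.10.3.5", "tcp", SQL_PORT),
    ("internet->web ssh", "203.0.113.9", "10.10.1.5", "tcp", 22),
    ("stranger ike", "198.51.100.7", "69.194.137.230", "udp", 500),
]


def segmentation_audit(rules):
    """Return descriptions of must-deny flows that the policy lets through."""
    violations = []
    for label, src, dst, proto, dport in MUST_DENY:
        action, rule = evaluate(rules, src, dst, proto, dport)
        if action == "allow":
            violations.append(f"{label} allowed by {rule}")
    return violations


if __name__ == "__main__":
    print(evaluate(POLICY, "68.108.102.47", "69.194.137.230", "udp", 4500))
    print("audit:", segmentation_audit(POLICY) or "clean")
    print("weak audit:", segmentation_audit(WEAK_POLICY))
```

An empty result from segmentation_audit is the check to keep in change control for the edge rule set: the weak variant shows how one convenience rule opens the DB tier both from the Internet and from the web tier, which the slide's per-tier allow lists are meant to prevent. Scoping the IKE, NAT-T, ESP and AH rules to the single on-premise peer address is the matching check on the VPN side.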
Page 31
Configuring Firewall Rules
Page 32
Application Security – Access Rights
Administration rights
• Clearly identify individuals, and the rights that those individuals get
• An enterprise admin can have more than one type of right
• Rights help enforce secure cloud usage
User rights
• End user rights for VM owners
• End user cannot do any admin activity
• Users have limited visibility to cloud resources
Page 33
vCloud Hybrid Service Networking is Easy and Powerful
You will leave with:
• An understanding of the vCloud Hybrid Service networking building blocks
• A strong networking foundation for building a complex Hybrid Cloud
• An understanding of advanced networking use cases and security
Key Takeaways
• Building blocks you are used to – vSphere, VXLAN, vCNS, vCD
• Flexible and Powerful
• Supports all your complex networking
• IPSEC VPN
• Stretched Applications
• Layer 2 Extension - BYOIP
• Advanced application security
Page 34
Call to Action/Resources
Keep up with the latest on vCloud Hybrid Service
• Facebook - https://www.facebook.com/vmwarevcloud
• Blog - http://blogs.vmware.com/vcloud/
• Twitter - @vcloud
Call to Action
Get more information about the service: http://vcloud.vmware.com
Hands on Labs
• HOL HBD 1301 vCloud Hybrid Service – Jumpstart for vSphere Admins
• HOL HBD 1302 vCloud Hybrid Service – Networking and Security
• HOL HBD 1303 vCloud Hybrid Service – Manage Your Cloud
Breakout Sessions – PHCxxxx
• vCloud Hybrid Service Jumpstart Series
• PHC1001-Group Discussion- vCHS Networking with Greg Herzog
Page 35
Q & A
Page 36
THANK YOU