Building an IoT Cloud for Healthcare: How to Solve Networking Challenges and Still Have High Availability
Requirements
@altoros
Implementation Requirements
● Build an IoT healthcare cloud solution:
  ○ Connect devices and users at customer sites
  ○ Thousands of devices
  ○ Dozens of customers
● The cloud implementation should be portable between:
  ○ OpenStack running on hardware
  ○ A public cloud provider such as Amazon AWS
Implementation Requirements
● High availability and scalability:
  ○ Hardware and/or infrastructure platform
  ○ Cloud services and applications
  ○ Scalability (the scale can grow by a factor of 100)
● VPN connectivity is essential:
  ○ Devices speak WebSocket, TCP, and HTTP
  ○ HTTP devices are bi-directional
  ○ Non-VPN connectivity must also be supported
Technology Stack for Portable Platform
● Cloud Foundry PaaS
● Cassandra for device data
● MariaDB Galera for structured data
● RabbitMQ as message bus
● ElasticSearch, Logstash, Kibana (ELK) for logs
● Monitoring and alerting with Zabbix
Technology Stack for Portable Platform
https://docs.cloudfoundry.org/
Technology Stack for Portable Platform
https://docs.cloudfoundry.org/concepts/architecture/
When It Comes to HW and OpenStack
Cloud Platform on OpenStack: Deployment View
Cloud Platform on OpenStack: Network Model
● Cisco ASA 5545 as cloud firewall:
  ○ Up to 2,500 VPN tunnels and 400 Mbps of encrypted traffic
  ○ Up to 300 VLANs
  ○ Supports Site2Site and administrative VPN
  ○ Can be clustered in Active/Standby mode
● Networks:
  ○ Administrative 10.30.0.0/24, native VLAN
  ○ Cloud “Public” 172.30.0.0/24, VLAN 101
  ○ OpenStack management 192.168.100.0/24, VLAN 102
  ○ OpenStack storage 192.168.200.0/24, VLAN 103
  ○ Networks for VMs 192.168.[111-120].0/24, VLANs 110-120
Cloud Platform on OpenStack: Physical Networking
Cloud Platform on OpenStack: Services
Cloud Platform on OpenStack: Resources

Cloud Attribute              OpenStack Cloud
VPN endpoint (HTTPS)         Provider public IP
Domain name(s)               *.cloud1.cloudprovider.CORP (internal DNS)
                             *.vpn-cloud1.cloudprovider.com (public DNS)
DNS servers                  172.30.0.240, 172.30.0.254
NTP servers                  ntp1.cloud1.cloudprovider.corp
                             172.30.0.252, 172.30.0.253
Cloud Foundry API endpoint   https://api.cf.cloud1.cloudprovider.CORP
                             172.30.0.80, 172.30.0.81

VPN types:
1. Cisco AnyConnect VPN adapter – administrator access
2. Site-to-Site VPN between networks – Cisco ASA to Cisco ASA, Checkpoint to Cisco ASA…
Cloud Platform on OpenStack: VPN Model
Site2Site VPN: for Customer 2, VPN Network Address Translation (NAT) is required because the customer's address plan collides with the cloud networks. Use the dedicated NAT network 100.64.0.0/10 (RFC 6598 shared address space) for the translated addresses.
Cloud Platform on OpenStack: VPN Networking
VPN Type                              Networks Exposed                       DNS servers                    Cloud Foundry endpoints
Cisco AnyConnect administrative VPN   10.30.0.0/24, 172.30.0.0/24            172.30.0.253, 172.30.0.254     172.30.0.80, 172.30.0.81
Site2Site VPN                         Only DNS and Cloud Foundry addresses   172.30.0.253, 172.30.0.254     172.30.0.80, 172.30.0.81
Site2Site VPN, with NAT               Only DNS and Cloud Foundry addresses   100.64.30.253, 100.64.30.254   100.64.30.80, 100.64.30.81
Cloud Platform on OpenStack: DNS resolution options
● Configure DNS zone forwarding to the cloud DNS servers
  ○ Set up conditional zone forwarding in the customer network
    zone: *.cloud1.cloudprovider.corp
    without NAT: DNS servers 172.30.0.253, 172.30.0.254
    with NAT: DNS servers 100.64.30.253, 100.64.30.254
● Use public DNS records to resolve private IP addresses
  ○ Create A records in a public domain owned by the cloud provider (sub-domains)
    Name: *.vpn-cloud1.cloudprovider.com
    Addresses: 100.64.30.80, 100.64.30.81
  ○ Caveat: resolvers with DNS rebinding protection may discard public answers that point into private or shared address space (RFC 1918, 100.64.0.0/10), so the customer resolver may need an exception for this zone
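The NAT decision on the VPN model slide, the exposed-address table and the two DNS resolution options above all follow from one question: does the customer's address plan overlap the cloud “Public” network? The following script is an added example, not code from the original deck or from Altoros. The cloud addresses are the ones on the slides; the customer networks in it are constructed test data, and the 1:1 static NAT between 172.30.0.0/24 and 100.64.30.0/24 is assumed from the address pairs in the VPN networking table (172.30.0.253 → 100.64.30.253 and so on).

```python
"""Site2Site VPN planning check for the cloud described on these slides.

Added example (not code from the original deck or from Altoros).  Cloud
addresses come from the slides; the customer networks are constructed test
data; the 1:1 static NAT 172.30.0.0/24 <-> 100.64.30.0/24 is assumed from the
address pairs in the VPN networking table.
"""
from ipaddress import IPv4Address, ip_address, ip_network

# Cloud-side networks (from the slides).
CLOUD_PUBLIC = ip_network("172.30.0.0/24")   # VLAN 101: DNS and Cloud Foundry endpoints live here
CLOUD_ADMIN = ip_network("10.30.0.0/24")     # only ever exposed over the AnyConnect admin VPN
NAT_POOL = ip_network("100.64.30.0/24")      # assumed NAT pool inside RFC 6598 shared space

# Hosts a Site2Site customer is allowed to reach: only DNS and Cloud Foundry.
EXPOSED = {
    "dns": [ip_address("172.30.0.253"), ip_address("172.30.0.254")],
    "cf_api": [ip_address("172.30.0.80"), ip_address("172.30.0.81")],
}


def nat_translate(addr) -> IPv4Address:
    """1:1 static NAT: keep the host part, replace the /24 prefix."""
    addr = ip_address(addr)
    if addr not in CLOUD_PUBLIC:
        raise ValueError(f"{addr} is not in {CLOUD_PUBLIC}")
    offset = int(addr) - int(CLOUD_PUBLIC.network_address)
    return NAT_POOL.network_address + offset


def plan_site2site(customer_networks):
    """Return what to hand the customer for a Site2Site tunnel.

    NAT is required when the customer's prefixes overlap the cloud 'public'
    network (the slides' Customer 2 case).  Raise if the customer also uses
    the NAT pool, because then neither address family is usable.
    """
    nets = [ip_network(n) for n in customer_networks]
    needs_nat = any(n.overlaps(CLOUD_PUBLIC) for n in nets)
    if needs_nat and any(n.overlaps(NAT_POOL) for n in nets):
        raise ValueError("customer overlaps both 172.30.0.0/24 and the NAT pool")
    xlate = nat_translate if needs_nat else (lambda a: a)
    dns = [xlate(a) for a in EXPOSED["dns"]]
    cf_api = [xlate(a) for a in EXPOSED["cf_api"]]
    # Interesting-traffic pairs for the crypto ACL: cloud host -> customer prefix.
    # The admin network is deliberately absent: Site2Site customers never get it.
    acl = [(str(h), str(n)) for h in dns + cf_api for n in nets]
    return {
        "nat": needs_nat,
        "dns": [str(a) for a in dns],
        "cf_api": [str(a) for a in cf_api],
        "acl": acl,
        # Flag a clash with 10.30.0.0/24: an AnyConnect admin from this site would collide.
        "admin_overlap": any(n.overlaps(CLOUD_ADMIN) for n in nets),
    }


def forward_zone(plan, zone="cloud1.cloudprovider.corp"):
    """BIND named.conf stanza for the first DNS option on the slide:
    conditionally forward the cloud zone to the (possibly NATed) cloud DNS."""
    fwd = " ".join(f"{a};" for a in plan["dns"])
    return (f'zone "{zone}" {{\n'
            f"    type forward;\n"
            f"    forward only;\n"
            f"    forwarders {{ {fwd} }};\n"
            f"}};\n")


if __name__ == "__main__":
    # Constructed customers: a clean plan, and a Customer-2-style overlap with 172.30.0.0/24.
    for site in (["10.1.0.0/16"], ["172.30.0.0/22", "10.2.0.0/16"]):
        p = plan_site2site(site)
        print(site, "-> NAT" if p["nat"] else "-> no NAT", p["dns"], p["cf_api"])
        print(forward_zone(p))
```

The ACL pairs are the only traffic that should be "interesting" to the tunnel on both ASAs; the customer side should get nothing but the DNS and Cloud Foundry addresses, exactly as the exposed-address table says, and 10.30.0.0/24 never appears in a Site2Site plan.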
Cloud Platform on OpenStack: Domains and Routes
● Cloud Foundry routing to support internal and public DNS names:
  ○ Create shared domain(s):
    $ cf domains
    Getting domains in as admin...
    name                               status   type
    cf.cloud1.cloudprovider.corp       shared
    vpn-cloud1.cloudprovider.com       shared
    tcp-cf.cloud1.cloudprovider.corp   shared   tcp
  ○ Map additional route(s) to an application:
    $ cf map-route deviceserver vpn-cloud1.cloudprovider.com --hostname deviceserver
Cloud Platform on OpenStack: Device Connectivity
When It Comes to AWS
Cloud Platform on AWS