Embed Size (px)
Citation preview
Copyright 2013 Alcatel-‐Lucent. All rights reserved. CONFIDENTIAL -‐ SOLELY FOR AUTHORIZED PERSONS HAVING A NEED TO KNOW
PROPRIETARY – USE PURSUANT TO COMPANY INSTRUCTION Nuage Networks
Copyright 2013 Alcatel-‐Lucent. All rights reserved. CONFIDENTIAL -‐ SOLELY FOR AUTHORIZED PERSONS HAVING A NEED TO KNOW
PROPRIETARY – USE PURSUANT TO COMPANY INSTRUCTION Nuage Networks
Nuage Networks Enterprise-‐Grade Networking in OpenStack
@martenhauville @jonasvermeulen
Marten Hauville Principal Solu-ons Architect ANZ
Jonas Vermeulen Product Line Manager EMEA
Copyright 2013 Alcatel-‐Lucent. All rights reserved. CONFIDENTIAL -‐ SOLELY FOR AUTHORIZED PERSONS HAVING A NEED TO KNOW
PROPRIETARY – USE PURSUANT TO COMPANY INSTRUCTION Nuage Networks
…or how enterprise IT needs to deliver networking with High Availability, Scalability &
Interoperability across complex multi site environments; seamlessly with existing heterogeneous infrastructure & vendors.
Oh, and interconnect OpenStack private clouds
with external public clouds too.
What does Enterprise want?
§ Faster Tme to market § Lower cost, higher quality § Reduced OpEx § Ubiquitous, easy to manage, maintain, consume
Enterprise technology drivers § Self service from catalogue § On demand Service § OpEx model for charging (charge-‐back) § Pool of resources that can be easily adjusted § Availability of integrated applicaTons in shared
environment – ApplicaTon PaaS § Short cycle provisioning
Enterprise requires complexity
§ ExisTng hardware, hypervisors, pla]orms § Pla]orms, Apps that cannot be virtualised § MulTple Data Centres, remote branches § Remote workers § OperaTonal & Maintenance costs
Enterprise requires complexity
§ Pressure from business to perform § Hidden IT – AWS workloads § ReporTng, compliance § Limited highly skilled staff
Enterprise networking needs
Scalable Up and Out, resilient and federated
AbstracDon AbstracTon of the network topologies and
complexiTes, offers service velocity
Flexibility IntegraTon with third-‐party
physical networking infrastructure
Extensibility Services need to be extended across data
centers, public or private
Enterprise ConsumpDon
Consumable Enterprise IT
OpenStack delivers to Enterprise § Enable faster turn up for business § Enable efficiency, minimise cost § DevOps, DevOps, DevOps § Open ecosystem of vendors & soaware § Freedom of choice § Strong(er) enterprise vendor support
Enterprise networking can be complex
ApplicaTon Networks Policy Templates
Users
ApplicaTon Types
Business Rules
Policy EvaluaTon
Firewall
Firewall
W
BL BL
W
Firewall W W
Firewall
Firewall
W
BL BL
W
Firewall
Firewall
W
BL BL
W
BL BL
Design once, re-‐use mulDple Dmes
Policy Approach to Networking
Networks need Flexibility
§ DHCP, DNS § IPAM § Load Balancing § Firewalls § Traffic Flows: Edge, North-‐South, East-‐West § AuthenTcaTon: users & elements § Security, reporTng, compliance
Enterprises deploy services across datacenters
Network Services
• Layer 2 Extension? • True L2/L3 DR? • Dynamic Service
Provisioning?
Enterprise Environment Physical/Virtual Servers, Global Distribution, Multi Cloud Platform
> Nuage VSC
> T1 RedHat OSP >> Compute 2 >> Compute 3 > F5 > Palo Alto Networks > Nuage VSD
> T1 RedHat OSP >> Controller >> Compute 1 > Infoblox
> T2 Canonical OS [MaaS Setup] >> Controller >> Compute 1 >> Compute 2 > Avi Networks
SJC
TOR
WDC
HKG
Themes Addressed from a technical perspecDve
AbstracTon
Scalability
Flexilibity
Extensibility
Enterprise Needs
Networks in Dev/Test/Prod
# Endpoints / # subnets / #...
XaaS ConnecTvity
Stretched / Hybrid Cloud
Examples
Internet/Intranet
Dev
Management
Dev Environment Networking needs
Exportable Policy for each App
Lots of (Distributed) RouTng Instances
PotenTal overlap of IP space
AbstracDon and Velocity across Dev/Test/Prod
Internet/Intranet
Dev
Management
Test Environment Networking needs
Re-‐Usable Policy from Dev
Very large Distributed RouTng Instance
Unique IP space
Test
AbstracDon and Velocity across Dev/Test/Prod
Internet/Intranet
Dev
Management
Prod Environment Networking needs
Re-‐Usable Policy from Test
Very large Distributed RouTng Instance
Unique IP space
Test
AbstracDon and Velocity across Dev/Test/Prod
Prod
AbstracDon and Velocity across Dev/Test/Prod
Desire to re-‐use policy, but network structure is different between Dev <-‐> Test/Prod
1. Modify cookbooks between environments 2. Use external system for defining topology and enforcing
policies è Nuage Networks allows external definiTon and mapping into tenant-‐structure
AbstracDon and Velocity across Dev/Test/Prod
§ Distr Router can span across mulTple tenants
§ Tenants only see their own subnets
§ Security-‐groups to limit E-‐W traffic flows
1 Logical Router
1 Project maps to >=1 Tenant
Example for Test-‐Environment
AbstracDon and Velocity across Dev/Test/Prod CM-‐Tools
Define Policies per ApplicaTon
Apply, Merge, Finetune & Get
Approval
Commit Final
Test PROD
Design Once, Re-‐Use
DEV
AbstracDon and Velocity across Dev/Test/Prod Top PolicyList Owner: Net Admin
Bomom PolicyList Owner: Net Admin
B2CSitePolicyList Priority: 5
Owner: B2BSite-‐Admin
StockApp PolicyList Priority: 10 Owner: StockNW
Rule 1: Port SSH allow
Rule 2: Port Telnet drop
Rule 3: Port HTTP drop
Rule 2: Port 8080 Allow to App
Rule 6: Port SQL Allow Internal
Rule 11: Port 443 drop
Rule 7: Port 70 allow
Rule 888: Port 80 allow
Rule 1: All drop
Infrastructure Policies
ApplicaTon Policies
Infrastructure Policies Design Once, Re-‐Use
AbstracDon and Velocity across Dev/Test/Prod CM-‐Tools
Test PROD
Design Once, Re-‐Use
DEV
Backout / Roll-‐Back
Re-‐Test
Roll-‐Back to N-‐1
Scaling network primiDves § Large Difference between Dev <-‐> Test/Prod § Scaling impact
§ Virtual Routers – Highest for Dev à ~1500 § Subnets – Highest for Test / Prod à 400+ per router § Security/Policy Groups – Highest for Test / Prod à 2000+
Scaling network primiDves
Nuage VSC
…
Servers as VMs in AWS VPC
Nuage VSD § Scaling Test in AWS
§ 80 subnets / 40 routers § 20K instances (500/server)
§ Instances are Docker containers § 140K ACLs (7 ACLs per VM)
§ ConfiguraTon § VSD running as C3.4xlarge (16-‐core) § VSC running as C3.2xlarge ( 8 core) § VRS running as M3.xlarge
§ Time to create: 8 minutes * *(when AWS VPC behaves)
Default = Centralized – Virtualized -‐ Single-‐Tenant
core plugin service plugin
FWaaS
Neutron-‐Server
LBaaS VPNaaS
Compute-‐Node
VM VM
Compute-‐Node
VM VM
Network-‐Node
LB
FW
VPN
LB
FW
VPN
Logical Tenant Network 1
Logica Tenant Network 2
Flexibility to connect XaaS
Flexibility to connect XaaS
Compute-‐Node
§ Typically for Legacy Non-‐Virtualized Appliances
§ ConnecTvity § Interface to gateway § Per-‐Tenant service provided through
Provider-‐Networks (VLAN) § Examples
§ LBaaS: F5 § FWaaS: PaloAlto
Centralized -‐ Non-‐Virtualized -‐ MulD-‐Tenant
core plugin
nuage
service plugin
FWaaS
Neutron-‐Server
LBaaS VPNaaS
Compute-‐Node
VRS
Logical Tenant Network 1
VM VM
Logica Tenant Network 2
nuage-‐gateway
FW / LB
Context 1
Context 2
VM VM VM VM
VLAN = Provider Network
§ Services as Tenant-‐VM’s § Tenant-‐VMs are distributed using
OpenStack placement algorithm § Management via XaaS Plugin
§ Example: AVI LB
Distributed – Virtualized – Single-‐Tenant
core plugin
nuage
service plugin
FWaaS
Neutron-‐Server
LBaaS VPNaaS
Logical Tenant Network 1
Compute-‐Node
VRS
VM VM VM LB1
Compute-‐Node
VRS
VM VM
Compute-‐Node
VRS
VM LB2
Logica Tenant Network 2
Flexibility to connect XaaS
§ Traffic gets locally redirected to an Agent running in the HV § VM, process, docker
§ Example Agent tasks § Proxy ARP / DHCP § Meta-‐data Agent § Storage Proxy for Swia § L5-‐L7 (Eg IDS/DPI)
Distributed – Agent – MulD-‐Tenant
core plugin
nuage
service plugin
FWaaS
Neutron-‐Server
LBaaS VPNaaS
Compute-‐Node
VRS
Tenant Network 1
VM VM
Tenant Network 2
VM VM VM VM
Compute-‐Node
VRS
VM VM VM VM VM VM
Agent 1 2
Agent 1 2
Flexibility to connect XaaS
Site 1 -‐ Private
Keystone
Nova
Neutron
Site 2 -‐ Private
Keystone
Nova
Neutron
Site x -‐ Public
Keystone
Nova
Neutron
Users Users Users
Network Network Network
Extending clouds to other sites
IdenTty FederaTon
Can I federate the network ? = Can I have a single subnet across sites ?
= Can I amach a new subnet to a router defined in another site ? = Can my VM communicate with a VM at a different site ?
= Can my security policies encompass VMs from different sites ?
Kilo
Site 1 -‐ Private
Keystone
Nova
Neutron
Site 2 -‐ Private
Keystone
Nova
Neutron
Site x -‐ Public
Keystone
Nova
Neutron
Network Network Network
Users
Extending clouds to other sites
Site 1 -‐ Private
Keystone
Nova
Neutron
Site 1 -‐ Private
Keystone
Nova
Neutron
Site x -‐ Public
Keystone
Nova
Neutron
Users IdenTty FederaTon
Network FederaTon with Nuage
nuage nuage nuage Network
Centralized definiTon, sharing policy
Kilo
Extending clouds to other sites
Site 1 -‐ Private
Keystone
Nova
Neutron
Site 2 -‐ Private
Keystone
Nova
Neutron
Site x -‐ Public
Keystone
Nova
Neutron
Users IdenTty FederaTon
Network FederaTon with Nuage
nuage nuage nuage Network
Federated Policy: Policy requested from “Home VSD” for the router
ü Stretched subnets ü New subnet amached to router of other site ü VMs can communicate across sites ü Security policies across sites
Kilo
Extending clouds to other sites
Conclusions
AbstracTon
Scalability
Flexilibity
Extensibility
Enterprise Needs
Network Policies
Distr Control Plane
Any XaaS Topology
Network FederaTon
Delivered through
THANK YOU
See Nuage Networks in acTon at 4:15PM Avi Networks Booth T9 OpenStack Private Cloud Case Study by Nuage Networks & Avi Networks
