Introduction to CloudStack Networking
Silicon Valley CloudStack Meetup, 9th October 2014
About me
Agenda 
• Introduction to CloudStack 
• Networking modes in CloudStack 
• Virtual Networking 
• Networking Internals 
• Advanced Topics
Apache CloudStack 
Apache CloudStack is a 
• scalable, 
• multi-tenant, 
• open source, 
• purpose-built, 
• cloud orchestration platform for 
• delivering turnkey Infrastructure-as-a-Service clouds
Deployment figures (slide):
• 300+ large-scale production clouds in deployment
• Production sites with over 40,000+ servers
• Customers in enterprise and education, service providers, Web 2.0 and telcos
How did Amazon build its cloud?
Layers, top to bottom:
• Amazon eCommerce Platform
• AWS API (EC2, S3, …)
• Amazon Orchestration Software
• Open Source Xen Hypervisor
• Commodity Servers, Commodity Storage, Networking
How can YOU build a CloudStack cloud?
The same layers, with the CloudStack equivalent beside Amazon's:
• Optional Portal (Amazon eCommerce Platform)
• CloudStack or AWS API (AWS API: EC2, S3, …)
• CloudStack Orchestration Software (Amazon Orchestration Software)
• Hypervisor: XenServer/KVM/vSphere/Hyper-V/LXC (Open Source Xen Hypervisor)
• Networking, Servers, Storage
Zone Architecture (diagram)
• End users reach the zone through the DC edge and the L3/L2 core
• The CloudStack management server, backed by MySQL, exposes the Admin/User API
• A zone contains many pods; each pod has an access switch and hypervisors (Xen/VMware/KVM) running VMs
• Primary storage (NFS/iSCSI/FC) holds VM disks; secondary storage holds images
Networking concerns in a cloud (diagram: end users, pods, VMs and disks)
Networking Concerns 
• Network virtualization 
– Multi-tenancy 
• Network services for virtual networks and 
machines 
• Network automation 
• Scalability
Networking Principles in Apache CloudStack
• Flexibility
– Allow various combinations of technology for L2-L7 network services
– Allow different providers (vendors) for the same network service in a Cloud POP
• Pluggability
– Plugins allow vendors to drop in vendor-specific configuration and lifecycle management code
• Service scalability
– Scale out using virtual appliances when possible
– Scale up using hardware appliances if needed
Network Flexibility
Network Services
• L2 connectivity
• IPAM
• DNS
• Routing
• ACL
• Firewall
• NAT
• VPN
• LB
• IDS
• IPS
Network Isolation
• No isolation
• VLAN isolation
• Overlays
• L3 isolation
Service Providers
• Virtual appliances
• Hardware firewalls
• LB appliances
• SDN controllers
• IDS/IPS appliances
• VRF
• Hypervisor
Networking Modes 
• “Basic” mode 
– L3 isolation 
– Tenants share subnets 
– VMs placed into security groups 
• ACL governs communication between/within groups/outside 
– No VLANs 
– Excellent scaling (10s of thousands of hosts/VM) 
– Limited network services 
– Distributed network firewall using iptables on the hypervisor
Layer 3 cloud networking (diagram)
Web VMs are members of the Web Security Group; DB VMs are members of the DB Security Group.
Ingress Rule: Allow VMs in Web Security Group access to VMs in DB Security Group on Port 3306
L3 isolation with distributed firewalls (three build-up diagrams)
• Each pod has its own L2 switch behind the L3 core; the addresses shown are Pod 1: 10.1.0.1, Pod 2: 10.1.8.1, Pod 3: 10.1.16.1
• A load balancer with public IP addresses (65.37.141.11, 65.37.141.24, 65.37.141.36, 65.37.141.80) faces the public Internet
• Step 1: Tenant 1 VM 1 (10.1.0.2), Tenant 2 VM 1 (10.1.0.3) and Tenant 1 VM 2 (10.1.0.4) share the Pod 1 subnet
• Step 2: Tenant 1 VM 3 (10.1.16.47) and Tenant 1 VM 4 (10.1.16.85) land in Pod 3
• Step 3: Tenant 2 VM 2 (10.1.16.12) and Tenant 2 VM 3 (10.1.16.21) also land in Pod 3, so both tenants share the Pod 1 and Pod 3 subnets
1 Firewall per Virtual Machine (diagram: a grid of VMs, one host-based firewall each)
A Million Firewalls?
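The Basic-mode mechanics above (security groups that deny ingress by default, a rule that lets the Web group reach the DB group on port 3306, and host-based iptables firewalls that must be kept consistent as VMs are created and destroyed across pods) can be modelled in a few dozen lines. The following is an added example, not CloudStack code: the group, VM and rule classes are constructed here, the iptables-style rule text is a simplified imitation, and the hosts, IPs and group names in `demo()` are constructed sample data (the 10.1.0.x / 10.1.16.x addresses follow the slides' pod subnets). It shows one thing the slides only state: adding a web VM in another pod changes the desired rules of every DB VM, so the firewalls to reprogram are not only on the new VM's host.

```python
"""Security groups in CloudStack "Basic" mode, modelled as desired state that is
compiled into per-VM host-firewall rules (iptables-style text, constructed for
this example).  Added example, not CloudStack code."""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class IngressRule:
    """Allow `protocol` traffic to `port` from a CIDR or from every VM in `source_group`."""
    protocol: str
    port: int
    source_group: str = ""
    source_cidr: str = ""


@dataclass
class VM:
    name: str
    ip: str
    host: str            # hypervisor running the VM; its dom0 firewall enforces the rules
    groups: Set[str]


class SecurityGroupManager:
    """Desired state: group rules plus VM membership, as programmed by the cloud user."""

    def __init__(self) -> None:
        self.rules: Dict[str, List[IngressRule]] = {}
        self.vms: Dict[str, VM] = {}

    def add_group(self, name: str) -> None:
        self.rules.setdefault(name, [])

    def authorize_ingress(self, group: str, rule: IngressRule) -> None:
        self.rules[group].append(rule)

    def add_vm(self, vm: VM) -> None:
        unknown = vm.groups - set(self.rules)
        if unknown:
            raise ValueError(f"unknown security groups: {sorted(unknown)}")
        self.vms[vm.name] = vm

    def remove_vm(self, name: str) -> None:
        del self.vms[name]

    def members(self, group: str) -> List[str]:
        """Current IPs of every VM in `group`, whichever pod each one landed in."""
        return sorted(vm.ip for vm in self.vms.values() if group in vm.groups)

    def compile_rules(self, vm_name: str) -> List[str]:
        """Rules for one VM's chain: keep established flows, accept what the
        ingress rules allow (group references expand to member IPs), drop the rest."""
        vm = self.vms[vm_name]
        chain = f"CS-{vm.name}"
        out = [f"-A {chain} -m state --state ESTABLISHED,RELATED -j ACCEPT"]
        for group in sorted(vm.groups):
            for rule in self.rules[group]:
                sources = self.members(rule.source_group) if rule.source_group else [rule.source_cidr]
                for src in sources:
                    out.append(f"-A {chain} -p {rule.protocol} -s {src} --dport {rule.port} -j ACCEPT")
        out.append(f"-A {chain} -j DROP")   # default deny for everything not listed above
        return out

    def desired_state(self) -> Dict[str, List[str]]:
        """Desired rule set for every VM, keyed by VM name."""
        return {name: self.compile_rules(name) for name in self.vms}


def changed_vms(before: Dict[str, List[str]], after: Dict[str, List[str]]) -> Set[str]:
    """VMs whose compiled rules differ between two desired-state snapshots."""
    return {name for name in set(before) | set(after) if before.get(name) != after.get(name)}


def hosts_to_reprogram(before, after, vms: Dict[str, VM]) -> Set[str]:
    """Hypervisors that must have a firewall rewritten.  VMs no longer present are
    skipped here; deleting their chain is a separate cleanup on the old host."""
    return {vms[name].host for name in changed_vms(before, after) if name in vms}


def demo():
    """Constructed scenario: the web tier may reach the DB tier on 3306; adding a
    web VM in another pod changes the DB VM's rules, not only the new VM's."""
    mgr = SecurityGroupManager()
    mgr.add_group("web")
    mgr.add_group("db")
    mgr.authorize_ingress("web", IngressRule("tcp", 80, source_cidr="0.0.0.0/0"))
    mgr.authorize_ingress("db", IngressRule("tcp", 3306, source_group="web"))
    mgr.add_vm(VM("web-1", "10.1.0.2", "pod1-host1", {"web"}))
    mgr.add_vm(VM("db-1", "10.1.0.4", "pod1-host2", {"db"}))
    before = mgr.desired_state()
    mgr.add_vm(VM("web-2", "10.1.16.47", "pod3-host1", {"web"}))   # lands in a different pod
    after = mgr.desired_state()
    return before, after, hosts_to_reprogram(before, after, mgr.vms)


if __name__ == "__main__":
    before, after, hosts = demo()
    print("\n".join(after["db-1"]))
    print("reprogram:", sorted(hosts))
```

Running the script prints the DB VM's chain after the second web VM appears (two ACCEPT lines for port 3306, one per web member, then the DROP) and the two hosts whose firewalls need rewriting. The same diff between desired-state snapshots is what keeps a million per-VM firewalls consistent without rewriting all of them on every change.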
Networking Mode: Advanced 
• Network virtualization 
– Networks can have the same subnet range 
– Routing, ACL between networks 
– Services provided at the edge 
• NAT, Firewall, LB, VPN, etc
Virtual Network Appliances
Network services are often provided by virtual appliances. These are either commercial appliances in the virtual form factor or Linux-based networking appliances.
Virtual Router (diagram): Public Network NIC, Virtual Network NIC, Control Network NIC
Multi-tier virtual networking (diagram)
• Three tiers, isolated as VLAN 2724, VLAN 101 and VLAN 398, hold DB VM 1, Web VM 1-3 and App VM 1-2
• The VR (virtual router) connects the tiers to the Internet, to customer premises over IPSec VPN, to a Private Gateway and to a Loadbalancer (HW or Virtual)
Network Services
• IPAM
• DNS
• LB [intra]
• S-2-S VPN
• Static Routes
• ACLs
• NAT, PF
• FW [ingress & egress]
Virtual networking with overlays (diagram)
• The same three tiers, isolated as GRE KEY 2724, GRE KEY 101 and GRE KEY 398 instead of VLANs, hold DB VM 1, Web VM 1-3 and App VM 1-2
• The VR + vSwitches connect the tiers to the Internet, to customer premises over IPSec VPN, to a Private Gateway and to a Loadbalancer (Virtual)
Network Services
• IPAM
• DNS
• LB [intra]
• S-2-S VPN
• Static Routes
• ACLs
• NAT, PF
• FW [ingress & egress]
Network Offerings
• Cloud users are not exposed to the nature of the service provider
• Cloud operator designs a service catalog and offers it to end users.
– Gold = {LB + FW, using virtual appliances}
– Platinum = {LB + FW + VPN, using hardware appliances}
– Silver = {FW using virtual appliances, 10Mbps}
Example: Network Service offering
CLOUDSTACK ARCHITECTURE
CloudStack Architecture 
CloudStack Architecture (diagram)
• API layer on top of the Orchestration Engine
• Plugin Framework: Hypervisor Plugins, Network Plugins, Allocator Plugins, Storage Plugins
• Below the plugins: Hypervisor Resources, Network Resources, Storage Resources, then the Physical Resources
• Orchestration steps 1-9 usually executed in sequence
Plugin interaction (diagram, steps 1-8)
• API call → Orchestration Engine → Plugin Framework → Network Plugins → Network Resource
• The Orchestration Engine records Desired State in the CloudStack DB; the Async Job Mgr drives the job
• The Network Resource reports Operational State back through the plugin, to be reconciled with Desired State
• Resource calls are Idempotent; Plugin should not update CloudStack objects
Plugin Interaction Details
• Resource calls are expected to be idempotent
• Plugins should not update CloudStack resources
• Plugins can have their own tables inside the CloudStack DB
• No automatic retries
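The four rules above interact: because the engine does not retry a failed job on its own, the operator or user re-submits it, and that only converges if the resource call compares desired state with operational state before acting. The following is an added example with constructed classes (`OrchestrationEngine`, `NetworkPlugin`, `IdempotentSwitch`, `NaiveSwitch`); it is not CloudStack's plugin API. The VLAN 2724 value is borrowed from the multi-tier slide, the gateway address is constructed. The scenario is a call whose change reaches the device but whose acknowledgement is lost: the idempotent resource absorbs the re-submitted job as "unchanged", the naive one ends up with the VLAN configured twice.

```python
"""Plugin interaction pattern: the orchestration engine owns desired state, a
plugin drives a resource that owns operational state, resource calls are
idempotent, and a failed job is not retried automatically.  Added example with
constructed classes; this is not CloudStack's plugin API."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class NetworkSpec:
    """Desired state of one isolated network as the engine records it."""
    network_id: str
    vlan: int
    gateway: str


class IdempotentSwitch:
    """Stand-in for a vendor device.  `ensure_vlan` compares desired with
    operational state before acting, so a re-submitted job converges."""

    def __init__(self) -> None:
        self.vlans: Dict[int, str] = {}   # operational state: vlan -> gateway
        self.fail_next = False            # hook: change applies, but the reply is lost

    def ensure_vlan(self, spec: NetworkSpec) -> str:
        current = self.vlans.get(spec.vlan)
        result = "unchanged"
        if current != spec.gateway:
            self.vlans[spec.vlan] = spec.gateway
            result = "created" if current is None else "updated"
        if self.fail_next:
            self.fail_next = False
            raise ConnectionError("lost response from device")
        return result

    def state(self) -> Dict[int, str]:
        return dict(self.vlans)


class NaiveSwitch:
    """Non-idempotent counterpart: every call appends, so a re-run after a lost
    reply leaves a duplicate entry behind."""

    def __init__(self) -> None:
        self.entries: List[Tuple[int, str]] = []
        self.fail_next = False

    def ensure_vlan(self, spec: NetworkSpec) -> str:
        self.entries.append((spec.vlan, spec.gateway))
        if self.fail_next:
            self.fail_next = False
            raise ConnectionError("lost response from device")
        return "created"

    def state(self) -> List[Tuple[int, str]]:
        return list(self.entries)


class NetworkPlugin:
    """Reads desired state and talks to the resource; keeps its own table and
    never writes the engine's objects."""

    def __init__(self, resource) -> None:
        self.resource = resource
        self.own_table: Dict[str, str] = {}   # plugin-private bookkeeping

    def implement(self, spec: NetworkSpec) -> str:
        result = self.resource.ensure_vlan(spec)
        self.own_table[spec.network_id] = result
        return result


class OrchestrationEngine:
    """Owns desired state (the CloudStack DB in the slides) and job outcomes."""

    def __init__(self, plugin: NetworkPlugin) -> None:
        self.networks: Dict[str, NetworkSpec] = {}
        self.job_status: Dict[str, str] = {}
        self.plugin = plugin

    def implement_network(self, network_id: str) -> str:
        """One async job.  A failure is recorded and surfaced; the engine does not
        retry on its own, the caller decides whether to submit the job again."""
        spec = self.networks[network_id]
        try:
            status = "ok: " + self.plugin.implement(spec)
        except ConnectionError as exc:
            status = f"failed: {exc}"
        self.job_status[network_id] = status
        return status


def run(resource):
    """Constructed scenario: the first call applies the change but the reply is
    lost; the job is submitted once more.  Returns both statuses and the
    device's final operational state."""
    engine = OrchestrationEngine(NetworkPlugin(resource))
    engine.networks["net-1"] = NetworkSpec("net-1", 2724, "10.1.1.1")
    resource.fail_next = True
    statuses = [engine.implement_network("net-1"), engine.implement_network("net-1")]
    return statuses, resource.state()


if __name__ == "__main__":
    print("idempotent:", run(IdempotentSwitch()))
    print("naive:     ", run(NaiveSwitch()))
```

The plugin's own bookkeeping lives in `own_table`, standing in for the plugin-private tables the slide allows inside the CloudStack DB; the engine's `networks` dictionary is never touched by the plugin, which is the "should not update CloudStack resources" rule in code.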

Apache CloudStack Networking by Chiradeep Vittal


Editor's Notes

  1. Need a better slide than this
  2. Here is a quick look at a few of the customers who are running Citrix cloud offerings today in their environment. We've seen a lot of growth in the enterprise and education market over the last year with the likes of Disney, Nokia and SAP; BT and Tata on the public cloud front; and Spotify and Edmunds.com are some of our Web 2.0s.
  3. The combination of services and service providers has to work in different isolation contexts in a multi-tenant cloud. Some cloud operators do not want any isolation and merely want the self-service nature of the cloud. Others want to use traditional VLAN isolation in order to interoperate with legacy services and equipment. Others want to adopt SDN approaches using overlays. By far the most scalable way is to use L3 isolation and security groups.
  4. Related VMs are placed into security groups: for example, web VMs are placed in the web security group and the DB VMs are in the DB security group. By default all ingress traffic to the VM is dropped. To allow web VMs to communicate with DB VMs, the cloud user calls an API to allow access on the database's TCP port.
  5. Each pod has a different subnet. When a VM is started in a pod, it acquires a free IP in that pod's subnet. Different tenants can end up in the same pod and hence share the same L2 subnet. Because security groups deny all by default, each VM needs a host-based firewall (embedded in the hypervisor dom0) to enforce this. This also prevents things like DHCP and ARP snooping. To prevent attacks, multicast and broadcast are blocked by the firewall.
  6. As a tenant starts more VMs, the VMs can land in different pods. The cloud user cannot make any assumptions about L2 connectivity between their VMs.
  7. As VMs get created and destroyed, CloudStack has to ensure the configuration of the host-based firewalls (iptables) is consistent with the security group rules programmed by the cloud user.
  8. 40,000 hypervisors in a data center × 25 VMs per hypervisor = 1 million firewalls to be orchestrated by CloudStack.