SlideShare a Scribd company logo

Build a Secure Multi-Tenant Cloud Network

Download as PPTX, PDF
Priti Desai
Priti Desai

Building a secure multi-tenant cloud necessitates proper tenant isolation and access control. Key network and security functions must scale independently based on the dynamic resource requirements across each tenant. Additionally, On-demand and self-service provisioning are required for achieving operational efficiencies. Robust, dynamic and elastic software abstractions are imperative to support applications built to run such complex environments. This slide deck covers: • Architectural design choices • Implementation blueprints • Operational best practices that have been made to build OpenStack cloud at Symantec.

Engineering
1 of 33
ARCHITECTING AND BUILDING A SECURE MULTI-TENANT CLOUD FOR SAAS APPLICATIONS Dilip Sundarraj Cloud Solutions Architect, Juniper Networks April 8th, 2015
Symantec CloudFire
What is Network Virtualization? • Independent of Physical Network Location or State • Logical Network across any server, any rack, any cluster, any data-center • Virtual Machines can migrate without requiring any reworking of security policies, load balancing, etc • New Workloads or Networks should not require provisioning of physical network • Nodes in Physical Network can fail without any disruption to Workload • Full Isolation for Multi-tenancy and Fault Tolerance • MAC and IP Addresses are completely private per tenant • Any failures or configuration errors by tenants do not affect other applications or tenants • Any failures in the virtual layer do not propagate to physical layer
OpenContrail • OpenSource Network Virtualization Platform for Cloud • Primary Use Cases: • Cloud Networking – IaaS, VPCs for Cloud SP, Private Cloud for Enterprises or SPs • NFV in SP networks – Value added services for SP edge networks.
OPENCONTRAIL ARCHITECTURE
Analytics CONTRAIL CONTROLLER ControlConfiguration x86 Host + Hypervisor ORCHESTRATOR x86 Host + Hypervisor Physical IP Network (no changes) vRouter vRouter Gateway Internet / WAN Legacy Infra. (VLAN, etc.) Bi-directional real-time message bus using XMPP Network orchestration Standard protocol (M- BGP) to talk with other Contrail controller instances Compute / Storage orchestration Accepts and converts orchestrator requests for VM creation, translates requests, and creates network Interacts with network elements for VM network provisioning and ensures uptime Real-time analytics engine collects, stores and analyzes network elements vRouter: Virtualized routing element handles localized control plane and forwarding plane work on the compute node Gateway: MX Series (or other router) serve as gateway improving scale & performance
OpenContrail <-> OpenStack
Openstack integration Horizon Nova API Compute Driver Virtual-IF Driver Nova Compute Contrail Agent vRouter (kernel) Virtual Router Nova Scheduler Neutron Driver Neutron Plugin Configuration Node Control Node 1 Create an Instance (VM Info, Network, IPAM, Policies, etc) 2 Schedule an Instance on the Compute Node 3 VM Network Properties 4 Create VM Interface 6 Publish VM Intf on IFMap 5 Add Port 7 VM Interface Config over XMPP Scripts
OpenContrail – Control Node • All Control Plane Nodes are active active • Each vRouter uses XMPP to connect with multiple Control Plane nodes for redundancy • Each Control Plane Node connects to multiple configuration nodes for redundancy • Control Plane Nodes federate using BGP Control Node "BGP module" Proxies XMPP Control Node Control Node Compute Node Compute Node Configuration Node Configuration Node IF-MAP XMPP IBGP IF-MAP Client Gateway Routers Service Nodes
OpenContrail - Compute Node
Compute node – Hypervisor, vRouter Compute Node Virtual Machine (Tenant B) Virtual Machine (Tenant C) Virtual Machine (Tenant C) vRouter Forwarding Plane Virtual Machine (Tenant A) Routing Instance (Tenant A) Routing Instance (Tenant B) Routing Instance (Tenant C) vRouter Agent Flow Table FIB Flow Table FIB Flow Table FIB Overlay tunnels MPLS over GRE or VXLAN JUNOSV CONTRAIL CONTROLLER JUNOSV CONTRAIL CONTROLLER XMPP Eth1Kernel Tap Interfaces (vif) pkt0 User Eth0 EthN Config VRFs Policy Table Top of Rack Switch XMPP
Compute node – Forwarding/Tunneling Overlay tunnels MPLS over GRE or VXLAN Compute Node vRouter Forwarding Plane Virtual Machine (VN-IP1) Routing Instance Flow Table FIB Eth1 (Phy-IP1) Tap Interfaces (vif) Compute Node vRouter Forwarding Plane Virtual Machine (VN-IP2) Routing Instance Flow Table FIB Eth1 (Phy-IP2) Tap Interfaces (vif) VIRTUAL PHYSICAL Virtual-IP2 Payload Virtual-IP2 Payload MPLS / VNI Phy-IP2 Virtual-IP2 Payload Virtual-IP2 Payload MPLS / VNI Phy-IP2 1. Guest OS ARPs for destination within subnet or default GW 2. VRouter receives the ARP and responds back with VRRP MAC 3. Guest OS sends traffic to the VRRP MAC, Vrouter encapsulates the packet with appropriate MPLS/VNI tag and GRE header 1. Physical Fabric Routers on Physical IP Address 1. Returning packets get forwarded to appropriate Routing Instance by the MPLS/VNI tag 1. VRouter de-capsulates the packet, and forwards it to the Guest OS
OPENCONTRAIL FEATURES @SYMC
DNSaaS Contrail offers 4 different DNS modes • Default DNS server • The host OS’s configured DNS server • Tenant DNS server • Tenants can use their own DNS servers (different from host OS’s DNS server) • Virtual DNS server • Contrail Controller provides a per tenant DNS server • None • VMs don’t have any DNS resolution capability One of these modes is selected when an IPAM instance is created for a domain.
Contrail Virtual DNS DNS Record Creation • Each IPAM -> Virtual DNS servers configured • Virtual Networks and VMs in IPAM use DNS domain of Virtual DNS server specified in IPAM • When a VM is spawned, • A & PTR records are added into the vDNS server of the virtual network’s IPAM NOTE: • DNS Records can also be added statically. • A, CNAME, PTR and NS records are also supported.
Contrail Virtual DNS DNS Resolution: 1. DNS requests from VM trapped to the vRouter agent on the hypervisor 2. vRouter agent then forwards DNS request to the controllers (which run BIND) for resolution. 3. BIND has the concept of views and every virtual DNS instance has its own isolated view view "default-domain-contrailtestdns" { rrset-order {order random;}; forwarders {172.16.70.254; }; zone "6.6.6.in-addr.arpa." IN { type master; file "/etc/contrail/dns/default-domain-contrailtestdns.6.6.6.in-addr.arpa.zone"; allow-update {127.0.0.1;}; }; zone "contrail.us" IN { type master; file "/etc/contrail/dns/default-domain-contrailtestdns.contrail.us.zone"; allow-update {127.0.0.1;}; }; };
DNS & IPAM Relationship • Neutron network maps to Contrail Virtual Network • network-ipam & virtual-DNS (Contrail specific constructs) • virtual-DNS object has domain as parent • network-ipam has project as parent. • So: • virtual-network ==refers-to==> network-ipam ==refers-to==> virtual-DNS
Contrail Virtual DNS @SYMC • By default, Contrail API server creates default-network- ipam object under the default-domain -> default-project hierarchy • However, using Contrail API hooks mechanism automatically • Create default-network-ipam object within a newly created project • Create default-virtual-DNS object within a newly created domain • Link them to provide vDNS functionality. • So, a new virtual-network when created, it is automatically linked to the project specific default-network-ipam and corresponding virtual DNS object
Floating IPs • Neutron supports the concept of floating IP (routable IP). • Instances are unaware of their Floating IP. • Every Virtual Network -> Routing Instance • Routing Instances • Define network connectivity between VMs in the Virtual Network • Contain routes only for VMs in the virtual network • Two Routing Instances (Virtual Networks) can be connected using • Neutron L3 agent • Contrail Network Policy (explained later) • By default, Virtual Network do not have access to a “public” (routable) network • A Gateway must be used to provide connectivity to "public" network from a virtual-network. • Floating IP support can be provided with • Simple Gateway – x86 based Software GW • Routing Device such as Juniper MX
Floating IP using Neutron L3 Router • Create an external network • neutron net-create public --router:external True • Create a router • neutron router-create router1 • Add interfaces from Virtual network to this router • neutron router-interface-add router1 SUBNET1_UUID • Set router-gateway-set on router instance • Connects a router to an external network, which enables that router to act as a NAT gateway for external connectivity. • neutron router-gateway-set router1 EXT_NET_ID
Spine Spine Leaf LeafLeaf BMS BMS BMS BMS Node Node Node Node Node Node Node Node Mountain View DC MX Router Internet Spine Spine Leaf LeafLeaf Node Node Node Node Node Node Node Node Node Node Node Node Boston DC Public VRF Intra- site VRF Internet MX Router Intra- site VRF Public VRF Intra-site VPN Multiple Floating IPs per VM @SYMC VMs in the MTV DC 1. Internet Routable Floating IP 2. IP Routable from Boston DC
LBaaS • LBaaS load balancer enables • Pool of VMs servicing apps accessible via a virtual IP. • Contrail LBaaS features: • Load balancing of traffic from clients to a pool of backend servers. The load balancer proxies all connections to its virtual IP. • Provides load balancing for HTTP, HTTPS, and TCP • Provides health monitoring capabilities for applications • Floating IP association to virtual IP for public access to the backend pool.
Contrail LBaaS Implementation
Contrail LBaaS Implementation • Supports OpenStack LBaaS Neutron APIs • Creation of virtual-ip, loadbalancer-pool, loadbalancer-member, and loadbalancer-healthmonitor. • Creates a Service Instance when a loadbalancer-pool is associated with a virtual-IP object. • Service scheduler launches a namespace & spawns HAProxy on it. • HAProxy parameters obtained from the load balancer objects. • HA of namespaces/HAProxy -> Active/Standby (2 diff computes)
Link Local Services Provides VMs access to specific services on IP Fabric infrastructure. • @SYMC • Keystone, Github, NTP, Logging, Monitoring and Metering services Once the link local service is configured, VMs can access the service using the link local address. • OpenStack Metadata Service on 169.254.169.254:80 is also implemented using Link Local Service (169.254.169.XXX, Service port) <-> (Destination IP, Service TCP/UDP port)
Contrail Network Policy • Enforces connectivity and policy enforcement between Virtual Networks • Follows the 5-tuple semantics • SRC/DST Virtual Network, SRC/DST Port, Protocol
Contrail Network Policy • Connectivity between two Virtual Networks is established by leaking routes between two Routing Instances when a network policy is created interconnecting the two VNs • Policy is enforced for specific traffic types by flow table programming in every vRouter which has the relevant Virtual Networks Compute Node Virtual Machine (Tenant B) Virtual Machine (Tenant C) Virtual Machine (Tenant C) vRouter Forwarding Plane Virtual Machine (Tenant A) Routing Instance (Tenant A) Routing Instance (Tenant B) Routing Instance (Tenant C) vRouter Agent Flow Table FIB Flow Table FIB Flow Table FIB Eth1Kernel Tap Interfaces (vif) pkt0 User Eth0 EthN Config VRFs Policy Table
Environments & Operations Environments • Lab: > 10 nodes • CI/CD test environment for SDN related features and functions • Staging: > 50 nodes • True IaaS for PaaS applications • Production: > 250 nodes • PaaS for end-user applications Operations: • Monitoring & Troubleshooting • Contrail Analytics feeds into OpsView & LMM • Upgrade • Phased upgrades during maintenance windows without application downtime.
TEST DRIVE OPENCONTRAIL
DEVSTACK + OPENCONTRAIL • WHAT? • Run OpenStack and OpenContrail on your laptop or in a VM • WHY? • Use to build & test OpenStack and OpenContrail code • Just play with OpenStack/OpenContrail features • HOW? • Ubuntu server/VM with 4GB RAM, access to github
DEVSTACK + OPENCONTRAIL (in-a-box) • Install packages: git-core, ant, build-essential, pkg-config • Download DevStack • (git clone git@github.com:/dsetia/devstack.git) • Edit localrc (set PHYSICAL_INTERFACE) • Run stack.sh • Installs Glance, Nova, Horizon, Keystone, Cinder • And OpenContrail (as a Neutron plugin)
RESOURCES • OpenContrail.org • E-Book, Architecture documents, blogs from developers/architects, slides, webinars • GitHub • https://github.com/Juniper/contrail-controller • https://github.com/Juniper/contrail-vrouter • https://github.com/Juniper/contrail-puppet • https://github.com/Juniper/contrail-web-controller • https://github.com/Juniper/contrail-neutron-plugin
Q&A

Recommended

OVN operationalization at scale at eBay
OVN operationalization at scale at eBayOVN operationalization at scale at eBay
OVN operationalization at scale at eBayAliasgar Ginwala
 
Taking Security Groups to Ludicrous Speed with OVS (OpenStack Summit 2015)
Taking Security Groups to Ludicrous Speed with OVS (OpenStack Summit 2015)Taking Security Groups to Ludicrous Speed with OVS (OpenStack Summit 2015)
Taking Security Groups to Ludicrous Speed with OVS (OpenStack Summit 2015)Thomas Graf
 
OVN DBs HA with scale test
OVN DBs HA with scale testOVN DBs HA with scale test
OVN DBs HA with scale testAliasgar Ginwala
 
Overview of Distributed Virtual Router (DVR) in Openstack/Neutron
Overview of Distributed Virtual Router (DVR) in Openstack/NeutronOverview of Distributed Virtual Router (DVR) in Openstack/Neutron
Overview of Distributed Virtual Router (DVR) in Openstack/Neutronvivekkonnect
 
Deploying IPv6 on OpenStack
Deploying IPv6 on OpenStackDeploying IPv6 on OpenStack
Deploying IPv6 on OpenStackVietnam Open Infrastructure User Group
 
VMware virtual SAN 6 overview
VMware virtual SAN 6 overviewVMware virtual SAN 6 overview
VMware virtual SAN 6 overviewsolarisyougood
 
OVN - Basics and deep dive
OVN - Basics and deep diveOVN - Basics and deep dive
OVN - Basics and deep diveTrinath Somanchi
 
Meetup 23 - 02 - OVN - The future of networking in OpenStack
Meetup 23 - 02 - OVN - The future of networking in OpenStackMeetup 23 - 02 - OVN - The future of networking in OpenStack
Meetup 23 - 02 - OVN - The future of networking in OpenStackVietnam Open Infrastructure User Group
 

Recommended

OVN operationalization at scale at eBay
OVN operationalization at scale at eBayOVN operationalization at scale at eBay
OVN operationalization at scale at eBayAliasgar Ginwala
 
Taking Security Groups to Ludicrous Speed with OVS (OpenStack Summit 2015)
Taking Security Groups to Ludicrous Speed with OVS (OpenStack Summit 2015)Taking Security Groups to Ludicrous Speed with OVS (OpenStack Summit 2015)
Taking Security Groups to Ludicrous Speed with OVS (OpenStack Summit 2015)Thomas Graf
 
OVN DBs HA with scale test
OVN DBs HA with scale testOVN DBs HA with scale test
OVN DBs HA with scale testAliasgar Ginwala
 
Overview of Distributed Virtual Router (DVR) in Openstack/Neutron
Overview of Distributed Virtual Router (DVR) in Openstack/NeutronOverview of Distributed Virtual Router (DVR) in Openstack/Neutron
Overview of Distributed Virtual Router (DVR) in Openstack/Neutronvivekkonnect
 
Deploying IPv6 on OpenStack
Deploying IPv6 on OpenStackDeploying IPv6 on OpenStack
Deploying IPv6 on OpenStackVietnam Open Infrastructure User Group
 
VMware virtual SAN 6 overview
VMware virtual SAN 6 overviewVMware virtual SAN 6 overview
VMware virtual SAN 6 overviewsolarisyougood
 
OVN - Basics and deep dive
OVN - Basics and deep diveOVN - Basics and deep dive
OVN - Basics and deep diveTrinath Somanchi
 
Meetup 23 - 02 - OVN - The future of networking in OpenStack
Meetup 23 - 02 - OVN - The future of networking in OpenStackMeetup 23 - 02 - OVN - The future of networking in OpenStack
Meetup 23 - 02 - OVN - The future of networking in OpenStackVietnam Open Infrastructure User Group
 
[2018] 오픈스택 5년 운영의 경험
[2018] 오픈스택 5년 운영의 경험[2018] 오픈스택 5년 운영의 경험
[2018] 오픈스택 5년 운영의 경험NHN FORWARD
 
Large scale overlay networks with ovn: problems and solutions
Large scale overlay networks with ovn: problems and solutionsLarge scale overlay networks with ovn: problems and solutions
Large scale overlay networks with ovn: problems and solutionsHan Zhou
 
Evolution of Openstack Networking at CERN
Evolution of Openstack Networking at CERNEvolution of Openstack Networking at CERN
Evolution of Openstack Networking at CERNBelmiro Moreira
 
[오픈소스컨설팅] Open Stack Ceph, Neutron, HA, Multi-Region
[오픈소스컨설팅] Open Stack Ceph, Neutron, HA, Multi-Region[오픈소스컨설팅] Open Stack Ceph, Neutron, HA, Multi-Region
[오픈소스컨설팅] Open Stack Ceph, Neutron, HA, Multi-RegionJi-Woong Choi
 
OpenStack networking
OpenStack networkingOpenStack networking
OpenStack networkingSim Janghoon
 
OVN 設定サンプル | OVN config example 2015/12/27
OVN 設定サンプル | OVN config example 2015/12/27OVN 設定サンプル | OVN config example 2015/12/27
OVN 設定サンプル | OVN config example 2015/12/27Kentaro Ebisawa
 
Neutron packet logging framework
Neutron packet logging frameworkNeutron packet logging framework
Neutron packet logging frameworkVietnam Open Infrastructure User Group
 
OpenvSwitch Deep Dive
OpenvSwitch Deep DiveOpenvSwitch Deep Dive
OpenvSwitch Deep Diverajdeep
 
君にもできる! にゅーとろん君になってみよー!! 「Neutronになって理解するOpenStack Net - OpenStack最新情報セミナー ...
君にもできる! にゅーとろん君になってみよー!! 「Neutronになって理解するOpenStack Net - OpenStack最新情報セミナー ...君にもできる! にゅーとろん君になってみよー!! 「Neutronになって理解するOpenStack Net - OpenStack最新情報セミナー ...
君にもできる! にゅーとろん君になってみよー!! 「Neutronになって理解するOpenStack Net - OpenStack最新情報セミナー ...VirtualTech Japan Inc.
 
Open vSwitch 패킷 처리 구조
Open vSwitch 패킷 처리 구조Open vSwitch 패킷 처리 구조
Open vSwitch 패킷 처리 구조Seung-Hoon Baek
 
VMware HCI solutions - 2020-01-16
VMware HCI solutions - 2020-01-16VMware HCI solutions - 2020-01-16
VMware HCI solutions - 2020-01-16David Pasek
 
Community Openstack 구축 사례
Community Openstack 구축 사례Community Openstack 구축 사례
Community Openstack 구축 사례Open Source Consulting
 
Red Hat OpenStack 17 저자직강+스터디그룹_5주차
Red Hat OpenStack 17 저자직강+스터디그룹_5주차Red Hat OpenStack 17 저자직강+스터디그룹_5주차
Red Hat OpenStack 17 저자직강+스터디그룹_5주차Nalee Jang
 
RethinkConn 2022!
RethinkConn 2022!RethinkConn 2022!
RethinkConn 2022!NATS
 
Kubernetes Networking
Kubernetes NetworkingKubernetes Networking
Kubernetes NetworkingCJ Cullen
 
Routed Provider Networks on OpenStack
Routed Provider Networks on OpenStack Routed Provider Networks on OpenStack
Routed Provider Networks on OpenStack Romana Project
 
Issues of OpenStack multi-region mode
Issues of OpenStack multi-region modeIssues of OpenStack multi-region mode
Issues of OpenStack multi-region modeJoe Huang
 
Building a Stretched Cluster using Virtual SAN 6.1
Building a Stretched Cluster using Virtual SAN 6.1Building a Stretched Cluster using Virtual SAN 6.1
Building a Stretched Cluster using Virtual SAN 6.1Duncan Epping
 
vSAN Beyond The Basics
vSAN Beyond The BasicsvSAN Beyond The Basics
vSAN Beyond The BasicsSumit Lahiri
 
NATS Connect Live!
NATS Connect Live!NATS Connect Live!
NATS Connect Live!NATS
 
OpenContrail deployment experience
OpenContrail deployment experienceOpenContrail deployment experience
OpenContrail deployment experienceJakub Pavlik
 
Opencontrail network virtualization
Opencontrail network virtualizationOpencontrail network virtualization
Opencontrail network virtualizationNicolai van der Smagt
 

More Related Content

What's hot

[2018] 오픈스택 5년 운영의 경험
[2018] 오픈스택 5년 운영의 경험[2018] 오픈스택 5년 운영의 경험
[2018] 오픈스택 5년 운영의 경험NHN FORWARD
 
Large scale overlay networks with ovn: problems and solutions
Large scale overlay networks with ovn: problems and solutionsLarge scale overlay networks with ovn: problems and solutions
Large scale overlay networks with ovn: problems and solutionsHan Zhou
 
Evolution of Openstack Networking at CERN
Evolution of Openstack Networking at CERNEvolution of Openstack Networking at CERN
Evolution of Openstack Networking at CERNBelmiro Moreira
 
[오픈소스컨설팅] Open Stack Ceph, Neutron, HA, Multi-Region
[오픈소스컨설팅] Open Stack Ceph, Neutron, HA, Multi-Region[오픈소스컨설팅] Open Stack Ceph, Neutron, HA, Multi-Region
[오픈소스컨설팅] Open Stack Ceph, Neutron, HA, Multi-RegionJi-Woong Choi
 
OpenStack networking
OpenStack networkingOpenStack networking
OpenStack networkingSim Janghoon
 
OVN 設定サンプル | OVN config example 2015/12/27
OVN 設定サンプル | OVN config example 2015/12/27OVN 設定サンプル | OVN config example 2015/12/27
OVN 設定サンプル | OVN config example 2015/12/27Kentaro Ebisawa
 
OpenvSwitch Deep Dive
OpenvSwitch Deep DiveOpenvSwitch Deep Dive
OpenvSwitch Deep Diverajdeep
 
君にもできる! にゅーとろん君になってみよー!! 「Neutronになって理解するOpenStack Net - OpenStack最新情報セミナー ...
君にもできる! にゅーとろん君になってみよー!! 「Neutronになって理解するOpenStack Net - OpenStack最新情報セミナー ...君にもできる! にゅーとろん君になってみよー!! 「Neutronになって理解するOpenStack Net - OpenStack最新情報セミナー ...
君にもできる! にゅーとろん君になってみよー!! 「Neutronになって理解するOpenStack Net - OpenStack最新情報セミナー ...VirtualTech Japan Inc.
 
Open vSwitch 패킷 처리 구조
Open vSwitch 패킷 처리 구조Open vSwitch 패킷 처리 구조
Open vSwitch 패킷 처리 구조Seung-Hoon Baek
 
VMware HCI solutions - 2020-01-16
VMware HCI solutions - 2020-01-16VMware HCI solutions - 2020-01-16
VMware HCI solutions - 2020-01-16David Pasek
 
Red Hat OpenStack 17 저자직강+스터디그룹_5주차
Red Hat OpenStack 17 저자직강+스터디그룹_5주차Red Hat OpenStack 17 저자직강+스터디그룹_5주차
Red Hat OpenStack 17 저자직강+스터디그룹_5주차Nalee Jang
 
RethinkConn 2022!
RethinkConn 2022!RethinkConn 2022!
RethinkConn 2022!NATS
 
Kubernetes Networking
Kubernetes NetworkingKubernetes Networking
Kubernetes NetworkingCJ Cullen
 
Routed Provider Networks on OpenStack
Routed Provider Networks on OpenStack Routed Provider Networks on OpenStack
Routed Provider Networks on OpenStack Romana Project
 
Issues of OpenStack multi-region mode
Issues of OpenStack multi-region modeIssues of OpenStack multi-region mode
Issues of OpenStack multi-region modeJoe Huang
 
Building a Stretched Cluster using Virtual SAN 6.1
Building a Stretched Cluster using Virtual SAN 6.1Building a Stretched Cluster using Virtual SAN 6.1
Building a Stretched Cluster using Virtual SAN 6.1Duncan Epping
 
vSAN Beyond The Basics
vSAN Beyond The BasicsvSAN Beyond The Basics
vSAN Beyond The BasicsSumit Lahiri
 
NATS Connect Live!
NATS Connect Live!NATS Connect Live!
NATS Connect Live!NATS
 

What's hot (20)

[2018] 오픈스택 5년 운영의 경험
[2018] 오픈스택 5년 운영의 경험[2018] 오픈스택 5년 운영의 경험
[2018] 오픈스택 5년 운영의 경험
 
Large scale overlay networks with ovn: problems and solutions
Large scale overlay networks with ovn: problems and solutionsLarge scale overlay networks with ovn: problems and solutions
Large scale overlay networks with ovn: problems and solutions
 
Evolution of Openstack Networking at CERN
Evolution of Openstack Networking at CERNEvolution of Openstack Networking at CERN
Evolution of Openstack Networking at CERN
 
[오픈소스컨설팅] Open Stack Ceph, Neutron, HA, Multi-Region
[오픈소스컨설팅] Open Stack Ceph, Neutron, HA, Multi-Region[오픈소스컨설팅] Open Stack Ceph, Neutron, HA, Multi-Region
[오픈소스컨설팅] Open Stack Ceph, Neutron, HA, Multi-Region
 
OpenStack networking
OpenStack networkingOpenStack networking
OpenStack networking
 
OVN 設定サンプル | OVN config example 2015/12/27
OVN 設定サンプル | OVN config example 2015/12/27OVN 設定サンプル | OVN config example 2015/12/27
OVN 設定サンプル | OVN config example 2015/12/27
 
Neutron packet logging framework
Neutron packet logging frameworkNeutron packet logging framework
Neutron packet logging framework
 
OpenvSwitch Deep Dive
OpenvSwitch Deep DiveOpenvSwitch Deep Dive
OpenvSwitch Deep Dive
 
君にもできる! にゅーとろん君になってみよー!! 「Neutronになって理解するOpenStack Net - OpenStack最新情報セミナー ...
君にもできる! にゅーとろん君になってみよー!! 「Neutronになって理解するOpenStack Net - OpenStack最新情報セミナー ...君にもできる! にゅーとろん君になってみよー!! 「Neutronになって理解するOpenStack Net - OpenStack最新情報セミナー ...
君にもできる! にゅーとろん君になってみよー!! 「Neutronになって理解するOpenStack Net - OpenStack最新情報セミナー ...
 
Open vSwitch 패킷 처리 구조
Open vSwitch 패킷 처리 구조Open vSwitch 패킷 처리 구조
Open vSwitch 패킷 처리 구조
 
VMware HCI solutions - 2020-01-16
VMware HCI solutions - 2020-01-16VMware HCI solutions - 2020-01-16
VMware HCI solutions - 2020-01-16
 
Community Openstack 구축 사례
Community Openstack 구축 사례Community Openstack 구축 사례
Community Openstack 구축 사례
 
Red Hat OpenStack 17 저자직강+스터디그룹_5주차
Red Hat OpenStack 17 저자직강+스터디그룹_5주차Red Hat OpenStack 17 저자직강+스터디그룹_5주차
Red Hat OpenStack 17 저자직강+스터디그룹_5주차
 
RethinkConn 2022!
RethinkConn 2022!RethinkConn 2022!
RethinkConn 2022!
 
Kubernetes Networking
Kubernetes NetworkingKubernetes Networking
Kubernetes Networking
 
Routed Provider Networks on OpenStack
Routed Provider Networks on OpenStack Routed Provider Networks on OpenStack
Routed Provider Networks on OpenStack
 
Issues of OpenStack multi-region mode
Issues of OpenStack multi-region modeIssues of OpenStack multi-region mode
Issues of OpenStack multi-region mode
 
Building a Stretched Cluster using Virtual SAN 6.1
Building a Stretched Cluster using Virtual SAN 6.1Building a Stretched Cluster using Virtual SAN 6.1
Building a Stretched Cluster using Virtual SAN 6.1
 
vSAN Beyond The Basics
vSAN Beyond The BasicsvSAN Beyond The Basics
vSAN Beyond The Basics
 
NATS Connect Live!
NATS Connect Live!NATS Connect Live!
NATS Connect Live!
 

Viewers also liked

OpenContrail deployment experience
OpenContrail deployment experienceOpenContrail deployment experience
OpenContrail deployment experienceJakub Pavlik
 
OpenStack and OpenContrail for FreeBSD platform by Michał Dubiel
OpenStack and OpenContrail for FreeBSD platform by Michał DubielOpenStack and OpenContrail for FreeBSD platform by Michał Dubiel
OpenStack and OpenContrail for FreeBSD platform by Michał Dubieleurobsdcon
 
How we took our server side application to the cloud and liked what we got, B...
How we took our server side application to the cloud and liked what we got, B...How we took our server side application to the cloud and liked what we got, B...
How we took our server side application to the cloud and liked what we got, B...DevOpsDays Tel Aviv
 
Kubernetes SDN performance and architecture
Kubernetes SDN performance and architectureKubernetes SDN performance and architecture
Kubernetes SDN performance and architectureJakub Pavlik
 
○○○で作るOpenStack+Contrail環境
○○○で作るOpenStack+Contrail環境○○○で作るOpenStack+Contrail環境
○○○で作るOpenStack+Contrail環境VirtualTech Japan Inc.
 
Using OpenContrail with Kubernetes
Using OpenContrail with KubernetesUsing OpenContrail with Kubernetes
Using OpenContrail with KubernetesMatt Baldwin
 
OpenStack & OpenContrail in Production
OpenStack & OpenContrail in ProductionOpenStack & OpenContrail in Production
OpenStack & OpenContrail in ProductionEdgar Magana
 
The Basic Introduction of Open vSwitch
The Basic Introduction of Open vSwitchThe Basic Introduction of Open vSwitch
The Basic Introduction of Open vSwitchTe-Yen Liu
 
Docker and Windows: The State of the Union
Docker and Windows: The State of the UnionDocker and Windows: The State of the Union
Docker and Windows: The State of the UnionElton Stoneman
 

Viewers also liked (12)

OpenContrail deployment experience
OpenContrail deployment experienceOpenContrail deployment experience
OpenContrail deployment experience
 
Opencontrail network virtualization
Opencontrail network virtualizationOpencontrail network virtualization
Opencontrail network virtualization
 
OpenStack and OpenContrail for FreeBSD platform by Michał Dubiel
OpenStack and OpenContrail for FreeBSD platform by Michał DubielOpenStack and OpenContrail for FreeBSD platform by Michał Dubiel
OpenStack and OpenContrail for FreeBSD platform by Michał Dubiel
 
Characteristics of SaaS applications
Characteristics of SaaS applicationsCharacteristics of SaaS applications
Characteristics of SaaS applications
 
How we took our server side application to the cloud and liked what we got, B...
How we took our server side application to the cloud and liked what we got, B...How we took our server side application to the cloud and liked what we got, B...
How we took our server side application to the cloud and liked what we got, B...
 
Kubernetes SDN performance and architecture
Kubernetes SDN performance and architectureKubernetes SDN performance and architecture
Kubernetes SDN performance and architecture
 
○○○で作るOpenStack+Contrail環境
○○○で作るOpenStack+Contrail環境○○○で作るOpenStack+Contrail環境
○○○で作るOpenStack+Contrail環境
 
Using OpenContrail with Kubernetes
Using OpenContrail with KubernetesUsing OpenContrail with Kubernetes
Using OpenContrail with Kubernetes
 
Moving To SaaS
Moving To SaaSMoving To SaaS
Moving To SaaS
 
OpenStack & OpenContrail in Production
OpenStack & OpenContrail in ProductionOpenStack & OpenContrail in Production
OpenStack & OpenContrail in Production
 
The Basic Introduction of Open vSwitch
The Basic Introduction of Open vSwitchThe Basic Introduction of Open vSwitch
The Basic Introduction of Open vSwitch
 
Docker and Windows: The State of the Union
Docker and Windows: The State of the UnionDocker and Windows: The State of the Union
Docker and Windows: The State of the Union
 

Similar to Build a Secure Multi-Tenant Cloud Network

Openstack meetup-pune-aug22-overview
Openstack meetup-pune-aug22-overviewOpenstack meetup-pune-aug22-overview
Openstack meetup-pune-aug22-overviewrajdeep
 
Quantum PTL Update - Grizzly Summit.pptx
Quantum PTL Update - Grizzly Summit.pptxQuantum PTL Update - Grizzly Summit.pptx
Quantum PTL Update - Grizzly Summit.pptxOpenStack Foundation
 
Quantum grizzly summit
Quantum grizzly summitQuantum grizzly summit
Quantum grizzly summitDan Wendlandt
 
NSX: La Virtualizzazione di Rete e il Futuro della Sicurezza
NSX: La Virtualizzazione di Rete e il Futuro della SicurezzaNSX: La Virtualizzazione di Rete e il Futuro della Sicurezza
NSX: La Virtualizzazione di Rete e il Futuro della SicurezzaVMUG IT
 
CloudStack Networking Deepdive CCCEU13
CloudStack Networking Deepdive CCCEU13CloudStack Networking Deepdive CCCEU13
CloudStack Networking Deepdive CCCEU13Chiradeep Vittal
 
Testing the limits of cloud networks
Testing the limits of cloud networksTesting the limits of cloud networks
Testing the limits of cloud networksPLUMgrid
 
ONUG Tutorial: Bridges and Tunnels Drive Through OpenStack Networking
ONUG Tutorial: Bridges and Tunnels Drive Through OpenStack NetworkingONUG Tutorial: Bridges and Tunnels Drive Through OpenStack Networking
ONUG Tutorial: Bridges and Tunnels Drive Through OpenStack Networkingmarkmcclain
 
Quantum for Cloud Operators - Folsom Conference
Quantum for Cloud Operators - Folsom Conference Quantum for Cloud Operators - Folsom Conference
Quantum for Cloud Operators - Folsom Conference Dan Wendlandt
 
Integrating OpenStack To Existing Infrastructure
Integrating OpenStack To Existing InfrastructureIntegrating OpenStack To Existing Infrastructure
Integrating OpenStack To Existing InfrastructureHui Cheng
 
Openstack Quantum yahoo meetup 1 23-13
Openstack Quantum yahoo meetup 1 23-13Openstack Quantum yahoo meetup 1 23-13
Openstack Quantum yahoo meetup 1 23-13Dan Wendlandt
 
OpenStack Quantum: Cloud Carrier Summit 2012
OpenStack Quantum: Cloud Carrier Summit 2012OpenStack Quantum: Cloud Carrier Summit 2012
OpenStack Quantum: Cloud Carrier Summit 2012Dan Wendlandt
 
Openstack Overview
Openstack OverviewOpenstack Overview
Openstack Overviewrajdeep
 
Inside Architecture of Neutron
Inside Architecture of NeutronInside Architecture of Neutron
Inside Architecture of Neutronmarkmcclain
 
Quantum Folsom Summit Developer Overview
Quantum Folsom Summit Developer OverviewQuantum Folsom Summit Developer Overview
Quantum Folsom Summit Developer OverviewDan Wendlandt
 
Network and Service Virtualization tutorial at ONUG Spring 2015
Network and Service Virtualization tutorial at ONUG Spring 2015Network and Service Virtualization tutorial at ONUG Spring 2015
Network and Service Virtualization tutorial at ONUG Spring 2015SDN Hub
 
Integrating OpenStack to Existing infrastructure
Integrating OpenStack to Existing infrastructureIntegrating OpenStack to Existing infrastructure
Integrating OpenStack to Existing infrastructurelaurabeckcahoon
 
VMUGbe 21 Filip Verloy
VMUGbe 21 Filip VerloyVMUGbe 21 Filip Verloy
VMUGbe 21 Filip VerloyFilip Verloy
 
PLNOG 13: Michał Dubiel: OpenContrail software architecture
PLNOG 13: Michał Dubiel: OpenContrail software architecturePLNOG 13: Michał Dubiel: OpenContrail software architecture
PLNOG 13: Michał Dubiel: OpenContrail software architecturePROIDEA
 
VMworld 2015: VMware NSX Deep Dive
VMworld 2015: VMware NSX Deep DiveVMworld 2015: VMware NSX Deep Dive
VMworld 2015: VMware NSX Deep DiveVMworld
 

Similar to Build a Secure Multi-Tenant Cloud Network (20)

Openstack meetup-pune-aug22-overview
Openstack meetup-pune-aug22-overviewOpenstack meetup-pune-aug22-overview
Openstack meetup-pune-aug22-overview
 
Quantum PTL Update - Grizzly Summit.pptx
Quantum PTL Update - Grizzly Summit.pptxQuantum PTL Update - Grizzly Summit.pptx
Quantum PTL Update - Grizzly Summit.pptx
 
Quantum grizzly summit
Quantum grizzly summitQuantum grizzly summit
Quantum grizzly summit
 
NSX: La Virtualizzazione di Rete e il Futuro della Sicurezza
NSX: La Virtualizzazione di Rete e il Futuro della SicurezzaNSX: La Virtualizzazione di Rete e il Futuro della Sicurezza
NSX: La Virtualizzazione di Rete e il Futuro della Sicurezza
 
CloudStack Networking Deepdive CCCEU13
CloudStack Networking Deepdive CCCEU13CloudStack Networking Deepdive CCCEU13
CloudStack Networking Deepdive CCCEU13
 
Testing the limits of cloud networks
Testing the limits of cloud networksTesting the limits of cloud networks
Testing the limits of cloud networks
 
ONUG Tutorial: Bridges and Tunnels Drive Through OpenStack Networking
ONUG Tutorial: Bridges and Tunnels Drive Through OpenStack NetworkingONUG Tutorial: Bridges and Tunnels Drive Through OpenStack Networking
ONUG Tutorial: Bridges and Tunnels Drive Through OpenStack Networking
 
Quantum for Cloud Operators - Folsom Conference
Quantum for Cloud Operators - Folsom Conference Quantum for Cloud Operators - Folsom Conference
Quantum for Cloud Operators - Folsom Conference
 
Integrating OpenStack To Existing Infrastructure
Integrating OpenStack To Existing InfrastructureIntegrating OpenStack To Existing Infrastructure
Integrating OpenStack To Existing Infrastructure
 
Openstack Quantum yahoo meetup 1 23-13
Openstack Quantum yahoo meetup 1 23-13Openstack Quantum yahoo meetup 1 23-13
Openstack Quantum yahoo meetup 1 23-13
 
OpenStack Quantum
OpenStack QuantumOpenStack Quantum
OpenStack Quantum
 
OpenStack Quantum: Cloud Carrier Summit 2012
OpenStack Quantum: Cloud Carrier Summit 2012OpenStack Quantum: Cloud Carrier Summit 2012
OpenStack Quantum: Cloud Carrier Summit 2012
 
Openstack Overview
Openstack OverviewOpenstack Overview
Openstack Overview
 
Inside Architecture of Neutron
Inside Architecture of NeutronInside Architecture of Neutron
Inside Architecture of Neutron
 
Quantum Folsom Summit Developer Overview
Quantum Folsom Summit Developer OverviewQuantum Folsom Summit Developer Overview
Quantum Folsom Summit Developer Overview
 
Network and Service Virtualization tutorial at ONUG Spring 2015
Network and Service Virtualization tutorial at ONUG Spring 2015Network and Service Virtualization tutorial at ONUG Spring 2015
Network and Service Virtualization tutorial at ONUG Spring 2015
 
Integrating OpenStack to Existing infrastructure
Integrating OpenStack to Existing infrastructureIntegrating OpenStack to Existing infrastructure
Integrating OpenStack to Existing infrastructure
 
VMUGbe 21 Filip Verloy
VMUGbe 21 Filip VerloyVMUGbe 21 Filip Verloy
VMUGbe 21 Filip Verloy
 
PLNOG 13: Michał Dubiel: OpenContrail software architecture
PLNOG 13: Michał Dubiel: OpenContrail software architecturePLNOG 13: Michał Dubiel: OpenContrail software architecture
PLNOG 13: Michał Dubiel: OpenContrail software architecture
 
VMworld 2015: VMware NSX Deep Dive
VMworld 2015: VMware NSX Deep DiveVMworld 2015: VMware NSX Deep Dive
VMworld 2015: VMware NSX Deep Dive
 

Recently uploaded

Stork Webinar | APM Transformational planning, Tool Selection & Performance T...
Stork Webinar | APM Transformational planning, Tool Selection & Performance T...Stork Webinar | APM Transformational planning, Tool Selection & Performance T...
Stork Webinar | APM Transformational planning, Tool Selection & Performance T...Stork
 
US Department of Education FAFSA Week of Action
US Department of Education FAFSA Week of ActionUS Department of Education FAFSA Week of Action
US Department of Education FAFSA Week of ActionMebane Rash
 
Paper Tube : Shigeru Ban projects and Case Study of Cardboard Cathedral .pdf
Paper Tube : Shigeru Ban projects and Case Study of Cardboard Cathedral .pdfPaper Tube : Shigeru Ban projects and Case Study of Cardboard Cathedral .pdf
Paper Tube : Shigeru Ban projects and Case Study of Cardboard Cathedral .pdfNainaShrivastava14
 
OOP concepts -in-Python programming language
OOP concepts -in-Python programming languageOOP concepts -in-Python programming language
OOP concepts -in-Python programming languageSmritiSharma901052
 
DEVICE DRIVERS AND INTERRUPTS SERVICE MECHANISM.pdf
DEVICE DRIVERS AND INTERRUPTS SERVICE MECHANISM.pdfDEVICE DRIVERS AND INTERRUPTS SERVICE MECHANISM.pdf
DEVICE DRIVERS AND INTERRUPTS SERVICE MECHANISM.pdfAkritiPradhan2
 
Energy Awareness training ppt for manufacturing process.pptx
Energy Awareness training ppt for manufacturing process.pptxEnergy Awareness training ppt for manufacturing process.pptx
Energy Awareness training ppt for manufacturing process.pptxsiddharthjain2303
 
Cost estimation approach: FP to COCOMO scenario based question
Cost estimation approach: FP to COCOMO scenario based questionCost estimation approach: FP to COCOMO scenario based question
Cost estimation approach: FP to COCOMO scenario based questionSneha Padhiar
 
Input Output Management in Operating System
Input Output Management in Operating SystemInput Output Management in Operating System
Input Output Management in Operating SystemRashmi Bhat
 
Virtual memory management in Operating System
Virtual memory management in Operating SystemVirtual memory management in Operating System
Virtual memory management in Operating SystemRashmi Bhat
 
ROBOETHICS-CCS345 ETHICS AND ARTIFICIAL INTELLIGENCE.ppt
ROBOETHICS-CCS345 ETHICS AND ARTIFICIAL INTELLIGENCE.pptROBOETHICS-CCS345 ETHICS AND ARTIFICIAL INTELLIGENCE.ppt
ROBOETHICS-CCS345 ETHICS AND ARTIFICIAL INTELLIGENCE.pptJohnWilliam111370
 
THE SENDAI FRAMEWORK FOR DISASTER RISK REDUCTION
THE SENDAI FRAMEWORK FOR DISASTER RISK REDUCTIONTHE SENDAI FRAMEWORK FOR DISASTER RISK REDUCTION
THE SENDAI FRAMEWORK FOR DISASTER RISK REDUCTIONjhunlian
 
Earthing details of Electrical Substation
Earthing details of Electrical SubstationEarthing details of Electrical Substation
Earthing details of Electrical Substationstephanwindworld
 
Levelling - Rise and fall - Height of instrument method
Levelling - Rise and fall - Height of instrument methodLevelling - Rise and fall - Height of instrument method
Levelling - Rise and fall - Height of instrument methodManicka Mamallan Andavar
 
Mine Environment II Lab_MI10448MI__________.pptx
Mine Environment II Lab_MI10448MI__________.pptxMine Environment II Lab_MI10448MI__________.pptx
Mine Environment II Lab_MI10448MI__________.pptxRomil Mishra
 
KCD Costa Rica 2024 - Nephio para parvulitos
KCD Costa Rica 2024 - Nephio para parvulitosKCD Costa Rica 2024 - Nephio para parvulitos
KCD Costa Rica 2024 - Nephio para parvulitosVictor Morales
 
11. Properties of Liquid Fuels in Energy Engineering.pdf
11. Properties of Liquid Fuels in Energy Engineering.pdf11. Properties of Liquid Fuels in Energy Engineering.pdf
11. Properties of Liquid Fuels in Energy Engineering.pdfHafizMudaserAhmad
 
Python Programming for basic beginners.pptx
Python Programming for basic beginners.pptxPython Programming for basic beginners.pptx
Python Programming for basic beginners.pptxmohitesoham12
 
SOFTWARE ESTIMATION COCOMO AND FP CALCULATION
SOFTWARE ESTIMATION COCOMO AND FP CALCULATIONSOFTWARE ESTIMATION COCOMO AND FP CALCULATION
SOFTWARE ESTIMATION COCOMO AND FP CALCULATIONSneha Padhiar
 
Immutable Image-Based Operating Systems - EW2024.pdf
Immutable Image-Based Operating Systems - EW2024.pdfImmutable Image-Based Operating Systems - EW2024.pdf
Immutable Image-Based Operating Systems - EW2024.pdfDrew Moseley
 
CS 3251 Programming in c all unit notes pdf
CS 3251 Programming in c all unit notes pdfCS 3251 Programming in c all unit notes pdf
CS 3251 Programming in c all unit notes pdfBalamuruganV28
 

Recently uploaded (20)

Stork Webinar | APM Transformational planning, Tool Selection & Performance T...
Stork Webinar | APM Transformational planning, Tool Selection & Performance T...Stork Webinar | APM Transformational planning, Tool Selection & Performance T...
Stork Webinar | APM Transformational planning, Tool Selection & Performance T...
 
US Department of Education FAFSA Week of Action
US Department of Education FAFSA Week of ActionUS Department of Education FAFSA Week of Action
US Department of Education FAFSA Week of Action
 
Paper Tube : Shigeru Ban projects and Case Study of Cardboard Cathedral .pdf
Paper Tube : Shigeru Ban projects and Case Study of Cardboard Cathedral .pdfPaper Tube : Shigeru Ban projects and Case Study of Cardboard Cathedral .pdf
Paper Tube : Shigeru Ban projects and Case Study of Cardboard Cathedral .pdf
 
OOP concepts -in-Python programming language
OOP concepts -in-Python programming languageOOP concepts -in-Python programming language
OOP concepts -in-Python programming language
 
DEVICE DRIVERS AND INTERRUPTS SERVICE MECHANISM.pdf
DEVICE DRIVERS AND INTERRUPTS SERVICE MECHANISM.pdfDEVICE DRIVERS AND INTERRUPTS SERVICE MECHANISM.pdf
DEVICE DRIVERS AND INTERRUPTS SERVICE MECHANISM.pdf
 
Energy Awareness training ppt for manufacturing process.pptx
Energy Awareness training ppt for manufacturing process.pptxEnergy Awareness training ppt for manufacturing process.pptx
Energy Awareness training ppt for manufacturing process.pptx
 
Cost estimation approach: FP to COCOMO scenario based question
Cost estimation approach: FP to COCOMO scenario based questionCost estimation approach: FP to COCOMO scenario based question
Cost estimation approach: FP to COCOMO scenario based question
 
Input Output Management in Operating System
Input Output Management in Operating SystemInput Output Management in Operating System
Input Output Management in Operating System
 
Virtual memory management in Operating System
Virtual memory management in Operating SystemVirtual memory management in Operating System
Virtual memory management in Operating System
 
ROBOETHICS-CCS345 ETHICS AND ARTIFICIAL INTELLIGENCE.ppt
ROBOETHICS-CCS345 ETHICS AND ARTIFICIAL INTELLIGENCE.pptROBOETHICS-CCS345 ETHICS AND ARTIFICIAL INTELLIGENCE.ppt
ROBOETHICS-CCS345 ETHICS AND ARTIFICIAL INTELLIGENCE.ppt
 
THE SENDAI FRAMEWORK FOR DISASTER RISK REDUCTION
THE SENDAI FRAMEWORK FOR DISASTER RISK REDUCTIONTHE SENDAI FRAMEWORK FOR DISASTER RISK REDUCTION
THE SENDAI FRAMEWORK FOR DISASTER RISK REDUCTION
 
Earthing details of Electrical Substation
Earthing details of Electrical SubstationEarthing details of Electrical Substation
Earthing details of Electrical Substation
 
Levelling - Rise and fall - Height of instrument method
Levelling - Rise and fall - Height of instrument methodLevelling - Rise and fall - Height of instrument method
Levelling - Rise and fall - Height of instrument method
 
Mine Environment II Lab_MI10448MI__________.pptx
Mine Environment II Lab_MI10448MI__________.pptxMine Environment II Lab_MI10448MI__________.pptx
Mine Environment II Lab_MI10448MI__________.pptx
 
KCD Costa Rica 2024 - Nephio para parvulitos
KCD Costa Rica 2024 - Nephio para parvulitosKCD Costa Rica 2024 - Nephio para parvulitos
KCD Costa Rica 2024 - Nephio para parvulitos
 
11. Properties of Liquid Fuels in Energy Engineering.pdf
11. Properties of Liquid Fuels in Energy Engineering.pdf11. Properties of Liquid Fuels in Energy Engineering.pdf
11. Properties of Liquid Fuels in Energy Engineering.pdf
 
Python Programming for basic beginners.pptx
Python Programming for basic beginners.pptxPython Programming for basic beginners.pptx
Python Programming for basic beginners.pptx
 
SOFTWARE ESTIMATION COCOMO AND FP CALCULATION
SOFTWARE ESTIMATION COCOMO AND FP CALCULATIONSOFTWARE ESTIMATION COCOMO AND FP CALCULATION
SOFTWARE ESTIMATION COCOMO AND FP CALCULATION
 
Immutable Image-Based Operating Systems - EW2024.pdf
Immutable Image-Based Operating Systems - EW2024.pdfImmutable Image-Based Operating Systems - EW2024.pdf
Immutable Image-Based Operating Systems - EW2024.pdf
 
CS 3251 Programming in c all unit notes pdf
CS 3251 Programming in c all unit notes pdfCS 3251 Programming in c all unit notes pdf
CS 3251 Programming in c all unit notes pdf
 

Build a Secure Multi-Tenant Cloud Network

  • 1. ARCHITECTING AND BUILDING A SECURE MULTI-TENANT CLOUD FOR SAAS APPLICATIONS Dilip Sundarraj Cloud Solutions Architect, Juniper Networks April 8th, 2015
  • 3. What is Network Virtualization? • Independent of Physical Network Location or State • Logical Network across any server, any rack, any cluster, any data-center • Virtual Machines can migrate without requiring any reworking of security policies, load balancing, etc • New Workloads or Networks should not require provisioning of physical network • Nodes in Physical Network can fail without any disruption to Workload • Full Isolation for Multi-tenancy and Fault Tolerance • MAC and IP Addresses are completely private per tenant • Any failures or configuration errors by tenants do not affect other applications or tenants • Any failures in the virtual layer do not propagate to physical layer
  • 4. OpenContrail • OpenSource Network Virtualization Platform for Cloud • Primary Use Cases: • Cloud Networking – IaaS, VPCs for Cloud SP, Private Cloud for Enterprises or SPs • NFV in SP networks – Value added services for SP edge networks.
  • 6. Analytics CONTRAIL CONTROLLER ControlConfiguration x86 Host + Hypervisor ORCHESTRATOR x86 Host + Hypervisor Physical IP Network (no changes) vRouter vRouter Gateway Internet / WAN Legacy Infra. (VLAN, etc.) Bi-directional real-time message bus using XMPP Network orchestration Standard protocol (M- BGP) to talk with other Contrail controller instances Compute / Storage orchestration Accepts and converts orchestrator requests for VM creation, translates requests, and creates network Interacts with network elements for VM network provisioning and ensures uptime Real-time analytics engine collects, stores and analyzes network elements vRouter: Virtualized routing element handles localized control plane and forwarding plane work on the compute node Gateway: MX Series (or other router) serve as gateway improving scale & performance
  • 8. Openstack integration Horizon Nova API Compute Driver Virtual-IF Driver Nova Compute Contrail Agent vRouter (kernel) Virtual Router Nova Scheduler Neutron Driver Neutron Plugin Configuration Node Control Node 1 Create an Instance (VM Info, Network, IPAM, Policies, etc) 2 Schedule an Instance on the Compute Node 3 VM Network Properties 4 Create VM Interface 6 Publish VM Intf on IFMap 5 Add Port 7 VM Interface Config over XMPP Scripts
  • 9. OpenContrail – Control Node • All Control Plane Nodes are active active • Each vRouter uses XMPP to connect with multiple Control Plane nodes for redundancy • Each Control Plane Node connects to multiple configuration nodes for redundancy • Control Plane Nodes federate using BGP Control Node "BGP module" Proxies XMPP Control Node Control Node Compute Node Compute Node Configuration Node Configuration Node IF-MAP XMPP IBGP IF-MAP Client Gateway Routers Service Nodes
  • 11. Compute node – Hypervisor, vRouter Compute Node Virtual Machine (Tenant B) Virtual Machine (Tenant C) Virtual Machine (Tenant C) vRouter Forwarding Plane Virtual Machine (Tenant A) Routing Instance (Tenant A) Routing Instance (Tenant B) Routing Instance (Tenant C) vRouter Agent Flow Table FIB Flow Table FIB Flow Table FIB Overlay tunnels MPLS over GRE or VXLAN JUNOSV CONTRAIL CONTROLLER JUNOSV CONTRAIL CONTROLLER XMPP Eth1Kernel Tap Interfaces (vif) pkt0 User Eth0 EthN Config VRFs Policy Table Top of Rack Switch XMPP
  • 12. Compute node – Forwarding/Tunneling Overlay tunnels MPLS over GRE or VXLAN Compute Node vRouter Forwarding Plane Virtual Machine (VN-IP1) Routing Instance Flow Table FIB Eth1 (Phy-IP1) Tap Interfaces (vif) Compute Node vRouter Forwarding Plane Virtual Machine (VN-IP2) Routing Instance Flow Table FIB Eth1 (Phy-IP2) Tap Interfaces (vif) VIRTUAL PHYSICAL Virtual-IP2 Payload Virtual-IP2 Payload MPLS / VNI Phy-IP2 Virtual-IP2 Payload Virtual-IP2 Payload MPLS / VNI Phy-IP2 1. Guest OS ARPs for destination within subnet or default GW 2. VRouter receives the ARP and responds back with VRRP MAC 3. Guest OS sends traffic to the VRRP MAC, Vrouter encapsulates the packet with appropriate MPLS/VNI tag and GRE header 1. Physical Fabric Routers on Physical IP Address 1. Returning packets get forwarded to appropriate Routing Instance by the MPLS/VNI tag 1. VRouter de-capsulates the packet, and forwards it to the Guest OS
  • 14. DNSaaS Contrail offers 4 different DNS modes • Default DNS server • The host OS’s configured DNS server • Tenant DNS server • Tenants can use their own DNS servers (different from host OS’s DNS server) • Virtual DNS server • Contrail Controller provides a per tenant DNS server • None • VMs don’t have any DNS resolution capability One of these modes is selected when an IPAM instance is created for a domain.
  • 15. Contrail Virtual DNS DNS Record Creation • Each IPAM -> Virtual DNS servers configured • Virtual Networks and VMs in IPAM use DNS domain of Virtual DNS server specified in IPAM • When a VM is spawned, • A & PTR records are added into the vDNS server of the virtual network’s IPAM NOTE: • DNS Records can also be added statically. • A, CNAME, PTR and NS records are also supported.
  • 16. Contrail Virtual DNS DNS Resolution: 1. DNS requests from VM trapped to the vRouter agent on the hypervisor 2. vRouter agent then forwards DNS request to the controllers (which run BIND) for resolution. 3. BIND has the concept of views and every virtual DNS instance has its own isolated view view "default-domain-contrailtestdns" { rrset-order {order random;}; forwarders {172.16.70.254; }; zone "6.6.6.in-addr.arpa." IN { type master; file "/etc/contrail/dns/default-domain-contrailtestdns.6.6.6.in-addr.arpa.zone"; allow-update {127.0.0.1;}; }; zone "contrail.us" IN { type master; file "/etc/contrail/dns/default-domain-contrailtestdns.contrail.us.zone"; allow-update {127.0.0.1;}; }; };
  • 17. DNS & IPAM Relationship • Neutron network maps to Contrail Virtual Network • network-ipam & virtual-DNS (Contrail specific constructs) • virtual-DNS object has domain as parent • network-ipam has project as parent. • So: • virtual-network ==refers-to==> network-ipam ==refers-to==> virtual-DNS
  • 18. Contrail Virtual DNS @SYMC • By default, Contrail API server creates default-network- ipam object under the default-domain -> default-project hierarchy • However, using Contrail API hooks mechanism automatically • Create default-network-ipam object within a newly created project • Create default-virtual-DNS object within a newly created domain • Link them to provide vDNS functionality. • So, a new virtual-network when created, it is automatically linked to the project specific default-network-ipam and corresponding virtual DNS object
  • 19. Floating IPs • Neutron supports the concept of floating IP (routable IP). • Instances are unaware of their Floating IP. • Every Virtual Network -> Routing Instance • Routing Instances • Define network connectivity between VMs in the Virtual Network • Contain routes only for VMs in the virtual network • Two Routing Instances (Virtual Networks) can be connected using • Neutron L3 agent • Contrail Network Policy (explained later) • By default, Virtual Network do not have access to a “public” (routable) network • A Gateway must be used to provide connectivity to "public" network from a virtual-network. • Floating IP support can be provided with • Simple Gateway – x86 based Software GW • Routing Device such as Juniper MX
  • 20. Floating IP using Neutron L3 Router • Create an external network • neutron net-create public --router:external True • Create a router • neutron router-create router1 • Add interfaces from Virtual network to this router • neutron router-interface-add router1 SUBNET1_UUID • Set router-gateway-set on router instance • Connects a router to an external network, which enables that router to act as a NAT gateway for external connectivity. • neutron router-gateway-set router1 EXT_NET_ID
  • 21. Spine Spine Leaf LeafLeaf BMS BMS BMS BMS Node Node Node Node Node Node Node Node Mountain View DC MX Router Internet Spine Spine Leaf LeafLeaf Node Node Node Node Node Node Node Node Node Node Node Node Boston DC Public VRF Intra- site VRF Internet MX Router Intra- site VRF Public VRF Intra-site VPN Multiple Floating IPs per VM @SYMC VMs in the MTV DC 1. Internet Routable Floating IP 2. IP Routable from Boston DC
  • 22. LBaaS • LBaaS load balancer enables • Pool of VMs servicing apps accessible via a virtual IP. • Contrail LBaaS features: • Load balancing of traffic from clients to a pool of backend servers. The load balancer proxies all connections to its virtual IP. • Provides load balancing for HTTP, HTTPS, and TCP • Provides health monitoring capabilities for applications • Floating IP association to virtual IP for public access to the backend pool.
  • 24. Contrail LBaaS Implementation • Supports OpenStack LBaaS Neutron APIs • Creation of virtual-ip, loadbalancer-pool, loadbalancer-member, and loadbalancer-healthmonitor. • Creates a Service Instance when a loadbalancer-pool is associated with a virtual-IP object. • Service scheduler launches a namespace & spawns HAProxy on it. • HAProxy parameters obtained from the load balancer objects. • HA of namespaces/HAProxy -> Active/Standby (2 diff computes)
  • 25. Link Local Services Provides VMs access to specific services on IP Fabric infrastructure. • @SYMC • Keystone, Github, NTP, Logging, Monitoring and Metering services Once the link local service is configured, VMs can access the service using the link local address. • OpenStack Metadata Service on 169.254.169.254:80 is also implemented using Link Local Service (169.254.169.XXX, Service port) <-> (Destination IP, Service TCP/UDP port)
  • 26. Contrail Network Policy • Enforces connectivity and policy enforcement between Virtual Networks • Follows the 5-tuple semantics • SRC/DST Virtual Network, SRC/DST Port, Protocol
  • 27. Contrail Network Policy • Connectivity between two Virtual Networks is established by leaking routes between two Routing Instances when a network policy is created interconnecting the two VNs • Policy is enforced for specific traffic types by flow table programming in every vRouter which has the relevant Virtual Networks Compute Node Virtual Machine (Tenant B) Virtual Machine (Tenant C) Virtual Machine (Tenant C) vRouter Forwarding Plane Virtual Machine (Tenant A) Routing Instance (Tenant A) Routing Instance (Tenant B) Routing Instance (Tenant C) vRouter Agent Flow Table FIB Flow Table FIB Flow Table FIB Eth1Kernel Tap Interfaces (vif) pkt0 User Eth0 EthN Config VRFs Policy Table
  • 28. Environments & Operations Environments • Lab: > 10 nodes • CI/CD test environment for SDN related features and functions • Staging: > 50 nodes • True IaaS for PaaS applications • Production: > 250 nodes • PaaS for end-user applications Operations: • Monitoring & Troubleshooting • Contrail Analytics feeds into OpsView & LMM • Upgrade • Phased upgrades during maintenance windows without application downtime.
  • 30. DEVSTACK + OPENCONTRAIL • WHAT? • Run OpenStack and OpenContrail on your laptop or in a VM • WHY? • Use to build & test OpenStack and OpenContrail code • Just play with OpenStack/OpenContrail features • HOW? • Ubuntu server/VM with 4GB RAM, access to github
  • 31. DEVSTACK + OPENCONTRAIL (in-a-box) • Install packages: git-core, ant, build-essential, pkg-config • Download DevStack • (git clone git@github.com:/dsetia/devstack.git) • Edit localrc (set PHYSICAL_INTERFACE) • Run stack.sh • Installs Glance, Nova, Horizon, Keystone, Cinder • And OpenContrail (as a Neutron plugin)
  • 32. RESOURCES • OpenContrail.org • E-Book, Architecture documents, blogs from developers/architects, slides, webinars • GitHub • https://github.com/Juniper/contrail-controller • https://github.com/Juniper/contrail-vrouter • https://github.com/Juniper/contrail-puppet • https://github.com/Juniper/contrail-web-controller • https://github.com/Juniper/contrail-neutron-plugin
  • 33. Q&A

Editor's Notes

  1. Tenants can use their own DNS servers using this mode. A list of servers can be configured in the IPAM
  2. DNS Domain received via DHCP DOMAIN-NAME option. Each record takes the type (A / CNAME / PTR / NS), class (IN), name, data and TTL values.
  3. While the core network resource in Neutron maps to virtual-network in Contrail, network-ipam and virtual-DNS are resources introduced by Contrail. network-ipam is also defined as a Neutron extension and can be used via Neutron API as Horizon does it here.. virtual-DNS will also be added as a Neutron extension in future. virtual-DNS object has domain as parent and network-ipam has project as parent. So: virtual-network ==refers-to==> network-ipam ==refers-to==> virtual-DNS
  4. Simple Gateway is a restricted implementation of gateway which can be used for experimental purposes. Simple gateway provides access to "public" network to virtual-networks.
  5. Explain about VRFs and RTs
  6. Metadata service is also a link-local service, with a fixed service name (metadata), a fixed service address (169.254.169.254:80), and a fabric address pointing to the server where the OpenStack Nova API server is running. All of the configuration and troubleshooting procedures for Contrail link-local services also apply to the metadata service. However, for metadata service, the flow is always set up to the compute node, so the vrouter agent will update and proxy the HTTP request. The vrouter agent listens on a local port to receive the metadata requests. Consequently, the reverse flow has the compute node as the source IP, the local port on which the agent is listening is the source port, and the instance’s metadata IP is the destination IP address.