Post on 14-Apr-2017
Copyright 2013 Alcatel-Lucent. All rights reserved. CONFIDENTIAL - SOLELY FOR AUTHORIZED PERSONS HAVING A NEED TO KNOW
PROPRIETARY – USE PURSUANT TO COMPANY INSTRUCTION. Nuage Networks
Nuage Networks: Enterprise-Grade Networking in OpenStack
@martenhauville @jonasvermeulen
Marten Hauville, Principal Solutions Architect ANZ
Jonas Vermeulen, Product Line Manager EMEA
…or how enterprise IT needs to deliver networking with high availability, scalability and interoperability across complex multi-site environments, seamlessly with existing heterogeneous infrastructure and vendors.
Oh, and interconnect OpenStack private clouds with external public clouds too.
What does Enterprise want?
§ Faster time to market
§ Lower cost, higher quality
§ Reduced OpEx
§ Ubiquitous, easy to manage, maintain, consume
Enterprise technology drivers
§ Self service from catalogue
§ On-demand service
§ OpEx model for charging (charge-back)
§ Pool of resources that can be easily adjusted
§ Availability of integrated applications in a shared environment – Application PaaS
§ Short-cycle provisioning
Enterprise requires complexity
§ Existing hardware, hypervisors, platforms
§ Platforms and apps that cannot be virtualised
§ Multiple data centres, remote branches
§ Remote workers
§ Operational & maintenance costs
§ Pressure from business to perform
§ Hidden IT – AWS workloads
§ Reporting, compliance
§ Limited highly skilled staff
Enterprise networking needs
Scalability: scalable up and out, resilient and federated
Abstraction: abstraction of the network topologies and complexities, offers service velocity
Flexibility: integration with third-party physical networking infrastructure
Extensibility: services need to be extended across data centers, public or private
Enterprise Consumption
OpenStack delivers to Enterprise
§ Enable faster turn-up for business
§ Enable efficiency, minimise cost
§ DevOps, DevOps, DevOps
§ Open ecosystem of vendors & software
§ Freedom of choice
§ Strong(er) enterprise vendor support
Policy Approach to Networking
[Diagram: Application Network Policy Templates, built from Users, Application Types and Business Rules, feed Policy Evaluation; the resulting firewall policies are applied around each application instance]
Design once, re-use multiple times
Networks need Flexibility
§ DHCP, DNS
§ IPAM
§ Load balancing
§ Firewalls
§ Traffic flows: edge, North-South, East-West
§ Authentication: users & elements
§ Security, reporting, compliance
Enterprises deploy services across datacenters
Network Services
• Layer 2 extension? • True L2/L3 DR? • Dynamic service provisioning?
Enterprise Environment: physical/virtual servers, global distribution, multi-cloud platform
[Diagram of the demo environment across four sites (SJC, TOR, WDC, HKG): Nuage VSD and VSC; T1: Red Hat OSP (controller, compute 1-3); T2: Canonical OpenStack (MaaS setup; controller, compute 1-2); third-party services: F5, Palo Alto Networks, Infoblox, Avi Networks]
Themes addressed from a technical perspective (Enterprise Needs -> Examples)
Abstraction -> Networks in Dev/Test/Prod
Scalability -> # endpoints / # subnets / # ...
Flexibility -> XaaS connectivity
Extensibility -> Stretched / hybrid cloud
Abstraction and Velocity across Dev/Test/Prod
Dev environment networking needs:
§ Exportable policy for each app
§ Lots of (distributed) routing instances
§ Potential overlap of IP space
Test environment networking needs:
§ Re-usable policy from Dev
§ Very large distributed routing instance
§ Unique IP space
Prod environment networking needs:
§ Re-usable policy from Test
§ Very large distributed routing instance
§ Unique IP space
[Diagram: Dev, Test and Prod networks, each attached to Internet/Intranet and Management]
Desire to re-use policy, but the network structure is different between Dev <-> Test/Prod:
1. Modify cookbooks between environments
2. Use an external system for defining topology and enforcing policies
→ Nuage Networks allows external definition and mapping into the tenant structure
Example for Test environment:
§ Distributed router can span multiple tenants
§ Tenants only see their own subnets
§ Security groups to limit E-W traffic flows
1 logical router; 1 project maps to >=1 tenant
Abstraction and Velocity across Dev/Test/Prod: CM tools
[Diagram: CM-Tools flow DEV -> Test -> PROD: define policies per application; apply, merge, fine-tune & get approval; commit final. Design once, re-use]
Abstraction and Velocity across Dev/Test/Prod: layered policy lists (Design Once, Re-Use)
Infrastructure Policies (owner: Net Admin)
Top PolicyList:
  Rule 1: Port SSH allow
  Rule 2: Port Telnet drop
  Rule 3: Port HTTP drop
Application Policies
B2CSitePolicyList (Priority: 5, Owner: B2BSite-Admin):
  Rule 2: Port 8080 allow to App
  Rule 6: Port SQL allow Internal
  Rule 11: Port 443 drop
StockApp PolicyList (Priority: 10, Owner: StockNW):
  Rule 7: Port 70 allow
  Rule 888: Port 80 allow
Infrastructure Policies (owner: Net Admin)
Bottom PolicyList:
  Rule 1: All drop
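The slide shows the idea but not the evaluation. The following Python is an added illustration (not from the slides and not Nuage software) of how such layered lists can be evaluated and re-used across environments: the infrastructure-owned Top list is checked first, the site/application lists follow in ascending priority number, the infrastructure-owned Bottom list is the catch-all, and the first matching rule wins. Rules refer to logical groups ("App", "Internal") that each environment binds to its own address space, which is what lets Dev (overlapping IP space) and Prod (unique IP space) share the same policy lists. The ordering convention, the group model, the port number used for "SQL" and all addresses are assumptions made for the example.

```python
"""Layered policy-list evaluation modelled on the Top / site / application /
Bottom lists in the slide.  Added illustration, not Nuage software; the
ordering and match semantics below are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                  # "allow" or "drop"
    port: Optional[int] = None   # None matches any destination port
    src_group: str = "any"       # logical group, resolved per environment
    dst_group: str = "any"


@dataclass
class PolicyList:
    name: str
    owner: str
    rules: List[Rule]
    priority: int = 0            # orders the site/application lists


@dataclass
class Environment:
    """Binds logical groups to address space.  Only this binding differs
    between Dev and Prod; the policy lists are reused unchanged."""
    name: str
    groups: Dict[str, List[str]]

    def member(self, group: str, ip: str) -> bool:
        if group == "any":
            return True
        addr = ip_address(ip)
        return any(addr in ip_network(c) for c in self.groups.get(group, []))


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int


def evaluation_order(top: PolicyList, middle: List[PolicyList],
                     bottom: PolicyList) -> List[PolicyList]:
    # Assumed convention: infrastructure Top list first, tenant lists by
    # ascending priority number, infrastructure Bottom list last.
    return [top, *sorted(middle, key=lambda p: p.priority), bottom]


def evaluate(flow: Flow, env: Environment, top: PolicyList,
             middle: List[PolicyList], bottom: PolicyList) -> Tuple[str, int, str]:
    """First matching rule wins; returns (list name, rule number, action)."""
    for plist in evaluation_order(top, middle, bottom):
        for rule in plist.rules:
            if rule.port is not None and rule.port != flow.port:
                continue
            if not (env.member(rule.src_group, flow.src)
                    and env.member(rule.dst_group, flow.dst)):
                continue
            return plist.name, rule.number, rule.action
    raise RuntimeError("Bottom list must end with a catch-all rule")


def demo_policies() -> Tuple[PolicyList, List[PolicyList], PolicyList]:
    # Rules transcribed from the slide; the port for "SQL" (3306) is assumed.
    top = PolicyList("Top", "Net Admin", [
        Rule(1, "allow", 22),            # SSH allow
        Rule(2, "drop", 23),             # Telnet drop
        Rule(3, "drop", 80),             # HTTP drop
    ])
    b2c = PolicyList("B2CSite", "B2BSite-Admin", priority=5, rules=[
        Rule(2, "allow", 8080, dst_group="App"),
        Rule(6, "allow", 3306, src_group="Internal"),   # SQL, internal only
        Rule(11, "drop", 443),
    ])
    stock = PolicyList("StockApp", "StockNW", priority=10, rules=[
        Rule(7, "allow", 70),
        Rule(888, "allow", 80),          # never reached: Top rule 3 drops HTTP
    ])
    bottom = PolicyList("Bottom", "Net Admin", [Rule(1, "drop")])  # All drop
    return top, [stock, b2c], bottom


# Constructed address plans: Dev uses overlapping RFC1918 space, Prod unique space.
DEV = Environment("Dev", {"App": ["10.0.1.0/24"], "Internal": ["10.0.0.0/8"]})
PROD = Environment("Prod", {"App": ["172.16.10.0/24"], "Internal": ["172.16.0.0/12"]})


def decide(env: Environment, src: str, dst: str, port: int) -> Tuple[str, int, str]:
    top, middle, bottom = demo_policies()
    return evaluate(Flow(src, dst, port), env, top, middle, bottom)


if __name__ == "__main__":
    for env, src, dst in ((DEV, "10.0.5.9", "10.0.1.20"),
                          (PROD, "172.16.4.3", "172.16.10.7")):
        for port in (8080, 80, 3306, 70, 443):
            print(env.name, f"{src}->{dst}:{port}", decide(env, src, dst, port))
    # An external source to SQL matches nothing above and hits the Bottom catch-all.
    print(decide(PROD, "203.0.113.5", "172.16.10.7", 3306))
```

Two properties the slide implies fall out directly: the StockApp owner's "Port 80 allow" never takes effect because the Net Admin's Top list drops HTTP first, and the same application lists produce the same decisions in Dev and Prod even though the address plans differ, because only the group bindings change.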
Abstraction and Velocity across Dev/Test/Prod: CM tools
[Diagram: CM-Tools flow DEV -> Test -> PROD with rollback: backout / roll-back, re-test, roll-back to N-1. Design once, re-use]
Scaling network primitives
§ Large difference between Dev <-> Test/Prod
§ Scaling impact:
§ Virtual routers – highest for Dev → ~1500
§ Subnets – highest for Test/Prod → 400+ per router
§ Security/policy groups – highest for Test/Prod → 2000+
Scaling network primitives: scaling test in AWS
[Diagram: Nuage VSD and VSC, with servers running as VMs in an AWS VPC]
§ 80 subnets / 40 routers
§ 20K instances (500/server); instances are Docker containers
§ 140K ACLs (7 ACLs per VM)
§ Configuration: VSD running as C3.4xlarge (16-core); VSC running as C3.2xlarge (8-core); VRS running as M3.xlarge
§ Time to create: 8 minutes* (*when AWS VPC behaves)
Flexibility to connect XaaS
Default = Centralized – Virtualized – Single-Tenant
[Diagram: Neutron-Server with core plugin and service plugins (FWaaS, LBaaS, VPNaaS); VMs on compute nodes; the LB, FW and VPN instances for Logical Tenant Network 1 and Logical Tenant Network 2 all run on a central network node]
Centralized – Non-Virtualized – Multi-Tenant
§ Typically for legacy non-virtualized appliances
§ Connectivity: interface to gateway; per-tenant service provided through provider networks (VLAN)
§ Examples: LBaaS: F5; FWaaS: Palo Alto
[Diagram: Neutron-Server with nuage core plugin and service plugins (FWaaS, LBaaS, VPNaaS); the VRS on the compute node carries Logical Tenant Networks 1 and 2 to a nuage-gateway; the physical FW/LB serves each tenant from its own context (Context 1, Context 2) over a VLAN provider network]
Distributed – Virtualized – Single-Tenant
§ Services as tenant VMs
§ Tenant VMs are distributed using the OpenStack placement algorithm
§ Management via XaaS plugin
§ Example: Avi LB
[Diagram: Neutron-Server with nuage core plugin and service plugins (FWaaS, LBaaS, VPNaaS); LB1 and LB2 run as VMs on different compute nodes (each with a VRS) next to the tenant VMs, each inside its own logical tenant network]
Distributed – Agent – Multi-Tenant
§ Traffic gets locally redirected to an agent running in the hypervisor (VM, process, Docker)
§ Example agent tasks: proxy ARP / DHCP; metadata agent; storage proxy for Swift; L5-L7 (e.g. IDS/DPI)
[Diagram: Neutron-Server with nuage core plugin and service plugins (FWaaS, LBaaS, VPNaaS); each compute node runs a VRS and one agent serving both Tenant Network 1 and Tenant Network 2]
Extending clouds to other sites
[Diagram: three OpenStack sites (Site 1 - private, Site 2 - private, Site x - public), each with its own Keystone, Nova and Neutron, its own users and its own network; release: Kilo]
Identity Federation
Can I federate the network?
= Can I have a single subnet across sites?
= Can I attach a new subnet to a router defined in another site?
= Can my VM communicate with a VM at a different site?
= Can my security policies encompass VMs from different sites?
Extending clouds to other sites
[Diagram: the same three sites with Identity Federation: one set of users across the Keystones, networks still defined per site (Kilo)]
[Diagram: the same three sites with Identity Federation plus Network Federation with Nuage: the nuage plugin at each site shares one centralized network definition and policy (Kilo)]
Network Federation with Nuage: centralized definition, sharing policy
Federated Policy: policy requested from the "Home VSD" for the router
✓ Stretched subnets
✓ New subnet attached to router of other site
✓ VMs can communicate across sites
✓ Security policies across sites
Conclusions (Enterprise Needs -> Delivered through)
Abstraction -> Network Policies
Scalability -> Distributed Control Plane
Flexibility -> Any XaaS Topology
Extensibility -> Network Federation