Understanding Virtual Networking in the Cloud - RightScale Compute 2013

  • Published on 20-Aug-2015
Transcript

  1. April 25-26, San Francisco. Cloud success starts here.
     Understanding and Managing MultiCloud Networking
     Josep M. Blanquer, Chief Architect
  2. #RightscaleCompute
     In this talk
     • Introduction and Goals
     • Landscape
       • Public: AWS / GCE / Azure / Rackspace
       • Private: CloudStack / Eucalyptus / OpenStack
     • MultiCloud Resource Abstractions
       • Resource Hierarchy, Naming and Semantics
     • Managing these resources through the UI and API
     • Conclusion
  3. Intro
     Networking is messy
  4. Introduction
     • Networking is messy, even in the Cloud!
     • Different Cloud Providers pick different designs
       • Leads to different exposed API resources and different behavior
       • Also leads to different naming conventions and API semantics
     • Cloud software can also be heavily customized on installation
       • So even for the same cloud type, two clouds can behave quite differently
     • All of this changes very rapidly
       • New versions of APIs expose new resources
       • Some changes break semantic compatibility or become defaults
  5. Introduction (contd.)
     • So what does this mean for me? (you must be wondering)
     • Headaches, and possible hair loss
  6. Introduction (contd.)
     • But mess and variability is not bad, it is necessary. In fact, it is great!
       • Companies need choice and configuration flexibility
       • One size doesn't fit all
     • You must embrace it
       • Take advantage of the features and characteristics that make sense for you
       • But not at the cost of losing focus on your business
     • So instead of grooming an army of experts on cloud networking
       • Let others do that for you so you don't have to
       • Maintain control, without having to be bogged down with non-business details
  7. Introduction (contd.)
     Don't look at your cloud networking from this perspective
  8. Introduction (contd.)
     ...look at your cloud networking from this perspective
  9. Cloud Networking Landscape
     Different strokes for different folks
  10. Cloud Networking Landscape
     • Embracing the choices
       • Amazon EC2
       • Google Compute Engine
       • CloudStack
     • Not covered today: Azure, Rackspace, Eucalyptus, OpenStack
  11. Amazon EC2
     • Each region can have multiple VPCs
     • Each VPC defines a network isolation perimeter
     • Incoming/Outgoing communication must go through the GW
     (Diagram: Amazon EC2; VPCs xN; GW)
  12. Amazon EC2
     • Subnets further segment VPCs into IP CIDR groups
     • Instances can be connected to a Subnet through an ENI
     • A Subnet is scoped to a single Availability Zone
     (Diagram: Amazon EC2; VPCs xN; GW; Subnets 1-3, each with Elastic Network Interfaces)
  13. Amazon EC2
     • A VPC also scopes (and therefore contains):
       • Security Groups
       • Routing Tables
       • Network ACLs
     (Diagram: as above, plus Security Groups, Routing Tables and Network ACLs inside the VPC)
  14. Amazon EC2
     • Instances can be bound to multiple Subnets (of a matching AZ)
     • The Security Groups are bound to each attached ENI, and not to the Instance as a whole
     (Diagram: as above)
  15. Amazon EC2 (Classic)
     • There is a single (implicit) network for each region
     • Incoming/Outgoing traffic is fully NATted
     (Diagram: Amazon EC2; Single Network x1; NAT)
  16. Amazon EC2 (Classic)
     • There aren't any Subnets, Routing Tables or Network ACLs
     • Security Groups are scoped to the implicit single Network
     (Diagram: Amazon EC2; Single Network x1; NAT; Security Groups; Subnets, Routing Tables and Network ACLs absent)
  17. Amazon EC2 (Classic)
     • There aren't any subnets, routing tables or Network ACLs
     • Security Groups are scoped to the implicit single Network, and their rules apply to the Instance as a whole (only 1 implicit Interface)
     (Diagram: as above)
  18. Google Compute Engine
     • The GCE cloud is global: there aren't different regional endpoints
     • Networks within the cloud define a network isolation perimeter
     • Incoming/Outgoing communication must go through the GW
     (Diagram: Networks xN; GW)
  19. Google Compute Engine
     • A Network cannot be further segmented
     • A Network has Firewalls (some functionality is close to a SG)
     • Routing controls are currently not exposed
     (Diagram: Networks xN; GW; Firewalls (SG-like); Subnets and Routing Tables absent)
  20. Google Compute Engine
     • A Network can span multiple Zones
     • And Firewall rules can be applied to instances in a global way
     (Diagram: as above)
  21. CloudStack: Basic Mode
     • Flat Networking (modeled after EC2 Classic)
     • One (Shared) Network per Zone
     (Diagram: Network xN; NAT)
  22. CloudStack: Basic Mode
     • Supports SecurityGroups
     • But they belong to the Domain and apply to all uses of the shared network
     (Diagram: Network xN; NAT; Security Groups; Subnets, Routing Tables and Network ACLs absent)
  23. CloudStack: Basic Mode
     • Instances within a Network are scoped to a Zone
     • Each instance can have multiple SecurityGroups attached to it
     (Diagram: as above)
  24. CloudStack: Advanced Mode
     • A Cloud can have multiple Networks
     • Each Network is scoped to a Zone
     (Diagram: Networks xN; GW)
  25. CloudStack: Advanced Mode
     • There is no further segmentation based on Subnets
     • Supports Firewalls (and SGs if the network is shared)
     (Diagram: Networks xN; GW; Firewalls; Security Groups; Subnets and Routing Tables absent)
     * Except KVM
  26. CloudStack: Advanced Mode (VPC)
     • A Cloud can have multiple VPCs
     • A VPC is scoped to a Zone
     (Diagram: VPCs xN; GW)
  27. CloudStack: Advanced Mode (VPC)
     • A VPC is segmented by Tiers (still scoped to a Zone)
     • No explicit Network Interface support in the API
     (Diagram: VPCs xN; GW; Tiers 1-3, each with network interfaces)
  28. CloudStack: Advanced Mode (VPC)
     • Support for:
       • Static Routing
       • Firewalls
     (Diagram: as above, plus Firewalls, Security Groups and Routing Tables)
  29. CloudStack: Advanced Mode (VPC)
     • Note: a CloudStack cloud can mix all 3 networking modes: Basic, Advanced and VPC
     • The mode is set at the Zone level
     (Diagram: as above)
  30. Multicloud Resource Abstractions
     RightScale's Abstractions
  31. MultiCloud Resource Hierarchy
     (Diagram: a Cloud contains Networks, Instances, Subnets, NetworkInterfaces, IpAddressBindings, SecurityGroups, Network ACLs, Routing Tables, IpAddresses, Images, Volume Snapshots, Volumes and Datacenters)
  32. Multicloud Network Abstractions
     • A Cloud has multiple Networks
     • A Network defines an isolation perimeter (and has a CIDR block)
     • Incoming/Outgoing communication must go through GWs
     (Diagram: Networks xN; GW)
  33. Multicloud Network Abstractions
     • Subnets further segment Networks into IP CIDR sub-blocks
     • Instances can be connected to a Subnet through NetworkInterfaces
     • A Subnet is scoped to one (or zero) Datacenters
     (Diagram: Networks xN; GW; Subnets 1-3, each with NetworkInterfaces)
  34. Multicloud Network Abstractions
     • Networks contain:
       • SecurityGroups
       • Routing Tables
       • Network ACLs
     (Diagram: as above, plus Security Groups, Routing Tables and Network ACLs)
  35. Multicloud Network Abstractions
     • Instances are launched within a Datacenter (placement)
     • Instances are connected to multiple Subnets via Network Interfaces (connectivity)
       • Connectivity restrictions may apply based on the Cloud
     • SecurityGroups are bound to Network Interfaces (i.e., different rules per subnet)
     (Diagram: as above)
  36. Multicloud Network Abstractions
     (Diagram: as above)
  37. Multicloud Network Abstractions
     (Diagram: as above, plus Volumes, Images + Volume Snapshots, and Datacenters DC 1 and DC 2)
  38. Multicloud Network Abstractions
     (Diagram: as above, plus IP Addresses (assignable) and IpAddress Bindings: Instance + [IP] + [ports])
  39. Managing Multicloud Resources
     • Accessible both through our new UI and API
     • It presents a single interface for your cloud Network infrastructure
       • Aggregates resources across regions, providers and software versions
     • Network/Security operators design and analyze from a single pane of glass
     • Infrastructure operators can manage those abstractions in deployments
     • How will this look in the UI?...
  40. Managing Multicloud Resources: UI
  41. Managing Multicloud Resources: UI: Awesome Game US (East)
     (screenshot)
  42-45. Managing Multicloud Resources: UI: Awesome Game US (East)
     (further screenshots of the same UI)
  46. Managing Multicloud Resources: API
     • RESTful API: multicloud as of version 1.5
     • Creating a Network/Subnet
       • New resources, very simple attributes (Name, CIDR)

       POST /api/networks
       {
         "name": "Foobar App Network",
         "cidr_block": "10.1.2.0/24",
         "cloud_href": "/api/clouds/1234",
         "tenancy": "default"
       }

       HTTP Code: 201 Created
       Location: /api/networks/10

  47. Managing Multicloud Resources: API
     • Creating a Server
       • Can specify which Network it belongs to
       • Can set the list of subnets it needs to be attached to (or the default subnet)
       • Alternatively, can specify which already existing Network Interfaces to attach

       POST /api/servers
       {
         "name": "My Foobar Server",
         "network_href": "/api/networks/10",
         "subnet_hrefs": ["/api/subnets/11", "/api/subnets/12"],
         "security_group_href": ["/api/security_groups/6", "/api/security_groups/7"],
         "datacenter_href": "/api/datacenters/1",
         "cloud_settings": ..., "server_template": ..., "inputs": ...
       }

       HTTP Code: 201 Created
       Location: /api/servers/50

  48. Managing Multicloud Resources: API
     • The IpAddressBinding resource also manages ports:
       • Attaching an IP without port ranges maps all ports of the IP to the instance
       • An IpAddress can be restricted to a port range (for clouds that support it)

       POST /api/ip_address_bindings
       {
         "instance_href": "/api/instances/1",
         "public_ip_address_href": "/api/ip_addresses/2",
         "protocol": "tcp",
         "public_port": 80,
         "private_port": 8080
       }
       (public_port and private_port are optional)

       HTTP Code: 201 Created
       Location: /api/ip_address_bindings/9

  49. Managing Multicloud Resources: API
     • Available soon:
       • Networks
       • Subnets
       • SecurityGroups (bound to Networks and NetworkInterfaces)
       • IpAddresses / Bindings (with the port forwarding abstractions)
     • Routing tables and Network ACLs
       • API and UI are being designed
       • Implementation not started yet
       • But expect to be able to create/delete routes and rules soon
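The port-mapping rules of the IpAddressBinding request on slide 48, as an added example that is not part of the talk or of RightScale's code: a binding without ports claims every port of the public IP, a port-specific one maps a single public port to a private one for a protocol, and a new binding is refused when it overlaps one already present on the same IP. The conflict rule and the default of private_port equal to public_port are assumptions.

```python
from dataclasses import dataclass, asdict
from typing import Optional

@dataclass(frozen=True)
class IpAddressBinding:
    instance_href: str
    public_ip_address_href: str
    protocol: Optional[str] = None     # e.g. "tcp"; None when the whole IP is bound
    public_port: Optional[int] = None  # None: every port of the IP goes to the instance
    private_port: Optional[int] = None # None: assumed to default to public_port

def to_request(b: IpAddressBinding) -> dict:
    # Body for POST /api/ip_address_bindings as on slide 48; optional fields are left out.
    return {k: v for k, v in asdict(b).items() if v is not None}

def overlaps(a: IpAddressBinding, b: IpAddressBinding) -> bool:
    # Two bindings collide when they claim the same public IP and their port scopes meet.
    if a.public_ip_address_href != b.public_ip_address_href:
        return False
    if a.public_port is None or b.public_port is None:
        return True  # a whole-IP binding covers every port and protocol
    return a.protocol == b.protocol and a.public_port == b.public_port

def add_binding(existing: list, new: IpAddressBinding) -> list:
    # Refuse a binding that would silently take over traffic already mapped to another instance.
    for cur in existing:
        if overlaps(cur, new):
            raise ValueError(f"{new.public_ip_address_href} is already bound by {cur.instance_href}")
    return existing + [new]
```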
  50. Note on Synthetic Resources
     • What about resources that are required but non-existent in the cloud?
       • A server can be connected to subnets (and SecurityGroups through them)
     • We will create (wrap) these resources synthetically for you
       • So you can have consistency for clients using the API
     • Example: Subnets in Amazon EC2 Classic
  51. Synthetic Resources for EC2 Classic
     • EC2 Classic doesn't have subnets
     • But you still want to create your servers using the same abstractions
     (Diagram: Amazon EC2; Single Network x1; NAT; Security Groups; Subnets, Routing Tables and Network ACLs absent)
  52. Synthetic Resources for EC2 Classic
     • We will create a Synthetic Network to refer to the implicit classic EC2 Network
     • We will create one Synthetic Subnet for each available Datacenter
     • So you can specify the server configuration in a consistent manner
       • Regardless of EC2 Classic, Amazon VPC, or any other clouds
     (Diagram: Amazon EC2; Single Network x1; NAT; Security Groups; Synthetic Subnets 1-3, each with a Synthetic Interface)
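As an added illustration that is not RightScale's code, this Python model puts the resource hierarchy of slides 31-35 and the synthetic EC2 Classic resources of slides 50-52 into one place: a Subnet must be a CIDR sub-block of its Network and is pinned to at most one Datacenter, SecurityGroups are scoped to a Network, and EC2 Classic is wrapped as a synthetic Network with one synthetic Subnet per Datacenter, after which a slide-47-style launch request can be checked the same way for any cloud. The href formats, field names and the 0.0.0.0/0 placeholder CIDR are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional
import ipaddress

@dataclass
class Subnet:
    href: str
    network_href: str
    cidr: str
    datacenter_href: Optional[str]  # None: not pinned to one Datacenter (slide 33)

@dataclass
class Network:
    href: str
    cidr: str
    synthetic: bool = False  # wraps a cloud's implicit network (EC2 Classic, slide 52)
    security_group_hrefs: set = field(default_factory=set)  # SGs are scoped to a Network

@dataclass
class Cloud:
    href: str
    datacenter_hrefs: list
    networks: dict = field(default_factory=dict)
    subnets: dict = field(default_factory=dict)

def add_subnet(cloud: Cloud, subnet: Subnet) -> None:
    net = cloud.networks[subnet.network_href]
    if not ipaddress.ip_network(subnet.cidr).subnet_of(ipaddress.ip_network(net.cidr)):
        raise ValueError(f"{subnet.cidr} is not a CIDR sub-block of {net.cidr}")  # slide 33
    cloud.subnets[subnet.href] = subnet

def synthesize_classic(cloud: Cloud) -> Network:
    # EC2 Classic: one implicit network, no subnets (slides 51-52); 0.0.0.0/0 stands in for no CIDR.
    net = Network(f"{cloud.href}/networks/synthetic", "0.0.0.0/0", synthetic=True)
    cloud.networks[net.href] = net
    for i, dc in enumerate(cloud.datacenter_hrefs, 1):  # one synthetic Subnet per Datacenter
        add_subnet(cloud, Subnet(f"{cloud.href}/subnets/synthetic-{i}", net.href, "0.0.0.0/0", dc))
    return net

def validate_server(cloud, network_href, subnet_hrefs, security_group_hrefs, datacenter_href):
    # A launch request shaped like slide 47, checked against the scoping rules of slides 33-35.
    for href in subnet_hrefs:
        sub = cloud.subnets[href]
        if sub.network_href != network_href:
            raise ValueError(f"{href} is not a subnet of {network_href}")
        if sub.datacenter_href not in (None, datacenter_href):  # placement vs. connectivity
            raise ValueError(f"{href} is not reachable from {datacenter_href}")
    unscoped = set(security_group_hrefs) - cloud.networks[network_href].security_group_hrefs
    if unscoped:
        raise ValueError(f"security groups not scoped to {network_href}: {sorted(unscoped)}")
    return True
```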
  53. Summary
     • Cloud Networking is messy and it varies greatly
       • But choice and configurability is very important
     • RightScale abstractions allow you to operate and manage your Cloud networking from a single pane of glass
       • Using higher level, easier abstractions
       • While keeping the power to go down to the guts when needed
       • Available through both UI and API
       • Portable across clouds, cloud providers and cloud versions
     • Give it a try
       • Manage your Networking more consistently, and at a higher level
       • While still taking advantage of the cloud features that make sense for you
       • But not at the cost of losing focus on your business
       • You don't have to be a multicloud user to get the advantages
  54. April 25-26, San Francisco. Cloud success starts here.
     Questions?