
VMworld 2013: vCloud Hybrid Service Jump Start Part Two of Five: vCloud Hybrid Service: Networking and Security Basics


Description: VMworld 2013. Ninad Desai, VMware; Greg Herzog, VMware. Learn more about VMworld and register at http://www.vmworld.com/index.jspa?src=socmed-vmworld-slideshare


Page 1: VMworld 2013: vCloud Hybrid Service Jump Start Part Two of Five: vCloud Hybrid Service: Networking and Security Basics

vCloud Hybrid Service Jump Start Part Two of Five:

vCloud Hybrid Service:

Networking and Security Basics

Ninad Desai, VMware

Greg Herzog, VMware

PHC5409

#PHC5409

Page 2

What’s in it for You?

You will leave with:

An understanding of the vCloud Hybrid Service networking building blocks

A strong networking foundation for building a Hybrid Cloud

The Security concepts you need to be successful

Page 3

Agenda

vCloud Hybrid Service Introduction

• Basic Stack and Constructs

Networking

• Key Components

• Network Virtualization

• Edge Gateway

• Services Overview

• Default Setup

Security

• Infrastructure Security

• Network Security

• User Access Security

Page 4

Why is Networking with the vCloud Hybrid Service so Easy?

Key Takeaways

• Same stuff you know – vSphere, VXLAN, vCNS, vCloud Director

• Seamless integration – vCloud Connector

• No changes to apps

• No having to figure out weird networking models

• Security you know and understand – Role Based Access Control

Page 5

vCloud Hybrid Service: Any Mixture of Two Flavors

Dedicated Cloud
  Your own private cloud instance
  Physically isolated
  Minimum size: 120GB vRAM, 30GHz vCPU
  Starts at: 6 TB
  50 Mbps allocated, 1 Gbps burstable, 3 Public IPs

Virtual Private Cloud
  Logically isolated
  Guaranteed resource allocation
  Minimum size: 20GB vRAM, 5GHz vCPU (burst to 10GHz)
  Starts at: 2 TB
  10 Mbps allocated, 50 Mbps burstable, 2 Public IPs

Page 6

Dedicated vCloud Stack per Dedicated Cloud

Fully Integrated vCloud Stack:
  vCloud Management and Automation
  vCloud Hybrid Service Management Console
  vCloud Infrastructure
  vCloud Networking and Security
  vCloud Director with vCloud Connector
  vSphere / vCenter

Customer A Dedicated Cloud: physically isolated servers, storage pool, VPN and network pool

Page 7

Hybrid Service Basic Networking Constructs

Diagram: Organization Network (isolated) and Organization Network (Customer Controlled)

Page 8

Network Virtualization in vCloud Hybrid Service

Diagram: vCloud Hybrid Service Networking & Security on top of vSphere, with VDC 1 and VDC 2 connected over VXLAN and managed from the Integrated Management Console.

Edge Gateway
Secures the edge of the virtual datacenter and delivers network services:
  Firewall
  NAT
  Load Balancer
  Site-to-Site IPSec VPN
  Active/Standby High Availability
  Stateful Session Failover

VXLAN
Foundation for elastic portable virtual datacenters. Encapsulation allows:
  Isolation between Organization Networks
  Bring-your-own private IPv4 layer 3 address space
10GbE network interconnect with 20G link aggregation

vCloud Hybrid Service Networking
• Nine routable IP spaces
• Intuitive design replicates traditional networks
• Customizable to support production applications

Page 9

vCloud Hybrid Service Advanced Networking

Diagram: an Edge Gateway connecting several Organization Networks (DMZ, App, Test/Dev, Isolated, Org Net 1) that host Web Servers, App Servers, DB Servers, Log Servers and an RSA appliance, with VMs attached to each network.

Edge Gateway
  10 Total Interfaces
  9 For Customer Use
  Static Routes between Zones

3rd Party Appliance
  Customer Supplied
  F5, RSA, Cisco, Riverbed

Page 10

Available Services

IP Address

DHCP

Firewall

NAT

Load Balancer

VPN

Page 11

IP Address Assignment

IP Pool
• Pool of IPs created by default on auto-generated isolated and routed networks
• VMs attached to those networks get IP addresses from that default pool

Static IP
• Fixed IP for a VM
• Change configuration in vCloud Director

DHCP
• Part of edge gateway service
• Change configuration in vCloud Director
• Basic DHCP service

Page 12

DHCP Service on vCloud Hybrid Service Edge Gateway

Assign an IP range on a desired network

Page 13

Firewall Rules

Where do they live? What do they do?

Diagram: Routed Network 1, Routed Network 2 and Routed Network 3 behind the Gateway.

Firewall Rules:
- By default: Deny all
- Policies for traffic that passes through the gateway

5-tuple F/W policies (Protocol, Source/Dest. IP, Source/Dest. Port)
Can have multiple policies across multiple networks
Ideal for enterprise-grade application deployment

Page 14

Firewall Rules in vCloud Hybrid Service Portal

Page 15

Network Address Translation (NAT)

Source NAT & Destination NAT rules
• Supports multiple rules on multiple interfaces

Can use internal/private IP space
• Bring your own internal IP space
• Create/Manage subnets within IP space
• Multiple IP spaces under the same gateway

NAT rules:
- SNAT & DNAT rules
- Options include protocol/port selection

Diagram: IPv4 NAT on the Gateway between its Public IPs and the Internal IPs (10.x.x.x, 172.16.x.x, 192.168.x.x) of Organization Net 1, Organization Net 2 and Organization Net 3.

Need to create F/W rules to allow traffic
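The firewall slide (page 13) and this NAT slide describe one packet path on the gateway: a NAT rule rewrites the public address to an internal one, and the 5-tuple firewall, default deny, decides whether the traffic passes. The Python model below is an added illustration, not vCloud Hybrid Service or vCNS code; it shows why a DNAT rule alone admits nothing until a matching F/W rule exists. All addresses, ports and rule values are constructed for the example (203.0.113.10 is a documentation-range public address), and evaluating DNAT before the firewall is an assumption of this model, not something the slides state.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Added illustration of an edge gateway's NAT + 5-tuple firewall path.
# Not VMware code; every rule value below is constructed for the example.
# Model assumption: inbound traffic is DNAT-translated first, then the
# firewall evaluates the translated 5-tuple; no matching rule means deny.


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp", "udp", "icmp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class FirewallRule:
    """One 5-tuple policy; "any" is a wildcard for a field."""
    proto: str
    src: str        # CIDR or "any"
    src_port: str   # port number as text, or "any"
    dst: str
    dst_port: str
    action: str     # "allow" or "deny"

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("any", p.proto)
                and _ip_match(self.src, p.src_ip)
                and _port_match(self.src_port, p.src_port)
                and _ip_match(self.dst, p.dst_ip)
                and _port_match(self.dst_port, p.dst_port))


def _ip_match(spec: str, ip: str) -> bool:
    return spec == "any" or ip_address(ip) in ip_network(spec, strict=False)


def _port_match(spec: str, port: int) -> bool:
    return spec == "any" or int(spec) == port


@dataclass(frozen=True)
class DnatRule:
    """Destination NAT: gateway public IP/port -> internal IP/port."""
    proto: str
    public_ip: str
    public_port: int
    internal_ip: str
    internal_port: int


@dataclass(frozen=True)
class SnatRule:
    """Source NAT: internal subnet -> gateway public IP for outbound traffic."""
    internal_net: str
    public_ip: str


def apply_dnat(p: Packet, rules: List[DnatRule]) -> Packet:
    for r in rules:
        if r.proto == p.proto and r.public_ip == p.dst_ip and r.public_port == p.dst_port:
            return Packet(p.proto, p.src_ip, p.src_port, r.internal_ip, r.internal_port)
    return p  # no rule: the destination stays the gateway's own address


def apply_snat(p: Packet, rules: List[SnatRule]) -> Packet:
    for r in rules:
        if ip_address(p.src_ip) in ip_network(r.internal_net):
            return Packet(p.proto, r.public_ip, p.src_port, p.dst_ip, p.dst_port)
    return p


def firewall_decision(p: Packet, rules: List[FirewallRule]) -> Tuple[str, Optional[int]]:
    """First matching rule wins; an empty or non-matching rule set denies."""
    for index, rule in enumerate(rules):
        if rule.matches(p):
            return rule.action, index
    return "deny", None


def gateway_inbound(p: Packet, dnat: List[DnatRule],
                    fw: List[FirewallRule]) -> Tuple[Packet, str, Optional[int]]:
    """Inbound path: translate, then filter on the translated tuple."""
    translated = apply_dnat(p, dnat)
    action, index = firewall_decision(translated, fw)
    return translated, action, index


# Constructed sample configuration: publish an internal web server on 443.
DNAT_RULES = [DnatRule("tcp", "203.0.113.10", 443, "192.168.109.20", 443)]
SNAT_RULES = [SnatRule("192.168.109.0/24", "203.0.113.10")]
FW_RULES = [
    FirewallRule("tcp", "any", "any", "192.168.109.0/24", "443", "allow"),
    FirewallRule("any", "192.168.109.0/24", "any", "any", "any", "allow"),  # outbound
]

if __name__ == "__main__":
    web = Packet("tcp", "198.51.100.7", 50000, "203.0.113.10", 443)
    ssh = Packet("tcp", "198.51.100.7", 50001, "203.0.113.10", 22)
    print(gateway_inbound(web, DNAT_RULES, FW_RULES))  # translated, allowed by rule 0
    print(gateway_inbound(ssh, DNAT_RULES, FW_RULES))  # no DNAT match, default deny
    print(gateway_inbound(web, DNAT_RULES, []))        # DNAT but no F/W rule: deny
```

The third call is the point the slide makes: the DNAT rule rewrites the destination correctly, yet with no firewall rule the default-deny policy drops the connection, so every published service needs both a NAT rule and an explicit allow.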

Page 16

Edge Gateway Services – Load Balancing

Pool Servers
Load Balanced:
- Round Robin
- IP Hash
- URI
- Least Connected

Virtual Server:
- Virtual IP (Public IP)
- Front end traffic
- Assigned to a server pool

Can have multiple virtual servers and pools

Diagram: Edge gateway with Load balancer in front of the pool servers.
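The pool algorithms and the virtual-server construct on this slide, as an added Python model (not VMware's load balancer code): a virtual server keyed by VIP, port and protocol hands each new front-end connection to its pool, and the pool picks a member by round robin, source-IP hash, URI hash or least connections. Member addresses, the VIP 203.0.113.10 and the use of SHA-256 as the hash function are constructed for the example.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Added illustration of the edge gateway load-balancer constructs on the slide.
# Not VMware code; member addresses, the hash function and the demo
# configuration are constructed for the example.


@dataclass
class Member:
    ip: str
    port: int
    active_conns: int = 0   # consulted by least_connected


@dataclass
class Pool:
    name: str
    algorithm: str          # round_robin | ip_hash | uri | least_connected
    members: List[Member]
    _next: int = 0          # round-robin cursor

    def pick(self, client_ip: str, uri: str) -> Member:
        if self.algorithm == "round_robin":
            member = self.members[self._next % len(self.members)]
            self._next += 1
        elif self.algorithm == "ip_hash":
            # same client address -> same member (source-IP persistence)
            member = self.members[_stable_hash(client_ip) % len(self.members)]
        elif self.algorithm == "uri":
            # same request path -> same member (useful for per-path caches)
            member = self.members[_stable_hash(uri) % len(self.members)]
        elif self.algorithm == "least_connected":
            member = min(self.members, key=lambda m: m.active_conns)
        else:
            raise ValueError(f"unknown algorithm {self.algorithm!r}")
        member.active_conns += 1
        return member


def _stable_hash(value: str) -> int:
    # SHA-256 rather than hash(): Python's hash() is salted per process, so it
    # would not map a client to the same member after a restart.
    return int.from_bytes(hashlib.sha256(value.encode()).digest()[:8], "big")


@dataclass
class VirtualServer:
    vip: str                # public IP on the gateway
    port: int
    protocol: str
    pool: Pool


class LoadBalancer:
    def __init__(self) -> None:
        self._vs: Dict[Tuple[str, int, str], VirtualServer] = {}

    def add_virtual_server(self, vs: VirtualServer) -> None:
        self._vs[(vs.vip, vs.port, vs.protocol)] = vs

    def dispatch(self, protocol: str, dst_ip: str, dst_port: int,
                 client_ip: str, uri: str = "/") -> Optional[Member]:
        """Pool member for a new front-end connection, or None when no
        virtual server listens on that VIP/port/protocol."""
        vs = self._vs.get((dst_ip, dst_port, protocol))
        if vs is None:
            return None
        return vs.pool.pick(client_ip, uri)


def build_demo() -> LoadBalancer:
    """Constructed configuration: two pools behind two virtual servers sharing one VIP."""
    web = Pool("web", "round_robin", [Member("192.168.109.11", 80),
                                      Member("192.168.109.12", 80),
                                      Member("192.168.109.13", 80)])
    api = Pool("api", "least_connected", [Member("192.168.109.21", 8443, active_conns=5),
                                          Member("192.168.109.22", 8443, active_conns=1)])
    lb = LoadBalancer()
    lb.add_virtual_server(VirtualServer("203.0.113.10", 80, "tcp", web))
    lb.add_virtual_server(VirtualServer("203.0.113.10", 443, "tcp", api))
    return lb


if __name__ == "__main__":
    lb = build_demo()
    for _ in range(4):
        print("web ->", lb.dispatch("tcp", "203.0.113.10", 80, "198.51.100.7").ip)
    print("api ->", lb.dispatch("tcp", "203.0.113.10", 443, "198.51.100.7").ip)
    print("no VIP on 8080 ->", lb.dispatch("tcp", "203.0.113.10", 8080, "198.51.100.7"))
```

A connection to a port with no virtual server returns None rather than a member: the load balancer only answers on configured VIP/port pairs, and anything else is left to the firewall's default deny.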

Page 17

Load Balancer – Pool Server

Page 18

Load Balancer – Virtual Server

Page 19

IPSEC VPN Overview

vCNS 5.1 Edge/vCloud Hybrid Service features include IPSEC VPN

• Definition: Internet Protocol Security (IPsec) is a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session
• Create a secured tunnel using the IPSEC VPN service from one physical/virtual datacenter to another

IPSEC is a framework of open standards

“Protect the series of internet tubes with VPN!”

Page 20

VPN Architecture Diagram

vSphere (On-Premise)
  Sharepoint-Routed Network (10.0.10.0/24) with Virtual Machine 1 and Virtual Machine 2
  vSphere Edge Gateway (addresses shown: 10.0.1.150, 10.0.10.1)
    LEP – 10.0.1.150
    Peer ID – 69.194.137.230
    Peer IP – 69.194.137.230
  External Router (addresses shown: 10.0.1.1, 68.108.102.47)

vCloud Hybrid Service
  vCHS Edge Gateway (addresses shown: 69.194.137.230, 192.168.109.1)
    LEP – 69.194.137.230
    Peer ID – 10.0.1.150
    Peer IP – 68.108.102.47
  Sharepoint-Default Routed Network (192.168.109.0/24)

Traffic types shown: VPN Traffic, Internet Traffic

IPsec protocols and ports:
  IP Protocol ID 50 (ESP)
  IP Protocol ID 51 (AH)
  UDP Port 500 (IKE)
  UDP Port 4500
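The diagram above, turned into an added Python check (not VMware code): the two endpoints are recorded as the slide labels them (LEP, Peer ID, Peer IP, protected subnets), a classifier decides whether a packet between the sites is VPN traffic or plain Internet traffic, and a consistency check confirms that each side's Peer ID is the other side's LEP. The vCHS side's Peer IP (68.108.102.47) is the on-premise external router's address rather than the vSphere Edge LEP, because that gateway sits behind the router, so the check compares identities, not addresses. Subnets and endpoint addresses come from the slide; the classifier, the check and the helper that lists the slide's protocol and port openings are this example's own.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple

# Added illustration built from the VPN architecture diagram on the slide.
# Not VMware code.  Addresses and subnets are the ones the diagram shows;
# the selection and consistency logic is this example's own.


@dataclass(frozen=True)
class TunnelEndpoint:
    """One side of the site-to-site IPsec tunnel, using the slide's labels."""
    name: str
    lep: str                        # Local Endpoint: address IPsec terminates on
    peer_id: str                    # identity expected from the remote gateway
    peer_ip: str                    # address IKE/ESP is sent to
    local_subnets: Tuple[str, ...]  # networks protected on this side
    peer_subnets: Tuple[str, ...]   # networks reachable through the tunnel


# Protocol and port openings the slide lists for the tunnel itself.
IPSEC_TRAFFIC = (("ip-proto", 50, "ESP"), ("ip-proto", 51, "AH"),
                 ("udp", 500, "IKE"), ("udp", 4500, "UDP 4500"))


def classify(src_ip: str, dst_ip: str, side: TunnelEndpoint) -> str:
    """'vpn' when the packet goes from a protected local subnet to a subnet on
    the far side of the tunnel; otherwise 'internet' (default route, unencrypted)."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    local = any(src in ip_network(n) for n in side.local_subnets)
    remote = any(dst in ip_network(n) for n in side.peer_subnets)
    return "vpn" if local and remote else "internet"


def peer_mismatches(a: TunnelEndpoint, b: TunnelEndpoint) -> List[str]:
    """Each side must expect the other side's LEP as its Peer ID and must list
    the other side's local subnets as its peer subnets.  Peer IP is deliberately
    not compared with the LEP: on the slide the on-premise gateway sits behind
    an external router, so the vCHS side points at the router's address."""
    problems = []
    if a.peer_id != b.lep:
        problems.append(f"{a.name}: Peer ID {a.peer_id} != {b.name} LEP {b.lep}")
    if b.peer_id != a.lep:
        problems.append(f"{b.name}: Peer ID {b.peer_id} != {a.name} LEP {a.lep}")
    if set(a.peer_subnets) != set(b.local_subnets):
        problems.append(f"{a.name}: peer subnets {a.peer_subnets} != {b.name} local {b.local_subnets}")
    if set(b.peer_subnets) != set(a.local_subnets):
        problems.append(f"{b.name}: peer subnets {b.peer_subnets} != {a.name} local {a.local_subnets}")
    return problems


def required_openings(side: TunnelEndpoint) -> List[Tuple[str, int, str, str]]:
    """(protocol, port-or-protocol-number, from, to) entries any firewall in the
    path must permit between this gateway and its peer address."""
    return [(proto, num, side.lep, side.peer_ip) for proto, num, _label in IPSEC_TRAFFIC]


# The two endpoints exactly as the diagram labels them.
VCHS = TunnelEndpoint("vCHS Edge Gateway", lep="69.194.137.230",
                      peer_id="10.0.1.150", peer_ip="68.108.102.47",
                      local_subnets=("192.168.109.0/24",), peer_subnets=("10.0.10.0/24",))
ONPREM = TunnelEndpoint("vSphere Edge Gateway", lep="10.0.1.150",
                        peer_id="69.194.137.230", peer_ip="69.194.137.230",
                        local_subnets=("10.0.10.0/24",), peer_subnets=("192.168.109.0/24",))

if __name__ == "__main__":
    print(classify("10.0.10.25", "192.168.109.40", ONPREM))   # vpn
    print(classify("10.0.10.25", "198.51.100.5", ONPREM))     # internet
    print(peer_mismatches(VCHS, ONPREM))                       # []
    for opening in required_openings(VCHS):
        print(opening)
```

Running the check against a deliberately mistyped Peer ID reports the offending side by name, which is the usual cause of a tunnel that never completes IKE even though ESP and UDP 500/4500 are open.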

Page 21

Hybrid Service is Just Another Site – Networking & Security

Diagram: Your Data Center (Primary, Regional Offices) connected to vCloud Hybrid Service US East Region and US West Region.

The Same Networking Topology
  Full network virtualization at layer 2 and layer 3
  Layer 2 Extensions

The Same Security Policies
  Integrated L4-7 services for Firewall/NAT, IPSec VPN, Load Balancers, VXLAN gateways

Page 22

Default Setup

Dedicated Cloud – 3 IPs
• Edge Gateway – Can add additional
• 2 Default Networks
  • Default Isolated
    • DHCP Enabled - Only Service Available
  • Default Routed
    • DHCP Disabled
    • Firewall Enabled
    • VPN, NAT & Load Balancer
    • Assigned public IP address

Virtual Private Cloud – 2 IPs
• Edge Gateway – 1 Max
• 2 Networks – Same Setup

Page 23

Security

Infrastructure

Network Security

User Access Security

Page 24

Infrastructure Security

Shared Cloud
• Logically separated network, compute and storage
• No vDC segmentation
• One edge gateway
• Ideal for shared access within a single org

Dedicated Cloud
• Physically separated hosts
• Logically separated network and storage
• Regulated Apps: require segmentation and no multi-tenancy
• Segment vDCs based on orgs (diagram: VDC1, VDC2, VDC3, VDC4)

Page 25

Network Security & Access

Secure networks
• Isolated networks
  • Ideal for internal apps/VMs
  • Log servers, tracking servers, DB servers
• Routed networks
  • For VMs that need external access
  • VMs that need Gateway services (F/W, NAT, LB)

Secure access
• IPSec VPN
  • Secure site-to-site VPN
  • Data Center Extension
• SSLVPN
• Private line connectivity
  • Dedicated/private connection
  • Ideal for regulated apps

Diagram: vCHS with isolated networks (internal access only) and routed networks behind the gateway services (VPN, F/W, NAT, LB, DHCP), reached over the Internet, a private connection, or secure VPN.

Page 26

vCloud Networking and Security – Components

Edge Gateway: F/W, IPAM, routing
VXLAN: Foundation for elastic portable virtual datacenters
Third party appliance: Virtual appliance of choice; bring your own appliance and policies
Threat mitigation: Third party AV, traffic analysis and threat mitigation appliances
IPSec: Data in transit encryption

Diagram: Edge Gateway (F/W) in front of isolated networks and gateway networks, with an AV appliance.

Page 27

User Level Rights and Security

Account Administrator
  Rights: Can add/edit users and user rights
  Cannot do: VDC resource management, network mgmt etc.
  Ideal for: Account management

Virtualization Infrastructure Administrator
  Rights: Create VDCs; add/edit compute and storage resources
  Cannot do: Cannot create users, manage networking
  Ideal for: VI admin, App admin

Network Administrator
  Rights: Create networks; add gateways; add gateway services
  Cannot do: User management, VDC resource management
  Ideal for: Network admin

Read-only Administrator
  Rights: Read only rights for all setups/configs
  Cannot do: Any adds/edits
  Ideal for: Supervisor

Subscription Administrator
  Rights: Access to myVmware; purchase resources, file support tickets
  Cannot do: No vCloud Hybrid Service management rights
  Ideal for: All personnel with purchasing rights and/or support needs

Page 28

User Rights – Configuration

Page 29

User Level Rights and Security Configuration

Page 30

Corporate SSO: Bring Your Own SAML IDP

Diagram: Company A (Dedicated Location 1 servers, Dedicated Location 2 servers, VPC Tier 1 Services, Remote office) using the vCHS Cloud.
  1. Customer Portal: Setup SAML/IDP
  2. VPC Access Request

Page 31

Summary

You will leave with:

An understanding of the vCloud Hybrid Service networking building blocks

A strong networking foundation for building a Hybrid Cloud

The Security concepts you need to be successful

Key Takeaways

• Same stuff you know – vSphere, VXLAN, vCNS, vCD

• Seamless integration – vCloud Connector

• Security you know and understand – RBAC

• Just another datacenter

Page 32

Call to Action/Resources

Keep up with the latest on vCloud Hybrid Service

• Facebook - https://www.facebook.com/vmwarevcloud

• Blog - http://blogs.vmware.com/vcloud/

• Twitter - @vcloud


Call to Action

Get more information about the service: http://vcloud.vmware.com

Hands on Labs

HOL HBD 1301 vCloud Hybrid Service – Jumpstart for vSphere Admins

HOL HBD 1302 vCloud Hybrid Service – Networking and Security

HOL HBD 1303 vCloud Hybrid Service – Manage Your Cloud

Breakout Sessions – PHCxxxx

vCloud Hybrid Service Jumpstart Series

PHC1001-Group Discussion- vCHS Networking with Greg Herzog


Page 33

Q & A

Page 34

THANK YOU
