Cisco Nexus 1000V InterCloud based Hybrid Cloud Architectures and Approaches

Size: px

Start display at page:

Download "Cisco Nexus 1000V InterCloud based Hybrid Cloud Architectures and Approaches"

Phebe Williams
5 years ago
Views:

2 Cisco Nexus 1000V InterCloud based Hybrid Cloud Architectures and Approaches Kapil Bakshi Solutions Architect

3 Session Details - Session Title: Cisco Nexus 1000V InterCloud-based Hybrid Cloud Architectures and Approaches Abstract: This is an introductory session, based on details of Cisco Nexus 1000V InterCloud and related L3-L7 Virtual Network Services technologies. The session provides an overview of the architecture, implementation and use cases for a secure hybrid cloud with enterprise workloads and network services. Customer and Partners are looking for approaches and technologies to securely extend their data center workloads to public clouds. That too, while maintaining their current operational consistency and paradigms in their current data centers. Service Providers are also looking ways to expand their cloud services and on board workloads. This session will review architecture for secure hybrid cloud where enterprises and SPs can extend their network and network virtual services in a secure fashion to public clouds. For more in-depth information about using Cloud automation to enable Nexus 1000v InterCloud enhanced functionality, see session BRKVIR For more in-depth information about Nexus 1000V InterCloud Use Cases, see session BRKVIR

4 Agenda for the session! 4

5 The Real Agenda! Introduction Hybrid Cloud & Virtual Networking Concepts Cisco N1KV InterCloud Architectural Details Cisco N1KV InterCloud Use Cases Introducing Cisco InterCloud Discussion/Q & A 5

cloud workloads Manageability and policy

6 Hybrid Cloud & Challenges Security: Workload security, Connection security Enterprise Data Center Public Cloud Connectivity between on-premises and cloud workloads Manageability and policy inconsistency Cloud Control, Visibility and Flexibility 6

Securely Extend Environment into Provider Cloud Enterprise Apps and Network Services on the

Provisioning Routing V M V M Program Unique APIs V M V M Convert Image Format L2 Services Onboard

Operations Enterprise Cloud Recreate Services Translate Policies Provider Cloud ENTERPRISE

7 Securely Extend Environment into Provider Cloud Enterprise Apps and Network Services on the Public Cloud Centralized Migration and Management Reconfigure Application Firewalls Use Cloud Provisioning Routing V M V M Program Unique APIs V M V M Convert Image Format L2 Services Onboard New Monitoring Insert Custom Tools Identify New Security Nexus 1000V InterCloud Validate Operations Enterprise Cloud Recreate Services Translate Policies Provider Cloud ENTERPRISE VISIBILITY & CONTROL ENTERPRISE CHOICE ENTERPRISE SECURITY PROVIDER RESOURCES PROVIDER EASE OF BUSINESS PROVIDER VALUE 7

Secure Hybrid Cloud Framework Multi-Hypervisor, Multi-Service, Multi-Cloud UCS Director Cisco IAC Openstack Cisco Prime Network Services Controller Private Cloud Enterprise Data Center Portal &

8 Secure Hybrid Cloud Framework Multi-Hypervisor, Multi-Service, Multi-Cloud UCS Director Cisco IAC Openstack Cisco Prime Network Services Controller Private Cloud Enterprise Data Center Portal & Orchestration Network Controller Public & SP Cloud Portal & Orchestration Cloud APIs Cisco ASA1kv VSG vnam vwaas Netscarler 1kv L4 L7 Network Services Workload s Workload s Virtual L4 L7 Network Services Cloud Services Router CSR1000V Cisco N1kv InterCloud L3 capabilities Service Chaining Virtual Layer 2 (Secure Extension) Virtual L3 capabilities Service Chaining vsphere, HyperV, K, Xen Hypervisor(s) Physical Compute, DC Network and Storage Hypervisor(s) Physical Compute, DC Network and Storage

9 Virtual Networking Concepts

10 Back Plane L2 Connectivity L3 Connectivity Nexus 1000v Architecture Physical, Virtual and InterCloud Network Admin Modular Switch Virtual Appliance VSM1 VSM2 Supervisor-1 Supervisor-2 Linecard-1 Linecard-2 Linecard-N VSM: Virtual Supervisor Module VEM: Virtual Ethernet Module Server Admin VEM-1 Hypervisor Hypervisor Hypervisor VEM-2 VEM-N 10

Virtual Services in Cloud Cisco Virtual Security Gateway (VSG) Secures inter- traffic within a tenant Cisco Cloud Services Router (CSR) 1000v Virtual L3 router for Cloud deployment Context aware

11 Virtual Services in Cloud Cisco Virtual Security Gateway (VSG) Secures inter- traffic within a tenant Cisco Cloud Services Router (CSR) 1000v Virtual L3 router for Cloud deployment Context aware Security context aware rules L3 Routing IOS-XE based Zone based Controls Establish zones of trust Infra Agnostic Hypervisor, L2 Dynamic, Agile Policies follow vmotion APIs REST APIs Support Scale and Intelligence Scale-out (with vpath service chaining) Use Case InterCloud and Standalone 11

12 Secure Hybrid Cloud Architecture

13 Nexus 1000V InterCloud Components Cisco Prime Network Services Controller for InterCloud Deployed as a Virtual Machine and provides a single pane of glass to manage enterprise and cloud data centers InterCloud VSM Nexus 1000V Virtual Supervisor Module provides the controlplane to manage port-profiles for s in the InterCloud infrastructure InterCloud Extender Virtual Machine in enterprise data center to provide secure connectivity to the InterCloud Switch in provider cloud. InterCloud Extender is registered as a module on the InterCloud VSM InterCloud Switch Virtual Machine in provider data center, has secure connectivity to the InterCloud Extender in enterprise cloud and secure connectivity to the Virtual Machines in the provider cloud. InterCloud Switch is registered as a module on the InterCloud VSM. Cloud Virtual Machines Virtual Machines in provider data center to run customer workloads, run a modified OS to include InterCloud Drivers 13

InterCloud Interfaces Cisco Prime Network Controller InterCloud Orchestration Register with Cloud Providers Interface with Management

14 Cisco Prime Network Services Controller for InterCloud Single point of Management for InterCloud ENTERPRISE CLOUD PROVIDER CLOUD DB Cisco Prime Network Services Controller ware vcenter APP N1KV InterCloud VPC Provider APIs Web Cisco Prime Network Controller InterCloud Interfaces Cisco Prime Network Controller InterCloud Orchestration Register with Cloud Providers Interface with Management Tools Create Switching End points Clone/Move s in VPC with secure wrapper GUI -Easy-To-Use Web Interface Support for 3 rd party integration 14

15 Cisco Prime Network Services Controller - UI 15

16 InterCloud Virtual Switching Components Switch extended from enterprise to cloud ENTERPRISE CLOUD PROVIDER CLOUD DB APP VPC Web IC VSM InterCloud Extender N1KV InterCloud InterCloud Switch ware vcenter InterCloud Extender N1KV InterCloud InterCloud Switch InterCloud Link (x16) VSM, InterCloud Extender, InterCloud Switch Secure L2 extension Secure virtual switch in cloud 16

Extender Enterprise Virtual Switch I n t e r n e t Cloud Data Center

17 Nexus 1000V InterCloud Deployment Enterprise Data Center IC VSM Virtual Machine Manager Enterprise Switch Cisco Prime NSC InterCloud Extender Enterprise Virtual Switch I n t e r n e t Cloud Data Center Cloud API Interface Cloud s InterCloud Switch Secure Tunnels DTLS Encap

18 InterCloud Extender and InterCloud Switch Interfaces Mgmt Data Trunk Internal Enterprise Trunk INTERCLOUD EXTENDER VEM Internal Tunnel Trunk Tunnel Public IP INTERCLOUD SWITCH Internal Tunnel Trunk VEM Mgmt Cloud VLANs Management Interface Used for communication with InterCloud VSM and PNSC. Can also be used as secure tunnel endpoint. Tunnel interface Can be used for secure tunnel to InterCloud Switch. Trunk interface Enterprise trunk allowing all VLANs that are being extended. Management Interface Used for communication with InterCloud VSM and InterCloud Extender. Public interface Provider interface with public IP. Used to communicate with PNSC and tunnel endpoint. Cloud interfaces Access Tunnels to Cloud s on VLANs extended from the enterprise.

19 Cloud Interfaces IC User Space Processes TCP/IP Stack Applications Applications Cloud VEM Ports Overlay Access Port (Private IP) Provider Interface vnic.. Overlay Interfaces InterCloud Agent Provider Ports Cloud Port (Provider public IP) Provider Network Switch Private IP Used for communication with InterCloud Switch and other cloud s Provider Public IP Used for communication with Cisco Prime Network Controller for InterCloud

Cisco N1Kv InterCloud Network Deployment Walkthrough Assumptions - ICX Tunnel Interface as Tunnel Originator with NAT/PAT for ICX Tunnel and PNSC - Enterprise

x (Private) (Multiple Data VLANs Private IPs) PNSC Internal DC Domain Enterprise Datacenter VSG Trunk VSM ICX DMZ FW Mgmt Out Of Band Management Domain Tunnel

20 Cisco N1Kv InterCloud Network Deployment Walkthrough Assumptions - ICX Tunnel Interface as Tunnel Originator with NAT/PAT for ICX Tunnel and PNSC - Enterprise Management Network extended for InterCloud Switch Management ware vcenter 12.x (Private) (Multiple Data VLANs Private IPs) PNSC Internal DC Domain Enterprise Datacenter VSG Trunk VSM ICX DMZ FW Mgmt Out Of Band Management Domain Tunnel 11.x (Private) Internet domain 168.X (Public) Router/Firewall (NAT/PAT) Secure Tunnel I n t e r n e t Public IP 10.X (Provider Public) Management VLAN Tunnel VLAN Data VLANS Cloud Datacenter CMgmt VEM ICS (Multiple Data VLANs Private IPs)

21 Nexus1000V InterCloud Security ENTERPRISE CLOUDS PROVIDER CLOUDS Cisco PNSC IC VSM M InterCloud Extender S2S Data Tunnel InterCloud Switch Access Data Tunnel with ICA Other Tenants Security in an InterCloud VPC 1. Secure Layer-2 Extension 2. Secure Cloud communication 3. InterCloud Agent to protect traffic 4. Enterprise controls/manages Keys and certificates Establish Trust Establish Secure Tunnels Comm. Securely

Security Considerations: Summary Data in Transit between Enterprise DC and Public SP Cloud Key Management &

Algorithm Data Encryption and Hashing Layer 3 Security via CSR 1000v Layer 4 7 Security via VSG Encryption

All data in motion is cryptographically isolated and encrypted Enterprise to Cloud & to within Cloud Enterprise

Program Unique APIs vpath Insert Custom Tools Recreate Services Reconfigure Application Identify New Security

22 Security Considerations: Summary Data in Transit between Enterprise DC and Public SP Cloud Key Management & Algorithm Data Encryption and Hashing Inter Security in the Public SP Cloud InterCloud Agent Key Management & Algorithm Data Encryption and Hashing Layer 3 Security via CSR 1000v Layer 4 7 Security via VSG Encryption algorithm AES-128-GCM, AES-128-CBC, AES-256-GCM (Suite B), AES-256-CBC Hashing algorithm SHA-1, SHA-256, SHA-384 All data in motion is cryptographically isolated and encrypted Enterprise to Cloud & to within Cloud Enterprise owns the keys V M V M V M Enterprise Cloud V M vpath Centralized Migration and Management Onboard New Monitoring Program Unique APIs vpath Insert Custom Tools Recreate Services Reconfigure Application Identify New Security Convert Image Format Nexus 1000V InterCloud Provider Cloud Translate Policies Firewalls Use Cloud Provisioning Routing L2 Services Validate Operations 22

Virtual Network Services with Nexus 1000V

vpath VSG N1KV InterCloud InterCloud Switch

23 Virtual Network Services with Nexus 1000V InterCloud ENTERPRISE CLOUD Cisco Prime Network Services Controller PROVIDER CLOUDS VSG L2 Virtual Private Cloud Nexus1000V vpath VSG N1KV InterCloud InterCloud Switch vpath Security Profile to Port Profile in IC VSM 23

24 Nexus 1000V InterCloud + CSR 1000V PNSC Enterprise DC Public Cloud VSG Virtual Services vpath Nexus HW Switches vpath Nexus 1000V vpath InterCloud Switch Outside InterCloud Network ASR 1k/9k UCS/Servers InterCloud extends, secures and isolates L2 subnets into public clouds. CSR 1000V CSR as Gateway for InterCloud Network CSR provides access into the secure InterCloud network, via PNSC: VPN VPN 1. Inbound NAT/FW GW from Internet to Cloud Apps 2. Outbound direct Internet access for cloud applications (e.g SW updates functions) 3. Routing and FW services within InterCloud network Subnets 4. VPN for branch and remote users Remote/Branch Office ISR Mobile Worker 24

Cisco Prime Network Services Controller + Intelligent Automation for Cloud (IAC) User requests cloud services via end-user portal Cisco Intelligent Automation for Cloud Cisco Cloud Portal Cisco

25 Cisco Prime Network Services Controller + Intelligent Automation for Cloud (IAC) User requests cloud services via end-user portal Cisco Intelligent Automation for Cloud Cisco Cloud Portal Cisco Process Orchestrator Orchestrator manages workflow across multiple cloud environments (Integration via Northbound API) (Workloads moved via InterCloud) Private Cloud Cisco Prime Network Services Controller (MANAGEMENT LAYER) Policy manager Resource manager Service registry Manager Cloud Provider Manager Nexus 1000V (Platform layer) N1KV Switching Firewall, Routing Crypto Secure Public Cloud Tenant B

26 Additional Considerations Application Requirements - Operating System, Storage, Latency, Image Size, Relationships/Dependencies Service Provider Connectivity Internet/Extranet bandwidth, latency, and availability Security Requirements - Data at rest Service Level Agreements Regulatory Considerations 26

Installation Workflow Step 1 Step 2 Step 3 Step 4 Install PNSC Register with M (vcenter) Install InterCloud VSM Register IC VSM with PNSC PNSC is format Download the vcenter plugin Install the IC VSM

27 Installation Workflow Step 1 Step 2 Step 3 Step 4 Install PNSC Register with M (vcenter) Install InterCloud VSM Register IC VSM with PNSC PNSC is format Download the vcenter plugin Install the IC VSM ova Via PNSC GUI Existing VNMC can be upgraded Add Register the Plug in vcenter Add vcenter as M in PNSC Note: vcenter, vsphere and Enterprise VSM and VEMs are assumed to be already installed InterCloud VSM only installed as a. N1110 under consideration. Simple install No Installer app No adding VEMs No vcenter reg A basic version of VSM ware vcenter Cisco Prime Network Services Controller 4 VSM

28 Components Deployment (via PNSC) Step 1 Step 2 Step 3 Step 4 Create a Cloud Provider Manage IC components Images Configure InterCloud VSM Extend the Network to Cloud IC Link is setup Pick the Cloud Provider Provider Credentials Upload the ICX, ISW and ICA images to PNSC ICX ova format ISW AMI format ICA OS based Note: ICX and ISW are Modules in IC VSM ICX as s in Enterprise VSM ICS as a on Public Cloud Provider Configure Port Profiles in IC VSM Copy Port Profile from Enterprise VSM Create a VPC Create a IC link (upto 16 per VPC) Configure ICX and ICS Setup tunnel Sec for ICX to ICS and ICS to. Encrpytion and Hash. ICX, ISW deployment is automated by PNSC ISW is programmatically via AWS APIs 28

Deployment Workflow Migrate a 1 to Provider 2 Cloud Select the Enterprise Host and to migrate Select a IC-Link Select the properties Migrate to Provide Cloud PNSC migrates behinds the scene Create a

29 Deployment Workflow Migrate a 1 to Provider 2 Cloud Select the Enterprise Host and to migrate Select a IC-Link Select the properties Migrate to Provide Cloud PNSC migrates behinds the scene Create a in Provider Cloud Upload an AMI, ISO, OVA for template Select a IC-Link Select the properties Migrate to Provide Cloud PNSC migrates behinds the scene Single creation PNSC. Key Observations Single creation by PNSC Leverage a Cloud Management Tools to create a several at a time Cold Migration On-boarding(currently) Existing s in Cloud 29

30 Nexus 1000V InterCloud Deployment Pre-requisites Enterprise Virtual Machine Manager: ware vcenter version 5.0 or 5.1 Cloud Provider: Amazon Web Services An AWS account is required to register the provider with Nexus 1000V InterCloud Internet Router/Firewall must allow outbound/inbound traffic originating from enterprise network to the range of AWS IP addresses for the following protocols and ports: Public IP address ranges by Regions: Protocol: UDP & TCP Ports: o 80 HTTP access from PNSC for AWS calls and communicating with InterCloud s in provider cloud o 443 HTTPS access from PNSC for AWS calls and communicating with InterCloud s in provider cloud o 22 SSH from PNSC to InterCloud s in provider cloud o UDP 6644 DTLS data tunnel o TCP 6644 DTLS control tunnel

31 Hybrid Cloud Use Cases

InterCloud enables Hybrid Cloud Use Cases Dev/Test Shadow IT

Dev/Test Production WAN Common Peak Workloads VPC/Publi c Cloud End

can be promoted eg from Test in the public cloud to Production in the

Helps IT to control the applications: IT enforces policies and

for seasonal demands Seamless management of multi-tier applications

32 InterCloud enables Hybrid Cloud Use Cases Dev/Test Shadow IT Applications Capacity Augmentation Disaster Recovery Private Cloud Dev/Test Production WAN Common Peak Workloads VPC/Publi c Cloud End users can dev/test applications in the public cloud With, workloads can be promoted eg from Test in the public cloud to Production in the private cloud Users continue to use public clouds for quick access Helps IT to control the applications: IT enforces policies and governance to resources Extra capacity can be dynamically deployed for seasonal demands Seamless management of multi-tier applications in different clouds, Enterprises can use public cloud as backup DR site DR solution at a reduced cost

33 Hybrid Cloud for Service Providers Map Use Cases to Service Offerings Dev/Test Production Capacity Augementation DevTest Shadow IT DR/BC USE CASES IaaS/Bursting IaaS/DevOps SERVICE OFFERINGS IT optimization services DR as a Service 33

34 Announcing Cisco InterCloud!

& Cisco Powered Services Hyper-V End User & IT Admin Portals Openstack/K

35 Cisco InterCloud Solution Overview Enterprise DC or Cloud Provider Clouds vsphere InterCloud InterCloud Provider Enablement Platform Cloud Providers & Cisco Powered Services Hyper-V End User & IT Admin Portals Openstack/K Secure Fabric Network, Compute & Storage Azure APIs CloudStack/Xen EC2 APIs 35

InterCloud Solution Highlights Cloud admin provisions hybrid cloud, network connectivity and services End user requests applications/compute services via Cisco s self-service portal InterCloud

36 InterCloud Solution Highlights Cloud admin provisions hybrid cloud, network connectivity and services End user requests applications/compute services via Cisco s self-service portal InterCloud Director Service Provider portal End-user portal Admin portal InterCloud Fabric Hybrid cloud provisioning with policies Cloud APIs Cloud APIs Public Providers with open APIs (AWS, Azure) Providers with InterCloud Enablement platform Private Cloud HYBRID CLOUD Public Cloud

Cisco InterCloud Components Cloud management REST Open source/ 3rd party management tools InterCloud Director Leverage functionality from UCSD SP portal/ cloud management (Integration via

37 Cisco InterCloud Components Cloud management REST Open source/ 3rd party management tools InterCloud Director Leverage functionality from UCSD SP portal/ cloud management (Integration via Northbound API) InterCloud Fabric VSM PNSC InterCloud Cloud APIs InterCloud Enablement platform jcloud APIs Openstack Scripts vcloud InterCloud Extender Layer 2 InterCloud Switch vfirewall vrouter

38 Cisco InterCloud Fabric Hybrid cloud connectivity and network services InterCloud Fabric VSM PNSC InterCloud InterCloud Extender InterCloud Switch Layer 2 VSG CSR Private Cloud HYBRID CLOUD Public Cloud Hybrid cloud connectivity with L2 connectivity End to end security Network services such as firewall, virtual router

InterCloud Director High-Level Architecture Application Owners Self Service Console OS & Deployment IT Admins Admin Console Policy Manager IT Operations Dashboard Open API for Integration UCS

39 InterCloud Director High-Level Architecture Application Owners Self Service Console OS & Deployment IT Admins Admin Console Policy Manager IT Operations Dashboard Open API for Integration UCS Director extension Resource Pools InterCloud Director functionality as an extension of UCSD Single Console for Private and Public Cloud End-User Portal for consumption Hybrid Cloud Operation IT Admin Portal for Policy Governance Private cloud Manager (vcenter, SCM, OpenStack) InterCloud Fabric Private Cloud (Vmware, Hyper-V, OpenSource) Hybrid cloud network Public Cloud (Amazon, Azure, IEP

40 InterCloud Enablement Platform Enables Cloud Provider Integration Virtual Appliance Deployed and Managed by Cloud Provider Acts as a Proxy between Cisco InterCloud and Provider Infrastructure Requires Access to Provider Infrastructure; Applicable only for provider with no Publicly available API Published by Provider or via InterCloud Enablement Platform and Consumed by Cisco InterCloud Stack Base Set General : Image Management : Life Cycle : Storage Management : Security : Advanced Set Advanced Workload Protection Enhanced Crypto Performance Bare metal workload placement Application Aware Policy Management Account Login, Location/Partitioning Import/Export, Upload of image, Create/Delete Template from image Create(from template), Retrieve, Update, Delete, Start, Stop, Reboot Create/Delete volume and Attach/Detach volume to Security Group

Cisco InterCloud Deployment Models For Cloud Providers Enterprise cloud InterCloud Director Enterprise cloud InterCloud

new business model - Choice of SP infrastructure- vcloud, - Openstack Value based Margins - Differentiate Cloud services For

cloud Amazon/Azure SP with InterCloud Enablement platform - IT enabled and managed - Choice of hypervisors - Choice of Cloud

41 Cisco InterCloud Deployment Models For Cloud Providers Enterprise cloud InterCloud Director Enterprise cloud InterCloud Director Provider Cloud InterCloud Enablement Plat Service Provider Portal API M(Openstack/vCl oud/ Script based) - Enables new business model - Choice of SP infrastructure- vcloud, - Openstack Value based Margins - Differentiate Cloud services For Enterprises consuming Hybrid Cloud Services Enterprise cloud Enterprise cloud InterCloud Enterprise cloud Director Public cloud Amazon/Azure SP with InterCloud Enablement platform - IT enabled and managed - Choice of hypervisors - Choice of Cloud Providers - End-to-end workload security - Policy based workload governance - Unified management of workload - Consistent operations model

42 Evolving Nexus 1000V InterCloud to Cisco InterCloud Product Capabilities Providers Benefits Nexus 1000V InterCloud Cisco InterCloud InterCloud Secure Fabric InterCloud Secure Fabric InterCloud Director InterCloud Provider Enablement Platform Amazon Azure Validate secure fabric technology Validate with heterogeneous cloud infrastructure (physical/virtual network and compute) Enable any provider via InterCloud Provider Enablement Platform Extend business customer DC environment to public cloud Enhance end-to-end and workload security Consistent policy and unified management Bi-directional workload mobility Provider on-boarding 42

43 Call to Action Attend BRKVIR-3033 Advanced Cisco InterCloud Best Practices (Fri, 9AM) Attend Deploying, Implementing and troubleshooting Cloud Service Router (CSR 1000v) (Fri 9AM) Visit the Cisco Campus at the World of Solutions to experience demos/solutions in action Get hands-on experience with the following Walk-in Labs Meet the Engineer Discuss your project s challenges at the Technical Solutions Clinics Attend one of the Lunch Time Table Topics, held in the main Catering Hall Recommended Reading: For reading material and further resources for this session, please visit CL365 -Visit us online after the event for updated PDFs and on-demand session videos. 43

44 Complete Your Online Session Evaluation Complete your online session evaluation Complete four session evaluations and the overall conference evaluation to receive your Cisco Live T-shirt 2014 Cisco and/or its affiliates. All rights reserved. 44

45 GRAZIE! 45

Hybrid Clouds: Integrating the Enterprise Data Center and the Public Cloud

Hybrid Clouds: Integrating the Enterprise Data Center and the Public Cloud Usha Ramachandran, Technical Marketing Engineer Session Abstract In this session, participants will learn how to create hybrid