Hybrid Cloud Networking

Transcription

1 Hybrid Cloud Networking ITMCCS-2580 Follow us on Twitter for real time updates of the #CLEUR

2 Housekeeping We value your feedback- don't forget to complete your online session evaluations after each session & the Overall Conference Evaluation which will be available online from Thursday Visit the World of Solutions and Meet the Engineer Visit the Cisco Store to purchase your recommended readings Please switch off your mobile phones After the event don t forget to visit Cisco Live Virtual: Follow us on Twitter for real time updates of the #CLEUR 2

3 Agenda Section 1 - Cloud Computing introduction - Cloud Deployment Models (NIST definition) Section 2: - Hybrid Cloud Options - Seamless Hybrid Cloud Benefits - Current Solutions Section 3: - Conceptual Cloud Services Management Architecture - Seamless Hybrid Cloud (SHC) Abstraction - End-to-end (E2E) Multitenant Isolation in SHC 3

4 Agenda Section 4 - Seamless Hybrid Cloud Realization in Network: Network Management Architecture for Realization of E2E Multitenant Isolation Section 5 - Use Cases Section 6 - Issues Section 7 - Conclusion 4

5 Cloud Computing Introduction Cloud Deployment Models

6 Cloud Computing - Introduction Cloud Service Consumer or Tenant Network (Internet/Intranet/Private MAN/WAN) Cloud Service Interfaces One or more DC Cloud Service Provider (CSP) vnic2 OS1 DB1 VM13 IaaS: Infrastructure resources PaaS: Software middleware, development & test resources SaaS: Application product resources 6

7 Cloud Deployment NIST Definition Private Cloud: For use by an enterprise only - Owned / operated by enterprise IT or 3rd party Public Cloud: For use by anyone - Owned / operated / offered by a Cloud Service Provider Hybrid Cloud: Multiple interoperable Clouds that enables data and application portability - Multiple Cloud operators and CSP: Private and Public Clouds Community Cloud: Cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns 7

8 Hybrid Cloud Options Seamless Hybrid Cloud Benefits Current Solutions

9 Hybrid Cloud Architecture Options A1: An Enterprise (Tenant) extends into a Public Cloud (consumes resources from public Cloud) - One Cloud service provider serving out of multiple DCs A2: An enterprise extending into multiple public Clouds A3: Public Clouds extending into each other Any combination of above Focus: A1 with support for seamlessness 9

10 Seamless Hybrid Cloud Benefits With Hybrid Cloud enterprises may have resources distributed in Enterprise intranet and one or more Public Clouds Enterprises should be able to deploy and execute apps on these distributed resources seamlessly as if they are on the intranet Manage distributed on-premises and off-premises Cloud resources seamlessly together with other intranet IT resources Seamless Hybrid Cloud Abstraction, Interfaces and their realization on infrastructure will facilitate above 10

11 Current Solutions Solutions for interconnecting several clouds are starting to emerge But these solutions allow only interoperability between clouds at the IT level by providing functions such as: - Populating service catalogs from one cloud to another - deploying a VM in a public cloud from a local one - copying VM templates between clouds - Cold migration of application workloads between clouds 11

12 Current Solutions contd E2E network related services, network protocol, network management architecture and solutions (a la Seamless Hybrid Cloud) both at Cloud abstraction and L2/L3 network levels are missing Typical VPC (Virtual Private Cloud) that is a form of Hybrid Cloud is based on IPSEC over public Internet - In contrast SHC is enterprise and telco grade, supporting, in addition, various L2/L3 network isolation technologies (including PPVPN: Provider Provided VPN) and also SP/telco Private (IP/MPLS/Optical) MAN/WAN New generation (protocol) solutions for multitenant isolation covers Cloud DC only, not E2E as required for hybrid Cloud 12

13 Overview of Conceptual Cloud Services Management Architecture Seamless Hybrid Cloud (SHC) Abstraction End-to-end (E2E) Multitenant Isolation in SHC

14 Seamless Hybrid Cloud Service Management Architecture Tenant On-demand Requests Customer private cloud management Enterprise E1 Site 3 E2 Site 2 E1 Site 4 CSP DC 1 Tenant facing Interfaces Cloud Services Management (Tenant facing Cloud Abstraction for SHC) Compute / Storage / Network Management Interfaces Cloud Infrastructure Management Compute Storage Network E2E SHC Realization in Network MAN/ WAN CE 13 PE 5 DC Core/Aggr Server/Storage Access Network Server/ Storage ETH1 CE22 SP Private MAN/WAN IP / MPLS Network DC-Net 2 Virtual SW veth1 vnic1 OS1 App3 VM14 veth3 vnic4 OS1 App4 VM21 CE 14 PE 4 SW 12 ER 02 DMZ Internet PE 3 DC-SAN-Net 1 14

15 Seamless Hybrid Cloud Abstraction Site 1 (DC) ONPR-DB ONPR-App ONPR-DMZ ~SHC Enterprise T2 Site 1 (DC) Site 5 ~SHC Site 7 CE11 CE21 CE15 CE17 PWAN PE-CL1 PE-TS1 PE-TS2 PE-CL2 ER-CL1 ER-CL2 15

16 Seamless Hybrid Cloud Abstraction SHC Components ONPR-DB PWAN Site 1 (DC) ONPR-App ONPR-DMZ CE11 CE21 CE15 CE17 PE-CL1 PE-TS1 PE-TS2 Site 7 PE-CL2 A whole Tenant Site - Site ID A set of On-premises Resources (ONPR) on a specified Site - ONPR ID or IP Prefix, Site ID - Whole Site is not included in SHC in this case ER-CL1 SHC-T1-1 ER-CL2 A Set of off-premises Public Cloud resources (OFPR) - OFPR ID or IP Prefix OFPR Locations (Public Cloud DC locations - Location ID 16

17 Seamless Hybrid Cloud Components contd.. ONPR-DB PWAN Site 1 (DC) ONPR-App ONPR-DMZ CE11 CE21 CE15 CE17 PE-CL1 ER-CL1 PE-TS1 SHC-T1-1 PE-TS2 Site 7 PE-CL2 ER-CL2 Each SHC attached component can be flagged with whether it is directly accessible from outside (other components or sites or Cloud DCs associated with SHC) or not DA: TRUE FALSE - For example, DA: FALSE for ONPR- DB or ONPR-App Each ONPR and OFPR can be a DC App Tier (Web/DMZ, App and DB Tiers) A Tenant can have multiple SHC (for each per department, Engg, HR, etc.) 17

18 E2E Multitenant Isolation for Seamless Hybrid Cloud ONPR-DB PWAN Site 1 (DC) ONPR-App ONPR-DMZ PE-CL1 ~SHC: PE-TS1 Enterprise T2 Site 1 (DC) Site 5 ~SHC: CE11 CE21 CE15 CE17 PE-TS2 Site 7 PE-CL2 A Cloud is multitenant where multiple tenants (T1 & T2 in example) share Physical Resources (Compute / Storage / server access network) in Cloud DC A network E2E (from CE via PWAN to Cloud DC networks) is also multitenant ER-CL1 ER-CL2 Isolate E2E Traffic and Routes of tenants from each other (not just in Cloud DC) We cover an NM architecture for realizing E2E multitenant isolation in SHC 18

19 Seamless Hybrid Cloud Realization in Network: Network Management Architecture for Realization of E2E Multitenant Isolation in SHC

20 SHC Isolation Realization via L3 MPLS Extranet VPN ONPR-DB Site 1 (DC) ONPR-App ONPR-DMZ ~SHC: Enterprise T2 Site 1 (DC) Site 5 ~SHC: CE1 CE2 CE3 CE4 Site 7 Distributed Offpremises resources modeled / architected as Virtual L3 MPLS VPN Sites PE-CL1 PE-TS1 PWAN OFPR-DMZ OFPR-App ER-CL1 CSP DC 1 PE-TS2 OFPR-App PE-CL2 ER-CL2 CSP DC 2 VRF VLAN VRF-Lite VLAN/ VxLAN An SHC is realized via an L3 MPLS Extranet VPN in the WAN In Cloud DCs mapped to VLAN VRF- Lite VLAN/VxL AN 20

21 SHC Components Mapped to RT Extended Community ONPR-DB Site 1 (DC) ONPR-App ONPR-DMZ ~SHC: Enterprise T2 Site 1 (DC) Site 5 ~SHC: Site 7 SHC components mapped to Route Target (RT) Extended Community, which are exchanged between PEs *RT-C* CE1 CE2 CE3 CE4 *RT-T* PE-CL1 PWAN PE-TS1 PE-TS2 PE-CL2 Example: ONPR-DMZ RT: 2000:2 ER-CL1 ER-CL2 RTs imported/exported accordingly in relevant VRF/VRF-Lite instances OFPR-DMZ OFPR-App CSP DC 1 OFPR-App CSP DC 2 Tenants will have the control over reachability between SHC components 21

22 Use Cases

23 ONPR-DB PWAN Use case 1 Site 1 (DC) ONPR-App ONPR-DMZ PE-CL1 ONPR-App-D PE-TS1 PE-TS2 PE-CL2 Site 7 Tenant T1 extends to a public Cloud by creating an SHC (SHC- T1-1) and acquiring resources for DMZ (OFPR-DMZ 1/2) and certain Apps (OFPR-App 1/2/D) Access from T1 Site 7 loadbalanced via three DMZs DB, App on ONPR and App1, App2 on OFPR are not directly accessible from anywhere, including other location of SHC App-D directly accessible from anywhere in SHC OFPR-DMZ 1 OFPR-App 1 CE-CL1 OFPR-DMZ 2 OFPR-App 2 CE-CL2 OFPR-App-D RT Extended Communities are exchanged for ONPR-DMZ, OFPR-DMZ 1/2, ONPR/OFPR- App-D and imported/exported into relevant VRF/VRF-Lite, but not for ONPR-App/DB and OFPR-App 1/2 CSP DC 1 CSP DC 2 23

24 Use Case 2 Two SHC of a Tenant Site 1 (DC) ONPR-DB ONPR-App ONPR-DMZ Site 7 SHC-1 is created with Site 7, ONPR- DMZ, OFPR-DMZ associated Site 7 accesses via any of the ONPR-DMZ or OFPR-DMZ, which are load-balanced SHC 2 created with OFPR-DMZ, ONPR-DMZ, ONPR-App, ONPR DB (DA: FALSE; not directly accessible) PWAN PE-CL1 PE-TS1 PE-TS2 Cloud DC 1 can reach ONPR-App directly OFPR-DMZ CE-CL1 CSP DC 1 Even though one SHC could have been used A separate SHC will provide quick ondemand access or quick on-demand removal of access (to a group, for example) For SHC-1, ONPR-DMZ, OFPR- DMZ RT are exchanged and imported/exported For SHC-2, OFPR-DMZ, ONPR- DMZ, ONPR-App RT are exchanged and imported/exported If access from Site 7 directed to OFPR-DMZ, the ONPR-App will be accessible from there 24

25 Issues

26 On-demand Acquire / Release ONPR-DB PWAN Site 1 (DC) ONPR-App ONPR-DMZ ~SHC: PE-TS1 Enterprise T2 Site 1 (DC) Site 5 ~SHC: CE1 CE2 CE3 CE4 Remove OFPR-App 1 PE-CL1 Remove VS2-T2 PE-TS2 Site 7 PE-CL2 As typical in Cloud, resources can be added to or released from an SHC ondemand Hence Config/provisioning related to SHC isolation applied/removed ondemand ER-CL1 ER-CL2 Programmatic management/control plane interfaces desirable OFPR-DMZ OFPR-App 1 OFPR-App 2 VS2-T2 Protocol support / extension desirable CSP DC 1 CSP DC 2 26

27 Multitenant E2E Isolation Number of SHC E2E isolation will be limited by number of VRF instances and VLANs supported in devices/network Some of the new multitenant Cloud DC isolation technologies (VxLAN, etc.) can scale better than VLAN, for example - But for E2E isolation with L2/L3 MPLS VPN + DC isolation technologies, the number will be limited by the number of VRF instances Many mapping options in Cloud DC: - VxLAN - NVGRE - PBB/SPB (Provider Backbone Bridge/Shortest Path Bridging 802.1ah/aq) assuming support in Cloud DC - Other Each solution will have its own strengths and weaknesses in terms of: - Hypervisor virtual access switch based isolation - Evolution of existing devices required 27

28 Conclusion

29 Conclusion Seamless Hybrid Cloud (SHC) facilitates seamless and secure extension of enterprises to Public Clouds Seamless Distributed Application Execution: When associated with an SHC, the distributed components of a Tenant application runs seamlessly and securely on on-premises AND off-premises resources Seamless IT resource management: Tenant IT management applications manage on-premises AND off-premises resources seamlessly and securely We have provided a network management architecture for realizing E2E multitenant isolation for an SHC The realization is based on Cloud-ready Network Management Architecture that makes use of L3 MPLS Extranet VPN together with isolation technologies in Cloud DC Since realization is based on network management architecture, it can be supported on existing infrastructure 29

30 Conclusion Continued / Future Work Multi-CSP Hybrid Cloud: Extend the architecture to cover multiple cooperating CSPs so that an SHC can be extended over multiple CSPs and other partner tenants Address issues mentioned Incorporate in Open-source Cloud management framework OpenStack 30

31 Backup

32 ONPR-DB Use case 1 RT Extended Community SHC-T1-1: ONPR-DMZ, Site 1 (DC) ONPR-App ONPR-DMZ ONPR-App-D Site 7 ONPR-App-D, ONPR-DB (DA: FALSE), ONPR-APP (DA: FALSE), OFPR-DMZ 1, OFPR-DMZ 2, OFPR-App-D, OFPR-App 1 (DA: FALSE), OFPR-App2 (DA: FALSE) Each matrix cell is extended community RT exchanged between relevant PEs PWAN PE-CL1 PE-TS1 PE-CL2 PE-TS2 SHC- T1-1 PE-TS1 PE-TS2 PE-CL1 PE-CL2 CE-CL1 CE-CL2 PE-TS1 ONPR- DMZ, ONPR- App-D ONPR- DMZ, ONPR- App-D PE-TS2 Site 7 Site 7 Site 7 OFPR-DMZ 1 OFPR-DMZ 2 PE-CL1 OFPR- DMZ 1 OFPR- DMZ 1 OFPR- DMZ 1 OFPR-App 1 CSP DC 1 OFPR-App 2 OFPR-App-D CSP DC 2 PE-CL2 OFPR- DMZ 2, OFPR- App-D OFPR- DMZ 2, OFPR- App-D OFPR- DMZ 2, OFPR- App-D 32

33 Use Case 2 RT Extended Community Site 1 (DC) ONPR-DB ONPR-App Site 7 ONPR-DMZ PWAN PE-CL1 PE-TS1 PE-TS2 CE-CL1 SHC 1 PE-TS1 PE-TS2 PE-CL1 SHC 2 PE-TS1 PE-TS2 PE-CL1 OFPR-DMZ PE-TS1 ONPR- DMZ PE-TS2 Site7 Site 7 PE-TS1 ONPR- DMZ, ONPR- App CSP DC 1 PE-CL1 OFPR- DMZ PE-TS2 PE-CL1 OFPR- DMZ 33

34 L3 MPLS VPN MP-BGP 8 Bytes 4 Bytes 8 Bytes 3 Bytes 65425:1111 RD VPNv :2 IPv4 Route-Target Label (BGP Extended Community) MP_REACH_NLRI attribute within MP-BGP UPDATE message 34

35 L3 MPLS VPN Provisioning Use Case ip vrf SHC_1_DC_1_PE rd 65425:1111 export map OFPR_DMZ_1 import map ONPR_App route-target import 2000:2! route-map OFPR_DMZ_1 permit 10 match ip address 1 set extcommunity rt 1000:1! route-map ONPR_App permit 10 match ip address 2! access-list 1 permit access-list 2 permit ip vrf Intranet_T1_PE rd 65426:2222 export map ONPR_DMZ_1 import map OFPR_DMZ_1 route-target import 1000:1! route-map ONPR_DMZ_1 permit 10 match ip address 2 set extcommunity rt 2000:2! route-map OFPR_DMZ_1 permit 10 match ip address 1! access-list 1 permit access-list 2 permit

36 Recommended Reading Please visit the Cisco Store for suitable reading.

37 Please complete your Session Survey We value your feedback Don't forget to complete your online session evaluations after each session. Complete 4 session evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt Surveys can be found on the Attendee Website at which can also be accessed through the screens at the Communication Stations Or use the Cisco Live Mobile App to complete the surveys from your phone, download the app at 1. Scan the QR code (Go to for QR code reader software, alternatively type in the access URL above) 2. Download the app or access the mobile site 3. Log in to complete and submit the evaluations 37

38 38

39 Thank you. 39