1. Private Cloud Networking in Apache CloudStack
Chiradeep Vittal
@chiradeep
CloudStack Days Austin
April 16 2015
2. Overview
• Private Cloud
• Issues in Private Cloud Networking
• Introduction to CloudStack Networking
• Basic Zone
• Advanced Zone
• Hybrid Cloud
5. Friction in Private Cloud
• Co-existence with legacy infrastructure and operations
• Compute, network and storage still siloed
• Lack of DevOps mentality
6. Friction in networking
• DNS and IPAM automation
• Security policy automation
• Switch / VLAN configuration
• Infrastructure optimized for N-S traffic
• Integration with middle boxes
  – Load Balancers
  – NAT
  – IDS
8. CloudStack Networking
• "Batteries included but removable"
• Network services:
  – Use built-in providers or
  – Integrate with external providers or
  – Mix-and-match
• KISS principle
  – Master the simplest network configuration first
9. Network Services
Network Services:
• L2 connectivity
• IPAM
• DNS
• Routing
• ACL
• Firewall
• NAT
• VPN
• LB
Network Isolation:
• No isolation
• VLAN isolation
• Overlays
• L3 isolation
Service Providers:
• Virtual appliances
• Hardware firewalls
• LB appliances
• SDN controllers
• VRF
• Hypervisor
10. Basic Zone
• Basic: reduced network setup
• Group Based Policy: Security Groups are the means of policy enforcement / isolation
• AWS EC2-Classic emulation
• High level policy configuration
• Scalable implementation
• Least friction
11. Security Groups
• All VMs (instances) are launched into one or more security groups
• Default-deny firewalls
• Contain rules that allow selected traffic
• Example:
  – VMs in the "Web" Security Group are allowed to communicate on TCP port 3306 to VMs in the "DB" Security Group
  – Anybody can talk to a "Web" VM on port 80
12. Security Groups (diagram): Internet → web on port 80; web → appserver on port 8080; appserver → db on port 3306; management on port 22 from 192.168.1.0/24. All ports are TCP.
13. Security Groups
• Create security groups
> create securitygroup name=web
> create securitygroup name=appserver
> create securitygroup name=db
> create securitygroup name=management
• Add rules (a rule's source is either another security group, via usersecuritygrouplist, or an address range, via cidrlist)
> authorize securitygroupingress securitygroupname=management protocol=tcp startport=22 endport=22 usersecuritygrouplist=management
> authorize securitygroupingress securitygroupname=management protocol=tcp startport=22 endport=22 cidrlist=192.168.0.1/24
> authorize securitygroupingress securitygroupname=web protocol=tcp startport=80 endport=80 cidrlist=0.0.0.0/0
> authorize securitygroupingress securitygroupname=appserver protocol=tcp startport=8080 endport=8080 usersecuritygrouplist=web
> authorize securitygroupingress securitygroupname=db protocol=tcp startport=3306 endport=3306 usersecuritygrouplist=appserver
• Deploy VMs (each VM joins the management group plus its tier's group)
> deploy virtualmachine securitygroupnames=management,web displayname=web0001
> deploy virtualmachine securitygroupnames=management,web displayname=web0002
> deploy virtualmachine securitygroupnames=management,appserver displayname=app001
> deploy virtualmachine securitygroupnames=management,db displayname=db0001
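The following Python model is an added illustration, not code from the deck or from CloudStack itself: it encodes the four groups, rules and VM memberships of slide 13 and evaluates candidate flows under the default-deny semantics of slide 11, showing that a usersecuritygrouplist rule matches on the sender's group membership while a cidrlist rule matches on the sender's address. The VM names, group names and sample addresses are the deck's; the source addresses of the test flows are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class IngressRule:
    """One 'authorize securitygroupingress' rule: source is a CIDR or another group."""
    protocol: str
    start_port: int
    end_port: int
    cidr: Optional[str] = None          # cidrlist= form
    source_group: Optional[str] = None  # usersecuritygrouplist= form


# Constructed model of the four groups and rules created on slide 13.
GROUPS: Dict[str, List[IngressRule]] = {
    "management": [IngressRule("tcp", 22, 22, source_group="management"),
                   IngressRule("tcp", 22, 22, cidr="192.168.0.1/24")],
    "web":        [IngressRule("tcp", 80, 80, cidr="0.0.0.0/0")],
    "appserver":  [IngressRule("tcp", 8080, 8080, source_group="web")],
    "db":         [IngressRule("tcp", 3306, 3306, source_group="appserver")],
}

# Group membership of the VMs deployed on slide 13 (web0002 omitted for brevity).
VMS: Dict[str, Set[str]] = {
    "web0001": {"management", "web"},
    "app001":  {"management", "appserver"},
    "db0001":  {"management", "db"},
}


def ingress_allowed(dst_vm: str, src_ip: str, protocol: str, port: int,
                    src_vm: Optional[str] = None) -> bool:
    """Default deny: the flow passes only if a rule in one of dst_vm's groups matches."""
    src_groups = VMS.get(src_vm, set()) if src_vm else set()
    src = ipaddress.ip_address(src_ip)
    for group in VMS[dst_vm]:
        for rule in GROUPS[group]:
            if rule.protocol != protocol or not (rule.start_port <= port <= rule.end_port):
                continue
            # Group-sourced rule: decided by the sending VM's membership, not its IP.
            if rule.source_group is not None and rule.source_group in src_groups:
                return True
            # CIDR-sourced rule; strict=False tolerates host bits as in 192.168.0.1/24.
            if rule.cidr is not None and src in ipaddress.ip_network(rule.cidr, strict=False):
                return True
    return False
```

With this model, an Internet client reaches web0001 on tcp/80 but never db0001 on tcp/3306, and a web VM cannot reach the db tier directly because only appserver members are sources for the db rule.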
14. Properties of Security Groups
• Subnets are shared between accounts; VMs in a security group may not share a subnet.
15. Properties of Security Groups
• Anti-spoofing protection
• Multiple IP addresses per VM (single NIC)
• No multicast / broadcast
• Stateful firewall
• More:
https://cloudierthanthou.wordpress.com/2015/04/07/cloudstack-basic-networking-deeper-dive/
16. Scaled out network for Basic Zone (diagram): servers connect to leaf routers, leaf routers to spine routers, spine routers to the backbone / Internet; firewalls and ACLs are host-based, and server load balancing sits alongside.
17. VM Placement in Basic Zone (diagram): an L3 core with an L2 switch per rack (Rack 1 through Rack 24); VMs on hosts across racks (Rack 1 Host 1, Rack 1 Host 8, Rack 24 Host 5, Rack 24 Host 9) are shown with addresses from 10.1.0.0/24 (VM 1 10.1.0.2, VM 2 10.1.0.3, VM 3 10.1.0.99, ...), with 10.22.16.0/24 as a second subnet.
18. Adding Services to Basic Zone
• Static NAT (aaS)
• Load Balancer (aaS)
  – Use Citrix Netscaler integration or
  – Run a PaaS on CloudStack
19. Advanced Zone
• Virtual networking using either
  – VLANs or
  – Overlay
• Rich array of services and virtual networking providers
• Out-of-the-box (batteries included)
  – VLAN, GRE isolation
  – Virtual Router provides scale out (per tenant) services including
    • VPNaaS
    • LBaaS
    • FWaaS
    • DHCP, DNS
  – Physical Device Integration via plugins
    • F5, Netscaler
    • Juniper SRX
20. Keeping it simple
• Network Offerings
  – Catalog of potential virtual network designs
  – Created by operator
• Simplest network offering: "Shared Network"
  – Only services offered are
    • DNS, DHCP
    • User data, password change
  – VLAN-based virtual networks
  – Inter-network routing using static routing in TOR
21. Service insertion with VLANs (diagram): each tenant has its own VLAN-based virtual network; Tenant 1 and Tenant 2 both use 10.1.1.0/24 with gateway address 10.1.1.1 and VMs at 10.1.1.2 through 10.1.1.5 without conflict. A per-tenant Edge Services Appliance (the Virtual Router) provides NAT, DHCP, FW, VPN and Load Balancing and holds the tenant's public IP addresses on the "Public Network" toward the Internet / rest of DC (Tenant 1: 65.37.141.11, 65.37.141.36; Tenant 2: 65.37.141.24, 65.37.141.80). Public IPs can be RFC1918.
23. Multi-tier virtual networking (diagram): Web VMs 1-3, App VMs 1-2 and DB VM 1 sit in separate VLANs (VLAN101, VLAN398, VLAN2724); the Virtual Router connects the tiers to the Internet / rest of DC and to a Remote DC over IPSec VPN, and a load balancer (HW or virtual) attaches through an integration VLAN.
Network Services
• IPAM
• DNS
• LB [intra]
• S-2-S VPN
• Static Routes
• ACLs
• NAT, PF
• FW [ingress & egress]
24. Virtual networking with overlays (diagram): the same Web, App and DB tiers, now isolated by GRE keys (GREKEY101, GREKEY398, GREKEY2724) instead of VLANs; the VR plus vSwitches connect the tiers to the Internet / rest of DC, to a Remote DC over IPSec VPN and to a Private Gateway, with a virtual load balancer.
Network Services
• IPAM
• DNS
• LB [intra]
• S-2-S VPN
• Static Routes
• ACLs
• NAT, PF
• FW [ingress & egress]
25. SDN / Other Overlays / Other Devices
• Plugins available for
  – Midokura
  – NVP
  – Nuage
  – BigSwitch
  – Palo Alto
• VxLAN on KVM
26. Hybrid Cloud Networking (diagram): your workload spans the "on prem" Private Cloud and a Public Cloud, connected through your router via one of:
• AWS VPN Gateway
• AWS Direct Connect
• Google Carrier Interconnect
• GCE VPN
• Azure ExpressRoute
• Azure VPN
• Citrix CloudBridge
27. Wrap-up
• Private Cloud: Keep it simple
• Choose Basic Zone for
  – Simplicity
  – Low friction
  – Scale
  – Cost
• Choose Advanced Zone for
  – vSphere
  – Multiple NICs
  – IPv6
  – Control over IP addressing
  – Device integration
• Start with the simplest network offering with Advanced Zone