Copyright 2013 Alcatel-Lucent. All rights reserved.
Policy Driven Networking and Migration to Openstack
Scott Sneddon @ssneddon @nuagenetworks
The "Consumption shift"
§ Cloud is changing the way technology is being consumed
§ From "order and wait"
§ To "instant gratification"
Consumer expectations are shifting
[Figure: multiple personas, a single user, and an on-demand personalized catalogue]
Datacenter Network
Service velocity is hindered by manual network process
§ Compute is virtualized
§ Available in minutes
§ Network is partially virtualized
§ Configuration takes days/weeks
[Figure: a new tenant/application request takes two paths. On the compute management side it is auto-instantiated and the compute request completes in minutes. On the network configuration side it passes through help desk and change control, IP address and VLAN assignment, firewall configuration, LAN (VLAN) and WAN (IP) configuration, the security/QA team and a project coordinator, and the network change completes in days or weeks.]
Software Defined Datacenter Network
Service velocity accelerated, but…
§ Network is "more" virtualized
§ Some things available in minutes – some not so much
§ Many network elements are manually configured
§ Manual per-tenant network configurations
[Figure: the same request flow, now with an SDN controller on the network configuration side; the compute request completes in minutes and some network changes complete in minutes.]
Software Defined Network Configuration
We've only addressed part of the automation problem
§ Committees still build "networks"
§ Audits/reviews
§ In a NaaS environment (AWS, etc.) this is delegated to the tenant
§ Is this what your DevOps team should be doing?
[Figure: network configuration still passes through the security/QA team, VLAN and IP address assignment, WAN (IP) configuration and firewall configuration; the network configuration is created in days or weeks.]
Network Virtualization solutions…
Group applications into "network sandboxes"
[Figure: applications (Web, SAP, Database) each placed in their own network sandbox]
Policy approach to networking
§ Policy templates
§ Users
§ Application types
§ Business rules
§ Policy evaluation
[Figure: firewall icons placed between application groups; the legend is not recoverable]
Design once, re-use multiple times
Application Networks
Application-centric
How to expose network policy in Neutron?
OpenStack Group Based Policy Abstractions for Neutron
https://blueprints.launchpad.net/neutron/+spec/group-based-policy-abstraction
• An application-centric approach to networking
• Moving away from traditional network constructs
  • ports, subnets, routers, etc.
• Aiming for a highly abstracted interface for application developers to
  • express desired connectivity of application components
  • and express high-level policies governing that connectivity
• Without imposing constraints on the underlying implementation
What is a Neutron network Policy?
OpenStack Group Based Policy Abstractions for Neutron
https://blueprints.launchpad.net/neutron/+spec/group-based-policy-abstraction
[Figure: four endpoint groups (EPGs) in a chain. An Outside EPG sits on the public network; Web, App and DB EPGs, each containing VMs, sit on private networks. Adjacent groups are joined by contracts: a Web Contract between Outside and Web, and App Contracts between Web and App and between App and DB.]
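The EPG/contract model in the figure, written out as an added Python illustration; this is not code from the Neutron GBP blueprint or from Nuage. In the GBP model (later renamed to policy target groups and policy rule sets) a group provides or consumes named contracts, each contract carries a list of classifiers, and a flow is allowed only from a consumer to a provider on a matching classifier, so everything else is dropped. The port numbers, IP addresses and tenant memberships below are constructed for the example; the deck names the contracts but gives no ports.

```python
"""Toy model of Neutron Group Based Policy: endpoint groups, contracts,
policy evaluation, and compilation into per-endpoint allow rules.
Illustration only; not the GBP reference implementation."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Classifier:
    """Traffic selector inside a contract: protocol plus optional L4 port."""
    protocol: str               # "tcp", "udp", "icmp" or "any"
    port: Optional[int] = None  # None matches every port

    def matches(self, protocol: str, port: Optional[int]) -> bool:
        if self.protocol != "any" and self.protocol != protocol:
            return False
        return self.port is None or self.port == port


@dataclass
class EndpointGroup:
    """An EPG: workloads sharing one role (outside, web, app, db)."""
    name: str
    provides: Set[str] = field(default_factory=set)  # contracts offered to others
    consumes: Set[str] = field(default_factory=set)  # contracts this group may use


class PolicyTemplate:
    """Contracts plus groups, written once and instantiated per tenant."""

    def __init__(self) -> None:
        self.contracts: Dict[str, List[Classifier]] = {}
        self.groups: Dict[str, EndpointGroup] = {}

    def add_contract(self, name: str, allow: Iterable[Classifier]) -> None:
        self.contracts[name] = list(allow)

    def add_group(self, name: str, provides: Iterable[str] = (),
                  consumes: Iterable[str] = ()) -> None:
        provides, consumes = set(provides), set(consumes)
        unknown = (provides | consumes) - set(self.contracts)
        if unknown:  # refuse dangling references instead of silently allowing nothing
            raise ValueError(f"group {name} references unknown contracts {sorted(unknown)}")
        self.groups[name] = EndpointGroup(name, provides, consumes)

    def is_allowed(self, src: str, dst: str, protocol: str,
                   port: Optional[int] = None) -> bool:
        """Policy evaluation. Default deny: a flow from src to dst passes only
        if dst provides a contract that src consumes and one of that
        contract's classifiers matches. Direction matters: consumer -> provider."""
        shared = self.groups[src].consumes & self.groups[dst].provides
        return any(c.matches(protocol, port)
                   for name in shared for c in self.contracts[name])

    def compile_rules(self, membership: Dict[str, str]
                      ) -> List[Tuple[str, str, str, Optional[int]]]:
        """Expand the abstract policy into concrete (src, dst, proto, port)
        allow rules for one tenant, given which endpoint belongs to which group.
        This is the kind of L3/L4 rule set a distributed vSwitch would enforce
        at each hypervisor; anything not listed is dropped."""
        rules = []
        for src_ep, src_grp in membership.items():
            for dst_ep, dst_grp in membership.items():
                if src_ep == dst_ep:
                    continue
                shared = self.groups[src_grp].consumes & self.groups[dst_grp].provides
                for name in shared:
                    for c in self.contracts[name]:
                        rules.append((src_ep, dst_ep, c.protocol, c.port))
        return sorted(rules, key=lambda r: (r[0], r[1], r[2], -1 if r[3] is None else r[3]))


def three_tier_template() -> PolicyTemplate:
    """Outside -> Web -> App -> DB chain from the slide. Ports are constructed
    for the example; the deck names the contracts but no ports."""
    t = PolicyTemplate()
    t.add_contract("web", [Classifier("tcp", 443)])
    t.add_contract("app", [Classifier("tcp", 8080)])
    t.add_contract("db", [Classifier("tcp", 5432)])
    t.add_group("outside", consumes={"web"})
    t.add_group("web", provides={"web"}, consumes={"app"})
    t.add_group("app", provides={"app"}, consumes={"db"})
    t.add_group("db", provides={"db"})
    return t


# Constructed tenant memberships: same template, different endpoints.
# "0.0.0.0/0" stands for the Outside EPG, which has no VMs of its own.
TENANT_A = {"0.0.0.0/0": "outside", "10.1.0.10": "web", "10.1.0.20": "app", "10.1.0.30": "db"}
TENANT_B = {"0.0.0.0/0": "outside", "10.2.0.10": "web", "10.2.0.20": "app", "10.2.0.30": "db"}

if __name__ == "__main__":
    template = three_tier_template()
    for label, tenant in (("tenant A", TENANT_A), ("tenant B", TENANT_B)):
        print(label)
        for rule in template.compile_rules(tenant):
            print("  allow", *rule)
    print("outside->db 5432:", template.is_allowed("outside", "db", "tcp", 5432))
```

Running it prints three allow rules per tenant from one template, which is the "design once, re-use multiple times" point: only the membership (which endpoint is in which group) differs between tenants. Note the direction of the contracts: app may open connections to db, nothing lets db initiate toward app, and outside reaches only the web group on the one port its contract names.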
Openstack Network Policy becomes more sophisticated
Cleanly express application policy in Neutron
§ Nuage has provided policy abstractions for virtual and physical networks since first release
§ ACLs, QoS classification and enforcement
§ Difficult to express using existing Neutron constructs…
§ Which is why we're contributing to Group Based Policy
Nuage Networks Virtualized Services Platform (VSP)
Network virtualization and automation
[Figure: three layers. Cloud service management plane: Virtualized Services Directory. Datacenter control plane: Virtualized Services Controller. Datacenter data plane: Virtual Routing & Switching on each hypervisor (Brooklyn Datacenter - Zone 1), connected over the datacenter IP fabric to an edge router and a hardware gateway for bare metal; two links are labelled MP-BGP.]
Virtualized Services Directory (VSD)
• Network Policy Engine – abstracts complexity
• Service templates and analytics
Virtualized Services Controller (VSC)
• SDN Controller, programs the network
• Rich routing feature set
Virtual Routing & Switching (VRS)
• Distributed switch / router – L2-4 rules
• Integration of bare metal assets
Open solution
Consistent capabilities across
§ Any compute virtualization environment
§ Any datacenter networking hardware
§ Any server or hypervisor
Seamless interconnect between clouds
§ Distributed L2 and L3 routing to each hypervisor
§ Within clouds and across clouds
§ No choke points
§ Shared L2 and L3 networks across DCs
§ KVM, LXC, Xen, ESXi
§ Openstack, Cloudstack
[Figure: hypervisors in a legacy DC, a private cloud and a public cloud joined by an IP fabric (DC & WAN). The Virtualized Services Directory is used by network and security admins and by application developers, who get XaaS app/dev containers.]
Simplified migration to Openstack
Using a hypervisor-agnostic network platform
§ How to migrate apps to Openstack when they have network dependencies?
§ How to migrate while maintaining IP addresses?
§ How to migrate individual hosts within an application?
§ Physical to virtual?
§ Virtual to virtual?
Demo…
Conclusions
• Creation of distributed virtual switches and virtual routers: great for virtual networks and better than old models, but…
• Creates a distributed virtual configuration and management challenge
• Provisioning and management of these endpoints cannot be done with traditional methodology
• Policy abstraction is a proven framework
• Successfully shipping since May 2013
For more information…
• Nuage Networks Virtualized Services Platform
  • http://www.nuagenetworks.net/solutions/
• OpenStack Neutron Group Based Policy Abstraction
  • https://blueprints.launchpad.net/neutron/+spec/group-based-policy-abstraction
• OpenDaylight Application Policy Plugin
  • https://wiki.opendaylight.org/view/Project_Proposals:Application_Policy_Plugin
5/19/14
Network Policy NOW
@nuagenetworks
@ssneddon