Virtual Network and Web Services: An Update
Thomas Finnern (DESY IT / Systems and Operations)
Thorsten Witt (DESY IT / Communication Networks)
HEPiX Spring 2010 @ Lisbon, Portugal
Thomas Finnern | Virtual Network and Web Services | Page 2
Application Delivery Networking
> Secure
Network Security Policies
Filtering
> Fast
Proxy
Server Farms
> Available
Server cluster
Load Distribution
> Since 2003
The Solution (figure): Users (Mobile Phone, PDA, Laptop, Desktop, Co-location) -> Application Delivery Network -> Applications (CRM, Database, Siebel, BEA, Legacy, .NET, SAP, PeopleSoft, IBM, ERP, SFA, Custom)
Cross Functional Collaboration
> Networking
> Application Architect
> Operations
> Security Stakeholders
Outline of Talk
> Intro:
Application Delivery Networking
Cross Functional Collaboration
> Part I: Load Balancer
Work Done
Technical Features
Modes of Operation
> Part II: Application Examples
Active Services
DESY WEB Page
IT Status Monitor
> Outlook and Conclusions
Part I: The Load Balancer (F5 Viprion Blade Cluster)
Things Done Since 2008
The Architecture
Work Done, Planned and In Progress
> Updates 9.x -> 10.0 -> 10.1
Live Upgrade
Still Unix System with GUI and CLI
ssh login, crontab, ...
> Migration Old -> New
> Redesign Services
ProxyPassSite with Remote Editable Config Table
Integration of Content Management System
100 % Monitoring with "Dynamic Out Of Service Page"
Version 10 Software
> New Evaluation Licensing
Virtual Machine with F5 Functionality
> Application Templates
> Administrative/GUI Enhancements
> CMP Extensions
> TMSH for LTM/GTM
> Multiple Routing Domains
Overlapping IP-Ranges
"Machine readable" qkview
> Passive (In-Band) Monitoring
> Live Installation
> IPv6 internal Communication
> IPv6 external Gateway !
> Dash Board
> Logical Volume Manager
> FastHTTP Profile Extensions
> iRule Extensions
Fast syslog
Geo-IP Locator
> Module Provisioning
> Various GUI Extensions:
• Login-Page
• Reboot/Logout/Timeout/Disclaimer
• Forced Offline
Overall Connection Block Diagram (figure): Clients (Mobile Phone, PDA, Laptop, Desktop, Co-Location) -> Office-Switches (10-100 Mbit/s) -> Core-Router (10 Gbit/s) -> CC-Switches (1 Gbit/s, 10 Gbit/s) -> Network Infrastructure: Load-Balancer -> Server-Pools (Application Server)
Technical Features
> Hardware
ASIC for Layer 3 + 4
> Software
TMOS
> TMOS traffic plug-ins
> High-performance networking microkernel
> Powerful application protocol support
> iControl – External monitoring and control
> iRules – Network programming language
Unique TMOS Architecture (figure): Client <-> ClientSide <-> TCP Proxy <-> ServerSide <-> Server; traffic plug-ins shown: SSL, Compression, TCP Express, Server TCP Express, Caching, OneConnect, XML, Rate Shaping, Traffic Shield, WebAccelerator, 3rd Party; iRules and the iControl API sit on top of the Microkernel and the High Performance Hardware
Operation Mode "Dumb Service"
> F5 Secure Network Address Translation (SNAT) = on
Server sees the F5 Switch as the Client
> No Server Change
> All Service Traffic handled by F5 Switch
> HTTP Header Insert
E.g. Client Address as X-Forwarded-For
(figure: Client System -> Standard Router -> F5 Switch (GW, SNAT, NAT) -> Server Systems; Other Systems on the same network are not touched)
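In "Dumb Service" mode the server only ever sees the F5's SNAT address as the TCP peer, so logging, rate limiting and IP-based access control on the server have to use the X-Forwarded-For header the F5 inserts. That header is also writable by the client, so the server must believe only the hop the load balancer appended and must ignore the header completely on connections that do not come from the load balancer. The following is an added example in Python (not DESY's code and not an F5 feature); it assumes a made-up SNAT address of 10.0.0.5 and that the load balancer appends the connecting client's address as the last element of X-Forwarded-For (check the http profile's X-Forwarded-For setting for the actual behaviour).

```python
"""Added example (not DESY's code): recover the client address on a server
behind a SNAT virtual server from X-Forwarded-For (XFF).

Assumptions (not from the slides): the load balancer's SNAT address is
10.0.0.5, and it appends the connecting client's address as the last
element of X-Forwarded-For.
"""
import ipaddress
from typing import Optional, Set, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed: the address(es) the load balancer uses when it opens the
# server-side connection. Only these peers are allowed to "speak" XFF.
TRUSTED_PROXIES: Set[IPAddr] = {ipaddress.ip_address("10.0.0.5")}


def client_ip(peer_addr: str, xff: Optional[str],
              trusted: Set[IPAddr] = TRUSTED_PROXIES) -> IPAddr:
    """Return the address to log / rate-limit / ACL on.

    XFF is honoured only when the TCP peer is a trusted proxy. The chain is
    read right-to-left, skipping trusted hops; the first untrusted address
    from the right is the one the trusted proxy actually saw. Anything to
    its left was supplied by the client (or an upstream proxy) and is
    ignored.
    """
    peer = ipaddress.ip_address(peer_addr)
    if peer not in trusted or not xff:
        # Direct connection (bypassing the F5) or no header: the peer itself
        # is the client; a client-supplied XFF must not override that.
        return peer
    for hop in reversed([h.strip() for h in xff.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            # Garbage in the chain: do not trust anything to its left,
            # fall back to the proxy's own address.
            return peer
        if addr not in trusted:
            return addr
    # Every hop was a trusted proxy; nothing more specific is known.
    return peer
```

The same rule applies to the "Smart Service" mode whenever SNAT is switched on for a virtual server, and to any other header the load balancer inserts: the value is only as trustworthy as the peer that delivered it.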
Operation Mode "Smart Service"
> F5 Network Address Translation (NAT) = on
> Server Changes:
Default Route to F5 Switch
F5 Relaxed IP Binding on GW-Proxy
> Limitations
Server must be on F5 connected network (GW)
> Multiple Services Possible
> For DMZ and Extra F5 Subnet
> (Almost) All Traffic handled by F5 Switch
> Our new favorite
(figure: Client System -> Standard Router -> F5 Switch (GW, NAT) -> Server Systems on the F5-connected network; Other Systems shown outside that network)
Part II: Application Examples (Overview)
DESY WEB Page (DESY IT / Information Fabrics)
DESY State Info System (DESY IT / Systems and Operations)
Virtual Server, Performance and Network Map
Top Statistics Over One Month
| bits since | bits in prior | current
| Mar 9 16:01:44 | 5 seconds | time
BIG-IP ACTIVE |---In----Out---Conn-|---In----Out---Conn-| 14:25:59
lb-198-220.desy.de 647.6G 566.8G 4.290M 8.452M 27.20M 138
VIRTUAL ip:port |---In----Out---Conn-|---In----Out---Conn-|-Nodes Up--
none:any 470.8G 8.496M 91376 272448 0 0 1
infoscreen.desy.de:ht 7.265G 302.0G 3404 245904 10.98M 0 2
www.desy.de:http 7.416G 137.1G 256425 351680 15.66M 5 1
none:any 51.87G 215040 183153 7.098M 0 10 1
wof-hasylab.desy.de:h 4.646G 37.77G 148096 856472 4.353M 13 2
none:any 37.05G 30.13M 244119 508808 640 3 1
indico.desy.de:https 1.132G 30.56G 41830 8944 7264 0 2
it-news.desy.de:http 28.41G 2.876G 443636 938664 168552 24 3
ip-console-vs.desy.de 10.36G 10.68G 10 0 0 0 2
ics.desy.de:http 3.905G 3.247G 3064 202152 169104 0 2
wof-xfel-eu.desy.de:h 257.6M 6.424G 20313 320 320 0 2
NODE ip:port |---In----Out---Conn-|---In----Out---Conn-|--State----
rt-248-16.desy.de:any 470.8G 0 91376 264008 0 0 UP
it-news02.desy.de:htt 4.188G 152.2G 385006 70016 1.934M 9 UP
it-news01.desy.de:htt 4.236G 152.1G 396351 75880 1.600M 8 UP
web2.desy.de:http 1.988G 72.26G 100105 346712 15.40M 2 UP
wofzeoc7.desy.de:http 2.622G 69.56G 150929 27952 781408 4 UP
rt-40-16.desy.de:any 51.86G 0 179544 4.247M 0 9 UP
FW-5-15.desy.de:any 37.06G 14.14M 241541 509448 0 3 UP
it-indico1.desy.de:ht 1.110G 31.43G 41540 58936 484080 0 UP
wofdb.desy.de:http 2.069G 26.58G 103313 281736 2.202M 7 UP
ip-console3.desy.de:a 10.39G 10.71G 10 0 0 0 UP
wof2.desy.de:http 970.4M 17.54G 61640 373360 3.303M 6 UP
Virtual Services and Pooling
> Virtual Service
Proxy with IP-Number + Port
Certificate
Scripting
Redirect, Editing (stream), Mapping, …
Persistence to Pool Members
SSL Offloading
RAM-Caching
Optimizing
http-Protocol (OneConnect)
> Pooling
Multiple Machines/Ports
Monitoring
Ping, Service Monitoring
Opt. Remote Control By Remote Flag Files
Port Mapping
Load Balancing
In Band Load, Round Robin, Number of Connections, …
Example Configuration
> www.desy.de with ProxyPassSite
> CLI Configuration:
virtual web-http-service {
   pool wofzms-http-pool
   destination 131.169.40.41:http
   ip protocol tcp
   rules ProxyPassDESY
   profiles {
      http {}
      stream {}
      tcp {}
   }
}
virtual web-https-service {
   pool wofzms-https-pool
   destination 131.169.40.41:https
   ip protocol tcp
   rules ProxyPassDESY
   profiles {
      http {}
      serverssl_desy {
         serverside
      }
      stream {}
      tcp {}
      www-desy-client {
         clientside
      }
   }
}
> infoscreen.desy.de with Fast HTTP Profile
> CLI Configuration:
virtual it-infoscreen-http-service {
   snat automap
   pool it-infoscreen-pool
   destination 131.169.5.220:http
   ip protocol tcp
   profiles fasthttp_snat {}
}
pool it-infoscreen-pool {
   lb method member least conn
   min active members 1
   monitor all http_80_desy
   members {
      131.169.5.76:http {
         priority 5
      }
      131.169.5.130:http {
         priority 5
      }
   }
}
Example 1 : Redesign of www.desy.de
> Remove Single Points of Failure
Single Machines
Provide Offline WEB Site Status Info
> Enable Mixed WWW/WOF-Environments
Common ProxyPassSite Configuration
Import External ProxyPassTable
> Enhance Load Balancing and Speed
Caching
Protocol Optimizing
CMS: Separate Read/Write Pools
Cookie Dependent Routing
CMS: Direct Zope Interface
Offload SSL
> Other Features
Get rid of old F5 Switches
No Source Network Address Translation
Intern/Extern-Routing
Intern/Extern Handling
http/https-Redirections
Before / Now (figure): N Clients at DESY Site and N Clients at Other Sites -> Standard Routers -> www.desy.de http/https (Apache, Proxy, Zope CMS; Persist: ZopeId) and other.desy.de http/https (Various WEB Services); Content Management Service, Loadbalance, CMS-Interface and Pooling over the Server Systems
After / Now (figure): N Clients at DESY Site and N Clients at Other Sites -> Standard Router -> www.desy.de http/https virtual services -> Zope CMS Proxy (Persist: ZopeId, __ac) and WEB Management with Separate Read/Write Pools; Migration Old/New Pools via ProxyPassTable; Content Management Service, Loadbalance, CMS-Interface and Pooling over the Server Systems
ProxyPassSite Features
> Config Load from AFS
"clientside" := "CMD[+Option] serverside"
"clientside" := "CMD serverside poolname[/https-pool]"
> Feature Redirect
"www.host.com/clientdir" := "Redirect internal.company.com/serverdir"
> Feature Alias
"/clientdir" := "Alias+HostMap /serverdir"
"host.desy.de/" := "Alias+Protomap+ZopeMap /serverdir wof-read-pool"
> Option +Cssl
> Option +Intern
> Option +Hostmap
> Option +Pathmap
> Option +ProtoMap
> Option +Zopemap
> Option +Slash
> Option +Log[0-2]
> Option +Snat
> Example Table Entries:
"/" := "Alias+HostMap+Snat zms.desy.de/",
"/dgs" := "Redirect http://guest-services.desy.de",
"hasylab.desy.de/" := "Alias+Snat / wof-http-pool/wof-https-pool",
"chor.desy.de/" := "Alias+ZopeMap+ProtoMap /VirtualHostBase/<proto>/<host>.desy.de:<port>/sites2009/site_<host>/content/ wof-ro-pool/wof-rw-pool",
"www.desy.de/~" := "Alias web2.desy.de/~ web2-http-pool/web2-https-pool",
"/cgi-bin" := "Alias /cgi-bin web-http-pool/web-https-pool",
"/dgo" := "Alias+Intern /dgo web2-http-pool/web2-https-pool",
"/favicon.ico" := "Alias /favicon.ico web2-http-pool/web2-https-pool",
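A minimal parser and resolver for this table syntax, as an added example in Python (not DESY's code; on the slides the table is consumed by the ProxyPassDESY iRule on the F5). It takes entries in the `"clientside" := "CMD[+Option] serverside [http-pool[/https-pool]]"` form shown above, picks the most specific matching entry for a request (an entry with a host beats a host-less one, then the longest path prefix wins) and returns either the redirect location or the backend host/path plus the pool for the request's scheme. The sample table is a constructed subset of the slide's entries. The meaning given to +Intern (the entry is only usable by clients the caller has classified as internal and is skipped for everyone else) and the treatment of the path remainder are assumptions; the other options are parsed but left to the caller.

```python
"""Added example (not DESY's code): parse a ProxyPassSite table and resolve
a request against it. Option semantics beyond +Intern and +Snat are an
assumption and are only carried through, not interpreted.
"""
import re
from typing import Dict, FrozenSet, List, NamedTuple, Optional, Tuple

# Constructed subset of the slide's table entries.
SAMPLE_TABLE = '''
"/" := "Alias+HostMap+Snat zms.desy.de/",
"/dgs" := "Redirect http://guest-services.desy.de",
"hasylab.desy.de/" := "Alias+Snat / wof-http-pool/wof-https-pool",
"www.desy.de/~" := "Alias web2.desy.de/~ web2-http-pool/web2-https-pool",
"/cgi-bin" := "Alias /cgi-bin web-http-pool/web-https-pool",
"/dgo" := "Alias+Intern /dgo web2-http-pool/web2-https-pool",
'''


class Rule(NamedTuple):
    host: Optional[str]        # None: entry applies to every virtual host
    path: str                  # client-side path prefix
    cmd: str                   # "Alias" or "Redirect"
    options: FrozenSet[str]    # e.g. {"HostMap", "Snat", "Intern"}
    target: str                # server-side path, host/path or redirect URL
    http_pool: Optional[str]
    https_pool: Optional[str]


ENTRY = re.compile(r'"([^"]*)"\s*:=\s*"([^"]*)"')


def split_host_path(spec: str) -> Tuple[Optional[str], str]:
    """'host.desy.de/dir' -> ('host.desy.de', '/dir'); '/dir' -> (None, '/dir')."""
    if spec.startswith("/") or "/" not in spec:
        return None, spec
    host, _, path = spec.partition("/")
    return host, "/" + path


def parse_table(text: str) -> List[Rule]:
    """Parse every '"client" := "server"' entry; reject anything unknown,
    because the table is remotely editable and drives the routing."""
    rules = []
    for client, server in ENTRY.findall(text):
        parts = server.split()
        if len(parts) < 2:
            raise ValueError("entry needs CMD and serverside: %r" % server)
        cmd, *opts = parts[0].split("+")
        if cmd not in ("Alias", "Redirect"):
            raise ValueError("unknown command %r" % cmd)
        http_pool = https_pool = None
        if len(parts) > 2:
            http_pool, _, https_pool = parts[2].partition("/")
        host, path = split_host_path(client)
        rules.append(Rule(host, path, cmd, frozenset(opts), parts[1],
                          http_pool or None, https_pool or None))
    return rules


def resolve(rules: List[Rule], host: str, path: str, scheme: str = "http",
            internal: bool = False) -> Optional[Dict[str, object]]:
    """Most specific entry wins: host-specific over host-less, then longest
    path prefix. +Intern entries are skipped for non-internal callers
    (assumed semantics)."""
    best = None
    for r in rules:
        if r.host is not None and r.host != host:
            continue
        if not path.startswith(r.path):
            continue
        if "Intern" in r.options and not internal:
            continue
        rank = (r.host is not None, len(r.path))
        if best is None or rank > best[0]:
            best = (rank, r)
    if best is None:
        return None
    r = best[1]
    rest = path[len(r.path):]   # part of the client path after the prefix
    if r.cmd == "Redirect":
        return {"action": "redirect", "location": r.target + rest}
    backend_host, backend_path = split_host_path(r.target)
    return {
        "action": "alias",
        "backend_host": backend_host,    # None: target gave only a path
        "backend_path": backend_path + rest,
        "pool": r.https_pool if scheme == "https" else r.http_pool,
        "snat": "Snat" in r.options,
    }
```

Because the table is loaded from AFS and remotely editable, whoever can write it controls where every request for www.desy.de is proxied or redirected; the parser therefore refuses unknown commands instead of guessing, and write access to that file deserves the same protection as the F5 configuration itself.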
Example 2 : DESY State Information System
(figure: 50 Permanent Thin Clients at Site (http) and N Random Thick Clients at User (http) -> Standard Router -> IT-Monitor http, Infoscreen http, IT-News desy.de http/https -> Accelerator Status Proxy (Accelerator Management Service, ASIC-Interface), IT-InfoPool (DB, Maintenance, Timing), Computing Status (IT Management); Loadbalance and Pooling over the Server Systems)
State Information System (IT-Monitor)
State Information System (Infoscreen)
Outlook and Conclusions
> Rather Simple To Use
Nice Operating Model
Easy High Availability
Replaces Host and Cluster Solutions
> Has Become a Standard Feature
People trust virtual services
Last minute Application Safety Support
> Getting Better
Customer Invisible Service Switching
Enhanced Load Distribution
Only One Virtual Hostname Per Service
Enhancing Fault Tolerance and Security
> SSO, Certificates, Login, …
Thank you for listening
> Questions ?
> Answers !