VMworld 2014: vCloud Hybrid Service Networking Technical Deep Dive
2 likes7,469 views
VMware vCloud Hybrid Service provides networking services including IPsec VPN connectivity, direct connect options, and network address translation capabilities. Customers can connect their on-premises networks to vCloud Air through various connectivity methods and extend their internal IP addressing schemes. The presentation also discusses load balancing, firewall, and intrusion detection options for securing multi-tier applications on vCloud Air. Disaster recovery with vCloud Air aims to maintain the same network configurations across sites.
VMworld 2014: vCloud Hybrid Service Networking Technical Deep Dive
- 1. vCloud Hybrid Service Networking Technical Deep Dive HBC2068 Ninad Desai, VMware, Inc David Hill, VMware, Inc
- 2. Disclaimer • This presentation may contain product features that are currently under development. • This overview of new technology represents no commitment from VMware to deliver these features in any generally available product. • Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind. • Technical feasibility and market demand will affect final delivery. • Pricing and packaging for any new technologies or features discussed or presented have not been determined. CONFIDENTIAL 2
- 3. 33 VMware vCloud Hybrid Service VMware vCloud Air
- 6. What is vCloud Air Network Services built on??
- 7. vCloud Air Networking – Built on vCNS …. Moving to NSX Fully Integrated vCloud Stack vCloud Management and Automation vCloud Air Management Console vCloud Infrastructure vCloud Networking and Security vCloud Director with vCloud Connector vSphere / vCenter Customer A Physically Isolated Servers Storage pool VPN and Network pool … Dedicated Cloud • Being replaced by NSX-v manager in the vCloud Air Management stack • Backward compatible with current vCNS based stack • Existing policies and features stay intact • Foundation for new networking features
- 8. How do I connect to vCloud Air ?
- 9. Options to Connect to vCloud Air z Customer Data Center vCloud Air Private WAN / Direct Connect / Cross Connect IPsec Tunnel Public INTERNET Many Connectivity Choices To Support Many Use Cases
- 10. INTERNET INTERNET Connecting to vCloud Air • Over the Public Internet – With Public IPs – Use NAT for address translation – By default F/W set to deny all and NAT not configured INTERNET • IPsec VPN – vCloud Air features include IPsec VPN – Multiple VPN tunnels can terminate to Edge Gateway – Can connect to most of the major on-prem VPN devices • Direct Connect – Dedicated private connection – Secure and high speed – Extension to customer’s MPLS or data center cage
- 11. Connecting via IPsec VPN CONFIDENTIAL VPN Traffic INTERNET vSphere Edge Gateway § LEP – 10.0.1.150 § Peer ID – 69.194.137.230 § Peer IP – 69.194.137.230 10.0.10.0/24 10.0.10.1 10.0.1.150 10.0.1.1 68.108.102.47 IP Protocol ID 50 (ESP) IP Protocol ID 51 (AH) UDP Port 500 (IKE) UDP Port 4500 69.194.137.230 192.168.109.2/24 192.168.109.1 Edge Gateway § LEP – 69.194.137.230 § Peer ID – 10.0.1.150 § Peer IP – 68.108.102.47 EDGE GATEWAY EDGE GATEWAY
- 12. What Networking Services do we offer?
- 13. vCloud Air - Options and Gateway Choices.. CONFIDENTIAL 13 § Shared Cloud • Logically separated network, compute and storage § 5GHz CPU (burstable to 10GHz) § 20GB RAM, 2TB storage § No vDC segmentation § One Edge Gateway § Dedicated Cloud • Physically separated hosts • Logically separated network and storage § 30GHz CPU, 120GB RAM, 6TB § Segment vDCs based on orgs § Multiple Edge Gateways VDC1 VDC2 VDC3 VDC4 VDC
- 14. vCloud Air Basic Networking Constructs INTERNET Routed/Gateway Networks (up to 9 networks) Isolated Network External Network (managed by VMware) NAT FW Load Balancer IPsec DHCP Static routing Customers vDC EDGE GATEWAY
- 15. Configuration Access Options CONFIDENTIAL 15 vCloud Air Management Web Portal - For basic networking configurations
- 16. Configuration Access Options CONFIDENTIAL 16 vCloud Air Management Web Portal - For basic networking configurations For Advanced configurations
- 17. Configuration Access Options CONFIDENTIAL 17 vCloud Director management portal - For advanced networking configs
- 18. Can I bring my Private IP space along?
- 19. Yes! Via Network Address Translation (NAT) • Need to create F/W rules to allow traffic • IPv4 NAT • Source NAT & Destination NAT rules. – Supports multiple rules on multiple interfaces • Can use internal/private IP space – Bring your own internal IP space – Create/Manage subnets within IP space – Multiple IP space under the same gateway NAT rules: - SNAT & DNAT rules - Options include protocol/port selection Gateway Public IPs Internal IPs 10.x.x.x 172.16.x.x 192.168.x.x Organization Net 1 Organization Net 2 Organization Net 3 EDGE GATEWAY
- 20. But …. Can I stretch my Layer 2 network on to vCloud Air?
- 21. vCloud Connector Data Center L2 Extension CONFIDENTIAL 21 (192.168.50.0/24) 184.61.71.155 74.204.180.41 VPN Traffic INTERNET (192.168.50.0/24) Default Gateway = 192.168.50.10 50.34 50.35 50.36 50.37 50.33 100.33 (192.168.50.0/24) 50.10 100.10 SSL SSL EDGE GATEWAY EDGE GATEWAY EDGE GATEWAY Corp Firewall
- 22. Layer 2 Extensions – Updated with NSX vCloud Air INTERNET INTERNET VLAN 10 VLAN 11 SSL Client Default Router vNIC Trunk VLAN 10-11 Site A: Non-NSX VLAN Backed Network L3 Network, VPN, Direct Connect EDGE GATEWAY (NSX) vCloud Air Client
- 23. Okay.. So I have a typical multi-tier app (LAMP/WAMP stack)…. Can I bring it to vCloud Air?
- 24. Firewall for Multi-Tier Applications Web tier App tier DB Tier INTERNET Firewall • 5 Tuple F/W policies – Protocol, Source/Dest. IP, Source/Dest. Port • Stateful Firewall • FIPS-140-2 Crypto • Common Criteria EAL 4 Load Balancing • VIP and pool servers • Health check Load Balancing Server Pool VIP: 66.44.4.1 EDGE GATEWAY
- 25. Direct Connect Use Cases
- 26. Direct Connect – Use Cases 26 Ø Can I have a private connection to vCloud Air? Ø Can vCloud Air be part of my MPLS connection? Ø Can I cross connect in to vCloud Air? Ø Can I extend my layer 2 network on to this direct connect interface?
- 27. vCloud Air Direct Connect Customer Co-Lo Cage vCloud Air Data Center owner operated/ managed vCloud Air connection point Customer Data Center vCloud Air NSP connection (MPLS, E-Line etc.) vCloud Air managed vCloud Air managed Cross connect use case WAN connectivity use case vCloud Air connection point
- 28. Direct Connect – With vCloud Air 28 DMZ Network (192.168.52.0/24) Private Network (192.168.50.0/24) Private Network (192.168.100.x/24) Headquarters NSP termination point EDGE GATEWAY INTERNET vCloud Air Connection point MDF/MMR Untagged Layer 2 connection (1G, 10G) 10.2.2.2 10.2.2.1 MPLS (from NSP) Private Network (192.168.50.0/24) Branch office 10.2.2..x/24 10.1.1.x/24 10.3.3.x/24
- 29. Direct Connect – With vCloud Air 29 DMZ Network (192.168.52.0/24) Private Network (192.168.50.0/24) Private Network (192.168.50.x/24) Headquarters NSP termination point EDGE GATEWAY INTERNET vCloud Air Connection point MDF/MMR Untagged Layer 2 connection (1G, 10G) 10.2.2.2 10.2.2.1 MPLS (from NSP) Private Network (192.168.50.0/24) Branch office 10.2.2..x/24 10.1.1.x/24 10.3.3.x/24
- 30. Direct Connect – Using Existing Security CONFIDENTIAL 30 1 Gbps / 10 Gbps Direct Connect Traffic DMZ Network (192.168.52.0/24) Internet Private Network (192.168.50.0/24) Private Network (192.168.110.0/24) 10.1.1.x/2410.1.1.x/24 EDGE GATEWAY IDS Existing Security Policies & Appliances IGW Direct Connect – Private Line IPS
- 31. Cross Connect CONFIDENTIAL 31 1 or 10 Gbps Direct Connect Traffic DMZ Network (192.168.52.0/24) Private Network (192.168.50.0/24) Private Network (192.168.110.0/24) CUSTOMER CAGE Direct Connect Line EDGE GATEWAY
- 32. Direct Connect – Extended Layer 2 CONFIDENTIAL 32 Internet 10.1.1.x/24 10.1.1.x/24 10.1.1.x/2410.1.1.x/24 Co-Lo cage IDS Existing Security Policies & Appliances IGW Direct Connect – Private Line IPS Direct Access Network
- 33. How about global availability of applications?
- 34. Global Load Balancing – Dyn Example CONFIDENTIAL 34 vCNS Virtual Server 192.240.153.11 vCNS Virtual Server 74.204.180.41 Virtual Private Cloud (West) Dedicated Cloud (East) .11 .12 .11 .12 vCNS Pool Servers 192.168.109.11 192.168.109.12 vCNS Pool Servers 192.168.205.11 192.168.205.12 Traffic Director INTERNET DYN Load Balancing EDGE GATEWAY LB EDGE GATEWAY LB
- 35. Advanced Networking - Hybrid Horizon View Logical Architecture WDC (On Premises) EDGE GATEWAY EDGE GATEWAY (192.168.20.0/24 Public-NET) IPSec VPNIPSec VPN DT01 DT02 (192.168.3.0/24 Desktop-NET) AD01 .41 AD02 .42 ViewCS .5 vCloud Air Las Vegas (IaaS) ViewSS .5 ViewSS .5 (192.168.2.0/24 Public-NET) view.vmtm.org (192.168.1.0/24 Corp-NET) 66.45.200.37 69.194.137.139 PCoIP and Blast
- 36. vCloud Air and F5 – Global Load balancing 36 (192.168.100.0/24 Corp-NET) AD05 AD06 (192.168.200.0/24 Public-NET) (10.10.10.0/24 BIP- Internal-NET) BIP02 DNAT Any:Any Firewall Any:Any 10.0.10.0/24 10.0.10.1 10.0.1.150 BIP02 INTERNET EDGE GATEWAY
- 37. ..And what about network security - IPS/IDS?
- 38. Trend Micro Based – IPS/IDS CONFIDENTIAL 38 Firewall Log Inspection Anti-Malware Integrity Monitoring Web Reputation Intrusion Prevention Deep Security Manager and Relay PROTECTION MODULES Deep Security Database MANAGEMENT Protected VMs Deep Security Manager EDGE GATEWAY Deep Security Agent Database
- 39. vCloud Air – Security Solution via Trend Micro CONFIDENTIAL 39
- 40. Choice of Networking Services Applications… CONFIDENTIAL 40 Virtual
- 41. vCloud Air Recovery Service “No.. No… the world was destroyed… this is a backup”
- 42. Recovery as a Service – Networking Ø How do I maintain the same network configs? Ø Do I need to re-do the network configs? Ø Do I need to ‘stretch’ my network? Ø How can I maintain my IP settings on VMs?
- 43. Disaster Recovery – Networking • Pre-create networks on DR cloud with same private IP space, name and relevant properties • When VMs are replicated, the IPs of the VMs are retaind • When a disaster occurs and VMs on the DR turn on, simply connect VMs to pre-existing networks 43 WDC (On Premises) DT01 DT02 (192.168.3.0/24 Desktop-NET) AD01 .41 AD02 .42 ViewCS .5 ViewSS .5 (192.168.2.0/24 Public-NET) (192.168.1.0/24 Corp-NET) EDGE GATEWAY Replicate EDGE GATEWAY (192.168.3.0/24 Desktop-NET) (192.168.1.0/24 Corp-NET) (192.168.2.0/24 Public-NET) DR vDC
- 44. VMware vCloud Air - Virtual Private Cloud OnDemand Interested in participating in the vCloud Air OnDemand Beta Progam? The Product Team from vCloud Air is now accepting candidates interested in participating in the Fall 2014 beta program 44 Visit vmware.com/go/ondemand to sign up vmware.com/go/ondemand
- 45. VMware vCloud Air 5 Starting Points Program VMworld 2014 45 Star%ng Point Session ID TOPIC Dev/Test HBC2577 Hybrid Sandboxing – Create the Ul>mate On and Off Premises Test/Dev Factory Extend Exis>ng Applica>ons HBC2066 Architect the Hybrid Cloud for Exchange and Lync Disaster Recovery HBC 1534 Recovery as a Service (RaaS) with vCloud Hybrid Service Modernize Enterprise Applica>ons HBC 2609 Smells Like Team Spirit: Achieve Hybrid Opera>ons Nirvana with vCloud Hybrid Service Create Next Genera>on Applica>ons HBC 1917 Build Your First Mobile Applica>on…In the Cloud…In 60 minutes Learn the fundamentals on vCloud Air by attending any or all of our 5 Starting Point breakout sessions within the Hybrid Cloud Track 45 Attend any of these breakout sessions and earn a free vCloud Air “Dilbert” t-shirt.
- 46. Hybrid Cloud Hands On Labs Check out the Expert Led and Self Paced vCloud Air Hands on Labs CONFIDENTIAL 46 HOL: Expert-Led Workshop ELW-HBD-1481 Hybrid Cloud Jumpstart Workshop HOL: Expert-Led Workshop ELW-HBD-1484 Disaster Recovery to the Cloud Workshop HOL: Self Paced Lab SPL-HBD-1481 vCloud Hybrid Service - Jump Start for vSphere Admins HOL: Self Paced Lab SPL-HBD-1482 vCloud Hybrid Service - Networking & Security HOL: Self Paced Lab SPL-HBD-1483 vCloud Hybrid Service - Manage Your Cloud Session ID Title Learn the fundamentals on vCloud Air by attending any or all of our 5 Starting Point breakout sessions within the Hybrid Cloud Track as well as our Hands on Labs Try any of these HOLs and earn a free vCloud Air “Dilbert” t-shirt.
- 47. Hybrid Cloud Theater Schedule - VMware Booth (Solutions Exchange) 47 In addition to the breakout sessions within the Hybrid Cloud track, check out our THEATER schedule for the week from the VMware booth at the Solutions Exchange Sunday 5:00pm - What is this Hybrid Cloud Thing Anyway? Monday 12:15pm - Getting Started with Hybrid Cloud - 5 Use Cases Monday 1:30pm - vCloud Air OnDemand Monday 3:45pm - What is this Hybrid Cloud Thing, Anyway? Monday 5:30pm - Hybrid Cloud DevOps: How to keep your Devs from Running Wild Tuesday 12:15pm - Project NEE - Delivering Hands-on Education at Cloud Scale Tuesday 1:00pm - vCloud Air Network Tuesday 2:45pm - Disaster Recovery with vCloud Air Tuesday 4:00pm - Getting Started with Hybrid Cloud - 5 Use Cases Tuesday 5:30pm - Hybrid Management on vCloud Air Wednesday 10:15am - vCloud Air OnDemand Wednesday 12:45pm - The Internet of Things: Virtual Machines, vCloud Air, vCenter Operations and the Intel IoT Gateway Wednesday 2:15pm - Disaster Recovery with vCloud Air Wednesday 3:30pm - Another Day in Paradise....Going Full Hybrid with vCloud Air Wednesday 4:30pm - RAD in the Hybrid Cloud
- 48. Thank You Q&A
- 49. Thank You
- 50. Fill out a survey Every completed survey is entered into a drawing for a $25 VMware company store gift certificate
- 51. vCloud Hybrid Service Networking Technical Deep Dive HBC2068 Ninad Desai, VMware, Inc David Hill, VMware, Inc