Post on 21-Mar-2020

vCloud Hybrid Service Networking Technical Deep Dive

HBC2068

Ninad Desai, VMware, Inc; David Hill, VMware, Inc

Disclaimer

• This presentation may contain product features that are currently under development.

• This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.

• Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.

• Technical feasibility and market demand will affect final delivery.

• Pricing and packaging for any new technologies or features discussed or presented have not been determined.

CONFIDENTIAL 2


VMware vCloud Hybrid Service / VMware vCloud Air

What are vCloud Air Network Services built on?

vCloud Air Networking – Built on vCNS, Moving to NSX

Fully Integrated vCloud Stack

[Diagram: the fully integrated vCloud stack – vCloud Management and Automation, vCloud Air Management Console, vCloud Infrastructure, vCloud Networking and Security, vCloud Director with vCloud Connector, vSphere / vCenter. Customer A runs a Dedicated Cloud with physically isolated servers, a storage pool, and a VPN and network pool.]

• Being replaced by NSX-v manager in the vCloud Air Management stack

• Backward compatible with current vCNS based stack

• Existing policies and features stay intact

• Foundation for new networking features

How do I connect to vCloud Air?

Options to Connect to vCloud Air

[Diagram: Customer Data Center to vCloud Air over Private WAN / Direct Connect / Cross Connect, or over an IPsec Tunnel across the Internet. Many Connectivity Choices To Support Many Use Cases.]

Connecting to vCloud Air

• Over the Public Internet
– With Public IPs
– Use NAT for address translation
– By default F/W set to deny all and NAT not configured

• IPsec VPN
– vCloud Air features include IPsec VPN
– Multiple VPN tunnels can terminate to Edge Gateway
– Can connect to most of the major on-prem VPN devices

• Direct Connect
– Dedicated private connection
– Secure and high speed
– Extension to customer’s MPLS or data center cage

Connecting via IPsec VPN

[Diagram: IPsec VPN between an on-premises vSphere Edge Gateway and the vCloud Air Edge Gateway. On-premises side: LEP 10.0.1.150 (interfaces 10.0.1.1 and 10.0.10.1, network 10.0.10.0/24), Peer ID and Peer IP 69.194.137.230, public address 68.108.102.47. vCloud Air side: LEP 69.194.137.230, Peer ID 10.0.1.150, Peer IP 68.108.102.47, network 192.168.109.0/24 (192.168.109.1, 192.168.109.2/24). VPN traffic crossing the Internet uses IP protocol 50 (ESP), IP protocol 51 (AH), UDP port 500 (IKE) and UDP port 4500.]

What Networking Services do we offer?

vCloud Air - Options and Gateway Choices

Shared Cloud

• Logically separated network, compute and storage
• 5GHz CPU (burstable to 10GHz), 20GB RAM, 2TB storage
• No vDC segmentation
• One Edge Gateway

Dedicated Cloud

• Physically separated hosts
• Logically separated network and storage
• 30GHz CPU, 120GB RAM, 6TB storage
• Segment vDCs based on orgs (VDC1, VDC2, VDC3, VDC4 ...)
• Multiple Edge Gateways

vCloud Air Basic Networking Constructs

[Diagram: the customer's vDC sits behind an Edge Gateway that provides NAT, firewall, load balancer, IPsec, DHCP and static routing. Networks: routed/gateway networks (up to 9 networks), isolated network, external network (managed by VMware) facing the Internet.]

Configuration Access Options

• vCloud Air Management Web Portal - for basic networking configurations
• vCloud Director management portal - for advanced networking configurations

Can I bring my Private IP space along?

Yes! Via Network Address Translation (NAT)

• Need to create F/W rules to allow traffic

• IPv4 NAT

• Source NAT & Destination NAT rules
– Supports multiple rules on multiple interfaces

• Can use internal/private IP space
– Bring your own internal IP space
– Create/Manage subnets within IP space
– Multiple IP spaces under the same gateway

NAT rules:
- SNAT & DNAT rules
- Options include protocol/port selection

[Diagram: Edge Gateway with public IPs on the outside and internal IPs (10.x.x.x, 172.16.x.x, 192.168.x.x) on Organization Net 1, Organization Net 2 and Organization Net 3.]

But... can I stretch my Layer 2 network onto vCloud Air?

vCloud Connector Data Center L2 Extension

[Diagram: vCloud Connector Data Center L2 Extension. The on-premises 192.168.50.0/24 network (default gateway 192.168.50.10, hosts .33 to .37) is stretched over SSL VPN traffic across the Internet, passing the corporate firewall, to Edge Gateways in vCloud Air, where 192.168.50.0/24 appears again alongside a 192.168.100.x network (.10, .33). Public endpoints shown: 184.61.71.155 and 74.204.180.41.]

Layer 2 Extensions – Updated with NSX

[Diagram: Site A, a non-NSX VLAN-backed network (VLAN 10, VLAN 11, default router) with an SSL client whose vNIC trunks VLAN 10-11, connects over an L3 network, VPN or Direct Connect across the Internet to the vCloud Air Edge Gateway (NSX) and the vCloud Air client.]

Okay, so I have a typical multi-tier app (LAMP/WAMP stack)... Can I bring it to vCloud Air?

Firewall for Multi-Tier Applications

[Diagram: Internet-facing web tier, app tier and DB tier separated by the Edge Gateway firewall.]

Firewall

• 5-tuple F/W policies
– Protocol, Source/Dest. IP, Source/Dest. Port

• Stateful firewall

• FIPS 140-2 crypto

• Common Criteria EAL 4
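The connectivity slide says an Edge Gateway starts with the firewall set to deny all and no NAT configured, and the NAT and firewall slides then add DNAT and 5-tuple policies; the following added example (mine, not code from the deck or from VMware) models that ordering: DNAT first, then first-match 5-tuple rules with an implicit deny, checked against constructed packets. The gateway and peer addresses and the IPsec protocols and ports (ESP 50, AH 51, UDP 500, UDP 4500) are from the deck's VPN slide; the internal web server address, the rule structure and the function names are assumptions.

```python
import ipaddress
from dataclasses import dataclass, replace

ANY = "any"  # wildcard for a protocol or an address
@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp", "udp", "esp" (IP protocol 50) or "ah" (IP protocol 51)
    src: str
    dst: str
    dport: int = 0  # 0 for protocols without ports (ESP, AH)
@dataclass(frozen=True)
class Rule:
    action: str     # "allow" or "deny"
    proto: str = ANY
    src: str = ANY  # CIDR or ANY
    dst: str = ANY
    dport: int = 0  # 0 = any destination port
def _in_net(cidr, ip):
    return cidr == ANY or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)
def matches(rule, pkt):
    # 5-tuple style check: protocol, source/destination address, destination port
    return (rule.proto in (ANY, pkt.proto) and _in_net(rule.src, pkt.src)
            and _in_net(rule.dst, pkt.dst) and rule.dport in (0, pkt.dport))
def evaluate(rules, dnat, pkt):
    """DNAT first (public -> internal address), then first-match firewall.
    An empty rule list is the deck's default state: deny all, NAT not configured."""
    pkt = replace(pkt, dst=dnat.get((pkt.dst, pkt.proto, pkt.dport), pkt.dst))
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, pkt.dst
    return "deny", pkt.dst  # implicit deny when nothing matched
# Gateway and peer addresses are from the deck's IPsec slide; the web server is a constructed sample.
EDGE_PUBLIC, ONPREM_PEER, INTERNAL_WEB = "69.194.137.230", "68.108.102.47", "192.168.109.2"
RULES = [
    Rule("allow", "udp", ONPREM_PEER + "/32", EDGE_PUBLIC + "/32", 500),   # IKE
    Rule("allow", "udp", ONPREM_PEER + "/32", EDGE_PUBLIC + "/32", 4500),  # IPsec NAT traversal
    Rule("allow", "esp", ONPREM_PEER + "/32", EDGE_PUBLIC + "/32"),        # IP protocol 50
    Rule("allow", "ah", ONPREM_PEER + "/32", EDGE_PUBLIC + "/32"),         # IP protocol 51
    Rule("allow", "tcp", ANY, INTERNAL_WEB + "/32", 443),                  # published web tier
]
DNAT = {(EDGE_PUBLIC, "tcp", 443): INTERNAL_WEB}
def check_samples():
    # Constructed packets; returns {label: decision}
    samples = {"ike_from_peer": Packet("udp", ONPREM_PEER, EDGE_PUBLIC, 500),
               "esp_from_peer": Packet("esp", ONPREM_PEER, EDGE_PUBLIC),
               "ike_from_stranger": Packet("udp", "203.0.113.9", EDGE_PUBLIC, 500),
               "https_from_internet": Packet("tcp", "203.0.113.9", EDGE_PUBLIC, 443),
               "ssh_from_internet": Packet("tcp", "203.0.113.9", EDGE_PUBLIC, 22)}
    return {name: evaluate(RULES, DNAT, pkt)[0] for name, pkt in samples.items()}
```

Note that the published HTTPS rule is written against the internal address because DNAT has already rewritten the destination by the time the firewall sees the packet; with the DNAT entry removed the same packet falls through to the implicit deny.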

Load Balancing

• VIP and pool servers

• Health check

[Diagram: Edge Gateway load balancer with VIP 66.44.4.1 in front of a server pool.]

Direct Connect – Use Cases

Can I have a private connection to vCloud Air?

Can vCloud Air be part of my MPLS connection?

Can I cross connect in to vCloud Air?

Can I extend my layer 2 network on to this direct connect interface?

vCloud Air Direct Connect

[Diagram: two use cases. Cross connect use case: the customer's co-lo cage in a data center (owner operated/managed) connects to the vCloud Air connection point. WAN connectivity use case: the customer data center reaches the vCloud Air connection point over an NSP connection (MPLS, E-Line etc.). In both cases the connection point onward is vCloud Air managed.]

Direct Connect – With vCloud Air

[Diagram: Headquarters (DMZ Network 192.168.52.0/24, Private Network 192.168.50.0/24) and a Branch office (Private Network 192.168.50.0/24), with sites 10.1.1.x/24, 10.2.2.x/24 and 10.3.3.x/24, reach vCloud Air over MPLS (from NSP). The NSP termination point connects to the vCloud Air connection point in the MDF/MMR over an untagged Layer 2 connection (1G, 10G), link addresses 10.2.2.1 and 10.2.2.2, to an Edge Gateway with Internet access in front of Private Network 192.168.100.x/24. The following slide repeats the layout with the vCloud Air private network as 192.168.50.x/24.]

Direct Connect – Using Existing Security

[Diagram labels: 1 Gbps / 10 Gbps Direct Connect Traffic; Direct Connect – Private Line; Existing Security Policies & Appliances (IDS, IPS, IGW); Internet; DMZ Network (192.168.52.0/24); Private Network (192.168.50.0/24); Private Network (192.168.110.0/24); 10.1.1.x/24 on both sides; Edge Gateway.]

Cross Connect

[Diagram labels: 1 or 10 Gbps Direct Connect Traffic over a Direct Connect Line from the Customer Cage; DMZ Network (192.168.52.0/24); Private Network (192.168.50.0/24); Private Network (192.168.110.0/24); Edge Gateway.]

Direct Connect – Extended Layer 2

[Diagram labels: Internet; Co-Lo cage; Existing Security Policies & Appliances (IDS, IPS, IGW); Direct Connect – Private Line; Direct Access Network; 10.1.1.x/24 extended on both sides.]

How about global availability of applications?

Global Load Balancing – Dyn Example

[Diagram: Dyn Traffic Director load balancing across two vCloud Air sites on the Internet. Virtual Private Cloud (West): vCNS virtual server 192.240.153.11 with vCNS pool servers 192.168.109.11 and 192.168.109.12. Dedicated Cloud (East): vCNS virtual server 74.204.180.41 with vCNS pool servers 192.168.205.11 and 192.168.205.12. Each site has an Edge Gateway with LB.]

Advanced Networking - Hybrid Horizon View Logical Architecture

[Diagram labels: WDC (On Premises) and vCloud Air Las Vegas (IaaS), each with an Edge Gateway, joined by IPsec VPN; Corp-NET (192.168.1.0/24); Public-NET (192.168.2.0/24); Public-NET (192.168.20.0/24); Desktop-NET (192.168.3.0/24) with DT01 and DT02; AD01 (.41), AD02 (.42), ViewCS (.5), ViewSS (.5); view.vmtm.org; public addresses 66.45.200.37 and 69.194.137.139; PCoIP and Blast.]

vCloud Air and F5 – Global Load balancing

[Diagram labels: Corp-NET (192.168.100.0/24) with AD05 and AD06; Public-NET (192.168.200.0/24); BIP-Internal-NET (10.10.10.0/24) with BIP02; Edge Gateway rules DNAT Any:Any and Firewall Any:Any; 10.0.10.0/24, 10.0.10.1, 10.0.1.150; Internet.]

And what about network security - IPS/IDS?

Trend Micro Based – IPS/IDS

[Diagram: Trend Micro Deep Security. Protection modules: Firewall, Log Inspection, Anti-Malware, Integrity Monitoring, Web Reputation, Intrusion Prevention. Management: Deep Security Manager and Relay, Deep Security Database. A Deep Security Agent runs on the protected VMs behind the Edge Gateway.]

vCloud Air – Security Solution via Trend Micro

Choice of Networking Services Applications…

vCloud Air Recovery Service

“No.. No… the world was destroyed… this is a backup”

Recovery as a Service – Networking

How do I maintain the same network configs?

Do I need to re-do the network configs?

Do I need to ‘stretch’ my network?

How can I maintain my IP settings on VMs?

Disaster Recovery – Networking

• Pre-create networks on DR cloud with same private IP space, name and relevant properties

• When VMs are replicated, the IPs of the VMs are retained

• When a disaster occurs and VMs on the DR turn on, simply connect VMs to pre-existing networks

[Diagram: WDC (On Premises) networks Desktop-NET (192.168.3.0/24, DT01 and DT02), Corp-NET (192.168.1.0/24, AD01 .41, AD02 .42, ViewCS .5) and Public-NET (192.168.2.0/24, ViewSS .5) behind an Edge Gateway are replicated to a DR vDC, which has pre-created Desktop-NET (192.168.3.0/24), Corp-NET (192.168.1.0/24) and Public-NET (192.168.2.0/24) behind its own Edge Gateway.]

VMware vCloud Air - Virtual Private Cloud OnDemand

Interested in participating in the vCloud Air OnDemand Beta Program? The Product Team from vCloud Air is now accepting candidates interested in participating in the Fall 2014 beta program.

Visit vmware.com/go/ondemand to sign up

VMware vCloud Air – 5 Starting Points Program

VMworld 2014

Starting Point – Session ID – Topic

• Dev/Test – HBC2577 – Hybrid Sandboxing – Create the Ultimate On and Off Premises Test/Dev Factory
• Extend Existing Applications – HBC2066 – Architect the Hybrid Cloud for Exchange and Lync
• Disaster Recovery – HBC1534 – Recovery as a Service (RaaS) with vCloud Hybrid Service
• Modernize Enterprise Applications – HBC2609 – Smells Like Team Spirit: Achieve Hybrid Operations Nirvana with vCloud Hybrid Service
• Create Next Generation Applications – HBC1917 – Build Your First Mobile Application…In the Cloud…In 60 minutes

Learn the fundamentals on vCloud Air by attending any or all of our 5 Starting Point breakout sessions within the Hybrid Cloud Track

Attend any of these breakout sessions and earn a free vCloud Air “Dilbert” t-shirt.

Hybrid Cloud Hands On Labs

Check out the Expert Led and Self Paced vCloud Air Hands on Labs

• HOL: Expert-Led Workshop ELW-HBD-1481 – Hybrid Cloud Jumpstart Workshop
• HOL: Expert-Led Workshop ELW-HBD-1484 – Disaster Recovery to the Cloud Workshop
• HOL: Self Paced Lab SPL-HBD-1481 – vCloud Hybrid Service - Jump Start for vSphere Admins
• HOL: Self Paced Lab SPL-HBD-1482 – vCloud Hybrid Service - Networking & Security
• HOL: Self Paced Lab SPL-HBD-1483 – vCloud Hybrid Service - Manage Your Cloud

Learn the fundamentals on vCloud Air by attending any or all of our 5 Starting Point breakout sessions within the Hybrid Cloud Track as well as our Hands on Labs

Try any of these HOLs and earn a free vCloud Air “Dilbert” t-shirt.

Hybrid Cloud Theater Schedule - VMware Booth (Solutions Exchange)

In addition to the breakout sessions within the Hybrid Cloud track, check out our THEATER schedule for the week from the VMware booth at the Solutions Exchange

Sunday 5:00pm - What is this Hybrid Cloud Thing Anyway?

Monday 12:15pm - Getting Started with Hybrid Cloud - 5 Use Cases
Monday 1:30pm - vCloud Air OnDemand
Monday 3:45pm - What is this Hybrid Cloud Thing, Anyway?
Monday 5:30pm - Hybrid Cloud DevOps: How to keep your Devs from Running Wild

Tuesday 12:15pm - Project NEE - Delivering Hands-on Education at Cloud Scale
Tuesday 1:00pm - vCloud Air Network
Tuesday 2:45pm - Disaster Recovery with vCloud Air
Tuesday 4:00pm - Getting Started with Hybrid Cloud - 5 Use Cases
Tuesday 5:30pm - Hybrid Management on vCloud Air

Wednesday 10:15am - vCloud Air OnDemand
Wednesday 12:45pm - The Internet of Things: Virtual Machines, vCloud Air, vCenter Operations and the Intel IoT Gateway
Wednesday 2:15pm - Disaster Recovery with vCloud Air
Wednesday 3:30pm - Another Day in Paradise....Going Full Hybrid with vCloud Air
Wednesday 4:30pm - RAD in the Hybrid Cloud

Thank You

Fill out a survey. Every completed survey is entered into a drawing for a $25 VMware company store gift certificate.
