VMWARE SOLUTIONS AND THE DATACENTER
Fredric Linder
2 Copyright © 2012 Juniper Networks, Inc. www.juniper.net
MORE THAN VSPHERE
VMware offering by area (slide table): Core, Cloud, DR / Replication, VDI / Applications, Management
Products shown: vSphere, vCenter, vCloud Director, Chargeback, VMware IT Business Management Suite, Site Recovery Manager, Storage Appliance, VMware View, vCenter Operations Suite, vCenter Operations
INFRASTRUCTURE AS A SERVICE (IAAS)
Most commonly adopted strategy in the enterprise
Building resource pools for consumption:
• CPU – Memory: server virtualization
• Storage: SAN
• Network: QoS, VLAN, bandwidth
Requirements:
• Dedicate resources based on service demands
• Monitor resource consumption to guarantee resources
VMware products: vSphere, vCloud Suite
PLATFORM AS A SERVICE (PAAS)
Delivering the foundation for building new SaaS applications.
New application platform to build NextGen applications
Distributed application model
Metering and subscription based model
IaaS-aware requirements:
• Dedicate resources based on service demands
• Monitor resource consumption to guarantee resources
• Metering and subscription infrastructure
VMware products: vSphere, vFabric Suite
SOFTWARE AS A SERVICE (SAAS)
Delivering SaaS applications.
SLA driven model
End user experience
Pay per use
Requirements:
• Dynamic resource allocation based on service demands
• Continuous end-to-end SLA metering
• Automatic end-to-end adaptation of resources to meet the SLA
VMware products: vSphere, Operations Suite, IT Business Management Suite
VMWARE VSPHERE AND VCENTER SERVER
• Clusters and resource pools provide cloud compute
  – DRS is a requirement for the cluster
  – Shared storage
  – vMotion compatible or EVC enabled
• Datastores provide cloud storage
  – Abstract away the underlying storage type
• Port groups provide cloud networking
  – Abstract away the underlying networking infrastructure
  – vSwitch, vNetwork Distributed Switch, Nexus 1000V or IBM 5000v
Diagram (labels only): vCenter Server managing ESXi/ESX hosts with resource pools, a vNetwork Distributed Switch, and FC, iSCSI and NFS storage.
NETWORKING OPTIONS IN VMWARE
vSwitch types:
• vSwitch
  – One or more per host
  – Basic functionality
• vNetwork Distributed Switch
  – One or more per cluster
  – LACP, BPDU filters, port mirroring, SR-IOV
  – Requirement for 3rd party switches
  – VXLAN support (with vShield and Security Package)
VXLAN - PRINCIPLES
Identifier: 24-bit segment ID, the VNI (up to 16M VXLAN segments)
Only VMs in the same VXLAN (VNI) can communicate with each other
Tunnels L2 over L3 (MAC-over-UDP; UDP port not defined at this time)
VMs are not aware of VXLAN; only the VTEP is.
Today the VXLAN Tunnel End Point (VTEP) would be set up on the vSwitch, but it could also be on physical switches, routers or servers (VXLAN gateways)…
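The VNI isolation rule above, as an added Python example (not code from the deck, VMware or Juniper): it builds and parses the 8-byte VXLAN header and has a toy VTEP deliver a decapsulated frame only to VMs attached to the same VNI. UDP port 4789 is assumed (the deck predates its assignment), and the VM names and MAC addresses are constructed.

```python
import struct

# VXLAN header: flags(1) | reserved(3) | VNI(3) | reserved(1) = 8 bytes.
# UDP port 4789 is an assumption here: the deck notes the port was still
# undefined in 2012; it was assigned later.
VXLAN_UDP_PORT = 4789
VNI_MAX = (1 << 24) - 1          # 24-bit segment ID: up to 16M segments
ETH_HDR_LEN = 14

def vxlan_encap(vni: int, inner_frame: bytes) -> bytes:
    """Prepend a VXLAN header (outer IP/UDP headers omitted)."""
    if not 0 <= vni <= VNI_MAX:
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!B3xI", 0x08, vni << 8) + inner_frame  # 0x08 = 'I' bit

def vxlan_decap(packet: bytes):
    """Return (vni, inner_frame); reject truncated or flag-less headers."""
    if len(packet) < 8 + ETH_HDR_LEN:
        raise ValueError("too short for VXLAN header plus Ethernet frame")
    flags, vni_field = struct.unpack("!B3xI", packet[:8])
    if not flags & 0x08:
        raise ValueError("VNI-valid flag not set")
    return vni_field >> 8, packet[8:]

class Vtep:
    """Toy VTEP: each local VM sits in one VNI and only receives frames that
    arrive in that VNI, so tenants with overlapping MACs stay separated."""
    def __init__(self):
        self.ports = {}              # vm name -> (vni, mac)
    def attach(self, vm, vni, mac):
        self.ports[vm] = (vni, mac)
    def send(self, src_vm, dst_mac, payload):
        vni, src_mac = self.ports[src_vm]
        return vxlan_encap(vni, dst_mac + src_mac + b"\x08\x00" + payload)
    def receive(self, packet):
        """Names of local VMs that get the inner frame (same VNI only)."""
        vni, frame = vxlan_decap(packet)
        dst, src = frame[:6], frame[6:12]
        return [vm for vm, (pvni, mac) in self.ports.items()
                if pvni == vni and mac != src and dst in (mac, b"\xff" * 6)]

def demo():
    """Constructed scenario: two tenants reuse one MAC in different VNIs."""
    vtep = Vtep()
    vtep.attach("web-marketing", 5000, bytes.fromhex("02000000aa01"))
    vtep.attach("web-finance", 6000, bytes.fromhex("02000000aa01"))
    vtep.attach("db-marketing", 5000, bytes.fromhex("02000000aa02"))
    pkt = vtep.send("db-marketing", b"\xff" * 6, b"ARP who-has 10.0.0.1")
    return vxlan_decap(pkt)[0], vtep.receive(pkt)   # -> (5000, ['web-marketing'])
```

The broadcast from the marketing database VM never reaches the finance VM even though both web VMs carry the same MAC, which is the multi-tenancy property the slide relies on.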
DRS CLUSTER DESIGN (8-12 HOSTS PER CLUSTER)
ACTIVE PASSIVE DESIGN
Diagram (labels only): two sites, each with VMs on NFS, iSCSI or FCoE storage, linked by storage replication.
STRETCHED CLUSTER DESIGN
Diagram (labels only): one cluster stretched across two sites with affinity groups per site, VMs on NFS, iSCSI or FCoE storage, and storage replication between the sites.
VMWARE VCLOUD COMPONENTS
VMware vSphere and vCenter Servers
VMware vCloud Director
vShield for VMware Cloud Director
VMWARE VCLOUD DIRECTOR
• Define standard infrastructure tiers called Virtual Datacenters
• Pool virtualized infrastructure resources across multiple vCenter Servers
• Define standard collections of VMs called vApps
• Create Organizations and manage users
• Provide a UI for users to self-provision vApps into Virtual Datacenters
• Provide secure multi-tenancy using vShield Edge
VMWARE VCLOUD STACK
Diagram (labels only): Secure Private Cloud. VMware vCloud Director sits above VMware vCenter Server (resource pools, datastores, port groups) and VMware vSphere. Provider Virtual Datacenters (Gold, Silver, Bronze) are consumed by Organizations (Marketing, Finance), each with its own Organization VDCs, Catalogs, and Users & Policies.
Diagram (labels only): External Network – vShield FW – Organisation Network – vShield FW – Application Network with App VMs.
EXTERNAL NETWORK: OVERVIEW
• Created at the vSphere level as a port group on a vSS or vDS
• The port group is mapped to a vCloud Director external network
• Mapping is on a one-to-one basis
Use cases
• Internet access
• Provider supplied network endpoints
• IP based storage
• Backup servers
• Access to physical managed services
• Backhauled networking to a customer datacenter
• VPN access to a private cloud
• MPLS termination
EXTERNAL NETWORKS: IN VSPHERE
• Dedicate a vDS to statically mapped networks, i.e. a “Provider vDS”
• Avoid vSS unless using scripting to duplicate port groups to hosts
• Use unique VLANs per port group to avoid broadcast overlap
Below is an example of VLAN-isolated external networks (diagram only in the original):
EXTERNAL NETWORKS: IN VMWARE VCLOUD DIRECTOR
In VMware vCloud Director, create an external network by mapping it to a port group.
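The three design rules from the previous two slides (unique VLAN per port group, vDS rather than vSS, one-to-one port group to external network mapping) as an added audit script in Python; it is not code from the deck or from VMware, and the inventory it checks is constructed sample data, not a real export.

```python
from collections import defaultdict

# Constructed inventory (not real data): port groups as
# (name, switch, switch type, VLAN) and vCloud Director external network
# mappings as (external network, port group).
PORTGROUPS = [
    ("ext-internet", "Provider vDS", "vDS", 100),
    ("ext-backup",   "Provider vDS", "vDS", 101),
    ("ext-storage",  "Provider vDS", "vDS", 101),   # shares VLAN 101 with ext-backup
    ("ext-mpls",     "vSwitch0",     "vSS", 102),   # on a standard switch
]
EXTERNAL_NETWORKS = [
    ("Internet", "ext-internet"),
    ("Backup",   "ext-backup"),
    ("Backup-2", "ext-backup"),                     # two external networks, one port group
]

def audit_external_networks(portgroups, external_networks):
    """Return (severity, message) findings for the three design rules:
    unique VLAN per port group, vDS rather than vSS, and a one-to-one
    port group to external network mapping."""
    findings = []
    by_vlan = defaultdict(list)
    for name, switch, kind, vlan in portgroups:
        by_vlan[(switch, vlan)].append(name)
        if kind == "vSS":
            findings.append(("warn", f"{name} is on standard switch {switch}; "
                                     "it must be duplicated on every host by hand or script"))
    for (switch, vlan), names in by_vlan.items():
        if len(names) > 1:
            findings.append(("high", f"VLAN {vlan} on {switch} shared by "
                                     f"{', '.join(names)}: broadcast domains overlap"))
    by_pg = defaultdict(list)
    for ext, pg in external_networks:
        by_pg[pg].append(ext)
    known = {p[0] for p in portgroups}
    for pg, exts in by_pg.items():
        if pg not in known:
            findings.append(("high", f"{', '.join(exts)} reference unknown port group {pg}"))
        elif len(exts) > 1:
            findings.append(("high", f"port group {pg} backs {len(exts)} external networks "
                                     f"({', '.join(exts)}); the mapping must be one to one"))
    return findings
```

Run against a real vSphere and vCloud Director inventory, the same function flags tenants whose external networks would share a broadcast domain before any vApp is deployed on them.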
ORGANIZATION NETWORKS: OVERVIEW
Contained within an organization
Allows vApps within the organization to communicate with each other or with external endpoints
Can be connected to external networks as:
• Public (External Org Direct)
  – Bridged connection to an external network
  – Others outside the organization can see it
• Private Routed (External Org NAT-Routed)
  – Connected to an external network through a vShield Edge
  – Can be configured for NAT & firewall
…or left unconnected to external networks:
• Private Internal (Internal Org)
  – No external connectivity
Backed by network pools
VAPP NETWORKS: OVERVIEW
Contained within a vApp
• Inherently Private Internal
Allows VMs in a vApp to communicate with each other or, by connecting them to Org networks, with other vApps
Can be connected to Org networks as:
• Public (Direct)
  – Bridged connection to an organization network
• Private Routed
  – Connected to an organization network through a vShield Edge
  – Can be configured for NAT & firewall
Backed by a network pool
VMware vShield
• Provides network edge security
• Provides firewall, NAT, port forwarding, IP masquerading and DHCP functionality (enforces multi-tenancy)
• Edge appliances are deployed and managed by VMware vCloud Director on vSphere.
NOTE: Does not include site-to-site VPN and load balancer
TYPES OF NETWORK POOLS
Portgroup-backed
• Create isolated port groups in vSphere manually or with automation
• Attach a collection of them to VMware vCloud Director
VLAN-backed
• VMware vCloud Director will automatically create port groups as needed, and use a range of VLANs to isolate them
VMware vCloud Director Network Isolation-backed (VCDNI)
• Proprietary network isolation technology
Network pool building blocks (diagram labels):
• VLAN-backed: vNetwork Distributed Switch + VLAN tags
• VCDNI: vNetwork Distributed Switch + one VLAN for transport
• Portgroup-backed: port groups on a vSwitch or vNetwork Distributed Switch
Diagram (labels only): ExternalNet (VLAN) – vShield FW – OrgNet (vCD-NI) – vShield FW – AppNet (vCD-NI) with App VMs.
TRAFFIC FLOW EXAMPLE
Diagrams only in the original (two slides).
VCLOUD API
• RESTful
  – Designed for web infrastructure
  – Extensible, modular
• Released in “open” form
  – Version 0.9 currently public
• Spans vCenter instances
  – Operates across multiple vCenter Servers
• 100% virtual
  – VIM API unchanged
• With the OVF standard, unlocks the ability to move vApps across clouds (hybrid cloud use case)
2 LOGICAL APIS FOR VMWARE VCLOUD DIRECTOR
1: VMware vCloud Director “Admin API”
• Automate VCD management
• Attach virtual/physical resources
• Manage organizations, users, etc.
• RESTful for loose coupling to existing systems
2: vCloud API
• Standard way to consume vCloud resources
ORCHESTRATION + VMWARE CLOUD DIRECTOR
Diagram (labels only): end users reach a user portal (Redwood Portal, VCD Portal) that drives an orchestration engine; the engine talks to the vCloud API (VMware vCloud IaaS, vCenter Chargeback), to the vSphere API (VMware vSphere hosts and datastores, physical config) and to back-end systems (financial, approval, asset, CMDB, …). Flows shown: 1. user workflow initiation; 2. user resource interaction.
JUNIPER SOLUTIONS
Diagram series (labels only), the vCloud network of the earlier slides with Juniper components added step by step:
• Baseline: ExternalNet (VLAN) – vShield FW – OrgNet (vCD-NI) – vShield FW – AppNet (vCD-NI) with App VMs
• vGW added alongside the App VMs
• vGW plus an SRX firewall (FW SRX) at the external edge
• vGW plus a vSRX firewall (FW vSRX) at the external edge
• vSRX replacing the vShield edges, with vGW
VGW – NETWORK VISIBILITY
Navigate, see traffic flows, troubleshoot
Benefits:
• Visibility into all VM communications
• Ability to spot design issues with security policies
• Single click to more detail on VMs
• Export flows for analysis
VGW – INTROSPECTION
“X-ray” VMs and automate compliance enforcement
Benefits:
• Know exactly what’s installed in a VM
• Automatically attach the relevant security policy
• Define & enforce a “gold” image (template or VM)
VGW – SMART GROUPS
Smart Groups allow the use of attributes to create dynamic system associations.
Benefits:
• Tie vGW product discoveries to Smart Group definitions
• Tie vCenter and VM config attributes to Smart Group definitions
• Attributes are read in real time, so if a VM changes in vCenter it is instantly updated in vGW
• Priority and precedence levels can be defined to tier groups easily
The Smart Groups help capability lets the administrator see the name, description and values of attributes.
VGW AND HOW VGW CAN HELP ORCHESTRATE SECURITY
Diagram (labels only): VM1, VM2 and VM3 on VMware vSphere protected by vGW (Altor); the network with a Juniper EX switch and a Juniper SRX with IDP; STRM for log collection. Integrations shown: central policy management, zone synchronization, traffic mirroring to IPS, firewall event syslogs, NetFlow for inter-VM traffic, orchestration APIs.
DC MANAGEABILITY CHALLENGES WITH SERVER VIRTUALIZATION
1. Blurred roles between the server and network admin.
2. No automation/orchestration to sync up the two networks.
3. VM migration can fail.
4. Proprietary products & protocols.
Diagram (labels only): the network admin owns the physical network and the server admin the virtual network; VMs VM1–VM3 across hosts, with ports labelled A, B and P.
SOLUTIONS WITH JUNOS SPACE VIRTUAL CONTROL
1. Clear roles and responsibilities
2. Automated orchestration between physical and virtual networks
3. Scalable solution – allows VMs to move freely
4. Open architecture
Diagram (labels only): Virtual Control spans the network admin's physical network and the server admin's virtual network; VMs VM1–VM3, with ports labelled A and P.
NETWORK RELATED ACCESS
Server admin should not have the following access:
• Move network
  – This can be a security concern
• Configure network
• Remove network
Server admin should have:
• Assign network
  – To assign a network to a VM
WILL QFABRIC HELP ME ORCHESTRATE?
QFabric: one device, one hop, non-blocking
• As the QFabric Director acts as the brain for the fabric, you only have to request the relevant information from this one device in order to guarantee the characteristics the application requires
• Fewer devices to orchestrate
• Less complex
• Simpler to deploy applications based on SLA
Diagram (labels only): Application – Orchestration Engine – QFabric Director
JUNIPER’S OPEN CLOUD ORCHESTRATION MODEL
Juniper provides an open interface model for cloud orchestration.
Diagram (labels only):
• Compute and storage: x86 platform from Intel; Hyper-V and KVM hypervisors; containers and virtual machines (Linux, Windows); PHP, Java, Rails and Node.js runtimes; services
• Network: routing, switching, security
• Network abstraction, orchestration and automation through XML API, Junos scripting, Junos Space and OpenFlow
• Cloud governance and lifecycle management
QUESTIONS?