PLUMgrid Open Networking Suite Service Insertion Architecture

Transcription

1 White Paper PLUMgrid Open Networking Suite Service Insertion Architecture Introduction A rapid increase in the use of cloud services across the globe require networks to be adaptable and flexible. PLUMgrid Open Networking Suite (ONS) was built from ground up to dynamically adapt with the growing needs of the cloud. The focus of PLUMgrid ONS is to provide industry leading flexibility to its customers without compromising performance. Keeping this philosophy in context PLUMgrid ONS provides seamless integration with various third party services allowing customers to utilize third party tools in conjunction with the PLUMgrid ONS, a bespoke service insertion architecture was developed to ensure effective integration with various third party services. The Need for Network Service Insertion Designing and implementing network infrastructure and integrating software capabilities, that we call Virtual Network Infrastructure (VNI) sometimes referred to as Software Defined Networks (SDN) requires planning and is part of the bigger picture in moving towards cloud based data centers. Building OpenStack networks isn t one size fits all. Customers have existing investments in network appliances (physical and virtual) that they also want to bring forward to their OpenStack clouds. In some instances, they can accomplish it by leveraging Neutron plugins from the network appliance vendor - and PLUMgrid s Neutron plugin will work side by side with FWaaS/LBaaS vendor plugins. However, not all network appliances have OpenStack plugins and this is where PLUMgrid SIA is a massive benefit. PLUMgrid s SIA is a generic framework that allows us to service chain/stitch in a topology any 3rd party network appliance - physical, virtual or container based - to complement PLUMgrid s VNF (Virtual Network Functions) portfolio inside a Virtual Domain. The network architecture can be complex with multiple vendors infrastructure taking their positions in customers data center, simplification of VNI and its integration with existing network and 3rd party vendor network services is crucial. With the increasing diversity in open-sources network services as well as commercial solutions, insertion of 3rd-party services on a case-by-case basis is becoming increasingly impractical. Hence, it is important that service insertion is supported at an architectural level in a production-grade virtual networking product. The SIA is one of the foundational block of PLUMgrid ONS. The PLUMgrid ONS is a software-only solution that provides a rich set of built-in distributed network functions such as routers, switches, NAT, IPAM, DHCP, and it also supports security policies and end-to-end encryption. The PLUMgrid ONS is deployed in OpenStack based deployment via OpenStack Neutron as a plugin forming an overlay network on top of the physical network. The architecture is designed to incorporporate 3rd party commercial and open source L3-L7 components into the virtual network infrastructure. 1/ PLUMgrid, Inc. All rights reserved.

2 PLUMgrid Zone Components Before delving into the details of the SIA it is important to understand all the key components of PLUMgrid zone and the role they play: PLUMgrid Director, Virtual Domains and IO Visor which collectively form the PLUMgrid zone as shown in figure 1. Virtual Domain A Virtual Domain B PLUMgrid Directors PLUMgrid IO Visor Gateways VM VM VM VM VM VM VM Figure 1: PLUMgrid Zone PLUMgrid IO Visor Edges PLUMgrid Director The Director is the brain of the PLUMgrid Platform. It is responsible for coordinating and managing all the other platform components. Based on PLUMgrid s distributed system architecture, it provides built-in high availability and scaling. The Director allows you to create Virtual Domains on a per tenant or application basis. Virtual Domains Virtual Domain is a logical data center. A Virtual Domain can be created on demand as an overlay to provide all the networking services (e.g., routers, switches, IPAM, DHCP, NAT, etc.) necessary to build a cloud network. A single instance of PLUMgrid Platform can support thousands of Virtual Domains. Each Virtual Domain is managed by one tenant and provides complete security, isolation and administrative control for its tenant. Changes can be made in-service and without affecting other tenants or the underlying physical network. IO Visor The PLUMgrid s IO Visor technology is the programmable data plane component used to implement distributed network functions. It provides connectivity to virtual machines, other Virtual Domains, physical network infrastructure and the. The IO Visor provides the capability to develop new data plane functions through the SDK. It allows new network functions to be loaded at run-time and without requiring a reboot. The IO Visor is deployed as either an Edge (i.e. compute node) or a Gateway (i.e. interface to legacy or physical networks). PLUMgrid Service Insertion Architecture The PLUMgrid SIA is part of the holistic architecture of PLUMgrid Platform. SIA addresses increasing demands of the customers for a flexible, agile, manageable cloud infrastructure, where networking is enabler and not a roadblock. SIA allows third party network functionality into the existing virtual network infrastructure. The SIA enables third party Virtual Network Functions (VNF) such as,, NAT, DHCP, Firewall, Load Balancer and so on to be added as a plugin in L3-L7. 2/ PLUMgrid, Inc. All rights reserved.

3 Physical Appliance Virtual Appliance Container Based Service Insertion Architecture PLUMgrid Platform Why PLUMgrid s SIA is Industry-leading Solution Figure 2: PLUMgrid Service Insertion Architecture Virtualization promise keeper: One of the key reasons why consumers felt the need of virtualization is efficiency in resource utilization. PLUMgrid SIA keeps this promise to its customers by minimizing its footprint on the hypervisor thus preserving the precious CPU and memory resources for tenant services. SDN promise keeper: It also keeps the promise of the Software Defined Networking (SDN) of vendor independent by being hypervisor and Cloud Management System (CMS) agnostic. Automated deployment, management and monitoring: This is provided throughout the lifecycle of the service. High Availability: This caters for service, Operating System or node-level crashes. PLUMgrid SIA Modes PLUMgrid SIA offers three modes for 3rd party commercial and open source software integration with the PLUMgrid Platform: Physical Appliance Virtual Appliance Container Based Physical Appliance PLUMgrid SIA leverages the existing Physical Network Function (PNF) of a physical service appliance such as a physical router in the Physical Network Infrastructure (PNI). This enables the Virtual Network to leverage existing hardware assets in datacenter and optimize the total cost for new cloud based deployment. PLUMgrid SIA also supports the multi-tenancy of the physical service appliance for example one VLAN per tenant can be shared among multiple Virtual Domains. The network functionality of physical service appliance becomes part of the virtual network and the traffic flows via the physical appliance. In the network topology, the physical appliance is inserted via PLUMgrid gateway. PLUMgrid gateway provides the connection between the external resources and PLUMgrid Platform such as external network, network service appliance and bare-metal servers as shown in figure / PLUMgrid, Inc. All rights reserved.

4 LB Figure 3: Physical Appliance Service Insertion The network diagram above shows how the traffic from an external network for a tenant flows through the PLUMgrid gateway and physical appliance to the virtual machine. Note that the network function of router and bridge of the physical appliance here offers network functionality to the PLUMgrid Virtual Domain in the Virtual Network. Virtual Appliance The SIA mode for virtual appliance differs from the physical appliance in terms of the resource it leverages i.e. the network functionality of the virtual service appliance. Unlike the physical mode, the virtual service appliance are deployed as Virtual Machine on an edge. The edge is a key component of the PLUMgrid Platform that runs in the hypervisor and provides networking for the VMs. The ability to launch a virtual appliance as a virtual machine provides a high level of flexibility to the process LB Figure 4: Virtual Appliance Service Insertion Figure 4 shows how the traffic from the external network flows into the virtual network through a PLUMgrid gateway to virtual load balancer deployed as a VM on an edge. The virtual appliance then sends the traffic over virtual network fabric as per user s setting. 4/ PLUMgrid, Inc. All rights reserved.

5 Container Based Similar to virtual appliance insertion, PLUMgrid ONS supports container based insertion of services based on business needs. PLUMgrid SIA allows the deployment of a container on an edge. A container is therefore deployed through a virtual machine residing on an edge. While using a container based mode, all traffic is hair pinned through the inserted container. Figure 4 shows how traffic flows when a container is leveraged within a PLUMgrid zone. Figure 5: Container Service Insertion The network diagram shows how the two VMs are utilizing resources such as third party router capability deployed in through container insertion. For VMs to communicate, network traffic flows from VM1 to VM2 in a Virtual Domain through the third party container. Last but not least, high availability is a mandatory requirement for any large-scale cloud solution. With the ability to automatically detect and recover from process-, docker-, hypervisor-, and server-level crashes, the PLUMgrid Platform can replay and restart services based on the stored service-level configurations. Distributed Data Plane PLUMgrid SIA is designed to enable integration of 3rd party network functions to the PLUMgrid Control Plane The deployed 3rd party VNFs in the control plane communicates with the existing PLUMgrid VNFs (PLUMlet) of the multiple VMs in the distributed data plane bringing scalability to the network. The deployment and configuration of the 3rd party open source software is as per all other VNFs. Figure 6: Distributed Data Plane Service Insertion 5/ PLUMgrid, Inc. All rights reserved.

6 The network diagram indicates PLUMlets in the VMs such as PLUMgrid communicating through the third party router in the Control Plane. The network traffic flows from one VM to another VM as per Users setting through the third party router in data plane. Community and Partner Integration PLUMgrid SIA is designed to support multiple vendors and is vendor agnostic. This agnostic nature of the platform allows seamless integration across multiple third party services. The PLUMgrid Platform has been integrated with a large number of commercial 3rd party Layer 4-7 Network Services and a portfolio of open-source networking functions. This flexible integration of the platform allows businesses to leverage existing LBaaS and FWaaS components. PLUMgrid integrates with Quagga, pfsense and Bird which allows the deployment to leverage third party components and build a cohesive, flexible network deployment. Conclusion PLUMgrid SIA provides an industry leading solution for integrating 3rd party open source and commercial network services to the Virtual Network on top of the VNF services provided by the PLUMgrid Platform, so customers can have best of both worlds and leverage the resources that they currently have in their data center. PLUMgrid is a leader of secure and scalable software-defined networking (SDN) solutions for OpenStack clouds. To learn more about PLUMgrid visit: 6/ PLUMgrid, Inc. All rights reserved.