CloudLink - The On-Ramp to the Cloud Security, Management and Performance Optimization for Multi-Tenant Private and Public Clouds

Transcription

1 - The On-Ramp to the Cloud Security, Management and Performance Optimization for Multi-Tenant Private and Public Clouds February 2011

2 1 Introduction Today's business environment requires organizations of all types to reduce costs and create flexible business processes to compete effectively in an ever changing market. The pace of technology change continues to increase, yet IT costs must be reduced, leading many companies and government bodies to look for alternative approaches. This has led to a high level of interest in private, public and hybrid cloud computing solutions that transform the IT infrastructure into a dynamic, on-demand utility. Most IT departments have spent many years building solid processes, scalable procedures and internal systems expertise to make their data centers reliable and manageable. The key challenge for cloud computing providers is to deliver solutions that allow organizations to maintain internal control of sensitive data, deliver reliable, predictable performance to their end-users, while reducing costs and improving time to market for new applications and business systems. As organizations look to build multi-departmental private clouds or employ public cloud services, the concerns of security, manageability and performance optimization become critical and must be addressed. AFORE s CloudLink virtual appliance and management software suite is built to address these fundamental issues and enable a significant increase in the adoption of private, public and hybrid cloud computing. AFORE s CloudLink software solution provides a secure, optimized and managed on-ramp to link an enterprise data center to the cloud computing infrastructure. CloudLink extends enterprise security and manageability into the cloud while optimizing communication between data centers and cloud centers. CloudLink also equips the enterprise with powerful performance monitoring and troubleshooting tools to ensure that the required Service Level Agreement (SLA) levels are achieved. CloudLink primarily targets Infrastructure as a Service (IaaS) applications in a private, public or hybrid cloud environment, providing the following key capabilities: End-to-end encryption of data in motion and data at rest for multi-tenant private and public clouds Encrypts all layer 2 (Ethernet) and layer 3 (IP) cloud communications Encrypts all data written onto the cloud storage subsystem Integration with Key Management Systems Optimizes cloud connectivity with advanced TCP/IP acceleration and packet loss prevention; Monitors network SLAs and provides powerful fault isolation and troubleshooting tools; Provides per VM (virtual machine) traffic flow management capability; Extends the enterprise data center and enables mobility of virtual machines; Supports unique dual management capabilities which allow both enterprise users and cloud providers to simultaneously manage communications and monitor SLAs with independent rights and privileges; Scales to support multiple tenants and multiple virtual data centers in the cloud; Integrates seamlessly with VMware vcenter and VMware vcloud Director platforms. 2 Document Version 1.1

3 CloudLink s rich set of features offers a distinct value proposition for both enterprises and service providers. It resolves key cloud networking issues by combining the essential requirements of optimization, security and management into a single software solution. 2 CloudLink Architecture The CloudLink software solution contains three major components: CloudLink Center : A management application delivered as a VMware vsphere Client plug-in. CloudLink Center s management interfaces support user authentication, VPN management, encryption key management, network optimization management, traffic management, SLA monitoring and testing, performance dashboard, alarm reporting and VM deployment tools. All capabilities are available via a web services interface and can be accessed via a web browser. CloudLink Gateway : A software virtual appliance deployed in the enterprise data center that provides a gateway to the cloud. It communicates with multiple CloudLink vnodes to create secure and optimized connections between the enterprise data center and the cloud environment. The Gateway originates performance tests and constantly monitors SLA Key Performance Indicators (KPIs). CloudLink vnode : A software virtual appliance deployed in the cloud. The vnode creates a secure cloud shield for the VMs and ensures that all communications between VMs in the cloud and in the enterprise data center are encrypted, optimized and managed, as well as all the data stored in the cloud storage layer.. CloudLink Center s web server and the CloudLink Gateway are delivered as a single virtual appliance in standard OVA format ready for installation on any VMware ESX/ESXi server. The CloudLink vnode is packaged as a separate virtual appliance using standard OVA format. Users can upload this appliance into a cloud-based virtual data center (vdc) via a cloud provider s management portal, employing applications such as VMware vcloud Director. The CloudLink management software enables a single click deployment of the vnode - as a vapp/vm into the cloud providing end-to-end security, remote management, performance optimization and SLA monitoring for applications that are deployed into the vdc. 3 Document Version 1.1

4 Figure 1. CloudLink On Ramp to VMware vcloud 4 Document Version 1.1

5 3 CloudLink Solutions 3.1 Security One of the key considerations when moving to a public or private cloud is Secure Multi-Tenancy (SMT). SMT involves two security aspects: protection of data in motion and at rest. Enterprise data owners do not have to rely exclusively on the policy-based security provisions of Cloud Service Providers. SMT gives enterprise users ultimate control of their data in the Cloud by giving control of the encryptions keys to their data as it moves through the shared networks and as it lands on a shared storage. This allows for data protection from potential intruders and cloud administrators. CloudLink provides end-to-end secure communication between the enterprise data center and the cloudbased virtual data center using robust AES-256 encryption algorithms. CloudLink supports both layer 2 and layer 3 SSL VPNs and works seamlessly through existing virtual switches, routers and wide area networks. The first step in deployment of CloudLink is the creation of secure VPN tunnels between CloudLink Gateway and CloudLink vnodes. These tunnels can be configured in layer 2 or layer 3 mode over any WAN. Once the secure tunnels are established, enterprise customers can safely deploy VMs or select / instantiate VM templates in the cloud. vnodes that are deployed in the cloud provide a suite of services to protect communications in and out of the virtual data center, including the option to protect sensitive data that is stored at-rest in the cloud provider s data center. The second step involves creation of the secure storage in the form of encrypted volume or LUN (Logical Unit) in the Cloud SAN environment. Each vnode maps its own encrypted volume, so that different legal data owners are separated from each other not only by the means of policy-based protection, but also by encryption. Encryption keys may be automatically generated before the CloudLink vnode is deployed thereby simplifying key management tasks. Enterprise users have full control of encryption keys for both the Gateway and vnodes under the control of CloudLink Center, enabling users to update their keys via the secure in-band management channel. Special care is taken to ensure that the enterprise-owned DEKs (Data Encryption Keys) are never stored or transferred in cleartext and can be promptly withdrawn by the enterprise at will. Cloud administrators do not have access to DEKs, or the wrapping keys used to encrypt the DEK, therefore neither cloud administrators, other tenants nor intruders can access the enterprise, data in motion or at rest. CloudLink works in conjunction with VMware vcloud Director s networking capabilities such as networking fencing and vshield firewalls. This solution isolates the virtual machines (VMs) in a private network in the vdc and encrypts all communications between VMs in the vdc and the enterprise data center. 5 Document Version 1.1

6 Figure 2 CloudLink vdc Security Gateway in VMware vcloud Director 3.2 Performance Network performance issues such as latency and packet loss can significantly impact the overall performance of cloud based applications. TCP/IP based communications often lose efficiency and fairness when network latency increases and may not be effective in meeting the demands of storage applications which typically require a loss-less, reliable transport network for application performance requirements and business objectives. CloudLink optimizes the network connections between the enterprise data center and cloud environment with advanced network optimization techniques that significantly improve the overall performance of applications that interconnect over the WAN. Kernel-spacing of critical operations. CloudLink performs most critical operations in the kernel space of the OS. Eliminating the data copy operations for both VPN and block-level encryption which maximizes the performance of the entire system. Loss-less real time data compression. As a configurable option, CloudLink can compress all packets in real time for a specific connection between CloudLink Gateway and CloudLink vnode. Moving storage data and VMs between the enterprise data center and cloud environment requires significant WAN bandwidth and time. CloudLink saves bandwidth and improves the overall throughput of the link by compressing the data. 6 Document Version 1.1

7 TCP proxy over accelerated tunnels. The TCP transport protocol was designed in early 1980 s when bandwidth requirements for applications were low. TCP bandwidth discovery, slow-start and congestion avoidance algorithms are not optimized for today s high performance applications, especially for high speed communications between data centers. CloudLink improves network performance with two key technologies. CloudLink accelerates communications between the Gateway and vnodes with a high performance data transport protocol optimized for high speed transfers between high performance computing systems. CloudLink s VPN technology uses rate based congestion control to tune the inter-packet sending time in place of TCP s window based control mechanism. This intelligently controls the maximum number of inflight packets and provides rapid re-transmission in the event of dropped packets. CloudLink s optimized transport technology increases network throughput and minimizes latency. Second, both CloudLink Gateway and vnodes support TCP proxy. TCP sessions are terminated at the Gateway and vnodes. The user payload is then relayed over CloudLink s secure and accelerated VPN tunnels. Per flow buffer management, flow control and connection management techniques further optimize the end-to-end performance. With TCP proxy and accelerated transport tunnels, CloudLink significantly increases bandwidth efficiency and application performance over high speed links between the enterprise and the cloud data centers. Advanced traffic management. CloudLink further improves network and application performance by providing traffic management on a per-connection and per-vm basis. CloudLink performs traffic rate limiting and traffic shaping for each accelerated VPN tunnel using a traffic policy profile. This ensures that each tunnel will be guaranteed a committed information rate and traffic will not exceed a peak information rate. Traffic management policies can be applied to individual virtual machines ensuring that each VM is allocated a fair and managed portion of the overall bandwidth. CloudLink appliances enforce the traffic rates (peak rate and committed rate) on per-vm basis, and also provide the ability to modify such policies based on time of day. This level of control ensures that the QoS requirements of sensitive applications, such as virtual desktops and unified communications, can be met on an end-to-end basis. 3.3 Manageability An essential requirement of private, public or hybrid clouds is to preserve overall management and control of the IT infrastructure, whether physically located at a local data center or located in the cloud. Such management capabilities must include physical or virtual servers, storage, security policies, applications and management of networking elements. CloudLink equips enterprise IT administrators with a powerful suite of capabilities to monitor and manage the end-to end communications between applications in the enterprise data center and those residing in the cloud. Extend enterprise control and management into the cloud: CloudLink Center provides a unified suite of capabilities to manage the security, performance and SLAs of communications between data centers. CloudLink Center is designed as a VMware vsphere Client plug-in, enabling IT managers to launch CloudLink Center from their VMware vcenter console. IT managers can use these tools to deploy CloudLink vnodes into the cloud. Several vnodes can be managed from a single CloudLink Center over the in-band secured link between CloudLink Gateway and CloudLink vnode. Once a vnode is deployed in the cloud, enterprise users can manage the security policies, encryption keys network performance optimization policies and traffic management operations from a central location. 7 Document Version 1.1

8 Service assurance and SLA monitoring: Network SLA and performance monitoring tools are an essential element of cloud management. The wide area network connectivity between the data center and cloud environment may traverse several service provider networks or many WAN switches and routers creating the potential for network performance issues. When an application is not performing as expected it is important to determine the cause of the bottleneck. Is the server overloaded? Is the network congested? Or has the network latency increased due to an outage? All too often, today s management tools leave one guessing. CloudLink provides a powerful tool set to monitor the communications infrastructure from within the server itself, across the data center and wide area networks, through the cloud provider s network and into the virtual data center servers in the cloud. This end-to-end visibility equips the IT manager with the information required to identify performance issues and conduct troubleshooting operations to ensure that SLA objectives are being met. AFORE has many years of experience developing OAM (operation, administration and management) software for deployment in service provider networks. CloudLink employs this technology to extend the reach of carrier class OAM capabilities to the cloud. In fact, the scale of today s data centers requires a solution able to simultaneously monitor hundreds, even thousands of sessions. Such scale is a requirement in the service provider world and a similar scale is now required for deployments in the cloud. Connection status monitoring: The CloudLink Gateway and CloudLink vnodes continuously exchange continuity check messages to monitor the link status from enterprise data center to the cloud. Users will be notified of any link status failure via the CloudLink Center topology map and the alarm panel. Delay measurement: CloudLink s OAM technology monitors round trip delay and delay variation. The delay measurement diagnostic tools can be employed for in-service and out-of-service conditions such as initial turn-up of the network. Loss measurement: CloudLink uses synthetic loss measurement frames to characterize the packet loss in the network. Users can initiate loss measurement testing to measure the near end (Gateway side) packet loss ratio and far end (vnode side) packet loss ratio. Loopback test: CloudLink supports loopback capabilities for trouble shooting and fault localization. Users can initiate a loopback from the Gateway to the vnode or vice versa. This will isolate the problem either in the network domain or in the cloud service provider domain (e.g. the network in the vdc). Throughput test: CloudLink allows users to perform throughput tests to measure the subscribed level of bandwidth between the data center and cloud. The extensive set of performance data collected by CloudLink enables enterprise users to benchmark real performance and compare against application performance objectives to quickly assess if the network performance meets the expected SLAs. Dual management: In a managed services model, both cloud service providers and enterprise customers will benefit from having independent access to SLA and performance management data. CloudLink provides a unique split horizon management plane enabling enterprise users & cloud providers to simultaneously manage communications, each with independent rights & privileges. With independent control, enterprise users can control encryption keys, manage security policies & view performance statistics, while the service provider can manage VPN connectivity, perform SLA testing, isolate network issues and form a complete picture of overall performance of the offered service. Service providers can offer CloudLink s capabilities as a value added service to differentiate their offerings. In a private cloud environment, individual departments can manage and monitor their portion of the infrastructure, while central IT staff manage the entire private cloud as a shared utility. 8 Document Version 1.1

9 Figure 3 Powerful SLA Monitoring and Diagnostics 4 CloudLink Benefits CloudLink s rich feature set and unique functionality offers a distinct advantage to both enterprise customers and service providers looking to augment their service offering. CloudLink resolves key cloud networking issues by combining the essential requirements of optimization, security and management into a single software solution that enables Secure Multi-tenancy in private and/or public IaaS cloud. This combined functional approach provides enterprises with a one-stop solution to avoid the costly acquisition of unique security, management and optimization hardware / software products and provides a rapid return on investment. Empower the enterprise with control in the cloud. CloudLink provides the enterprise with overall control of cloud security by giving the enterprise sole control of encryption key management. It enables the enterprise to monitor cloud network performance in a manner consistent with the tools used to manage their own data centers. By deploying CloudLink, the enterprise gains end-to-end control and extend their management capability into the cloud. Enable value added services for cloud providers. CloudLink allows cloud service providers to differentiate their service offerings. CloudLink virtual appliances can be published as a vapp template in a cloud provider s value added service catalog potentially generating additional revenue for the provider. Each CloudLink virtual appliance runs in a designated vdc and therefore well suited for service providers multitenant cloud environment. 9 Document Version 1.1

10 No IT infrastructure and application changes required. CloudLink is a plug and play solution operating within an existing IT and network infrastructure. No additional hardware is required for the enterprise or cloud provider. With its data center bridge extension capability, virtual machines may be moved between locations for additional flexibility. Avoid cloud lock-in. VMware vcloud offerings are widely available. A single CloundLink Gateway operates with CloudLink vnode s deployed across a number of cloud providers. Unlock the economic benefits of the cloud. CloudLink combines security, performance and manageability in a single solution that integrates seamlessly with VMware s vcloud, vcloud Director and vcenter environment. CloudLink accelerates the adoption of private, public and hybrid cloud services while protecting the existing data center and IT investment. 5 Conclusions Enterprise s adopting private, public or hybrid cloud services wrestle with the challenges of security, performance, manageability and integration with the existing IT infrastructure. CloudLink secures all communications to the cloud and all the data stored in the cloud, optimizes the network, provides SLA monitoring and fault diagnostic tools and offers unique dual management capabilities for private and public cloud federation. With seamless integration with VMware s vcloud environment, CloudLink is the next generation on-ramp to the cloud. 10 Document Version 1.1