Lecture 02b Cloud Computing II

Transcription

1 Mobile Cloud Computing Lecture 02b Cloud Computing II 吳 秀 陽 Shiow-yang Wu T. Sridhar. Cloud Computing A Primer, Part 2: Infrastructure and Implementation Topics. The Internet Protocol Journal, Volume 12, No.4, Dec Mobile Cloud Computing Cloud Computing II 2 Note 1

2 Network Infrastructure The data-center server organization has often adopted a three-tier architecture. a web or Presentation Tier on the front end an Application Tier to perform the application and business-processing logic a Database Tier (to run the DB management system) (Figure 1 on the next slide) It follows that the server connectivity and the network topology for the cloud data centers might follow a similar organization. Mobile Cloud Computing Cloud Computing II 3 Data Center Extension IaaS If the cloud is seen as an extension of the existing data center, IaaS is a natural fit. You would specify the number of servers in each tier, load the appropriate server image, specify the links between them, and specify the network connectivity. The cloud provider handles the elasticity by ensuring that the number of servers and switches is adequate for you. Per-use billing and on-demand resource addition and removal are also provided by the cloud provider. Mobile Cloud Computing Cloud Computing II 4 Note 2

3 PaaS Infrastructure In PaaS, you transfer more control to cloud provider. The platform can scale transparently without your involvement other than at the time of configuration. Cloud providers can realize this function often with a three-tier topology similar to traditional data centers. Some of them have innovated to perform parts of the function differently. Eg. DB functions may rely upon a model of scaling out (splitting the DB across multiple servers) instead of scaling up (increasing the capability of the machine). Mobile Cloud Computing Cloud Computing II 5 SaaS Infrastructure SaaS vendors have the highest degree of control. The topology can be similar to existing data centers and scale up or down according to the number of users added. Most of them are quite straightforward. Mobile Cloud Computing Cloud Computing II 6 Note 3

4 Mobile Cloud Computing Cloud Computing II 7 Virtualization and Its Demands on Switching There are some addressing and control factors to consider on supporting things like virtual switch. Consider a data center with 100 servers, each with 16 VMs but one physical 10-Gbps Ethernet connection from each physical machine. With traditional method, you need 16 MAC and IP addresses for each server, a total of 1600 addresses. This problem is exacerbated when you increase the number of VMs per server. Switching between MAC addresses belonging to the virtual machines is done by the virtual switch. Mobile Cloud Computing Cloud Computing II 8 Note 4

5 Virtualization and Its Demands on Switching The virtual switch treats the physical link as an uplink to the external physical switch. Each physical host can have more than one virtual switch to support greater logical segmentation. It is common for each of the virtual switches to have its own physical uplink to the external switch. Virtual switch does not need to learn MAC addresses. It forwards all destination-unknown frames over the physical link (or uplink to the physical switch). It switches traffic between the intramachine VMs according to policy (eg. prohibit such traffic). Mobile Cloud Computing Cloud Computing II 9 Virtualization and Its Demands on Switching The virtual switch is just used for aggregation and access control within a physical server hosting VMs. Management of virtual switches can follow an aggregation model (i.e. multiple virtual switches managed through an external node). (next slide) This external node provides the management view. This separation of control- or management-plane functions permits easier VM migration. Problem: Inter-VM traffic within the same machine is not visible and cannot be appropriately monitored. Mobile Cloud Computing Cloud Computing II 10 Note 5

6 Virtual Switch Mobile Cloud Computing Cloud Computing II 11 IaaS Private Clouds If a private cloud to enterprise A is realized as a partition in a the IaaS provider s public cloud, then the private cloud should be reachable as a LAN extension to the servers in A s data center. (next slide) A secure Virtual Private Network (VPN) tunnel is set between the A s data center and the public cloud using public IP addresses. The VPN gateway uses multiple contexts each context corresponding to a specific private cloud. Traffic from enterprise A is decrypted and forwarded over to an Ethernet switch to the private cloud. Mobile Cloud Computing Cloud Computing II 12 Note 6

7 Mobile Cloud Computing Cloud Computing II 13 Possible Evolution Scenarios Automation of the VPN connection between the enterprise and cloud service provider. Integration of the VPN functions with the site-to-site VPN network functions from service providers. Cloud service providers using multiple data centers. CloudNet is an example being developed by AT&T Labs and the U Mass Amherst to address the two scenarios above. Mobile Cloud Computing Cloud Computing II 14 Note 7

8 Layer 2 vs Layer 3 Connectivity Layer 2 (switching) or Layer 3 (routing)? Layer 2 is simpler, where the MAC address and VLAN information are used for forwarding. The disadvantage of Layer 2 networks is scalability due to flat topology. Can use routing and subnets to provide segmentation at the cost of forwarding performance and network complexity. How about connectivity management for VM migration? (next slide) Mobile Cloud Computing Cloud Computing II 15 Layer 2 vs Layer 3 Connectivity Most common scenario: when a VM is migrated to a different host on the same Layer 2 topology. After migration, IP and TCP packets destined for the VM must be resolved to a different MAC address or the same MAC address connected to a different physical switch. An Address Resolution Protocol (ARP) request from the migrated VM can cause the switch tables to be updated. It may be less complex to freeze the VM and move it across the network. Mobile Cloud Computing Cloud Computing II 16 Note 8

9 Cloud Federation There may be situations where an enterprise needs to work with multiple cloud providers. Cloud interoperability and the ability to share information between clouds become important. This is sometimes known as cloud federation. Cloud federation manages consistency and access controls when two or more independent geographically distributed clouds share either authentication, files, computing resources, command and control, or access to storage resources. Mobile Cloud Computing Cloud Computing II 17 Cloud Federation Issues Single sign-on scheme which can be implemented: through an authentication server maintained by an enterprise that provides the appropriate credentials Or a central trusted authentication server to which all the cloud services interface could be used. CPU and storage resources may be orchestrated through the individual enterprise or through an interoperability scheme (federation agreement). How can the VM migration be done transparently and reliably? Mobile Cloud Computing Cloud Computing II 18 Note 9

10 Cloud Federation Issues Connectivity Layer 2 vs Layer 3 secure tunnel Consistency and a common understanding are required Charging or billing and reconciliation Management and billing systems need to work together business models for peering arrangements Cloud federation is a relatively new area in cloud computing. Mobile Cloud Computing Cloud Computing II 19 Security Topics The provider s security processes will need to be as good as or better than that of the enterprise. An audit of the vendor s processes will need to be done periodically, possibly including patches and security updates for the individual components. Infrastructure and data isolation must be assured between multiple tenants. The hypervisor should be treated as an OS and have the latest security patches applied. Similarly for paravirtualized operating systems. Mobile Cloud Computing Cloud Computing II 20 Note 10

11 Security Topics Security functions can run as virtual appliances. IaaS users can load and configure their own firewall or other security virtual appliance. These virtual appliances need to be managed and patched regularly. Logging and audit trails for applications are important. Cloud providers should enable access to their application monitoring and profiling tools. Authentication mechanisms are required at both ends (cloud user and provider) Mobile Cloud Computing Cloud Computing II 21 Security Topics Configuration and updates to the network infrastructure must be audited and tracked. The cloud infrastructure should support security functions such as intrusion detection and prevention, firewalling, and Denial of Service (DoS) prevention. The cloud service is vulnerable to Distributed Denial of Service (DDoS) attacks. Network-based DDoS prevention is a possible solution. The biggest issue for IT managers to adopt cloud is the problem of security and loss of control. Mobile Cloud Computing Cloud Computing II 22 Note 11

12 Virtualization and Security One option involves plug-ins to the hypervisor so that packets destined to the VMs are captured and processed by the security plug-ins. A second option is to make a specific VM handle the security functions without changing or adding to the hypervisor. For VM migration, it is important that the connection between the source and destination hypervisors is authenticated and encrypted during the course of migration. Mobile Cloud Computing Cloud Computing II 23 Virtualization and Security A rogue hypervisor could overwhelm a destination machine by migrating a large number of VMs to it. Policies and logic are required at the hypervisor level to ensure that these vulnerabilities are addressed. Network-based throttling( 節 流 ) might be required so that live migration does not cause congestion. Mobile Cloud Computing Cloud Computing II 24 Note 12

13 Standards Bodies in CC The Desktop Management Task Force (DMTF) has specified a portable format (the Open Virtualization Format, OVF) for packaging the s/w to run as a VM. Another group under DMTF called the Open Cloud Standards Incubator focuses on standardizing the interactions between cloud environments. The Cloud Security Alliance (CSA) is a new group to address security aspects with a focus on security assessment and management. Mobile Cloud Computing Cloud Computing II 25 Standards Bodies in CC The Organization for the Advancement of Structured Information Standards (OASIS) sees clouds as an extension of the Service-Oriented Architecture (SOA). The Storage Networking Industries Association (SNIA) has a Cloud Storage Technical Working Group (TWG) that works on storage standards. It has developed the Cloud Data Management Interface (CDMI). Mobile Cloud Computing Cloud Computing II 26 Note 13

14 Some Perspectives on CC Cloud computing and SOA: Some view cloud computing as a specific deployment case of an SOA. Server virtualization schemes: No matter what approach is taken, the final decision is on total costs. Other types of virtualization: such as desktop, application, and presentation virtualization. Data transfer and network bandwidth: Data needs to be sent back and forth between the cloud user and cloud provider. The charges can quickly add up. Mobile Cloud Computing Cloud Computing II 27 Some Perspectives on CC WAN acceleration for the cloud: chatty protocols and applications can benefit from WAN acceleration devices. VM migration: Need to consider the amount of data movement when a VM is migrated across a network. Management: Current paradigms are quite discrete and provide a strong level of control. Efforts are being made to unify management schemes. Energy considerations: With CC, overall energy consumption may be reduced. Mobile Cloud Computing Cloud Computing II 28 Note 14

15 Some Perspectives on CC Legal and regulatory considerations: VM migration, data migration, load balancing policies may need to consider legal and regulatory issues. Cloud providers with data centers in different countries may also encounter similar issues. Mobile Cloud Computing Cloud Computing II 29 Conclusion The area of cloud computing is very dynamic and offers scope for innovative technologies and business models. Ongoing work with respect to solutions is substantial (in vendor research labs, product development organizations, as well as in academia) It is clear that cloud computing will see significant advances and innovation in the next few years. Mobile Cloud Computing Cloud Computing II 30 Note 15

16 Assignment 1 A Service on GAE with Datastore Design a GAE service to test the Google cloud platform. Your service must use the Google Datastore for keeping data. You are encouraged to design any type of service you can think of. Must demonstrate your service and explain your design to me. Due date: Mar 22, 2012 Mobile Cloud Computing Cloud Computing II 31 Note 16