Building Scalable Multi-Tenant Cloud Networks with OpenFlow and OpenStack
Dave Tucker, Hewlett-Packard
April 2013
About Me
Dave Tucker, WW Technical Marketing, HP Networking
dave.j.tucker@hp.com
Twitter: @dave_tucker
What we will cover
- Cloud Network Requirements
- Cloud Network Design
- Creating a Network Abstraction with OpenFlow
- Automating the Cloud with OpenStack
- Q&A
Which cloud are we talking about?
Enterprise Private Cloud
- Integration with legacy estates
- Support for legacy applications and behaviors
- L2 adjacency mechanism to enable P2V migration
- Live workload mobility
Public Cloud
- Accessed over the Internet
- Massive scale: tens of thousands of projects, hundreds of thousands of VMs
- Flexibility unconstrained by the HW innovation cycle
- Extreme cost sensitivity
- Pay-as-you-go use model
Telecom Cloud
- Integration of multi-tenancy into the telecom core
- Distributed datacenters
Requirements trickle down from one cloud type to the next.
Critical cloud requirements
Enable a Competitive Cost Structure
- The network should not constrain scale
Consistent Performance @ Scale
- Avoid brown-outs and luck of the draw
- Performance isolation
- High-performance multi-path fabric
Secure Multi-Tenancy @ Scale
- System segregation
- Enforcement of tenant policies
Reliable Automation @ Scale
- Sustain a high rate of churn
High Availability
- Tolerate and isolate failures (server, AZ, region)
Flexibility
- Avoid vendor lock-in
- Avoid lock-in to specific HW functions
- Develop and deploy new services independent of HW development cycles
Hypervisor-Agnostic Network Model
- Consistent security and functional models across multiple hypervisors
Fabric-Independent L2 Functional Model
- Maintain standard network behaviors
Not all apps are created equal
Application requirements to ask about:
- Does the app depend on the infrastructure for availability?
- Does the app implement multi-tenancy itself, and is that implementation trustworthy?
- What level of infrastructure affinity does the app have?
- What is the app doing to data in flight?
Ultimately, you'll likely have to support all of these, which calls for:
- Architectural flexibility to support racks with various network blocking ratios
- A multi-tenancy solution which comprehends both virtual and bare-metal workloads
- Support for multiple HW builds
Accomplishing tenant segregation
HW-Centric
- Encapsulate in the ToR switch
- Switch to destination VM
- Switch to gateway
- Drawbacks: higher acquisition cost; multi-tier automation; tied to the HW innovation pace
SW-Centric
- Encapsulate in the vswitch
- Tunnel to destination VM
- Tunnel to virtual gateway (vgw)
- Advantages: edge-only automation; SW innovation pace
- Drawback: N/S traffic becomes E/W traffic
A SW-centric approach to multi-tenancy within the cloud is not ideal, but it is the right answer today, and it is moving in the right direction for tomorrow.
Performance @ Scale
Deterministic Performance
- Avoid excessive oversubscription
- Allow internal environments to scale without incurring the cost of scaling expensive core components
- Controlled oversubscription between fabrics, to enable high-performance communication while maintaining cost control
- Low to no oversubscription within the L2 fabric, where most east-west communication occurs
Traffic Policing
- Prohibit individual guests from impacting their neighbors through over-consumption of network resources
Subsume Segregation & Policy Enforcement Into the Hypervisor
- Use the hypervisor's existing integrated firewall capability to build a massively scalable distributed firewall
- Avoid highly expensive firewall appliances
- Avoid the network choke points associated with network services appliances
- Implement a virtual network layer to enforce tenant segregation
- Avoid dependence on infrastructure elements for segregation
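The SW-centric model of the previous two slides (encapsulate in the vswitch, tunnel to the destination VM, enforce tenant policy in the hypervisor rather than in an appliance) can be shown as a small OpenFlow-style flow-table pipeline. The Python below is an added example written for this page; it is not HP VCN or Open vSwitch code. The port names, MAC addresses, tunnel keys and the tenant policy are constructed, and the three-table layout and the action names (set_tun_id, set_tun_dst, resubmit, output) are assumptions that mirror how multi-table OpenFlow pipelines are commonly built.

```python
"""Tenant segregation and policy enforcement in the vswitch, modelled as
OpenFlow-style flow tables. Added illustration: not HP VCN or Open vSwitch
code. Port names, MAC addresses, tunnel keys and the policy are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    in_port: str                   # guest vNIC ("vnet1") or the tunnel port ("gre0")
    src_mac: str
    dst_mac: str
    proto: str                     # "tcp", "udp" or "icmp"
    dst_port: Optional[int] = None
    tun_id: Optional[int] = None   # tunnel key, present only on packets arriving via gre0


@dataclass
class Flow:
    table: int
    priority: int
    match: Dict[str, object]       # field -> required value; empty dict matches everything
    actions: List[str]


class VSwitch:
    """One compute node's vswitch. Table 0 classifies ingress and stamps the
    tenant key, table 1 is the distributed firewall (policy enforcement point),
    table 2 forwards within the tenant's own virtual network only."""

    def __init__(self) -> None:
        self.flows: List[Flow] = [
            # packets arriving over the tunnel already carry their tenant key
            Flow(0, 100, {"in_port": "gre0"}, ["resubmit:1"]),
            # table-miss in every table is an explicit drop, never a flood
            Flow(0, 0, {}, ["drop"]),
            Flow(1, 0, {}, ["drop"]),
            Flow(2, 0, {}, ["drop"]),
        ]

    def add_guest(self, port: str, mac: str, tun_id: int) -> None:
        # Ingress from a local guest: only its assigned MAC is accepted (anti-spoofing),
        # then the tenant key is stamped so later tables cannot confuse tenants.
        self.flows.append(Flow(0, 100, {"in_port": port, "src_mac": mac},
                               [f"set_tun_id:{tun_id}", "resubmit:1"]))
        self.flows.append(Flow(2, 50, {"tun_id": tun_id, "dst_mac": mac}, [f"output:{port}"]))

    def add_remote(self, mac: str, tun_id: int, node_ip: str) -> None:
        # Same-tenant guest on another compute node: encapsulate with the tenant key.
        self.flows.append(Flow(2, 50, {"tun_id": tun_id, "dst_mac": mac},
                               [f"set_tun_dst:{node_ip}", "output:gre0"]))

    def add_policy(self, tun_id: int, proto: str, dst_port: Optional[int] = None) -> None:
        # Tenant firewall rule: permitted (proto, port) pairs pass to forwarding; all else drops.
        match: Dict[str, object] = {"tun_id": tun_id, "proto": proto}
        if dst_port is not None:
            match["dst_port"] = dst_port
        self.flows.append(Flow(1, 60, match, ["resubmit:2"]))

    def lookup(self, table: int, ctx: dict) -> Flow:
        hits = [f for f in self.flows if f.table == table
                and all(ctx.get(k) == v for k, v in f.match.items())]
        return max(hits, key=lambda f: f.priority)   # the table-miss flow guarantees a hit

    def process(self, pkt: Packet) -> str:
        """Run a packet through the pipeline and return the final action."""
        ctx = dict(vars(pkt))
        table = 0
        for _ in range(8):                            # bound the resubmit depth
            next_table = None
            for act in self.lookup(table, ctx).actions:
                name, _, arg = act.partition(":")
                if name == "drop":
                    return "drop"
                if name == "set_tun_id":
                    ctx["tun_id"] = int(arg)
                elif name == "set_tun_dst":
                    ctx["tun_dst"] = arg
                elif name == "resubmit":
                    next_table = int(arg)
                elif name == "output":
                    if arg == "gre0":
                        return f"tunnel:{ctx['tun_dst']}:key={ctx['tun_id']}"
                    return f"output:{arg}"
            if next_table is None:
                return "drop"
            table = next_table
        return "drop"


def build_node() -> VSwitch:
    """Constructed topology: tenant A (key 1001) and tenant B (key 1002) share this node."""
    sw = VSwitch()
    sw.add_guest("vnet1", "02:00:00:00:a1:01", 1001)          # tenant A web VM, local
    sw.add_guest("vnet2", "02:00:00:00:b1:01", 1002)          # tenant B VM, local
    sw.add_remote("02:00:00:00:a1:02", 1001, "10.10.0.2")     # tenant A db VM, other node
    sw.add_policy(1001, "tcp", 3306)                          # tenant A allows MySQL
    sw.add_policy(1001, "icmp")                               # ... and ping
    sw.add_policy(1002, "tcp", 22)                            # tenant B allows SSH only
    return sw
```

Calling build_node() and then process() on constructed packets shows the three properties the slides ask for: tenant A's web VM reaching its database on another node leaves as tunnel:10.10.0.2:key=1001; the same guest sending ICMP to tenant B's MAC is dropped in the forwarding table even though ICMP is permitted by A's policy, because the MAC is only known under B's key; and a guest that spoofs another MAC is dropped at ingress. The caveat a practitioner should keep in mind is that the tunnel key is trusted on receipt, so the underlay addresses used as tunnel endpoints must be reachable only from other hypervisors; the "no dependence on infrastructure for segregation" point applies to the tenant overlay, not to the physical network that carries it.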
Reliable Automation @ Scale
- OpenFlow provides a means for a network controller to program the data plane
- The SDN controller provides a broader network abstraction via its northbound API
- This abstraction is the ideal interface for cloud orchestration tooling
Automating with OpenStack
- OpenStack provides a common provisioning platform for the cloud
- Quantum (the OpenStack networking service, later renamed Neutron) provides the networking functions; the intelligence is implemented in plugins
- A simple shim plugin is all that is required to convert the Quantum API into the controller's API
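A shim of that kind, translating the Quantum resource model (tenant-owned networks and ports) into calls on the controller's northbound API, as an added example in Python, the language of OpenStack. It is not HP's plugin and not the Quantum plugin interface verbatim: the controller's northbound calls, the tenant-key scheme, the exception classes and the request context are assumptions made for this illustration, and the controller is replaced by an in-memory stub.

```python
"""A minimal Quantum-to-controller shim plugin. Added illustration, not HP's
plugin or the Quantum plugin API verbatim: the controller's northbound calls,
the tenant-key scheme and the exception types are assumptions made here."""
import os
import uuid
from dataclasses import dataclass
from typing import Dict, Tuple


class NotAuthorized(Exception):
    """Resource missing or owned by another tenant (one error, so nothing is enumerable)."""


class NetworkInUse(Exception):
    """Network still has ports attached."""


@dataclass(frozen=True)
class Context:
    """Authenticated request context, as the API layer would hand it to the plugin."""
    tenant_id: str
    is_admin: bool = False


class ControllerClient:
    """In-memory stand-in for the network controller's northbound API (constructed)."""

    def __init__(self) -> None:
        self.vnets: Dict[int, str] = {}              # tenant key -> vnet name
        self.ports: Dict[str, Tuple[int, str]] = {}  # port id -> (tenant key, MAC)
        self._next_key = 1000

    def create_vnet(self, name: str) -> int:
        self._next_key += 1                          # the controller owns key allocation
        self.vnets[self._next_key] = name
        return self._next_key

    def delete_vnet(self, key: int) -> None:
        del self.vnets[key]

    def attach_port(self, key: int, port_id: str, mac: str) -> None:
        if key not in self.vnets:
            raise KeyError(key)
        self.ports[port_id] = (key, mac)

    def detach_port(self, port_id: str) -> None:
        self.ports.pop(port_id, None)


def _random_mac() -> str:
    # constructed prefix; first octet 0xfa has the locally-administered bit set, unicast
    return "fa:16:3e:" + ":".join(f"{b:02x}" for b in os.urandom(3))


class ShimPlugin:
    """Translates Quantum network/port operations into controller calls."""

    def __init__(self, controller: ControllerClient) -> None:
        self.ctl = controller
        self.networks: Dict[str, dict] = {}
        self.ports: Dict[str, dict] = {}

    def _network_for(self, ctx: Context, net_id: str) -> dict:
        net = self.networks.get(net_id)
        if net is None or not (ctx.is_admin or net["shared"] or net["tenant_id"] == ctx.tenant_id):
            raise NotAuthorized(net_id)
        return net

    def create_network(self, ctx: Context, body: dict) -> dict:
        # Ownership comes from the authenticated context; only an admin may set it in the body.
        owner = body["tenant_id"] if ctx.is_admin and "tenant_id" in body else ctx.tenant_id
        key = self.ctl.create_vnet(body["name"])     # controller call first, local record after
        net = {"id": str(uuid.uuid4()), "name": body["name"], "tenant_id": owner,
               "shared": bool(body.get("shared", False)), "key": key}
        self.networks[net["id"]] = net
        return net

    def delete_network(self, ctx: Context, net_id: str) -> None:
        net = self._network_for(ctx, net_id)
        if any(p["network_id"] == net_id for p in self.ports.values()):
            raise NetworkInUse(net_id)               # never orphan attached ports
        self.ctl.delete_vnet(net["key"])
        del self.networks[net_id]

    def create_port(self, ctx: Context, body: dict) -> dict:
        net = self._network_for(ctx, body["network_id"])
        port = {"id": str(uuid.uuid4()), "network_id": net["id"], "tenant_id": ctx.tenant_id,
                "mac_address": body.get("mac_address") or _random_mac()}
        self.ctl.attach_port(net["key"], port["id"], port["mac_address"])
        self.ports[port["id"]] = port                # recorded only once the controller accepted it
        return port

    def delete_port(self, ctx: Context, port_id: str) -> None:
        port = self.ports.get(port_id)
        if port is None or not (ctx.is_admin or port["tenant_id"] == ctx.tenant_id):
            raise NotAuthorized(port_id)
        self.ctl.detach_port(port_id)
        del self.ports[port_id]
```

Two design choices carry the security weight. The shim takes the owning tenant from the authenticated context, not from the request body, so a tenant cannot create a port on another tenant's network by naming it; and every controller call happens before the local record is written, so a failed controller call leaves Quantum and the controller consistent instead of producing a port that exists in the database but has no enforcement behind it.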
Cloud Network Building Blocks
Client Access Network (MPLS, WWW)
- Tenant connectivity
DC Core
- Carrier integration and peering
- Intra-DC compute zone integration
- DC resiliency
DC Fabric
- Compute node connectivity
- Deterministic performance
- Compute resiliency
Compute Networking (vswitch)
- Tenant security
Data Center Interconnect (DWDM, VPLS)
- Synchronization
- Inter-tool communication
- Out-of-band access
Multi-Tenancy: HP Virtual Cloud Networks
(Architecture diagram.) Cloud network orchestration drives a network controller. The controller programs the Open vSwitch instance on each compute node, which acts as both the encapsulation point and the policy enforcement point (PEP) for the guests on that node. Each tenant's traffic is carried as a private encapsulated vnet across a traditional switch fabric; a network router on the network node connects the private vnets to the public VLAN.
The End-game is Multi-Layer SDN
HW-Centric
- Encapsulate in the ToR switch (e.g. VLAN, PBB)
- Switch to destination VM
- Switch to vgw
SW-Centric
- Encapsulate in the vswitch
- Tunnel to destination VM
- Tunnel to vgw
- e.g. HP VCN, VMware NVP
Software-Defined Cloud Networks
- Multi-Layer SDN
- Traffic policy enforced in the fabric
- Cost-effective topology flexibility
- Simplified fabric automation
- HW support for generic UDP tunneling
- Efficient broadcast and multicast support
What does this enable?
- Multi-Layer SDN: avoid tromboning through gateway VMs or appliances
- Traffic policy enforced in the fabric: simple and efficient implementation of inline security and load-balancing services
- Cost-effective topology flexibility: more capable fabrics without excessive cost
- Simplified fabric automation: abstraction of the control plane reduces the complexity and risk of multi-tier automation
- HW support for generic UDP tunneling: enables integration of SW-centric multi-tenancy models with HW-centric solutions
Thank You!
Q&A