CloudStack Networking
Paul Angus, Cloud Architect, ShapeBlue
paul.angus@shapeblue.com
@CloudyAngus @ShapeBlue
About Me
- Cloud Architect with ShapeBlue
- Worked with CloudStack since 2.2.13
- Specialising in deployment of CloudStack and supporting infrastructure
- Orange, TomTom, PaddyPower, Ascenty, BSkyB, SunGard, T-Mobile
- I view CloudStack from a "what can cloud consumers practically do with it?" point of view
About ShapeBlue
- ShapeBlue are expert builders of public & private clouds
- The leading global CloudStack / CloudPlatform integrator & consultancy
Why NaaS?
The Use Cases: VPS, Cloud, NaaS
CloudStack Networking
Logical Networking Models: Basic, Advanced
Basic Networking
- AWS style: a simple flat network with L3 isolation
- Massive scale
- Each pod has a unique CIDR
- Optional guest isolation via Security Groups
- Optional NetScaler integration: Elastic IPs and Elastic LB
- Optional Nicira NVP integration
Security Groups
- Isolate traffic between VMs
- Available for both Basic and Advanced Networking
- XenServer must use the Linux bridge, not Open vSwitch: xe-switch-network-backend bridge
- Edit sysctl to enable net.bridge.bridge-nf-call-iptables and net.bridge.bridge-nf-call-arptables (set both to 1); without them, bridged guest traffic never reaches the iptables/arptables rules that implement the groups
- Both changes must be made before the host is added to CloudStack
Security Groups
- Rules specify their source either as a CIDR or as another Security Group (account name + group name)
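The two rule sources on this slide, a CIDR and another account's Security Group, are both passed to the authorizeSecurityGroupIngress API call, and every CloudStack API call is authenticated by an HMAC-SHA1 signature over its sorted, lower-cased parameters. The following is an added example for this deck and is not code from the slides or from Apache CloudStack: it builds both kinds of rule, signs the request the way the management server expects, verifies it, and refuses to open administrative ports to 0.0.0.0/0. The endpoint, API key and secret are placeholders, the parameter names follow the public API reference for authorizeSecurityGroupIngress, the sensitive-port list is constructed, and nothing is actually sent.

```python
"""Build and verify signed CloudStack API calls that add Security Group ingress
rules whose source is either a CIDR or another account's Security Group.

Added example for this deck; not code from the slides or from Apache
CloudStack. Assumptions not stated on the slides: the endpoint, API key and
secret are placeholders; parameter names (securitygroupname, protocol,
startport, endport, cidrlist, usersecuritygrouplist[n].account/.group) follow
the public CloudStack API reference for authorizeSecurityGroupIngress; the
request is only built and checked locally, never sent.
"""
import base64
import hashlib
import hmac
import ipaddress
from urllib.parse import parse_qs, quote, urlencode, urlsplit

ENDPOINT = "https://cloudstack.example.invalid/client/api"  # placeholder
API_KEY = "EXAMPLE-API-KEY"                                  # placeholder
SECRET_KEY = "EXAMPLE-SECRET-KEY"                            # placeholder

# Constructed list of ports that should never be opened to 0.0.0.0/0.
SENSITIVE_PORTS = {22, 3389, 3306, 5432}


def canonical_query(params: dict) -> str:
    """CloudStack string-to-sign: name=value pairs with the value URL-encoded
    (spaces as %20, '/' as %2F), sorted by name, then the whole string
    lower-cased."""
    pairs = [f"{k}={quote(str(v), safe='*')}"
             for k, v in sorted(params.items(), key=lambda kv: kv[0].lower())]
    return "&".join(pairs).lower()


def sign(params: dict, secret: str) -> str:
    """Base64(HMAC-SHA1(secret, canonical_query)) as CloudStack expects."""
    mac = hmac.new(secret.encode(), canonical_query(params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def build_request(command: str, rule: dict) -> str:
    """Full GET URL: every parameter plus a signature computed over all of them."""
    params = {"command": command, "apiKey": API_KEY, "response": "json", **rule}
    params["signature"] = sign(params, SECRET_KEY)
    return ENDPOINT + "?" + urlencode(params, safe="*", quote_via=quote)


def verify_request(url: str, secret: str) -> bool:
    """What the management server does: strip the signature, recompute it over
    the remaining parameters and compare in constant time."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    params = {k: v[0] for k, v in query.items()}
    claimed = params.pop("signature", "")
    return hmac.compare_digest(sign(params, secret), claimed)


def ingress_from_cidr(group, protocol, start_port, end_port, cidrs):
    """Rule whose source is a list of CIDRs. Rejects malformed CIDRs and
    refuses to open administrative/database ports to the whole Internet."""
    for c in cidrs:
        net = ipaddress.ip_network(c)  # strict: '10.0.0.1/8' raises ValueError
        world_open = net.prefixlen == 0
        if world_open and any(start_port <= p <= end_port for p in SENSITIVE_PORTS):
            raise ValueError(f"refusing to open {protocol}/{start_port}-{end_port} to {c}")
    return {"securitygroupname": group, "protocol": protocol,
            "startport": start_port, "endport": end_port,
            "cidrlist": ",".join(cidrs)}


def ingress_from_group(group, protocol, start_port, end_port, sources):
    """Rule whose source is other Security Groups, given as (account, group)
    pairs; membership follows the VMs, so no CIDR has to be maintained."""
    rule = {"securitygroupname": group, "protocol": protocol,
            "startport": start_port, "endport": end_port}
    for i, (account, name) in enumerate(sources):
        rule[f"usersecuritygrouplist[{i}].account"] = account
        rule[f"usersecuritygrouplist[{i}].group"] = name
    return rule


def rejected(fn, *args) -> bool:
    """True if building the rule raises ValueError (shows the guard firing)."""
    try:
        fn(*args)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    web_from_lb = ingress_from_cidr("web", "tcp", 80, 80, ["10.0.0.0/8"])
    db_from_web = ingress_from_group("db", "tcp", 3306, 3306, [("alice", "web")])
    for rule in (web_from_lb, db_from_web):
        url = build_request("authorizeSecurityGroupIngress", rule)
        print(url, verify_request(url, SECRET_KEY))
    print(rejected(ingress_from_cidr, "bastion", "tcp", 22, 22, ["0.0.0.0/0"]))
```

The signature covers every parameter, so changing the cidrlist or group in transit invalidates the request; the real client (cloudmonkey, or any SDK) applies the same sort-then-lowercase canonicalisation before computing the HMAC.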
Advanced Networking
This network model provides the most flexibility in defining guest networks and providing custom network offerings such as firewall, VPN, load balancer & VPC functionality. Guest isolation is provided through layer 2 means such as VLANs or SDN technologies.
Advanced Networking
- Private and Shared Guest Networks
- Multiple Physical Networks
- Virtual Router for each Network, providing: DNS & DHCP, Firewall, Client VPN, Load Balancing, Source / Static NAT, Port Forwarding
Advanced Networking & Security Groups
Effectively enables the deployment of multiple Basic-style networks that use Security Groups to isolate VMs from one another, with each network additionally encapsulated in its own VLAN.
Management Network
Traffic between the CloudStack Management Servers and the various cloud components (Hosts, System VMs, Storage*, vCenter etc.)
Guest Network Basic & Advanced
Guest Network Basic Zone EIP / ELB
Public Network Basic & Advanced
Public Network
- System VMs (CPVM, SSVM & VRs) have a connection to the Public Network
- * VRs only have a public connection in Advanced Networking
Storage Network
Physical Connectivity
Basic Zone Example IP Schema
Advanced Zone Example IP Schema
Network Service Providers
A hardware or virtual appliance that provides network services to CloudStack, e.g.:
- Virtual Router
- VPC Virtual Router
- Internal LB VM
- Citrix NetScaler
- F5 Load Balancer
- Juniper SRX Firewall
- Nicira NVP
- Midokura MidoNet
- BigSwitch VNS
- Cisco VNMC
- Baremetal DHCP*
- Baremetal PXE*
- Palo Alto*
- OVS (GRE/VXLAN)
* new in 4.3
Virtual Private Clouds (VPC)
- Private multi-tiered virtual networks
- ACLs to control traffic isolation between tiers
- Inter-VLAN routing
- Site-to-Site VPN
- Private Gateway
- VPC-to-VPC VPN*
- User VPN*
* new in 4.3
VPC Components
- Virtual Router: connects all the VPC components
- Network Tiers: isolated networks, each with a unique VLAN and CIDR
- Public Gateway
- Site-to-Site VPN: linked to the Public Gateway
- User VPN: linked to the Public Gateway
- VPC-to-VPC VPN: linked to the Public Gateway
- Private Gateway: created by Root Admins, configured by users (static routes)
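The isolation between VPC tiers comes from the Network ACL attached to each tier: rules are numbered, evaluated lowest number first, and the first match decides. The classic mistake is a catch-all deny numbered below the allow it was meant to sit behind, which silently shadows it. The following is an added example for this deck, not code from the slides or from Apache CloudStack, that models that evaluation for a two-tier web/db layout and flags shadowed rules. Assumptions not on the slides: the rule fields mirror the createNetworkACL parameters (number, action, protocol, cidrlist, traffictype, startport, endport); the tier CIDRs and rules are constructed; traffic that matches no rule is treated as denied unless the list is built as default-allow.

```python
"""Model of how a VPC Network ACL isolates traffic between tiers: rules are
evaluated in ascending 'number' order, the first matching rule decides, and
traffic matching no rule falls to the list's default action.

Added example for this deck, not code from the slides or from Apache
CloudStack. Assumptions not on the slides: the rule fields mirror the
createNetworkACL parameters (number, action, protocol, cidrlist, traffictype,
startport, endport); the tier CIDRs and rules below are constructed; a list
that matches nothing is treated as deny unless built as default-allow.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
import ipaddress


@dataclass(frozen=True)
class AclRule:
    number: int                 # evaluation order, lowest first
    action: str                 # "allow" or "deny"
    protocol: str               # "tcp", "udp", "icmp" or "all"
    cidr: str                   # remote CIDR the rule applies to
    traffic: str                # "ingress" (into the tier) or "egress"
    start_port: Optional[int] = None
    end_port: Optional[int] = None

    def matches(self, traffic: str, protocol: str, remote_ip: str,
                port: Optional[int]) -> bool:
        if self.traffic != traffic or self.protocol not in ("all", protocol):
            return False
        if ipaddress.ip_address(remote_ip) not in ipaddress.ip_network(self.cidr):
            return False
        if self.start_port is None or port is None:
            return True  # rule (or packet) is port-agnostic
        return self.start_port <= port <= self.end_port


def covers(outer: AclRule, inner: AclRule) -> bool:
    """True if every packet 'inner' could match is already matched by 'outer'."""
    if outer.traffic != inner.traffic:
        return False
    if outer.protocol not in ("all", inner.protocol):
        return False
    if not ipaddress.ip_network(inner.cidr).subnet_of(ipaddress.ip_network(outer.cidr)):
        return False
    if outer.start_port is None:
        return True
    if inner.start_port is None:
        return False
    return outer.start_port <= inner.start_port and inner.end_port <= outer.end_port


@dataclass
class NetworkAcl:
    name: str
    rules: List[AclRule] = field(default_factory=list)
    default_action: str = "deny"  # assumed fall-through when nothing matches

    def evaluate(self, traffic: str, protocol: str, remote_ip: str,
                 port: Optional[int] = None) -> Tuple[str, Optional[int]]:
        """Return (action, matching rule number); number is None on fall-through."""
        for rule in sorted(self.rules, key=lambda r: r.number):
            if rule.matches(traffic, protocol, remote_ip, port):
                return rule.action, rule.number
        return self.default_action, None

    def shadowed_rules(self) -> List[int]:
        """Numbers of rules that can never fire because a lower-numbered rule
        already covers everything they match: the classic misordering bug."""
        ordered = sorted(self.rules, key=lambda r: r.number)
        return [r.number for i, r in enumerate(ordered)
                if any(covers(earlier, r) for earlier in ordered[:i])]


# Constructed two-tier layout: web tier 10.1.1.0/24, db tier 10.1.2.0/24.
WEB_TIER = "10.1.1.0/24"

# Correct ACL for the db tier: only MySQL from the web tier, then deny the rest.
DB_TIER_ACL = NetworkAcl("db-tier", [
    AclRule(10, "allow", "tcp", WEB_TIER, "ingress", 3306, 3306),
    AclRule(20, "deny", "all", "0.0.0.0/0", "ingress"),
])

# Misordered ACL: the catch-all deny was given a lower number than the allow.
MISORDERED_ACL = NetworkAcl("db-tier-broken", [
    AclRule(5, "deny", "all", "0.0.0.0/0", "ingress"),
    AclRule(10, "allow", "tcp", WEB_TIER, "ingress", 3306, 3306),
])

if __name__ == "__main__":
    print(DB_TIER_ACL.evaluate("ingress", "tcp", "10.1.1.5", 3306))     # allow, 10
    print(DB_TIER_ACL.evaluate("ingress", "tcp", "10.1.3.7", 3306))     # deny, 20
    print(MISORDERED_ACL.evaluate("ingress", "tcp", "10.1.1.5", 3306))  # deny, 5
    print(MISORDERED_ACL.shadowed_rules())                               # [10]
```

Running shadowed_rules() over an ACL list before attaching it to a tier catches the misordering at design time rather than when the web tier suddenly cannot reach its database.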
Communication Ports