IPOP-TinCan: User-defined IP-over-P2P Virtual Private Networks
Renato Figueiredo, Advanced Computing and Information Systems Lab, University of Florida, ipop-project.org
Unit 3: Intra-cloud Virtual Networks
This material is based upon work supported in part by the National Science Foundation under Grants No. 0910812, 1339737
Technologies and Techniques
- Amazon VPC: virtual private network extending from the enterprise to resources at a major IaaS commercial cloud
- OpenFlow: open switching specification allowing programmable network devices through a forwarding instruction set
- OpenStack Quantum: virtual private networking within a private cloud offered by a major open-source IaaS stack
Amazon Virtual Private Cloud
- Service interface and Web console
- Available for all Amazon EC2 customers
- Layer-3 VN within the EC2 infrastructure
- Extensible through hardware VPN
- Typical use cases:
  - Multi-tier applications: public Web server; private DB and app server
  - Extending the datacenter on demand
  - Cloud-bursting
Amazon Virtual Private Cloud
From http://aws.amazon.com/vpc/: "[VPC] lets you provision a private, isolated section of the Amazon Web Services (AWS) Cloud where you can launch AWS resources in a virtual network that you define. You have complete control over your virtual networking environment, including selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways. Additionally, you can create a Hardware Virtual Private Network (VPN) connection between your corporate datacenter and your VPC and leverage the AWS cloud as an extension of your corporate datacenter."
Amazon VPC: IP namespace management; hardware IPsec VPN
(Diagram: a user LAN with hosts 10.10.2.2 and 10.10.2.3 behind a VPN router, connected over the Internet to a VPC inside the EC2 infrastructure; the VPC isolates private and public/private segments.)
VPC Web console (screenshot)
Amazon Virtual Private Cloud
Cost model:
- No additional charge for using VPC, but if used with a VPN there is a charge per VPN connection-hour
- Charge for inbound/outbound traffic
Inter-operability:
- Custom AWS APIs
- Uses IPsec for VPN connections
- No connectivity with other providers
OpenFlow
- Towards an open platform foundation supporting Software-Defined Networks (SDN)
- Interface standardized by the Open Networking Foundation (ONF)
OpenFlow
- Every packet that arrives on an OpenFlow port is processed through the flow pipeline
- Processing may traverse multiple flow tables
- The processing rules for each table are programmed by the controller through the OpenFlow API
- If no matching entry is found (a table miss), the packet is forwarded to the controller for processing
Recall our VLAN example
(Diagram: two (virtual) machines, each running software that calls SEND(link, msg) on its network device, connected through a virtual LAN; under the control of an OpenFlow switch, a packet is received on port a, passes through the OpenFlow pipeline, and is sent out on port b.)
OpenFlow
(Diagram: the controller uses the OpenFlow protocol over a secure channel to add, update and delete flow table entries; a packet enters on an OpenFlow ingress port, is matched against flow table entries in the pipeline, possibly consulting the group table, and leaves on an OpenFlow output port; a table miss is handed to the controller.)
OpenFlow
- Provides primitives for virtualization
- Packets are intercepted
- High-throughput datapath: flow tables
- Packets that match no entry are sent to the controller (the exception path; slower control path)
- The controller can use that event to program flow table entries
- Supports layer-2 and layer-3
- Hardware and software implementations
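The pipeline behaviour described on the last two slides (multi-table matching, table miss punted to the controller, controller programming entries so later packets stay on the fast datapath) as an added example in Python; this is an illustrative model, not code from the IPOP project or any OpenFlow implementation, and the port-to-tenant topology, MAC addresses and the isolation policy are constructed assumptions:

```python
from collections import namedtuple

# match: exact-match fields (an absent field is a wildcard); actions: [("goto", t)],
# [("output", port)] or [("drop",)]; entries with higher priority are tried first.
FlowEntry = namedtuple("FlowEntry", "match actions priority")

class Pipeline:
    def __init__(self, n_tables, on_miss):
        self.tables = [[] for _ in range(n_tables)]
        self.on_miss = on_miss           # controller hook for the slow path
        self.misses = 0                  # packets that left the fast datapath

    def add_flow(self, table, match, actions, priority=0):
        self.tables[table].append(FlowEntry(match, actions, priority))
        self.tables[table].sort(key=lambda e: -e.priority)

    def process(self, pkt):
        table = 0
        while True:
            hit = next((e for e in self.tables[table]
                        if all(pkt.get(k) == v for k, v in e.match.items())), None)
            if hit is None:              # table miss: hand the packet to the controller
                self.misses += 1
                return self.on_miss(self, table, pkt)
            for act in hit.actions:
                if act[0] == "goto":     # continue in a later table of the pipeline
                    table = act[1]
                    break
                return act[1] if act[0] == "output" else "drop"
            else:
                return "drop"            # no output action: implicit drop

# Constructed topology: MAC -> switch port, and the tenant slice that owns each port.
MAC_PORT = {"02:00:00:00:00:01": 1, "02:00:00:00:00:02": 2, "02:00:00:00:00:03": 3}
PORT_TENANT = {1: "A", 2: "A", 3: "B"}

def controller(pipe, table, pkt):
    """Reactive controller: program an entry that keeps traffic inside its tenant."""
    dst = MAC_PORT.get(pkt["eth_dst"])
    same = dst is not None and PORT_TENANT[dst] == PORT_TENANT[pkt["in_port"]]
    pipe.add_flow(1, {"in_port": pkt["in_port"], "eth_dst": pkt["eth_dst"]},
                  [("output", dst)] if same else [("drop",)], priority=5)
    return pipe.process(pkt)             # re-inject: the new entry now handles it

def build_switch():
    pipe = Pipeline(2, controller)
    for port in PORT_TENANT:             # table 0: admit known ports to forwarding
        pipe.add_flow(0, {"in_port": port}, [("goto", 1)], priority=10)
    pipe.add_flow(0, {}, [("drop",)])    # explicit table-miss entry: unknown ports dropped
    return pipe
```

Only the first packet of a flow takes the slow path; the second is forwarded by the entry the controller installed, and cross-tenant traffic is dropped on the datapath without reaching the controller again.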
OpenStack Quantum
- Service to establish connectivity among virtual NICs managed by the OpenStack cloud
- Quantum plugin: manages the configuration of virtual switches (VMM) and physical switches
- The plugin may use OpenFlow to manage switches
VMs + VNs within the cloud
(Diagram: the user asks OpenStack to create a virtual cluster on VLAN d; among the OpenStack services, Nova creates the VMs on physical hosts and Quantum creates the VN; controllers program the physical switch.)
Intra-cloud VNs
- Typical use case: virtualization within a single domain
  - Multiple VN slices for cloud tenants
  - E.g. devices that are OpenFlow-enabled and managed by the same entity
  - Distributed data centers; dedicated links
- Inter-cloud virtual networks must deal with shared links that cannot be programmed by a single controller