Lecture 02b Cloud Computing II





Mobile Cloud Computing, Lecture 02b: Cloud Computing II
吳秀陽 Shiow-yang Wu

Reference: T. Sridhar, "Cloud Computing: A Primer, Part 2: Infrastructure and Implementation Topics", The Internet Protocol Journal, Volume 12, No. 4, Dec 2009.
Mobile Cloud Computing Cloud Computing II 2 Note 1

Network Infrastructure

The data-center server organization has often adopted a three-tier architecture:
- a Web or Presentation Tier on the front end
- an Application Tier that performs the application and business-processing logic
- a Database Tier that runs the database management system (Figure 1 on the next slide)

It follows that the server connectivity and the network topology of cloud data centers might follow a similar organization.

Data Center Extension: IaaS

If the cloud is seen as an extension of the existing data center, IaaS is a natural fit. You specify the number of servers in each tier, load the appropriate server image, specify the links between them, and specify the network connectivity. The cloud provider handles elasticity by ensuring that the number of servers and switches is adequate for you. Per-use billing and on-demand resource addition and removal are also provided by the cloud provider.

PaaS Infrastructure

In PaaS, you transfer more control to the cloud provider. The platform can scale transparently without your involvement other than at configuration time. Cloud providers often realize this with a three-tier topology similar to traditional data centers, but some have innovated to perform parts of the function differently. For example, DB functions may rely on scaling out (splitting the DB across multiple servers) instead of scaling up (increasing the capability of a single machine).

SaaS Infrastructure

SaaS vendors have the highest degree of control. The topology can be similar to existing data centers and scale up or down according to the number of users. Most of them are quite straightforward.

Virtualization and Its Demands on Switching

There are addressing and control factors to consider when supporting constructs such as the virtual switch. Consider a data center with 100 servers, each hosting 16 VMs but with only one physical 10-Gbps Ethernet connection per physical machine. With the traditional method, you need 16 MAC and IP addresses for each server, a total of 1600 addresses. The problem is exacerbated as the number of VMs per server grows. Switching between the MAC addresses belonging to the virtual machines is done by the virtual switch.

Virtualization and Its Demands on Switching (continued)

The virtual switch treats the physical link as an uplink to the external physical switch. Each physical host can have more than one virtual switch to support greater logical segmentation, and it is common for each virtual switch to have its own physical uplink to the external switch. The virtual switch does not need to learn MAC addresses: it forwards all destination-unknown frames over the physical link (the uplink to the physical switch) and switches traffic between VMs on the same machine according to policy (e.g. such traffic may be prohibited).

The virtual switch is used only for aggregation and access control within a physical server hosting VMs. Management of virtual switches can follow an aggregation model, i.e. multiple virtual switches managed through an external node (next slide). This external node provides the management view. This separation of control- or management-plane functions permits easier VM migration.

Problem: inter-VM traffic within the same machine is not visible to the external network and cannot be appropriately monitored.

Virtual Switch (figure slide)

IaaS Private Clouds

If a private cloud for enterprise A is realized as a partition in the IaaS provider's public cloud, then the private cloud should be reachable as a LAN extension of the servers in A's data center (next slide). A secure Virtual Private Network (VPN) tunnel is set up between A's data center and the public cloud using public IP addresses. The VPN gateway uses multiple contexts, each context corresponding to a specific private cloud. Traffic from enterprise A is decrypted and forwarded over an Ethernet switch to the private cloud.

Possible Evolution Scenarios

- Automation of the VPN connection between the enterprise and the cloud service provider.
- Integration of the VPN functions with the site-to-site VPN network functions offered by service providers.
- Cloud service providers using multiple data centers.

CloudNet, being developed by AT&T Labs and UMass Amherst, is an example that addresses the two scenarios above.

Layer 2 vs Layer 3 Connectivity

Layer 2 (switching) or Layer 3 (routing)? Layer 2 is simpler: the MAC address and VLAN information are used for forwarding. The disadvantage of Layer 2 networks is scalability, due to the flat topology. Routing and subnets can be used to provide segmentation, at the cost of forwarding performance and network complexity. How is connectivity managed for VM migration? (next slide)

The most common scenario is a VM migrated to a different host on the same Layer 2 topology. After migration, IP and TCP packets destined for the VM must be resolved to a different MAC address, or to the same MAC address now connected to a different physical switch. An Address Resolution Protocol (ARP) request from the migrated VM can cause the switch tables to be updated. It may be less complex to freeze the VM and move it across the network.
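The following is an added model of the two behaviours described above (it is not code from the lecture or from the cited article): a per-host virtual switch that does no MAC learning and applies policy to local VM-to-VM frames, an external learning switch, and a VM migration whose gratuitous ARP repoints the external switch's table. All host names and MAC addresses are constructed for the example; the `local_seen` counter makes the monitoring gap concrete, since those frames never reach the external switch.

```python
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"

@dataclass(frozen=True)
class Frame:
    src: str            # source MAC (the sending VM)
    dst: str            # destination MAC, BROADCAST for a gratuitous ARP
    kind: str = "data"  # "data" or "garp"

@dataclass
class PhysicalSwitch:
    """External learning switch: remembers the port each source MAC was last seen on."""
    table: dict = field(default_factory=dict)

    def receive(self, port: str, frame: Frame) -> str:
        self.table[frame.src] = port                 # learn (or move) the source
        return self.table.get(frame.dst, "flood")    # unknown/broadcast dst: flood

@dataclass
class VirtualSwitch:
    """Per-host virtual switch: policy for local VM-to-VM traffic, no MAC learning."""
    host: str                                  # port name on the physical switch
    phys: PhysicalSwitch
    vms: set = field(default_factory=set)      # MACs of VMs currently on this host
    allow_intra_vm: bool = True                # policy for traffic between local VMs
    local_seen: int = 0                        # frames the external switch never sees

    def forward(self, frame: Frame) -> str:
        if frame.dst in self.vms:              # both ends on this host
            self.local_seen += 1
            return "local" if self.allow_intra_vm else "dropped"
        # Destination not local (or unknown/broadcast): send it up the uplink.
        return self.phys.receive(self.host, frame)

def migrate(vm: str, src: VirtualSwitch, dst: VirtualSwitch) -> str:
    """Move a VM to another host; its gratuitous ARP repoints the physical switch."""
    src.vms.discard(vm)
    dst.vms.add(vm)
    dst.forward(Frame(src=vm, dst=BROADCAST, kind="garp"))
    return dst.phys.table[vm]                  # port the VM is now reachable on

def demo() -> dict:
    """Constructed scenario: VM1 and VM2 on host A, VM3 on host B, then VM1 moves."""
    vm1, vm2, vm3 = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"
    phys = PhysicalSwitch()
    host_a = VirtualSwitch("hostA", phys, {vm1, vm2}, allow_intra_vm=False)
    host_b = VirtualSwitch("hostB", phys, {vm3})
    intra = host_a.forward(Frame(vm1, vm2))    # policy drops it; phys never sees it
    inter = host_a.forward(Frame(vm1, vm3))    # VM3 unknown to phys yet: flooded
    before = phys.table[vm1]                   # phys learned VM1 on hostA
    after = migrate(vm1, host_a, host_b)       # gratuitous ARP moves VM1 to hostB
    reply = host_b.forward(Frame(vm3, vm1))    # VM3 -> VM1 now on the same host
    return {"intra": intra, "inter": inter, "before": before, "after": after,
            "reply": reply, "invisible_frames": host_a.local_seen + host_b.local_seen}
```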

Cloud Federation

There may be situations where an enterprise needs to work with multiple cloud providers. Cloud interoperability and the ability to share information between clouds then become important; this is sometimes known as cloud federation. Cloud federation manages consistency and access controls when two or more independent, geographically distributed clouds share authentication, files, computing resources, command and control, or access to storage resources.

Cloud Federation Issues

- Single sign-on, which can be implemented through an authentication server maintained by the enterprise that provides the appropriate credentials, or through a central trusted authentication server to which all the cloud services interface.
- CPU and storage resources may be orchestrated through the individual enterprise or through an interoperability scheme (federation agreement).
- How can VM migration be done transparently and reliably?

Cloud Federation Issues (continued)

- Connectivity: Layer 2 vs Layer 3, secure tunnel; consistency and a common understanding are required.
- Charging, billing and reconciliation: management and billing systems need to work together; business models for peering arrangements are needed.

Cloud federation is a relatively new area in cloud computing.

Security Topics

The provider's security processes will need to be as good as or better than those of the enterprise. An audit of the vendor's processes will need to be done periodically, possibly including patches and security updates for the individual components. Infrastructure and data isolation must be assured between multiple tenants. The hypervisor should be treated as an OS and have the latest security patches applied; the same applies to paravirtualized operating systems.

Security Topics (continued)

Security functions can run as virtual appliances: IaaS users can load and configure their own firewall or other security virtual appliance. These virtual appliances need to be managed and patched regularly. Logging and audit trails for applications are important, and cloud providers should enable access to their application monitoring and profiling tools. Authentication mechanisms are required at both ends (cloud user and provider).

Configuration changes and updates to the network infrastructure must be audited and tracked. The cloud infrastructure should support security functions such as intrusion detection and prevention, firewalling, and Denial of Service (DoS) prevention. The cloud service is vulnerable to Distributed Denial of Service (DDoS) attacks; network-based DDoS prevention is a possible solution. The biggest obstacle to cloud adoption for IT managers is security and loss of control.

Virtualization and Security

One option involves plug-ins to the hypervisor so that packets destined for the VMs are captured and processed by the security plug-ins. A second option is to have a specific VM handle the security functions without changing or adding to the hypervisor. For VM migration, it is important that the connection between the source and destination hypervisors is authenticated and encrypted for the duration of the migration.

A rogue hypervisor could overwhelm a destination machine by migrating a large number of VMs to it. Policies and logic are required at the hypervisor level to ensure that these vulnerabilities are addressed. Network-based throttling might be required so that live migration does not cause congestion.
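As an added illustration of the destination-side policy the slide asks for (not code from the lecture or from any hypervisor), the following admission check refuses migrations that do not arrive over an authenticated, encrypted channel, limits how many VMs one source hypervisor may push within a time window, and divides a migration bandwidth budget among in-flight transfers. The `MigrationRequest` fields, the trusted-source set and the numbers in `demo()` are constructed assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

@dataclass(frozen=True)
class MigrationRequest:
    source: str           # identity the source hypervisor presented
    authenticated: bool   # transport was mutually authenticated
    encrypted: bool       # transport is encrypted
    vm_bytes: int         # memory and disk state to transfer
    at: float             # arrival time in seconds

class MigrationAdmission:
    """Destination-side policy: who may migrate in, how often, and how fast."""

    def __init__(self, trusted: set, max_per_source: int, window_s: float,
                 max_bandwidth_bps: float):
        self.trusted = trusted                  # hypervisors allowed to send VMs
        self.max_per_source = max_per_source    # admitted migrations per window
        self.window_s = window_s
        self.max_bandwidth_bps = max_bandwidth_bps
        self.history = defaultdict(deque)       # source -> admitted arrival times
        self.active = []                        # migrations currently in flight

    def decide(self, req: MigrationRequest) -> tuple:
        """Return (admitted, reason, bandwidth share in bytes per second)."""
        if not (req.authenticated and req.encrypted):
            return (False, "channel not authenticated and encrypted", 0)
        if req.source not in self.trusted:
            return (False, "unknown source hypervisor", 0)
        recent = self.history[req.source]
        while recent and req.at - recent[0] > self.window_s:
            recent.popleft()                    # forget arrivals outside the window
        if len(recent) >= self.max_per_source:
            return (False, "per-source migration rate exceeded", 0)
        recent.append(req.at)
        self.active.append(req)
        # Throttle: split the migration bandwidth budget across in-flight transfers
        return (True, "admitted", self.max_bandwidth_bps / len(self.active))

    def complete(self, req: MigrationRequest) -> None:
        """A migration finished; its bandwidth share returns to the pool."""
        self.active.remove(req)

def demo() -> list:
    """Constructed burst: one trusted source pushes three VMs in two seconds."""
    policy = MigrationAdmission(trusted={"hv-a"}, max_per_source=2,
                                window_s=60.0, max_bandwidth_bps=1e9)
    burst = [MigrationRequest("hv-a", True, True, 4 << 30, float(t)) for t in range(3)]
    return [policy.decide(r) for r in burst]
```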

Standards Bodies in Cloud Computing

The Desktop Management Task Force (DMTF) has specified a portable format, the Open Virtualization Format (OVF), for packaging the software to run as a VM. Another group under DMTF, the Open Cloud Standards Incubator, focuses on standardizing the interactions between cloud environments. The Cloud Security Alliance (CSA) is a new group that addresses security aspects, with a focus on security assessment and management.

The Organization for the Advancement of Structured Information Standards (OASIS) sees clouds as an extension of the Service-Oriented Architecture (SOA). The Storage Networking Industries Association (SNIA) has a Cloud Storage Technical Working Group (TWG) that works on storage standards; it has developed the Cloud Data Management Interface (CDMI).

Some Perspectives on Cloud Computing

- Cloud computing and SOA: some view cloud computing as a specific deployment case of an SOA.
- Server virtualization schemes: whatever approach is taken, the final decision comes down to total cost.
- Other types of virtualization: desktop, application, and presentation virtualization.
- Data transfer and network bandwidth: data needs to be sent back and forth between the cloud user and the cloud provider, and the charges can quickly add up.
- WAN acceleration for the cloud: chatty protocols and applications can benefit from WAN acceleration devices.
- VM migration: the amount of data movement when a VM is migrated across a network needs to be considered.
- Management: current paradigms are quite discrete and provide a strong level of control; efforts are being made to unify management schemes.
- Energy considerations: with cloud computing, overall energy consumption may be reduced.

Some Perspectives on Cloud Computing (continued)

- Legal and regulatory considerations: VM migration, data migration and load-balancing policies may need to take legal and regulatory issues into account. Cloud providers with data centers in different countries may encounter similar issues.

Conclusion

The area of cloud computing is very dynamic and offers scope for innovative technologies and business models. Ongoing work on solutions is substantial, in vendor research labs, product development organizations, and academia. It is clear that cloud computing will see significant advances and innovation in the next few years.

Assignment 1: A Service on GAE with Datastore

Design a GAE service to test the Google cloud platform. Your service must use the Google Datastore for keeping data. You are encouraged to design any type of service you can think of. You must demonstrate your service and explain your design to me. Due date: Mar 22, 2012.