BrightTALK SDN Solution Showcase with Chris Swan
TRANSCRIPT
copyright 2013 1
Network Function Virtualization – What do customers use it for?
Chris Swan, CTO - CohesiveFT
@cpswan
Agenda
• Introducing Network Function Virtualization (NFV)
• The Networking Declaration of Independence
• Business use cases:
- Wave 1 - bursting and containment
- Wave 2 - hubs and spokes
- Wave 3 - winning back control
• Summary
What is Network Function Virtualization?
NFV is a networking Swiss Army knife
[Diagram: NFV shown as a hybrid virtual device able to extend to multiple sites, combining Router, Switch, Firewall, IPsec/SSL VPN concentrator, Protocol Redistributor, and Dynamic & Scriptable SDN]
Application SDN (Software Defined Network) Appliances
• Allow control, mobility & agility by separating network location and network identity
• Control over end to end encryption, IP addressing and network topology
A technical use case overview
[Diagram: an overlay network (subnet 172.31.0.0/22) carrying Cloud Servers A to F at overlay IPs 172.31.1.1, 172.31.1.5, 172.31.1.9, 172.31.1.13, 172.31.1.17 and 172.31.1.21. Three peered devices, shown across US East 1, EMEA and APAC, are labelled Public IP 184.73.174.250 / Overlay IP 172.31.1.250, Public IP 54.246.224.156 / Overlay IP 172.31.1.246, and Public IP 192.158.29.143 / Overlay IP 172.31.1.242. Two active IPsec tunnels and one failover IPsec tunnel (192.168.4.0/24 - 172.31.1.0/24 and 192.168.3.0/24 - 172.31.1.0/24) connect the overlay to the Customer Data Center and the Customer Remote Office through Cisco 5505 and Cisco 5585 firewall / IPsec devices. Remote subnets: Chicago, IL USA 192.168.3.0/24 (user workstations at LAN IPs 192.168.3.50 and 192.168.3.100) and London, UK 192.168.4.0/24 (data center servers at LAN IPs 192.168.4.50 and 192.168.4.100).]
Providers and Customers have different concerns
[Diagram: network stack from Layer 0 to Layer 7 above a Virtualization Layer and a Hardware Ownership Layer, marking the limits of access, control, & visibility and the span of User Control]
Service Provider SDN starts at the bottom of the network with the "device" and network flows.
Application SDN (using NFV) begins at the top of the network with the enterprise application, its owner and their collective technical and organizational demands.
Positioning - NFV and SDN
Networking Declaration of Independence
Nicira’s “declaration of independence” from metal freed NFV from OpenFlow
http://nicira.com/sites/default/files/docs/Nicira%20-%20The%20Seven%20Properties%20of%20Virtualization.pdf
These same properties free NFV from the “constraints” of OpenFlow (technology, timing and target)
Nicira defined the 7 Properties of network virtualization as:
1. Independence from network hardware
2. Faithful reproduction of the physical network service model
3. Follow operational model of compute virtualization
4. Compatible with any hypervisor platform
5. Secure isolation between virtual networks, the physical network, and the control plane
6. Cloud performance and scale
7. Programmatic networking provisioning and control
Independence from network hardware
With VM-based network devices you can use the cloud network as “bulk transport” and are indifferent to all else.
[Diagram: a Customer Data Center (firewall / IPsec device, data center servers on LAN IP 192.168.1.xx) connected by a standard IPsec tunnel to an NFV device in Public Cloud Region 1, where cloud servers sit on an overlay network at overlay IP 172.31.11.xx]
Reproduction of physical network model
NFV devices “look” and “feel” like the same networking devices customers have used forever, without boundaries
[Diagram: Customer Data Center with data center servers; standard IPsec tunnel; NFV; Public Cloud Region 1 with cloud servers on an overlay network; the whole shown as one virtual network]
Follow operational model of compute virtualization
[Diagram: four NFV instances]
NFV functions can be dynamically brought on-line, up to the elastic limits of the total infrastructure available (!!)
Compatible with any hypervisor platform
NFV does more than “follow” the model of compute virtualization; it exists via compute virtualization.
[Diagram: Public Clouds, Private Clouds, Virtual Infrastructure]
Secure isolation
Isolation takes many forms: from underlying infra, allow my protocols, keep my “chattiness” in, keep others out, etc.
[Diagram: Public Cloud Regions 1 to 4, each with cloud servers on an overlay network]
Cloud performance and scale
Where NFV really shines today: create a WAN in minutes and use cloud as points of presence for your business
[Diagram: the same overlay topology as in “A technical use case overview”: overlay subnet 172.31.0.0/22, Cloud Servers A to F, three peered devices shown across US East 1, EMEA and APAC, and active and failover IPsec tunnels to the Customer Data Center and Customer Remote Office]
Programmatic networking provisioning & control
Cloud Compute and Network APIs + NFV Device APIs allow previously unimaginable flexibility and power
[Diagram: Public Clouds, Private Clouds, Virtual Infrastructure]
http://maxoffsky.com/code-blog/building-restful-api-in-laravel-start-here/
Business Use Cases
Wave 1
Bursting and Containment
Fund bursts into public cloud to extend HPC
[Diagram: Private Data Center, Boston, USA (firewall / IPsec, data center node); active IPsec tunnels; peered NFV devices; US-east-1 and US-west-1; nodes on an overlay network]
AD Configuration with Dual NIDs
[Diagram: Developer Office, USA (user workstations, firewall / IPsec); Partner Data Center (firewall / IPsec, data center servers); active IPsec tunnels 192.168.4.0/24 - 172.31.1.0/24; peered NFV devices; US-east-1; Private Cloud; virtual machines on a hybrid network]
Energy Savings Trust analyzes data in SmartCloud
[Diagram: On-Site Hardware, UK (firewall / IPsec, data center servers); active IPsec tunnel; NFV; virtual machine and cloud server; Ehningen]
Capacity expansion: meeting game day demand
[Diagram: Main Offices, New York, NY USA; Data Center; Media Partners in EMEA, & US & ANZ (firewall / IPsec, workstations); active IPsec tunnels; NFV; virtual machine and cloud server; us-east-1]
BPMS-as-a-SaaS without traditional complexity
[Diagram: Home Data Center, Boston, MA USA (firewall / IPsec); Customer Data Center 1; Customer Data Center 2; Berlin, DE; London, UK; Private Cloud with data center servers; active and failover IPsec tunnels; peered NFV devices; us-east-1 and us-west-2; cloud-based SaaS tool and virtual machines on a federated cloud overlay network]
Wave 2
Hubs and spokes
Cloud “Meet Me Room”
[Diagram: Data Center, US (firewall / IPsec, data center servers); Customer Network, UK (browser-based portal access); active IPsec tunnels; NFV; SaaS App; eu-west-1]
Cloud WAN for global reach and redundancy
[Diagram: Data Center, Frankfurt, Germany (firewall / IPsec, data center server); Customer 2, Tokyo, Japan (workstations); Office, London, UK (data center server); active IPsec tunnels; peered NFV devices; APAC-1; US East Coast; Netherlands]
Pharmaceutical system federates infrastructure
[Diagram: Data Center, New York, USA (firewall / IPsec, data center server); Medical Office 1; Medical Office 2, San Francisco, USA; Customer Hospital, Boston, USA (data center server); Salt Lake City, USA; Private Cloud; active IPsec tunnels; peered NFV devices; US-west-1 and US-east-1; SaaS portals]
Multitenant cloud-based partner network
[Diagram: Home Network, USA (firewall / IPsec, data center server); Customer Data Center 1, UK; Customer Data Center 2, USA; data center servers and virtual machines; encrypted IPsec tunnels; NFV; Mobile Banking Platform; US-west-1]
Leading global mobile telco service provider
[Diagram: Partner Data Center, London, UK; Dev/Test 1, Boston, USA; Dev/Test 2; data center servers; firewall / IPsec; active IPsec tunnel; peered NFV devices; EMEA; London, UK; Private Cloud; cloud server and virtual machine on an overlay network]
Mobile app developer connects on overlay
[Diagram: Customer Site; London, UK; Partner LAN 1; Partner LAN 2; Osaka, Japan; Hong Kong; firewall / IPsec; data center servers; dedicated IPsec tunnels; peered NFV devices; cloud-based SaaS tool; virtual machines; Ehningen; Asia Pacific (Tokyo); virtual network]
Scientific research groups connect, migrate to cloud
[Diagram: Research Campus, Palo Alto, CA USA; Observatory 1, Honolulu, HI USA; Observatory 2, Marshall Islands, USA; workstations; firewall / IPsec; active IPsec tunnels; NFV; virtual machines; node; US-west-1]
Mission specific global WAN
Isolation takes many forms: from underlying infra, allow my protocols, keep my “chattiness” in, keep others out, etc.
Wave 3
Winning back control
Overlay between public & private cloud
[Diagram: NFV overlay network 172.31.0.0/24 in Region: Europe-1, with peered devices and cloud servers at Locations 1 to 5; public IPs 194.42.93.145 to 194.42.93.154, 5.23.25.66 and 5.23.25.12]
• Not technically very different from bursting, but motivation is different
• Get network (re)configured in minutes rather than waiting weeks for a change request to be implemented by the (outsourced) NOC
• No need for new hypervisor or networking equipment
The first “process” customizable cloud transport network device
NFV allows customers to embed features and functions provided by other vendors, or developed in house, safely and securely into cloud networks
• Not just a scripting interpreter that allows control over known, existing features
• Completely new functions, processes, computation delivered to the core of the customer cloud network (patent pending)
[Diagram: NFV, customer controlled and co-created for the best hybrid cloud experience: Router, Switch, Firewall, IPsec/SSL VPN Concentrator, Protocol Redistributor, Dynamic & Scriptable SDN, Proxy, Reverse Proxy, Content Caching, Load Balancing, Intrusion Detection, More....]
NFV as a converged device gateway into cloud
[Diagram: NFV + Web App 1, Web App 2 and Web App 3 behind a single IP address, on an encrypted overlay network in VPC]
• Customer created a customized reverse proxy application (NGINX) inside the NFV appliance
• NFV provides end-to-end encryption, private address control, firewalling, and port forwarding
• NGINX configuration files are completely customer controlled
• NGINX app sits at the transport layer inside the NFV appliance
• Runs on the encrypted overlay network in VPC
Summary
• NFV allows networks to be built out of the cloud
• Users get control over their:
- addressing
- topology
- security
- protocols
• When you give people a networking Swiss Army knife to run in the cloud they do all kinds of stuff that you might not have expected
Questions?
CohesiveFT Americas
Chicago, IL USA
888.444.3962
CohesiveFT Europe
London, UK
+44 208 144 0156