cloudstack and nfv

The Cloud Specialists

NFV & CloudStackShapeBlue.com • @ShapeBlue

Paul Angus, VP Technology • @[email protected]

A n i n t r o d u c t i o n t o

The Cloud Specialists ShapeBlue.com @ShapeBlue

“ShapeBlue are expert builders of public & private clouds. They are the leading

independent global CloudStack services company”

A b o u t S h a p e B l u e

C l i c k t o e d i t


Paul Angus – VP Technology• Global authority on CloudStack & cloud infrastructure design.

• 15+ years C-Level experience.

• Apache CloudStack project committer & PMC member

• Specialising in deployment of CloudStackand surrounding infrastructure especially the user story

• USP, Georgian Ministry of Justice, Orange, TomTom, PaddyPower, Ascenty, BSkyB, SAP, British Telecom

A b o u t m e



S h a p e B l u e c u s t o m e r s



• What is NFV ?

• What CloudStack can do in the NFV Space

• What CloudStack can’t do (yet)

• What CloudStack might do

O v e r v i e w


What is NFV Anyway?(The Emperor's New Clothes)What is NFV Anyway?(The Emperor's New Clothes)



NetworkFunctions

Virtualization

Taking a network function (like routing or firewalling or a VPN) and creating a virtualised appliance to do it.

W h a t i s N F V ?



Sounds like the CloudStack Virtual Router !?

Yes. It does.(See. It’s not so complicated)

W h a t i s N F V ?



vFirewall• Cisco® Adaptive Security Virtual Appliance (ASAv)• Juniper® vSRX• BigIP® Virtual Firewall (vFW)

vRouter• Cisco®Integrated Services Virtual Router (ISRv)• Juniper® vMX• Brocade® 5600 vRouter (Formerly Vyatta)

W h a t i s N F V ?



WAN Acceleration• Cisco® vWAAS (wide‐area‐application‐services)• Riverbed® SteelHead CX

Application Delivery Controllers• Citrix® NetScaler VPX• Virtual Application Delivery Controllers (vADC)• A10 vThunder ADC

W h a t i s N F V ?



BIG-IP VNFs• Virtual Policy Manager (vPEM)• Virtual DNS (vDNS)

F5 • Virtual Diameter Routing Agent (vDRA)• Virtual Diameter Edge Agent (vDEA)

W h a t i s N F V ?



Other types:

• Brocade vEPC(Evolved Packet Core ‐ Mobile Comms)

• vIPS

• vThunder CGN gateways

• vWebSecurity

W h a t i s N F V ?



So what’s the big deal?A few orchestration layers are required to create the virtual instances, plumb them into a network and configure them.There quite a few combinations and permutations to deal with.(+ if it weren’t complicated, vendors couldn’t charge through the nose for it – cynical much?)

W h a t i s N F V ?



How complicated is it then?

ETSI (European Telecommunications Standards Institute) have a special interest group specifically to try to standardise it all.

W h a t i s N F V ?



W h a t i s N F V ?

ETSI NFV Reference Architecture



VNF - Virtualized Network Function(i.e vRouter or vFirewall)

Just a Virtual Instance



W h a t i s N F V ?

EM – Element Manager ServiceProvides a standardized interface to a given VNF tomanage internals



W h a t i s N F V ?

VNF ManagerManages the internal working of the VNF instances, pushes configuration and ensures availability and performance



W h a t i s N F V ?

Virtualised Infrastructure ManagerOrchestrates Virtual Infrastructureto create VNF instances and ‘plumb’ them in



W h a t i s N F V ?

NFV InfrastructureThe virtualisation hardware; compute, storage networking etc


W h a t i s N F V ?

So, about that VR then?So, about that VR then?



W h a t i s N F V ?

Comparing the NFV Model with Virtual Router elements



W h a t i s N F V ?

Virtual Infrastructure

Cloud‐Stack Kernel

Business Logic

VR1

VR Network Service Mgr Adapter

Comparing the NFV Model with Virtual Router elements


To Sum Up(this part, that’s not the

whole presentation)

To Sum Up(this part, that’s not the

whole presentation)



C l o u d S t a c k & N F V

The VNF is just a guest instance, which has a second layer of orchestration applied to it.



VM


Virtual Infrastructure ACS

This is our bread and butter.


NFV – what’s it FOR(use cases)

NFV – what’s it FOR(use cases)



• Users want to be able to be able to recreate ‘enterprise’ topologies in the virtual (cloud) space

• SPs and MSPs want their customers to be able to do the above and want to be able to sell them the appliances.



N F V To p o l o g i e s

Recreating ‘Traditional’ Enterprise topologies



‘Specific’ use cases




CloudStack’s Shortfalls

• No way to add a layer 2 network (ie network with no IP requirements)

• No way to have a range of public IPs presented to the guest networks without explicit mapping

• VR is a ‘proprietary’ case of NFV• No way to put ‘alternative’ VRs or Network Appliances in the

guest networks



CloudStack & NFV(Drumroll plleeease)

CloudStack & NFV(Drumroll plleeease)



• New concept of Topologies• New concept of Enterprise Topologies• New VR type ‘Enterprise Topology VR’• New Network Types

• Layer 2• Simple User

• UI enhancement to give graphical network building




Topologies• Isolated/shared

Individual guest networks

• VPCContains multiple VPC tiers (neworks)

• EnterpriseContains multiple ‘simple user’ or ‘Layer2’ networks



Enterprise Topology Virtual Router• A simplified (and hidden) VR to pass ALL

designated 'public' IP data through to a hand off. What happens after this, is the 'users' problem.

• Pass 'public' traffic to/from the hand-off as fast as possible (no other services)

• Ensure that a user cannot use a public IP that has not been assigned to the topology


Public Network

Hand-off

ETVR

Core Router123.123.123.254/24



Enterprise Topology Hand-off• Users can create a device, who's outside face is

on an IP between 123.123.123.56 –123.123.123.62 with a gateway of 123.123.123.254

• No other source IPs will be allowed to pass traffic

• User device eth0:IPADDR=123.123.123.56GATEWAY=123.123.123.254NETMASK=255.255.255.0

• Core router requires route info – groundwork laid by OSPF work.


Public Network

ETVROnly traffic from allowed ranges through

Core Router123.123.123.254/24

User DeviceLikely WAN Accelerator or vRouter

Gateway: 123.123.123.254Allowed Ips: 123.123.123.56 – 123.123.123.62Netmask: 255.255.255.0

Hand-off



New Network Types• Layer 2A new network type that is a pure layer 2 network. It would have a VLAN (assigned by CloudStack), but no IP addresses assigned to it and no services.And hence doesn't require VR or IP addresses (DNS/DHCP to be handled 'externally')Allows ‘service chaining’ and ‘Enterprise Networks’ using say, Active Directory or IPAM.

• Simple UserA network where a user can define the IP address properties, but VLANs are orchestrated by CloudStack. CloudStack provides DNS and DHCP, but VR in not in‐path – a self‐service shared network.A user would likely define the gateway of the network as the vRouter that they created.

*VLAN == any supported isolation method




• User creates endpoints and networks which join them.CloudStack creates VLANs but applies no layer 3 restrictions


Public Network

Hand-off:Gateway: 123.123.123.254Allowed Ips: 123.123.123.56 – 123.123.123.62Netmask: 255.255.255.255


Core Router123.123.123.254/24

User InstanceWAN Accelerator

L2 Network

User InstancevRouter/Firewall/VPN

L2 Network

User InstanceVM

User InstanceVMUser Instance

VM: AD + DHCP + DNS

L2 Network

User InstanceWeb server

DMZ



• Simple services Network which provides CloudStack controlled IP addressing.IP space and gateway defined by the user


Public Network

Gateway: 123.123.123.254Allowed Ips: 123.123.123.56 – 123.123.123.62Netmask: 255.255.255.0


Core Router123.123.123.254/24

User InstanceWAN Accelerator

Simple User Network

User InstancevRouter/Firewall/VPN

L2 Network

CloudStack VRDHCP + DNS

Hand-off

N e t w o r k V i s u a l i s a t i o n

‐ CloudStack equivalent of‘Forwarding Graph’

N e t w o r k d e v i c e s v i e w

‐ New ‘Devices’ view



A d d n e t w o r k d e v i c e t o a c c o u n t


Phase 2

M u l t i p l e V N F a p p l i a n c e s

‐ CloudStack equivalent of‘Forwarding Graph’

N e t w o r k d e v i c e

s e t t i n g s

‐ Configuration through CloudStack UI or appliances’ console

V F N C o n f i g u r a t i o n

‐ Option of configuration through appliances’ native UI orSimplified configuration through CloudStack option

N e t w o r k p r o v i d e r s

‐ Add VNF appliances as network providers

U n d e r l y i n g t o p o l o g y



H i g h l e v e l p r o c e s s

User adds appliance(s) to their account

Operator adds (VNF) appliance types to the cloud

User inserts appliance(s) into their networks

CloudStack creates ‘network

system VM’

CloudStack deploys appliance in network from ‘VM’ template

User configures VNF appliance

CloudStack sets base config of VNF appliance through VNFM or API

translator

CloudStack creates L2 networjs

APPLIANCE

‘Direct’ HTTP(s) proxiedthrough Network System VM

Direct console access on appliance via Console Proxy

Simple configuration ‘in’ CloudStack via API translator on Network System VM

Simple configuration ‘in’ CloudStack via VNFM on Network System VM



Device Integration Options• Console Proxy access to VNF appliance console • User http(s) connection to device mgmt. port (via containerised

mgmt. VR in network management VM)• CloudStack management server to containerised VNFM/EM (in

network system VM). [utilising ETSI standards] Simple command set

• ‘ad‐hoc’ API translator (Simple command set to VNF appliance native API). [where ETSI standards not available]

M a n a g e m e n t p l a n e c o m m u n i c a t i o n s



• Layer 2 networks (service chaining)• External network device (appliances) abstractions• Containerised VRs• Containerised VNFMs & EMs• Forwarding graph translation (CloudStack <-> ETSI standard)• ‘Network (management)’ System VM• UI

E l e m e n t s



Further Enhancements

• Support for VNF fabrics• Support for auto-scaling• Support for auto-healing

P h a s e 3


?