The Why, When and wHow

of CloudStack Networking

Paul AngusVP Technology & Cloud Architect

paul.angus@shapeblue.comTwitter: @CloudyAngus

@ShapeBlue

Who am I

VP Technology & Cloud Architect with ShapeBlueWorked with CloudStack since 2.2.13Specialising in deployment of CloudStackand surrounding infrastructureUSP, Georgian Ministry of Justice, Orange, TomTom, PaddyPower, Ascenty, BSkyB

About Me

@ShapeBlue

@ShapeBlue

“ShapeBlue are expert builders of public & private clouds. They are the

leading global independent CloudStack / CloudPlatform integrator &

consultancy”

About ShapeBlue

@ShapeBlue

The What, When and wHow

Physical networkingStorage networks

Guest networkingBasic networkingAdvanced networking

CloudStack Networking

@ShapeBlue

CloudStack Networking

Physical Networking

@ShapeBlue

Why separate networks?SecurityBandwidth improvementBandwidth contention protection

Converged networking simplifies cabling but contention still needs to be controlled.

Physical Networking

@ShapeBlue

Physical networks are described (per-zone) through two constructs:

‘Physical Networks’‘Network labels’

Physical Networking

@ShapeBlue

Physical NetworksConfusingly named – may be better to call them Network types or groups.Physically independent network interfaces don’t have to be different ‘physical networks’ unless:

They use different separation techniques VLAN vs VXLANYou have multiple physical guest networks

Physical Networking

@ShapeBlue

Physical Networking

@ShapeBlue

A word or two on Blade Chassis

16 hosts sharing a 10Gb connection for storage and mgmt ?Often chassis present virtual interfaces, using these enable bandwidth controlSome chassis present virtual interfaces on a per-uplink module basis. These still need to be bonded by the hypervisor

Physical Networking

@ShapeBlue

Network LabelsDescribe how CloudStack’s network types map to the hypervisor naming of interfaces/bonds. Leaving as ‘default’ not advisedHow the labels are used is subtlety different between hypervisors

Physical Networking

@ShapeBlue

vSphereExample Mappings

CloudStack Label

Hypervisor Interfaces

Hypervisor interface

Mgmt NIC 1+NIC4

vSwitch0

Public NIC2+NIC5 vSwitch1Guest NIC2+NIC5 vSwitch1Storage NIC3+NIC6 vSwitch2

@ShapeBlue

KVM (Ubuntu)Example Mappings

CloudStack Label

Hypervisor Interfaces

Hypervisor interface

Mgmt em1+em3 cloudbr-mgmtPublic em2+em4 cloudbr-guest-

pubGuest em2+em4 cloudbr-guest-

pub

@ShapeBlue

Example Mappings# This file describes the network interfacesauto loiface lo inet loopback

auto em1iface em1 inet manual

auto em2iface em2 inet manual

auto em3iface em3 inet manual

auto em4iface em4 inet manual

auto cloudbr-mgmtiface cloudbr-mgmt inet static bridge_ports em1 em3 address 192.168.1.78 netmask 255.255.255.0 gateway 192.168.1.1 bridge_fd 5 bridge_stp off bridge_maxwait 1

auto cloudbr-guest-publiciface cloudbr-guest-public inet manual bridge_ports em2 em4 bridge_fd 5 bridge_stp off bridge_maxwait 1

@ShapeBlue

XenServerExample Mappings

CloudStack Label

Hypervisor Interfaces

Hypervisor interface

Mgmt NIC 1+NIC4

Mgmt

Public NIC2+NIC5 Public-Guest

Guest NIC2+NIC5 Public-Guest

Storage NIC3+NIC6 Storage

@ShapeBlue

XenServer with Storage VLANExample Mappings

@ShapeBlue

XenServer with Storage VLANExample Mappings

@ShapeBlue

XenServer/KVM with (secondary) Storage VLAN• When adding into CloudStack, Storage VLAN is

UNTAGGED so that it is not tagged twice.

• Can co-exist with ESXi, but must be in different pods so that storage network port group can be tagged with VLAN.

Example Mappings

@ShapeBlue

CloudStack Networking

Storage Networking

@ShapeBlue

Storage networks

Mgmt & SecondaryStorage traffic

NIC0

Host

192.168.1.1/24

Hypervisor

PrimaryStorage traffic

Primary Storage

192.168.99.2 /24

Management Server

192.168.1.2/24

SecondaryStorage

192.168.1.3/24

NIC1

192.168.99.0/24

192.168.1.0/24

192.168.1.0/24

192.168.99.1 /24

Switch

@ShapeBlue

Storage networks

Mgmt traffic

NIC0

Host

192.168.1.1/24

Hypervisor

PrimaryStorage traffic

SecondaryStorage

192.168.10.3/24

Primary Storage

192.168.99.2 /24

Management Server

192.168.1.2/24

NIC1

192.168.99.0/24

192.168.1.0/24

192.168.1.0/24

192.168.99.1 /24

Switch

192.168.10.1/24

SecondaryStorage traffic

NIC2

@ShapeBlue

CloudStack Networking

Guest Networking

@ShapeBlue

Why multiple physical guest networks?Shared vs Isolated networks

Guest Networking

@ShapeBlue

Hypervisor

SSVM

VR

Public TrafficVLAN 99 Mgmt traffic

Storage traffic

Mgmt traffic

Mgmt / Storage traffic

Public TrafficVLAN 99

NIC0

NIC1

Host

Public TrafficVLAN 99

Public Traffic VLAN 99

Guest Traffic VLAN 2001Guest TrafficVLAN 2001

Guest TrafficVLAN 2001

cloudbr0 /Xenbr0 /

vSwitch0 -

mgmt & storage traffic

Guest TrafficVLAN 2002

Guest Traffic VLAN 2002

cloudbr1 /xenbr1 /

vSwitch1 -

guest & public traffic

Guest

Guest

Switch

Trunked (VLAN)

Port

Access Port

@ShapeBlue

Multiple Physical Guest Networks

Guest iSCSISecure backend servicesA number of use cases have been replaced by VPC private gateway

Guest Networking

@ShapeBlue

Isolated networks give... er, isolation.

Additional network services:

load-balancingAuto-scalingFirewallingPort-forwarding

Multi-tiered networksPrivate gatewaysVPN

Isolated vs Shared

@ShapeBlue

Isolated networks are NATed and therefore (direct) inbound routing is not possible.

This makes PaaS problematic Isolated network VR can be a bottleneck and or perceived as a weak link.

Isolated vs Shared

@ShapeBlue

Shared networks can run at physical wire speeds.VMs in shared networks can easily be routed to.

Built-in CloudStack integrated network services not available

Isolated vs Shared

@ShapeBlue

OSPF and Routed VPCComing Soon…

10.1.1.0/24

.1

Other Networks

VR1-VPC

Tier 1 Tier X

Virtual instances

Tier 1 Tier X

.1 .1 .1 .1

BGPBackbone

.2

OSPF Area 0

Other Networks

Super CIDREx: 10.10.10.0/23

Subnet 10.10.10.0/24 Subnet 10.10.11.0/24

VPC VR advertise routes (redistribute connected and static) via OSPF and receiving routes from another's VPC VRs and default route from Border Routers

Super CIDREx: 10.20.20.0/23

Subnet 10.20.20.0/24 Subnet 10.20.21.0/24Virtual instances Virtual instances Virtual instances

.10

.11

VR2-VPC

CORE-ROUTER1

CORE-ROUTER2

Other Networks

@ShapeBlue

Questions

?

@ShapeBlue

Slides: www.slideshare.net/shapeblueBlogs: http://shapeblue.com/blog/Email: paul.angus@shapeblue.comTwitter: @CloudyAngusWeb: http://shapeblue.com http://cloudstack.apache.org/

Resources

The Why, When and wHow

of CloudStack Networking

Paul AngusVP Technology & Cloud Architect

paul.angus@shapeblue.comTwitter: @CloudyAngus