eucalyptus 3 networking options - lightning webinar series #4
TRANSCRIPT
© 2012 Eucalyptus Systems, Inc.
Eucalyptus 3 Lightning Webinar: Networking Options
Steve Bradshaw Sr. Technical Trainer
Network Modes
• Eucalyptus supports four network modes
– SYSTEM (default)
– STATIC
– MANAGED
– MANAGED-NOVLAN
• Configured in /etc/eucalyptus/eucalyptus.conf
– On cluster and node controllers
– Look for the VNET_*= entries
• Choice depends on two factors:
– Eucalyptus features you require or desire
• Security groups, elastic IPs, VLAN network isolation
– Level of control over the underlying physical network
SYSTEM – Logical View
(Diagram: Walrus storage, cloud controller, cluster controller and storage controller sit on the corporate LAN next to the corporate DHCP server; three node controllers, each hosting VMs attached to a bridge (Br), are on the same LAN)
SYSTEM – Characteristics and Features
DHCP Server: External to Eucalyptus
Elastic IPs: Not available
Security Groups: Not available
VLAN Isolation: Not available
STATIC – Logical View
(Diagram: Walrus storage, cloud controller, cluster controller and storage controller on the corporate LAN; the cluster controller provides DHCP for the virtual machines (MAC-to-IP assignments); three node controllers, each hosting VMs attached to a bridge (Br))
STATIC – Characteristics and Features
DHCP Server: Cluster Controller
Elastic IPs: Not available
Security Groups: Not available
VLAN Isolation: Not available
MANAGED(-NOVLAN) Characteristics and Features
DHCP Server: Cluster Controller
Elastic IPs: Available
Security Groups: Available
VLAN Isolation: MANAGED mode only
MANAGED(-NOVLAN) – Logical View
(Diagram: Walrus storage, cloud controller, cluster controller and storage controller; the corporate LAN with its corporate DHCP server; a switch marks the subnet boundary, behind which the node controllers and their VMs sit and the cluster controller provides DHCP for the virtual machines)
IP Network Ranges
• In MANAGED(-NOVLAN) mode, virtual machines use two IP address ranges. Why?
• Each virtual machine is assigned two IP addresses
– A private IP address on the virtual subnet (VM-to-VM)
– A public IP address for external communication
• Cluster controller maps private IP addresses to public IP addresses
– In iptables ‘nat’ table
(Diagram: CLC, CC and NCs; the VMs hosted on the NCs use the private virtual IP range on the private switch, while the public IP range lives on the public switch in front of the CC. Note: Eucalyptus physical hosts also require IP addresses.)
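The cluster controller's private-to-public mapping lives in the iptables 'nat' table, so it can be audited. The following is an added example, not Eucalyptus' own code: it parses an `iptables-save -t nat` style dump and checks that the DNAT (public to private) and SNAT (private to public) rules describe one consistent one-to-one mapping. The dump, the addresses and the rule shapes (plain DNAT in PREROUTING, SNAT in POSTROUTING) are constructed for the example; the chains Eucalyptus actually installs may be named differently, so adapt the regexes before running this against a real CC.

```python
"""Audit the cluster controller's public<->private NAT mapping for consistency.

Added example, not Eucalyptus code. It parses an `iptables-save -t nat` style
dump and verifies that DNAT (public -> private) and SNAT (private -> public)
rules describe one consistent one-to-one mapping. The dump, the addresses and
the rule shapes are constructed for this example; Eucalyptus' real chains may be
named differently, so adapt the regexes before pointing this at a live CC.
"""
import ipaddress
import re

# Constructed sample. 172.16.0.5 and 172.16.0.6 are mapped correctly; 172.16.0.7 is
# reachable via 10.1.1.52 (DNAT) but its outbound traffic is SNATed to 10.1.1.50,
# the elastic IP that already belongs to 172.16.0.5.
SAMPLE_NAT_DUMP = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 10.1.1.50/32 -j DNAT --to-destination 172.16.0.5
-A PREROUTING -d 10.1.1.51/32 -j DNAT --to-destination 172.16.0.6
-A PREROUTING -d 10.1.1.52/32 -j DNAT --to-destination 172.16.0.7
-A POSTROUTING -s 172.16.0.5/32 -j SNAT --to-source 10.1.1.50
-A POSTROUTING -s 172.16.0.6/32 -j SNAT --to-source 10.1.1.51
-A POSTROUTING -s 172.16.0.7/32 -j SNAT --to-source 10.1.1.50
COMMIT
"""

_DNAT = re.compile(r"-d\s+(\S+).*-j\s+DNAT\s+--to-destination\s+(\S+)")
_SNAT = re.compile(r"-s\s+(\S+).*-j\s+SNAT\s+--to-source\s+(\S+)")


def _host(addr):
    """Normalise '10.1.1.50/32' or '10.1.1.50' to a plain address string."""
    return str(ipaddress.ip_interface(addr).ip)


def render_rules(public_ip, private_ip):
    """The DNAT/SNAT pair that gives one instance one elastic IP (assumed rule shape)."""
    return [
        f"-A PREROUTING -d {public_ip}/32 -j DNAT --to-destination {private_ip}",
        f"-A POSTROUTING -s {private_ip}/32 -j SNAT --to-source {public_ip}",
    ]


def parse_nat_dump(text):
    """Return (dnat, snat): dnat maps public -> private, snat maps private -> [public, ...]."""
    dnat, snat = {}, {}
    for line in text.splitlines():
        m = _DNAT.search(line)
        if m:
            dnat[_host(m.group(1))] = _host(m.group(2))
            continue
        m = _SNAT.search(line)
        if m:
            snat.setdefault(_host(m.group(1)), []).append(_host(m.group(2)))
    return dnat, snat


def check_mapping(dnat, snat):
    """Return a list of problems; an empty list means a clean one-to-one mapping."""
    problems = []
    private_to_public = {}
    for pub, priv in dnat.items():
        if priv in private_to_public:
            problems.append(f"private {priv} is the DNAT target of both {private_to_public[priv]} and {pub}")
        private_to_public[priv] = pub
    for priv, pubs in snat.items():
        if len(pubs) > 1:
            problems.append(f"private {priv} has {len(pubs)} SNAT rules: {', '.join(pubs)}")
        if priv not in private_to_public:
            problems.append(f"SNAT {priv} -> {pubs[0]} has no DNAT rule for inbound traffic")
        elif private_to_public[priv] != pubs[0]:
            problems.append(f"asymmetric NAT for {priv}: inbound via {private_to_public[priv]}, outbound as {pubs[0]}")
    for priv, pub in private_to_public.items():
        if priv not in snat:
            problems.append(f"DNAT to {priv} via {pub} has no matching SNAT rule")
    # Two instances SNATed to one public address means the address is no longer an
    # elastic IP owned by one instance: remote allow-lists and source-based audit
    # can no longer tell the two VMs apart.
    seen = {}
    for priv, pubs in snat.items():
        for pub in pubs:
            if pub in seen:
                problems.append(f"public {pub} is the SNAT source for both {seen[pub]} and {priv}")
            seen[pub] = priv
    return problems


if __name__ == "__main__":
    dnat, snat = parse_nat_dump(SAMPLE_NAT_DUMP)
    for p in check_mapping(dnat, snat):
        print("PROBLEM:", p)
```

On a live cluster controller, feed it `iptables-save -t nat` output instead of the constructed dump; the two findings it reports for the sample are the asymmetric mapping for 172.16.0.7 and the shared SNAT source 10.1.1.50.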
Private Virtual IP Subnets
• Private virtual IP range for virtual machines is divided into subnets by Eucalyptus
– Address range, number of subnets, and number of virtual machines per subnet are controlled by parameters in /etc/eucalyptus/eucalyptus.conf (VNET_SUBNET, VNET_NETMASK, VNET_ADDRSPERNET)
(Diagram: the CC fronts the NCs; VM public IP addresses are mapped by iptables network address translation to VM private IP addresses; the private virtual IP range is carved into virtual subnets, each holding a group of VMs)
Virtual Private Subnets
• Virtual subnet configuration determines:
– Maximum number of security groups (one per subnet)
– Maximum number of instances per security group (subnet)
• 10 IP addresses are reserved per subnet (not available for VMs)
– network number, broadcast address, eight gateway addresses
• The 12-bit VLAN tag gives 4096 IDs (0 and 4095 are reserved); Eucalyptus can use 2-4094
• Worked example (eucalyptus.conf):
VNET_SUBNET="192.168.0.0"
VNET_NETMASK="255.255.0.0"
VNET_ADDRSPERNET="32"
– /16 netmask leaves 16 host bits = 65,536 possible addresses
– 65,536 / 32 = 2048 possible subnets
– min(4092, 2048) = 2048 actual subnets (the VLAN limit applies in MANAGED mode only)
– 32 ADDRSPERNET – 10 reserved = 22 instances per subnet
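The same arithmetic, carried out from the VNET_* entries themselves, as an added example that is not Eucalyptus' code. It parses a constructed eucalyptus.conf fragment, derives possible subnets, the VLAN-limited number of usable subnets (MANAGED only), instances per subnet, and enumerates the subnet ranges. The power-of-two constraint on VNET_ADDRSPERNET is an assumption the subnet arithmetic requires; the VLAN cap is computed from the 2-4094 range stated above (4093, one more than the 4092 on the slide), which does not change the result for this configuration.

```python
"""Capacity calculator for MANAGED / MANAGED-NOVLAN private virtual subnets.

Added example, not Eucalyptus code. It reads the VNET_* entries from an
eucalyptus.conf fragment and derives the figures the slide works out by hand:
possible subnets, the VLAN-limited number of usable subnets, instances per
subnet, and the subnet ranges themselves. The configuration fragment is
constructed for the example.
"""
import ipaddress
import math
import re

RESERVED_PER_SUBNET = 10                 # network, broadcast and eight gateway addresses (per the slide)
USABLE_VLAN_IDS = range(2, 4095)         # Eucalyptus uses VLAN IDs 2 through 4094 (per the slide)
MAX_VLAN_SUBNETS = len(USABLE_VLAN_IDS)  # 4093; the slide's summary figure is 4092

SAMPLE_CONF = """\
# constructed /etc/eucalyptus/eucalyptus.conf fragment
VNET_MODE="MANAGED"
VNET_SUBNET="192.168.0.0"
VNET_NETMASK="255.255.0.0"
VNET_ADDRSPERNET="32"
"""

_VNET_LINE = re.compile(r'^\s*(VNET_\w+)\s*=\s*"?([^"#\s]*)')


def parse_vnet(conf_text):
    """Return {VNET_NAME: value} for every VNET_* assignment (comment lines ignored)."""
    params = {}
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = _VNET_LINE.match(line)
        if m:
            params[m.group(1)] = m.group(2)
    return params


def subnet_plan(params):
    """Derive subnet counts and ranges from VNET_SUBNET, VNET_NETMASK and VNET_ADDRSPERNET."""
    mode = params.get("VNET_MODE", "SYSTEM")
    if mode not in ("MANAGED", "MANAGED-NOVLAN"):
        raise ValueError(f"{mode} mode has no Eucalyptus-managed private virtual subnets")
    net = ipaddress.ip_network(f"{params['VNET_SUBNET']}/{params['VNET_NETMASK']}", strict=True)
    per_net = int(params["VNET_ADDRSPERNET"])
    # Assumed constraint: aligned subnets need a power-of-two size, and a subnet
    # smaller than the ten reserved addresses has no room for instances at all.
    if per_net & (per_net - 1) or per_net <= RESERVED_PER_SUBNET:
        raise ValueError("VNET_ADDRSPERNET must be a power of two larger than 10")
    possible = net.num_addresses // per_net
    if possible == 0:
        raise ValueError("VNET_ADDRSPERNET is larger than the whole VNET_SUBNET range")
    # One VLAN per subnet caps MANAGED mode; MANAGED-NOVLAN has no such cap.
    actual = min(possible, MAX_VLAN_SUBNETS) if mode == "MANAGED" else possible
    prefix = 32 - int(math.log2(per_net))
    subnets = [str(s) for s in net.subnets(new_prefix=prefix)][:actual]
    return {
        "mode": mode,
        "host_bits": 32 - net.prefixlen,
        "possible_subnets": possible,
        "actual_subnets": actual,
        "instances_per_subnet": per_net - RESERVED_PER_SUBNET,
        "subnets": subnets,
    }


if __name__ == "__main__":
    plan = subnet_plan(parse_vnet(SAMPLE_CONF))
    print(f"{plan['mode']}: {plan['possible_subnets']} possible, {plan['actual_subnets']} usable subnets, "
          f"{plan['instances_per_subnet']} instances each")
    print("first:", plan["subnets"][0], "last:", plan["subnets"][-1])
```

Shrinking VNET_ADDRSPERNET to 16 on the same /16 shows the VLAN cap biting: 4096 possible subnets, but only 4093 usable in MANAGED mode and just 6 instances per subnet, whereas MANAGED-NOVLAN keeps all 4096.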
MANAGED-NOVLAN VM Isolation
• VM isolation is enforced only at the IP layer, through security groups
– Entries in the iptables ‘filter’ table
• Multiple virtual subnets, but a single LAN (one Layer 2 segment)
– An instance in one virtual subnet could sniff the traffic of an instance in another virtual subnet
(Diagram: Security Group A on IP subnet 1 (192.168.1.1, 192.168.1.2) and Security Group B on IP subnet 2 (192.168.2.1, 192.168.2.2) share a single LAN; only their firewall rules separate them)
MANAGED VM Isolation
• VM isolation is enforced at the IP layer through security groups (iptables ‘filter’ table) and at Layer 2 through VLANs (one security group per VLAN)
– An instance in one virtual subnet cannot sniff the traffic of an instance in another virtual subnet
(Diagram: Security Group A on IP subnet 1 / VLAN 1 (192.168.1.1, 192.168.1.2) and Security Group B on IP subnet 2 / VLAN 2 (192.168.2.1, 192.168.2.2); each group has its own firewall rules and its own VLAN)
Network Modes
Feature            SYSTEM      STATIC              MANAGED-NOVLAN                     MANAGED
DHCP Server        Corporate   Cluster controller  Cluster controller                 Cluster controller
Elastic IPs        No          No                  Yes                                Yes
Security Groups    No          No                  Yes                                Yes
Isolation of VMs   No          No                  No (IP-layer security groups only) Layer 2
Q & A
• Do you have any questions?