BBVA Bank on OpenStack

Post on 29-Jun-2015


description

BBVA Bank on OpenStack

Due to unproven scalability and security concerns, enterprises take a ‘wait and see’ approach to open source deployments, and to OpenStack even more so. Yet these deployments are not only feasible but can also yield substantial multi-tenant efficiency, agility, speed, dynamism and security advantages over legacy frameworks. While a hybrid cloud approach is quite popular for agile services delivery, for some enterprise segments a private cloud is essential in order to comply with regulations.

In this session, we will explore how Banco Bilbao Vizcaya Argentaria SA (BBVA), a Spain-based global financial group, banks on OpenStack. BBVA has designed an automated, multi-tenant service cloud that provides:

● Efficient, granular security: via a global policy framework from Nuage Networks
● Agility: via use of KVM as the virtualization hypervisor
● Speed: provisioning and delivery of services in near real time via the RedHat OpenStack distribution

Moreover, we show Neutron's integration with external SDN overlay solutions to improve networking and security functionality. This will be an eye-opening session – you can bank on it! (For sure!)

Transcript of BBVA Bank on OpenStack

BBVA Bank on OpenStack
OpenStack Summit
Paris, November 2014

Jose Maria San José, Jose Luis Lucas, Daniel Chavero

1 Introduction

Vision

Why hasn’t a bank 1B customers?

Because we can’t

2 Vision

Vision: Let’s go Cloud!

● Cloud sets up self provisioning infrastructure

● Hybrid Cloud allows unlimited elasticity (no constraints)

● Active-Active Hybrid Cloud boosts resilience

● Hybrid data model (sensitive aware) ensures privacy

● Programmable automation simplifies management

[Figure: “It's a Cloud World”. Labels: BBVA Datacenter, BBVA DMZ, ES / MX / US, Amazon, Google, Management & Support, long-term transfer, physical constraints, no constraints, business model constraints.]

SecDevOps Cooperation

New lifecycle

[Figure: lifecycle stages Development, Testing, Production, Maintenance; Cloud Catalog (Virtual Machines, SW packages, SW Developments); Deployment Package, Tested Deployment Package, Evolved Deployment Package.]

Strategic Roadmap

Private Cloud: Cultural engagement.

DevOps Adoption: Improve speed of development and deployment without flaws.

Hybrid Cloud: Internet-scale infrastructure.

High Value Applications: Web-scale applications on top of Liberty and Hydra.

Assure sustainability of IT

Cloud Consolidation: Migrate internal process and applications to internal cloud.

3 OpenStack

3 - OpenStack: the beginnings.

● Our goals.

● Previous experience in public clouds.

● Why OpenStack?

● Why RedHat?

● How are we planning to use it?

3 - OpenStack: there we go!

● Environments: PRE and PRO.

● Enclosures with Virtual Connects
  ○ HP Blades, Proliant BL 660c
  ○ Intel Xeon E5-2660

● Cloud Controller & Compute & Admin:
  ○ 256Gb RAM

● Swift:
  ○ 64Gb RAM & 12 HDD 1,2Tb

● Cinder & Glance:
  ○ NetApp NFS

3 - OpenStack: there we go!

● Infrastructure deployment: Foreman + Puppet (Staypuft)

3 - OpenStack: technical details

[Figure, built up over several slides: network layout of the deployment. Labels: Internet, Router Inet A, Router Inet B, Router, Firewall, WAF, Load Balancer, DMZ/Endpoint, Cloud Controller Endpoint API, Swift, Horizon, Service subnet, DNS/NTP, MySQL, RabbitMQ, Nova Compute + KVM + VRS, Management OpenStack, Foreman, Nagios, Log collector, Security stuff, BBVA Internal Management, NFS Storage, RHEV, RHEV - NFS, Migration.]

Hey!… what about Neutron?

OpenStack components:
● Cinder
● Glance
● Swift
● Horizon
● Keystone
● Cloud Controller
● Nova
● Neutron???

4 SDN

4 - SDN: Motivation

● Security Team needs to enforce security at all deployment stages automatically.

● Programmability of network functions to automate deployments.

● Growth capabilities between data centers.

● It’s a good point to introduce SDN into the organization.

4 - SDN: Why Nuage?

● Domain Templates.
● User roles.
● Automation.
● Consumable via REST API.
● OpenStack integration via Neutron plugin.
● dVRS (Distributed Routing and Switching).
● Hypervisor agnostic solution.

4 - SDN: OpenStack integration

● Virtualized Services Platform (VSP):
  ○ Virtualized Services Directory (VSD).
  ○ Virtualized Services Controller (VSC).
  ○ Virtual Routing and Switching (VRS).
  ○ Virtualized Services Gateway (VSG).
● Neutron plugin.
● Basic vs. Advanced mode integration.
● Floating-IPs.
● Horizon customization.

4 - SDN: OpenStack integration.

[Figure, repeated on each of the following slides. Labels: Internet, Firewall, Router, DMZ, Load Balancer+WAF, Management OpenStack, Transit network, Data, Cloud Controller, Neutron Plugin, Nova Compute, VRS, VSD, VSC, VSG.]

Slide titles, each with the additional label shown on that slide:

● 4 - SDN: OpenStack integration (VSD): REST API / WEB GUI
● 4 - SDN: OpenStack integration (VSD): XMPP
● 4 - SDN: OpenStack integration (VSC): Open Flow
● 4 - SDN: OpenStack integration (VSC): MP-BGP
● 4 - SDN: OpenStack integration (VRS): VXLAN
● 4 - SDN: OpenStack integration (VSG): VXLAN, Break out
● 4 - SDN: OpenStack integration (Plugin): REST API

4 - SDN: OpenStack integration (Custom)

4 - SDN Security based on Nuage

● ACL and policies applied on different network levels.
● Service chaining.

5 Lessons Learned & Next Steps

5 - Lessons learned.

● Internal processes need to be adapted to consume the OpenStack services.

● Deploying across department silos is difficult; a multidisciplinary “one-team” approach works better.

5 - Next steps

● Icehouse > Juno or Kilo
● Docker
● Ceph
● ...

5 - One Team, SecDevOps Crew ;)

● Alberto Morgante Medina (Security)
● Leticia García Martín (Security)
● Mariano Ruiz Muñoz (Storage)
● German Moya Olmedo (IT)
● Vicente Miranda Cagigas (IT)
● Alberto Martín (IT)
● Helena Cornic Giron (Networking)
● Cesar Martinez Segura (Networking)
● Enrique Garcia Pablos (Innovation)
● Karim Boumedhel (RedHat)
● Oscar Martin Vega (Nuage Networks)
● Francisco Alcantara Hernandez (Nuage Networks)
● Phillipe Jeurissen (Nuage Networks)

Thank you!

Full presentation on YouTube: http://www.youtube.com/watch?v=PESWFDPbexs

Summary keynote: http://www.youtube.com/watch?v=Pp2TiOKjWLY