CIM1600 VMware vCloud Networking Finally Explained
description
Transcript of CIM1600 VMware vCloud Networking Finally Explained
CIM1600VMware vCloud NetworkingFinally Explained
Name, Title, Company
2
Disclaimer
This session may contain product features that are currently under development.
This session/overview of the new technology represents no commitment from VMware to deliver these features in any generally available product.
Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.
Technical feasibility and market demand will affect final delivery.
Pricing and packaging for any new technologies or features discussed or presented have not been determined.
3
Agenda Networking Overview External Network Organization Network vApp Network Network Pools What’s New in vCloud Director 1.5 Example Use Cases Q & A
4
Networking Overview
Layers of Networking• External Network
• Organization Network
• vApp Network
The three layers are managed either by:• Provider: External and Organization Networks
• Consumer: vApp Networks
5
External Network: Overview
Created at the vSphere level as a port group on a vSS or vDS Port group is mapped to a vCloud Director external network Mapping is on a one to one basis Use cases
• Internet access
• Provider supplied network endpoints• IP based storage• Backup servers• Access to physical managed services
• Backhauled networking to a customer datacenter• VPN access to a private cloud• MPLS termination
*vSS = VMware Standard Switch
*vDS = VMware Distributed Switch (or equivalent such as Nexus 1000V)
6
External Networks: In vSphere
Dedicate vDS for statically mapped networks i.e. “Provider vDS” Avoid vSS unless using scripting to duplicate port groups to hosts Use unique VLANs per port group to avoid broadcast overlap Below is an example of VLAN isolated External Networks:
7
External Networks: In VMware vCloud Director
In VMware vCloud Director, create an external network by mapping it to a portgroup
Portgroups are associated with vCenter servers so care should be taken in naming
Use meaningful names for Portgroups such as Organization_Purpose
8
Organization Networks: Overview
Contained within an organization Allows vApps within the organization to communicate with each
other or external endpoints Can be connected to external networks as:
• Public (External Org Direct)• Bridged connection to an external network
• Others outside the organization can see
• Private Routed (External Org NAT-Routed)• Connected to an External Network through a vShield Edge
• Can be configured for NAT & Firewall
…or left unconnected to external• Private Internal (Internal Org)
• No External connectivity
Backed by Network Pools
9
Organization Networks: In VMware vCloud Director
Creating NAT-Routed and Isolated Org Networks:• Select the type of Org Network to create using the typical radio button and
dropdown box
10
Organization Networks: In VMware vCloud Director
Creating Isolated Organization Network:• Select the Network Pool to use for the Internal Network
• Assign internal addressing for the Internal Network
11
Organization Networks: In VMware vCloud Director
Creating NAT-Routed Organization Network:• Select the External Network
to attach
• Select the Network Pool to usefor the Internal Network behindthe vShield Edge.
• Assign internal addressing forthe Inside portion of Org Network
12
vApp Networks: Overview
Contained within a vApp• Inherently Private Internal
Allows VMs in a vApp to communicate with each other or …by connecting them to Org networks, other vApps
Can be connected to Org Networks as• Public (Direct)
• Bridged connection to a organization network
• Private Routed• Connected to a organization network through a vShield Edge
• Can be configured for NAT & Firewall
Backed by a Network Pool
13
Network Pools: Overview
A set of pre-configured network resources that can be used for Organization and vApp Networks• Picture these as a collection of preconfigured switches that can be assigned to
organizations or vApps
Three Types of Network Pools in VMware vCloud Director• Portgroup-backed
• VLAN-backed
• vCloud Network Isolation-backed (vCD-NI)
14
Network Pools: Portgroup-backed
Requires• Preconfigured portgroups at the vSphere layer
• Assign meaningful names so its obvious they are part of a pool
• If using vSS portgroups, they must exist on all ESX/ESXi hosts in the cluster
How it works• The VI administrator manually creates the portgroups
• vCD Admin is given a list of unused portgroups to use for the pool
Advantages• Works with all types of vSwitches
Disadvantages• Requires manual work or orchestration to create all of the portgroups
• Portgroups needs to be keep in sync on a vSS
• To ensure isolation portgroups rely on VLANs for L2 isolation
15
Network Pools: VLAN-backed
Requires• A vDS that’s connected to all ESXi hosts in your cluster• A range of unused VLANs
How it works• vCD admin creates the network pool and chooses an “Organization vDS” to
associate it with, then provides a range of valid VLANs, for example, 10 – 15• When an network is needed, vCD will automatically create a portgroup on the
vDS and assign it an unused VLAN ID from those assigned• Many vCD generated portgroups can coexist on the same vDS because they
are isolated using VLAN tagging
Advantages• Isolated networks• No pre-configuration needed by VI administrators
Disadvantages• Requires VLANs to exist on physical switches in use• VLANs are limited in supply and may not even be available at all
16
Network Pools: VLAN-backed in VMware vCloud Director
VLAN-backed:• define the VLAN range for the pool and select the vDS to provision the
portgoups on
17
Network Pools: VLAN-backed in vSphere
VLAN-backed Example:• The VLAN-backed network pool was defined to use the range 10-15
• The routed external Org Network was called EmcaInternet
• A Static binding port group was created with a vShield Edge attached
• Looking at the portgroup shows the portgroup used VLAN 10 and is named dvs.VCDVSEmcaInternet-8dc9e26f-6783-4678-abaa-b5609114f6ca
18
Network Pools: vCloud Network Isolation
VMware proprietary network isolation technology• vCD-NI “networks” span hosts and are represented as portgroups on a vDS
• Setup:• Designate a “Transport Network” – an actual layer 2 segment to carry the packets for
vCD-NI networks
• Decide how many networks you want in the pool, up to 1000 supported
• Individual vCD-NI Networks are isolated from each other and the Transport Network via MAC-in-MAC encapsulation
• Technical details:• Implemented with MAC-in-MAC encapsulation• Encapsulation handled by dvFilter VMkernel module
• Can cause frame fragmentation with default MTU
• Requires a small increase in MTU to 1524 or higher
19
Network Pools: vCloud Network Isolation-backed
Requires• A vDS that’s connected to all ESXi hosts in your cluster
How it works:• vCD creates an overlay “transport” network for each isolated network to carry
encapsulated traffic• Each overlay network is assigned a Network ID number• Encapsulation contains source and destination information of hosts where VM endpoints
reside as well as the Network ID• ESXi host strips the vCD-NI packet to expose the VM source and destination MAC
addressed packet that is delivered to the destination VM
Advantages:• Does not require VLANs (can optionally set a VLAN ID for the transport network; leaving
blank defaults to 0)
Disadvantages:• Small performance overhead due to encapsulation (dvFilter)• Added MAC header require an increase in MTU same as in MPLS networks• vCD-NI is for layer 2 adjacency and not for routed networks• vCD-NI is only for VMs and cannot be accessed by physical hosts
20
Network Pools: vCloud Network Isolation in vSphere
vCD-NI-backed Example:• A vCD-NI-Backed Pool where transport VLAN is 99 was created
• The VI portgroup does not reflect isolation, just the transport VLAN used for the vCD-NI
21
Overview
Benefits
• Integration with vShield IPSec VPN capabilities through both API & UI
• Expanded firewall capabilities to include full 5-tuple firewalls and static routing5-tuple: Protocol, SRC/DST IP, SRC/DST Port
Expanded vShield Integration
• Organization administrators can configure private networking enclave connected back to corporate datacenters
• 5-tuple firewalls allows fully flexible network access management—control source & destination.
Virtual Datacenter:
Local
Virtual Datacenter:
Remote
Edge Edge
WAN
22
IPSec Site to Site VPN
Enable Site to Site VPN connections using vCloud Director• Configured by the organization administrator on a routed org network
23
Setting Up VPN Tunnels
Connecting to organization network to setup VPN tunnel is really easy• vCloud URL
• Organization Name
• Credentials
Setup Site to Site VPN connections in a matter of minutes• Self-service
• Only 4 pieces of information needed
• No need to call or email the vCloud administrator
24
IPSec VPN Tunnel Configuration Types
Private/Public vCloudOrg B
Org Network Org NetworkVPN
Private CloudOrg A
Org Network
Public CloudOrg A
Org NetworkVPN
VPN Endpoint(vShield Edge, 3rd Party)
vCloud Org C
Org Network VPN
Tunnel tonetwork in another organization
Tunnel to network in this organization
Tunnel to a remote network
25
IPSec VPN
AES or 3DES encryption
26
Five Tuple Firewalls
Create complex firewall rules for enhanced security
Inbound and outbound rules Firewall rules now can be
configured for:• source address
• source port
• protocol
• destination port
• destination address
Support for ICMP protocol in addition to TCP and UDP
27
Static Routing
28
Third Party Distributed Switch Integration
• Support for broader range of network pool types in third party distributed switches
• Support VLAN-backed networks
• Requires vShield Manager 5
Overview
• Leverage third party switches –
automatic portgroup creation now enabled
• Leverage third party tools for network monitoring in conjunction with vCloud deployments.
BenefitsThird Party Distributed Switch
29
Manage Your Cloud Networking Using Standard Tools
Third Party Distributed SwitchvShield Manager
REST API
Administration/Monitoring
Network admins
vCloud Director 1.5
Third party tools
30
Putting It Together: vCloud Networking Options – Examples
vApp network
vApp
External Network (set up by system admin)
External Organization Network (set up by system admin)
Organization
Internal Organization network (set up by system admin)
vApp network
(set up by org admin/vApp author, internal to vApp)
External Organization Network
vApp network1 2 3
4
56
7
8
31
Questions