NET1338BU: VMware Integrated OpenStack and NSX Integration Deep Dive
Russ Starr, Cerner
Marcos Hernandez, VMware
VMworld 2017
#NET1338BU
#NET8343
VMworld 2017 Content: Not for publication or distribution
CONFIDENTIAL
Disclaimer
• This presentation may contain product features that are currently under development.
• This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.
• Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.
• Technical feasibility and market demand will affect final delivery.
• Pricing and packaging for any new technologies or features discussed or presented have not been determined.
Agenda
1 Introduction and Objectives
2 IaaS Options from VMware
3 OpenStack + NSX - High Level Architecture
  OpenStack vSphere and NSX Integration Points
  Basic Neutron Workflows and NSX Equivalents
  NSX Neutron Plugin – Supported Topologies
4 Tenant Networks vs. Provider Networks
  Tenant Self Service Networking – Is This What You Need?
  Tenant Reachability Using Neutron Networks
  Dynamic Routing – BGP
  Neutron Availability Zones
  NSX Micro-segmentation in OpenStack
  Service Chaining in OpenStack and FWaaS
5 Next steps - Q&A
6 Summary
Introduction and Objectives
• VMware NSX for vSphere and NSX Transformers (NSX-T, multi-hypervisor) both integrate with OpenStack Neutron to deliver robust network capabilities in vSphere- and/or KVM-based OpenStack clouds
• This session is largely focused on the vSphere edition of NSX, but some of the interactions between Neutron and NSX-T are also discussed, as well as some of the differences between the two implementations of the plugin.
• We will review advanced network and security services provided by OpenStack, including Load-Balancing-as-a-Service (LBaaS), Firewall-as-a-Service (FWaaS), advanced micro-segmentation, service chaining and dynamic routing (BGP).
• Networking remains a challenge in most OpenStack deployments, as signaled by the results of the latest OpenStack User Survey.
  – Users want a “networking service to be less complicated to use, with more substantial documentation and better integration with compute functions and PaaS layer integration” (Source: OpenStack User Survey)
• Where do I start? What does my journey look like?
IaaS Options from VMware
[Figure: two IaaS consumption models. Left, “Consistent Virtual Infrastructure”: vRealize Automation on top of vSphere, NSX and VSAN, covering basic IaaS and virtual infrastructure consumption, compliance and governance, service catalog, chargeback, configuration and change management, application lifecycle management, policies and orchestration, with an external cloud connector to AWS. Right, “Simple IaaS”: developer-owned toolsets or a 3rd-party tool consuming vendor-neutral Nova, Neutron and Cinder APIs, with “restrictions with quotas”.]
• vRealize Suite is a complete Cloud Management Platform
• OpenStack delivers APIs to consume infrastructure
• Additional CMP components needed for Governance
VMware Is Committed to Open Source and OpenStack
• Founders of the Neutron Project in OpenStack (formerly known as “Quantum”)
• Founders and largest contributor to the Open vSwitch Project (OVS)
• Founders of Open Virtual Networking (OVN), an open source control plane for OVS
• Authors of OVSDB, the de-facto standard for physical switch (ToR) ecosystem compatibility
• Don’t take our word for it:
  – http://stackalytics.com/ - Who is doing what in OpenStack
  – http://openvswitch.org/ - OVS/OVN project page
  – https://tools.ietf.org/html/rfc7047 - RFC 7047, The Open vSwitch Database Management Protocol
OpenStack + NSX – High Level Architecture
[Figure: layered architecture. Cloud Consumption: OpenStack, built for consumption by developers. Management Plane and Control Plane: support for endpoint heterogeneity, with a Central Control Cluster (CCP) and a Local Control Plane (LCP) on each host. Data Plane: improved performance and resiliency, spanning ESXi (+ kernel modules), KVM (+ kernel modules), NSX Edge VM or bare metal, and a Layer 2 bridge.]
The NSX Networking and Security Platform – Ecosystem
• OpenStack distributions: open source, VIO, HPE, Mirantis, Redhat, SUSE, Canonical
• Hypervisor platforms: VMware ESXi 6.5 U1; Redhat RHEL 7.2 and RHEL 7.3; Canonical Ubuntu 16.04 LTS
OpenStack vSphere and NSX Integration Points
[Figure: OpenStack services (Nova Compute and Nova services, Neutron Server with the NSX Neutron Plugin, Heat, Glance, Keystone, Cinder with the VMDK driver, RabbitMQ) integrating with vCenter through the Nova vSphere plugin and with NSX Manager through the Neutron plugin; NSX is present on each ESXi host (ESXi-1, ESXi-2).]
3rd Party OpenStack vSphere and NSX Integration Points
[Figure: the same OpenStack services integrating with one or more vCenters (ESXi-1 and ESXi-2, each with an NSX host switch) and with KVM hosts (KVM-1, running Nova Compute and an NSX host switch) through the NSX control/management plane.]
Basic Neutron Workflows and NSX Equivalents
• DHCP – NSX Edge Services Gateway
• Web Network / App Network – Logical Switch or VLAN
• Router – NSX ESG (SNAT or NO-NAT), connecting tenants to the intranet/Internet
• Floating IP – NSX Edge Services Gateway (DNAT)
• Load Balancer – NSX Edge Services Gateway
• Security Group – Distributed Firewall Security Group
NSX Neutron Plugin – Supported Topologies (available out-of-the-box)
Use case 1: VLAN-Backed Networks
  L2 technology: VLAN | L3 technology: Physical router | NSX micro-segmentation: Yes
  Notes: Micro-segmentation with NSGs
Use case 2.1: VLAN-Backed with NSX L3 Services and NAT
  L2 technology: VLAN | L3 technology: NSX Edge | NSX micro-segmentation: Yes
  Notes: No Distributed Routing support; Load Balancers; Provider Networks; Micro-segmentation with NSGs and FWaaS
Use case 2.2: VLAN-Backed with NSX L3 Services and No-NAT
  L2 technology: VLAN | L3 technology: NSX Edge | NSX micro-segmentation: Yes
  Notes: No Distributed Routing support; Dynamic routing; Load Balancers; Provider Networks; Micro-segmentation with NSGs and FWaaS
Use case 3.1: VXLAN-backed with NSX L3 Services and NAT
  L2 technology: VXLAN | L3 technology: NSX Edge, NSX DLR, NAT | NSX micro-segmentation: Yes
  Notes: Overlapping IPs allowed; Load Balancers; Provider and Tenant Networks; Micro-segmentation with NSGs and FWaaS
Use case 3.2: VXLAN-backed with NSX L3 Services and No-NAT
  L2 technology: VXLAN | L3 technology: NSX Edge, NSX DLR, No-NAT | NSX micro-segmentation: Yes
  Notes: No overlapping IPs allowed; Dynamic routing; Load Balancers; Provider and Tenant Networks; Micro-segmentation with NSGs and FWaaS
(Three of the use cases are labeled “Enterprise Model” on the slide.)
Distributed Switch Options in the Neutron NSX Plugin
[Figure: a Management Cluster (OpenStack framework: Nova, Neutron, Cinder, Glance, Keystone), an Edge Cluster (Load Balancer, Neutron Routers) and Compute Cluster(s) (Instances), with three vSphere Distributed Switch layouts: Option 1, a single Compute and Management/Edge VDS; Option 2, a Management and Edge VDS plus a separate Compute VDS; Option 3, separate Management, Edge and Compute VDSes.]
Tenant Networks vs. Provider Networks
• The primary difference revolves around who provisions the network:
– Provider networks are created by the OpenStack administrator on behalf of tenants
– Tenant networks are created by tenants for use by their instances and cannot be shared
• Provider networks typically rely on the physical network infrastructure to provide default gateway/first hop routing services
– Tenant networks rely on Neutron routers to fulfill this role
• The Neutron NSX-v Plugin supports the following:
– VXLAN-Backed Tenant Networks
– VLAN-backed and VXLAN-backed Provider Networks
– VLAN-backed and VXLAN-backed External Networks
• All versions of the Neutron NSX plugin are available at https://github.com/openstack/vmware-nsx
Tenant Reachability Using Neutron Networks
• Source NAT/destination NAT: instances use IP addresses from an external provider network, aka “Floating IPs”
• If NAT is disabled, how do you make tenant networks reachable? Answer: routing configuration (static or BGP)
* Dynamic routing support was added in VIO 4.0
BGP Design Considerations
• BGP is configured and owned by the Cloud Admin
• Use eBGP for external peering (AWS/Cloud model)
• Use the same AS number on all OpenStack objects in the same region
• Neutron only supports 2-byte AS numbers and does not offer AS_TRANS support, even though NSX does
  – Connect to a 4-byte AS Clos fabric using the BGP Local-AS feature, e.g. neighbor nsx local-as 65535
• Can advertise self-service networks or only networks defined by the Cloud Admin
  – Neutron Address Scopes are used:
  – External Network – used for BGP peering
  – Internal Network – the prefixes that will be advertised over BGP
• Advertise only a default route (0.0.0.0/0) to OpenStack’s BGP speaker
• Create BGP peers, routes and networks per AZ for resiliency
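As an added illustration that is not part of the slide deck, the Python below models which prefixes a Neutron BGP speaker announces under the two reachability options above (No-NAT via shared address scope, NAT via floating IP host routes) and checks the 2-byte AS limit; the router, address-scope and floating-IP data are constructed sample input.

```python
# Added example, not from the slide deck: a model of Neutron dynamic-routing
# behaviour. A tenant subnet is advertised as-is only when it shares an address
# scope with the router's external (No-NAT) network; otherwise only the floating
# IP host routes (/32, the NAT case) are advertised. The next hop is always the
# router's gateway IP on the external network. Sample data below is constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Router:
    gateway_ip: str                      # router port IP on the external network
    external_scope: str                  # address scope of the external network
    tenant_subnets: List[Tuple[str, str]] = field(default_factory=list)  # (cidr, scope)
    floating_ips: List[str] = field(default_factory=list)


def check_asn(asn: int) -> int:
    """Neutron's BGP speaker only accepts 2-byte AS numbers (1..65535)."""
    if not 1 <= asn <= 65535:
        raise ValueError(f"AS {asn} is a 4-byte AS; Neutron has no AS_TRANS support")
    return asn


def needs_local_as(fabric_asn: int) -> bool:
    """True when the upstream Clos fabric runs a 4-byte AS, i.e. the NSX
    'neighbor ... local-as' workaround from the slide is required."""
    return fabric_asn > 65535


def advertised_routes(routers: List[Router]) -> Dict[str, str]:
    """Return {prefix: next_hop} as the speaker would announce to its peers."""
    routes: Dict[str, str] = {}
    for r in routers:
        for cidr, scope in r.tenant_subnets:
            if scope == r.external_scope:        # No-NAT: same address scope
                routes[cidr] = r.gateway_ip
        for fip in r.floating_ips:               # NAT: /32 host route per floating IP
            routes[f"{fip}/32"] = r.gateway_ip
    return routes


if __name__ == "__main__":
    # Constructed sample: one No-NAT subnet, one NAT-only subnet, one floating IP
    r1 = Router("203.0.113.10", "public-scope",
                [("10.10.0.0/24", "public-scope"), ("192.168.5.0/24", "private-scope")],
                ["203.0.113.50"])
    for prefix, nh in sorted(advertised_routes([r1]).items()):
        print(f"{prefix} via {nh}")
```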
Neutron Object Relationships
[Figure: diagram of Neutron object relationships; no further text survives on the slide.]
Tenant Self-Service Networking – Is this What You Need?
• With Tenant Networks, Tenants are free to create their own IP Subnets
• Will most cloud users in your organization know what to do when presented with these configuration options?
Managing IP Subnet Assignment and Consumption – Admin Controlled DHCP Scopes
• When using Provider Networks, which can only be provisioned by an OpenStack Admin, the DHCP scope (a subnet configured by the Admin) can also be provided by the Admin
• Tenants will launch VMs on these pre-created networks/subnets and get an IP address from a controlled pool
• This ensures proper connectivity and reachability is in place
Managing IP Subnet Assignment and Consumption – Neutron Subnet Pools
• In Kilo, a new feature called Neutron Subnet Pools was added to the OpenStack networking workflows
• Neutron subnet pools allow an administrator to create a large Classless Inter-Domain Routing (CIDR) IP address range for a Neutron network, from which Tenants can create subnets without specifying a CIDR
• In cases where valid, routable IPs are used, subnet pools are very useful. Tenants only need to specify minimal configuration parameters for creating a subnet without worrying about the IP subnet on which the VMs/Instances will sit.
# neutron subnetpool-create --default-prefixlen 24 --pool-prefix 10.10.0.0/16 TestSubnetPool
Created a new subnetpool:
+-------------------+--------------------------------------+
| Field | Value |
+-------------------+--------------------------------------+
| default_prefixlen | 24 |
| default_quota | |
| id | d963acd5-1afc-477c-a434-cef46f017b17 |
| ip_version | 4 |
| max_prefixlen | 32 |
| min_prefixlen | 8 |
| name | TestSubnetPool |
| prefixes | 10.10.0.0/16 |
| shared | False |
| tenant_id | 4b36a201448b4fc19b91439d8e883b36 |
+-------------------+--------------------------------------+
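As an added example that is not part of the slide deck, this Python models how a subnet pool like the one created above hands out CIDRs to tenants, using the fields from that output (prefixes, default_prefixlen, min_prefixlen, max_prefixlen, default_quota); the pool and tenant names are constructed sample values and the model is IPv4-only.

```python
# Added example, not from the slide deck: a minimal model of how a Neutron subnet
# pool hands out CIDRs, using the fields shown in the subnetpool-create output
# (prefixes, default_prefixlen, min_prefixlen, max_prefixlen, default_quota).
# IPv4 only; the pool prefix and tenant ids below are constructed sample values.
import ipaddress
from typing import Dict, List, Optional


class SubnetPool:
    def __init__(self, prefixes: List[str], default_prefixlen: int = 24,
                 min_prefixlen: int = 8, max_prefixlen: int = 32,
                 default_quota: Optional[int] = None):
        self.prefixes = [ipaddress.ip_network(p) for p in prefixes]
        self.default_prefixlen = default_prefixlen
        self.min_prefixlen = min_prefixlen
        self.max_prefixlen = max_prefixlen
        self.default_quota = default_quota      # addresses per tenant; None = unlimited
        self.allocations: Dict[str, List[ipaddress.IPv4Network]] = {}

    def _addresses_used(self, tenant_id: str) -> int:
        return sum(n.num_addresses for n in self.allocations.get(tenant_id, []))

    def allocate(self, tenant_id: str, prefixlen: Optional[int] = None) -> str:
        """Hand the tenant the next free subnet of the requested size."""
        plen = self.default_prefixlen if prefixlen is None else prefixlen
        if not self.min_prefixlen <= plen <= self.max_prefixlen:
            raise ValueError(f"/{plen} is outside /{self.min_prefixlen}-/{self.max_prefixlen}")
        needed = 2 ** (32 - plen)
        if self.default_quota is not None and \
                self._addresses_used(tenant_id) + needed > self.default_quota:
            raise ValueError(f"tenant {tenant_id} would exceed {self.default_quota} addresses")
        taken = [n for nets in self.allocations.values() for n in nets]
        for pool_prefix in self.prefixes:
            if plen < pool_prefix.prefixlen:    # request is larger than the pool itself
                continue
            for candidate in pool_prefix.subnets(new_prefix=plen):
                if not any(candidate.overlaps(t) for t in taken):
                    self.allocations.setdefault(tenant_id, []).append(candidate)
                    return str(candidate)
        raise ValueError("subnet pool exhausted")


if __name__ == "__main__":
    pool = SubnetPool(["10.10.0.0/16"], default_prefixlen=24)   # values from the slide
    print(pool.allocate("tenant-a"))       # first /24 in the pool
    print(pool.allocate("tenant-b"))       # next free /24
    print(pool.allocate("tenant-a", 26))   # a smaller subnet, placed after the /24s
```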
Neutron Availability Zones
[Figure: three availability zones, AZ 1, AZ 2 and AZ 3, each with its own Edge Cluster (1, 2, 3) hosting Neutron Routers, DHCP, LB and FW, its own Edge VDS (1, 2, 3) and its own Datastore (1, 2, 3).]
Neutron Availability Zones (continued)
• Core plugin must support the following extensions:
  – availability_zone
  – network_availability_zone
  – router_availability_zone
• Attributes (router & network):
  – availability_zone_hints – which zones to prefer placement in
  – availability_zone – which zones actually got selected after scheduling
• If hints are not specified, the default is taken from /etc/neutron/neutron.conf:
  default_availability_zones = az1,az2,az3
Neutron Role Based Access Control (RBAC) for Networks – Limiting Neutron Networks to Specific Tenants
• Starting with Liberty, Neutron added a new policy model allowing the sharing of networks with a group of tenants, as opposed to this being a global operation.
• Both the Admin and a User can leverage this capability, but there are some restrictions for non-Admin users (inability to delete Neutron ports, for example)
• This feature, when combined with Provider Networks, enables more granular control of access and connectivity without delegating complex operations to the end user.
# neutron rbac-create --target-tenant 118dedfc737d46f49ab176a657bf23ce --action access_as_shared --type network 40bff173-355a-4a42-847c-f02e7ef7abbf
Created a new rbac_policy:
+---------------+--------------------------------------+
| Field | Value |
+---------------+--------------------------------------+
| action | access_as_shared |
| id | f7a3ecd9be054d8782663202f6cc9c4e |
| object_id | 134a5f236a11477583d67400786017a2 |
| object_type | network |
| target_tenant | 118dedfc737d46f49ab176a657bf23ce |
| tenant_id | d0d3aca886ad4ddcac8e2233e4598dc1 |
+---------------+--------------------------------------+
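As an added example that is not part of the slide deck, the Python below models the visibility rules an access_as_shared rbac_policy like the one above expresses (owner, legacy global share, or per-tenant grant), plus Neutron's refusal to revoke a grant while the target tenant still has ports on the network; all network, tenant and port values are constructed.

```python
# Added example, not from the slide deck: a model of the network-visibility rules
# that the rbac_policy object above expresses. A tenant may use a network it owns,
# a globally shared network, or one granted via an access_as_shared policy whose
# target_tenant is that tenant (or '*'). Neutron also refuses to revoke a policy
# while the target tenant still has ports on the network; see can_revoke().
# All ids and tenants below are constructed sample values.
from dataclasses import dataclass
from typing import List, Set


@dataclass
class Network:
    id: str
    tenant_id: str          # owning tenant
    shared: bool = False    # legacy global share flag


@dataclass
class RbacPolicy:
    object_id: str          # network id
    target_tenant: str      # a tenant id or '*'
    action: str = "access_as_shared"
    object_type: str = "network"


@dataclass
class Port:
    network_id: str
    tenant_id: str


def granted_networks(tenant_id: str, policies: List[RbacPolicy]) -> Set[str]:
    """Network ids an RBAC policy shares with this tenant."""
    return {p.object_id for p in policies
            if p.object_type == "network" and p.action == "access_as_shared"
            and p.target_tenant in (tenant_id, "*")}


def visible_networks(tenant_id: str, networks: List[Network],
                     policies: List[RbacPolicy], is_admin: bool = False) -> List[str]:
    """Ids of the networks the tenant may attach ports to (admins see all)."""
    if is_admin:
        return sorted(n.id for n in networks)
    granted = granted_networks(tenant_id, policies)
    return sorted(n.id for n in networks
                  if n.tenant_id == tenant_id or n.shared or n.id in granted)


def can_revoke(policy: RbacPolicy, ports: List[Port], owner_tenant: str) -> bool:
    """A share cannot be withdrawn while a tenant it covers still has ports on
    the network; for a '*' grant any non-owner port blocks revocation."""
    def covered(p: Port) -> bool:
        if policy.target_tenant == "*":
            return p.tenant_id != owner_tenant
        return p.tenant_id == policy.target_tenant
    return not any(p.network_id == policy.object_id and covered(p) for p in ports)
```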
Enterprise Migration Option: VXLAN/VLAN Bridging in Neutron
• The Neutron NSX Plugin supports the creation of an L2 Bridge:
• VXLAN - VLAN bridging can help customers preserve physical L3 services while leveraging the benefits of VXLAN for Tenant topologies.
Step 1 – create the L2 gateway:
# neutron-l2gw l2-gateway-create L2GW1 --device name=L2GW1,interface_names=dvportgroup-456
Created a new l2_gateway:
+-----------+------------------------------------------------------------------------+
| Field | Value |
+-----------+------------------------------------------------------------------------+
| devices | {"interfaces": [{"segmentation_id": [], "name": "dvportgroup-456"}],
"id": "21d7078c-10b9-40bc-bbb3-418d296eac3c", "device_name": "edge-164"} |
| id | 84c59e94-b0ce-43e7-9c52-a0a5f88b7014 |
| name | L2GW1 |
| tenant_id | b0131a0680144c079eeeca26c2265ec0 |
+-----------+------------------------------------------------------------------------+
Step 2 – connect the gateway to the VXLAN network:
# neutron-l2gw l2-gateway-connection-create L2GW1 VXLAN-A --default-segmentation-id 10
Created a new l2_gateway_connection:
+-----------------+--------------------------------------+
| Field | Value |
+-----------------+--------------------------------------+
| id | ddf11ca0-16ed-40ab-8892-a208d532627a |
| l2_gateway_id | 84c59e94-b0ce-43e7-9c52-a0a5f88b7014 |
| network_id | 61b83f49-c258-4175-bbe2-05c8666ef1b7 |
| segmentation_id | 10 |
| tenant_id | b0131a0680144c079eeeca26c2265ec0 |
+-----------------+--------------------------------------+
What Is NSX Microsegmentation?
[Figure: Web, App and DB tiers with policy enforced at each workload.]
• Alignment of Policy Controls – security and networking policy that travels with the workload, independent of physical network topology
• Granular Policy Enforcement – enabling least privilege security with policy enforced at every workload
Microsegmentation with Provider Networks Using NSX
• Traditionally, network security has been enforced at the network perimeter, where a layer 3 boundary exists (firewall, router)
  – Perimeter firewall cannot protect what it cannot see
  – Traffic must be steered to the security appliance
  – Firewall policy controlled by security admin
• Neutron Security Groups and Neutron Port Security provide vNIC-level security protection
  – No traffic steering required
  – vNIC-level stateful FW protection
  – If using NSX, global security policy is controlled by the security admin (Neutron Admin Rules): https://review.openstack.org/#/c/200847
[Figure: three Neutron Security Groups (1, 2, 3) on a shared provider network, with a controlled path between each pair.]
Advanced Networking and Service Chaining in Neutron
• As of OpenStack Newton, Neutron has added support for Service Function Chaining, to enable a number of NFV use cases
• There is applicability in the Enterprise when using this feature with NSX NetX partner extensibility:
  – Next Generation Firewall inspection for East-West traffic
  – IPS/IDS services for E-W
  – Visibility and troubleshooting
[Figure: traffic on 20.0.0.0/24 with TCP port 81 redirected for additional inspection.]
Firewall-as-a-Service - FWaaS
• Ability for Tenants to define and apply their own North-South Firewall rules
• Compatible with version 1.0 of the Neutron FWaaS spec (v2.0 is under consideration)
• Implemented on the NSX Edge Firewall, for both NSX-v and NSX-T
• In NSX-v, FWaaS requires an exclusive router, i.e. an Edge dedicated to this function
• Can combine Allow and Deny rules
Network Virtualization Journey with OpenStack – What Does My Journey Look Like?
Crawl:
• VLAN-backed Provider Net
• DHCP
• Neutron Security Groups
Walk:
• VLAN-backed Provider Net
• DHCP
• Neutron Security Groups
• Neutron Routers
• LBaaS
Run:
• VXLAN Networks (Provider/Tenant)
• DHCP
• Neutron Security Groups
• Neutron Routers
• LBaaS
Summary
• Tenant networks and provider networks are different tools in the OpenStack administrator’s toolbox
– Tenant networks present some unique challenges for the enterprise private cloud (especially if you’re simultaneously hosting both cattle and pets)
• The Ocata release of the NSX plugin offers rich and robust Enterprise-grade networking and security services, such as BGP, Load Balancing, East-West and North-South Firewalling and Service Chaining
• Application tiering/security zones no longer necessitate the deployment of dedicated layer 2 networks and can be implemented using security groups on a common, shared provider network
• Leverage vSphere and NSX investments, knowledge and expertise to deliver on your OpenStack mandate
– The API that I want with the Infrastructure that I know
• Crawl, Walk, Run: Journey to Network Virtualization
NSX Partner Ecosystem
[Figure: dynamic insertion of partner services across Physical Infrastructure, Security, Application Delivery, and Operations and Visibility.]
Where to Get Started
Learn
• Connect & Engage: communities.vmware.com
• NSX Product Page & Technical Resources: vmware.com/products/nsx
• Network Virtualization Blog: blogs.vmware.com/networkvirtualization
• VMware NSX on YouTube: youtube.com/user/vmwarensx
Experience
• 70+ Unique NSX Sessions: spotlights, breakouts, quick talks & group discussions
• Visit the VMware Booth: use case demos, chat with NSX experts
• Visit NSX Technical Partner Booths: integration demos – EPSec & NetX, Hardware VTEP, Ops & Visibility
• Test Drive NSX with free Hands-on Labs: expert-led or self-paced. labs.hol.vmware.com
Use
• NSX Proactive Support Service: optimize performance based on data monitoring and analytics to help resolve problems, mitigate risk and improve operational efficiency. vmware.com/consulting
Take
• Training and Certification: several paths to professional certifications. Learn more at the Education & Certification Lounge. vmware.com/go/nsxtraining