vCloud Hybrid Service Networking Technical Deep Dive
HBC2068
Ninad Desai, VMware, Inc
David Hill, VMware, Inc
Disclaimer
• This presentation may contain product features that are currently under development.
• This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.
• Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.
• Technical feasibility and market demand will affect final delivery.
• Pricing and packaging for any new technologies or features discussed or presented have not been determined.
VMware vCloud Hybrid Service (now VMware vCloud Air)
What is vCloud Air Network Services built on?
vCloud Air Networking – built on vCNS, moving to NSX
Fully integrated vCloud stack (diagram): vCloud Management and Automation (vCloud Air Management Console) on top of vCloud Infrastructure (vCloud Networking and Security; vCloud Director with vCloud Connector; vSphere / vCenter). In a Dedicated Cloud, each customer (Customer A, …) gets physically isolated servers, a storage pool, and a VPN and network pool.
Moving to NSX:
• vCNS Manager is being replaced by NSX-v Manager in the vCloud Air management stack
• Backward compatible with the current vCNS-based stack
• Existing policies and features stay intact
• Foundation for new networking features
How do I connect to vCloud Air?
Options to Connect to vCloud Air (diagram): the customer data center reaches vCloud Air either over a private WAN / Direct Connect / cross connect, or over the Internet through an IPsec tunnel. Many connectivity choices to support many use cases.
Connecting to vCloud Air
• Over the public Internet
– With public IPs
– Use NAT for address translation
– By default the firewall is set to deny all and NAT is not configured
• IPsec VPN
– vCloud Air features include IPsec VPN
– Multiple VPN tunnels can terminate on the Edge Gateway
– Can connect to most of the major on-premises VPN devices
• Direct Connect
– Dedicated private connection
– Secure and high speed
– Extension of the customer's MPLS network or data center cage
Connecting via IPsec VPN (diagram)
VPN traffic crosses the Internet between the on-premises vSphere Edge Gateway and the vCloud Air Edge Gateway. Protocols to permit: IP protocol 50 (ESP), IP protocol 51 (AH), UDP port 500 (IKE), UDP port 4500 (NAT traversal).
On-premises vSphere Edge Gateway: LEP 10.0.1.150 on the 10.0.1.x segment (10.0.1.1 shown), seen from the Internet as 68.108.102.47; internal network 10.0.10.0/24 with gateway 10.0.10.1; Peer ID 69.194.137.230; Peer IP 69.194.137.230.
vCloud Air Edge Gateway: LEP 69.194.137.230; internal network 192.168.109.0/24 with gateway 192.168.109.1 (host 192.168.109.2); Peer ID 10.0.1.150; Peer IP 68.108.102.47.
Because the on-premises edge sits behind NAT, the vCloud Air side's Peer ID (the edge's own address, 10.0.1.150) differs from its Peer IP (the NATed public address, 68.108.102.47).
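The mirrored Peer ID / Peer IP configuration in the diagram is the part that most often goes wrong when one edge is behind NAT. The following is an added example, not code from the HBC2068 deck or from VMware, that checks two tunnel definitions agree with each other and lists the flows the firewall in front of each edge must allow. The addresses and subnets are taken from the slide; the dataclass, function names and the "misconfigured" variant are this example's own.

```python
"""Added example, not from the HBC2068 deck or VMware's own code: check that two
IPsec site-to-site definitions mirror each other the way the slide's diagram does,
and list the flows the firewall in front of each edge must permit.  Addresses and
subnets are taken from the slide; the dataclass and function names are this
example's own."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Flows that must be permitted between the two public endpoints (from the slide).
REQUIRED_FLOWS = (
    ("udp", 500),    # IKE
    ("udp", 4500),   # IKE/ESP over UDP (NAT traversal)
    ("ip", 50),      # ESP
    ("ip", 51),      # AH
)


@dataclass(frozen=True)
class IpsecSite:
    name: str
    local_endpoint: str    # LEP: address the edge terminates the tunnel on; also its IKE ID here
    public_ip: str         # address the remote side sees; differs from the LEP behind NAT
    peer_id: str
    peer_ip: str
    local_subnets: tuple   # traffic selectors on this side
    peer_subnets: tuple


def behind_nat(site: IpsecSite) -> bool:
    return ip_address(site.local_endpoint) != ip_address(site.public_ip)


def nat_traversal_needed(a: IpsecSite, b: IpsecSite) -> bool:
    """UDP 4500 (NAT-T) is only exercised when at least one edge sits behind NAT."""
    return behind_nat(a) or behind_nat(b)


def check_pair(a: IpsecSite, b: IpsecSite) -> list:
    """Return a list of mismatches; an empty list means the two sides agree."""
    problems = []
    for near, far in ((a, b), (b, a)):
        if ip_address(near.peer_ip) != ip_address(far.public_ip):
            problems.append(f"{near.name}: peer IP {near.peer_ip} is not {far.name}'s public IP {far.public_ip}")
        if near.peer_id != far.local_endpoint:
            problems.append(f"{near.name}: peer ID {near.peer_id} does not match {far.name}'s LEP {far.local_endpoint}")
        if set(near.peer_subnets) != set(far.local_subnets):
            problems.append(f"{near.name}: peer subnets {near.peer_subnets} != {far.name}'s local subnets {far.local_subnets}")
    # Overlapping selectors negotiate fine but route ambiguously; flag them.
    for left in a.local_subnets:
        for right in b.local_subnets:
            if ip_network(left).overlaps(ip_network(right)):
                problems.append(f"local networks overlap: {left} and {right}")
    return problems


def required_rules(site: IpsecSite, other: IpsecSite) -> list:
    """(proto, port or protocol number, src, dst) the firewall in front of `site`
    must allow inbound, expressed in the addresses seen on the Internet side."""
    return [(proto, num, other.public_ip, site.public_ip) for proto, num in REQUIRED_FLOWS]


# Values from the slide: the on-premises vSphere edge is behind NAT (LEP 10.0.1.150,
# public 68.108.102.47), so vCloud Air's Peer ID and Peer IP differ.
ONPREM = IpsecSite("on-prem vSphere Edge", "10.0.1.150", "68.108.102.47",
                   peer_id="69.194.137.230", peer_ip="69.194.137.230",
                   local_subnets=("10.0.10.0/24",), peer_subnets=("192.168.109.0/24",))
VCLOUD_AIR = IpsecSite("vCloud Air Edge", "69.194.137.230", "69.194.137.230",
                       peer_id="10.0.1.150", peer_ip="68.108.102.47",
                       local_subnets=("192.168.109.0/24",), peer_subnets=("10.0.10.0/24",))
# Constructed mistake: using the NATed public address as the Peer ID as well.
MISCONFIGURED = IpsecSite("vCloud Air Edge (wrong ID)", "69.194.137.230", "69.194.137.230",
                          peer_id="68.108.102.47", peer_ip="68.108.102.47",
                          local_subnets=("192.168.109.0/24",), peer_subnets=("10.0.10.0/24",))

if __name__ == "__main__":
    print(check_pair(ONPREM, VCLOUD_AIR) or "tunnel definitions agree")
    print(check_pair(ONPREM, MISCONFIGURED))
    for rule in required_rules(ONPREM, VCLOUD_AIR):
        print("allow", *rule)
```

The Peer ID check is the one to run first after a tunnel fails in phase 1: with a NATed edge, the ID the vCloud Air side expects is the on-premises edge's own LEP, not the public address it arrives from.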
What Networking Services do we offer?
vCloud Air – Options and Gateway Choices
Shared Cloud
• Logically separated network, compute and storage
• 5 GHz CPU (burstable to 10 GHz), 20 GB RAM, 2 TB storage
• No vDC segmentation
• One Edge Gateway
Dedicated Cloud
• Physically separated hosts
• Logically separated network and storage
• 30 GHz CPU, 120 GB RAM, 6 TB storage
• Segment vDCs based on orgs (VDC1 … VDC4 in the diagram)
• Multiple Edge Gateways
vCloud Air Basic Networking Constructs (diagram)
The customer's vDC connects to the Internet through an Edge Gateway, which provides NAT, firewall, load balancer, IPsec, DHCP and static routing. Network types: routed/gateway networks (up to 9 networks), isolated networks, and the external network (managed by VMware).
Configuration Access Options
• vCloud Air Management Web Portal – for basic networking configurations
• vCloud Director management portal – for advanced networking configurations
Can I bring my private IP space along?
Yes! Via Network Address Translation (NAT)
• Need to create firewall rules to allow the traffic (the default policy denies everything)
• IPv4 NAT
• Source NAT & Destination NAT rules
– Supports multiple rules on multiple interfaces
• Can use internal/private IP space
– Bring your own internal IP space
– Create/manage subnets within the IP space
– Multiple IP spaces under the same gateway
• NAT rules: SNAT & DNAT rules
– Options include protocol/port selection
Diagram: the Edge Gateway holds the public IPs; behind it, Organization Net 1, 2 and 3 use internal IPs from 10.x.x.x, 172.16.x.x and 192.168.x.x.
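Because several internal IP spaces share one gateway and its public IPs, the SNAT/DNAT table is where port selection and rule order bite. The following is an added example, not code from the HBC2068 deck or from VMware, that models first-match DNAT and SNAT and flags DNAT rules that can never be hit. The public address 203.0.113.10, the three org networks and every rule are constructed for the example; the real Edge is configured through the portal, not through this code.

```python
"""Added example, not from the HBC2068 deck or VMware's own code: a small model of
the Edge Gateway's IPv4 SNAT/DNAT rule matching, used to test a rule set before it
is configured.  The public address (203.0.113.10), the three org networks and every
rule below are constructed for the example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp", "icmp", ...
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]


@dataclass(frozen=True)
class DnatRule:
    proto: str                      # "any" or a protocol name
    original_ip: str                # public IP on the gateway's external interface
    original_port: Optional[int]    # None = any port
    translated_ip: str              # internal host the traffic is sent to
    translated_port: Optional[int]  # None = keep the original port


@dataclass(frozen=True)
class SnatRule:
    original_network: str   # internal CIDR whose hosts use this translation
    translated_ip: str      # public IP they appear as


def _proto_matches(rule_proto: str, pkt_proto: str) -> bool:
    return rule_proto == "any" or rule_proto == pkt_proto


def apply_dnat(pkt: Packet, rules) -> Packet:
    """Inbound: the first matching rule wins, so rule order matters."""
    for r in rules:
        if (_proto_matches(r.proto, pkt.proto)
                and ip_address(r.original_ip) == ip_address(pkt.dst)
                and (r.original_port is None or r.original_port == pkt.dport)):
            new_port = pkt.dport if r.translated_port is None else r.translated_port
            return Packet(pkt.proto, pkt.src, pkt.sport, r.translated_ip, new_port)
    return pkt  # untranslated: nothing inside answers for the public IP


def apply_snat(pkt: Packet, rules) -> Packet:
    """Outbound: rewrite the private source to the public IP for its network."""
    for r in rules:
        if ip_address(pkt.src) in ip_network(r.original_network):
            return Packet(pkt.proto, r.translated_ip, pkt.sport, pkt.dst, pkt.dport)
    return pkt  # a private source would leave the gateway unchanged


def shadowed_dnat(rules) -> list:
    """Indices of DNAT rules that can never match because an earlier rule on the
    same public IP already catches everything they would."""
    shadowed = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (ip_address(earlier.original_ip) == ip_address(later.original_ip)
                    and _proto_matches(earlier.proto, later.proto)
                    and (earlier.original_port is None
                         or earlier.original_port == later.original_port)):
                shadowed.append(i)
                break
    return shadowed


PUBLIC_IP = "203.0.113.10"   # constructed; one public IP shared by all three org networks
DNAT_RULES = [
    DnatRule("tcp", PUBLIC_IP, 443, "10.10.0.5", None),        # HTTPS -> web server (Org Net 1, 10.x)
    DnatRule("tcp", PUBLIC_IP, 2222, "192.168.20.9", 22),      # port-translated SSH -> jump host (Org Net 3)
    DnatRule("any", PUBLIC_IP, None, "10.10.0.5", None),       # catch-all for the same public IP
    DnatRule("tcp", PUBLIC_IP, 8443, "172.16.5.7", 443),       # never reached: shadowed by the catch-all
]
SNAT_RULES = [
    SnatRule("10.10.0.0/24", PUBLIC_IP),
    SnatRule("172.16.5.0/24", PUBLIC_IP),
    SnatRule("192.168.20.0/24", PUBLIC_IP),
]

if __name__ == "__main__":
    inbound = Packet("tcp", "198.51.100.7", 40000, PUBLIC_IP, 2222)
    print(apply_dnat(inbound, DNAT_RULES))
    print(apply_snat(Packet("tcp", "172.16.5.7", 51000, "198.51.100.7", 443), SNAT_RULES))
    print("shadowed DNAT rule indices:", shadowed_dnat(DNAT_RULES))
```

A DNAT rule only delivers the packet to an internal host; as the slide says, a firewall rule allowing that traffic is still required, and a catch-all `any` DNAT on a public IP silently disables every narrower rule placed after it.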
But … can I stretch my Layer 2 network on to vCloud Air?
vCloud Connector Data Center L2 Extension (diagram)
The on-premises 192.168.50.0/24 network (default gateway 192.168.50.10, hosts .33 to .37) sits behind the corporate firewall. SSL tunnels carry the VPN traffic across the Internet between the public endpoints 184.61.71.155 and 74.204.180.41 and extend the same 192.168.50.0/24 broadcast domain to Edge Gateways in vCloud Air; other addresses shown on the stretched segments: 50.10, 50.33, 100.10, 100.33.
Layer 2 Extensions – Updated with NSX (diagram)
Site A (non-NSX, VLAN-backed network): VLAN 10 and VLAN 11 are carried on a vNIC trunk (VLAN 10–11) to an SSL client next to the default router, and from there over the Internet (L3 network, VPN or Direct Connect) to an NSX Edge Gateway in vCloud Air (vCloud Air client).
Okay … so I have a typical multi-tier app (LAMP/WAMP stack). Can I bring it to vCloud Air?
Firewall for Multi-Tier Applications (diagram: Internet → Edge Gateway → web tier → app tier → DB tier)
Firewall
• 5-tuple firewall policies
– Protocol, source/destination IP, source/destination port
• Stateful firewall
• FIPS 140-2 cryptography
• Common Criteria EAL 4
Load Balancing
• VIP and pool servers
• Health check
Diagram: Edge Gateway with VIP 66.44.4.1 in front of a server pool.
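The tiered policy is easy to describe and easy to get wrong in the rule table (a web host that can reach the DB port directly, or a rule order that lets a reply in without a forward flow). The following is an added example, not code from the HBC2068 deck or from VMware, that evaluates a first-match, default-deny, stateful 5-tuple rule set against sample flows so a web/app/DB policy can be tested before it is typed into the Edge Gateway. Tier subnets, ports and flows are constructed for the example.

```python
"""Added example, not from the HBC2068 deck or VMware's own code: a first-match,
default-deny, stateful 5-tuple policy evaluator for checking a web/app/DB tier
rule set before it goes onto the Edge Gateway.  Tier subnets, ports and flows are
constructed for the example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    proto: str            # "tcp", "udp", "icmp" or "any"
    src: str              # CIDR
    dst: str              # CIDR
    dport: Optional[int]  # None = any destination port.  The source port (the
                          # fifth tuple element) is left unrestricted because
                          # clients pick it at random.


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFirewall:
    def __init__(self, rules):
        self.rules = list(rules)
        self.table = set()   # 5-tuples of flows already permitted

    @staticmethod
    def _matches(rule: Rule, f: Flow) -> bool:
        return ((rule.proto == "any" or rule.proto == f.proto)
                and ip_address(f.src) in ip_network(rule.src)
                and ip_address(f.dst) in ip_network(rule.dst)
                and (rule.dport is None or rule.dport == f.dport))

    def permit(self, f: Flow) -> bool:
        """True if the packet is forwarded.  Replies to a flow that was already
        allowed pass without consulting the rules; anything unmatched is dropped."""
        if (f.proto, f.dst, f.dport, f.src, f.sport) in self.table:
            return True   # return traffic of an established flow
        for rule in self.rules:
            if self._matches(rule, f):
                if rule.action == "allow":
                    self.table.add((f.proto, f.src, f.sport, f.dst, f.dport))
                    return True
                return False
        return False   # implicit deny-all, the Edge Gateway's default


WEB, APP, DB = "192.168.10.0/24", "192.168.20.0/24", "192.168.30.0/24"   # constructed tiers
TIER_RULES = [
    Rule("allow", "tcp", ANY, WEB, 443),    # Internet -> web tier, HTTPS only
    Rule("allow", "tcp", WEB, APP, 8080),   # web -> app
    Rule("allow", "tcp", APP, DB, 3306),    # app -> DB
    # No rule for Internet -> app/DB or web -> DB: those fall through to the implicit deny.
]

if __name__ == "__main__":
    fw = StatefulFirewall(TIER_RULES)
    print("client->web    ", fw.permit(Flow("tcp", "198.51.100.7", 40000, "192.168.10.5", 443)))
    print("web->client    ", fw.permit(Flow("tcp", "192.168.10.5", 443, "198.51.100.7", 40000)))
    print("web->db direct ", fw.permit(Flow("tcp", "192.168.10.5", 50000, "192.168.30.5", 3306)))
```

The last probe is the one worth keeping in a regression check: a compromised web server must not be able to open a database connection, and the stateful table must only admit replies to flows the rules actually allowed.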
Direct Connect – Use Cases
• Can I have a private connection to vCloud Air?
• Can vCloud Air be part of my MPLS connection?
• Can I cross connect in to vCloud Air?
• Can I extend my layer 2 network on to this direct connect interface?
vCloud Air Direct Connect (diagram)
• Cross connect use case: the customer's co-lo cage (data center owner operated/managed) connects to the vCloud Air connection point (vCloud Air managed).
• WAN connectivity use case: the customer data center connects to the vCloud Air connection point (vCloud Air managed) over an NSP connection (MPLS, E-Line, etc.).
Direct Connect – With vCloud Air (diagram)
Headquarters (DMZ network 192.168.52.0/24, private network 192.168.50.0/24) and a branch office (private network 192.168.50.0/24; 10.1.1.x/24, 10.2.2.x/24 and 10.3.3.x/24 shown on the WAN) reach vCloud Air over the NSP's MPLS network. The NSP termination point in the MDF/MMR hands off an untagged Layer 2 connection (1G or 10G; 10.2.2.1 and 10.2.2.2 on the link) to the vCloud Air connection point, where the Edge Gateway fronts a private network (192.168.100.x/24) and the Internet. A second build of the slide shows the vCloud Air private network as 192.168.50.x/24, the same subnet as headquarters.
Direct Connect – Using Existing Security (diagram)
1 Gbps / 10 Gbps Direct Connect traffic runs over a private line to the vCloud Air Edge Gateway, which fronts the vCloud Air private network 192.168.110.0/24. The customer site keeps its existing security policies and appliances (IDS, IPS, Internet gateway) in the path, with its DMZ network (192.168.52.0/24) and private networks (192.168.50.0/24, 10.1.1.x/24) unchanged.
Cross Connect (diagram)
The customer cage in the same facility connects to the vCloud Air Edge Gateway over a 1 or 10 Gbps Direct Connect line; networks as above (DMZ 192.168.52.0/24, private 192.168.50.0/24, vCloud Air private 192.168.110.0/24).
Direct Connect – Extended Layer 2 (diagram)
The 10.1.1.x/24 network spans the co-lo cage and vCloud Air over the Direct Connect private line (a direct access network), while Internet access and the existing security policies and appliances (IDS, IPS, Internet gateway) stay at the customer site.
How about global availability of applications?
Global Load Balancing – Dyn Example (diagram)
Dyn Traffic Director (DNS-based load balancing) steers Internet clients between two sites: Virtual Private Cloud (West) with vCNS virtual server 192.240.153.11 and pool servers 192.168.109.11 and 192.168.109.12, and Dedicated Cloud (East) with vCNS virtual server 74.204.180.41 and pool servers 192.168.205.11 and 192.168.205.12. Each site's Edge Gateway runs the local load balancer.
Advanced Networking – Hybrid Horizon View Logical Architecture (diagram)
On premises (WDC): an Edge Gateway fronting Public-NET 192.168.20.0/24, Corp-NET 192.168.1.0/24 and Desktop-NET 192.168.3.0/24, with desktops DT01 and DT02 and servers AD01 (.41), AD02 (.42) and ViewCS (.5). vCloud Air Las Vegas (IaaS): an Edge Gateway fronting Public-NET 192.168.2.0/24 with View security servers (ViewSS .5) published as view.vmtm.org. The two Edge Gateways are joined by IPsec VPN; PCoIP and Blast traffic arrives at public IPs 66.45.200.37 and 69.194.137.139.
vCloud Air and F5 – Global Load Balancing (diagram)
An F5 BIG-IP (BIP02) in vCloud Air sits on BIP-Internal-NET 10.10.10.0/24, with Corp-NET 192.168.100.0/24 (AD05, AD06) and Public-NET 192.168.200.0/24 behind the Edge Gateway. The Edge Gateway is configured with DNAT Any:Any and Firewall Any:Any, passing all traffic through to the BIG-IP. Other addresses shown: 10.0.10.0/24, 10.0.10.1, 10.0.1.150.
… And what about network security – IPS/IDS?
Trend Micro Based IPS/IDS (diagram)
vCloud Air – Security Solution via Trend Micro Deep Security: Deep Security Manager and Relay with the Deep Security Database (management), and a Deep Security Agent on each protected VM behind the Edge Gateway. Protection modules: Firewall, Log Inspection, Anti-Malware, Integrity Monitoring, Web Reputation, Intrusion Prevention.
Choice of Networking Services Applications …
vCloud Air Recovery Service
"No … no … the world was destroyed … this is a backup"
Recovery as a Service – Networking
• How do I maintain the same network configs?
• Do I need to re-do the network configs?
• Do I need to 'stretch' my network?
• How can I maintain my IP settings on VMs?
Disaster Recovery – Networking
• Pre-create networks on the DR cloud with the same private IP space, name and relevant properties
• When VMs are replicated, the IPs of the VMs are retained
• When a disaster occurs and the VMs on the DR side are powered on, simply connect them to the pre-existing networks
Diagram: WDC (on premises), with Desktop-NET 192.168.3.0/24 (DT01, DT02), Corp-NET 192.168.1.0/24 (AD01 .41, AD02 .42, ViewCS .5) and Public-NET 192.168.2.0/24 (ViewSS .5) behind an Edge Gateway, replicates to a DR vDC whose Edge Gateway fronts identically named and addressed networks (192.168.3.0/24 Desktop-NET, 192.168.1.0/24 Corp-NET, 192.168.2.0/24 Public-NET).
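The three bullets above are a procedure, and the failure mode is a DR network that exists but does not match (wrong mask, wrong gateway, or not pre-created at all), so a VM that kept its static IP powers on with no working route. The following is an added example, not code from the HBC2068 deck or from VMware, that diffs the production org networks against the DR vDC's and checks that a replicated VM's retained address fits its DR network. Network names and subnets come from the slide; the gateway addresses, the dataclass and the broken DR inventory are constructed.

```python
"""Added example, not from the HBC2068 deck or VMware's own code: compare the
production vDC's org networks with the ones pre-created in the DR vDC, so that
replicated VMs, which keep their IP settings, land on a network with the same
name, subnet and gateway.  Network names and subnets come from the slide; the
gateway addresses, the dataclass and the broken DR inventory are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class OrgNetwork:
    name: str
    cidr: str
    gateway: str


def network_diff(prod, dr) -> list:
    """Human-readable mismatches between the two inventories; [] means DR is ready."""
    dr_by_name = {n.name: n for n in dr}
    problems = []
    for p in prod:
        d = dr_by_name.get(p.name)
        if d is None:
            problems.append(f"{p.name}: not pre-created on the DR side")
            continue
        if ip_network(p.cidr) != ip_network(d.cidr):
            problems.append(f"{p.name}: DR subnet is {d.cidr}, production is {p.cidr}")
        if ip_address(p.gateway) != ip_address(d.gateway):
            problems.append(f"{p.name}: DR gateway is {d.gateway}, production is {p.gateway}")
    return problems


def vm_fits(vm_ip: str, vm_gateway: str, network: OrgNetwork) -> bool:
    """A replicated VM keeps its static address; after failover it only works if
    that address lies in the DR network and its configured gateway is the
    network's gateway."""
    return (ip_address(vm_ip) in ip_network(network.cidr)
            and ip_address(vm_gateway) == ip_address(network.gateway))


PROD = [
    OrgNetwork("Corp-NET", "192.168.1.0/24", "192.168.1.1"),      # gateways are assumed
    OrgNetwork("Public-NET", "192.168.2.0/24", "192.168.2.1"),
    OrgNetwork("Desktop-NET", "192.168.3.0/24", "192.168.3.1"),
]
DR_OK = list(PROD)
DR_BAD = [                                                         # constructed mistakes
    OrgNetwork("Corp-NET", "192.168.1.0/25", "192.168.1.1"),      # wrong mask
    OrgNetwork("Public-NET", "192.168.2.0/24", "192.168.2.254"),  # wrong gateway
    # Desktop-NET missing altogether
]

if __name__ == "__main__":
    print(network_diff(PROD, DR_OK) or "DR networks match production")
    for problem in network_diff(PROD, DR_BAD):
        print("-", problem)
    print("AD01 fits Corp-NET:", vm_fits("192.168.1.41", "192.168.1.1", PROD[0]))
```

Run the diff as part of every DR test, not only at setup: the production side changes, and the DR networks only stay "the same" if someone checks.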
VMware vCloud Air – Virtual Private Cloud OnDemand
Interested in participating in the vCloud Air OnDemand Beta Program? The product team from vCloud Air is now accepting candidates interested in participating in the Fall 2014 beta program.
Visit vmware.com/go/ondemand to sign up
VMware vCloud Air – 5 Starting Points Program
VMworld 2014
Starting Point | Session ID | Topic
Dev/Test | HBC2577 | Hybrid Sandboxing – Create the Ultimate On and Off Premises Test/Dev Factory
Extend Existing Applications | HBC2066 | Architect the Hybrid Cloud for Exchange and Lync
Disaster Recovery | HBC1534 | Recovery as a Service (RaaS) with vCloud Hybrid Service
Modernize Enterprise Applications | HBC2609 | Smells Like Team Spirit: Achieve Hybrid Operations Nirvana with vCloud Hybrid Service
Create Next Generation Applications | HBC1917 | Build Your First Mobile Application … In the Cloud … In 60 Minutes
Learn the fundamentals of vCloud Air by attending any or all of our 5 Starting Point breakout sessions within the Hybrid Cloud Track.
Attend any of these breakout sessions and earn a free vCloud Air "Dilbert" t-shirt.
Hybrid Cloud Hands On Labs – Check out the Expert-Led and Self-Paced vCloud Air Hands on Labs
Type | Session ID | Title
HOL: Expert-Led Workshop | ELW-HBD-1481 | Hybrid Cloud Jumpstart Workshop
HOL: Expert-Led Workshop | ELW-HBD-1484 | Disaster Recovery to the Cloud Workshop
HOL: Self Paced Lab | SPL-HBD-1481 | vCloud Hybrid Service – Jump Start for vSphere Admins
HOL: Self Paced Lab | SPL-HBD-1482 | vCloud Hybrid Service – Networking & Security
HOL: Self Paced Lab | SPL-HBD-1483 | vCloud Hybrid Service – Manage Your Cloud
Learn the fundamentals of vCloud Air by attending any or all of our 5 Starting Point breakout sessions within the Hybrid Cloud Track as well as our Hands on Labs.
Try any of these HOLs and earn a free vCloud Air "Dilbert" t-shirt.
Hybrid Cloud Theater Schedule – VMware Booth (Solutions Exchange)
In addition to the breakout sessions within the Hybrid Cloud track, check out our theater schedule for the week at the VMware booth in the Solutions Exchange.
Sunday
• 5:00pm - What is this Hybrid Cloud Thing Anyway?
Monday
• 12:15pm - Getting Started with Hybrid Cloud - 5 Use Cases
• 1:30pm - vCloud Air OnDemand
• 3:45pm - What is this Hybrid Cloud Thing, Anyway?
• 5:30pm - Hybrid Cloud DevOps: How to Keep Your Devs from Running Wild
Tuesday
• 12:15pm - Project NEE - Delivering Hands-on Education at Cloud Scale
• 1:00pm - vCloud Air Network
• 2:45pm - Disaster Recovery with vCloud Air
• 4:00pm - Getting Started with Hybrid Cloud - 5 Use Cases
• 5:30pm - Hybrid Management on vCloud Air
Wednesday
• 10:15am - vCloud Air OnDemand
• 12:45pm - The Internet of Things: Virtual Machines, vCloud Air, vCenter Operations and the Intel IoT Gateway
• 2:15pm - Disaster Recovery with vCloud Air
• 3:30pm - Another Day in Paradise … Going Full Hybrid with vCloud Air
• 4:30pm - RAD in the Hybrid Cloud
Thank You
Fill out a survey. Every completed survey is entered into a drawing for a $25 VMware company store gift certificate.