VMworld 2014: vCloud Hybrid Service Networking Technical Deep Dive
Transcript of VMworld 2014: vCloud Hybrid Service Networking Technical Deep Dive
vCloud Hybrid Service Networking Technical Deep Dive
HBC2068
Ninad Desai, VMware, Inc David Hill, VMware, Inc
Disclaimer
• This presentation may contain product features that are currently under development.
• This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.
• Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.
• Technical feasibility and market demand will affect final delivery.
• Pricing and packaging for any new technologies or features discussed or presented have not been determined.
VMware vCloud Hybrid Service (now VMware vCloud Air)
What is vCloud Air Network Services built on?
vCloud Air Networking – built on vCNS, moving to NSX. Fully integrated vCloud stack:
• vCloud Management and Automation – vCloud Air Management Console
• vCloud Infrastructure – vCloud Networking and Security, vCloud Director with vCloud Connector, vSphere / vCenter
(Diagram: Customer A Dedicated Cloud – physically isolated servers, storage pool, VPN and network pool.)
• vCNS is being replaced by the NSX-v manager in the vCloud Air Management stack
• Backward compatible with the current vCNS based stack
• Existing policies and features stay intact
• Foundation for new networking features
How do I connect to vCloud Air?
Options to Connect to vCloud Air
(Diagram: Customer Data Center to vCloud Air over a Private WAN / Direct Connect / Cross Connect, an IPsec tunnel across the public Internet, or the public Internet directly. Many connectivity choices to support many use cases.)
Connecting to vCloud Air
• Over the public Internet
  – With public IPs
  – Use NAT for address translation
  – By default the firewall is set to deny all and NAT is not configured
• IPsec VPN
  – vCloud Air features include IPsec VPN
  – Multiple VPN tunnels can terminate on the Edge Gateway
  – Can connect to most of the major on-prem VPN devices
• Direct Connect
  – Dedicated private connection
  – Secure and high speed
  – Extension to the customer’s MPLS or data center cage
Connecting via IPsec VPN
(Diagram: VPN traffic over the Internet between an on-premises vSphere Edge Gateway and the vCloud Air Edge Gateway.)
On-premises vSphere Edge Gateway (internal network 10.0.10.0/24 with gateway 10.0.10.1; edge address 10.0.1.150 with upstream 10.0.1.1, seen from the Internet as 68.108.102.47):
§ LEP – 10.0.1.150
§ Peer ID – 69.194.137.230
§ Peer IP – 69.194.137.230
vCloud Air Edge Gateway (public address 69.194.137.230; organization network 192.168.109.0/24 with gateway 192.168.109.1 and VM 192.168.109.2):
§ LEP – 69.194.137.230
§ Peer ID – 10.0.1.150
§ Peer IP – 68.108.102.47
Traffic between the peers: IP protocol 50 (ESP), IP protocol 51 (AH), UDP port 500 (IKE), UDP port 4500.
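The slide's two endpoint definitions only work if each side's Peer ID is the other side's LEP and each Peer IP is the address the other side is really reached on (the on-prem edge sits behind NAT, which is why its Peer ID and Peer IP differ on the cloud side). This added example, not code from the deck, checks that mirroring and lists what the firewalls in between must permit; the `public_ip` field and the dict layout are this example's own assumptions.

```python
# Added example, not code from the deck: validate that the two IPsec endpoints on
# the slide mirror each other and work out what the firewalls between them must
# permit. Addresses are the slide's; the dict layout and the "public_ip" field
# (the address the peer actually reaches an endpoint on) are this example's.
from ipaddress import ip_address

ONPREM = {"lep": "10.0.1.150", "peer_id": "69.194.137.230",
          "peer_ip": "69.194.137.230", "public_ip": "68.108.102.47"}
CLOUD = {"lep": "69.194.137.230", "peer_id": "10.0.1.150",
         "peer_ip": "68.108.102.47", "public_ip": "69.194.137.230"}

def behind_nat(side):
    # A private local endpoint that differs from the address the peer uses
    # means a NAT device sits between this edge and the Internet.
    return ip_address(side["lep"]).is_private and side["lep"] != side["public_ip"]

def check_pair(a, b):
    """Return mismatches between two ends; an empty list means they mirror."""
    problems = []
    for mine, theirs, label in ((a, b, "A"), (b, a, "B")):
        # My Peer ID must be the remote side's local endpoint (its IKE identity)...
        if mine["peer_id"] != theirs["lep"]:
            problems.append(f"{label}: peer ID {mine['peer_id']} != remote LEP {theirs['lep']}")
        # ...and my Peer IP must be the address the remote is actually reached on.
        if mine["peer_ip"] != theirs["public_ip"]:
            problems.append(f"{label}: peer IP {mine['peer_ip']} != remote public IP {theirs['public_ip']}")
    return problems

def required_openings(a, b):
    """Protocols/ports to allow between the peer addresses for this tunnel."""
    rules = {"udp/500 (IKE)", "ip-proto-50 (ESP)", "ip-proto-51 (AH)"}
    if behind_nat(a) or behind_nat(b):
        # With a NAT in the path, ESP is encapsulated in UDP 4500 (NAT-T)
        rules.add("udp/4500 (NAT-T)")
    return rules

if __name__ == "__main__":
    print(check_pair(ONPREM, CLOUD) or "peers mirror each other")
    print(sorted(required_openings(ONPREM, CLOUD)))
```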
What Networking Services do we offer?
vCloud Air – Options and Gateway Choices
§ Shared Cloud
  • Logically separated network, compute and storage
  • 5GHz CPU (burstable to 10GHz), 20GB RAM, 2TB storage
  • No vDC segmentation
  • One Edge Gateway
§ Dedicated Cloud
  • Physically separated hosts
  • Logically separated network and storage
  • 30GHz CPU, 120GB RAM, 6TB storage
  • Segment vDCs based on orgs
  • Multiple Edge Gateways
(Diagram: VDC1, VDC2, VDC3 and VDC4 in the Dedicated Cloud; a single VDC in the Shared Cloud.)
vCloud Air Basic Networking Constructs
(Diagram: the customer’s vDC Edge Gateway sits between the Internet-facing external network and the vDC networks.)
• Routed/Gateway networks (up to 9 networks)
• Isolated network
• External network (managed by VMware)
• Edge Gateway services: NAT, firewall, load balancer, IPsec, DHCP, static routing
Configuration Access Options
• vCloud Air Management Web Portal – for basic networking configurations
• vCloud Director management portal – for advanced networking configurations
Can I bring my private IP space along?
Yes! Via Network Address Translation (NAT)
• Need to create firewall rules to allow the traffic
• IPv4 NAT
• Source NAT and Destination NAT rules
  – Supports multiple rules on multiple interfaces
  – Options include protocol/port selection
• Can use internal/private IP space
  – Bring your own internal IP space
  – Create/manage subnets within the IP space
  – Multiple IP spaces under the same gateway
(Diagram: Edge Gateway with public IPs on the outside and internal IPs 10.x.x.x, 172.16.x.x and 192.168.x.x on Organization Net 1, 2 and 3.)
But… can I stretch my Layer 2 network on to vCloud Air?
vCloud Connector Data Center L2 Extension
(Diagram: the 192.168.50.0/24 network is stretched over SSL tunnels across the Internet between Edge Gateways at 184.61.71.155 and 74.204.180.41, behind the corporate firewall; hosts .33 to .37 on one side and .10 on the other share the same segment with default gateway 192.168.50.10.)
Layer 2 Extensions – Updated with NSX
(Diagram: Site A, a non-NSX VLAN-backed network with VLAN 10 and VLAN 11 on a vNIC trunk (VLAN 10-11), connects through an SSL client and default router over an L3 network, VPN or Direct Connect to the vCloud Air Edge Gateway (NSX) and vCloud Air client.)
Okay… so I have a typical multi-tier app (LAMP/WAMP stack). Can I bring it to vCloud Air?
Firewall for Multi-Tier Applications
(Diagram: Internet → Edge Gateway → Web tier → App tier → DB tier.)
Firewall
• 5-tuple firewall policies – protocol, source/destination IP, source/destination port
• Stateful firewall
• FIPS 140-2 crypto
• Common Criteria EAL 4
Load Balancing
• VIP and pool servers
• Health check
(Diagram: load balancing on the Edge Gateway – VIP 66.44.4.1 in front of a server pool.)
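The connectivity and NAT slides say the gateway denies everything until rules are created, and the firewall slide says rules match on the 5-tuple. This added example, which is not code from the deck or the product, models that path for the multi-tier app: a DNAT rule on the slide's VIP 66.44.4.1, then ordered 5-tuple rules with default deny. The tier subnets, ports and client address are constructed.

```python
# Added example, not from the deck: a minimal model of the Edge Gateway path the
# slides describe, with DNAT applied first and 5-tuple firewall rules evaluated
# in order with deny as the default. The VIP 66.44.4.1 is the slide's; the
# tier subnets, ports and client address are constructed for this example.
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    sport: int
    dport: int

# DNAT: (public IP, protocol, public port) -> (internal IP, internal port)
DNAT = {("66.44.4.1", "tcp", 443): ("192.168.109.11", 443)}

# Firewall rules as (action, protocol, source net, destination net, dest port).
# Evaluated after DNAT, so destinations are written in internal address space.
FW = [
    ("allow", "tcp", "0.0.0.0/0", "192.168.109.0/24", 443),         # Internet -> web
    ("allow", "tcp", "192.168.109.0/24", "192.168.110.0/24", 8080),  # web -> app
    ("allow", "tcp", "192.168.110.0/24", "192.168.120.0/24", 3306),  # app -> DB
]

def apply_dnat(p):
    hit = DNAT.get((p.dst, p.proto, p.dport))
    return replace(p, dst=hit[0], dport=hit[1]) if hit else p

def firewall(p):
    """First matching rule wins; no match means deny (the gateway's default)."""
    for action, proto, src, dst, dport in FW:
        if (proto == p.proto
                and ip_address(p.src) in ip_network(src)
                and ip_address(p.dst) in ip_network(dst)
                and (dport is None or dport == p.dport)):
            return action
    return "deny"

def edge(p):
    """Forward path only: return traffic for allowed flows relies on the
    stateful firewall, which this model does not simulate."""
    return firewall(apply_dnat(p))
```

Note that the web tier cannot reach the DB tier directly: only the app-to-DB rule exists, so a compromised web server is still stopped at the gateway.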
Direct Connect Use Cases
Direct Connect – Use Cases
Ø Can I have a private connection to vCloud Air?
Ø Can vCloud Air be part of my MPLS connection?
Ø Can I cross connect in to vCloud Air?
Ø Can I extend my layer 2 network on to this direct connect interface?
(Diagram: vCloud Air Direct Connect, two use cases. Cross connect: a customer co-lo cage in the data center (owner operated/managed) links to the vCloud Air connection point. WAN connectivity: the customer data center reaches the vCloud Air connection point over an NSP connection (MPLS, E-Line, etc.). Everything from the connection point inwards is vCloud Air managed.)
Direct Connect – With vCloud Air
(Diagram, two slides: headquarters with DMZ Network 192.168.52.0/24 and Private Network 192.168.50.0/24, plus a branch office (10.1.1.x/24, 10.2.2.x/24, 10.3.3.x/24), connect over MPLS from the NSP; the NSP termination point in the MDF/MMR hands off an untagged Layer 2 connection (1G, 10G) on the 10.2.2.1 / 10.2.2.2 link to the vCloud Air connection point and Edge Gateway. The vCloud Air private network is 192.168.100.x/24 on the first slide and 192.168.50.x/24 on the second.)
Direct Connect – Using Existing Security
(Diagram: 1 Gbps / 10 Gbps Direct Connect traffic over a private line from the customer site, passing the existing security policies and appliances (IDS, IPS, IGW), to the vCloud Air Edge Gateway; DMZ Network 192.168.52.0/24 and Private Network 192.168.50.0/24 on premises, Private Network 192.168.110.0/24 and 10.1.1.x/24 in vCloud Air.)
Cross Connect
(Diagram: 1 or 10 Gbps Direct Connect line from the customer cage straight to the vCloud Air Edge Gateway; DMZ Network 192.168.52.0/24, Private Network 192.168.50.0/24 and Private Network 192.168.110.0/24.)
Direct Connect – Extended Layer 2
(Diagram: the co-lo cage’s 10.1.1.x/24 network is extended across the Direct Connect private line so the same 10.1.1.x/24 appears in vCloud Air as a direct access network, with the existing security policies and appliances (IDS, IPS, IGW) still in the path.)
How about global availability of applications?
Global Load Balancing – Dyn Example
(Diagram: Dyn Traffic Director on the Internet steers clients to two sites, each fronted by an Edge Gateway load balancer: Virtual Private Cloud (West) with vCNS virtual server 192.240.153.11 and vCNS pool servers 192.168.109.11 and 192.168.109.12, and Dedicated Cloud (East) with vCNS virtual server 74.204.180.41 and vCNS pool servers 192.168.205.11 and 192.168.205.12.)
Advanced Networking – Hybrid Horizon View Logical Architecture
(Diagram: WDC (on premises) with Corp-NET 192.168.1.0/24 (AD01 .41, AD02 .42, ViewCS .5), Desktop-NET 192.168.3.0/24 (DT01, DT02) and Public-NET 192.168.2.0/24 (ViewSS .5), linked by IPsec VPN between Edge Gateways to vCloud Air Las Vegas (IaaS) with Public-NET 192.168.20.0/24 and a second ViewSS .5; view.vmtm.org is reached on 66.45.200.37 and 69.194.137.139 for PCoIP and Blast.)
vCloud Air and F5 – Global Load Balancing
(Diagram: Corp-NET 192.168.100.0/24 (AD05, AD06), Public-NET 192.168.200.0/24 and BIP-Internal-NET 10.10.10.0/24 hosting BIP02, behind an Edge Gateway configured with DNAT Any:Any and Firewall Any:Any; the other site shows 10.0.10.0/24, 10.0.10.1 and 10.0.1.150 behind its Edge Gateway.)
…And what about network security – IPS/IDS?
Trend Micro Based – IPS/IDS
(Diagram: Trend Micro Deep Security in vCloud Air. Management: Deep Security Manager and Relay with the Deep Security Database. Protection modules delivered by the Deep Security Agent on the protected VMs: Firewall, Log Inspection, Anti-Malware, Integrity Monitoring, Web Reputation, Intrusion Prevention; all behind the Edge Gateway.)
vCloud Air – Security Solution via Trend Micro
Choice of Networking Services Applications…
vCloud Air Recovery Service
“No… no… the world was destroyed… this is a backup”
Recovery as a Service – Networking
Ø How do I maintain the same network configs?
Ø Do I need to re-do the network configs?
Ø Do I need to ‘stretch’ my network?
Ø How can I maintain my IP settings on VMs?
Disaster Recovery – Networking
• Pre-create networks on the DR cloud with the same private IP space, name and relevant properties
• When VMs are replicated, the IPs of the VMs are retained
• When a disaster occurs and the VMs on the DR side are turned on, simply connect the VMs to the pre-existing networks
(Diagram: WDC (on premises) with Corp-NET 192.168.1.0/24 (AD01 .41, AD02 .42, ViewCS .5), Public-NET 192.168.2.0/24 (ViewSS .5) and Desktop-NET 192.168.3.0/24 (DT01, DT02) replicates through the Edge Gateways to a DR vDC where the same Corp-NET, Public-NET and Desktop-NET have been pre-created.)
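The DR procedure above only works if the pre-created networks really match and every replicated VM's retained IP still fits. This added example, not code from the deck or the service, is a pre-failover check over a constructed inventory: network names and subnets follow the slide, while the gateway addresses, VM addresses and the deliberately broken DR side are made up.

```python
# Added example, not from the deck: a pre-failover check that the DR vDC has the
# networks replicated VMs expect (same name, subnet and gateway) and that each
# VM's retained IP still fits its network. Network names and subnets follow the
# slide; gateways, VM addresses and the DR-side defects are constructed.
from ipaddress import ip_address, ip_network

SOURCE_NETS = {"Corp-NET": ("192.168.1.0/24", "192.168.1.1"),
               "Public-NET": ("192.168.2.0/24", "192.168.2.1"),
               "Desktop-NET": ("192.168.3.0/24", "192.168.3.1")}
# Constructed DR inventory: Desktop-NET was never pre-created and Public-NET
# was created with a different gateway address.
DR_NETS = {"Corp-NET": ("192.168.1.0/24", "192.168.1.1"),
           "Public-NET": ("192.168.2.0/24", "192.168.2.254")}
VMS = [("AD01", "Corp-NET", "192.168.1.41"), ("AD02", "Corp-NET", "192.168.1.42"),
       ("ViewSS", "Public-NET", "192.168.2.5"), ("DT01", "Desktop-NET", "192.168.3.11")]

def check_dr(source, dr, vms):
    """Return a list of findings; empty means failover can connect VMs as-is."""
    findings = []
    for name, (cidr, gw) in source.items():
        if name not in dr:
            findings.append(f"{name}: not pre-created on DR")
            continue
        dr_cidr, dr_gw = dr[name]
        if ip_network(dr_cidr) != ip_network(cidr):
            findings.append(f"{name}: DR subnet {dr_cidr} != {cidr}")
        if dr_gw != gw:
            findings.append(f"{name}: DR gateway {dr_gw} != {gw}")
    for vm, net, ip in vms:
        if net not in dr:
            findings.append(f"{vm}: network {net} missing on DR")
            continue
        dr_cidr, dr_gw = dr[net]
        # A retained IP outside the DR subnet, or colliding with the gateway,
        # would leave the VM unreachable once it is connected.
        if ip_address(ip) not in ip_network(dr_cidr) or ip == dr_gw:
            findings.append(f"{vm}: IP {ip} unusable on DR {net}")
    return findings

if __name__ == "__main__":
    for line in check_dr(SOURCE_NETS, DR_NETS, VMS):
        print(line)
```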
VMware vCloud Air – Virtual Private Cloud OnDemand
Interested in participating in the vCloud Air OnDemand Beta Program? The Product Team from vCloud Air is now accepting candidates interested in participating in the Fall 2014 beta program.
Visit vmware.com/go/ondemand to sign up
VMware vCloud Air 5 Starting Points Program – VMworld 2014
Starting Point / Session ID / Topic:
• Dev/Test – HBC2577 – Hybrid Sandboxing: Create the Ultimate On and Off Premises Test/Dev Factory
• Extend Existing Applications – HBC2066 – Architect the Hybrid Cloud for Exchange and Lync
• Disaster Recovery – HBC1534 – Recovery as a Service (RaaS) with vCloud Hybrid Service
• Modernize Enterprise Applications – HBC2609 – Smells Like Team Spirit: Achieve Hybrid Operations Nirvana with vCloud Hybrid Service
• Create Next Generation Applications – HBC1917 – Build Your First Mobile Application… In the Cloud… In 60 minutes
Learn the fundamentals of vCloud Air by attending any or all of our 5 Starting Point breakout sessions within the Hybrid Cloud Track.
Attend any of these breakout sessions and earn a free vCloud Air “Dilbert” t-shirt.
Hybrid Cloud Hands On Labs
Check out the Expert Led and Self Paced vCloud Air Hands on Labs:
• Expert-Led Workshop ELW-HBD-1481 – Hybrid Cloud Jumpstart Workshop
• Expert-Led Workshop ELW-HBD-1484 – Disaster Recovery to the Cloud Workshop
• Self Paced Lab SPL-HBD-1481 – vCloud Hybrid Service - Jump Start for vSphere Admins
• Self Paced Lab SPL-HBD-1482 – vCloud Hybrid Service - Networking & Security
• Self Paced Lab SPL-HBD-1483 – vCloud Hybrid Service - Manage Your Cloud
Learn the fundamentals of vCloud Air by attending any or all of our 5 Starting Point breakout sessions within the Hybrid Cloud Track as well as our Hands on Labs.
Try any of these HOLs and earn a free vCloud Air “Dilbert” t-shirt.
Hybrid Cloud Theater Schedule – VMware Booth (Solutions Exchange)
In addition to the breakout sessions within the Hybrid Cloud track, check out our theater schedule for the week from the VMware booth at the Solutions Exchange:
Sunday 5:00pm – What is this Hybrid Cloud Thing Anyway?
Monday 12:15pm – Getting Started with Hybrid Cloud – 5 Use Cases
Monday 1:30pm – vCloud Air OnDemand
Monday 3:45pm – What is this Hybrid Cloud Thing, Anyway?
Monday 5:30pm – Hybrid Cloud DevOps: How to keep your Devs from Running Wild
Tuesday 12:15pm – Project NEE – Delivering Hands-on Education at Cloud Scale
Tuesday 1:00pm – vCloud Air Network
Tuesday 2:45pm – Disaster Recovery with vCloud Air
Tuesday 4:00pm – Getting Started with Hybrid Cloud – 5 Use Cases
Tuesday 5:30pm – Hybrid Management on vCloud Air
Wednesday 10:15am – vCloud Air OnDemand
Wednesday 12:45pm – The Internet of Things: Virtual Machines, vCloud Air, vCenter Operations and the Intel IoT Gateway
Wednesday 2:15pm – Disaster Recovery with vCloud Air
Wednesday 3:30pm – Another Day in Paradise… Going Full Hybrid with vCloud Air
Wednesday 4:30pm – RAD in the Hybrid Cloud
Thank You – Q&A
Fill out a survey: every completed survey is entered into a drawing for a $25 VMware company store gift certificate.