Beware the Pitfalls when migrating to Hybrid Cloud with OpenStack

Post on 11-Apr-2017

www.99cloud.net

Copyright © 2015 99Cloud Inc. (九州云). All rights reserved. STRICTLY CONFIDENTIAL

Shuquan Huang

Beware the Pitfalls when migrating to Hybrid Cloud with OpenStack

2016/10/18

About

• Technical Director @ 99cloud

• Heavily involved in the OpenStack community since 2012

Who are we?

• China's first pure OpenStack startup (May 2012), with 4+ years of code contribution since 2012

• Global top 10 OpenStack contributor

• Delivered the 1st COA training in China, and we are on the list of first COA partners

• Gold Member

What do we do?

99Cloud focuses on filling the last-mile gap in OpenStack vertical adoption.

[Figure: Electric Power Industry Vertical Cloud. Deployment status (closed, on-going) for State Grid and China Southern Power Grid. 9 provinces: Jiangsu, Sichuan, Shanxi, Shanghai, Shanxi, Fujian, Tianjin, Ningxia, Shandong. Other provinces named: Guangdong, Tibet, Liaoning, Inner Mongolia, …, Beijing, Guangxi, Yunnan, Guizhou, Heilongjiang, Jilin, Henan, Hunan, Hubei, Hebei, Jiangxi, Qinghai. Short term: 30% cover. Long-term: 100% provinces by 2018.]

Agenda

• The State of Hybrid Cloud

• Why use Hybrid Cloud?

• Hybrid Cloud Use Cases

• Avoid Pitfalls

The State of Hybrid Cloud

• 71% of respondent enterprises are using hybrid cloud – RightScale Report

• 75% of companies planned to adopt hybrid cloud – Cloud Cruiser survey

• 88% of respondents believe hybrid cloud is ‘important’ or ‘critical’ to enable digital business transformation – IDG Research survey

Why use Hybrid Cloud?

• Speed

  • Accelerate the speed of deployment.

  • Scale within minutes and provide resources in a short timeframe.

• Cost

  • Buy the base and rent the peak.

• Geographic & Compliance

  • Full geographic reach needed with global applications.

  • Data restricted to some countries.

Hybrid Cloud Use Cases

• Best Cloud Allocation

• Lifecycle-Based Deployment

• Disaster Recovery

• Cloud bursting

Best Cloud Allocation

• It involves selecting the best cloud for deploying each application.

• The entire application runs in that selected private or public cloud.

Lifecycle-Based Deployment

• Dev/Test in Public Cloud, Production in Private Cloud

• Dev/Test in Private Cloud, Production in Public Cloud

• New Apps in Public Cloud, Steady-State Apps in Private Cloud

Disaster Recovery

• Using public cloud for disaster recovery avoids the cost of provisioning duplicate infrastructure that is rarely used.

• It also greatly reduces the time required to bring the entire configuration to an operational state.

Cloud bursting

• Direct connection between cloud providers

  • AWS Direct Connect

  • Aliyun Express Connect

• Automation capabilities to handle auto-scaling

Pitfall 1: Fail to manage clouds with a single pane

• It’s easy to get swept up in the buzz around hybrid cloud, and rush into it without doing the proper spadework first.

• Now it’s not easy to manage the public cloud and private cloud because a Cloud Management Platform is missing.

Solution and mitigation

• Using a CMP (Cloud Management Platform) such as RightScale, Scalr, Fit2Cloud, etc., you can add a single user interface to many cloud combinations.

• Work with the community and leverage the existing solutions to resolve the following problems:

  • Resource Management

  • Monitor & Dashboard

  • User/Role Management

  • Image Portability

  • Network Topology

  • QoS

Pitfall 2: Fail to handle credentials in hybrid cloud

• If there are different kinds of clouds involved in the hybrid cloud, a user should be able to use a single authentication point to manage virtual resources spread over multiple clouds, whether OpenStack or others.

  • Removes the need for a user to constantly remember the password for each cloud.

  • Increases productivity while reducing cost and frustration.

  • Eliminates the need for a user identity to exist in each cloud.

Solution and mitigation

• Federated Identity provides a way to securely use existing credentials to access cloud resources such as servers, volumes, and databases, across multiple endpoints provided in multiple authorized clouds using a single set of credentials, without having to provision additional identities or log in multiple times.

• Integration with the identity services of other cloud providers, such as AWS Identity and Access Management (IAM) and Alibaba Cloud Resource Access Management (RAM).

Federated Identity (1)

• Service Provider (SP)

• Identity Provider (IdP)

• SAML assertion/OpenID/OAuth

Federated Identity(2)

Keystone to Keystone Federation
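
How the service-provider Keystone maps the attributes of a federated assertion onto local groups decides what a federated user can do. The sketch below is an added example, not code from the slides or from Keystone: a simplified evaluator for Keystone-style mapping rules that compares an over-broad mapping with a constrained one. The `openstack_*` attribute names, group names, projects and assertion values are assumptions constructed for illustration.

```python
"""Simplified evaluator for Keystone-style federation mapping rules.
Added illustration, not Keystone's implementation: only `any_one_of` and
`not_any_of` are modelled. Rule contents and assertions are constructed."""

def rule_matches(remote, assertion):
    """Every remote requirement must hold for the rule to apply."""
    for req in remote:
        values = set(assertion.get(req["type"], []))
        if not values:
            return False  # required attribute missing from the assertion
        if "any_one_of" in req and not values & set(req["any_one_of"]):
            return False
        if "not_any_of" in req and values & set(req["not_any_of"]):
            return False
    return True

def granted_groups(rules, assertion):
    """Sorted local group names the federated user is mapped into."""
    groups = set()
    for rule in rules:
        if rule_matches(rule["remote"], assertion):
            groups.update(loc["group"]["name"] for loc in rule["local"] if "group" in loc)
    return sorted(groups)

DOMAIN = {"name": "Default"}
# Weak: any user the identity provider vouches for lands in an admin group.
WEAK = [{"local": [{"user": {"name": "{0}"}},
                   {"group": {"name": "cloud-admins", "domain": DOMAIN}}],
         "remote": [{"type": "openstack_user"}]}]
# Constrained: membership depends on the project, role and domain asserted.
CONSTRAINED = [{"local": [{"user": {"name": "{0}"}},
                          {"group": {"name": "dr-operators", "domain": DOMAIN}}],
                "remote": [{"type": "openstack_user"},
                           {"type": "openstack_project", "any_one_of": ["dr-site"]},
                           {"type": "openstack_roles", "any_one_of": ["admin"]},
                           {"type": "openstack_user_domain", "not_any_of": ["sandbox"]}]}]
# Constructed assertions, as attribute name -> list of values.
DEV = {"openstack_user": ["alice"], "openstack_user_domain": ["sandbox"],
       "openstack_project": ["dev"], "openstack_roles": ["member"]}
OPS = {"openstack_user": ["bob"], "openstack_user_domain": ["corp"],
       "openstack_project": ["dr-site"], "openstack_roles": ["admin", "member"]}

if __name__ == "__main__":
    for name, who in (("dev", DEV), ("ops", OPS)):
        print(name, granted_groups(WEAK, who), granted_groups(CONSTRAINED, who))
```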

Pitfall 3: Fail to automate network configuration across clouds

• L2/L3 networking automation across clouds.

• Tenant's VMs communicate with each other via L2 or L3 networking across clouds.

• Security groups applied across clouds.

• Tenant-level IP/MAC address management across clouds.

• Tenant-level quota control across clouds.

• …

Solution and mitigation

• Tacker

  • An official OpenStack project for NFV Orchestration and VNF Management using standards-based architectures.

  • Supports VNF placement on a specific target OpenStack VIM and explicit region.

• Tricircle

  • Dedicated to networking automation across Neutron in multi-region OpenStack deployments.

  • Leverages the Neutron API for cross-Neutron networking automation, so ecosystem tools such as the CLI, SDK, Heat, Murano, Magnum, etc. can all be retained seamlessly.

What is Tacker?

Tacker is an official OpenStack project for NFV Orchestration and VNF Management using standards-based architectures.

Tacker

Tacker: Roadmap Beyond Newton

Tacker: Multi-VIM Type Support

• Orchestrate VNFs on different types of VIMs

• Introduce Tacker InfraDrivers for VMware ESXi (TOSCA -> OVF)

[Diagram: Tacker orchestrating Site 1 (OpenStack), Site 2 (VMware ESXi), Site 3 (AWS) and Site 4 (Custom)]

Tricircle - Networking automation across Neutron

Pitfall 4: Fail to orchestrate application across clouds

• Murano introduced an application catalog to OpenStack, which allows application developers and cloud administrators to publish their cloud-ready applications in a browsable, easily navigable and categorized catalog.

• However, when applications are deployed or shared between multiple clouds, Murano cannot do much for you.

Solution and mitigation

• Extend Murano's capability to deploy applications across different clouds: it should deploy applications not only to the cloud where it is installed but also to several other clouds, to fulfill the requirements of hybrid-cloud applications or disaster recovery.

• Using Cloudify to Extend Murano Past OpenStack to Multiple Clouds. This plugin allows Murano to manage TOSCA templates directly, and deploy them to OpenStack and other clouds directly, using Cloudify.

https://wiki.openstack.org/wiki/Murano/MultiCloudSupport

Pitfall 5: Lost control and protection when migrating to hybrid cloud

Considerations

• Do you have data protection or encryption all the time?

• Is your data safe when it is on one public cloud?

• Does it still meet the compliance requirements when migrating to hybrid cloud?

• Do you still maintain a complete audit trail when migrating to hybrid cloud?

Compliance

• Industry-specific frameworks:

  • Solvency II/III, Basel II/III

• Quality and environment:

  • ISO 9001, 14001

• Information security and handling:

  • ISO 27001, 27015, 27018

  • ISO 22301

  • PCI-DSS

• Governance and management:

  • COBIT 5

Solution and mitigation

• Combine with monitoring and log analysis to visualize audit trails.

  • See who changed what and when.

  • Provide audit logs and reports to satisfy regulators.

• Learn about the security issues of OpenStack and work through them with the help of the community.

  • OpenStack Security Advisories (OSSA) are created to deal with severe security issues in OpenStack for which a fix is available. OSSAs are issued by the OpenStack Vulnerability Management Team (VMT).

  • OpenStack Security Notes (OSSN) are used for security issues which do not qualify for an advisory, typically design issues and deployment and configuration vulnerabilities.

https://security.openstack.org/

https://wiki.openstack.org/wiki/Security_Notes
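
One way to get a single view of who changed what and when across a hybrid deployment, as an added example that is not part of the original slides: normalise OpenStack CADF audit events and AWS CloudTrail records into one time-ordered trail of change events. The sample events are constructed, and the subset of fields used is an assumption about what each source delivers in your environment.

```python
"""Merge OpenStack (CADF) and AWS (CloudTrail) audit events into one
who/what/when trail. Added illustration; all sample events are constructed."""
from datetime import datetime, timezone

def _utc(text):
    # Both sources use ISO 8601; map a trailing "Z" so older Pythons parse it.
    return datetime.fromisoformat(text.replace("Z", "+00:00")).astimezone(timezone.utc)

def from_cadf(ev):
    who = ev["initiator"].get("name") or ev["initiator"]["id"]
    return {"when": _utc(ev["eventTime"]), "cloud": "openstack", "who": who,
            "what": ev["action"], "target": ev["target"]["id"],
            "change": not ev["action"].startswith("read")}

def from_cloudtrail(rec):
    ident = rec["userIdentity"]
    who = ident.get("userName") or ident.get("arn", "unknown")
    return {"when": _utc(rec["eventTime"]), "cloud": "aws", "who": who,
            "what": rec["eventName"], "target": rec["eventSource"],
            "change": not rec.get("readOnly", False)}

def unified_trail(cadf_events, cloudtrail_records):
    """Change events from both clouds, oldest first."""
    rows = [from_cadf(e) for e in cadf_events]
    rows += [from_cloudtrail(r) for r in cloudtrail_records]
    return sorted((r for r in rows if r["change"]), key=lambda r: r["when"])

def report(rows):
    """One line per change: when, cloud, who, what, target."""
    return [f'{r["when"]:%Y-%m-%dT%H:%M:%SZ} {r["cloud"]:<9} {r["who"]:<6} '
            f'{r["what"]} {r["target"]}' for r in rows]

CADF = [  # constructed, shaped like CADF audit events (local-time offsets)
    {"eventTime": "2016-10-18T10:15:30.120000+08:00", "action": "update",
     "initiator": {"id": "u-17", "name": "alice"}, "target": {"id": "sg-web-01"}},
    {"eventTime": "2016-10-18T10:10:00.000000+08:00", "action": "read/list",
     "initiator": {"id": "u-17", "name": "alice"}, "target": {"id": "servers"}},
]
TRAIL = [  # constructed, shaped like CloudTrail records (UTC)
    {"eventTime": "2016-10-18T02:12:05Z", "eventName": "AuthorizeSecurityGroupIngress",
     "eventSource": "ec2.amazonaws.com", "readOnly": False,
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
    {"eventTime": "2016-10-18T02:13:00Z", "eventName": "DescribeInstances",
     "eventSource": "ec2.amazonaws.com", "readOnly": True,
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
]

if __name__ == "__main__":
    print("\n".join(report(unified_trail(CADF, TRAIL))))
```

Converting every timestamp to UTC before sorting matters here: the constructed OpenStack events carry a +08:00 offset and would otherwise sort after the AWS change that actually preceded them.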

Have a great journey on the way to hybrid cloud!

THANK YOU!

www.99cloud.net

Tel: 021-6120-7665 Email: 99cloud@99cloud.net

Address: Room 206, Building 1, No. 427 Jumen Road, Huangpu District, Shanghai

Reference

• http://www.rightscale.com/lp/2016-state-of-the-cloud-report

• https://www.emc.com/microsites/cio/articles/idg-research-study-hybrid-cloud/index.htm

• https://aws.amazon.com/directconnect/

• http://docs.openstack.org/developer/heat/getting_started/standalone.html
