MidoNet Gives OpenStack Neutron a Boost
TRANSCRIPT
Confidential
Agenda
▪ Midokura Introduction
▪ MidoNet Architecture & Comparisons
▪ MidoNet Packet Walk-through
▪ Use Cases
About the company
• Founded in 2010, Midokura is a global company with offices in Tokyo, San Francisco and Barcelona
• Pioneer in network virtualization: provides software for networking using the overlay approach. Pedigree derives from Amazon, Cisco, VMware and Google
• Received $17M first round of funding in April 2013 from Innovation Network Corporation of Japan, NTT and NEC
• Named by CRN as amongst the top 10 networking stories of 2013 and also amongst the 10 coolest startups in the world
“800 pound virtualization gorillas like VMware and Microsoft that have virtual switch deployments and now network virtualization solutions (NSX and HyperV Network Virtualization) will leverage existing relationships to encourage this influence as well as gain access to the network teams. That said, key innovative startups in the network virtualization space like Midokura will also have the potential to help organizations bridge the gap between virtualization and network domains.” – ESG Research
“Network virtualization companies such as Midokura offer network virtualization approaches to compete with visions such as Cisco ACI and VMware NSX, and so they will be watched by mid-tier vendors that feel they are missing out on the next network disruption opportunity.” – 451 Research, an analyst firm
• First in the industry to bring together network virtualization and bare metal networking with the aim of providing an open network – Cliff Grosner, Infonetics Research
• Significant contributor to OpenStack Networking (Neutron)
• First SDN vendor to be certified for the Red Hat OpenStack environment
• Early member of the OpenDaylight Project (ODP)
• Broad and deep technical partnerships with network switch vendors, software companies and solution providers
Virtual Network Overlays
EVOLUTION OF NETWORK VIRTUALIZATION: INNOVATION IN NETWORKING AGILITY
VLAN APPROACH (Manual End-to-End): VLAN configured on physical switches
• Static • Manual • Complex • Tenant state maintained in physical network
OPENFLOW REACTIVE APPROACH (Reactive End-to-End): Requires programming of flows
• Limited scalability • Hard to manage • Impact to performance • Still requires tenant state in physical network
PROACTIVE SOFTWARE OVERLAY: Decoupling hardware and software
• Cloud-ready agility • Unlimited scalability • Open, standards-based • No impact to physical network
OVS Open Source Plugin
• Overlay networking with GRE tunnels; uses the Open vSwitch project
• Components: Neutron OVS Agent, Neutron DHCP Agent, Neutron L3 Agent, IPTables
• OVS Agent - receives tunnel/flow setup info from the OVS Plugin and programs Open vSwitch to set up tunnels and send traffic through the tunnel
• DHCP Agent - sets up dnsmasq in a namespace per network/subnet and enters MAC/IP into the DHCP lease file
• L3 Agent - the OVS Plugin orchestrates it to set up IPTables, routing and NAT tables
Challenges with OVS Plugin
• Neutron Network Node is a SPOF: need to use corosync, etc. for active/standby failover.
• Challenging at Scale: since there’s a single network node, this becomes a bottleneck fairly quickly.
• Inefficient Networking: IPTables, L3 Agent and multiple hops for a single flow are causing unnecessary traffic and added latency on your physical network.
MidoNet Network Virtualization Platform
• Logical L2 Switching – L2 isolation and path optimization with distributed virtual switching. Interconnect with VLAN-enabled networks via the L2 Gateway
• Logical L3 Routing – L3 isolation and routing between virtual networks. No need to exit the software container, no hardware required
• Distributed Firewall – Provides ACLs, a high performance kernel-integrated firewall via a flexible rule chain system
• Logical Layer 4 Load Balancer – Provides application load balancing in software form, no need for hardware based firewalls
• VxLAN/GRE – Provides VxLAN and GRE tunneling, i.e. L2 connectivity across L3 transport. This is useful when the L2 fabric doesn’t reach all the way from the racks hosting the VMs to the physical L2 segment of interest.
• MidoNet/Neutron API – Alignment with OpenStack Neutron’s API for integration into compatible cloud management software
• NAT – Provides Dynamic NAT, Port masquerading
Cloud Networking Can Be Complicated
[Diagram: Your Existing Infrastructure with a Load Balancer, MidoNet Borders, MidoNet Gateway and the Network state database]
• Then we add the MidoNet Network State Database and MidoNet Border Nodes
• Then we install the MidoNet Agent on all the Hypervisor Nodes
• Overlay needs underlay devices connected over IP
Let’s Spin up two VMs for a Single Tenant
[Diagram: Provider Router -> Tenant Router (Address: 192.168.5.1; Allow incoming tcp/22; NAT 192.168.5.2 <-> 112.140.32.94) -> Tenant Network (Subnet 192.168.5.0/24) with VMs 192.168.5.2 and 192.168.5.3; the MidoNet Gateway, the Network state database and Your Existing Infrastructure are shown alongside]
• MidoNet automatically creates a Provider Router which connects to the External Network
• Each Tenant also gets their own virtual Tenant Router
• Various rules and subnets can be applied to the virtual infrastructure
• Then the tenant can create VMs and Networks, then attach those to the Tenant Router
• All of the virtual topology is stored in MidoNet’s Storage Nodes
MidoNet Packet Walk-through
[Diagram: the same tenant topology (Provider Router; Tenant Router with Address: 192.168.5.1, Allow incoming tcp/22, NAT 192.168.5.2 <-> 112.140.32.94; Tenant Network with Subnet 192.168.5.0/24 and VMs 192.168.5.2 and 192.168.5.3) on top of Your Existing Infrastructure, with the MidoNet Gateway, MidoNet Borders, the Network state database and a GRE Tunnel between the hypervisor nodes]
• First, the outbound packet from VM1 is intercepted by the MidoNet agent on the Hypervisor
• Next, the MidoNet Agent queries the Network state database for the virtual topology
• Then the MidoNet agent simulates the packet moving through the virtual topology and the actions that need to be performed on the packet
• Now MidoNet can create a GRE tunnel between the required nodes, and send the packet on its way
• Finally, the packet is received by the target node and delivered to the VM.
• Subsequent packets follow the already established path, and can travel at near-line-speed.
• The process is similar for packets starting from the Internet... only this time the Border Node queries the Storage Nodes for the virtual topology
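To make the walk-through concrete, here is an added Python model (example code, not MidoNet’s or Midokura’s) of an agent that simulates the first packet of a flow through the slide’s tenant topology (subnet 192.168.5.0/24, tenant router 192.168.5.1 allowing incoming tcp/22, NAT 192.168.5.2 <-> 112.140.32.94), caches the resulting verdict so later packets of the same flow skip the simulation, and handles the inbound case the Border Node would simulate. The node names hv-1, hv-2 and border, the external address 203.0.113.7, the class and function names, the GRE tunnel representation and the flow-cache key are assumptions of this example.

```python
# Added example, not Midokura code: a toy model of the MidoNet packet walk-through.
# Topology values (192.168.5.0/24, router 192.168.5.1, "allow incoming tcp/22",
# "NAT 192.168.5.2 <-> 112.140.32.94") come from the slides. Node names, the
# external address 203.0.113.7 and the tunnel/cache representation are assumptions.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    """Header fields the simulation looks at (a constructed 4-tuple)."""
    src: str
    dst: str
    proto: str
    dport: int


class VirtualTopology:
    """Stand-in for the Network State Database: one tenant, as on the slides."""

    def __init__(self) -> None:
        self.tenant_subnet = ip_network("192.168.5.0/24")
        self.tenant_router_addr = "192.168.5.1"
        # Tenant router rule: which (proto, dport) may enter from outside.
        self.allow_incoming: Set[Tuple[str, int]] = {("tcp", 22)}
        # Static NAT between a VM address and its public address (both directions).
        self.nat: Dict[str, str] = {"192.168.5.2": "112.140.32.94"}
        self.reverse_nat = {pub: priv for priv, pub in self.nat.items()}
        # Which node hosts which VM (hypervisor names are constructed).
        self.vm_host: Dict[str, str] = {"192.168.5.2": "hv-1", "192.168.5.3": "hv-2"}


@dataclass
class Verdict:
    action: str                        # "deliver" or "drop"
    packet: Packet                     # packet after any NAT rewrite
    tunnel: Optional[Tuple[str, str]]  # GRE tunnel (from_node, to_node), or None
    reason: str


class MidoNetAgent:
    """One agent per node: simulate the first packet of a flow, cache the result."""

    def __init__(self, node: str, topology: VirtualTopology) -> None:
        self.node = node
        self.topology = topology
        self.flow_cache: Dict[Packet, Verdict] = {}
        self.simulations = 0  # how many packets needed a full simulation

    def handle(self, pkt: Packet) -> Verdict:
        # Subsequent packets of an established flow reuse the cached path.
        cached = self.flow_cache.get(pkt)
        if cached is not None:
            return cached
        self.simulations += 1
        verdict = self.simulate(pkt)
        self.flow_cache[pkt] = verdict
        return verdict

    def simulate(self, pkt: Packet) -> Verdict:
        """Walk the packet through Tenant Network -> Tenant Router -> Provider Router."""
        topo = self.topology
        src_inside = ip_address(pkt.src) in topo.tenant_subnet
        dst_inside = ip_address(pkt.dst) in topo.tenant_subnet

        if src_inside and dst_inside:
            # East-west traffic stays on the tenant network; a tunnel is needed only
            # when the destination VM lives on another hypervisor.
            dst_node = topo.vm_host.get(pkt.dst)
            if dst_node is None:
                return Verdict("drop", pkt, None, "no VM at destination address")
            tunnel = None if dst_node == self.node else (self.node, dst_node)
            return Verdict("deliver", pkt, tunnel, "L2 forward on tenant network")

        if src_inside:
            # Outbound: the tenant router applies source NAT, the provider router sends it out.
            public = topo.nat.get(pkt.src)
            if public is None:
                return Verdict("drop", pkt, None, "no NAT mapping for source VM")
            rewritten = Packet(public, pkt.dst, pkt.proto, pkt.dport)
            return Verdict("deliver", rewritten, (self.node, "border"),
                           "SNAT at tenant router, out via provider router")

        # Inbound from the Internet: the border node simulates the same topology,
        # reversing the NAT and then checking the tenant router's rule.
        private = topo.reverse_nat.get(pkt.dst)
        if private is None:
            return Verdict("drop", pkt, None, "no NAT mapping for destination")
        if (pkt.proto, pkt.dport) not in topo.allow_incoming:
            return Verdict("drop", pkt, None, "blocked by tenant router rule")
        rewritten = Packet(pkt.src, private, pkt.proto, pkt.dport)
        return Verdict("deliver", rewritten, (self.node, topo.vm_host[private]),
                       "DNAT at tenant router, allowed by rule")


def demo() -> Dict[str, object]:
    """Run the slide's scenarios; returns verdicts keyed by scenario name."""
    topo = VirtualTopology()
    hv1 = MidoNetAgent("hv-1", topo)
    border = MidoNetAgent("border", topo)
    east_west = Packet("192.168.5.2", "192.168.5.3", "tcp", 80)
    results: Dict[str, object] = {
        "vm1_to_vm2_first": hv1.handle(east_west),
        "vm1_to_vm2_again": hv1.handle(east_west),  # served from the flow cache
        "vm1_outbound": hv1.handle(Packet("192.168.5.2", "203.0.113.7", "tcp", 443)),
        "internet_ssh": border.handle(Packet("203.0.113.7", "112.140.32.94", "tcp", 22)),
        "internet_http": border.handle(Packet("203.0.113.7", "112.140.32.94", "tcp", 80)),
    }
    results["simulations_on_hv1"] = hv1.simulations
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Two points worth noticing from a defender’s standpoint: the inbound tcp/80 packet is dropped inside the simulation, before any tunnel is built, because the tenant router’s rule is evaluated by the same agent rather than on a separate network node; and because the cache is keyed on the packet’s header tuple, a rule change in the state database must invalidate the cached flows, which this toy model does not do.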
Use Cases
Value: Do it Bigger, Do it Faster, Do it Better
• Agility – Provide rapid provisioning of isolated network infrastructure for labs and devops: Logical Network Provisioning, Automated Provisioning, Isolated Sandboxes
• Control – Network admins can better secure, control & view network traffic: Single Pane of Glass Ops Tools, Enhanced Security, Enable Compliance
• IaaS Cloud – Build multi-tenant clouds with visibility into usage: Tenant Control, Metering, Automated Self Service
• Performance – Improve network performance using edge overlay & complementary technologies: Single Hop Virtual Networking, VXLAN Hardware Gateway, Massive performance with 40Gb Support
• Scale – Add virtual network infra & services simply & resiliently without hardware & bottlenecks: Distributed Logical Networking (FW, LB, L2/3, NAT), Limitless “VLANs”, Scale-out L3 Gateway, Bridge legacy VLANs, IPv6
• Solution for OpenStack Networking – Use MidoNet (MN) to overcome limitations of Neutron for OpenStack users: Replaces OVS Plugin
MidoNet Advantages
Check out our blog & OSS site: http://blog.midokura.com/ http://www.midonet.org Follow us on Twitter: @midokura @midonet