VMworld 2013: vCloud Hybrid Service Jump Start Part Three of Five: vCloud Hybrid Service: Advanced Networking and Security

Upload: vmworld

Post on 10-Jun-2015

Category: Technology

DESCRIPTION

VMworld 2013 Ninad Desai, VMware Greg Herzog, VMware Jon Kim, Force 3 Gregory Stemberger, Force 3 Learn more about VMworld and register at http://www.vmworld.com/index.jspa?src=socmed-vmworld-slideshare

TRANSCRIPT

Page 1: VMworld 2013: vCloud Hybrid Service Jump Start Part Three of Five: vCloud Hybrid Service: Advanced Networking and Security

vCloud Hybrid Service Jump Start Part Three of Five:

vCloud Hybrid Service:

Advanced Networking and Security

Ninad Desai, VMware

Greg Herzog, VMware

Jon Kim, Force 3

Gregory Stemberger, Force 3

PHC5488

#PHC5488

Page 2

What’s in It for You?

You will leave with:

An understanding of the vCloud Hybrid Service networking building blocks

A strong networking foundation for building a complex Hybrid Cloud

An understanding of advanced networking use cases and security

Page 3

Agenda

vCloud Hybrid Service Introduction

• Basic Stack and Constructs

Networking

• Key Components

• Network Virtualization

• Edge Gateway

• Services Overview

Advanced Use Cases

• Complex Networking

• Sharepoint Networking

• Datacenter Extension

Security

• Application Firewall

• Application Security

Page 4

vCloud Hybrid Service Networking is Easy and Powerful

Key Takeaways

• Building blocks you are used to – vSphere, VXLAN, vCNS, vCD

• Flexible and Powerful

• Supports all your most complex networking

• IPSEC VPN

• Stretched Applications

• Layer 2 Extension - BYOIP

• Advanced application security

Page 5

vCloud Hybrid Service: Any Mixture Of Two Flavors

Dedicated Cloud

• Your own private cloud instance

• Physically isolated

• Minimum size: 120GB vRAM, 30GHz vCPU

• Starts at: 6 TB

• 50 Mbps allocated, 1 Gbps burstable, 3 Public IPs

Virtual Private Cloud

• Logically isolated

• Guaranteed resource allocation

• Minimum size: 20GB vRAM, 5GHz vCPU (burst to 10GHz)

• Starts at: 2 TB

• 10 Mbps allocated, 50 Mbps burstable, 2 Public IPs

Page 6

Dedicated vCloud Stack per Dedicated Cloud

Fully Integrated vCloud Stack

• vCloud Management and Automation – vCloud Hybrid Service Management Console

• vCloud Infrastructure – vCloud Networking and Security, vCloud Director with vCloud Connector, vSphere / vCenter

Customer A – Dedicated Cloud: Physically Isolated Servers, Storage pool, VPN and Network pool

Page 7

Hybrid Service Basic Networking Constructs

Organization Network (isolated)

Organization Network (Customer Controlled)

Page 8

Network Virtualization in vCloud Hybrid Service

Diagram: vCloud Hybrid Service Networking & Security stack – vSphere, VXLAN, Integrated Management Console

Edge Gateway

Secures the edge of the virtual datacenter and delivers network services:

• Firewall

• NAT

• Load Balancer

• Site-to-Site IPSec VPN

• Active/Standby High Availability

• Stateful Session Failover

VXLAN

Foundation for elastic, portable virtual datacenters. Encapsulation allows:

• Isolation between Organization Networks

• Bring-your-own private IPv4 layer 3 address space

vCloud Hybrid Service Networking

• Nine routable IP spaces

• Intuitive design replicates traditional networks

• Customizable to support production applications

Diagram: VDC 1, VDC 2

Page 9

Available Services

Firewall – Basic Session

NAT – Basic Session

DHCP – Basic Session

Load Balancer

VPN

Page 10

Edge Gateway Services – Load Balancing

Pool Servers – Load Balanced

- Round Robin

- IP Hash

- URI

- Least Connected

Virtual Server

- Virtual IP (Public IP)

- Front end traffic

- Assigned to a server pool

Can have multiple virtual servers and pools

Diagram: Edge gateway with Load balancer

Page 11

Load Balancer – Pool Servers

Pool Servers

• HTTP/HTTPS/TCP

• Load Balancing Methods

• IP Hash

• Round Robin

• URI

• Least Connected

• Health Check

• Each with +TCP as mode

• Monitoring Ports

• Add Servers

• Ratio Weight

• Change Ports/Services per Server

Page 12

Load Balancer – Virtual Servers

Virtual Servers

• Apply on outside network

• Server Pool

• Persistence Method

• HTTP – Cookie

• HTTPS – Session ID

Page 13

IPSEC VPN Overview

vCNS 5.1 Edge/vCloud Hybrid Service features include IPSEC VPN

• Definition: Internet Protocol Security (IPsec) is a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session

• Create a secured tunnel using the IPSEC VPN service from one physical/virtual datacenter to another

IPSEC is a framework of open standards

“Protect the series of internet tubes with VPN!”

Page 14

VPN Architecture Diagram

vSphere (On-Premise)

• Sharepoint-Routed Network (10.0.10.0/24) – 10.0.10.1

• vSphere Edge Gateway – 10.0.1.150 (LEP – 10.0.1.150, Peer ID – 69.194.137.230, Peer IP – 69.194.137.230)

• External Router – 10.0.1.1 / 68.108.102.47

vCloud Hybrid Service

• Sharepoint-Default Routed Network (192.168.109/24) – 192.168.109.1

• vCHS Edge Gateway – 69.194.137.230 (LEP – 69.194.137.230, Peer ID – 10.0.1.150, Peer IP – 68.108.102.47)

The diagram also shows Virtual Machine 1 and Virtual Machine 2.

VPN Traffic between the two Edge Gateways:

• IP Protocol ID 50 (ESP)

• IP Protocol ID 51 (AH)

• UDP Port 500 (IKE)

• UDP Port 4500

Page 15

Hybrid Service is Just Another Site – Networking & Security

The Same Networking Topology – Full network virtualization at layer 2 and layer 3; Layer 2 Extensions

The Same Security Policies – Integrated L4-7 services for Firewall/NAT, IPSec VPN, Load Balancers, VXLAN gateways

Diagram: Your Data Center (Primary, Regional Office, Regional Office) connected to vCloud Hybrid Service (US East Region, US West Region)

Page 16

Advanced Use Cases

Complex Networking

Stretched Application Networking Example

• Sharepoint

Datacenter Extension

• Keep your same IP and MAC address

Force 3 Use Case

Page 17

Complex Networking

Flexible and Powerful

Can replicate existing complex topology

Same constructs you are used to

Don’t have to figure it out – weird mappings etc.

• Problem translating standard enterprise networking to new models

• Virtual Gateways, Security Groups, Elastic IPs

10 interfaces and additional Gateways if necessary

Supports existing virtual appliances

Page 18

vCloud Hybrid Service Advanced Networking

Edge Gateway

• 10 Total Interfaces

• 9 For Customer Use

• Static Routes between Zones

3rd Party Appliance

• Customer Supplied

• F5, RSA, Cisco

Diagram: Web Servers, App Servers, DB Servers, Log Servers and an RSA appliance as VMs across Organization Network (DMZ), Org Net 1, Organization Network (App), Organization Network (Test/Dev) and Organization Network (Isolated)

Page 19

Sharepoint Networking

Stretched Application

Uses Layer 3 Tunnel – IPSEC

Data stays on premise

Load Balancing and additional demand is in the cloud

Internet access in cloud for scalability

No holes in firewall – no direct access to internet traffic

Page 20

VPN Architecture Diagram

vSphere (On-Premise) – Local Sharepoint Application

• Sharepoint-Routed Network (10.0.10.0/24) – 10.0.10.1

• vSphere Edge Gateway – 10.0.1.150 (LEP – 10.0.1.150, Peer ID – 69.194.137.230, Peer IP – 69.194.137.230)

• External Router – 10.0.1.1 / 68.108.102.47

vCloud Hybrid Service – Remote Sharepoint Application

• Sharepoint-Default Routed Network (192.168.109/24) – 192.168.109.1

• vCHS Edge Gateway – 69.194.137.230 (LEP – 69.194.137.230, Peer ID – 10.0.1.150, Peer IP – 68.108.102.47)

VMs in the diagram: Sharepoint VM, SQL VM, two Domain Controller VMs, Virtual Machine 2

Traffic flows shown: VPN Traffic, Internet Traffic

VPN Traffic between the two Edge Gateways:

• IP Protocol ID 50 (ESP)

• IP Protocol ID 51 (AH)

• UDP Port 500 (IKE)

• UDP Port 4500

Page 21

When Would You Use Stretch Deployed Networks? DCE

Application Dependency on IP Address

Application Dependency on MAC Address

• Licensing requirement

External Application Interdependencies

• Hard Coded IP Addresses

• Lack of DNS usage

Existing Security Rules

• Switch ACLs

• Existing Firewalls

Page 22

DCE Logical Architecture (vSphere Private Cloud)

Page 23

Stretched Network Considerations

Stretched virtual machines use On Premise Network Gateway

• All Network traffic traverses VPN

Active Directory Sites and Services

• “Stretched” network is part of On Premise Site in AD

• DNS/AD calls for vCloud servers will traverse VPN

• Cannot split a network between sites

vApp Limitations

• 128 Virtual machines per vApp

• Single vApp container with power operations

Page 24

Stretch Deploy (DCE) Architecture Diagram

vCloud Director (On-Premise) – Local Application

• vShield Edge – Sharepoint-Routed Network (10.0.10.0/24) – 10.0.10.1

• vSphere Edge Gateway – 10.0.1.150

• External Router – 10.0.1.1 / 68.108.102.47

vCloud Hybrid Service – Remote Application

• vCHS Edge Gateway – 69.194.137.230

• Sharepoint-Default Routed Network (192.168.109/24) – 192.168.109.1

• vShield Edge – Stretch-Routed vAPP Network (192.168.2.0/24)

Stretched VMs Stretch1 and Stretch2: 10.0.10.6 and 10.0.10.7 on the Sharepoint-Routed Network, 192.168.2.101 and 192.168.2.102 on the Stretch-Routed vAPP Network (192.168.2.0/24), which appears on both sides of the diagram

SSLVPN Traffic between the vShield Edges – Port 443

Page 25

Force 3 Use Case

Jon S. Kim, Security Practice Director, Force 3

Gregory Stemberger, Principal Network Security Architect, Force 3

Page 26

Case Study – Force 3, Inc.

Building Upon vCloud Hybrid Networking Model

Privatization of the Public Cloud

Enabling Advanced and Networking Functions

Cloud Becomes a Virtual Extension of the Enterprise

www.force3.com

Page 27

Case Study Architecture – Force 3, Inc.

Page 28

Advanced Security

Application Security

• Infrastructure

• Firewall

• User access

Page 29

Application Security – Infrastructure Best Practices

Application segmentation

• Use dedicated cloud

• Segmented compute

• Segmented Network NIC

• Separate VDCs per use case (VDC 1, VDC 2, VDC 3; e.g. SharePoint Web application, Dev / Test)

• Separate connectivity per use case

• Direct connect

• IPsec

Diagram: Internet, Direct Connect and IPSec VPN into a Dedicated cloud

Page 30

Firewall for Three Tier Applications

Diagram: Edge Gateway - Firewall with NAT/LB in front of a VDC containing Web tier, App tier and DB

Allow lists shown in the diagram, in order:

• Allow: HTTP, HTTPS, SSH, Mgmt

• Allow: HTTP, HTTPS, App-access

• Allow: App-access, SSH, Mgmt (HTTPS)

• Allow: SQL, Mgmt

• Allow: SQL, SSH

• Allow: App tier, SSH, Mgmt (HTTPS)
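To make the VPN diagram and the three-tier firewall slide concrete, here is an added example (not VMware's or the presenters' code) that models the Edge Gateway firewall as a first-match rule list with an implicit default deny: the IPsec rules use the LEP and peer IP from the VPN diagram and its ESP/AH/UDP 500/4500 list, and the audit checks the tier segmentation (the web tier and the Internet must never reach the DB directly). The tier subnets, the app-access port 8080 and the SQL port 1433 are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass(frozen=True)
class Rule:
    src: str             # source CIDR/host, or "any"
    dst: str             # destination CIDR/host, or "any"
    proto: str           # "tcp", "udp", "esp" (IP proto 50), "ah" (IP proto 51)
    port: Optional[int]  # destination port; None for protocols without ports
    action: str          # "allow" or "deny"

def _matches(net: str, addr: str) -> bool:
    return net == "any" or ip_address(addr) in ip_network(net, strict=False)

def decide(rules: List[Rule], src: str, dst: str, proto: str,
           port: Optional[int] = None) -> str:
    """First matching rule wins; an unmatched packet is denied (default deny)."""
    for r in rules:
        if (_matches(r.src, src) and _matches(r.dst, dst)
                and r.proto == proto and (r.port is None or r.port == port)):
            return r.action
    return "deny"

# Constructed rule set: LEP 69.194.137.230 and peer IP 68.108.102.47 come from
# the deck's VPN diagram, as do the four IPsec protocol/port rules. The tier
# subnets and the app-access/SQL port numbers are assumptions for illustration.
PEER, LEP = "68.108.102.47", "69.194.137.230"
WEB, APP, DB = "10.10.1.0/24", "10.10.2.0/24", "10.10.3.0/24"
RULES = [
    Rule(PEER, LEP, "udp", 500, "allow"),    # IKE
    Rule(PEER, LEP, "udp", 4500, "allow"),   # IKE/ESP over UDP (NAT traversal)
    Rule(PEER, LEP, "esp", None, "allow"),   # IP protocol 50
    Rule(PEER, LEP, "ah", None, "allow"),    # IP protocol 51
    Rule("any", WEB, "tcp", 443, "allow"),   # HTTPS to the web tier via NAT/LB
    Rule(WEB, APP, "tcp", 8080, "allow"),    # app-access, port assumed
    Rule(APP, DB, "tcp", 1433, "allow"),     # SQL, port assumed
]

def audit(rules: List[Rule]) -> List[str]:
    """Return the names of paths the three-tier policy requires to stay closed."""
    must_be_denied = {
        "web->db sql": decide(rules, "10.10.1.5", "10.10.3.5", "tcp", 1433),
        "internet->db sql": decide(rules, "198.51.100.9", "10.10.3.5", "tcp", 1433),
        "internet->app": decide(rules, "198.51.100.9", "10.10.2.5", "tcp", 8080),
        "peer->lep ssh": decide(rules, PEER, LEP, "tcp", 22),
    }
    return [name for name, verdict in must_be_denied.items() if verdict == "allow"]
```

An empty list from audit() means the rule set keeps every forbidden path closed; any name returned is a rule that opened a path the three-tier model does not permit.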

Page 31

Configuring Firewall Rules

Page 32

Application Security – Access Rights

Administration rights

• Clearly identify individuals, and rights that the individuals get

• An enterprise admin can have more than one type of right

• Rights help enforce secure cloud usage

User rights

• End user rights for VM owners

• End user cannot do any admin activity

• Users have limited visibility to cloud resources

Page 33

vCloud Hybrid Service Networking is Easy and Powerful

You will leave with:

An understanding of the vCloud Hybrid Service networking building blocks

A strong networking foundation for building a complex Hybrid Cloud

An understanding of advanced networking use cases and security

Key Takeaways

• Building blocks you are used to – vSphere, VXLAN, vCNS, vCD

• Flexible and Powerful

• Supports all your complex networking

• IPSEC VPN

• Stretched Applications

• Layer 2 Extension - BYOIP

• Advanced application security

Page 34

Call to Action/Resources

Keep up with the latest on vCloud Hybrid Service

• Facebook - https://www.facebook.com/vmwarevcloud

• Blog - http://blogs.vmware.com/vcloud/

• Twitter - @vcloud


Call to Action

Get more information about the service: http://vcloud.vmware.com

Hands on Labs

HOL HBD 1301 vCloud Hybrid Service – Jumpstart for vSphere Admins

HOL HBD 1302 vCloud Hybrid Service – Networking and Security

HOL HBD 1303 vCloud Hybrid Service – Manage Your Cloud

Breakout Sessions – PHCxxxx

vCloud Hybrid Service Jumpstart Series

PHC1001-Group Discussion- vCHS Networking with Greg Herzog


Page 35

Q & A

Page 36

THANK YOU
