Building Scalable Multi-Tenant Cloud Networks with OpenFlow and OpenStack
Dave Tucker
Hewlett-Packard
Santa Clara, CA USA
About Me
Dave Tucker
WW Technical Marketing
HP Networking
Twitter: @dave_tucker
What we will cover
Cloud Network Requirements
Cloud Network Design
Which cloud are we talking about?
Enterprise Private Cloud
• Integration with legacy estates
• Support for legacy application & behaviors
• L2 adjacency mechanism to enable P2V migration
• Live workload mobility
Public Cloud
• Accessed over Internet
• Massive scale
  • 10s of thousands of projects
  • 100s of thousands of VMs
• Flexibility – unconstrained by HW innovation cycle
• Extreme cost sensitivity
• Pay-as-you-go use model
Telecom Cloud
• Integration of multi-tenancy into telecom core
• Distributed datacenters
Critical cloud requirements
• Enable Competitive Cost Structure
  • The network should not constrain scale
• Consistent Performance @ Scale
  • Avoid ‘Brown-Outs’ & ‘Luck of the Draw’
  • Performance isolation
  • High performance multi-path fabric
• Secure Multi-Tenancy @ Scale
  • System segregation
  • Enforcement of tenant policies
• Reliable Automation @ Scale
  • Sustain high rate of ‘churn’
• High Availability
  • Tolerate & isolate failures (server, AZ, region)
• Flexibility
  • Avoid vendor lock-in
  • Avoid lock-in to specific HW function
  • Develop and deploy new services independent of HW development cycles
• Hypervisor Agnostic Network Model
  • Consistent security & functional models across multiple hypervisors
  • Fabric Independent L2 Functional Model
Not all apps are created equal
Application Requirements
• Does the app depend on infrastructure for availability?
• Does the app implement multi-tenancy & is it trustworthy?
• What level of infrastructure affinity does the app have?
• What is the app doing to data in flight?
Ultimately, you’ll likely have to support all of these!
• Architectural flexibility to support racks of various network blocking ratios
• Multi-tenancy solution which comprehends both virtual and bare metal
Accomplishing tenant segregation
April 2013
HW-Centric?
• Encapsulate in ToR switch
• Switch to Destination VM
• Switch to Gateway
- Higher acquisition cost
- Multi-Tier automation
- HW Innovation pace
SW-Centric?
• Encapsulate in vSwitch
• Tunnel to Destination VM
• Tunnel to vGW
+ Edge-only automation
+ SW Innovation Pace
- N/S traffic becomes E/W
A SW-centric approach to multi-tenancy within the cloud is not ‘ideal’ but it’s the right answer today.
Performance @ Scale
Deterministic Performance
• Avoid Excessive Oversubscription
– Allow internal environments to scale without incurring cost of scaling expensive core
components
– Controlled oversubscription between fabrics to enable high performance comms & maintain cost
controls
– Low to No oversubscription within the L2 Fabric where most ‘east-west’ comms occur
• Traffic Policing
– Prohibit individual guests from impacting their neighbors through overconsumption of network
resources
Subsume Segregation & Policy Enforcement Into the Hypervisor
• Use existing integrated firewall capability to build a massively scalable distributed firewall
– Avoid highly expensive firewall appliances
– Avoid network choke points associated with network services appliances
• Implement virtual network layer to enforce tenant segregation
– Avoid dependence on infrastructure elements for segregation
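The hypervisor-side segregation model above, as an added example that is not from the deck and not HP VCN code: each guest port is bound to one tenant vNet, the vNet id rides as the tunnel key between compute nodes, and the vSwitch pipeline only delivers to a destination MAC in the same vNet, so nothing in the physical fabric is relied on for tenant isolation. Host names, port names, MACs and vNet ids are constructed.

```python
# Added example, not from the slides: a model of tenant segregation enforced
# in the compute-node vSwitch (the "Encap & PEP" role). Every guest port maps
# to one tenant vNet; the vNet id is carried as the tunnel key between nodes,
# so a guest can only reach MACs inside its own vNet. Host names, port names,
# MACs and vNet ids are constructed for the example.
from dataclasses import dataclass

@dataclass(frozen=True)
class Port:
    name: str   # OVS port name on the compute node
    host: str   # compute node hosting the guest
    vnet: int   # tenant virtual network id, also used as tunnel key
    mac: str

PORTS = [
    Port("tap-a1", "cn1", 100, "fa:16:3e:00:00:01"),  # tenant A on cn1
    Port("tap-b1", "cn1", 200, "fa:16:3e:00:00:02"),  # tenant B on cn1
    Port("tap-a2", "cn2", 100, "fa:16:3e:00:00:03"),  # tenant A on cn2
]

def ovs_flows(host, ports):
    """OpenFlow rules the vSwitch on `host` would install (ovs-ofctl add-flow
    syntax). Table 0 stamps the tenant vNet into metadata (from the local
    port, or from tun_id on tunnel ingress); table 1 only delivers to a
    destination MAC in the same vNet, and everything else is dropped."""
    rules = []
    for p in ports:
        if p.host == host:
            rules.append(f"table=0,in_port={p.name},"
                         f"actions=set_field:{p.vnet}->metadata,resubmit(,1)")
    for h in sorted({p.host for p in ports if p.host != host}):
        rules.append(f"table=0,in_port=tun-{h},"
                     "actions=move:NXM_NX_TUN_ID[]->OXM_OF_METADATA[],resubmit(,1)")
    rules.append("table=0,priority=0,actions=drop")
    for d in ports:
        action = (f"output:{d.name}" if d.host == host
                  else f"set_field:{d.vnet}->tun_id,output:tun-{d.host}")
        rules.append(f"table=1,metadata={d.vnet},dl_dst={d.mac},actions={action}")
    rules.append("table=1,priority=0,actions=drop")   # cross-tenant or unknown
    return rules

def deliver(src, dst_mac, ports):
    """Evaluate the pipeline for a frame from `src`; return the action taken."""
    for d in ports:
        if d.mac == dst_mac and d.vnet == src.vnet:   # same-tenant match only
            if d.host == src.host:
                return f"output:{d.name}"
            return f"tun_id={d.vnet},output:tun-{d.host}"
    return "drop"   # another tenant's MAC is simply not reachable
```

Printing `ovs_flows("cn1", PORTS)` shows the per-node rule set; the table-1 default drop is what makes a neighbour tenant's MAC unreachable even when both guests share a compute node.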
Reliable Automation @ Scale
• OpenFlow provides a means for a network controller to influence the data plane
• The SDN controller provides a broader network abstraction via its Northbound API
• This abstraction is the perfect interface to cloud orchestration tooling
Automating with OpenStack
• OpenStack provides a common provisioning platform for the cloud
• Quantum provides networking functions; intelligence is implemented in plugins
• A simple shim plugin is all that is required to convert the Quantum API to the controller API
Cloud Network Building Blocks
(Diagram: building blocks Client Access Network, DC Core, Compute Networking DC Fabric and Data Center Interconnect, with the concerns Tenant Connectivity, Tenant Security, Carrier Integration & Peering, Intra-DC Compute Zone Integration, DC resiliency, Compute Node Connectivity, Deterministic Performance and Compute Resiliency.)
Multi-Tenancy: HP Virtual Cloud Networks
(Diagram: a traditional switch fabric connects compute nodes, each hosting guests attached to an Open vSwitch that performs encapsulation and policy enforcement (“Encap & PEP”); a network node runs Open vSwitch (Encap & PEP) with a router toward the public VLAN network; a network controller manages the switches; tenants are carried in private encapsulated vNets.)
The End-game is Multi-Layer SDN
SW-Centric (i.e. HP VCN, VMware NVP)
• Encap in vSwitch
• Tunnel to Destination VM
• Tunnel to vGW
HW-Centric (i.e. VLAN, PBB)
• Encap in ToR Switch
• Switch to Destination VM
• Switch to vGW
Multi-Layer SDN
• Traffic Policy Enforced in Fabric
• Cost Effective Topology Flexibility
• Simplified Fabric Automation
• HW Support of Generic UDP Tunneling
What does this enable?
Multi-Layer SDN?
• Avoid ‘tromboning’ through GW VMs or appliances
Traffic Policy Enforced in Fabric?
• Simple & efficient implementation of inline security & load balancing services
Cost Effective Topology Flexibility
• More capable fabrics without excessive cost
Simplified Fabric Automation
• Abstraction of the control plane reduces complexity and risk of multi-tier automation
HW Support of Generic UDP Tunneling
Thank You!
Q&A