Thursday, February 13, 2014

Cloud Hybrid Service (vCHS): Advanced Networking & Security, Chris Colotti

The goal of this presentation is to understand the building blocks of vCHS and the networking requirements for building a Hybrid Cloud. vCHS is available as a Dedicated Cloud, which is physically isolated, or a Virtual Private Cloud, which is logically isolated.

vCHS is built on vSphere and vCenter, vCloud Director (vCD) and vCloud Networking and Security (vCNS) at this time. NSX is not yet part of the infrastructure. As NSX has additional functionality, it is definitely something VMware is looking at closely. When you buy vCHS you get one external network protected by an Edge Gateway (EG). By default a routed network and an isolated network are created for you. VMware Cloud Service Providers running vCD will also have these services and features available.

The Edge Gateway has one interface facing out and 9 internal, so you have 9 possible routable IP spaces. The EG is deployed in HA mode. All networks are segmented based on VXLAN. EGs come out of the provider resource pool, not out of the tenant pool. Typically customers will create a DMZ and an Application network, as well as one for Test and Development.

As part of the EG you can create a VPN connection between the customer datacenter and vCHS. In addition, VMware now offers a dedicated network option. The VPN uses IPsec and allows you to build complex interconnected Cloud architectures. Each connection, however, is a single tunnel. The VPN allows you to run cross-cloud functional services such as Active Directory (AD).

All firewall rules are configured at the gateway. By default all traffic is denied. Right now the vCHS operational team has access to the firewall logs; they are, however, available upon request. VMware is looking at ways to provide direct access to these logs.

You can configure Source NAT and Destination NAT rules on the EG. In addition you can configure Load Balancing by defining Virtual IPs and Server Pools. The load balancing rules allow you to run health checks to monitor things like ports on the servers in the pools.

It is possible to drop 3rd party appliances, such as an F5 virtual appliance, between isolated networks for additional network services. VMware is also providing examples of split designs using common services like SharePoint and Exchange. You cannot replace the external-facing EG with a 3rd party appliance, but you can configure the EG to pass the traffic through to get these scenarios working.

You can use stretched networks to extend a Layer 2 network between the customer datacenter and the cloud. Keep in mind, though, that all network traffic traverses the VPN, as routing is done by the On Premise Network Gateway. One reason to use stretched networks is applications that are tied to MACs or IPs. Also keep in mind that a vApp container can only contain 128 VMs.

To set up a stretched network you need an Edge Gateway on premise and one in the Cloud, each with two active interfaces. A single EG is required per segment you want to stretch, so you cannot use the additional interfaces. This is not recommended for a segment with a large number of VMs due to the amount of traffic going back to the router on premise.

The other option is DirectConnect, which allows you to put in a private line to connect an on premise segment to a Cloud based network. There are actually two versions available: DirectConnect and Cross Connect. If the customer is in an existing datacenter running vCHS, then they can cross connect from their on premise cage to vCHS. DirectConnect is set up when the customer is not in the same datacenter.

These options (VPN, DirectConnect and Cross Connect) allow the customer to pick and choose the best method to connect to vCHS. In vCHS there are 5 different Role Based Access Control levels defined to provide a flexible security policy: Account Administrator, Virtualization Infrastructure Administrator, Network Administrator, Read-only Administrator and Subscription Administrator.
