Enabling Federated Cloud Networking
Giovanni Merlino - University of Messina (Italy)
Sébastien Dupont - CETIC (Belgium)
Giuseppe Tricomi - University of Messina (Italy)
OpenStack Summit 11/05/2017 Boston, USA

Outline
• Intro
• Framework overview
• Networking federation
• Broker (demo)
• Security considerations
• SFC/NFV (Tacker, demo)
• Network visualization (Skydive)
• Wrap up

Problem Definition
Globally operating companies may need to:
• deploy tiers of their applications across different time zones
• diversify their choice of cloud providers, for a number of reasons
Approach: Federated Cloud Networking
[Diagram: a service manifest drives deployment across federated clouds interconnected with OVN over the Internet]
With advanced features such as:
- automated high availability
- location-aware elasticity
- automated service function chaining

Federating Virtual Cloud Networks: benefits
• Virtual Networks
  – Flexibility
  – Security
• Network Federations
  – Managed as an entity, via API and tools
Cloud Federation: types

Loosely Coupled Scenarios
[Diagram labels: AWS-EU, AWS-US]

Interop
[Diagram labels: AWS-EU, AWS-US]

Federated Networking: BEACON Architecture

Networking: federation
BEACON Broker: Scenario
● A Federation Tenant (which we may also call the “borrower”) must already exist to enable a fully “federated” user experience (e.g., orchestration)
● Customers of the federation tenant prefer to deploy their application(s) just by selecting the area(s) where the components should be deployed
Beacon Service Manifest
Custom extensions to the HOT standard:
➢ Geographical placement
➢ Component grouping
➢ Elasticity management

Example manifest (shown in two columns on the slide; reassembled here in reading order):

  federation:
    type: OS::Beacon::ServiceGroupManagement
    properties:
      name: GroupName
      geo_deploy: { get_resource: geoshape_2 }
      groups: { get_resource: [B, A] }
      B:
        type: OS::Nova::Server
        properties:
          name: test
          key_name: { get_param: key_name }
          image: { get_param: cirros }
          networks: [{"fixed_ip": 80.0.0.62, "network": { get_param: private_network } }]
          flavor: m1.tiny
      A:
        type: OS::Nova::Server
        properties:
          name: VM-A
          key_name: { get_param: key_name }
          image: { get_param: image-A }
          flavor: { get_param: flavor }
          networks: [{"fixed_ip": 80.0.0.61, "network": { get_param: private_network } }]
          security_groups: [{ get_resource: server_security_group }]
          user_data: |
            #!/bin/bash
            echo root:vagrant | chpasswd
            sudo apt-get update

  geoshape_2:
    type: OS::Beacon::Georeferenced_deploy
    properties:
      label: shape label
      description: description
      shapes: [{"type":"Feature","id":"BEL","properties":{"name":"Belgium"},"geometry":{"type":"Polygon","coordinates":[[[3.314971,51.345781],[4.047071,51.267259], ... ,[3.314971,51.345781]]]}}]

  elasticity_location_policy:
    type: OS::Beacon::ScalingPolicy
    properties:
      policy_type: SunLight
      geo_deploy: { get_resource: geoshape_2 }
      groupmonitored: { get_resource: federation }
      min_gap: "-8"
BEACON Broker
● Sets the federation process in motion for the networks (invoking the FedSDN services)
● Instantiates resources
● Activates the elasticity manager for the instantiated resources
● Manages geographical placement and deployment

Broker: Geographical Deployment
Starting from a GeoShape, as described in the service manifest:
● a set of clouds is identified
● the clouds’ endpoints are retrieved
● the borrower’s credentials are retrieved

  geoshape_2:
    type: OS::Beacon::Georeferenced_deploy
    properties:
      description: description
      shapes: [{"type":"Feature","id":"BEL","properties":{"name":"Belgium"},"geometry":{"type":"Polygon","coordinates":[[[3.314971,51.345781],[4.047071,51.267259], ... ,[3.314971,51.345781]]]}}]

Broker: demo time
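The cloud-identification step above, as an added example (this is not BEACON Broker code): it takes a geoshape_2-style GeoJSON shape, tests each federated cloud's location against the polygon, and returns the endpoints of the clouds inside it. The Belgium polygon, the cloud catalogue and the endpoint URLs are constructed stand-ins, and the Broker's real endpoint and credential retrieval is assumed to happen after this selection.

```python
# Added example, not BEACON code. Select federated clouds located inside the
# manifest's GeoShape (GeoJSON Polygon) and return their endpoints.

# Constructed stand-in for the slide's truncated Belgium outline: a coarse
# bounding polygon, closed by repeating the first vertex as GeoJSON requires.
BELGIUM_SHAPE = {
    "type": "Feature", "id": "BEL", "properties": {"name": "Belgium"},
    "geometry": {"type": "Polygon", "coordinates": [
        [[2.5, 49.5], [6.4, 49.5], [6.4, 51.5], [2.5, 51.5], [2.5, 49.5]],
    ]},
}

# Constructed federation catalogue: cloud id -> (lon, lat, identity endpoint).
CLOUDS = {
    "cloud-brussels": (4.35, 50.85, "https://brussels.example/identity/v3"),
    "cloud-paris": (2.35, 48.86, "https://paris.example/identity/v3"),
    "cloud-messina": (15.55, 38.19, "https://messina.example/identity/v3"),
}


def point_in_ring(lon, lat, ring):
    """Even-odd ray casting: cast a ray east from (lon, lat), count edge crossings."""
    inside = False
    for i in range(len(ring)):
        x1, y1 = ring[i]
        x2, y2 = ring[(i + 1) % len(ring)]
        if (y1 > lat) != (y2 > lat):  # edge straddles the ray's latitude
            x_cross = x1 + (lat - y1) * (x2 - x1) / (y2 - y1)
            if lon < x_cross:
                inside = not inside
    return inside


def point_in_polygon(lon, lat, polygon):
    """GeoJSON Polygon semantics: inside the outer ring and outside every hole."""
    outer, *holes = polygon["coordinates"]
    return point_in_ring(lon, lat, outer) and not any(
        point_in_ring(lon, lat, hole) for hole in holes)


def clouds_for_shape(shape, catalogue):
    """Return {cloud_id: endpoint} for the clouds located inside the shape.
    Raise ValueError when no federated cloud covers the requested area, so a
    deployment fails loudly instead of being placed silently somewhere else."""
    selected = {cid: endpoint for cid, (lon, lat, endpoint) in catalogue.items()
                if point_in_polygon(lon, lat, shape["geometry"])}
    if not selected:
        raise ValueError(f"no federated cloud inside shape {shape['id']}")
    return selected


if __name__ == "__main__":
    print(clouds_for_shape(BELGIUM_SHAPE, CLOUDS))
```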
Security considerations
• At the local level: limited trust between clouds inside a federation, e.g. Cloud A trusts Cloud B but not Cloud C.
• At the global level: enforce global security policies for the federation, e.g. intrusion detection and remediation on traffic between the federated clouds and the Internet.

Network security tools
• Network Function Virtualisation (NFV): virtualise all the things!
• Service Function Chaining (SFC): design complex security workflows with VNFs (firewall, IDS, monitoring)
SFC/NFV - Anomaly detection
[Diagram: traffic between VM1 and the Internet is chained through a DPI NF and an L7 firewall NF; when the DPI flags an anomaly (FTP), a firewall rule is added to drop traffic from/to VM1, VM1’s security groups are removed and a quarantine security group is applied]

SFC/NFV - Encryption
[Diagram: a federation of Cloud 1 (trusted, VM1), Cloud 2 (trusted, VM2) and Cloud 3 (untrusted, VM3); an En/Decryption NF (VMX, VMY) sits in front of each VM so traffic exchanged across the untrusted cloud is encrypted]
NFV in OpenStack: Tacker project
OpenStack service addressing NFV Orchestration and VNF Manager use cases with a standards-based (TOSCA) architecture

NFV/Tacker: demo time / nDPI

NFV/Tacker: demo time (1)

NFV/Tacker: demo time (2)

NFV/Tacker: demo time (3)

NFV/Tacker: demo time (4)
Network visualization: Skydive
[Diagram: BEACON federated networking architecture: Application Manifest and Service admin feeding a Global Federated Network Manager (federated network policy); per-cloud Cloud Manager, Network Manager and BEACON Net Agent; overlay network and federated datapaths joined by a federation tunnel over the physical network and the Internet]

Skydive Architecture

Skydive WebUI: bird’s-eye view of a BEACON environment

Skydive: single-Cloud view

Skydive: single-node view
BEACON Contributions to Skydive
Real-time traffic stats visualization (overlaid on top of the topology)
• Calculating aggregated traffic (over the federation tunnel) and showing bandwidth consumption on the tunnel
• Visualizing network load
• Showing L2 bandwidth on the topology
• Highlighting (colour) network links, based on thresholds
• Determining bottlenecks in each cloud and on the cloud interconnect
Multi-region network topology visualization
• Enabling definition of multiple separated clouds and their network interfaces
• Grouping each cloud network with all its components in a specific area (for enhanced usability)

Wrapping up: Impact and benefits
• Integration of Network Virtualisation and Software-Defined Networking with Cloud Middleware
• Code originating from research is being published under Open Source licenses
• Some results are already being fed back upstream (OVN, OpenStack and OpenNebula)

BEACON Website
Consortium
Duration: 30 months (02/2015-07/2017)
• 6 countries
• 4 companies
• 2 universities
• 1 research institute

Please help us by answering our brief survey: http://bit.ly/2q3IAqt

Survey: http://bit.ly/2q3IAqt
Giovanni Merlino - gmerlino@unime.it
Sébastien Dupont - sebastien.dupont@cetic.be
Giuseppe Tricomi - gtricomi@unime.it
This work has been supported by the BEACON project, grant agreement number 644048, funded by the European Union’s Horizon 2020 Programme under topic ICT-07-2014.