
HBC2068: vCloud Hybrid Service Networking Technical Deep Dive
Ninad Desai, VMware, Inc.
David Hill, VMware, Inc.
Disclaimer
This presentation may contain product features that are currently under development. This overview of new technology represents no commitment from VMware to deliver these features in any generally available product. Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind. Technical feasibility and market demand will affect final delivery. Pricing and packaging for any new technologies or features discussed or presented have not been determined.
CONFIDENTIAL
VMware vCloud Hybrid Service (now VMware vCloud Air)
What is vCloud Air Network Services built on?
vCloud Air Networking: Built on vCNS, Moving to NSX

Fully integrated vCloud stack:
- vCloud Management and Automation
- vCloud Air Management Console
- vCloud Infrastructure
- vCloud Director with vCloud Connector
- vCloud Networking and Security (vCNS)
- vSphere / vCenter

vCNS is being replaced by NSX-v Manager in the vCloud Air management stack:
- Backward compatible with the current vCNS-based stack
- Existing policies and features stay intact
- Foundation for new networking features

Dedicated Cloud (Customer A): physically isolated servers, storage pool, VPN and network pool.
How do I connect to vCloud Air?
Options to Connect to vCloud Air

From the customer data center to vCloud Air:
- Private WAN / Direct Connect / Cross Connect
- IPsec tunnel over the Internet

Many connectivity choices to support many use cases.
Connecting to vCloud Air

Over the public Internet:
- With public IPs
- Use NAT for address translation
- By default the firewall is set to deny all and NAT is not configured

IPsec VPN:
- vCloud Air features include IPsec VPN
- Multiple VPN tunnels can terminate on the Edge Gateway
- Can connect to most of the major on-prem VPN devices

Direct Connect:
- Dedicated private connection
- Secure and high speed
- Extension to the customer's MPLS or data center cage
Connecting via IPsec VPN

Protocols and ports carried between the two gateways:
- IP Protocol ID 50 (ESP)
- IP Protocol ID 51 (AH)
- UDP Port 500 (IKE)
- UDP Port

Tunnel endpoints shown in the diagram (VPN traffic between the vSphere Edge Gateway and the vCloud Air Edge Gateway; network 10.0.10.0/24, gateway 10.0.10.1):

vSphere Edge Gateway:
- LEP: 10.0.1.150
- Peer ID: 69.194.137.230
- Peer IP: 69.194.137.230

Edge Gateway:
- LEP: 69.194.137.230
- Peer ID: 10.0.1.150
- Peer IP: 68.108.102.47
CONFIDENTIAL
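The two columns above mirror each other: each gateway's Peer ID is the other gateway's local endpoint (LEP), while the vCloud Air side reaches the vSphere gateway at 68.108.102.47 rather than at its LEP 10.0.1.150, which is what a gateway behind NAT looks like. The following is an added example (not code from the deck or from vCloud Air) that checks a pair of site-to-site definitions for that mirroring, flags the side that sits behind NAT, and lists the protocols a firewall in front of either gateway must pass. ESP, AH and UDP 500 come from the slide; UDP 4500 for IKE/ESP NAT traversal is a standard fact (RFC 3947/3948) that the slide's port list does not show. The field names and the IpsecSide type are this example's own.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Tuple


@dataclass(frozen=True)
class IpsecSide:
    """One end of a site-to-site tunnel, using the field names from the slide."""
    name: str
    local_endpoint: str   # LEP: the identity this gateway presents in IKE
    peer_id: str          # the identity it expects the remote gateway to present
    peer_ip: str          # the address it actually sends IKE/ESP traffic to


# Constructed from the two columns of the slide's diagram.
VSPHERE_SIDE = IpsecSide("vSphere Edge Gateway", "10.0.1.150", "69.194.137.230", "69.194.137.230")
VCLOUD_AIR_SIDE = IpsecSide("vCloud Air Edge Gateway", "69.194.137.230", "10.0.1.150", "68.108.102.47")


def mismatches(a: IpsecSide, b: IpsecSide) -> List[str]:
    """Each side's Peer ID must equal the other side's LEP, otherwise IKE authentication fails."""
    problems = []
    for mine, other in ((a, b), (b, a)):
        if mine.peer_id != other.local_endpoint:
            problems.append(
                f"{mine.name} expects peer ID {mine.peer_id} but {other.name} "
                f"presents LEP {other.local_endpoint}")
    return problems


def natted_sides(a: IpsecSide, b: IpsecSide) -> List[str]:
    """Sides whose LEP is private or differs from the address the other side reaches
    them at: they sit behind NAT, so the tunnel needs NAT traversal (NAT-T)."""
    return [mine.name for mine, other in ((a, b), (b, a))
            if mine.local_endpoint != other.peer_ip
            or ip_address(mine.local_endpoint).is_private]


def required_passthrough(a: IpsecSide, b: IpsecSide) -> List[Tuple[str, int]]:
    """Protocols a firewall in front of either gateway must permit for this tunnel.
    ESP/AH/IKE are from the slide; UDP 4500 is NAT-T (RFC 3947/3948), added only when needed."""
    rules = [("ip-proto", 50), ("ip-proto", 51), ("udp", 500)]
    if natted_sides(a, b):
        rules.append(("udp", 4500))
    return rules


if __name__ == "__main__":
    print("mismatches:", mismatches(VSPHERE_SIDE, VCLOUD_AIR_SIDE) or "none")
    print("behind NAT:", natted_sides(VSPHERE_SIDE, VCLOUD_AIR_SIDE))
    print("firewall must allow:", required_passthrough(VSPHERE_SIDE, VCLOUD_AIR_SIDE))
```

Run against the slide's values, the check reports no mismatch, identifies the vSphere Edge Gateway as the NAT-ed side, and therefore adds UDP 4500 to the list; a peer ID typed wrong on either end is reported before anyone has to read IKE negotiation logs.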
What Networking Services do we offer?
vCloud Air: Options and Gateway Choices

Dedicated Cloud:
- Physically separated hosts
- Logically separated network and storage
- 30 GHz CPU, 120 GB RAM, 6 TB
- Segment vDCs based on orgs (VDC1, VDC2, VDC3, VDC4)
- Multiple Edge Gateways

Shared Cloud:
- Logically separated network, compute and storage
- 5 GHz CPU (burstable to 10 GHz), 20 GB RAM, 2 TB storage
- No vDC segmentation
- One Edge Gateway
CONFIDENTIAL
vCloud Air Basic Networking Constructs
- External Network (managed by VMware), facing the Internet
- Edge Gateway, providing NAT, firewall, load balancer, IPsec, DHCP and static routing
- Routed/Gateway Networks in the customer's vDC (up to 9 networks)
- Isolated Network
Configuration Access Options
- vCloud Air Management Web Portal: for basic networking configurations
- vCloud Director management portal: for advanced networking configurations
CONFIDENTIAL
Can I bring my private IP space along?
Yes! Via Network Address Translation (NAT)

- Source NAT and Destination NAT rules; supports multiple rules on multiple interfaces
- Can use internal/private IP space:
  - Bring your own internal IP space
  - Create/manage subnets within the IP space
  - Multiple IP spaces under the same gateway
- Need to create firewall rules to allow the traffic
- IPv4 NAT

Diagram: public IPs on the outside of the Edge Gateway; internal IPs (10.x.x.x) on Organization Net 1, Organization Net 2 and Organization Net 3; gateway NAT rules are SNAT and DNAT rules.
But... can I stretch my Layer 2 network on to vCloud Air?
vCloud Connector Data Center L2
Diagram labels: Default Gateway; VPN Traffic.
CONFIDENTIAL
Layer 2 Extensions: Updated with NSX
Diagram labels: L3 Network, VPN, Direct Connect; vCloud Air; Client; SSL Client; vNIC; Trunk VLAN 10-11; VLAN 10; VLAN 11; Site A: Non-NSX VLAN Backed Network.
Okay. So I have a typical multi-tier app (LAMP/WAMP stack). Can I bring it to vCloud Air?
Firewall for Multi-Tier Applications

Firewall:
- 5-tuple firewall policies: protocol, source/destination IP, source/destination port
- Stateful firewall
- FIPS 140-2 crypto
- Common Criteria EAL 4

Load Balancing:
- VIP and pool servers
- Health check

Diagram: Internet -> VIP 66.44.4.1 on the Edge Gateway -> load-balanced server pool with web tier, app tier and DB tier.
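To make the 5-tuple, stateful and default-deny behaviour concrete for the three-tier layout above, here is an added example (not the deck's or vCloud Air's code) of an edge that translates the slide's VIP 66.44.4.1 to a web server, evaluates 5-tuple rules in order, admits reply traffic of sessions an allow rule created, and denies everything else. It also illustrates the DNAT rule from the NAT slide. The tier subnets (192.168.10.0/24 web, 192.168.20.0/24 app, 192.168.30.0/24 DB), the web server 192.168.10.11, the client 203.0.113.10 and the assumption that DNAT is applied before policy lookup are all this example's own; check your edge's documented processing order before copying the rule shape.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set, Tuple, Union

Port = Union[int, str]   # a port number or "any"


@dataclass(frozen=True)
class Flow:
    """The 5-tuple the slide names: protocol, source/destination IP, source/destination port."""
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def reverse(self) -> "Flow":
        return Flow(self.proto, self.dst_ip, self.dst_port, self.src_ip, self.src_port)


@dataclass(frozen=True)
class Rule:
    action: str               # "allow" or "deny"
    proto: str = "any"
    src: str = "any"          # CIDR or "any"
    dst: str = "any"
    src_port: Port = "any"
    dst_port: Port = "any"

    def matches(self, f: Flow) -> bool:
        return (self.proto in ("any", f.proto)
                and _in_net(self.src, f.src_ip) and _in_net(self.dst, f.dst_ip)
                and self.src_port in ("any", f.src_port)
                and self.dst_port in ("any", f.dst_port))


def _in_net(cidr: str, ip: str) -> bool:
    return cidr == "any" or ip_address(ip) in ip_network(cidr, strict=False)


class EdgeGateway:
    """Stateful 5-tuple firewall with a DNAT table in front of it and an implicit deny."""

    def __init__(self, rules: List[Rule], dnat: Dict[Tuple[str, int], Tuple[str, int]]):
        self.rules = list(rules)
        self.dnat = dict(dnat)                 # (public ip, port) -> (internal ip, port)
        self.sessions: Set[Flow] = set()       # flows an allow rule admitted

    def apply_dnat(self, f: Flow) -> Flow:
        target = self.dnat.get((f.dst_ip, f.dst_port))
        if target is None:
            return f
        return Flow(f.proto, f.src_ip, f.src_port, target[0], target[1])

    def handle(self, f: Flow) -> str:
        f = self.apply_dnat(f)     # assumption: translation happens before policy lookup
        if f.reverse() in self.sessions:   # reply of an admitted session needs no rule
            return "allow (established)"
        for rule in self.rules:            # first match wins
            if rule.matches(f):
                if rule.action == "allow":
                    self.sessions.add(f)
                return rule.action
        return "deny (default)"            # the slide's default: deny all


# Constructed tier subnets and policy; only the VIP 66.44.4.1 comes from the slide.
WEB, APP, DB = "192.168.10.0/24", "192.168.20.0/24", "192.168.30.0/24"
RULES = [
    Rule("allow", "tcp", dst=WEB, dst_port=443),              # Internet (via VIP) -> web tier
    Rule("allow", "tcp", src=WEB, dst=APP, dst_port=8080),    # web -> app
    Rule("allow", "tcp", src=APP, dst=DB, dst_port=3306),     # app -> DB
]
DNAT = {("66.44.4.1", 443): ("192.168.10.11", 443)}           # VIP -> constructed web server


def run_scenarios() -> Dict[str, str]:
    """Push constructed flows through the edge in order and collect each verdict."""
    edge = EdgeGateway(RULES, DNAT)
    return {
        "internet->vip:443": edge.handle(Flow("tcp", "203.0.113.10", 40000, "66.44.4.1", 443)),
        "web->app:8080": edge.handle(Flow("tcp", "192.168.10.11", 51000, "192.168.20.21", 8080)),
        "app->db:3306": edge.handle(Flow("tcp", "192.168.20.21", 52000, "192.168.30.31", 3306)),
        "internet->db:3306": edge.handle(Flow("tcp", "203.0.113.10", 40001, "192.168.30.31", 3306)),
        "web->db:3306": edge.handle(Flow("tcp", "192.168.10.11", 51001, "192.168.30.31", 3306)),
        "db->app reply": edge.handle(Flow("tcp", "192.168.30.31", 3306, "192.168.20.21", 52000)),
        "web->client reply": edge.handle(Flow("tcp", "192.168.10.11", 443, "203.0.113.10", 40000)),
        "db->app new connection": edge.handle(Flow("tcp", "192.168.30.31", 3306, "192.168.20.21", 60000)),
    }


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:26} {verdict}")
```

The last two scenarios are the point of statefulness: the DB server's reply to a connection the app tier opened is admitted because the forward flow is in the session table, but a fresh connection the DB server initiates towards the app tier hits no allow rule and falls through to the default deny, so a compromised back-end host cannot reach forward into other tiers just because those tiers may reach it.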
Direct Connect Use Cases
Direct Connect: Use Cases
- Can I have a private connection to vCloud Air?
- Can vCloud Air be part of my MPLS connection?
- Can I cross connect in to vCloud Air?
- Can I extend my layer 2 network on to this direct connect interface?
vCloud Air Direct Connect
- Cross connect use case: customer co-lo cage (data center owner operated/managed) connected to the vCloud Air connection point (vCloud Air managed)
- WAN connectivity use case: customer data center connected over an NSP connection (MPLS, E-Line etc.) to the vCloud Air connection point (vCloud Air managed)
Direct Connect with vCloud Air
Diagram labels: MPLS (from NSP); MDF/MMR; NSP termination point (10.2.2.x/24); vCloud Air connection point; untagged Layer 2 connection (1G, ...); Edge Gateway; vCloud Air Private Network (192.168.50.0/24); Headquarters with Private Network (192.168.50.0/24) and DMZ Network (192.168.52.0/24); Branch office with Private Network (192.168.100.x/24).

The following slide repeats the same diagram with the branch office private network shown as 192.168.50.x/24.
Direct Connect: Using Existing Security
Diagram labels: Internet; 1 Gbps / 10 Gbps Direct Connect traffic; Direct Connect private line; Private Network (192.168.50.0/24); existing security policies and appliances; Private Network (192.168.110.0/24); DMZ Network (192.168.52.0/24).
CONFIDENTIAL
Cross Connect
Diagram labels: Direct Connect line; customer cage; 1 or 10 Gbps Direct Connect traffic; Edge Gateway; Private Network (192.168.110.0/24); Private Network (192.168.50.0/24); DMZ Network (192.168.52.0/24).
CONFIDENTIAL
Direct Connect: Extended Layer 2
Diagram labels: Internet; Direct Connect private line; 10.1.1.x/24; IGW; IDS; IPS; existing security policies and appliances; 10.1.1.x/24; co-lo cage.
CONFIDENTIAL
How about global availability of applications?
Global Load Balancing: Dyn Example
Diagram labels: Dyn Traffic Director load balancing Internet traffic across two sites, Virtual Private Cloud (West) and Dedicated Cloud (East), each with an Edge Gateway and a vCNS load balancer; vCNS Virtual Servers 192.240.153.11 and 74.204.180.41; vCNS Pool B; vCNS pool servers 192.168.205.11 and 192.168.205.12, and .11 and .12 at the other site.
CONFIDENTIAL
Advanced Networking: Hybrid Horizon View Logical Architecture
Diagram labels: view.vmtm.org; IPsec VPN (66.45.200.37); PCoIP and ... .139; 192.168.20.0/24 Public-NET; DT02; 192.168.1.0/24 Corp-NET; ViewCS .5; AD01 .41; ViewSS .5; AD02 .42; WDC (On Premises); vCloud Air Las Vegas (IaaS).
vCloud Air and F5: Global Load Balancing
Diagram labels: Internet; Edge Gateway; DNAT Any:Any; Firewall; .../24 BIP (Internal-NET); AD05; AD06; 10.0.10.0/24.
...And what about network security: IPS/IDS?
Trend Micro Based IPS/IDS
Diagram labels: Deep Security Manager and Relay; Edge Gateway; Deep Security Database; Deep Security Manager; Management; Protected ...; Protection Modules.
CONFIDENTIAL
vCloud Air: Security Solution via Trend Micro
CONFIDENTIAL
Choice of Networking Services (Applications, Virtual ...)
CONFIDENTIAL
vCloud Air Recovery Service
"No. No the world was destroyed this is a backup"
Recovery as a Service: Networking
- How do I maintain the same network configs?
- Do I need to re-do the network configs?
- Do I need to 'stretch' my network?
- How can I maintain my IP settings on VMs?
Disaster Recovery: Networking
- Pre-create networks on the DR cloud with the same private IP space, name and relevant properties
- When VMs are replicated, the IPs of the VMs are retained
- When a disaster occurs and the VMs on the DR side turn on, simply connect the VMs to ...

Diagram labels: 192.168.20.0/24 Public-NET; DT02; 192.168.1.0/24 Corp-NET with ViewCS .5 and AD01 .41 at WDC (On Premises); 192.168.1.0/24 Corp-NET with ViewSS .5 and AD02 .42 in the DR vDC.
VMware vCloud Air: Virtual Private Cloud OnDemand
Interested in participating in the vCloud Air OnDemand Beta Program? The product team from vCloud Air is now accepting candidates interested in participating in the Fall 2014 beta program. Visit vmware.com/go/ondemand to sign up.
VMware vCloud Air 5 Starting Points Program, VMworld 2014
Learn the fundamentals of vCloud Air by attending any or all of our 5 Starting Point breakout sessions within the Hybrid Cloud Track. Attend any of these breakout sessions and earn a free vCloud Air "Dilbert" t-shirt.

Starting Point | Session ID | Topic
Dev/Test | HBC2577 | Hybrid Sandboxing: Create the Ultimate On and Off Premises Test/Dev Factory
Extend Existing Applications | HBC2066 | Architect the Hybrid Cloud for Exchange and Lync
Disaster Recovery | HBC1534 | Recovery as a Service (RaaS) with vCloud Hybrid Service
Modernize Enterprise Applications | HBC2609 | Smells Like Team Spirit: Achieve Hybrid Operations Nirvana with vCloud Hybrid Service
Create Next Generation Applications | HBC1917 | Build Your First Mobile Application in the Cloud in 60 Minutes
Hybrid Cloud Hands On Labs
Check out the expert-led and self-paced vCloud Air Hands on Labs. Learn the fundamentals of vCloud Air by attending any or all of our 5 Starting Point breakout sessions within the Hybrid Cloud Track as well as our Hands on Labs. Try any of these HOLs and earn a free vCloud Air "Dilbert" t-shirt.

Type | Session ID | Title
HOL: Expert-Led Workshop | ELW-HBD-1481 | Hybrid Cloud Jumpstart Workshop
HOL: Expert-Led Workshop | ELW-HBD-1484 | Disaster Recovery to the Cloud Workshop
HOL: Self Paced Lab | SPL-HBD-1481 | vCloud Hybrid Service - Jump Start for vSphere Admins
HOL: Self Paced Lab | SPL-HBD-1482 | vCloud Hybrid Service - Networking & Security
HOL: Self Paced Lab | SPL-HBD-1483 | vCloud Hybrid Service - Manage Your Cloud
CONFIDENTIAL
Hybrid Cloud Theater Schedule: VMware Booth (Solutions Exchange)
In addition to the breakout sessions within the Hybrid Cloud track, check out our theater schedule for the week from the VMware booth at the Solutions Exchange.

- Sunday 5:00pm: What is this Hybrid Cloud Thing Anyway?
- Monday 12:15pm: Getting Started with Hybrid Cloud - 5 Use Cases
- Monday 1:30pm: vCloud Air OnDemand
- Monday 3:45pm: What is this Hybrid Cloud Thing, Anyway?
- Monday 5:30pm: Hybrid Cloud DevOps: How to Keep Your Devs from Running Wild
- Tuesday 12:15pm: Project NEE - Delivering Hands-on Education at Cloud Scale
- Tuesday 1:00pm: vCloud Air Network
- Tuesday 2:45pm: Disaster Recovery with vCloud Air
- Tuesday 4:00pm: Getting Started with Hybrid Cloud - 5 Use Cases
- Tuesday 5:30pm: Hybrid Management on vCloud Air
- Wednesday 10:15am: vCloud Air OnDemand
- Wednesday 12:45pm: The Internet of Things: Virtual Machines, vCloud Air, vCenter Operations and the Intel IoT Gateway
- Wednesday 2:15pm: Disaster Recovery with vCloud Air
- Wednesday 3:30pm: Another Day in Paradise... Going Full Hybrid with vCloud Air
- Wednesday 4:30pm: RAD in the Hybrid Cloud
Thank You
Fill out a survey. Every completed survey is entered into a drawing for a 25 VMware company store gift certificate.