Transcript Organization Networks

CIM1600
VMware vCloud Networking
Finally Explained
Name, Title, Company
Disclaimer
 This session may contain product features that are
currently under development.
 This session/overview of the new technology represents
no commitment from VMware to deliver these features in
any generally available product.
 Features are subject to change, and must not be included in
contracts, purchase orders, or sales agreements of any kind.
 Technical feasibility and market demand will affect final delivery.
 Pricing and packaging for any new technologies or features
discussed or presented have not been determined.
2
Agenda








3
Networking Overview
External Network
Organization Network
vApp Network
Network Pools
What’s New in vCloud Director 1.5
Example Use Cases
Q&A
Networking Overview
 Layers of Networking
• External Network
• Organization Network
• vApp Network
 The three layers are managed either by:
• Provider: External and Organization Networks
• Consumer: vApp Networks
4
External Network: Overview




Created at the vSphere level as a port group on a vSS or vDS
Port group is mapped to a vCloud Director external network
Mapping is on a one to one basis
Use cases
• Internet access
• Provider supplied network endpoints
• IP based storage
• Backup servers
• Access to physical managed services
• Backhauled networking to a customer datacenter
• VPN access to a private cloud
• MPLS termination
*vSS = VMware Standard Switch
*vDS = VMware Distributed Switch (or equivalent such as Nexus 1000V)
5
External Networks: In vSphere




6
Dedicate vDS for statically mapped networks i.e. “Provider vDS”
Avoid vSS unless using scripting to duplicate port groups to hosts
Use unique VLANs per port group to avoid broadcast overlap
Below is an example of VLAN isolated External Networks:
External Networks: In VMware vCloud Director
 In VMware vCloud Director, create an external network by mapping
it to a portgroup
 Portgroups are associated with vCenter servers so care should be
taken in naming
 Use meaningful names for Portgroups such as
Organization_Purpose
7
Organization Networks: Overview
 Contained within an organization
 Allows vApps within the organization to communicate with each
other or external endpoints
 Can be connected to external networks as:
• Public (External Org Direct)
• Bridged connection to an external network
• Others outside the organization can see
• Private Routed (External Org NAT-Routed)
• Connected to an External Network through a vShield Edge
• Can be configured for NAT & Firewall
 …or left unconnected to external
• Private Internal (Internal Org)
• No External connectivity
 Backed by Network Pools
8
Organization Networks: In VMware vCloud Director
 Creating NAT-Routed and Isolated Org Networks:
• Select the type of Org Network to create using the typical radio button and
dropdown box
9
Organization Networks: In VMware vCloud Director
 Creating Isolated Organization Network:
• Select the Network Pool to use for the Internal Network
• Assign internal addressing for the Internal Network
10
Organization Networks: In VMware vCloud Director
 Creating NAT-Routed Organization Network:
• Select the External Network
to attach
• Select the Network Pool to use
for the Internal Network behind
the vShield Edge.
• Assign internal addressing for
the Inside portion of Org Network
11
vApp Networks: Overview
 Contained within a vApp
• Inherently Private Internal
 Allows VMs in a vApp to communicate with each other or …by
connecting them to Org networks, other vApps
 Can be connected to Org Networks as
• Public (Direct)
• Bridged connection to a organization network
• Private Routed
• Connected to a organization network through a vShield Edge
• Can be configured for NAT & Firewall
 Backed by a Network Pool
12
Network Pools: Overview
 A set of pre-configured network resources that can be used for
Organization and vApp Networks
• Picture these as a collection of preconfigured switches that can be assigned to
organizations or vApps
 Three Types of Network Pools in VMware vCloud Director
• Portgroup-backed
• VLAN-backed
• vCloud Network Isolation-backed (vCD-NI)
13
Network Pools: Portgroup-backed
 Requires
• Preconfigured portgroups at the vSphere layer
• Assign meaningful names so its obvious they are part of a pool
• If using vSS portgroups, they must exist on all ESX/ESXi hosts in the cluster
 How it works
• The VI administrator manually creates the portgroups
• vCD Admin is given a list of unused portgroups to use for the pool
 Advantages
• Works with all types of vSwitches
 Disadvantages
• Requires manual work or orchestration to create all of the portgroups
• Portgroups needs to be keep in sync on a vSS
• To ensure isolation portgroups rely on VLANs for L2 isolation
14
Network Pools: VLAN-backed
 Requires
• A vDS that’s connected to all ESXi hosts in your cluster
• A range of unused VLANs
 How it works
• vCD admin creates the network pool and chooses an “Organization vDS” to
associate it with, then provides a range of valid VLANs, for example, 10 – 15
• When an network is needed, vCD will automatically create a portgroup on the
vDS and assign it an unused VLAN ID from those assigned
• Many vCD generated portgroups can coexist on the same vDS because they
are isolated using VLAN tagging
 Advantages
• Isolated networks
• No pre-configuration needed by VI administrators
 Disadvantages
• Requires VLANs to exist on physical switches in use
• VLANs are limited in supply and may not even be available at all
15
Network Pools: VLAN-backed in VMware vCloud Director
 VLAN-backed:
• define the VLAN range for the pool and select the vDS to provision the
portgoups on
•
•
16
Network Pools: VLAN-backed in vSphere
 VLAN-backed Example:
• The VLAN-backed network pool was defined to use the range 10-15
• The routed external Org Network was called EmcaInternet
• A Static binding port group was created with a vShield Edge attached
• Looking at the portgroup shows the portgroup used VLAN 10 and is named
dvs.VCDVSEmcaInternet-8dc9e26f-6783-4678-abaa-b5609114f6ca
17
Network Pools: vCloud Network Isolation
 VMware proprietary network isolation technology
• vCD-NI “networks” span hosts and are represented as portgroups on a vDS
• Setup:
• Designate a “Transport Network” – an actual layer 2 segment to carry the packets for
vCD-NI networks
• Decide how many networks you want in the pool, up to 1000 supported
• Individual vCD-NI Networks are isolated from each other and the Transport
Network via MAC-in-MAC encapsulation
• Technical details:
•
•
•
•
18
Implemented with MAC-in-MAC encapsulation
Encapsulation handled by dvFilter VMkernel module
Can cause frame fragmentation with default MTU
Requires a small increase in MTU to 1524 or higher
Network Pools: vCloud Network Isolation-backed
 Requires
• A vDS that’s connected to all ESXi hosts in your cluster
 How it works:
• vCD creates an overlay “transport” network for each isolated network to carry
encapsulated traffic
• Each overlay network is assigned a Network ID number
• Encapsulation contains source and destination information of hosts where VM endpoints
reside as well as the Network ID
• ESXi host strips the vCD-NI packet to expose the VM source and destination MAC
addressed packet that is delivered to the destination VM
 Advantages:
• Does not require VLANs (can optionally set a VLAN ID for the transport network; leaving
blank defaults to 0)
 Disadvantages:
•
•
•
•
19
Small performance overhead due to encapsulation (dvFilter)
Added MAC header require an increase in MTU same as in MPLS networks
vCD-NI is for layer 2 adjacency and not for routed networks
vCD-NI is only for VMs and cannot be accessed by physical hosts
Network Pools: vCloud Network Isolation in vSphere
 vCD-NI-backed Example:
• A vCD-NI-Backed Pool where transport VLAN is 99 was created
• The VI portgroup does not reflect isolation, just the transport VLAN used for
the vCD-NI
20
Expanded vShield Integration
Overview
• Integration with vShield IPSec VPN
capabilities through both API & UI
Virtual
Datacenter:
Remote
E
d
g
e
WAN
Virtual
Datacenter:
Local
E
d
g
e
• Expanded firewall capabilities to include
full 5-tuple firewalls and static routing
5-tuple: Protocol, SRC/DST IP, SRC/DST Port
Benefits
• Organization administrators can configure
private networking enclave connected
back to corporate datacenters
• 5-tuple firewalls allows fully flexible
network access management—control
source & destination.
21
IPSec Site to Site VPN
 Enable Site to Site VPN connections using vCloud Director
• Configured by the organization administrator on a routed org network
22
Setting Up VPN Tunnels
 Connecting to organization
network to setup VPN
tunnel is really easy
• vCloud URL
• Organization Name
• Credentials
 Setup Site to Site VPN
connections in a matter of
minutes
• Self-service
• Only 4 pieces of information
needed
• No need to call or email the
vCloud administrator
23
IPSec VPN Tunnel Configuration Types
 Tunnel to
Private Cloud
Public Cloud
Org A
Org A
VPN
Org Network
Org Network
Private/Public vCloud
Org B
network in
another
organization
 Tunnel to
network
in this
organization
 Tunnel to
Org Network
VPN
Org Network
vCloud
VPN Endpoint
Org C
(vShield Edge, 3rd Party)
Org Network
24
VPN
a remote
network
IPSec VPN
 AES or 3DES encryption
25
Five Tuple Firewalls
 Create complex firewall rules
for enhanced security
 Inbound and outbound rules
 Firewall rules now can be
configured for:
• source address
• source port
• protocol
• destination port
• destination address
 Support for ICMP protocol in
addition to TCP and UDP
26
Static Routing
27
Third Party Distributed Switch Integration
Overview
• Support for broader range of network
pool types in third party distributed switches
• Support VLAN-backed networks
• Requires vShield Manager 5
Third Party Distributed Switch
Benefits
• Leverage third party switches –
automatic portgroup creation now enabled
• Leverage third party tools for network
monitoring in conjunction with vCloud
deployments.
28
Manage Your Cloud Networking Using Standard Tools
vCloud Director 1.5
Third Party Distributed Switch
vShield
Manager
REST API
Third party tools
Administration/
Monitoring
Network
admins
29
Putting It Together: vCloud Networking Options – Examples
External Network (set up by system admin)
Organization
5
6
External Organization Network
External Organization Network (set up by system admin)
vApp
4
1
2
8
vApp network
3
vApp network
(set up by org admin/vApp author, internal to vApp)
7
Internal Organization network (set up by system admin)
30
vApp network
Questions
31