SLIDE 1

Enabling Federated Cloud Networking

Giovanni Merlino - University of Messina (Italy)
Sébastien Dupont - CETIC (Belgium)
Giuseppe Tricomi - University of Messina (Italy)

OpenStack Summit 11/05/2017 Boston, USA

SLIDE 2

Outline

  • Intro
  • Framework overview
  • Networking federation
  • Broker (demo)
  • Security considerations
  • SFC/NFV (Tacker, demo)
  • Network visualization (Skydive)
  • Wrap up

SLIDE 3

Problem Definition

Globally operating companies may need to:

  • deploy tiers of their applications across different time zones
  • diversify their choice of cloud providers, for a number of reasons

SLIDE 4

Approach: Federated Cloud Networking

[Diagram labels: Service Manifest, Internet, OVN]

With advanced features such as:

  • automated high availability
  • location aware elasticity
  • automated service function chaining

SLIDE 5

Federating Virtual Cloud Networks: benefits

  • Virtual Networks
    – Flexibility
    – Security
  • Network Federations
    – Managed as an entity, via API and tools

SLIDE 6

Cloud Federation: types

SLIDE 7

Loosely Coupled Scenarios

[Diagram labels: AWS-EU, AWS-US]

SLIDE 8

Interop

[Diagram labels: AWS-EU, AWS-US]

SLIDE 9

Federated Networking: BEACON Architecture

SLIDE 10

Networking: federation

SLIDE 11

BEACON Broker: Scenario

  • A Federation Tenant (we may also call it “borrower”) has to be already available, to enable a fully “federated” user experience (e.g., orchestration)
  • Customers of the federation tenant prefer to deploy their application(s) just by selecting the area(s) where components should be deployed

SLIDE 12

Beacon Service Manifest

Custom extensions to the HOT standard:

  ➢ Geographical Placement
  ➢ Component grouping
  ➢ Elasticity management

    # Geographical placement: a GeoJSON shape describing where to deploy
    geoshape_2:
      type: OS::Beacon::Georeferenced_deploy
      properties:
        label: shape label
        description: descripition
        shapes: [{"type":"Feature","id":"BEL","properties":{"name":"Belgium"},"geometry":{"type":"Polygon","coordinates":[[[3.314971,51.345781],[4.047071,51.267259],,...............,[3.314971,51.345781]]]}}]

    # Component grouping: servers A and B are managed as one group
    federation:
      type: OS::Beacon::ServiceGroupManagement
      properties:
        name: GroupName
        geo_deploy: { get_resource: geoshape_2 }
        resource:
          groups: { get_resource: [B, A] }

    B:
      type: OS::Nova::Server
      properties:
        name: test
        key_name: { get_param: key_name }
        image: { get_param: cirros }
        networks: [{"fixed_ip": 80.0.0.62, "network": { get_param: private_network } }]
        flavor: m1.tiny

    A:
      type: OS::Nova::Server
      properties:
        name: VM-A
        key_name: { get_param: key_name }
        image: { get_param: image-A }
        flavor: { get_param: flavor }
        networks: [{"fixed_ip": 80.0.0.61, "network": { get_param: private_network } }]
        security_groups: [{ get_resource: server_security_group }]
        user_data: |
          #!/bin/bash
          # sets a fixed root password (value as shown on the slide)
          echo root:vagrant | chpasswd
          sudo apt-get update

    # Elasticity management: scaling policy bound to the group and the shape
    elasticity_location_policy:
      type: OS::Beacon::ScalingPolicy
      properties:
        policy_type: SunLight
        geo_deploy: { get_resource: geoshape_2 }
        groupmonitored: { get_resource: federation }
        min_gap: "-8"

SLIDE 13

BEACON Broker

  • Sets the federation process in motion for the networks (invoking the FedSDN services)
  • Instantiates resources
  • Activates the elasticity manager for instantiated resources
  • Manages the geographical placement and deployment

SLIDE 14

Broker: Geographical Deployment

    geoshape_2:
      type: OS::Beacon::Georeferenced_deploy
      properties:
        description: descripition
        shapes: [{"type":"Feature","id":"BEL","properties":{"name":"Belgium"},"geometry":{"type":"Polygon","coordinates":[[[3.314971,51.345781],[4.047071,51.267259],,...............,[3.314971,51.345781]]]}}]

Starting from a GeoShape, as described in the service manifest:

  • a set of clouds identified
  • clouds’ endpoints retrieved
  • borrower’s credential retrieved
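
One way the selection steps above could work, as an added example that is not BEACON broker code: a point-in-polygon test picks the clouds inside the manifest's GeoShape, and endpoints and borrower credentials are looked up only for those clouds. The cloud names, endpoints, coordinates, credential references and the coarse rectangle standing in for the slide's elided Belgium polygon are all constructed assumptions.

```python
# Added example: choose clouds inside a manifest GeoShape, then fetch only what they need.
# All names, endpoints, coordinates and credential references are constructed.

def point_in_ring(lon, lat, ring):
    """Ray casting: an odd number of edge crossings east of the point means inside."""
    inside = False
    for (x1, y1), (x2, y2) in zip(ring, ring[1:]):
        if (y1 > lat) != (y2 > lat):  # edge straddles the point's latitude
            x_cross = x1 + (lat - y1) * (x2 - x1) / (y2 - y1)
            if lon < x_cross:
                inside = not inside
    return inside

def point_in_feature(lon, lat, feature):
    geom = feature["geometry"]
    if geom["type"] != "Polygon":
        raise ValueError("unsupported geometry: " + geom["type"])
    outer, *holes = geom["coordinates"]
    return point_in_ring(lon, lat, outer) and not any(
        point_in_ring(lon, lat, hole) for hole in holes)

def select_clouds(shapes, clouds):
    """Step 1: identify the clouds whose registered site lies in any shape."""
    return sorted(name for name, c in clouds.items()
                  if any(point_in_feature(c["lon"], c["lat"], f) for f in shapes))

def plan_deployment(shapes, clouds, borrower_creds):
    """Steps 2 and 3: endpoint and borrower credential, for selected clouds only."""
    plan = {}
    for name in select_clouds(shapes, clouds):
        if name not in borrower_creds:  # fail closed rather than skip silently
            raise LookupError("no borrower credential for " + name)
        plan[name] = {"endpoint": clouds[name]["endpoint"],
                      "credential_ref": borrower_creds[name]}
    return plan

# Coarse rectangle standing in for the slide's elided Belgium polygon (lon, lat).
SHAPES = [{"type": "Feature", "id": "BEL", "properties": {"name": "Belgium"},
           "geometry": {"type": "Polygon", "coordinates": [[
               [2.5, 49.5], [6.4, 49.5], [6.4, 51.5], [2.5, 51.5], [2.5, 49.5]]]}}]
CLOUDS = {
    "cloud-a": {"endpoint": "https://cloud-a.example/identity/v3", "lon": 4.35, "lat": 50.85},
    "cloud-b": {"endpoint": "https://cloud-b.example/identity/v3", "lon": 8.68, "lat": 50.11},
    "cloud-c": {"endpoint": "https://cloud-c.example/identity/v3", "lon": 15.55, "lat": 38.19},
}
BORROWER_CREDS = {"cloud-a": "secret-store:borrower/cloud-a",
                  "cloud-c": "secret-store:borrower/cloud-c"}

if __name__ == "__main__":
    print(plan_deployment(SHAPES, CLOUDS, BORROWER_CREDS))
```

Clouds outside the shape never have their credentials touched, and a selected cloud with no borrower credential stops the deployment instead of being skipped.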
SLIDE 15

Broker: demo time

SLIDE 16

Security considerations

At the local level: limited trust between clouds inside a federation, e.g. Cloud A trusts cloud B but not cloud C.

At the global level: ensure global security policies for the federation, e.g. intrusion detection and remediation on traffic between the federated clouds and the Internet.

SLIDE 17

Network security tools

Network Function Virtualisation (NFV) - Virtualise all the things!

Service Function Chaining (SFC) - design complex security workflows with VNFs

[Diagram labels: Firewall, IDS, monitoring]

SLIDE 18

SFC/NFV - Anomaly detection

[Diagram labels: VM1, NF - DPI, NF - FWL7, Cloud, The internet]

Diagram annotations:

  • Add FW rule: drop traffic from/to VM1
  • Remove VM1 Security Groups & apply quarantine SG
  • Anomaly (ftp)

SLIDE 19

SFC/NFV - Encryption

[Diagram labels: Federation; VM1, VM2, VM3, VMX, VMY; NF - En/Decryption (×3); Cloud 1 (trusted); Cloud 2 (trusted); Cloud 3 (untrusted)]

SLIDE 20

NFV in OpenStack: Tacker project

OpenStack service addressing NFV Orchestration and VNF Manager use-cases using a standards-based (TOSCA) architecture

SLIDE 21

NFV/Tacker: demo time

[Diagram label: nDPI]

SLIDE 22

NFV/Tacker: demo time (1)

SLIDE 23

NFV/Tacker: demo time (2)

SLIDE 24

NFV/Tacker: demo time (3)

SLIDE 25

NFV/Tacker: demo time (4)

SLIDE 26

Network visualization: Skydive

[Diagram labels: Internet; Cloud Manager, Network Manager (×2); Federation tunnel; Federated datapath, BEACON Net Agent (×2); Overlay network; Physical network; Global federated network policy; Federated Network Manager; Application admin; Service Manifest]

SLIDE 27

Skydive Architecture

SLIDE 28

Skydive WebUI: bird’s-eye view of a BEACON environment
SLIDE 29

Skydive: single-Cloud view

SLIDE 30

Skydive: single-node view

SLIDE 31

BEACON Contributions to Skydive

Real-time traffic stats visualization (overlaid on top of the topology)

  • Calculating aggregated traffic (over fed tunnel) and showing bandwidth consumption on the tunnel

  • Visualizing network load
  • Showing L2 bandwidth on the topology
  • Highlighting (color) network links, based on thresholds
  • Determining bottlenecks in each cloud and on the cloud interconnect

Multi-region network topology visualization

  • Enabling definition of multiple separated clouds and their network interfaces
  • Grouping each cloud network with all its components in a specific area (for enhanced usability)

SLIDE 32

Wrapping up: Impact and benefits

  • Integration of Network virtualisation and Software defined networking with Cloud Middleware
  • Code originating from research is being published under Open Source licenses
  • Some results are being fed back upstream (OVN, OpenStack and OpenNebula) already

SLIDE 33

BEACON Website

SLIDE 34

Consortium

  • 6 countries
  • 4 companies
  • 2 universities
  • 1 research institute

Duration: 30 months (02/2015-07/2017)

SLIDE 35

Please help us by answering our brief survey: http://bit.ly/2q3IAqt

SLIDE 36

This work has been supported by the BEACON project, grant agreement number 644048, funded by the European Union’s Horizon 2020 Programme under topic ICT-07-2014.

Giovanni Merlino - gmerlino@unime.it
Sébastien Dupont - sebastien.dupont@cetic.be
Giuseppe Tricomi - gtricomi@unime.it

Survey: http://bit.ly/2q3IAqt