Exploring Apache CloudStack
Stack Check
Networking
The glue that brings all of the building blocks together is the network layer. CloudStack has two principal networking models, referred to as Basic and Advanced.
Basic networking is very similar to the model used by AWS, and it can be deployed in three slightly different ways, each adding to the features of the previous: a flat shared network with no isolation between guests; the same network with Security Groups, which isolate VMs from one another by filtering at Layer 3 on IP address, protocol, and port; and, on top of that, a Citrix NetScaler providing elastic public IPs and load balancing.
You can scale the zone horizontally by simply adding more PODs, each consisting of clusters of hosts together with their associated top-of-rack switching and primary storage.
The Advanced networking model brings a raft of features that place power into the hands of the end users. VLANs are the standard method of isolation, but Software-Defined Networking (SDN) offerings from Nicira, Big Switch, and soon Midokura bring the possibility of massive scale by overcoming the VLAN limitations, chiefly the 4,094 usable VLAN IDs in a single Layer 2 domain.
CloudStack makes excellent use of system virtual machines to provide control and automation of storage and networking. One such system VM is the CloudStack virtual router. The key difference between Advanced and Basic networking is that, in the Advanced mode, users can create CloudStack guest networks, with each network having a dedicated virtual router. A virtual router provides DNS and DHCP, firewall, client IPsec VPN, load balancing, source/static NAT, and port forwarding, and all of these features are configurable by end users through either the GUI (Figure 3) or the CloudStack API.
When a user creates a new guest network and then deploys guest VMs onto it, the VMs are attached to a dedicated L2 broadcast domain, isolated by VLANs and fronted by a virtual router that provides the network's connection to the public Internet. The user has full control of all traffic entering and leaving the network.
Firewall and port forwarding rules enable the mapping of public IPs to any number of internal VMs. Load balancing with round-robin, least-connections, and source-based algorithms, along with source-based, AppCookie, or LBCookie stickiness policies, is available out of the box.
Another powerful feature of the Advanced network model is the Virtual Private Cloud (VPC). A VPC enables the user to create a multi-tiered network configuration, placing each tier's VMs in their own VLAN. ACLs let users control the flow of traffic between the network tiers and between each tier and the Internet. A typical VPC might contain three network tiers (Web, App, and DB), with only the Web tier having Internet access.
VPCs also provide additional features, such as site-to-site VPN, enabling a persistent connection to infrastructure running in other locations. A VPC private gateway is a feature that cloud admins can use to provide a second gateway out of the VPC virtual router.
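Everything a user does in the GUI for the guest-network and VPC workflows above is also an API call, and every call is authenticated with the account's API key pair. The following is an added Python example, not code from CloudStack or from this article: it builds and signs the requests for the firewall/port-forwarding rules on an isolated guest network and for the ACLs of a three-tier Web/App/DB VPC, and it includes the server-side verification step so the signature can be checked offline. The signing steps (URL-encode, sort by parameter name, lower-case, HMAC-SHA1, base64) and the command and parameter names are CloudStack's own; the API keys, the `acl-*`/`ip-*`/`vm-*` identifiers, and the tier CIDRs are constructed placeholders, and nothing is sent over the network.

```python
"""Signed Apache CloudStack API requests for the guest-network firewall/port
forwarding and VPC ACL workflows described above.  Added example, not code
from the CloudStack project.  The signing steps follow the CloudStack API
documentation; command and parameter names are CloudStack's; the keys,
identifiers and CIDRs below are constructed placeholders."""
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote

# Constructed credentials standing in for an account's API key pair.
API_KEY = "example-api-key"
SECRET_KEY = "example-secret-key"


def _canonical(params):
    """String CloudStack signs: each value URL-encoded, pairs sorted by
    parameter name (case-insensitively), joined with '&', then lower-cased."""
    enc = {k: quote(str(v), safe="*") for k, v in params.items()}
    return "&".join(f"{k}={enc[k]}" for k in sorted(enc, key=str.lower)).lower()


def sign(params, secret_key):
    """Base64(HMAC-SHA1(secret_key, canonical string))."""
    mac = hmac.new(secret_key.encode(), _canonical(params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def build_request(command, api_key=API_KEY, secret_key=SECRET_KEY, **params):
    """Query string for one API call: parameters, apiKey and signature."""
    params = dict(params, command=command, apiKey=api_key, response="json")
    query = "&".join(f"{k}={quote(str(v), safe='*')}" for k, v in params.items())
    return f"{query}&signature={quote(sign(params, secret_key), safe='')}"


def verify_request(query, secret_key):
    """What the management server does: recompute the signature over every
    parameter except 'signature' and compare it in constant time."""
    params = dict(parse_qsl(query, keep_blank_values=True))
    presented = params.pop("signature", "")
    return hmac.compare_digest(sign(params, secret_key), presented)


def guest_network_rules(public_ip_id, web_vm_id):
    """Isolated guest network: admit HTTPS to one public IP from anywhere and
    forward it to a single guest VM.  The firewall rule alone opens nothing
    useful; without the port-forwarding rule the router has nowhere to send it."""
    return [
        ("createFirewallRule", dict(ipaddressid=public_ip_id, protocol="tcp",
                                    startport=443, endport=443, cidrlist="0.0.0.0/0")),
        ("createPortForwardingRule", dict(ipaddressid=public_ip_id, protocol="tcp",
                                          publicport=443, privateport=8443,
                                          virtualmachineid=web_vm_id)),
    ]


def three_tier_vpc_acls(acl_ids, tier_cidrs):
    """ACL items for a Web/App/DB VPC: each tier admits only the traffic it
    needs, sourced from the tier in front of it; only Web faces the Internet."""
    wanted = [
        ("web", "Ingress", 443, "0.0.0.0/0"),         # Internet -> Web
        ("web", "Egress", 443, "0.0.0.0/0"),          # Web -> Internet (updates, APIs)
        ("app", "Ingress", 8080, tier_cidrs["web"]),  # Web -> App only
        ("db", "Ingress", 3306, tier_cidrs["app"]),   # App -> DB only
    ]
    return [
        ("createNetworkACL", dict(aclid=acl_ids[tier], action="allow", protocol="tcp",
                                  traffictype=direction, startport=port, endport=port,
                                  cidrlist=cidr, number=n + 1))
        for n, (tier, direction, port, cidr) in enumerate(wanted)
    ]


def internet_facing_tiers(plan, tier_by_acl):
    """Review check before applying a plan: tiers whose ACL admits ingress
    from 0.0.0.0/0.  For the three-tier layout this must be ['web'] only."""
    return sorted({tier_by_acl[p["aclid"]] for _, p in plan
                   if p["traffictype"] == "Ingress" and p["cidrlist"] == "0.0.0.0/0"})


def signed_requests(plan, secret_key=SECRET_KEY):
    """Sign every (command, params) pair in a plan, preserving order."""
    return [build_request(cmd, secret_key=secret_key, **params) for cmd, params in plan]


if __name__ == "__main__":
    acls = {"web": "acl-web", "app": "acl-app", "db": "acl-db"}
    cidrs = {"web": "10.1.1.0/24", "app": "10.1.2.0/24", "db": "10.1.3.0/24"}
    for req in signed_requests(three_tier_vpc_acls(acls, cidrs)):
        print(req)
```

Two points worth taking from this. The signature binds the whole parameter set, so a rule whose `cidrlist` is altered in transit fails `verify_request`; but the secret key is the account, and whoever holds it can issue any call the account's role allows, so it deserves the same handling as a password. The basic signature also carries no timestamp, so a captured query string can be replayed until the key is rotated; CloudStack's `signatureversion=3` with an `expires` parameter closes that gap. The `internet_facing_tiers` check is the kind of assertion to run over a generated plan before applying it, since a single `0.0.0.0/0` on the App or DB tier quietly undoes the tiering the VPC was built for.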
CloudStack optimizes the underlying network architecture within a data center by enabling the Cloud admins to split up the various types of network traffic and map them to different sets of bonded NICs within each compute host.
CloudStack supports four types of physical network, and you can configure them to use a single NIC or multiple bonds, depending on how many NICs are available in the host server. (See the box titled "Network Types.")
Network Types
CloudStack supports the following types of physical networks:
- Management: Used by the CloudStack management servers and various other components within the system, sometimes referred to as the orchestration network.
- Guest: Used by all guest VMs when communicating with other guest VMs or gateway devices, such as virtual routers, Juniper SRX firewalls, F5 load balancers, and so on. The Advanced network configuration lets you create multiple guest networks, allowing you to assign a specific NIC to a particular user or function.
- Public: In an Advanced network configuration, the public network connects the virtual routers to the public Internet. In Basic network mode, the public network only exists when a Citrix NetScaler is used to provide elastic IP and elastic LB services.
- Storage: Used by the secondary storage system VM and by the host servers when connecting to secondary storage devices. Deploying new VMs from templates and, in particular, snapshot traffic can become network intensive; a separate storage network carries this traffic without degrading guest and management traffic.
Network Service Providers
In addition to the virtual router and VPC virtual router, CloudStack can also leverage real hardware, bringing even more functionality and greater scale. Currently supported devices are Citrix NetScaler, F5 BIG-IP, and Juniper SRX, with more planned.
Once a device has been integrated by Cloud Admins, the users have control of the features via the standard GUI or API. For example, if a Juniper SRX is deployed, when a user configures a firewall rule within the CloudStack UI, CloudStack uses the Juniper API to apply that configuration on the physical SRX.
When a Citrix NetScaler is deployed, it enables AutoScaling in addition to load balancing, NAT, and port forwarding. AutoScaling monitors the performance of your existing guest VMs and automatically deploys new VMs as the load increases. After the load has dropped off, the extra VMs can be destroyed, bringing your usage and costs back down to a base level. This level of flexibility and scalability is a key driving force in the adoption of cloud computing.
Management
CloudStack is quite easy to set up and administer thanks to its great graphical user interface, API, and CLI tools such as CloudMonkey. A wizard takes you through the configuration and deployment of your first zone, networking, POD, cluster, host, and storage, meaning you can be up and running within a matter of hours.
A simple Role-Based Access Control (RBAC) system presents each level of user with the features to which it is entitled, and the standard allocations can be fine-tuned as required. Authentication can also be handed off to LDAP, enabling integration with enterprise directories, including OpenLDAP and Microsoft Active Directory.
Admins set up new user accounts, which are grouped together into domains, allowing a hierarchical structure. By grouping users into domains, Admins can make certain subsets of the infrastructure available to a particular group of users.
A set of system parameters called global settings allows admins to control all of the features and set up controls such as limits, SMTP alerts, and a host of other settings.
Service offerings enable Admins to set up the parameters that control the end-user environment, such as the number of vCPUs, RAM, network bandwidth, and preferred hardware.
Admins have full control over the infrastructure and can initiate the live migration of any VM between hosts in the same cluster. You can migrate stopped VMs across different clusters by moving their associated volumes to different storage. Storage devices and hosts can be taken offline for maintenance and upgrades, and admins can steer VMs to a particular set of hosts using either the API or tags.