Guido Appenzeller VMware SDN Pioneer's Vision of Networking

[OpenStack Days Korea 2016] An SDN Pioneer's Vision of Networking

Apr 16, 2017

Page 1: [OpenStack Days Korea 2016] An SDN Pioneer's Vision of Networking

Guido Appenzeller, VMware

SDN Pioneer's Vision of Networking

Page 2

Networking is Changing

1. Cloud & Mobile

2. The Application is the Network

3. Containers and PaaS

What does this mean for OpenStack Networking?

Page 3

We are in the 3rd fundamental structural transition in the history of IT

Cloud Computing

We are here

Mainframe

PC Revolution

Client/Server

Cloud

• Mobile Devices & Clouds (public & private)

• Software Defined

• Local Applications

• Minor role for networking

• Desktops & Servers

• Campus Networks

• Data Centers

Page 5

Networking for Mobile & Cloud

For mobile users, companies no longer control the networking hardware

Example:

• Working from Starbucks on an AWS demo.

• My IT department controls 0% of networking hardware

• It is still responsible for security & compliance

traceroute to demo-aws.eng.vmware.com (52.35.205.45), 64 hops max, 52 byte packets
 1  * * *
 2  50-254-159-158-static.hfc.comcastbusiness.net (50.254.159.158)  3.367 ms
 3  50.184.162.1 (50.184.162.1)  26.484 ms
 4  te-0-2-0-15-sur04.santaclara.ca.sfba.comcast.net (162.151.30.113)  13.716 ms
 5  hu-0-3-0-4-ar01.hayward.ca.sfba.comcast.net (68.87.192.241)  30.744 ms
 6  hu-0-0-0-0-ar01.santaclara.ca.sfba.comcast.net (68.85.154.249)  27.420 ms
 7  be-33651-cr01.sunnyvale.ca.ibone.comcast.net (68.86.90.93)  16.763 ms
 8  he-0-12-0-0-pe02.529bryant.ca.ibone.comcast.net (68.86.86.166)  29.906 ms
 9  as16509-2-c.529bryant.ca.ibone.comcast.net (66.208.229.30)  20.418 ms
10  * * *
11  * * *
12  205.251.229.68 (205.251.229.68)  48.178 ms
13  205.251.232.145 (205.251.232.145)  35.174 ms
14  54.239.48.191 (54.239.48.191)  39.651 ms
15  205.251.232.151 (205.251.232.151)  49.356 ms
16  205.251.230.125 (205.251.230.125)  32.864 ms

Page 6

Clouds are the New Silos

IT Department Nightmare: Different teams, different technology stacks, different security & compliance

On-Premises Datacenter

Page 7

Multi-Cloud Networking

Companies need to extend networks across public clouds

On-Premises Datacenter

Page 8

Tomorrow’s Networking

Connect and Secure Applications across Private and Public Multiple Clouds

Connect & Secure

• Create private networks within or across clouds

• Define logical switches, routers

• Use firewalls to segment applications

• Service Insertion

• Distributed Enterprise Edge

[Diagram labels: Web Portal, Retail App, Big Data, Internet]

Page 9

Networking is Changing

1. Cloud & Mobile

2. The Application is the Network

3. Containers and PaaS

What does this mean for OpenStack Networking?

Page 10

PROVISIONING AND CONFIGURATION

Page 11

TROUBLESHOOTING

Page 12

SECURITY

Page 13

THE APP HAS EVOLVED INTO A NETWORK

INFRASTRUCTURE HAS EVOLVED INTO A SOFTWARE PLATFORM

VIRTUALIZATION

Page 14

Networking is Changing

1. Cloud & Mobile

2. The Application is the Network

3. Containers and PaaS

What does this mean for OpenStack Networking?

Page 15

Containers

Containers are emerging as the application management layer of choice

[Diagram: VM Applications and Application Containers; labels: App, bin/libs, OS, Containers, Hypervisor, Host]

Page 16

Container Networking

Enterprise model today

Containers run inside of VMs

• One VM per server per security domain

• Containers often behind NAT

• No container level networking

Does this make sense?

It actually does…

[Diagram labels: VM, Container, Hypervisor, vSwitch]

Page 17

Container Networking

In the future, container level visibility

Two levels of vSwitch

• First layer vSwitch inside the container VM

• Second layer vSwitch inside the Hypervisor

• Container level networking

[Diagram labels: VM, Container, vSwitch, Hypervisor]

Page 18

Containers – More Secure with a Hypervisor

Hypervisor provides a security control point

Container Networking

• Attacker can’t escalate from container to vSwitch

• Does not gain physical network access

• Ability to spread is limited

[Diagram labels: Guest, Container, vSwitch, Hypervisor, Physical Network Infrastructure, Internet]

Page 19

Networking is Changing

1. Cloud & Mobile

2. The Application is the Network

3. Containers and PaaS

What does this mean for OpenStack Networking?

Page 20

OpenStack Networking Today

Physical and Virtual Networks connect Virtual Machines

Physical Network

Virtual Network

Page 21

Tomorrow: Cross-Platform Networking

Your network needs to manage many different types of endpoints

Physical Network

Virtual Network

Hyper-V

Page 22

Example: NSX for OpenStack and Amazon Web Services

Native support for AWS instances with coherent services and security posture for on and off-premise

Developer: Launches instances via Amazon console

Amazon Web Services

• Native AWS Server instances (AMIs)

• Added to NSX virtual networks via policy

On-Premise NSX/vSphere

• AWS instances are added to logical switch

• Consistent security posture on-premise and in cloud

• AWS instances leverage services

IT Administrator: Defines network and security policy

[Diagram labels: AWS Cloud, Data Center, Web Server, HR Server, Internet]

Page 23

Example: NSX for OpenStack and beyond…

Managing Security and Connectivity for many Heterogeneous End Points

• On-Prem Data Center (Today)

• Containers (2016)

• Public Clouds (2016)

• Virtual Desktop (VDI)

• Mobile Devices (Airwatch)

• Internet of Things (Roadmap)

• Branch Offices (Partner)

Networking is Evolving

• H/W networks no longer under IT control (e.g. mobile, IoT, public clouds)

• Challenge is security, compliance and QoS

NSX Everywhere

• An overlay to manage network policy

• Spans many types of underlying networks

• Transparent app-level security across clouds

Page 24

Thank you