Unit 2 CloudStack Architecture 3

The document discusses CloudStack network architecture including an overview of network architecture, deployment models, security groups, system VMs, virtual routers, physical networks, virtual networks, isolated networks, and the differences between basic and advanced networking.

INT-362

Cloud Architecture & Implementation-I

Unit-2
Cloudstack Network Architecture

www.lpu.in Lovely Professional University


Cloudstack Network
Architecture:
• Network architecture overview
• Deployment model of CloudStack:
– basic mode
– advanced mode
• Security groups
• System VMs
• Virtual router



Network Architecture
overview
• The architecture used in a deployment will
vary depending on the size and purpose of the
deployment.
• Small-scale deployment
– useful for test and trial deployments
• Fully-redundant large-scale setup
– for production deployments.



Network Architecture
overview
Small-scale CloudStack
Deployment.
• A firewall provides a connection to the Internet. The
firewall is configured in NAT mode. The firewall forwards
HTTP requests and API calls from the Internet to the
Management Server. The Management Server resides on
the management network.
• A layer-2 switch connects all physical servers and
storage.
• A single NFS server functions as both the primary and
secondary storage.
• The Management Server is connected to the
management network.
Network Architecture
overview
Large-scale CloudStack
deployment.
• A layer-3 switching layer is at the core of the data center. A router redundancy protocol like
VRRP should be deployed. Typically high-end core switches also include firewall modules.
Separate firewall appliances may also be used if the layer-3 switch does not have integrated
firewall capabilities. The firewalls are configured in NAT mode. The firewalls provide the
following functions:
– Forward HTTP requests and API calls from the Internet to the Management Server. The
Management Server resides on the management network.
– When the cloud spans multiple zones, the firewalls should enable site-to-site VPN such that servers
in different zones can directly reach each other.
• A layer-2 access switch layer is established for each pod. Multiple switches can be stacked
to increase port count. In either case, redundant pairs of layer-2 switches should be
deployed.
• The Management Server cluster (including front-end load balancers, Management Server
nodes, and the MySQL database) is connected to the management network through a pair
of load balancers.
• Secondary storage servers are connected to the management network.
• Each pod contains storage and computing servers. Each storage and computing server
should have redundant NICs connected to separate layer-2 access switches.
Network service providers
• CloudStack network services are made possible with the help of a
network service provider, which is a network element: either a
hardware device or a virtual appliance.
• It can be a Cisco or Juniper device that provides firewall services
in the same physical network, or an F5 load balancer that provides
load balancing for the virtual machines registered with it.
• It can also be a CloudStack virtual router, which provides the
networking configuration for VLANs or an overlay network and
helps divide a network into multiple tiers.
Network service providers
• There can be single or multiple network service
providers which are used to provide network
services for a single network.
• There can be multiple instances of the same
service provider in a single network.
• In the case where various network service
providers are configured to provide network
services, the users have the option to select from
the several network offerings that are created by
the administrator.
Types of network in CloudStack:
• CloudStack provides various types of network
services for end users.
• CloudStack supports multiple network services
from third parties.
• It helps with providing complex network
configurations in the cloud.
– Physical Network
– Virtual Network
– Isolated networks
Types of network in CloudStack:

• Physical network :
– A zone in the CloudStack deployment can be
associated with one or more physical networks.
– A physical network can be used to carry one or
more types of network traffic.
– A zone can use the basic network configuration or
advanced network configuration, which will decide
the type of network traffic that flows through the
physical networks.
Physical Network
• In a zone with basic network
configuration, only one physical network
can be present.
• There are basically three types of network
traffic that are allowed. They are:
– Guest Network traffic
– Management traffic
– Storage traffic
Guest Network traffic
• This is the traffic flowing over the guest network for
communication between the guest VMs while they are
running.
• All guest networks of type isolated share the same
subnet, which is set at the zone level.
• Guest traffic of a VM within one zone is carried in one
network; VMs in different zones cannot communicate
with each other directly.
• For VMs in different zones to communicate, they must
do so via a router through a public IP address.
Management traffic:
• This traffic is generated by the internal resources of
CloudStack.
• It comprises the traffic between the hosts in the clusters
and the system VMs (VMs that perform various tasks for
CloudStack in the cloud).
• The administrator must configure the IP ranges of the
system VMs.
• The management traffic should be isolated from the other
traffic: it carries all the UDP heartbeat traffic, so keeping it
separate from other network traffic is highly recommended.
Storage traffic:
• This is the traffic flowing between the primary
and secondary storage servers.
• An example is VM templates: templates are
placed on secondary storage, and when a user
requests a VM based on some template, the
template data has to flow from the secondary
storage server to the primary storage server.
Virtual network
• To enable multi-tenancy on a single physical network, the
physical network has to be logically divided into several
logical constructs; each logical construct is known as a virtual
network.
• All the information about the virtual networks and their settings
is configured and stored in CloudStack.
• These settings are activated only when the first VM is started
and assigned to this network, and the virtual network is
deleted (garbage collected) when all the VMs are removed
from that network.
• This lets CloudStack preserve network resources and reduce
waste. CloudStack allows a virtual network to be shared or
isolated.
Isolated networks
• These networks, as the term suggests, are isolated
and can be accessed only on virtual machines of a
single account except for the domain administrators.
• The resources such as VLAN are allocated to these
types of networks and the garbage collection is done
dynamically.
• The isolated network can be upgraded or
downgraded only if it is done for the entire network
because it is unique for the entire network.
Basic and Advanced
Networking
• CloudStack provides two styles of networking:
• Basic: For AWS-style networking. Provides a single network where
guest isolation can be provided through layer-3 means such as
security groups (IP address source filtering).
• Advanced: For more sophisticated network topologies. This
network model provides the most flexibility in defining guest
networks, but requires more configuration steps than basic
networking.
• Each zone has either basic or advanced networking. Once the
choice of networking model for a zone has been made and
configured in CloudStack, it cannot be changed.
• A zone is either basic or advanced for its entire lifetime.
Basic and Advanced
Networking
• The two types of networking may be in use in the
same cloud. However, a given zone must use either
Basic Networking or Advanced Networking.
• Different types of network traffic can be segmented
on the same physical network. Guest traffic can also
be segmented by account.
• To isolate traffic, you can use separate VLANs. If you
are using separate VLANs on a single physical
network, make sure the VLAN tags are in separate
numerical ranges.
Security Groups
• Security groups can be attached to any particular instance in
the CloudStack environment. The security groups act as the
firewall to allow or deny the egress and ingress of network
traffic.
• The rules defined in security groups decide whether
communication of some protocol, to some port of the
instance from a particular source can be allowed or denied.
• Security groups can also be used to define rules for
outgoing traffic.
• The security groups offer an extra level of security or firewall
that can be applied to the instances for restricting the
incoming and outgoing traffic.
Security Group:
• For example, the web servers on one VLAN can have a security group
that allows traffic from anywhere on the Internet to the port serving
users' requests, whereas a backend database server can have a
security group configured to allow traffic to its database port only
from the security group of the web servers and deny any other
traffic from anywhere.
• Thus, the security of the database server is maintained by
restricting access to the web servers only.
• Security groups allow a scalable network configuration in the cloud
compared with VLANs, where the number of VLANs that can be
created on a vSwitch is restricted.
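The web-tier / database-tier example above can be made concrete by modelling how security group ingress rules are evaluated. The following is an added illustration, not CloudStack's own code: it assumes a constructed sample of two groups ("web" open on TCP 80 from anywhere, "db" open on TCP 3306 only to members of "web"), three constructed guest IPs, and a default-deny ingress policy in which a rule is matched either by source CIDR or by the source instance's group membership.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class IngressRule:
    protocol: str                        # "tcp", "udp" or "icmp"
    start_port: int
    end_port: int
    cidr: Optional[str] = None           # source filtered by IP range, or ...
    source_group: Optional[str] = None   # ... by membership in another group


@dataclass
class SecurityGroup:
    name: str
    ingress: List[IngressRule] = field(default_factory=list)


class Evaluator:
    """Default-deny ingress check over the groups attached to an instance."""

    def __init__(self, groups: List[SecurityGroup], membership: Dict[str, Set[str]]):
        self.groups = {g.name: g for g in groups}
        self.membership = membership     # instance IP -> names of attached groups

    def _matches(self, rule: IngressRule, src_ip: str, proto: str, port: int) -> bool:
        if rule.protocol != proto or not (rule.start_port <= port <= rule.end_port):
            return False
        if rule.cidr is not None:
            return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.cidr)
        # Group-referenced rule: the packet is admitted only if the source
        # instance is itself a member of the referenced group.
        return rule.source_group in self.membership.get(src_ip, set())

    def allows_ingress(self, dst_ip: str, src_ip: str, proto: str, port: int) -> bool:
        return any(self._matches(r, src_ip, proto, port)
                   for g in self.membership.get(dst_ip, set())
                   for r in self.groups[g].ingress)


def build_example() -> Evaluator:
    """Constructed sample (hypothetical IPs): web open on 80, db reachable only from web."""
    web = SecurityGroup("web", [IngressRule("tcp", 80, 80, cidr="0.0.0.0/0")])
    db = SecurityGroup("db", [IngressRule("tcp", 3306, 3306, source_group="web")])
    membership = {"10.1.1.10": {"web"}, "10.1.1.20": {"db"}, "10.1.1.30": set()}
    return Evaluator([web, db], membership)
```

A guest that is not in the "web" group (10.1.1.30 in the sample) is refused on 3306 even though it shares the subnet, which is the point of referencing a group rather than a CIDR.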
System VMs:
• CloudStack uses several types of system virtual
machines to perform tasks in the cloud.
• In general CloudStack manages these system
VMs and creates, starts, and stops them as
needed based on scale and immediate needs.
• The System VMs come from a single Template.
System VMs:
• A System VM upgrade involves two entities:
– the System VM Template based on current Debian
stable distribution
– the CloudStack package scripts.
• A System VM Template should be updated when:
– The previous Template reaches end-of-life or,
– The latest available Template addresses essential
security issues or,
– The Template has some fixes to be made in the
Template’s built-in scripts.
CloudStack virtual router
• The virtual router is a type of System Virtual Machine and is
one of the most frequently used service providers in
CloudStack.
• The virtual network in a CloudStack deployment consists of
various virtual networks, which the administrator can
configure as required.
• In the basic type of networking, virtual routers are deployed
as a shared service among multiple tenants and provide
features such as DHCP, DNS, and so on.
• In the advanced type of networking, by default only one
virtual router is deployed per network in an account, so there
is one virtual router unique to each isolated guest private
network.
CloudStack virtual router
• A virtual router has three network interface cards:
• The first is connected to the isolated guest network used for
advanced VLANs; it is assigned the first IP in the CIDR
range and also acts as DHCP server, DNS server, and gateway
for instances in the private guest network.
• The second NIC is used for a local link network (only for
KVM and XenServer), the management network, and for
configuration of the virtual router.
• The third and last NIC of the virtual router resides on the
public network and is assigned a public IP that is used to
provide NAT services to the guest VMs connected to it.
Thank You