Juniper Employee
CloudStack and Juniper's MetaFabric - Enabling Private and Public Clouds
Nov 6, 2014

Introduction

CloudStack is an open source software platform that pools computing resources to build public, private, and hybrid Infrastructure-As-A-Service (IaaS) clouds. CloudStack automatically configures each guest virtual machine’s networking and storage settings but requires deployment of network vendors’ plugins to configure the underlying physical network.

 

Juniper has envisioned an architecture, MetaFabric, that ties together switching, routing, security and software into High IQ Networks for data centers. Orchestration/automation is one of the key components of this architecture, and a Network Plugin for CloudStack fits into the MetaFabric architecture and vision.

 

In this blog we will see how Juniper’s MetaFabric architecture can be leveraged in CloudStack (using a CloudStack Network Guru Plugin for the MetaFabric architecture) to set up a Private Cloud inside an organization.

 

CloudStack provides powerful features for enabling a secure multi-tenant cloud computing environment. While the underlying physical network may be shared among all the tenants, each tenant’s specific requirements may vary.

For example, within an organization:

  • The Finance Department might host a financial application in a VM and would want secure/restricted access
  • The Marketing Department might want unrestricted access to their product advertisements
  • The Engineering Department might want to set up servers that communicate only with each other

 

Juniper’s feature-rich switching fabric (e.g. Virtual Chassis Fabric, QFabric), combined with high-performance routers (e.g. MX) and intelligent network security solutions (e.g. SRX), provides the network foundation needed for High IQ Networks.

 

The MetaFabric plugin ties them together to address the varying needs of CloudStack Tenants.

 

CloudStack provides the following entities:

  • User account (i.e. Tenant): Within an organization, there could be a separate account for each Department
  • Network Offering: This is a blueprint of the Network to be created. The CloudStack Administrator can create various Network Offerings with different services (such as Firewall)
  • Guest Network: CloudStack Tenants can create Networks based on a particular Network Offering that suits their requirements. In addition, access to such Networks can be controlled via Ingress/Egress rules
  • Create VM Instance: CloudStack Tenants can create VMs and attach them to a Network

 

When CloudStack tenants create a Network (i.e. a virtual network), the MetaFabric plugin interprets the Network Offering and the Ingress/Egress rules associated with the Network and orchestrates the Juniper devices accordingly.

 

 

Deployment

Deployment.png

 

 

In this MetaFabric deployment, the MX Series and the SRX Series handle the Routing, the SRX Series handles Security, and the Fabric solution handles L2 forwarding.

 

 

Use Case #1: Creating a Restricted Network with appropriate Ingress/Egress rules (e.g. Finance)

The CloudStack Administrator will log in to the CloudStack Mgmt Server and create a Network Offering – Secure Access by selecting the Firewall service (powered by MetaFabric). The Default Ingress and Egress policy will be Deny.

 

SecureAcessNWOffering.png

 

The Secure Access Network offering is then associated with the Finance account. Now the Finance Department representative will log in to the CloudStack Mgmt Server using the Finance account, create a network – FinanceDeptNW, and choose the Secure Access Network offering.

 

FinanceDeptNW.png

 

The next step is to configure the Ingress/Egress rules for this Network.

Configure_NW_Rules.png

 

 

 

After the Network is created, the Finance tenant will create a VM and attach it to this Network.

 

CreateVM_Attach_To_NW.png

 

 

From an orchestration perspective, the MetaFabric Plugin will configure:

  • the switching fabric with VLANs to provide isolation at Layer 2. In addition, the VLAN will be attached to the trunk ports on the switch connecting to the SRX
  • the SRX with security policies based on the Ingress/Egress rules of the Network and the subnet address

 

Use Case #2: Creating a Network with unrestricted access (e.g. Marketing)

The CloudStack Administrator will log in to the CloudStack Mgmt Server and create a Network Offering – Open Access by selecting the Firewall service (powered by MetaFabric). The Default Ingress and Egress policy will be Allow.

 

OpenAccessNWOffering.png

After this, the Marketing Department representative will log in from the Marketing account, create a new Network (call it MarketingDeptNW), and choose the Open Access Network offering. They would associate their VMs with this newly created Network (i.e. MarketingDeptNW).

 

From an orchestration perspective, the MetaFabric Plugin will configure:

  • the switching fabric with VLANs to provide isolation at Layer 2. In addition, the VLAN will be attached to the trunk ports on the switch connecting to the SRX
  • the SRX with a security policy (with a default allow for this subnet address)

 

 

Use Case #3: Creating an Isolated Network (e.g. Engineering)

 

CloudStack comes with a default Network Offering – DefaultIsolatedNetworkOffering.

 

NW_Offerings_List.png

 

 

The Engineering Department representative will log in from the Engineering account, create a new Network (call it EngineeringDeptNW), and choose the DefaultIsolatedNetworkOffering. They would associate their VMs with this newly created Network (i.e. EngineeringDeptNW).

 

 

From an orchestration perspective, the MetaFabric Plugin will configure:

  • the switching fabric with VLANs to provide isolation at Layer 2
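
The three use cases differ only in whether the Firewall service is selected and what the default policy is. The added model below (not the MetaFabric plugin's code) derives the per-device intent for each case and evaluates flows against it. The field names, VLAN IDs, subnets and the sample rule are constructed, and tenant rules are assumed to be permits layered over the default policy.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    """One tenant Ingress/Egress rule; the field names are hypothetical."""
    direction: str        # "ingress" or "egress"
    proto: str            # "tcp", "udp", ...
    port: Optional[int]   # None matches any port
    peer_cidr: str        # remote range outside the guest subnet


def plan(firewall: bool, default_action: str, vlan_id: int, subnet: str,
         rules: List[Rule]) -> dict:
    """Derive the fabric and SRX intent for one guest network."""
    if default_action not in ("deny", "allow"):
        raise ValueError("default policy must be 'deny' or 'allow'")
    intent = {"fabric": {"vlan": vlan_id, "trunk_to_srx": firewall}, "srx": None}
    if firewall:
        # Assumption: tenant rules are permits; the default covers the rest.
        intent["srx"] = {"subnet": subnet, "default": default_action,
                         "permits": list(rules)}
    return intent


def flow_allowed(intent: dict, direction: str, proto: str, port: int,
                 peer_ip: str) -> bool:
    """Decide whether a flow between the guest subnet and peer_ip passes."""
    srx = intent["srx"]
    if srx is None:
        return False      # VLAN only: nothing is configured beyond Layer 2
    peer = ipaddress.ip_address(peer_ip)
    for r in srx["permits"]:
        if (r.direction == direction and r.proto == proto
                and r.port in (None, port)
                and peer in ipaddress.ip_network(r.peer_cidr)):
            return True
    return srx["default"] == "allow"


# Constructed sample networks, one per use case on this page.
FINANCE = plan(True, "deny", 101, "10.1.1.0/24",
               [Rule("ingress", "tcp", 443, "10.9.0.0/16")])
MARKETING = plan(True, "allow", 102, "10.1.2.0/24", [])
ENGINEERING = plan(False, "deny", 103, "10.1.3.0/24", [])
```

When reviewing a deployment, the case to check is the Finance one: anything the tenant did not explicitly permit, including the reverse direction of a permitted flow, should fall through to the default Deny.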

 

Conclusion

Juniper’s MetaFabric plugin is a key enabler in mapping the tenant’s virtual networking requirements onto the physical network. With the continued adoption of switching fabrics, high-performance routers and intelligent security solutions, Cloud Builders will need automation supported by Juniper Networks’ CloudStack Plugin for MetaFabric.