[Note: This is part 3 of a 3-part blog post on Nuage Networks release 4.0. Part 1 | Part 2]
In this final installment of our blog series on Nuage Networks release 4.0 enhancements, we look at the data center and cloud SDN features.
Data Center SDN Enhancements in Release 4.0
Nuage Networks is a pioneer in DC SDN, having delivered one of the first DC network automation solutions back in 2012. Since then the Nuage Networks DC SDN product (called VCS, or Virtual Cloud Services) has grown in features and functions as well as in customer adoption. A carrier-grade, routing-based SDN controller, combined with the widest support for endpoint types (VMs, containers, bare metal, public cloud) and cloud management systems (OpenStack, CloudStack, VMware, Kubernetes, Mesos, etc.), has made Nuage a leader in the DC SDN space.
Nuage for Policy-Based Container Networking
While virtual machine (VM) technology has matured greatly over the last decade, a lightweight virtualization approach based on containers is rapidly increasing in popularity. Containers promise to accelerate application deployment cycles and increase cloud agility in fundamental ways.
Containers allow applications to be isolated from each other using operating system-level virtualization features such as Linux control groups (resource control) and namespaces (resource isolation). Since containers run atop the same operating system kernel they require fewer resources than VMs: fewer CPU cycles and less memory, and container images are much smaller than VM images. Because they share the host kernel and do not need to boot an operating system, containers can be launched very quickly. The smaller footprint of containers also means many more application instances can be run on a host compared to VMs (which in turn can raise network bandwidth requirements). The flip side of sharing the host kernel is that the isolation boundary is the kernel itself rather than a hypervisor, so network policy enforced outside the container, on the host, is an important part of keeping container workloads separated.
While LXC containers have been around for a while, Docker has popularized containers by making it easier to create, ship and run them. Nuage Networks has created a plug-in for Docker container networking, which runs on every Docker host. Each Docker host, whether bare metal or virtual, also has the Nuage Networks VSP's Virtual Routing and Switching (VRS) component installed on it. VRS is a software agent based on Open vSwitch (OVS); it is responsible for forwarding traffic from the containers, performing the VXLAN encapsulation of layer-2 packets, and enforcing security policies. When creating a Docker container, the user can specify which Zone or Policy Group it belongs to. All endpoints in a given Zone or Policy Group adhere to the same set of security policies.
The Nuage Networks Docker plug-in also works with the Mesos cluster manager when using the Docker Containerizer for managing Docker containers.
The Docker plug-in first creates a virtual Ethernet (veth) interface pair to connect the Docker container to the VRS: one end of the pair is moved into the container's network namespace, the other is attached to the VRS on the host. The Docker plug-in then passes the network and policy information to the VRS, which uses it to resolve the IP address and policies of the container. The VRS then configures the IP address in the container's namespace and also the policies associated with the container's port. Because the policies are applied on the host side of the veth pair, the container itself cannot alter or bypass them. Every container gets its own IP address, making it a first-class citizen in VCS.
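To make the veth and namespace plumbing described above concrete, here is an added example of the host-side steps a Docker network plug-in performs to attach a container to an OVS-based virtual switch. It is not the Nuage plug-in's code and does not talk to the VSC/VSD; the bridge name alubr0, the vport identifier, and the external-id key names are assumptions standing in for whatever the real VRS uses to resolve a port's zone and policy group. It needs root, iproute2, util-linux (nsenter) and openvswitch to run for real; with DRY_RUN=1 it prints the commands instead.

```shell
#!/bin/sh
# Added example (not Nuage's plug-in): attach a running container to an
# OVS-based vswitch the way a Docker network plug-in does. The container is
# identified by its PID so we can enter its network namespace with nsenter.
# Assumed/hypothetical: bridge "alubr0" and the external-ids key names.
set -u
BRIDGE="${BRIDGE:-alubr0}"

# run CMD... : execute, or just print when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# detach_container HOST_IF : remove the port from the bridge and delete the
# veth pair. Deleting the host end also removes the peer inside the container.
detach_container() {
    host_if="$1"
    run ovs-vsctl --if-exists del-port "$BRIDGE" "$host_if"
    run ip link del "$host_if" 2>/dev/null || true
}

# attach_container PID IFNAME IP/PREFIX GATEWAY VPORT_ID
# IP and gateway come from the controller's resolution, never from the
# container: the container side only sees an already-configured interface.
attach_container() {
    pid="$1"; ifname="$2"; ipcidr="$3"; gw="$4"; vport="$5"
    host_if="veth${pid}h"; cont_if="veth${pid}c"

    run ip link add "$host_if" type veth peer name "$cont_if" || return 1
    # Every later step rolls back on failure so a half-plumbed port is never
    # left on the bridge without its policy metadata.
    {
        # Move the container end into the container's network namespace and
        # give it the name the application expects (e.g. eth0).
        run ip link set "$cont_if" netns "$pid" &&
        run nsenter -t "$pid" -n ip link set "$cont_if" name "$ifname" &&
        run nsenter -t "$pid" -n ip addr add "$ipcidr" dev "$ifname" &&
        run nsenter -t "$pid" -n ip link set "$ifname" up &&
        run nsenter -t "$pid" -n ip route add default via "$gw" &&
        # The host end is the enforcement point: it joins the bridge tagged
        # with the identity the vswitch uses to look up zone/policy group.
        run ip link set "$host_if" up &&
        run ovs-vsctl add-port "$BRIDGE" "$host_if" -- \
            set Interface "$host_if" \
            external-ids:vm-uuid="$vport" \
            external-ids:ip="$ipcidr"
    } || { detach_container "$host_if"; return 1; }
}
```

On a real host you would call it as `attach_container "$(docker inspect -f '{{.State.Pid}}' mycontainer)" eth0 10.20.1.5/24 10.20.1.1 <vport-id>` after starting the container with `--net=none`. The point of the ordering is that the container-side interface is fully configured before the host end is ever connected to the bridge, and the rollback path (detach_container) mirrors the plug-in's delete lifecycle event.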
Advanced Networking for Kubernetes and Red Hat’s OpenShift Container Platform
Kubernetes was developed by Google and contributed to the open source community in order to allow applications to be deployed across large pools of resources. Kubernetes introduced the concept of a Pod, a group of related containers that all run on the same host and share a network namespace. Each pod gets its own IP address and can communicate with other pods, while containers within a pod communicate using localhost networking. Kubernetes also exposes a network plug-in interface through which more sophisticated networking and SDN services can be integrated into the cloud environment.
Red Hat’s OpenShift Container Platform is based on Kubernetes and Docker. It adds developer and operational centric tools to enable application development, application deployment and lifecycle management. OpenShift relies on Kubernetes to launch container pods and configure the localhost networking between containers.
Nuage Networks VCS now supports Docker-based applications running on Kubernetes and OpenShift, to accelerate the provisioning of virtual networks between pods, and to extend network service policies across the entire cloud environment.
VCS is integrated into the Kubernetes application workflow, so that Kubernetes events trigger actions in the Nuage Networks system, similar to the way VM orchestrator events trigger virtual network configuration between virtual machines. VCS provides a Master plug-in running on the Kubernetes/OpenShift master, which connects Kubernetes/OpenShift to the two main VCS controller components: the Virtualized Services Controller (VSC) and the Virtualized Services Directory (VSD). VSC and VSD maintain the higher-level network and security policies and configure the relevant network devices and virtual networks to automate the required connectivity.
VCS provides a Network plug-in running on the Kubernetes/OpenShift nodes that is invoked during pod lifecycle events, such as creation and destruction. The VCS plug-ins on the Kubernetes/OpenShift nodes and the Kubernetes/OpenShift master communicate the policy configurations and lifecycle events between the VCS controllers as well as the local VCS virtual switch (VRS), as needed (see figure below).
We have also created Ansible playbooks for automated installation of the Nuage plug-ins for OpenShift. These playbooks are available in the OpenShift Ansible repos. Playbooks for the Kubernetes project will be available soon. Installation instructions and other artifacts of our Kubernetes integration are available on GitHub.
As part of Network Field Day 12 in August we also did a presentation of our Kubernetes integration including a demo to set up policies for Kubernetes applications. Links to slides and video of that demonstration are below.
Support for Microsoft Cloud Ecosystem
On the heels of providing SDN policy-based support for Docker container workloads, Nuage Networks is also releasing support for VM-based applications running on the Microsoft Hyper-V 2012 R2 hypervisor. Microsoft Hyper-V is the last major hypervisor platform to be added to the Nuage Networks portfolio. It gives customers the flexibility to run multiple virtualization platforms across their cloud environment, as well as multiple cloud orchestration tools such as Microsoft System Center Virtual Machine Manager or OpenStack. This lets customers avoid vendor lock-in at every layer of the cloud stack and leaves them free to adopt emerging technology without transitioning platforms.
In the Microsoft-enabled cloud environment, VRS is provided as a forwarding extension of the Hyper-V virtual switch built into the hypervisor. The VRS extension is based on the Open vSwitch port for Hyper-V 2012 R2, which allows for tight integration with the hypervisor and good performance. By reusing Open vSwitch we offer users a uniform operational experience across different environments. Policies are downloaded to VRS from the Nuage Networks SDN controller and applied to the local vPorts, as on other hypervisors.
VRS tracks VM events through a helper service, NuageSvc, that watches the Hyper-V hypervisor. NuageSvc then triggers the configuration of policies on the VRS. As on all other platforms, Nuage Networks uses VXLAN as the overlay encapsulation protocol, for maximum compatibility with all other workloads and cloud infrastructure, even though Microsoft platforms also support another overlay protocol, NVGRE.
Phase 1 of our Microsoft Hyper-V support covers running the OpenStack cloud management system with Hyper-V 2012 R2 compute nodes. OpenStack continues to be a leading open platform for cloud management in multi-platform and multi-hypervisor environments, and we are seeing significant traction for this integration in our multi-hypervisor customer environments. Within OpenStack, a request for a new virtual machine triggers the VM creation as well as the NuageSvc events that configure VRS with the appropriate SDN policies. In 2017, Nuage Networks will provide tighter integration with Microsoft System Center Virtual Machine Manager (SCVMM) as well as the Azure Stack cloud management system for private cloud deployments.
Nuage Policy Automation for Bare Metal End Points (Without Gateways)
Nuage Networks is also increasing options and flexibility for non-virtualized bare metal applications with the industry's first virtual switch running directly on the bare metal server. Traditionally, to support bare metal applications, the VXLAN tunnel endpoint (VTEP) had to terminate in a top-of-rack switch that supported VXLAN encapsulation. This could require new hardware to be installed when adding SDN and, depending on the vendor implementation chosen, might not support all the Nuage Networks SDN policy features.
In release 4.0, Nuage has introduced a new instance of the virtual switch that runs directly on non-virtualized bare metal server endpoints. By moving VXLAN encapsulation and decapsulation onto the server itself, no specialized physical top-of-rack switch is required and there is no need for rewiring or reracking. Customers can apply the full Nuage Networks policy model consistently across all their workloads. The virtual switch running on bare metal is still an implementation of VRS, based on Open vSwitch. Native applications are unaware of the local encapsulation taking place and do not need to be modified to support the SDN capabilities. The bare metal VRS is available today for major Linux distributions (Red Hat Enterprise Linux and CentOS).
Additional Scalability and Performance Enhancements
Finally, Nuage Networks is announcing additional IPv6 support, with the ability to run dual-stack IPv4 and IPv6 overlays. IPv6 support is being introduced in phases for both the DC SDN and the SD-WAN product lines.
In addition, we have improved networking statistics collection with a new back-end storage architecture. The new architecture makes the statistics collection and monitoring engine simpler and more flexible to deploy, and we are seeing up to a 10x improvement in read (search) latency. The model also enables enhanced visualization capabilities, including do-it-yourself charts and reports for customers. It is based on widely adopted open source software.
In release 4.0, we have also improved and streamlined service chaining for NFV applications by introducing the concept of domain linking, which allows VRF-based modeling and stitching of service chains. It also offers sticky (flow-affine) load balancing across multiple links in a service chain.
With 4.0, we have continued to provide best-in-class SDN integration for OpenStack. Support for the OpenStack Mitaka release and for the VPNaaS and FWaaS constructs is among the many OpenStack-related additions in this release.
Related: Why PaddyPower Betfair Chose Nuage Networks and OpenStack for DevOps Environment (YouTube, 40 min video).
The next step in server virtualization: How containers are changing the cloud application landscape (PDF).
Hear Nuage Networks Founder and CEO, Sunil Khandekar, speak at Dockercon16 on removing networking constraints for application development here.
Download The New Stack’s e-book on Docker container networking and security (sponsored by Nuage Networks) here.
Listen to The New Stack’s podcast with Nuage Networks about Networking and Security for Containers here.
Networking Field Day 12 Slides – Networking and Policies for Kubernetes
NFD 12 – Kubernetes and Docker container integration: https://www.youtube.com/watch?v=-FV5K3TRXkg
NFD 12 – Docker and Kubernetes integration demo: https://www.youtube.com/watch?v=i2Fc0xa7NlY
Policy-Based Networking and Security for Red Hat OpenShift Solution Brief