This is a live blog from ApacheCon that I'm attending this week. This session is with Chiradeep Vittal.
Usual Live Blog Disclaimer: This is more of a brain dump typing as fast as I can, please excuse typos, format, and coherent thought process in general.
- Introduction is about how Amazon built a cloud (see his previous session for this part)
- SDN definition - separation of the control plane from the hardware that performs the forwarding - also centralized control
- Central control eases configuration, troubleshooting, and maintenance over time
- Eliminates the tedious "log into every box" idea of network maintenance; you log into the controller instead
- Is OpenFlow SDN? - NO, it is a protocol for the control plane to talk to the forwarding elements
- Control is on the "top" and forwarding is on the "bottom"
- Flexibility example: a different route based on direction. With Box A and Box B, the flow from A to B can differ from the flow from B to A if needed
- IaaS and SDN go hand in hand - Agility, API configuration, Scalability, Elasticity (all the ity's!)
- SDN enables virtual networking - the illusion of isolated networks on a physical wire
- SDN does have issues - discovering the virtual address -> physical address mapping, for instance
- He is now going over a multi-tenant topology example:
- CloudStack model - map virtual networks to the physical network - define and provision networks and manage elasticity and scale
- CloudStack Network Model is very robust (see pic, too much to type, things in box tend to be SDN functions)
- How do we put this together?
- CloudStack Service Catalog - Cloud users don't see the "guts" of the configuration, the cloud admin or operator designs the service catalog and presents this to the users
- example - Gold Network - LB + FW + VPN using virtual appliances
- Platinum - LB + FW + VPN but using hardware devices
- Now going over topology examples of the Gold and Platinum offerings (Platinum uses a Juniper firewall and a NetScaler to load balance)
- In both examples the user has no idea whether they are on the Gold or Platinum network
- Multi-tier virtual networking - can define application tiers and isolate them based on need, as well as who is connected where
- Orchestration - he went through the multi-tier example and demonstrated all the steps that would have to be done manually (too many to list); this will all be done through orchestration
- CloudStack Orchestration Architecture (see picture) - plugin Framework allows this to happen
- SDN works with CloudStack through the plugin model: the SDN controller talks to the plugin. Today there is integration with Nicira NVP, BigSwitch, Midokura, and CloudStack Native (requires XenServer)
- CloudStack Native Controller uses GRE and talks to Open vSwitch on the XenServer
- All isolation happens through the concept of a tenant key over the GRE tunnels. Each tenant has a unique key
- What makes the CloudStack controller different?
- It is purpose built for IaaS and is not a general purpose SDN solution
- Proactive model - deny all flows except the ones programmed via the end-user API; other controllers send unknown flows to the central controller and may have problems at scale
- Use the CloudStack virtual router to provide L3-L7 services (mainly because most hardware doesn't understand GRE today)
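To make the three design points above concrete (direction-specific flows between Box A and Box B, tenant isolation by a unique key over the tunnels, and the proactive deny-all model versus punting unknown flows to a controller), here is a small simulation. It is an added example, not CloudStack or Open vSwitch code: the `tenant_key` field stands in for the GRE key, the `"controller"` action stands in for a reactive controller punt, and all packets, ports and rules are constructed for illustration.

```python
"""Toy model of a proactive, tenant-keyed flow table (added example, not
CloudStack or Open vSwitch code). 'tenant_key' stands in for the GRE key
that isolates tenants on the wire; the "controller" action stands in for
handing an unmatched packet to a central controller, as a reactive design
would. All packets and rules below are constructed."""
from dataclasses import dataclass, field
from typing import Dict, Tuple


@dataclass(frozen=True)
class Packet:
    tenant_key: int   # GRE key: the only thing separating tenant 100 from tenant 200
    src: str          # virtual address of the sender (may overlap across tenants)
    dst: str          # virtual address of the receiver


@dataclass
class FlowTable:
    """One forwarding element. Rules are keyed on (tenant, src, dst), so the
    A->B and B->A directions are programmed independently."""
    proactive: bool = True
    rules: Dict[Tuple[int, str, str], int] = field(default_factory=dict)
    punted: int = 0   # packets handed to the central controller (reactive mode only)

    def program(self, tenant_key: int, src: str, dst: str, out_port: int) -> None:
        """Called by the orchestration layer when the end-user API defines a path."""
        self.rules[(tenant_key, src, dst)] = out_port

    def forward(self, pkt: Packet) -> str:
        out_port = self.rules.get((pkt.tenant_key, pkt.src, pkt.dst))
        if out_port is not None:
            return f"output:{out_port}"
        if self.proactive:
            return "drop"          # deny-all default: nothing unprogrammed leaves the box
        self.punted += 1           # reactive default: ask the controller, costly at scale
        return "controller"


def build_gold_tenant_table(proactive: bool = True) -> FlowTable:
    """Constructed scenario: tenant 100 owns boxes A and B and wants the
    return path to differ from the forward path."""
    table = FlowTable(proactive=proactive)
    table.program(100, "A", "B", out_port=2)   # A->B leaves on port 2
    table.program(100, "B", "A", out_port=3)   # B->A takes a different path, port 3
    return table


def run_sample_traffic(table: FlowTable) -> Dict[str, str]:
    """Send a few constructed packets. Tenant 200 reuses the same virtual
    addresses as tenant 100 and must never reach tenant 100's ports."""
    samples = {
        "t100 A->B": Packet(100, "A", "B"),
        "t100 B->A": Packet(100, "B", "A"),
        "t200 A->B": Packet(200, "A", "B"),   # same addresses, different tenant key
        "t100 A->C": Packet(100, "A", "C"),   # never programmed through the API
    }
    return {name: table.forward(pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, action in run_sample_traffic(build_gold_tenant_table()).items():
        print(f"{name:10} -> {action}")
```

Running it shows the two directions of tenant 100's traffic leaving on different ports, while tenant 200's packet with identical addresses and the unprogrammed A->C flow are dropped. Building the same table with `proactive=False` turns those two drops into controller punts, which is the per-flow controller load the talk warns about at scale.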