Home > Blogs > OpenStack Blog for VMware

OpenStack Summit Barcelona 2016 Session Recap

Watch below to experience VMware’s Speaker Sessions at this year’s OpenStack Summit in Barcelona!


Rakuten and VMware: How We Got to Enterprise Grade, Production Ready OpenStack
Speaker: Chris Murray

“Our story on how we achieved our OpenStack production private cloud using VMware Integrated OpenStack, NSX, vRealize Log Insight and Operations. Supporting yesterday’s legacy ‘pet’ applications all enterprises have and todays cloud ready ‘cattle’. We share the path we took and explain the decisions we made along the way. We also look forward at what we have planned next.”


Integrated OpenStack with NSX Policy Redirection for NFV: Technical Deep Dive & Demo
Speakers: Vanessa Little, Marcos Hernandez

“Join us for a lecture on how to build efficient service chains with intelligent policy based routing in VMware Integrated Openstack with NSX. With version 2.5 of VMware Integrated OpenStack (VIO), VMware introduced the ability to integrate VMware NSX. With that integration and the NSX-V version of VMware NSX you can now take advantage of NSX-integrated security solutions which can layer in L4-L7 advanced security controls. VMware NSX and Fortinet FortiGate-VMX are closely integrated with the direct purpose of introducing L4-L7 advanced security controls for the VMware Software-Defined Data Center (SDDC). Automated deployment/orchestration, dynamic grouping, policy and policy re-direction enables granular security controls for your mission critical applications. Please join Fortinet experts for an in depth discussion of examples, implementation and use-cases on how to utilize this integrated security solution with your VMware NSX and Integrated OpenStack (VIO) environments.”


Production-Ready Clouds with VMware NSX Networking and OpenStack
Speaker: Dimitri Dismdt

“Do you have challenges with Neutron (reliability, performance, operation, flexibility)? Learn how VMware NSX delivers stable production ready networking for you OpenStack environment. VMware NSX works with and enhances Neutron form key OpenStack distributions like VMware Integrated OpenStack and more.

VMware NSX improves and enhances Neutron:

  • on the reliability side with stable and high-availability network and security services
  • on the performance side with distributed routing, DPDK support, and distributed control plane
  • on the flexibility with BGP dynamic routing support
  • on the operation side, with built-in advanced management and troubleshooting tools

Attendees will leave this session with a firm picture of existing solutions for networking VMware backends, their common features and differences.”

 


OpenStack + VMware : Deploy, Upgrade & Operate Powerful Production OpenStack Cloud in Minutes!
Speakers: Mark Voelker

“VMware has been working rigorously to address some of the most difficult challenges of OpenStack such as installation, upgrade, patching…We have solved almost all operational challenges of OpenStack. In this session, you will learn how you can build a powerful OpenStack cloud in matter of minutes and then operate the cloud with same simplicity. Even the most daunting challenge of OpenStack upgrade has been elegantly solved using blue-green paradigm, so that you can not only upgrade but also cleanly roll back at any point during upgrade. Come join us for an insightful session on how you can build and operate OpenStack private cloud in matter of minutes!”


Sharing our Success and Vision for OpenStack Private Clouds
Speakers: Pete Cruz, Santosh Suderman

“VMware and OpenStack have come a long way together. We started with the mission that “VMware products should be one of the best ways to running OpenStack private cloud”. We are happy to share our success with that mission. We will share our customer success stories, and highlight community contributions from everyone that made some of the most powerful OpenStack private cloud a reality. We will also share our vision for OpenStack + VMware as we look towards 2017 and beyond. Come join us to share our strategy, vision and be excited to build OpenStack clouds leveraging your VMware investments.”

https://www.youtube.com/watch?time_continue=1&v=R3Gn-eZxdLE

 

If you’re ready to deploy OpenStack today, download it now and get started, or  try our VMware Integrated OpenStack Hands-On-Lab, no installation required.

How To Efficiently Derive Value From VMware Integrated OpenStack

One of our recent posts on this blog covered how VMware Integrated Openstack (VIO) can be deployed in less than 15 minutes thanks to an easy and friendly wizard-driven deployment.

That post has also mentioned that recent updates have been added to VIO that focus on its ease of use and consumption, including the integration with your existing vSphere environment.

 

This article will explore in greater detail the latter topic and will focus on two features that are designed to help customers start deriving value from VIO quickly.


vSphere Templates as OpenStack Images

 

An OpenStack cloud without any image is like a physical server without an operating system – not so useful!

 

One of the first elements you want to seed your cloud with is images so users/developers can start building applications. In a private cloud environment, cloud admins will want to expose a list of standard OS (Operating System, not OpenStack…) images to be used to that end, in other words OS master images.

 

When VIO is deployed on top of an existing vSphere environment, these OS master images are generally already present in the virtualization layer as vSphere templates and a great deal of engineering hours have gone into creating and configuring those images to reflect the very own needs of a given corporate organization in terms of security, compliance or regulatory requirements – OS hardening, customization, agents installation, etc…

 

What if you were able to reuse those vSphere templates and turn them into OpenStack images and hence preserve all of your master OS configurations across all of your cloud deployments?

VIO supports this capability out of the box (see diagram below) and enables users to leverage their existing vSphere templates by adding them to their OpenStack deployment as Glance images, which can then be booted as OpenStack instances or used to create bootable Cinder volumes.

 

The beauty of this feature is that it is done without copying the template into the Glance data-store. The media only exists in one place (the original data-store where the template is stored) and we will actually create a “pointer” from the OpenStack image object towards the vSphere template thus saving us from the tedious and possibly lengthy process of copying media from one location to another (OS images tend to be pretty large in corporate environments).

 

This feature is available through the glance CLI only and here are the high-level steps that need to be performed to create an image:

– First: create an OpenStack image

– Second: note that image ID and specify a location pointing towards the vSphere template

– Third: in the images section of the Horizon dashboard for example, a new image will show up called “corporate-windows-2012-r2” from which instances can be launched.

Note: cloud admins will have to make sure those OS images have the cloud-init package installed on them before they can be fully used in the OpenStack environment. If cloud-init needs to be installed, this can be done either pre- or post- the import process into Glance.

Run the video below for a detailed tutorial on the configuration steps, including CLI commands:

Finally, here’s the section in the official configuration guide: http://tinyurl.com/hx4z4jt


Importing vSphere VMs into OpenStack

 

A frequent request from customers deploying VIO on their existing vSphere implementation is “Can I import my existing VMs into my OpenStack environment?”

 

The business rationale for this request is that IT wants to be consistent and offer a similar level of service and user experience to both the new applications deployed through the OpenStack framework as well as the existing workloads currently running under a vSphere management plane “only”. They basically want users in charge of existing applications to enjoy capabilities such as self-service, lifecycle management, automation, etc…and hence avoid creating a two-tier IT offering.

 

VIO supports this capability by allowing users to quickly import vSphere VMs into VIO and start managing them as instances through standard OpenStack APIs. This feature is also available through CLI only and leverages the newly released VMware DCLI toolset.

 

Here are the high-level steps for importing an existing VM under OpenStack:

– First, list the “Unmanaged” VMs in vCenter (ie unmanaged by VIO)

– Import one of those VMs into a specific project/tenant in OpenStack

– The system will then generate a UUID for the newly created instance and the instance will show up in Horizon where it can be managed like any other running one.

 

 

We hope you enjoyed reading this article and that those features will make you want to go ahead and discover VIO!

If you’re ready to deploy OpenStack today, download it now and get started, or dare your IT team to try our VMware Integrated OpenStack Hands-On-Lab, no installation required.


This article was written by Hassan Hamade a Cloud Solution Architect at VMware in the EMEA SDDC technology practice team. 

16 Partners, One Live Demo – OpenStack Barcelona Interop Challenge

 

During Wednesday morning’s keynote session at the OpenStack Summit in Barcelona, I will be on stage along with several other vendors to show off some of our latest work on interoperability between OpenStack clouds.  We will be demonstrating a single workload running successfully on over a dozen different vendors’ OpenStack products without modification, including VMware Integrated OpenStack 3.0.  The idea got started back in April at the last OpenStack Summit when our friends at IBM challenged vendors to demonstrate that their products were interoperable publicly.


VMware has long been a proponent of fostering interoperability between OpenStack clouds.  I currently co-chair the Interop Working Group (formerly known as the DefCore Committee), and VMware Integrated OpenStack 3.0 is an approved OpenStack-Powered product that is compliant with the 2016.08 interoperability guideline, the newest and strictest guideline approved by the OpenStack Foundation Board of Directors.  We also helped produce the Interop Working Group’s first ever report on interoperability issues.  So why do we care about interoperability?  Shouldn’t everything built on OpenStack behave the same anyhow?  Well, to quote the previously mentioned report on interoperability issues:

 

“OpenStack is tremendously flexible, feature-rich, powerful software that can be used to create clouds that fit a wide variety of use cases including software development, web services and e-commerce, network functions virtualization (NFV), video processing, and content delivery to name a few. Commercial offerings built on OpenStack are available as public clouds, installable software distributions, managed private clouds, appliances, and services. OpenStack can be deployed on thousands of combinations of underpinning storage, network, and compute hardware and software. Because of the incredible amount of flexibility OpenStack offers and the constraints of the many use cases it can address, interoperability between OpenStack clouds is not always assured: due to various choices deployers make, different clouds may have some inconsistent behaviors.  One of the goals of the [Interop Working Group]’s work is to create high interoperability standards so that end users of clouds can expect certain behaviors to be consistent between different OpenStack-Powered Clouds and products.”

 

Think of it this way: another amazingly flexible, powerful thing we use daily is electricity.  Electricity is pretty much the same stuff no matter who supplies it to you or what you are using it for, but the way you consume it might be different for different use cases.  The outlet I plug my laptop into at home is a different shape and supplies a different voltage than the one my electric oven is connected into since the oven needs a lot more juice to bake my cookies than my laptop does to type up a blog post.  My home’s air conditioner does not even have a plug: it is wired directly into the house’s circuit breaker.  I consume most of my electricity as a service provided by my power company, but I can also generate some of my power with solar panels I own myself as long as their outputs can are connected to my power grid.  Moreover, to power up my laptop here in Barcelona, I brought along a plug adapter since Europe has some differences in their power grid based on their set of standards and requirements.  However, even though there are some differences, there are many commonalities: electricity is delivered over metal wiring, terminated at some wall socket, most of the world uses one of a few different voltage ranges, and you pay for it based on consumption.  OpenStack is similar: An OpenStack deployment built for NFV workloads might have some different characteristics and interfaces exposed than one made as a public compute cloud.

 

What makes the Interop Challenge interesting is that it is complimentary to the work of the Interop Working Group in that it looks at interoperability in a slightly different light.  To date, the Interop Working Group has mostly focused its efforts on API-level interoperability.  It does so by ensuring that products bearing the OpenStack-Powered mark, pass a set of community-maintained Tempest tests to prove that they expose a set of capabilities (things like booting up a VM with the Nova v2 API or getting a list of available images using the Glance v2 API).  Products bearing the OpenStack-Powered logo are also required to use designated sections of upstream code, so consumers know they are getting community-developed code driving those capabilities.  While the Interop Working Group’s guidelines look primarily at the server side of things, the Interop Challenge seems to address a slightly different aspect of interoperability: workload portability.  Rather than testing a particular set of API’s, the Interop Challenge took a client-side approach by running a real workload against different clouds—in this case, a LAMP stack application with a load-balanced web server tier and a database backend tier, all deployed via Ansible.  The idea was to take a typical application with commonly-used deployment tools and prove that it “just works” across several different OpenStack clouds.

 

In other words, the guidelines produced by the Interop Working Group assure you that certain capabilities are available to end users (just as I can be reasonably confident that any hotel room I walk into will have a socket in the wall from which I can get electricity).  The Interop Challenge compliments that by looking at a more valid use case: it verifies that I can plug in my laptop and get some work done.

 

Along the way, participants also hoped to begin defining some best practices for making workloads more portable among OpenStack clouds to account for some of the differences that are a natural side effect of OpenStack’s flexibility.  For example, we found that the LAMP stack workload was more portable if we let the user specify certain attributes of the cloud he intended to use – such as the name of network the instances should be attached to, the image and flavor that should be used to boot up instances, and block device or network interface names that would be utilized by that image.   Even though we will only be showing one particular workload on stage, that one workload serves as a starting point to help flesh out more best practices in the future.

 

If you want to learn more about VMware’s work on interoperability or about VMware Integrated OpenStack, see us at the keynote or stop by our booth at the OpenStack, and if you’re ready to deploy OpenStack today, download it now and get started, or dare your IT team to try our VMware Integrated OpenStack Hands-On-Lab, no installation required.


*This article was written by Mark Voelker – OpenStack Architect at VMware

VMware Integrated OpenStack (VIO) and NSX – Free webinar

On November 2nd, at 9 am PST/12 pm EST I will be hosting a free webinar, as part of our Getting More Out Of series, focused on OpenStack Integration with VMware NSX. We will also cover how easy it is to deploy VMware’s OpenStack distribution, VIO, and the Day-2 operational tools in the VMWare SDDC portfolio that make it possible for Cloud admins to properly monitor and optimize their OpenStack deployments.

As I mentioned in my 3-part blog series on Neutron-NSX integration, as more features are added to OpenStack (especially to Neutron), its architecture becomes more complex (a universal perception amongst OpenStack users). NSX mitigates these issues and provides a scalable and robust platform that incorporates Enterprise-grade network services into your OpenStack architecture.

Come and learn more about the benefits and participate in this unapologetically technical webinar, with live Q&A with our expert panel.

 

REGISTER NOW!

screenshot1

Also, don’t forget to visit us at the OpenStack Summit in Barcelona, where we will be talking about this and many other relevant topics.

¡Nos vemos en España!

Marcos

Tired of Waiting? Deploy OpenStack in 15 Minutes or Less

Watch this video to learn how to deploy OpenStack in Compact Management Mode in under 15 minutes


If you’re ready to try VIO, take it for a spin with the Hands on Labs that illustrates a step-by-step walkthrough of how to deploy OpenStack in Compact Management Mode in under fifteen minutes.

Deploying OpenStack challenges even the most seasoned, skilled IT organizations. With integrations, configurations, testing, re-testing, stress testing and more. For many, deploying OpenStack appears as an IT ‘Science Project’, wherein the light at the end of the tunnel dims with each passing month.

VMware Integrated OpenStack takes a different approach, reducing the redundancies and confusion of deploying OpenStack with the new Compact Management Control Pane. In the Compact Mode UI, wait minutes, not months. Enterprises seeking to evaluate OpenStack or those that are ready to build OpenStack clouds in the most cost efficient manner now have the ability to deploy in as little as 15 minutes quickly.

 

The architecture for VMware Integrated OpenStack is optimized to support compact architecture mode, reducing the need for support, overall resource costs, and the operational complexity keeping an enterprise from completing their OpenStack adoption.

The most recent update to VMware Integrated OpenStack focuses on the ease of use and the immense benefit to administrators – access and integration to the VMware ecosystem. The seamless integration of the family of VMware products allows the administrators to leverage their current VMware products to enhance their OpenStack, in combination with the ability to manage workloads through developer friendly OpenStack APIs.

The most recent update to VMware Integrated OpenStack focuses on the ease of use and the immense benefit to administrators – access and integration to the VMware ecosystem. The seamless integration of the family of VMware products allows the administrators to leverage their current VMware products to enhance their OpenStack, in combination with the ability to manage workloads through developer friendly OpenStack APIs.


If you’re ready to deploy OpenStack today, download it now and get started, or dare your IT team to try our VMware Integrated OpenStack Hands-On-Lab, no installation required.


You’ll be surprised what you can accomplish in 15 minutes

Advanced Security Services with Neutron, NSX and Palo Alto Next Generation Firewall

Building on the concepts and implementation that I have been working on for the past few weeks around service chaining in Neutron, this post will now focus on how to onboard the Palo Alto Next Generation Firewall platform onto OpenStack.

Palo Alto Networks has one of the most mature and robust integrations with VMware NSX and we also share many joint customers in production. Together, we have seen tremendous success in the market, and that success can now extend to those prospects wanting to do OpenStack, while augmenting their security strategy with the added visibility and protection that Palo Alto offers.

The basic tenets for this integration between Palo Alto Networks and VMware NSX, in the context of an OpenStack deployment, remain the same:

  • The Security/Firewall Team is in complete control of the security lifecycle of the tenant apps.
  • Although not mandatory, Provider Networks are preferred in this context over Tenant Networks.
  • Tenants use the OpenStack API to consume Compute and Storage Services, while Networking and Security remain under the control of the Cloud Admins or Central IT.
  • This model is relatively common in the Enterprise, but not common in the DevOps use case where Tenants control their own network and security workflows.

If the above prerequisites are met, one can safely implement the VMware NSX + Palo Alto integration and overlay OpenStack Neutron on top, offering a complete private Cloud deployment that incorporates advanced security controls for East-West traffic. VMware NetX is the glue holding everything together.

Here is the high level workflow:

  • Integrate VMware NSX and Palo Alto Networks following best practices and recommended software versions for NSX, Panorama and the PAN VM Series. The instructions to do this can be found here.
  • Deploy VMware Integrated OpenStack 3.0 (if it hasn’t been done already) or any OpenStack distribution compatible with the Mitaka release, using VMware vSphere and VMware NSX as the underlying infrastructure components.
  • Identify the Compute clusters that will host your OpenStack workloads and deploy Palo Alto network introspection to those clusters:

screenshot1

screenshot2

  • Ensure the Service VMs (local firewalls) are properly registered and licensed in Panorama:

screenshot3

  • Create an NSX Security Group with a classification criteria that meets your needs. In this example we are using the proverbial example based on VM Name (Name Contains Web in this case):

screenshot5

screenshot6

  • In Panorama, create a Dynamic Address Group for the OpenStack Instances, that corresponds to the NSX Security Group created in the previous step:

screenshot5-1

  • Then, in Panorama, create the Policy you want to apply to the redirected traffic:

screenshot6-8

  • Back on NSX, create a redirection policy, or Partner Security Rule, for the interesting traffic that will be subject to inspection (Network Introspection). In this example we are redirecting inbound HTTP/HTTPS traffic for additional security controls:

Note 1: You will also need to create DFW rules to allow the traffic that will be redirected, as these rules are applied prior to the redirection for outbound traffic (VM >> World) and are applied after redirection for inbound traffic (World >> VM). More details on how these flows move through the Hypervisor can be found on the NSX Design Guide.

Note 2: You may need to use the “ApplyTo” Field in NSX to limit the redirection policy to the specific VMs in question.

  • screenshot7Finally, you can use OpenStack Nova to boot Instances (VMs) that satisfy the membership criteria of the appropriate NSX Security Group. It is extremely important that you DO NOT attach a Neutron Security Group to these Instances. We are bypassing self-service security provisioning in OpenStack and delegating all security controls to the Firewall Team.

Note 3: If you are using Horizon (OpenStack GUI), you may need to detach the default Neutron Security Group after you launch your Instance(s).

screenshot7

Note 4: Another approach, not covered in this document, has to do with the manipulation of the policy.json file for Neutron, in order to restrict Security Group changes or additions by anyone other than the Admin. In this case, launching Instances without a Neutron Security Group attachment is not required, as the Neutron Security Group that is used would only be modified by said Admin.

  • Verify your configuration and security policies.

As we can see, the above approach safely integrates value-add security and visibility services into OpenStack today, and showcases the power of NSX as a platform for Private Cloud deployments based on OpenStack.

Follow these links for the previous two articles in our 3-part blog series:

Part 1: Next Generation Security Services in OpenStack

Part 2: Advanced Security Services in OpenStack and Fortinet

VMware and Palo Alto Networks will be discussing this and many other interesting topics at VMworld Europe 2016 in Barcelona, Spain. Don’t forget to swing by the Palo Alto Networks booth in the Solutions Exchange if you need more information.

Apples To Oranges: Why vSphere & VIO are Best Bests for OpenStack Adoption

OpenStack doesn’t mandate defaults for compute, network and storage, which frees you to select the best technology. For many VMware customers, the best choice will be vSphere to provide OpenStack Nova compute capabilities.

 

It is commonly asserted that KVM is the only hypervisor to use in an OpenStack deployment. Yet every significant commercial OpenStack distro supports vSphere. The reasons for this broad support are clear.

Costs for commercial KVM are comparable to vSphere. In addition, vSphere has tremendous added benefits: widely available and knowledgeable staff, vastly simplified operations, and proven lifecycle management that can keep up with OpenStack’s rapid release cadence.

 

Let’s talk first about cost. Traditional, commercial KVM has a yearly recurring support subscription price. Red Hat OpenStack Platform-Standard 2 sockets can be found online at $11,611/year making the 3 year cost around $34,833[i]. VMware vSphere with Operations Management Enterprise Plus (multiplied by 2 to match Red Hat’s socket pair pricing) for 3 years, plus the $200/CPU/year VMware Integrated OpenStack SnS is $14,863[ii]. Even when a customer uses vCloud Suite Advanced, costs are on par with Red Hat. (Red Hat has often compared prices using VMware’s vCloud Suite Enterprise license to exaggerate cost differences.)

 

 

When 451 Research[iii] compared distro costs based on a “basket” of total costs in 2015 they found that commercial distros had a cost that was close to regular virtualization. And if VMware Integrated OpenStack (VIO) is the point of comparison, the costs would likely be even closer. The net-net is that cost turns out not to be a significant differentiator when it comes to commercial KVM compared with vSphere. This brings us to the significant technical and operational benefits vSphere brings to an OpenStack deployment.

 

In the beginning, it was assumed that OpenStack apps would build in the resiliency that used to be assumed from a vSphere environment, thus allowing vSphere to be removed. As the OpenStack project has matured, capabilities such as VMware vMotion and DRS (Distributed Resource Scheduler) have risen in importance to end users. Regardless of the application the stability and reliability of the underlying infrastructure matters.

 

There are two sets of reasons to adopt OpenStack on vSphere.

 

First, you can use VIO to quickly (minutes or hours instead of days or weeks) build a production-grade, operational OpenStack environment with the IT staff you already have, leveraging the battle-tested infrastructure your staff already knows and relies on. No other distro uses a rigorously tested combination of best-in-class compute (vSphere Ent+ for Nova), network (NSX for Neutron), and storage (VSAN for Cinder).

 

Second, only VMware, a long-time (since 2012), active (consistently a top 10 code contributor) OpenStack community member provides BOTH the best underlying infrastructure components AND the ongoing automation and operational tools needed to successfully manage OpenStack in production.

 

In many cases, it all adds up to vSphere being the best choice for production OpenStack.

 


[i] http://www.kernelsoftware.com/products/catalog/red_hat.html
[ii] http://store.vmware.com/store/vmware/en_US/cat/ThemeID.2485600/categoryID.66071400
[iii] https://451research.com/images/Marketing/press_releases/CPI_PR_05.01.15_FINAL.pdf


This Article was written by Cameron Sturdevant,  Product Line Manager at VMware

Next Generation Security Services in OpenStack – Part 2

In a previous post, I described the high level steps a security admin would follow to onboard NetX redirection services onto an existing OpenStack deployment. If your OpenStack implementation is based on Mitaka and you are running VMware NSX, it is possible to launch instances with no Neutron Security Group association, which under normal circumstances would either blackhole all traffic or allow all traffic, depending on the way you configured the default section of the NSX Distributed Firewall. Prior to Mitaka, the same operation is possible by attaching the instance to a pre-existing Neutron port, but this post focuses on the Mitaka capabilities.

The example below assumes that the following conditions are met, which based on customer discussions, apply to a considerable amount of IT organizations looking at OpenStack:

  1. The security team has relinquished all security control from the Tenant.
  2. Tenants are not able to provision Neutron Security Groups or modify them (this is possible via policy.json manipulation, but outside of the scope of this article).
  3. All Firewall/security operations are owned by the security team.

The example below is based on Fortinet’s FortiGate-VMX Next Generation Firewall, a virtual firewall solution built from the ground-up that seamlessly integrates with VMware NSX vSphere.

Step 1: Integrate FortiGate-VMX with NSX vSphere

The instructions on how to do this can be found here. Once the solution is deployed and operational, you will see it under Service Definitions and in the NSX Service Deployments tab:

screenshot0

screenshot1

Step 2: Create an NSX Security Group and select a classification/membership criteria for the OpenStack VMs

Follow the standard process to create Security Groups in NSX. In this example, we created a Security Group called Virtual_DMZ and we are classifying VMs based on VM name which Contains the word Web:

screenshot2

It is important to notice that Security Groups created post-integration will appear on the FortiGate Services Management console, under Addresses and with the exact names defined in NSX. These Address Groups automatically capture the IP addresses of the corresponding VMs. Notice that OpenStack Security Groups are not populated in the Fortinet SVM:

screenshot3

This 2-way communication between the solutions makes it extremely convenient to keep naming conventions and visibility fully synchronized, leading to a consistent security policy.

Step 3: Create a Security Policy with the appropriate redirection rules and apply it to the NSX Security Group for the OpenStack VMs

An NSX Security Policy combines L3/L4 East-West firewall rules enforced by the NSX Firewall and Network Introspection Firewall rules controlled by Fortinet. In this example our redirection policy is redirecting everything to Fortinet’s VMX appliance. In a real life deployment you would see a combination of DFW rules and NGFW rules, where NSX handles the bulk of the traffic using in-kernel protection, while the partner solution would handle high-risk, “interesting” traffic to be inspected at L5-L7:

screenshot4

Step 4: Use the partner management console to manipulate your application-level security policies and deep traffic inspection

Fortinet’s SVM can be used to create and enforce rich security services for the redirected traffic (antivirus policy shown below):

screenshot5

Step 5: Launch the VIO/OpenStack instances without a Neutron Security Group

The OpenStack instances need to satisfy the membership criteria of the NSX Security Group (VM name contains “Web” in this example) and be launched with no Neutron Security Group attachments. This last step is crucial in maintaining the integrity of your security posture:

screenshot6

screenshot7

 

Step 6: Verify your security policy is working as expected

Take some time to confirm that the redirection rules are punting traffic correctly and that your deep traffic inspection is working as intended.

In a future post we will examine other partner solutions working in concert with NSX and VMware Integrated OpenStack.

Conclusion

The aforementioned approach combines the benefits of the OpenStack framework and its appealing API consumption model, with security services that provide more insight and visibility into the application traffic, using the advanced service integration in NSX. For all of this to work, the security team needs to own all controls of the application security policies, which is a very common Enterprise model.

For more information, you can watch a recorded version of this content (including a demo) co-presented with Fortinet at VMworld 2016 in Las Vegas.

Marcos Hernandez – CCIE #8283, VCIX, VCP-NV 

Twitter: @netvirt

 

Introducing Senlin – a new tool for speedy, load-balanced OpenStack clustering

 Senlin is a new OpenStack project that provides a generic clustering service for OpenStack clouds. It’s capable of managing homogeneous objects exposed by other OpenStack components, including Nova, Heat, or Cinder, making it of interest to anyone using, or thinking of using, VMware Integrated OpenStack.

VMware OpenStack architect Mark Voelker, along with VMware colleague Xinhui Li and Qiming Teng of IBM, offer a helpful introduction to Senlin in their 2016 OpenStack Summit session, now viewable here.

 

Voelker opens by reviewing the generic requirements for OpenStack clustering, which include simple manageability, expandability on demand, load-balancing, customizability to real-life use cases, and extensibility.

 

OpenStack already offers limited cluster management capabilities through Heat’s orchestration service, he notes. But Heat’s mission is to orchestrate composite cloud apps using a declarative template format through an OpenStack-native API. While functions like auto-scaling, high availability, and load balancing are complimentary to that mission, having those functions all in a single service isn’t ideal.

“We thought maybe we should think about cluster management as a first class service that everything else could tie into,” Volker recalls, which is where Senlin comes in.

 

Teng then describes Senlin’s origin, which started as an effort to build within Heat, but soon moved to offload Heat’s autoscaling capabilities into a separate project that expanded OpenStack autoscaling offerings more comprehensively, becoming OpenStack’s first dedicated clustering service.

 

Senlin is designed to be scalable, load-balanced, highly-available, and manageable, Teng explains, before outlining its server architecture and detailing the operations it supports. “Senlin can manage almost any object,” he says. “It can be another server, a Heat stack, a single volume or floating IP protocol, we don’t care. We wanted to just build a foundational service allowing you to manage any type of resource.”

To end the session, Li offers a demo of how Senlin creates a resilient, auto-scaling cluster with both high availability and load balancing in as little as five minutes.

 

If you want to learn more about clustering for OpenStack clouds created with VMware Integrated OpenStack (VIO) you can find expert assistance at our product homepage. Also check out our Hands-on Lab, or try VIO for yourself by downloading and installing VMware Integrated OpenStack direct.

Next Generation Security Services in OpenStack

OpenStack is quickly and steadily positioning itself as a great Infrastructure-as-a-Service solution for the Enterprise. Originally conceived for that proverbial DevOps Cloud use case (and as a private alternative to AWS), the OpenStack framework has evolved to add rich Compute, Network and Storage services to fit several enterprise use cases. This evolution can be evidenced by the following initiatives:

1) Higher number of commercial distributions are available today, in addition to Managed Services and/or DIY OpenStack.
2) Diverse and expanded application and OS support vs. just Cloud-Native apps (a.k.a “pets vs. cattle”).
3) Advanced network connectivity options (routable Neutron topologies, dynamic routing support, etc.).
4) More storage options from traditional Enterprise storage vendors.

This is definitely great news, but one area where OpenStack has lagged behind is security. As of today, the only robust option for application security offered in OpenStack are Neutron Security Groups. The basic idea is that OpenStack Tenants can be in control of their own firewall rules, which are then applied and enforced in the dataplane by technologies like Linux IP Tables, OVS conntrack or, as it is the case with NSX vSphere, a stateful and scalable Distributed Firewall with vNIC-level resolution operating on each and every ESXi hypervisor.

Neutron Security Groups were designed for intra and inter-tier L3/L4 protection within the same application environment (the so-called “East-West” traffic).

In addition to Neutron Security Groups, projects like Firewall-as-a-Service (FWaaS) are also trying to onboard next generation security services onto these OpenStack Clouds and there is an interesting roadmap taking form on the horizon. The future looks great, but while OpenStack gets there, what are the implementation alternatives available today? How can Cloud Architects combine the benefits of the OpenStack framework and its appealing API consumption model, with security services that provide more insight and visibility into the application traffic? In other words, how can OpenStack Cloud admins offer next generation security right now, beyond the basic IP/TCP/UDP inspection offered in Neutron?

The answer is: With VMware NSX.

NSX natively supports and embeds an in-kernel redirection technology called Network Extensibility, or NetX. Third party ecosystem vendors write solutions against this extensibility model, following a rigorous validation process, to deliver elegant and seamless integrations. Once the solution is implemented, the notion is simply beautiful: leverage the NSX policy language, the same language that made NSX into the de facto solution for micro-segmentation, to “punt” interesting traffic toward the partner solution in question. This makes it possible to have protocol-level visibility for East-West traffic. This approach also allows you to create a firewall rule-set that looks like your business and not like your network. Application attributes such as VM name, OS type or any arbitrary vCenter object can be used to define said policies, irrespective of location, IP address or network topology. Once the partner solution receives the traffic, then the security admins can apply deep traffic inspection, visibility and monitoring techniques to it.

screen-shot-2

How does all of the above relate to OpenStack, you may be wondering? Well, the process is extremely simple:

1) First, integrate OpenStack and NSX using the various up-streamed Neutron plugins, or better yet, get out-of-the-box integration by deploying VMware’s OpenStack distro, VMware Integrated OpenStack (VIO), which is free for existing VMware customers.
2) Next, integrate NSX and the Partner Solution in question following documented configuration best practices. The list of active ecosystem partners can be found here.
3) Proceed to create an NSX Security policy to classify the application traffic by using the policy language mentioned above. This approach follows a wizard-based provisioning process to select which VMs will be subject to deep level inspection with Service Composer.
4) Use the Security Partner management console to create protocol-level security policies, such as application level firewalling, web reputation filtering, malware protection, antivirus protection and many more.
5) Launch Nova instances from OpenStack without a Neutron Security Group attached to them. This step is critical. Remember that we are delegating security management to the Security Admin, not the Tenant. Neutron Security Groups do not apply in this context.
6) Test and verify that your security policy is applied as designed.

screen-shot-1

This all assumes that the security admin has relinquished control of the firewall from the Tenant and that all security operations are controlled by the firewall team, which is a very common Enterprise model.

There are some Neutron enhancements in the works, such as Flow Classifier and Service Chaining, that are looking “split” the security consumption between admins and tenants, by promoting these redirection policies to the Neutron API layer, thus allowing a Tenant (or a Security admin) to selectively redirect traffic without bypassing Neutron itself. This implementation, however, is very basic when compared to what NSX can do natively. We are actively monitoring this work and studying opportunities for future integration. In the meantime, the approach outlined above can be used to get the best of both worlds: the APIs you want (OpenStack) with the infrastructure you trust (vSphere and NSX).

In the next blog post we will show an actual working integration example with one of our Security Technology Partners, Fortinet, using VIO and NSX NetX technology.

Author: Marcos Hernandez
Principal Engineer, CCIE#8283, VCIX, VCP-NV
hernandezm@vmware.com
@netvirt