Fast, Simple and Secure: Mirantis OpenStack Express VPN-as-a-Service (VPNaaS) Simplifies Cloud Management, Empowers Hybrid Cloud Strategies
This week, Mirantis OpenStack Express adds the ability to:
Quickly and easily define Virtual Private Networks spanning multiple OpenStack environments.
Use these VPNs to connect private networks in these environments, letting connected resources share ICMP traffic and transmit and receive TCP traffic with good security and isolation.
VPNaaS — Step by Step
Mirantis OpenStack Express’ newly-introduced VPN-as-a-Service capability solves many of the most important hybrid cloud use-cases. Read about it below. Or if that’s “tl;dr,” get a quick look at how it works in this companion tutorial, with video.
The underlying VPNaaS goodness is pure OpenStack: the VPNaaS extension to Neutron is now an official API, and its development continues. What we’ve done in Mirantis OpenStack Express is to port that functionality forward into the Horizon console to help you configure VPNs, along with the back-end work to enable smooth functioning, logging and management in the context of hosted Private-Cloud-as-a-Service. Much of this work has been submitted for review and possible inclusion upstream.
In the meantime, the VPN API is accessible, both via the Horizon GUI and via the command-line/remote client, in Mirantis OpenStack Express. It is also available via the command-line/remote client in Mirantis OpenStack and other complete OpenStack distributions. (Hold that thought; we’ll come back to it in a moment.)
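As an added example (not Mirantis’ or the OpenStack project’s own code), here is what the two halves of a cluster-to-cluster connection look like as Neutron VPNaaS API bodies, with a cross-check that the premise and hosted ends mirror each other before either is submitted. Field names follow the Neutron VPNaaS API; every address, subnet and the PSK are constructed placeholders.

```python
import ipaddress

# Constructed sample data: one end per cloud. external_ip is the router's
# gateway address, cidr the tenant subnet behind it (placeholders, not real).
PREMISE = {"name": "premise", "external_ip": "203.0.113.10", "cidr": "10.10.0.0/24"}
HOSTED = {"name": "hosted", "external_ip": "198.51.100.20", "cidr": "10.20.0.0/24"}

# Policy bodies as the Neutron VPNaaS API expects them (ikepolicy / ipsecpolicy).
IKE = {"ike_version": "v2", "encryption_algorithm": "aes-256", "auth_algorithm": "sha1",
       "phase1_negotiation_mode": "main", "pfs": "group14",
       "lifetime": {"units": "seconds", "value": 3600}}
IPSEC = {"transform_protocol": "esp", "encapsulation_mode": "tunnel",
         "encryption_algorithm": "aes-256", "auth_algorithm": "sha1", "pfs": "group14",
         "lifetime": {"units": "seconds", "value": 3600}}

def site_connection(local, remote, psk):
    """ipsec_site_connection body for the `local` cloud, pointing at `remote`.
    vpnservice_id, ikepolicy_id and ipsecpolicy_id are added once those objects exist."""
    return {"name": f"{local['name']}-to-{remote['name']}",
            "peer_address": remote["external_ip"],
            "peer_id": remote["external_ip"],
            "peer_cidrs": [remote["cidr"]],
            "psk": psk,
            "initiator": "bi-directional",
            "dpd": {"action": "hold", "interval": 30, "timeout": 120},
            "admin_state_up": True}

def check_pair(a_cloud, a_conn, b_cloud, b_conn):
    """Cross-check both ends; returns a list of problems (empty means consistent)."""
    problems = []
    if a_conn["psk"] != b_conn["psk"]:
        problems.append("psk differs between the two ends")
    if a_conn["peer_address"] != b_cloud["external_ip"] or b_conn["peer_address"] != a_cloud["external_ip"]:
        problems.append("peer_address does not point at the other router")
    if a_conn["peer_cidrs"] != [b_cloud["cidr"]] or b_conn["peer_cidrs"] != [a_cloud["cidr"]]:
        problems.append("peer_cidrs do not mirror the other side's subnet")
    if ipaddress.ip_network(a_cloud["cidr"]).overlaps(ipaddress.ip_network(b_cloud["cidr"])):
        problems.append("tenant subnets overlap; routes through the tunnel would be ambiguous")
    return problems

def weak_settings(ike, ipsec):
    """Flag policy choices a defender should reject before the tunnel goes live."""
    weak = []
    for label, pol in (("ike", ike), ("ipsec", ipsec)):
        if pol["encryption_algorithm"] == "3des":
            weak.append(f"{label}: 3des")
        if pol["pfs"] == "group2":
            weak.append(f"{label}: 1024-bit DH group2")
    return weak
```

Run check_pair on both bodies and weak_settings on the shared policies before creating either ipsec-site-connection; a mismatch in any of these is the usual reason a tunnel negotiates but carries no traffic.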
Ease of use makes cluster-to-cluster VPNaaS a big deal, and not merely a science project. For Mirantis OpenStack Express users, it can solve basic problems with scaling individual tenant footprints over two or more private, hosted clouds -- securely, simply, and without taking much of a performance hit. What’s even a bigger potential deal, however, is that VPNaaS provides a simple, standards-based way of securely hooking hosted OpenStack cloud tenant resources together, with same-tenant resources running on a premise OpenStack (or elsewhere). In other words (cue the firehoses to rinse clean the cloudwashing): hybrid cloud.
In fact, if you think about it, easy-to-deploy VPNaaS -- this one feature -- solves many of the classic ‘hybrid’ use-cases. It should let you:
Scale out existing applications onto Mirantis OpenStack Express hosted private capacity. Say you need more transaction-fielding, number-crunching, or storage horsepower behind web or similar robust apps hosted on a premise OpenStack (or, even easier, on a Mirantis OpenStack Express hosted Private Cloud), but don’t want to expand the cloud(s) you’re currently operating (e.g., by adding premise hardware, or dialing up the number of bare-metal nodes your current Mirantis OpenStack Express cloud is running on). Just rent another private cloud, set up a Project (tenant), use VPNaaS to link it back to your existing datacenter, and start deploying instances there. In principle, the speed of this transaction makes it “burst capacity” -- you don’t have to knuckle your forehead and plan things out to a fare-thee-well, because a) it’s easy to obtain and integrate the new capacity (should be no more than a few hours, plus time for testing), and b) when you don’t need the extra capacity, you can let it go: no harm, no foul.
Use hosted private clouds for dedicated services, like storage or compute. Say you need a very large amount of online storage, maybe on a temporary basis? You can arrange to have a Mirantis OpenStack Express private cloud provisioned optimally to work as a giant Ceph storage engine ... and VPN it back to your premise infrastructure. Instant Storage as a Service that you configure. The fact that it’s on private bare metal enhances your data security, your performance, and gives you the option of geolocating data as your business and regulatory compliance needs dictate.
Manage multiple clouds from a single “pane of glass.” By using OpenStack’s ‘regions’ construct, it’s possible to put multiple, VPN-linked clouds -- premise and hosted -- under control of a single Horizon console (perhaps on your premise cloud).
Exploit VPNaaS to architect and customize your distributed OpenStack infrastructure to suit special business, security and technical needs. In other words: put OpenStack components where you need them to be (on-premise, or in the “cloud”), to secure and enable your applications.
For example, Intel and Mirantis collaborated earlier this year on a proof of concept where they deployed Mirantis OpenStack on premise and on hosted clouds, and linked them as a two-region hybrid. Then they went further and installed Intel TXT Trusted Compute hardware on specific compute nodes in both the premise and hosted clusters (TXT is a system that monitors and ensures the integrity of compute nodes and permits sensitive workloads to be deployed only on trusted infrastructure), creating “trusted compute pools” in both locations. Given that the TXT system depends on an “Attestation Server” to manage and monitor trust states, Intel sensibly wanted to keep this critical security resource protected on their premise cloud. Doing so was no great problem: the VPN secured the tunnel-encapsulated traffic running between the clusters, and the Attestation Server managed both premise and hosted trusted compute pools well from the premise side.
This is powerful stuff, and part of what makes it powerful is that Mirantis OpenStack Express has made it simple. The second part of this blog shows you how it works, step by step, with video.