Nuage Networks OpenStack DevOps RedHatOSP Cloud Reference Architecture

Uploaded by

roshan

Nuage Networks Ecosystem Program

OpenStack DevOps Cloud Reference Architecture 2.1


Nuage Networks Ecosystem Program is a complete ecosystem of open source community projects, networking and systems integration partners, developers, and customers. The program accelerates the adoption of Development and Operations (DevOps) OpenStack clouds.

The program provides reference architectures based on existing, proven, and operational models that have been deployed at customer sites. This reference architecture leverages Nuage Networks Virtualized Services Platform (VSP), an industry-leading Software-Defined Networking (SDN) solution, and includes a wide range of networking services from partners that have been certified on the Nuage Networks VSP:

■ Cloud Management System (CMS): Red Hat® OpenStack® Platform
■ Application Delivery Controllers/Load Balancers: Avi Vantage, Citrix® NetScaler, F5® Big-IP, Radware® Alteon and Brocade VTM
■ Security: CounterTack®, CheckPoint®, GuardiCore®, Fortinet™ FortiGate, Palo Alto Networks® VM-series next-generation firewall and vArmour®
■ DHCP/DNS/IPAM: Infoblox and Nokia VitalQIP

FIGURE 1. Red Hat OSP networking is managed by Nuage Networks VSP with service insertion from leading vendors

[Figure 1 labels: Neutron API; Neutron Service; Neutron Plug-in API; Plug-in Implementation; Service APIs; Extensions; Virtual and Physical Networking Infrastructure; Network Functions; Services (ADC/Load Balancer, Security/Firewall, DHCP/DNS/IPAM); Software-Defined Network Services (Networking, Network Extensions, ADC/Load Balancer, Security Services, DHCP/DNS/IPAM). Callout: Red Hat OpenStack Platform provides network functions including the Neutron Plug-in and Network Service APIs.]

Ecosystem partners

Red Hat Enterprise Linux® OpenStack Platform combines the world’s most trusted, secure, and proven Linux distribution — Red Hat Enterprise Linux — with Red Hat’s rigorously tested OpenStack technology. To meet the enterprise need for a predictable lifecycle for support and maintenance, Red Hat Enterprise Linux OpenStack Platform brings together innovation across hypervisor, operating system, and OpenStack technologies while creating a stable platform for certified solutions from partners. Red Hat Enterprise Linux OpenStack Platform Version 7 was used for this reference architecture.

Check Point vSEC security gateway protects cloud environments from internal and external threats by securing virtual machines (VMs) and applications with the full range of protections of the Check Point Software Blade architecture. Check Point’s vSEC delivers advanced threat prevention, dynamic service insertion, granular segmentation, automated security provisioning and visibility that is context aware. This reference architecture features Check Point R77.30 for vSEC security gateway and Check Point R80 for Smart Center Management.

CounterTack Sentinel is built on big data architectures to counter endpoint threats at-scale and to leverage tamper-resistant data collection for pure behavioral capture on enterprise endpoints (laptops, servers, workstations, mobile devices). CounterTack Sentinel dramatically reduces the impact of the most advanced attacks in real-time, giving teams an opportunity to defend the enterprise before incidents escalate. This reference architecture features Sentinel 5.4.

GuardiCore Data Center Security Suite provides advanced threat detection and visibility inside the data. Distributed per hypervisor or server, the Suite offers full coverage of all traffic inside datacenters at large scale with minimal impact on hypervisor/server performance. Using a unique combination of threat deception, semantics-based analysis and automated response, GuardiCore exposes attackers, provides quick and detailed insights into the nature of the attack and responds to it in real time.

Fortinet FortiGate™ virtual appliances offer protection from a broad array of threats, with support for all of the security and networking services offered by the FortiOS™ operating system. FortiGate virtual appliances allow you to mitigate blind spots by implementing critical security controls within your virtual infrastructure. They also allow you to rapidly provision security infrastructure whenever and wherever it is needed. FortiGate virtual appliances feature all of the security and networking services common to traditional hardware-based FortiGate appliances. This reference architecture features FortiOS 5.2 and later versions.

Palo Alto Networks VM-Series virtualized next-generation firewall automates security provisioning inclusive of firewall services and associated security policies as a means of segmenting virtual machines using zero-trust principles. This reference architecture features VM-100 Version 7.0.0.

Brocade Virtual Traffic Manager is a software-based Layer 7 application delivery controller (ADC) designed to deliver faster, high performance user experience, with more reliable access to public websites and enterprise applications, whether they run in a public cloud, private cloud or virtualized environment, while maximizing the efficiency and capacity of web and application servers. This reference architecture features Brocade vTM (Virtual Traffic Manager) 10.3 and above as well as Brocade Services Director 2.2 and above.

Citrix NetScaler® VPX provides the complete NetScaler web and application load balancing, secure and remote access, acceleration, security and offload feature set in a simple, easy-to-install virtual appliance. IT organizations, cloud and telecom service providers of any size can deploy NetScaler VPX on industry standard hypervisors — on demand — anywhere in the datacenter. This reference architecture features NetScaler VPX release 11.0 and Control Center 10.5.

F5 BIG-IP® Local Traffic Manager™ (LTM) delivers applications to users in a reliable, secure and optimized way. The benefits are extensibility and flexibility of application services with the needed programmability to manage the physical, virtual and cloud infrastructures. BIG-IP Local Traffic Manager Virtual Edition (VE) Version 11.6.0, per this reference architecture, provides the capabilities of BIG-IP LTM with the flexibility of a virtual platform.

Radware’s Alteon Virtual Appliance (Alteon VA™) is a fully-functional Application Delivery Controller (ADC) solution. It provides an application-aware approach to deploying and managing applications to guarantee full availability, maximum performance and complete security while extracting more value from IT investments in Nuage VSP environments. Alteon VA provides identical functionality to Alteon physical ADC devices, including local and global server load balancing, layer 7 capabilities and application acceleration. This reference architecture features Alteon VA version 30.5.0 and the ADC Automation Controller (vDirect) version 3.30.

Infoblox® DDI for DNS, DHCP and IP address management are available as virtual appliances for KVM-based OpenStack deployments. Infoblox DDI provides core network services such as DNS and DHCP, in a highly reliable enterprise-grade platform called the Infoblox Grid. This reference architecture features Version 7.1.0 of the Infoblox virtual appliance for KVM.

Nokia VitalQIP is an open, scalable DDI solution (DNS, DHCP and IP address management) available as software solution and optional hardware or virtualised appliances for large enterprise and service provider deployments. VitalQIP includes the Nokia DNS, Nokia DHCP and Nokia DHCPv6 high performance services; with industry-proven reliability and scalability, VitalQIP allows the enterprise to manage hundreds of DNS and DHCP servers supporting millions of IP addresses. This reference architecture features VitalQIP version 8.1.1.



vArmour Distributed Security System is the industry’s first distributed security system that transforms how organizations protect their virtualized and cloud assets in a world without perimeters. vArmour micro-segments every application in the datacenter by wrapping protection around every workload, delivering fine-grained visibility and control in dynamic multicloud environments. vArmour Distributed Security System is a single logical system composed of multiple autonomous, distributed sensors and enforcement points that are connected by an intelligent fabric.

Avi Vantage Platform is an Application Delivery Controller platform that has been architected on software-defined principles to deliver load balancing as a pool of distributed application services with central control in a data center or cloud environment. The unique architecture enables Avi Vantage to provide application services such as application insights, predictive autoscaling, policy-driven self-service for application owners, faster troubleshooting, application maps, and micro-segmentation, beyond load balancing. This reference architecture features v16.1.1.

Nuage Networks Virtualized Services Platform

Nuage Networks VSP lays the foundation for an open and dynamically controlled datacenter network fabric to accelerate application programmability, facilitate unconstrained mobility, and maximize compute efficiency for cloud service providers, web-scale operators and leading tech enterprises across the globe. Nuage Networks VSP eliminates the constraints that have held back the responsiveness and efficiency of your datacenter network by:

■ Making the datacenter network as dynamic and consumable as the compute infrastructure
■ Eliminating cumbersome configuration-driven processes for datacenter networking
■ Simplifying the definition of network service requirements and policies
■ Scaling to meet the demands of thousands of tenants with unique application requirements, distinct security policies, and committed service levels

Nuage Networks VSP supports highly efficient hybrid clouds

Nuage Networks VSP is an overlay network for virtualized as well as non-virtualized network resources. You do not need any purpose-built networking hardware since all of the solution’s components are virtualized. Nuage Networks VSP preserves network attributes (required network settings including security) no matter where the workload is placed. By replacing the tie to the physical network element with a set of required network attributes, Nuage Networks VSP provides full network roaming capabilities for all workloads.

Based on a unique, application-centric approach, the Nuage Networks VSP SDN solution abstracts application networking requirements from your physical network topology to streamline management operations and improve agility. Programmable business logic and a powerful policy engine let you define Layer 2-4 network requirements once in simplified application terms. This approach ensures compliance with resource policies across your infrastructure on a per-tenant and per-application basis.

FIGURE 2. Nuage Networks VSP open and dynamic datacenter network fabric

[Figure 2 labels: Nuage Networks Virtualized Services Platform (VSP); Cloud Service; MP-BGP; Datacenter Edge Router; IP Fabric; Hypervisor; Hardware Gateway.]

Management Plane: Virtualized Services Directory (VSD)
• Network Policy Engine — abstracts complexity
• Service templates and analytics

Control Plane: Virtualized Services Controller (VSC)
• SDN Controller, programs the network
• Rich routing feature set based on Alcatel-Lucent SR-OS

Data Plane: Virtual Routing & Switching (VRS)
• Distributed switch/router — L2-4 rules
• Integration of bare-metal assets




Using event-driven network service instantiation, network resources are instantiated as they are required and without manual intervention, allowing the demands of cloud applications to be quickly met for thousands of users. Seamless interoperability across multiple administrative domains and datacenters lets you place cloud workloads and services optimally across your infrastructure, improving server utilization and allowing cloud bursting and hybrid cloud services. This flexibility is not limited to virtual partner solutions, but also includes physical security and application delivery services.

Nuage Networks is committed to the partner and developer community and creating an open platform. As part of that commitment, the Company has published a Virtualized Service Platform SDK (VSPK) on https://github.com/nuagenetworks to make the integration process easier and build a community for the benefit of customers, developers and partners. Many of the integrations with our partners have been completed using the Nuage Networks VSPK, dramatically cutting integration times.

Nuage Networks VSP self-certification infrastructure

To demonstrate the flexibility of the platform, the Nuage Networks Partner Program team has used Nuage Networks VSP and OpenStack to build the Nuage Networks self-certification infrastructure. Isolated tenant environments were created, each hosting separate applications and multi-vendor security and application delivery controller solutions (one per application).

Each tenant’s environment includes a dedicated instance of Nuage Networks VSP to provide separate overlay networks for that tenant. This enables each instance to have independent administrative and management access.

All of the solutions listed in this reference architecture have been certified to work with the Nuage Networks VSP.

To learn more about this reference architecture, our certified partner solutions or to be part of this ecosystem, visit www.nuagenetworks.net/partners or e-mail us at partners@nuagenetworks.net.

FIGURE 3. Multi-tenant isolation provided by dedicated Nuage Networks VSP instances

[Figure 3 labels: Tenant 1, Tenant 2, Tenant 3 and Tenant 4, each hosting App1 and App2 on its own group of VMs.]

www.nuagenetworks.net Nuage Networks and the Nuage Networks logo are trademarks of the Nokia group
of companies. Nokia is a registered trademark of Nokia Corporation. Other product and company names
mentioned herein may be trademarks or trade names of their respective owners. PR1604019541EN (April)
© Nokia 2016
