Overview & Architecture

Private Cloud Director offers a high level of control on your network architecture, leading to a wide variety of possible configurations. Here, we illustrate 3 common architectures for users who are looking to get started quickly.

Concepts

Concepts we will use in this document:

PCD Management Plane

This is the Private Cloud Director management plane installed locally when using the Private Cloud Director self-hosted deployment. See Hosting Options for more information on the available hosting options. If you are using the SaaS-hosted deployment model, you can ignore this component in the diagrams below.

Physical Network Interface

In the context of a hypervisor, a network interface refers to a physical network interface, such as eth0, or a bonded network interface (e.g. bond0) that is bonded from multiple physical network interfaces.

Management Network

The network used to carry communications between hypervisor cluster control plane components and data plane components, and to ensure certain cluster level functions (such as host liveness detection).

VLAN

VLAN stands for Virtual Local Area Network. VLANs are logical networks that may operate within a single Physical Network. The network traffic on each VLAN is independent of and invisible to the network traffic on another VLAN on the same Physical Network.

VXLAN

VXLAN stands for Virtual Extensible Local Area Network. VXLAN is a virtual overlay network that is built on top of Open Systems Interconnection Model (OSI) Layer 2 and Layer 3 technology. VXLAN extends the virtual LAN (VLAN) address space.

VLAN supports the assignment of up to 4096 VLAN IDs at a time, which may be insufficient for large-scale cloud computing. VXLAN adds a 24-bit segment ID and hence increases the number of available network IDs to 16 million.

GENEVE

GENEVE stands for Generic Network Virtualization Encapsulation and is a network encapsulation / tunneling technology that creates Layer-2 overlay networks over Layer-3 infrastructure, by encapsulating Layer-2 frames in UDP packets.
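The ID widths behind the three concepts above (a 12-bit 802.1Q VLAN ID, a 24-bit VXLAN VNI, a 24-bit Geneve VNI with variable-length options) are easiest to see by packing and unpacking the actual headers. The following is an added example, not code from the Private Cloud Director documentation or product; the header layouts follow IEEE 802.1Q, RFC 7348 and RFC 8926, and the sample Ethernet frame is constructed for the example.

```python
import struct

VLAN_ID_BITS = 12        # 802.1Q VID: 4096 values (0 and 4095 reserved, 4094 usable)
VNI_BITS = 24            # VXLAN / Geneve VNI: 16,777,216 values
VXLAN_UDP_PORT = 4789    # IANA-assigned destination port for VXLAN
GENEVE_UDP_PORT = 6081   # IANA-assigned destination port for Geneve
ETH_P_TEB = 0x6558       # Geneve protocol type for an encapsulated Ethernet frame


def id_space(bits):
    """Number of distinct IDs an n-bit field can carry."""
    return 1 << bits


def build_8021q_tag(vlan_id, pcp=0):
    """4-byte 802.1Q tag: TPID 0x8100, then TCI = PCP(3) | DEI(1) | VID(12)."""
    if not 0 <= vlan_id < id_space(VLAN_ID_BITS):
        raise ValueError("VLAN ID does not fit in 12 bits")
    return struct.pack("!HH", 0x8100, (pcp << 13) | vlan_id)


def parse_8021q_tag(tag):
    tpid, tci = struct.unpack("!HH", tag[:4])
    if tpid != 0x8100:
        raise ValueError("not an 802.1Q tag")
    return {"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vlan_id": tci & 0x0FFF}


def build_vxlan_header(vni):
    """8-byte VXLAN header (RFC 7348): flags with the I bit set, 24 reserved
    bits, the 24-bit VNI, 8 reserved bits."""
    if not 0 <= vni < id_space(VNI_BITS):
        raise ValueError("VNI does not fit in 24 bits")
    return struct.pack("!II", 0x08 << 24, vni << 8)


def parse_vxlan_header(hdr):
    flags, vni_word = struct.unpack("!II", hdr[:8])
    if not (flags >> 24) & 0x08:
        raise ValueError("VXLAN I flag clear: VNI field is not valid")
    return {"vni": vni_word >> 8}


def build_geneve_header(vni, protocol_type=ETH_P_TEB, options=b""):
    """Geneve base header (RFC 8926): Ver(2) OptLen(6) | O C Rsvd(6) | Protocol(16),
    then VNI(24) Rsvd(8), then options. OptLen counts 4-byte words."""
    if not 0 <= vni < id_space(VNI_BITS):
        raise ValueError("VNI does not fit in 24 bits")
    if len(options) % 4 or len(options) > 63 * 4:
        raise ValueError("Geneve options must be 4-byte aligned and at most 252 bytes")
    first = struct.pack("!BBH", (0 << 6) | (len(options) // 4), 0, protocol_type)
    return first + struct.pack("!I", vni << 8) + options


def parse_geneve_header(hdr):
    b0, b1, protocol_type, vni_word = struct.unpack("!BBHI", hdr[:8])
    version, opt_words = b0 >> 6, b0 & 0x3F
    if version != 0:
        raise ValueError("unsupported Geneve version")
    return {"version": version, "oam": b1 >> 7, "critical": (b1 >> 6) & 1,
            "protocol_type": protocol_type, "vni": vni_word >> 8,
            "options": hdr[8:8 + opt_words * 4]}


def encapsulate_vxlan(inner_frame, vni, src_port=49152):
    """Wrap a Layer-2 frame in UDP + VXLAN (the IP header is left to the stack).
    A zero UDP checksum is permitted for VXLAN over IPv4."""
    payload = build_vxlan_header(vni) + inner_frame
    udp = struct.pack("!HHHH", src_port, VXLAN_UDP_PORT, 8 + len(payload), 0)
    return udp + payload


def decapsulate_vxlan(packet):
    """Reverse of encapsulate_vxlan: returns (vni, inner_frame)."""
    _src, dst, length, _csum = struct.unpack("!HHHH", packet[:8])
    if dst != VXLAN_UDP_PORT or length != len(packet):
        raise ValueError("not a well-formed VXLAN/UDP datagram")
    return parse_vxlan_header(packet[8:16])["vni"], packet[16:]


# Constructed inner Ethernet frame: dst MAC, src MAC, EtherType IPv4, dummy payload.
SAMPLE_FRAME = bytes.fromhex("001122334455" "66778899aabb" "0800") + b"\x45" + bytes(19)

if __name__ == "__main__":
    print("VLAN IDs:", id_space(VLAN_ID_BITS), "VNIs:", id_space(VNI_BITS))
    vni, frame = decapsulate_vxlan(encapsulate_vxlan(SAMPLE_FRAME, 0x100001))
    print(hex(vni), frame == SAMPLE_FRAME)
```

The VNI 0x100001 used in the usage block is deliberately larger than any VLAN ID can be: it fits a VXLAN or Geneve header but would be rejected by build_8021q_tag, which is the capacity difference the text describes.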

Architecture 1: Single Network Interface, Simple Networks

In this architecture, a single network interface (either a single physical interface or a single bonded interface) is used to carry all network traffic on an existing physical network:

  1. The prerequisite is to prepare the network interface before configuring the virtualized cluster networking.

  2. The traits of the underlying physical network, including its use of VLANs and its connectivity to external networks, can be configured to expose this existing physical network to the virtualized cluster.

  3. Private Cloud Director can then apply all of the following network changes: creating a logical management network, a logical storage network and a logical tunnel network (using either VXLAN or Geneve encapsulation).

This is the simplest possible configuration, but is not recommended for production due to the lack of segregation between different traffic types.

Architecture 2: Multiple network interfaces, segregated simple networks

This is a common architecture, suitable for production usage. It features:

  1. Multiple physical or bonded network interfaces, which must be ready before networking is configured for the virtualized cluster.

  2. Isolation and improved QoS, achieved by using separate interfaces for the management network, the tunnel networks (virtual networks), the external network and the storage network.

  3. All of these networks can be configured within Private Cloud Director.

Architecture 3: Complex networks with in-cluster NFV firewall for external traffic

This is an advanced network architecture in which networking constructs enable an in-cluster firewall for your virtualized cluster, filtering all north-south traffic leaving the virtualized cluster for an external network:

  1. Beyond preparing the network interfaces, this architecture uses a software firewall (NFV) VM to filter traffic.

  2. The firewall VM is deployed onto a host that serves as the 'Gateway' out of the virtualized cluster. The firewall VM is connected to the external network via a special bridge; no other resource in the cluster can connect to this special bridge directly.

  3. All hosts in the virtualized cluster, including the gateway host, use a common bridge configuration (br-phy1 in this diagram), which enables the creation of multiple logical networks with connectivity to the firewall (and thereby to external networks). In this diagram, net1 (VLAN 100) and net2 (VLAN 200) are two different physical networks used by workloads.

  4. Virtual routers are deployed to provide the appropriate level of connectivity across networks.

  5. To ensure adequate throughput, the firewall VM uses trunk ports and multiple vNICs to serve the internal networks in the cluster that are used by VMs.

  6. Management, storage and virtual networks are used within the cluster, but because they carry no outgoing traffic, they are not monitored by the firewall.
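Architecture 2 and Architecture 3 each come down to a few invariants that are easy to break while editing host network settings: every traffic type on its own interface, the external bridge present only on the gateway host and attached only to the firewall VM, br-phy1 present on every host, and the firewall's trunk port carrying every workload VLAN so each logical network actually reaches the firewall. The following added example (not Private Cloud Director's own code or configuration format) checks a per-host network plan against those invariants. The bridge name br-phy1, the gateway role and the net1/net2 VLAN 100/200 networks come from the text; the plan layout, the names br-ext and fw-vm, and the host and VM names are assumptions made for this example.

```python
from copy import deepcopy

TRAFFIC_TYPES = ("management", "storage", "tunnel", "external")
COMMON_BRIDGE = "br-phy1"      # from the text: shared by every host
EXTERNAL_BRIDGE = "br-ext"     # assumed name for the gateway-only external bridge
FIREWALL_VM = "fw-vm"          # assumed name for the NFV firewall VM
VLAN_MIN, VLAN_MAX = 1, 4094   # usable 802.1Q VLAN IDs

# Constructed sample plan in the shape of Architecture 3. "traffic" maps each
# traffic type to the interface carrying it (None = not carried on this host);
# "bridges" maps bridge name to its uplink; "ports" lists VM attachments with
# the VLAN IDs carried (several IDs on one port = a trunk, [] = untagged).
PLAN = {
    "hosts": {
        "gw-01": {"role": "gateway",
                  "traffic": {"management": "bond0", "storage": "eth2",
                              "tunnel": "eth3", "external": "eth4"},
                  "bridges": {COMMON_BRIDGE: "eth5", EXTERNAL_BRIDGE: "eth4"}},
        "cmp-01": {"role": "compute",
                   "traffic": {"management": "bond0", "storage": "eth2",
                               "tunnel": "eth3", "external": None},
                   "bridges": {COMMON_BRIDGE: "eth5"}},
    },
    "networks": {"net1": 100, "net2": 200},   # workload networks on br-phy1
    "ports": [
        {"vm": FIREWALL_VM, "host": "gw-01", "bridge": EXTERNAL_BRIDGE, "vlans": []},
        {"vm": FIREWALL_VM, "host": "gw-01", "bridge": COMMON_BRIDGE, "vlans": [100, 200]},
        {"vm": "web-01", "host": "cmp-01", "bridge": COMMON_BRIDGE, "vlans": [100]},
        {"vm": "db-01", "host": "cmp-01", "bridge": COMMON_BRIDGE, "vlans": [200]},
    ],
}


def check_segregation(host_name, host):
    """Architecture 2: each traffic type a host carries gets its own interface."""
    findings, seen = [], {}
    for traffic, iface in host["traffic"].items():
        if iface is None:
            continue
        if iface in seen:
            findings.append(f"{host_name}: {traffic} shares {iface} with {seen[iface]}")
        else:
            seen[iface] = traffic
    return findings


def check_external_bridge(plan):
    """Architecture 3: the external bridge exists only on the gateway host and
    only the firewall VM may attach to it."""
    findings = []
    for name, host in plan["hosts"].items():
        if EXTERNAL_BRIDGE in host["bridges"] and host["role"] != "gateway":
            findings.append(f"{name}: non-gateway host carries {EXTERNAL_BRIDGE}")
    for port in plan["ports"]:
        if port["bridge"] == EXTERNAL_BRIDGE and port["vm"] != FIREWALL_VM:
            findings.append(f"{port['vm']}: attached directly to {EXTERNAL_BRIDGE}")
    return findings


def check_common_bridge(plan):
    """Architecture 3: br-phy1 on every host, valid unique VLAN IDs per workload
    network, and the firewall's trunk port carrying every workload VLAN."""
    findings, vlans = [], {}
    for name, host in plan["hosts"].items():
        if COMMON_BRIDGE not in host["bridges"]:
            findings.append(f"{name}: missing {COMMON_BRIDGE}")
    for net, vid in plan["networks"].items():
        if not VLAN_MIN <= vid <= VLAN_MAX:
            findings.append(f"{net}: VLAN {vid} outside {VLAN_MIN}-{VLAN_MAX}")
        elif vid in vlans:
            findings.append(f"{net}: VLAN {vid} already used by {vlans[vid]}")
        else:
            vlans[vid] = net
    fw_vlans = set()
    for port in plan["ports"]:
        if port["bridge"] != COMMON_BRIDGE:
            continue
        unknown = [v for v in port["vlans"] if v not in vlans]
        if unknown:
            findings.append(f"{port['vm']}: VLAN(s) {unknown} not a defined network")
        if port["vm"] == FIREWALL_VM:
            fw_vlans.update(port["vlans"])
    missing = sorted(set(vlans) - fw_vlans)
    if missing:
        findings.append(f"{FIREWALL_VM}: trunk on {COMMON_BRIDGE} lacks VLAN(s) {missing}")
    return findings


def validate(plan):
    """Return a list of human-readable findings; an empty list means the plan holds."""
    findings = []
    for name, host in plan["hosts"].items():
        findings += check_segregation(name, host)
    findings += check_external_bridge(plan)
    findings += check_common_bridge(plan)
    return findings


def broken_plan():
    """Constructed variant: storage collapsed onto the management bond on cmp-01
    (Architecture 1 style), and a workload VM plugged straight into the external bridge."""
    bad = deepcopy(PLAN)
    bad["hosts"]["cmp-01"]["traffic"]["storage"] = "bond0"
    bad["ports"].append({"vm": "rogue-01", "host": "gw-01", "bridge": EXTERNAL_BRIDGE, "vlans": []})
    return bad


if __name__ == "__main__":
    for finding in validate(broken_plan()):
        print(finding)
```

The second finding from broken_plan() is the one that matters most for Architecture 3: a VM attached to the external bridge bypasses the firewall entirely, so that bridge should be treated as the control point and any attachment other than the firewall VM's should fail review.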
