Building Multi-tenant Application Delivery Solutions for Cloud Service Providers

Intel® Network Builders Solution Brief
Avi Networks* Cloud Application Delivery Platform
Intel® Xeon® Processors
Avi Networks* applies NFV and SDN principles to improve the visibility,
scalability, and controllability of cloud computing infrastructure based on
Intel® Xeon® processors.
INTRODUCTION
Although multi-tenancy enables cloud service providers (CSPs) to offer customers the
computing power they need at an appealing price, what happens under the hood is often
a mystery. This is because multi-tenant environments often fall short in a number of
areas, including:
• Built-in analytics to provide performance visibility
• Highly-elastic infrastructure to scale performance on demand
• Single point of control and management to simplify operations
• Security mechanisms to better protect applications
To address these issues, Avi Networks* developed a software-based Cloud Application
Delivery Platform (CADP) that provides the visibility, high-availability, elastic scalability,
application security, and single point of control needed by CSPs. The Avi Networks CADP
combines the features of an application delivery controller (ADC), or advanced load
balancer, with monitoring and analytics capabilities that allow CSPs to better understand
their multi-tenant environment and offer rich, service-level agreement (SLA) based
services to their customers. CSPs and end users can scale capacity up and down, only
paying for the services they use.
Whereas many ADC solutions are appliance-based and designed for static, single-tenant
environments, Avi Networks CADP is software-based and designed for multi-tenant
private, public, and hybrid cloud, as shown in Figure 1. Avi Networks CADP running on
Intel® Xeon® processors incorporates principles from network functions virtualization
(NFV) and software-defined networking (SDN) to enable highly-elastic application
delivery and a single point of control. As a result, the solution overcomes the challenges
CSPs typically face when automating and integrating traditional ADCs into their multi-tenant cloud infrastructure.
Giving CSPs more control
over their multi-tenant
environments
MULTI-TENANCY CHALLENGES
AND OPPORTUNITIES
As applications move to cloud-based
infrastructures and mobile becomes
the dominant endpoint, it is increasingly
difficult to guarantee application
performance and end-user experience.
Consequently, large cloud service
providers such as Amazon*, Facebook*,
and Google* have changed out their
fleets of proprietary ADC appliances.
Instead, these web giants have internally
developed analytics-driven, software-defined infrastructure services that
enable them to efficiently and reliably
deliver hyperscale applications on
commodity hardware. However, most
CSPs do not have the engineering
resources required to internally develop
software for new application delivery
architectures.1
Traditional ADC appliances lack end-to-end
visibility into the end-user experience and
cannot automatically scale capacity based
on real-time application demands. As a
result, CSPs are forgoing opportunities
to offer their customers a higher level of
service through appropriate performance
monitoring, automatic scaling, and
enforcement of SLAs at the tenant and
the application level.
Figure 1. Avi Networks* CADP in a Typical CSP Environment
SOLUTION OVERVIEW
Avi Networks Cloud Application Delivery
Platform (CADP) is a software solution
that utilizes real-time application visibility
and end-user insights to optimize
application delivery. It enables CSPs to
offer rich application delivery services,
such as elastic load balancing, application
security, application acceleration, and real-time monitoring and analytics to tenant
applications. The native integration with
cloud management platforms, such as
OpenStack*, ensures rapid deployment/
provisioning and out-of-the-box
automation.
The solution is built on the company’s
HYDRA* architecture, which enables
seamless scaling of network services
within and across data centers and
clouds, while maintaining a single
point of management and control. The
architecture separates the data, control,
and management planes into individual
system components, as shown in Figure 2:
• Avi Service Engines provide
distributed data-plane services
• Avi Controller is the centralized policy
and analytics engine
• Avi UI offers a rich user interface built
on RESTful APIs
Avi Service Engines provide data-plane services for application delivery
and also serve as distributed probes
in the network, capturing hundreds of
application metrics and transaction log
data. They run on the same hypervisor as
the applications they support and monitor.
Avi Controller acts as a central, multi-tenant, policy repository and provisions,
configures, and scales Service Engines
as needed. Additionally, it runs an
analytics engine that provides real-time,
highly-granular insights into application
performance and end-user experience,
without any application changes, server
agents, or network taps.
Avi UI is a powerful web-based portal
that enables CSPs to visualize, analyze,
and control their end-to-end, user-to-application environment from a central
location. Built-in support for multi-tenancy allows cloud providers to expose
advanced functionality and monitoring
capabilities directly to tenants without
the need for building portals.
The Avi Networks “pay-as-you-use”
model enables CSPs to charge tenants
based on their usage of services, such
as load balancing, application security,
and acceleration (e.g., caching and
compression). CSPs can customize services
to create offerings on a per tenant basis.
This model is essentially a zero-risk
offering since CSPs do not have to remove
existing load balancing services (no rip-and-replace), and they only pay for the Avi
Networks services when tenants choose
them over a legacy offering. Even more
importantly, the built-in elasticity and
auto-scaling of the Avi Networks’ CADP
platform ensures compute resources in a
CSP datacenter are only used as needed,
resulting in significant reduction in the
cost of service delivery.
Figure 2. Main Components of the Avi Networks* Cloud Application
Delivery Platform
Tenants can pick their overall capacity,
from a free-tier to a terabit-class offering
with thousands of applications. Capacity
can be added and removed at run time
with a single click, allowing CSPs to
dynamically respond to changing customer
needs in real time.
ADDRESSING MULTI-TENANCY
ISSUES
Using Avi Networks CADP, tenants can
track SLAs for their business critical apps
in a cloud environment, similar to what
they are used to in their on-premises
data centers. In addition, tenants benefit
from user-to-application visibility and
real-time analytics services, all of which
is strong encouragement for customers
thinking about moving their business-critical applications to the cloud. CSPs can
offer these features to customers while
maintaining a single point of control and
management across all tenants.
Figure 3. Consumption-Based Model
Unlike traditional, appliance-based ADCs, Avi Networks CADP uniquely
addresses other multi-tenancy issues.
Examples include:
Built-in analytics to provide
performance visibility
CADP has built-in analytics for measuring
and visualizing application performance
in real time. Avi Service Engines integrate
data collectors for gathering end-to-end
timing information, metrics, and logs for
each user-to-application transaction. This
information allows the Avi Controller
to continuously monitor performance,
which it correlates to server and network
infrastructure logs.
Highly-elastic infrastructure to
scale performance on demand
Avi Controller automatically adjusts ADC
capacity for individual tenants in real
time by scaling resources up and down
based on the end-user and application
insights derived by the inline analytics.
The AutoScale feature allows a CSP
to add tenants and applications, and
increase throughput without worrying
about capacity planning or having to
add appliances. For example, Figure 3
shows how the Avi Networks model is
consumption based, making it more cost-effective and scalable than appliance-based models.
Single point of control and
management to simplify operations
Avi Controller is the single point of
control, management, and integration
for any number of tenants, applications,
and users, allowing practically unlimited
scalability for cloud environments such
as OpenStack. Avi Controller itself is a
multi-node, active-active cluster, which
simplifies cloud integration and eliminates
single points of failure.
Security mechanisms to better
protect data
Avi Networks CADP offers high-performance SSL termination capabilities
with perfect forward secrecy (PFS)
and elliptic curve cryptography (ECC) to
encrypt application traffic. All control-plane
data between Avi Controller and
Avi Service Engines is encrypted using a
secure shell tunnel. Within each tenant,
L4-L7 role-based access control further
limits the access of different users. Also,
distributed denial-of-service (DDoS)
mitigation protects against Internet
attacks.
PLUG-AND-PLAY INTEGRATION
WITH OPENSTACK
Avi CADP runs natively on virtualized
Intel Xeon processor-based servers
within OpenStack and seamlessly deploys
in both traditional networks and SDN
environments. Avi Cloud Connector for
OpenStack enables seamless integration
with Nova, Keystone, Neutron, and LBaaS
components, as shown in Figure 4, and
offers:
• Automated provisioning of load
balancing services
• Integrated multi-tenancy and role-based access control
• Elastic scaling based on application
performance and end-user experience
• Real-time application monitoring and
end-user transaction analytics
SDN AND NFV PRINCIPLES IN
AVI NETWORKS CADP
The Avi Controller runs in the OpenStack
administrator context and manages
the Avi Service Engines in each of the
tenant contexts to provide application
delivery services. It also enforces strict
control-plane and data-plane isolation to
guarantee SLAs for each tenant.
Per SDN principles, the Avi Networks
CADP separates the control and data
planes:
Data-plane isolation: Each tenant gets
a dedicated group of Avi Service Engines,
which are auto-provisioned based on a
tenant’s policies. This allows a tenant
to scale performance automatically to
match its SLAs without affecting the
performance of other tenants and with
complete resource isolation from other
tenants.
Figure 4. Avi Cloud Connector for OpenStack*
Control-plane isolation: Each tenant has
complete policy control over and visibility
into its applications. Within each tenant,
role-based access control further limits
the access of different users.
Per NFV principles, the Avi Networks
services are software-based, virtual
network functions (VNFs), including
load balancing, application acceleration,
SSL termination, and real-time analytics
functions.
HIGH-PERFORMANCE
COMPUTING PLATFORM
Avi Networks CADP runs on powerful Intel
Xeon processors that deliver significant
benefits in performance, power efficiency,
virtualization, and security. Combining
these benefits with a low total cost of
ownership and Intel’s acclaimed product
quality, these processors provide a
compelling hardware foundation for cloud
infrastructure.
Moore’s Law
Continuing Moore’s Law, Intel Xeon
processors allow CSPs to take advantage
of regular performance improvements,
from generation to generation, without
modifying their code base. Computing
performance is expected to increase over
time with Intel’s continued innovations in
manufacturing process technology and
processor microarchitecture, which offer
software investment protection to the
industry.
Security
Avi Networks uses Intel® Advanced
Encryption Standard New Instructions
(Intel® AES-NI) to implement some of the
complex and performance intensive steps
of the AES algorithm. Intel AES-NI can
be used to accelerate the performance
of AES functions by 3 to 10 times over a
software-only implementation.2,3
Packet Processing
Many equipment manufacturers are
reducing the cost and complexity of
packet-processing devices by using
general-purpose processors instead of
specialized processors and ASICs – the
traditional approach. This transition is
possible with the Data Plane Development
Kit (DPDK), which was created by Intel
and delivers significant data plane
performance improvement3,4 on Intel®
processors.
DPDK enables Intel processor cores
to process packets continuously –
unimpeded by the operating system,
other applications, or interrupts – and
thus, greatly increases performance.4
At the same time, the other available
processor cores can run control plane and
application software, allowing equipment
manufacturers to consolidate multiple
workloads onto a single system. DPDK
is supported by a vibrant, open source
community that provides free, BSD-licensed source code.
For more information about the DPDK,
visit dpdk.org.
APPLICATION DELIVERY WITH
INTEGRATED ANALYTICS
The complexity of multi-tenant
infrastructure has many CSPs looking
beyond traditional, appliance-based ADC
solutions in order to get a higher level of
visibility, scalability, and controllability.
Changing the rules of the game, Avi
Networks developed a software-based,
L4-L7 solution, called Cloud Application
Delivery Platform (CADP), which
incorporates principles of SDN and NFV.
Running on high-performance Intel
Xeon processors, Avi Networks CADP
overcomes major multi-tenant challenges
by providing highly-elastic application
delivery and a single point of control. As
enterprises and CSPs take OpenStack
from their pilot/lab environments into
production deployments, Avi Networks
CADP fills in critical gaps for application
delivery, security, acceleration, and real-time visibility and analytics services.
For more information about Avi Networks
CADP, go to https://avinetworks.com.
For more information about Intel®
solutions for communications
infrastructure, visit www.intel.com/go/commsinfrastructure.
For more information about NFV- and
SDN-based solutions, visit https://networkbuilders.intel.com.
1 Source: Avi Networks*, “Avi Networks Launches First Cloud Application Delivery Solution -- Brings Benefits of Hyperscale Architecture to Enterprises, at Any Scale,” http://www.marketwired.com/press-release/avi-networks-launches-firstcloud-application-delivery-solution-brings-benefits-hyperscale-1975635.htm.
2 Source: Intel web site, Intel® Advanced Encryption Standard New Instructions (Intel® AES-NI), Feb 2, 2012, https://software.intel.com/en-us/articles/intel-advanced-encryption-standard-instructions-aes-ni and https://software.intel.com/sites/default/files/article/165683/aes-wp-2012-09-22-v01.pdf.
3 Performance tests and ratings are measured using specific computer systems and/or components and reflect the approximate performance of Intel® products as measured by those tests. Any difference in system hardware or software design
or configuration may affect actual performance. Buyers should consult other sources of information to evaluate the performance of systems or components they are considering purchasing. For more information on performance tests and on
the performance of Intel products, visit Intel Performance Benchmark Limitations.
4 Performance estimates are based on L2/L3 packet forwarding measurements. See http://www.intel.com/content/dam/www/public/us/en/documents/solution-briefs/communications-packet-processing-brief.pdf.
Disclaimers
Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No computer system can be absolutely
secure. Check with your system manufacturer or retailer or learn more at https://avinetworks.com/.
Intel, the Intel logo, and Xeon are trademarks of Intel Corporation in the U.S. and/or other countries.
*Other names and brands may be claimed as the property of others.
© 2015 Intel Corporation