Building Multi-tenant Application Delivery Solutions
Intel® Network Builders Solution Brief Avi Networks* Cloud Application Delivery Platform Intel® Xeon® Processors Building Multi-tenant Application Delivery Solutions for Cloud Service Providers Avi Networks* applies NFV and SDN principles to improve the visibility, scalability, and controllability of cloud computing infrastructure based on Intel® Xeon® processors. INTRODUCTION Although multi-tenancy enables cloud service providers (CSPs) to offer customers the computing power they need at an appealing price, what happens under the hood is often a mystery. This is because multi-tenant environments often fall short in a number of areas, including: • Built-in analytics to provide performance visibility • Highly-elastic infrastructure to scale performance on demand • Single point of control and management to simplify operations • Security mechanisms to better protect applications To address these issues, Avi Networks* developed a software-based Cloud Application Delivery Platform (CADP) that provides the visibility, high-availability, elastic scalability, application security, and single point of control needed by CSPs. The Avi Networks CADP combines the features of an application delivery controller (ADC), or advanced load balancer, with monitoring and analytics capabilities that allow CSPs to better understand their multi-tenant environment and offer rich, service-level agreement (SLA) based services to their customers. CSPs and end users can scale capacity up and down, only paying for the services they use. Whereas many ADC solutions are appliance-based and designed for static, single-tenant environments, Avi Networks CADP is software-based and designed for multi-tenant private, public, and hybrid cloud, as shown in Figure 1. Avi Networks CADP running on Intel® Xeon® processors incorporates principles from network functions virtualization (NFV) and software-designed networking (SDN) to enable highly-elastic application delivery and a single point of control. As a result, the solution overcomes the challenges CSPs typically face when automating and integrating traditional ADCs into their multitenant cloud infrastructure. Giving CSPs more control over their multi-tenant environments MULTI-TENANCY CHALLENGES AND OPPORTUNITIES As applications move to cloud-based infrastructures and mobile becomes the dominant endpoint, it is increasingly difficult to guarantee application performance and end-user experience. Consequently, large cloud service providers such as Amazon*, Facebook*, and Google* have changed out their fleets of proprietary ADC appliances. Instead, these web giants have internally developed analytics-driven, softwaredefined infrastructure services that enable them to efficiently and reliably deliver hyperscale applications on commodity hardware. However, most CSPs do not have the engineering resources required to internally develop software for new application delivery architectures.1 Traditional ADC appliances lack end-to-end visibility into the end-user experience and cannot automatically scale capacity based on real-time application demands. As a result, CSPs are forgoing opportunities to offer their customers a higher level of service through appropriate performance monitoring, automatic scaling, and enforcement of SLAs at the tenant and the application level. Figure 1. Avi Networks* CADP in a Typical CSP Environment 2 SOLUTION OVERVIEW Avi Networks Cloud Application Delivery Platform (CADP) is a software solution that utilizes real-time application visibility and end-user insights to optimize application delivery. It enables CSPs to offer rich application delivery services, such as elastic load balancing, application security, application acceleration, and realtime monitoring and analytics to tenant applications. The native integration with cloud management platforms, such as OpenStack*, ensures rapid deployment/ provisioning and out-of-the-box automation. The solution is built on the company’s HYDRA* architecture, which enables seamless scaling of network services within and across data centers and clouds, while maintaining a single point of management and control. The architecture separates the data, control, and management planes into individual system components, as shown in Figure 2: • Avi Service Engines provide distributed data-plane services • Avi Controller is the centralized policy and analytics engine • Avi UI offers a rich user interface built on RESTful APIs Avi Service Engines provide dataplane services for application delivery and also serve as distributed probes in the network, capturing hundreds of application metrics and transaction log data. They run on the same hypervisor as the applications they support and monitor. Avi Controller acts as a central, multitenant, policy repository and provisions, configures, and scales Service Engines as needed. Additionally, it runs an analytics engine that provides real-time, highly-granular insights into application performance and end-user experience, without any application changes, server agents, or network taps. Avi UI is a powerful web-based portal that enables CSPs to visualize, analyze, and control their end-to-end, user-toapplication environment from a central location. Built-in support for multitenancy allows cloud providers to expose advanced functionality and monitoring capabilities directly to tenants without the need for building portals. The Avi Networks “pay-as-you-use” model enables CSPs to charge tenants based on their usage of services, such as load balancing, application security, and acceleration (e.g., caching and compression). CSPs can customize services to create offerings on a per tenant basis. This model is essentially a zero-risk offering since CSPs do not have to remove existing load balancing services (no ripand-replace), and they only pay for the Avi Networks services when tenants choose them over a legacy offering. Even more importantly, the built-in elasticity and auto-scaling of the Avi Networks’ CADP platform ensures compute resources in a CSP datacenter are only used as needed, resulting in significant reduction in the cost of service delivery. Figure 2. Main Components of the Avi Networks* Cloud Application Delivery Platform 3 Tenants can pick their overall capacity, from a free-tier to a terabit-class offering with thousands of applications. Capacity can be added and removed at run time with a single click, allowing CSPs to dynamically respond to changing customer needs in real time. ADDRESSING MULTI-TENANCY ISSUES Using Avi Networks CADP, tenants can track SLAs for their business critical apps in a cloud environment, similar to what they are used to in their on-premises data centers. In addition, tenants benefit from user-to-application visibility and real-time analytics services, all of which is strong encouragement for customers thinking about moving their businesscritical applications to the cloud. CSPs can offer these features to customers while maintaining a single point of control and management across all tenants. Figure 3. Consumption-Based Model 4 Avi Networks CADP uniquely addresses other multi-tenancy issues unlike traditional, appliance-based ADCs. Examples include: Built-in analytics to provide performance visibility CADP has built-in analytics for measuring and visualizing application performance in real time. Avi Service Engines integrate data collectors for gathering end-to-end timing information, metrics, and logs for each user-to-application transaction. This information allows the Avi Controller to continuously monitor performance, which it correlates to server and network infrastructure logs. Highly-elastic infrastructure to scale performance on demand Avi Controller automatically adjusts ADC capacity for individual tenants in real time by scaling resources up and down based on the end-user and application insights derived by the inline analytics. The AutoScale feature allows a CSP to add tenants and applications, and increase throughput without worrying about capacity planning or having to add appliances. For example, Figure 3 shows how the Avi Networks model is consumption based, making it more costeffective and scalable than appliancebased models. Single point of control and management to simplify operations Avi Controller is the single point of control, management, and integration for any number of tenants, applications, and users, allowing practically unlimited scalability for cloud environments such as OpenStack. Avi Controller itself is a multi-node, active-active cluster, which simplifies cloud integration and eliminates single points of failure. Security mechanisms to better protect data Avi Networks CADP offers highperformance SSL termination capabilities with perfect forward secrecy (PFS) and elliptic curve cryptography (ECC) to encrypt application traffic. All control- plane data between Avi Controller and Avi Service Engines is encrypted using a secure shell tunnel. Within each tenant, L4-L7 role-based access control further limits the access of different users. Also, distributed denial-of-service (DDoS) mitigation protects against Internet attacks. PLUG-AND-PLAY INTEGRATION WITH OPENSTACK Avi CADP runs natively on virtualized Intel Xeon processor-based servers within OpenStack and seamlessly deploys in both traditional networks and SDN environments. Avi Cloud Connector for OpenStack enables seamless integration with Nova, Keystone, Neutron, and LBaaS components, as shown in Figure 4, and offers: • Automated provisioning of load balancing services • Integrated multi-tenancy and rolebased access control • Elastic scaling based on application performance and end-user experience • Real-time application monitoring and end-user transaction analytics SDN AND NFV PRINCIPLES IN AVI NETWORKS CADP The Avi Controller runs in the OpenStack administrator context and manages the Avi Service Engines in each of the tenant contexts to provide application delivery services. It also enforces strict control-plane and data-plane isolation to guarantee SLAs for each tenant. Per SDN principles, the Avi Networks CADP separates the control and data planes: Data-plane isolation: Each tenant gets a dedicated group of Avi Service Engines, which are auto-provisioned based on a tenant’s policies. This allows a tenant to scale performance automatically to match its SLAs without affecting the performance of other tenants and with complete resource isolation from other tenants. Figure 4. Avi Cloud Connector for OpenStack* 5 Control-plane isolation: Each tenant has complete policy control over and visibility into its applications. Within each tenant, role-based access control further limits the access of different users. Per NFV principles, the Avi Networks services are software-based, virtual network functions (VNFs), including load balancing, application acceleration, SSL termination, and real-time analytics functions. HIGH-PERFORMANCE COMPUTING PLATFORM Avi Networks CADP runs on powerful Intel Xeon processors that deliver significant benefits in performance, power efficiency, virtualization, and security. Combining these benefits with a low total cost of ownership and Intel’s acclaimed product quality, these processors provide a compelling hardware foundation for cloud infrastructure. complex and performance intensive steps of the AES algorithm. Intel AES-NI can be used to accelerate the performance of AES functions by 3 to 10 times over a software-only implementation.2,3 Packet Processing Many equipment manufacturers are reducing the cost and complexity of packet-processing devices by using general-purpose processors instead of specialized processors and ASICs – the traditional approach. This transition is possible with the Data Plane Development Kit (DPDK), which was created by Intel and delivers significant data plane performance improvement3,4 on Intel® processors. Continuing Moore’s Law, Intel Xeon processors allow CSPs to take advantage of regular performance improvements, from generation to generation, without modifying their code base. Computing performance is expected to increase over time with Intel’s continued innovations in manufacturing process technology and processor microarchitecture, which offer software investment protection to the industry. DPDK enables Intel processor cores to process packets continuously – unimpeded by the operating system, other applications, or interrupts – and thus, greatly increases performance.4 At the same time, the other available processor cores can run control plane and application software, allowing equipment manufacturers to consolidate multiple workloads onto a single system. DPDK is supported by a vibrant, open source community that provides free, BSDlicensed source code. Security For more information about the DPDK, visit dpdk.org. Moore’s Law Avi Networks uses Intel® Advanced Encryption Standard New Instructions (Intel® AES-NI) to implement some of the 6 APPLICATION DELIVERY WITH INTEGRATED ANALYTICS The complexity of multi-tenant infrastructure has many CSPs looking beyond traditional, appliance-based ADC solutions in order to get a higher level of visibility, scalability, and controllability. Changing the rules of the game, Avi Networks developed a software-based, L4-L7 solution, called Cloud Application Delivery Platform (CADP), which incorporates principles of SDN and NFV. Running on high-performance Intel Xeon processors, Avi Networks CADP overcomes major multi-tenant challenges by providing highly-elastic application delivery and a single point of control. As enterprises and CSPs take OpenStack from their pilot/lab environments into production deployments, Avi Networks CADP fills in critical gaps for application delivery, security, acceleration, and realtime visibility and analytics services. For more information about Avi Networks CADP, go to https://avinetworks.com. For more information about Intel® solutions for communications infrastructure, visit www.intel.com/go/ commsinfrastructure. For more information about NFV- and SDN-based solutions, visit https:// networkbuilders.intel.com. 1 Source: Avi Networks*, “Avi Networks Launches First Cloud Application Delivery Solution -- Brings Benefits of Hyperscale Architecture to Enterprises, at Any Scale,” http://www.marketwired.com/press-release/avi-networks-launches-firstcloud-application-delivery-solution-brings-benefits-hyperscale-1975635.htm. 2 Source: Intel web site, Intel® Advanced Encryption Standard New Instructions (Intel® AES-NI), Feb 2, 2012, https://software.intel.com/en-us/articles/intel-advanced-encryption-standard-instructions-aes-ni and https://software.intel.com/sites/ default/files/article/165683/aes-wp-2012-09-22-v01.pdf. 3 Performance tests and ratings are measured using specific computer systems and/or components and reflect the approximate performance of Intel® products as measured by those tests. Any difference in system hardware or software design or configuration may affect actual performance. Buyers should consult other sources of information to evaluate the performance of systems or components they are considering purchasing. For more information on performance tests and on the performance of Intel products, visit Intel Performance Benchmark Limitations. 4 Performance estimates Performance estimates are based on L2/L3 packet forwarding measurements. See http://www.intel.com/content/dam/www/public/us/en/documents/solution-briefs/communications-packet-processing-brief.pdf. For more information about Avi Networks CADP, visit https://avinetworks.com. Solution Provided By: Disclaimers Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No computer system can be absolutely secure. Check with your system manufacturer or retailer or learn more at https://avinetworks.com/. Intel, the Intel logo, and Xeon are trademarks of Intel Corporation in the U.S. and/or other countries. *Other names and brands may be claimed as the property of others. © 2015 Intel Corporation 7
© Copyright 2024