Overview:
In today's digital landscape, having a secure and efficient network is crucial for businesses and organizations of all sizes. A reliable network allows you to communicate with others, share data, and deploy applications - all while maintaining confidentiality and security.
At the heart of any network lies its infrastructure: the connections between devices, servers, and other systems that enable communication and data transfer. In PowerVS Private Cloud, this infrastructure is designed to be flexible, scalable, and secure.
Let's take a closer look at how networking works in PowerVS Private Cloud. Figure 1 illustrates two key components:
- Internal Management Network: This network houses essential software like HMC (Hardware Management Console), PowerVC (Power Virtualization Center), NovaLink, and other resources needed to manage the environment efficiently.
- External Networking Connections: The private cloud connects with external networks via Direct Link and VPN technology, providing secure access points for various components within the network.
But how does it all work together? In PowerVS Private Cloud, customers typically deploy Point Of Delivery (POD) containers at their own sites. A POD is essentially an infrastructure stack that holds compute, storage, and network devices - everything you need to run your applications securely within the cloud. By deploying these PODs on-site, you have more control over your infrastructure and can ensure that it meets your specific needs.
As we explore networking in PowerVS Private Cloud further, you'll learn about:
- How these connections are set up and managed
- The types of security measures implemented to protect data and prevent unauthorized access
- Network configuration options for optimized performance
Throughout this discussion, we'll delve into the intricacies of networking in PowerVS Private Cloud, exploring how it enables businesses to achieve their goals while maintaining a secure and efficient environment.
Figure 1
Connectivity Options:
Here are the two major types of networks in PowerVS Private Cloud, explained simply:
- Private Networks: This is a network that allows different parts of your private cloud to communicate with each other internally. It's like a private hallway within your own building, where you can move around without leaving the premises. In PowerVS Private Cloud, a private network enables communication between different VMs (virtual machines) running on separate physical hosts. When you create a private network, it allows these VMs to communicate with each other over their own internal connections, facilitating host-to-host communication. For instance, if we deploy VM A on System A and VM B on System B, we can ping between them using the private network they're both connected to.
- External Networks: This is a network that connects your private cloud to the outside world, such as the internet. Think of an external network like a public highway that allows you to access external resources and services from within your own private cloud. You can use this connection to communicate with endpoints on the internet or other parts of your organization's infrastructure. There are different ways to configure these connections, but overall, they allow you to tap into the outside world while still maintaining control over what comes in and out of your private cloud.
These two types of networks work together to provide a secure and flexible environment for your applications and services in PowerVS Private Cloud.
External Networks Variations:
BGP Networks in PowerVS Private Cloud:
Imagine you have two separate networks: your own internal network (your "hallway") and an external network that connects to the internet or another company's data center ("the public highway").
To connect these two networks, we need a special kind of bridge called a Border Gateway Protocol (BGP) connection. BGP is like a toll booth on the public highway - it allows our internal network to access resources outside.
Here's how it works:
- Setup: We create a private network in PowerVS Private Cloud and then set up a BGP connection between the pod's routers and your external router.
- Configuration: We configure "neighbors" on both sides of the BGP connection, which tells each side which IP prefixes it may advertise to, and accept from, the other.
- Routing: The two networks exchange routes with each other, essentially a list of destinations that each network can reach through the other.
Once this is set up, your VMs inside the private network will be accessible over the BGP connection. It's like having a direct link between our internal hallway and the public highway.
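The neighbor policy and route exchange described above, modelled as an added example (not the pod router's real configuration): each side exports only the prefixes its policy permits and accepts only what its import policy allows, so a prefix outside the agreed ranges never reaches the other side's routing table. The addresses are constructed RFC 1918 samples.

```python
from ipaddress import ip_network, ip_address

class BgpSpeaker:
    """Minimal model of one side of a BGP session: owned routes, the prefixes
    it may export to the neighbor, and the prefixes it accepts from it."""

    def __init__(self, name, local_routes, export_allowed, import_allowed):
        self.name = name
        self.rib = {ip_network(p): name for p in local_routes}  # prefix -> next hop
        self.export_allowed = [ip_network(p) for p in export_allowed]
        self.import_allowed = [ip_network(p) for p in import_allowed]

    def advertise(self):
        """Announce only prefixes covered by the export policy."""
        return [p for p in self.rib if any(p.subnet_of(a) for a in self.export_allowed)]

    def receive(self, neighbor, prefixes):
        """Install prefixes covered by the import policy; return the rejected ones."""
        rejected = []
        for p in prefixes:
            if any(p.subnet_of(a) for a in self.import_allowed):
                self.rib[p] = neighbor.name
            else:
                rejected.append(p)
        return rejected

    def lookup(self, host):
        """Longest-prefix match, i.e. the router's forwarding decision."""
        addr = ip_address(host)
        matches = [p for p in self.rib if addr in p]
        return self.rib[max(matches, key=lambda p: p.prefixlen)] if matches else None

def exchange(a, b):
    """One full route exchange in both directions; returns rejects per side."""
    adv_a, adv_b = a.advertise(), b.advertise()  # snapshot before installing
    return {a.name: a.receive(b, adv_b), b.name: b.receive(a, adv_a)}

# Constructed sample: the pod side owns 10.20.0.0/24; the customer router owns
# 192.168.50.0/24 plus 172.16.7.0/24, which the pod's import policy does not permit.
pod = BgpSpeaker("pod-router", ["10.20.0.0/24"], ["10.20.0.0/16"], ["192.168.0.0/16"])
customer = BgpSpeaker("customer-router", ["192.168.50.0/24", "172.16.7.0/24"],
                      ["0.0.0.0/0"], ["10.0.0.0/8"])
rejects = exchange(pod, customer)  # pod rejects 172.16.7.0/24; customer rejects nothing
```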
Outbound-only Networks in PowerVS Private Cloud:
Consider a situation where you'd like to connect your private cloud to an external entity, such as another data center, while keeping all incoming traffic blocked at that boundary point.
Think of it like your home network: you can browse websites from home, but those websites cannot reach into your home computers without permission. This is similar to what PowerVS Private Cloud offers - a secure and controlled environment for your applications and services, with options for connecting to external resources while maintaining control over incoming traffic.
With an Outbound-only network in PowerVS Private Cloud, the VMs inside are only allowed to send traffic outwards, not receive any incoming requests.
Here's how it works:
- Create a private network: You set up a private network within your cloud.
- Configure port-NAT: The pod edge router configures Port Network Address Translation (port-NAT), which allows the VMs inside to reach external endpoints, but only for connections initiated from the inside out.
- Assign an external IP: One external IP address is provided by you, which acts as a "public identity" for your private cloud.
When this setup is complete, your VMs can send traffic outwards (like sending email), but they won't be able to receive any incoming requests from the outside world without being configured specifically.
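The outbound-only behaviour of port-NAT, as an added illustration (a constructed model, not the edge router's code): all VMs share the one external IP, an outbound flow creates a port mapping, and an inbound packet is forwarded only when it matches the reverse of an existing flow. Unsolicited inbound packets, and packets from a different host aimed at a mapped port, are dropped. Addresses are documentation ranges.

```python
from dataclasses import dataclass
from itertools import count

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class PortNat:
    """Port-NAT table with a single external IP: outbound flows allocate an
    external port; inbound packets must match the full reverse 5-tuple."""

    def __init__(self, external_ip, first_port=40000):
        self.external_ip = external_ip
        self.ports = count(first_port)
        self.outbound = {}  # (vm_ip, vm_port, dst, dport) -> ext_port
        self.inbound = {}   # ext_port -> (vm_ip, vm_port, dst, dport)

    def egress(self, pkt):
        """Translate a VM-originated packet; create the mapping on first use."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        ext_port = self.outbound.get(key)
        if ext_port is None:
            ext_port = next(self.ports)
            self.outbound[key] = ext_port
            self.inbound[ext_port] = key
        return Packet(self.external_ip, ext_port, pkt.dst, pkt.dport)

    def ingress(self, pkt):
        """Return the translated reply for an established flow, or None to drop."""
        if pkt.dst != self.external_ip or pkt.dport not in self.inbound:
            return None                        # no mapping: unsolicited, dropped
        vm_ip, vm_port, dst, dport = self.inbound[pkt.dport]
        if (pkt.src, pkt.sport) != (dst, dport):
            return None                        # wrong remote endpoint for this flow
        return Packet(pkt.src, pkt.sport, vm_ip, vm_port)

def demo():
    """Constructed scenario: one VM opens an HTTPS flow, then three inbound packets arrive."""
    nat = PortNat("198.51.100.10")
    out = nat.egress(Packet("10.20.0.5", 51234, "203.0.113.25", 443))
    reply = nat.ingress(Packet("203.0.113.25", 443, "198.51.100.10", out.sport))
    unsolicited = nat.ingress(Packet("203.0.113.99", 12345, "198.51.100.10", 22))
    spoofed = nat.ingress(Packet("203.0.113.99", 443, "198.51.100.10", out.sport))
    return out, reply, unsolicited, spoofed
```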
L2 out Networks:
One way to connect our private cloud to the outside world is by setting up a direct connection between your existing switches and one of our border leaf nodes. This allows you to bypass traditional routers and establish a more efficient path for data exchange.
To make this happen, we need to follow these steps:
- Connect Your Network: We'll connect your existing network infrastructure to one of our edge devices (border leaf node).
- Create a New Connection Area: We'll create a new "connection area" within the cloud, which will allow you to communicate with your own network.
- Link the Two Networks: We'll establish a connection between this new "connection area" and another existing network within our private cloud (underneath it).
With these steps complete, VMs running in the private cloud will be able to access the external network directly, using the same IP address space.
Static Routing:
In addition to flexible dynamic routing options, PowerVS Private Cloud also allows administrators to manually configure routes between the private cloud and external resources. This enables a predictable and reliable connection that can be especially useful in situations where making changes to network settings is not practical or desired.
For example, PowerVS Private Cloud administrators configure static routing between two data centers: Primary Data Center and Secondary Data Center. This ensures seamless failover in case of an outage at the Primary Data Center, maintaining continuous service availability for critical applications. Static routing reduces latency and improves overall network performance.
Network Connectivity for Full Linux Subscription Capability in PowerVS Private Cloud:
PowerVS Private Cloud is introducing a feature that allows users to access full Linux subscriptions from IBM, while also supporting their existing Linux VMs. This means they can now take advantage of the latest versions of popular open-source operating systems like Red Hat Linux, with benefits including simplified management and maintenance, timely security patches and updates, and increased flexibility in deploying applications. To make use of this feature, a "proxy" connection needs to be set up between your environment and IBM Cloud's subscription providers using either DirectLink or VPN. This setup allows for seamless communication between your VMs, the Linux satellite server hosted on IBM Cloud, and ultimately ensures you receive timely updates and patches for your operating system. By leveraging this feature, users can enjoy improved efficiency, reduced complexity, and enhanced security for their Linux environments within PowerVS Private Cloud.
Figure 2 provides a visual representation of the network connectivity setup required to access full Linux subscriptions from IBM in PowerVS Private Cloud, illustrating how users can establish a "proxy" connection to leverage the latest versions of popular open-source operating systems.
Figure 2
Creating and Configuring External Networks:
To create external networks in PowerVS Private Cloud using any of the available interfaces (UI, CLI, or API), follow these steps: First, create a workspace in PowerVS Private Cloud by selecting the appropriate Point of Delivery. Once it is created, open a first ticket with the support team to configure the peer networks in the ACI fabrics.
In the context of PowerVS Private Cloud, a peer network refers to a connection between two networks that are configured to communicate with each other. This connection is established through a fabric-based infrastructure, such as Cisco's Application Centric Infrastructure (ACI).
A peer network consists of two or more networks that share a common physical link or virtual interface. These networks can be located in different geographic locations or even within the same data center.
How Peer Networks Work:
In PowerVS Private Cloud, peer networks are used to enable secure and scalable connectivity between multiple sites, data centers, or regions. Here's an overview of how they work:
- Network Segmentation: Each network is segmented into smaller sub-networks, which can be controlled and managed independently.
- Peer Interface Configuration: A peer interface is created on each network to establish a connection with other networks.
- Fabric-Based Connectivity: The peer interfaces are connected through an ACI fabric, which provides a layer of abstraction between the physical links and the virtual interfaces.
- Network Policy Enforcement: Network policies are applied to control traffic flow between peer networks, ensuring secure and authorized communication.
Types of Peer Networks:
There are three types of peer networks in PowerVS Private Cloud:
- L3BGP: Used for BGP-based network connectivity.
- L2: Used for L2 out networks or VLANs.
- L3Static: Used for static routing networks.
Each type of peer network has its own characteristics and requirements, but they all enable secure and scalable connectivity between multiple sites or data centers.
In a single workspace, any combination of these network types can be used, with specific rules applying to their combinations - for example, L3BGP can be paired with L2 but not with L3Static.
After the peer interfaces are created by the support team, they become visible in the workspace (refer to Figure 3(a) or Figure 4(a)). From here, create a subnet in the workspace by selecting the required peer interfaces using the UI, API, or CLI. Once the subnet is created, open a second ticket with the support team to configure the necessary settings in the ACI fabrics and routers, providing the subnet details (as shown in Figures 3(b) and 4(b)).
Following this configuration process, the support team will resolve the second ticket, after which VMs can be deployed with the specific networks and those networks can be used. With L3BGP configurations, NAT can be enabled when creating subnets in the workspace by inputting a source IP address, similar to the Outbound-only network settings referred to earlier in this blog.
For each network type mentioned above, choose an IP assignment method: either DHCP or non-DHCP. However, at present, DHCP is only supported on Red Hat VMs, while non-DHCP is available for all OS types, including AIX, RHEL, SLES, and IBM i.
In addition to configuring external networks, private subnets and internal networks can also be established concurrently without requiring an initial TLS configuration.
Setting Up External Networks through GUI:
Figure 3(a) shows a settings menu from PowerVS Private Cloud Services that allows users to configure their external network within the cloud infrastructure. It includes fields such as the network's name, IPv4 address ranges and subnet masks (CIDR), gateways, attaching networks to VPCs or configuring VPN connections, as well as additional settings like DNS hostnames, security group rules, and other advanced networking configurations.
Figure 3(b) displays a detailed view of an already created external network in the PowerVS Private Cloud environment. It shows its name and provides information on how IP addresses are assigned to devices connected to it.
Figure 3(c) is a visual representation of a virtual machine (VM) operating within the IBM PowerVS Private Cloud that has been connected to an external network. Specific details of the VM's network configuration are highlighted in red, providing a clear illustration of the underlying networking infrastructure for this particular VM instance.